While working through How Linux Works as part of my daily Linux study, I learned something that quietly rearranged how I think about files: Linux doesn't check whether a filename matches its content. At all.
You could rename a shell script to definitely_a_pdf.pdf, and Linux will run it exactly the same as if you'd been honest. The extension is just decoration, a label you're free to lie about.
That's also exactly how a lot of phishing attacks work. invoice.pdf.exe disguised as invoice.pdf. A convincing icon. A victim who trusts a filename instead of checking what the file actually is.
How files are actually identified
Every real file format has a signature, "magic bytes", at the very start of its content, completely independent of the filename:
PDFs start with %PDF-
JPEGs start with FF D8 FF
Linux executables (ELF) start with 7F 45 4C 46
Run file somefile.txt on Linux and it reads these bytes directly, telling you what something actually is, not what its name claims.
So I built a small detector
Instead of just reading about this, I wrote masq_detector, a small Python CLI that scans a directory, checks each file's real content against its claimed extension, and flags mismatches, specifically prioritizing files that are both disguised and directly executable.
pythonif is_dangerous_content and extension_mismatch:
severity = "HIGH"
That and wasn't there in my first version, I originally used or, which meant any executable got flagged, including perfectly honest .exe installers sitting in my Downloads folder. Running it against my real Downloads directory surfaced that false positive immediately, which was a good reminder that testing against real data catches design flaws that testing against toy examples never will.
What it actually does under the hood
It leans on the Unix file command for the actual content detection, no reason to reinvent decades of battle-tested magic-byte parsing. What I built is the layer on top: comparing that output against expected keywords per extension, and deciding what counts as a genuine threat versus a harmless mismatch.
Honest limitations
No ML, no fancy heuristics, just straightforward signature comparison
Linux/macOS only, since it depends on the file command
A learning project, not a production security tool
Why this mattered to me
I'm a CS student working toward graduation in 2028, currently deep in Linux and networking self-study, with cloud security as the direction I'm exploring next and a DAAD-funded Masters in Germany as the long-term goal. Small, fully-understood projects like this one feel like the right way to build toward that, not by making something impressive, but by making something I can actually explain, line by line.
Code: github.com/AyeshaAbbas-engg/masq_detector
What's a Linux "wait, that's how it works?" moment you've had recently? I'm collecting these.

Top comments (0)