GCHQ code-breaking challenge cracked by Google search

A simple Google search unlocks the supposedly secret completion page to GCHQ's code-cracking competition. The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would be code breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward

    Set up and secured by the finest government security specialists.

    1. Anonymous Coward

      Good one

      Did you actually read the story?

      "The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm's length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we were unable to immediately confirm this on Friday afternoon."

      1. This post has been deleted by its author

        1. Anonymous Coward

          I spy with my little eye.. A Guardian reader

          You're really not getting the whole el Reg forum ethos are you? If you want serious debate and comment I suggest you disappear off to somewhere a lot less fun and disrespectful.

          Articles read, yes.

          T&Cs of 'challenge' read, yes.

          Pisstake, YES.

          Attack, no.

          I'd get my coat if I were allowed an icon, it's the one with Jeremy Clarkson's latest book in it (heavens no, not for reading, it's for planting in civil service office book sharing club stocks)

      2. Anonymous Coward
        Facepalm

        Outsourced

        ...by the finest government security specialists.

        He was right the first time.

      3. John Bailey

        But that isn't funny.

      4. N2

        Outsource?

        Isn't that what you get when you outsource?

        They completely miss the bleedin obvious

  2. ElNumbre
    Holmes

    Does it matter?

    Shirley in a world of espionage, it doesn't matter how you solve the problem, provided you solve the problem. If you can find a back-door without having to engineer something a bit complicated, then bonus points to you.

    1. PT

      Absolutely. Stealing the plaintext is the quickest method, and is one of the proud traditions of security services everywhere. Failing that, the rubber hose method also brings results with less effort.

  3. Fuzz

    How did Google find the page?

    Google follows links so is there a link somewhere to the success page?

    1. Anonymous Coward

      Yes. Silly article.

      Google could only find the page when someone had solved it and published it first, and a search for the first few bytes of the code showed many bloggers openly collaborating.

      However impressive as the exercise was, and kudos to the anonymous Russians that got there first (no surprise there!), I learned a lot. It has also created thousands more shellcode crackers and VM engineers overnight.

      Perhaps an unforeseen consequence, but GCHQ are going to need a bigger and better paid army now.

    2. Rob - Denmark
      Boffin

      Or the page uses some kind of Google service like Google Analytics.

  4. Gordon 10

    DOH!

    That is all.

  5. advocate

    if you add anything to the end of the URL you get a message saying you are on the right lines. for example:

    www.canyoucrackit.co.uk/winner

    I haven't tried actually cracking any code but I am doubtful there is one to crack, given the relatively low pay and recent publicity for the need of cybercrime specialists perhaps they just want people that can find back doors in websites.

    1. Anonymous Coward

      25-30k per year for the "finest computer minds"

      Most basic programmer jobs are 30k+ Skinflints

      1. Marvin the Martian
        Holmes

        "Skinflints"

        Well do something about it. For example, write your MP that you want to pay more taxes to get better skilled GCHQ keyboard botherers.

      2. fajensen
        Gimp

        The "benefits" make up for the lack of direct pay. Whatever would one *do* with access to the "lawful interception interface" on the nation's network equipment - specifically the ones wired to the banks and the stock exchange?

        I know of some former spooks who used their training and connections very well in their "retirement"; however that was the cold war: In these puritan times, one might end up taking a swim inside a sports-bag wearing wimmens clothes and a variety of studded rubber items ....

  6. Ol'Peculier
    Meh

    Probably not

    In the pub last night, this site came into the conversation. Everybody had heard of it, except for the one person in the group that works for GCHQ!

    1. Anonymous Coward

      That's because

      people working at GCHQ don't have a connection to the interwebs on their computers.

    2. Madboater
      Black Helicopters

      Perhaps they are trained

      to deny any knowledge to do with their work...

  7. Tim Nicholls

    I'm willing to bet...

    ...that very few people capable of 'cracking it' the hard way will be interested in a £25-35K a year job with GCHQ. Especially when I know for sure that there are contract staff that are coming up to their 7th year at the doughnut on £600-700 a day.

  8. Jacqui

    GCHQ fail

    The test was not exactly hard - it can be explained in less than two paragraphs and <100 LOC but I suppose was a good example of the sort of grunt work they expect of staff.

    As I said before the real test should be to obtain the info required to solve the puzzle without leaving a footprint. That includes bypassing clicktrackers and leaving fake data in the web logs during application submission. Solving puzzles is one thing - ensuring the target does not know you are on to them is just as important.

    IMHO there is no direct (trustable) path back to GCHQ - anyone who applies (via the agency site) should auto-fail - those that find and use the correct email address and/or postal address should be shortlisted.

  9. Rick C

    PERFECT, they found a back door. No prizes for doing it the hard way!

    If the folk at Bletchley Park had not looked for a back door they would never have cracked Enigma. Hats off to the cheats, the spirit of Bletchley Park is still alive and well amongst the same kind of enthusiastic amateurs who helped win WW2. Let's hope GCHQ have learned a valuable lesson!

    Rick

    1. Wensleydale Cheese

      Hear hear. @Rick C

      Finding a back door is what James Bond would have done.

      All's fair in love and war and all that.

      1. BrownishMonstr
        Angel

        Heheh, back door.

    2. Paul_Murphy

      But BP wasn't about Enigma

      It was far more interested in the 'Fish' traffic that Colossus was built to crack. (http://en.wikipedia.org/wiki/Colossus_computer)

      Since the nicely organised Germans were sending very regular reports to Berlin, and getting regular orders back it made working out what they were up to a lot more straight-forward.

      Enigma was used 'on-the-ground' for more tactical purposes.

      As for back doors I would recommend reading Paul Gannon's book: http://books.google.co.uk/books/about/Colossus.html?id=J9ezAAAACAAJ&redir_esc=y

      and decide for yourself what constitutes a back door.

      ttfn

      oh yeah - all hail to the BT engineer Tommy Flowers, who did the work, insisted on using valves and used his own money (http://www.computinghistory.org.uk/det/1078/Tommy-Flowers/) to get the project working.

      1. Anonymous Coward

        @Paul Murphy

        Bletchley wasn't about Enigma? Colossus wasn't about Enigma, but Bletchley wasn't just Colossus. There were all those Turing Bombes, which were used to err... Crack Enigma.

        Fish/Lorenz came later.

    3. Anonymous Coward

      Enigma? :)

      just have to share - here's my tiny Enigma VM in perl... pity there's no monospace, but it does survive formatting.

      A virtual pint for the first person to solve it... :-)

      AVWBU ISDDZ NPILY BMQEE XOUSV YDPON

      CCQWR BHOPB PZOMC HUZTA TRSBV CB

      #!/usr/bin/perl
      #Tinigma 2010 Usage:tinigma.pl 123 rng ini "GHWVYYDVPQGEWQWVT"
      ($n,$o,$p)=map(ord()-65,split//,uc$ARGV[1]);($z,$y,$x)=map(ord
      ()-65,split//,uc$ARGV[2]);($l,$m,$r)=map$_-1,split//,$ARGV[0];
      $t=uc$ARGV[3];$t=~s/[^A-Z]//g;$b=26;$j=0;@N=qw(7 25 11 6 1);@R
      =('EKMFLGDQVZNTOWYHXUSPAIBRCJ'x3,'AJDKSIRUXBLHWTMCQGZNPYFVOE'x
      3,'BDFHJLCPRTXVZNYEIWGAKMUSQO'x3,'ESOVPZJAYQUIRHXLNFTGKDCMWB'x
      3,'VZBRGITYUPSDNHLXAWMJQOFECK'x3,'YRUHQSLDPXNGOKMIEBFZCWVJAT'x
      3);@t=split//,$t;for$v(@R){$i=0;for(split//,$v){$c=ord()-65;$F
      [$j][$i]=$c;$R[$j][$c+$b*int($i/$b)]=$i%$b;$i++}$j++}@S=@{$F[5
      ]};$f=$y==$F[$m][$N[$m]]?1:0;$i=0;for(@t){if($f){$y++;$y%=$b;$
      z++;$z%=$b;$f=0}if($x==$F[$r][$N[$r]]){$y++;$y%=$b;if($y==$F[$
      m][$N[$m]]){$f=1}}$x++;$x%=$b;$e.=chr(($R[$r][$R[$m][$R[$l][$S
      [$F[$l][$F[$m][$F[$r][ord($_)-39+$x-$n]-$x+$n+$y-$o]-$y+$o+$z-
      $p]-$z+$p]+$z-$p]-$z+$p+$y-$o]-$y+$o+$x-$n]-$x+$n)%$b+65)}
      print"$e\n"

    4. Anonymous Coward

      Re: Rick C

      Except we expanded on the work performed by a Polish mathematician, the reality is when Enigma first came out we were completely stumped by it.

  10. jacobbe
    FAIL

    common sense not required!

    Doesn't make you want to apply does it?

  11. charles blackburn
    FAIL

    http://canyoucrackit.co.uk/soyoudidit.asp

    So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you'll help protect our nation's security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you're one of the best.

    i lol'd

  12. Blubster
    Coat

    Answer to the Ultimate Question of Life, the Universe, and Everything

    Forty-two

  13. Gary F
    FAIL

    I found the back door too

    The code to unlock it is in javascript which seems pretty daft on top of the winning page being a static page. Surely they were being this daft intentionally? Mind you, as they're only paying a £28K salary to the winning applicant they aren't exactly going to great efforts to attract the smartest brains out there.

    The heroes of WWII Bletchley Park would be embarrassed if they knew.

    And I agree with the point made by others that it doesn't matter how the solution is reached, either through the front door or a backdoor. And it's just crazy that GCHQ had such a big back door on their website. Hopefully they're just responsible for cracking other countries' security and not protecting our own!!!!

  14. Pink Duck

    There was no backdoor, Google just spidered the links mentioned at http://lolhax.org/2011/12/03/can-you-crack-it/#more-114 (warning: contains answer and solution technique)

    1. charlesmeaden

      Google indexed it before the 3rd of Dec

      As author of the blog post referenced in the Sophos story, the site was already indexed by Google on the 1st December. Even if others had linked to the soyoufoundit page, it's not difficult to stop Google from not indexing a page

  15. Pete Spicer

    To all those wondering how Google got it

    What are the odds someone on high actually used Google Chrome or Firefox to test it worked? Since those browsers send a request to Google to verify that the site isn't malware laden, it's no great stretch to assume that it also covers discoverability and silently adding it to the index...

  16. hplasm
    Happy

    "007- we need to find Mr Badaffi's secret lair..."

    "Ok M, oh - Google says it's just there... look."

    1. LaeMing
      Go

      G007LE - no evil-doers.

  17. carrera4life
    Stop

    So what...

    So Google found the page that offers you the chance to APPLY for a position. You can rest assured that even if you used Google to find this page, it will be of little help once you're asked to demonstrate your abilities.

    I really do not see what all the fuss is about.

  18. Ebeneser
    Unhappy

    Let's face it ...

    From a cyber security point of view we're screwed ... and if the salaries posted on the recruitment site are indicative, you'd be better off working for the bad guys ...

    1. Sir Runcible Spoon

      Sir

      "you'd be better off working for the bad guys"

      That really says it all. Have you truly thought that one through?

      Spooks are unfortunately necessary in this day and age, and they need to be kept on a short lead by those who are publicly responsible for their actions; but to suggest that working for Blofeld would be better is just asking for a swim with the laser bedecked sharks.

  19. stucs201

    It's an advert, not a competition

    It leads to the exact same job as you get to just by going to their standard jobs page. If it was a test then it might have been a bit lacking, as an advert I'd say it's been quite successful at attracting attention.

  20. hayseed

    This has happened before...

    Reminds me of the frantic search for a spy in Africa by the British in WWII. Turns out they were telling stuff to some American guy who used something like a lame, already-broken code to transmit his stuff home.

  21. Dodgy Geezer Silver badge
    Facepalm

    What we need...

    ...are people who can solve the puzzle and NOT TALK ABOUT IT.

    The first is no problem....

  22. bobdobbs
    WTF?

    salary?

    I don't understand. Where are you guys getting the salary figures from?

    ...or does it give you that little letdown after you break the code.

    1. Anonymous Coward

      re: salary

      From the job page it eventually leads to:

      https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874

      1. bobdobbs
        Unhappy

        ah, thx.

        oh wow, that really is a kick in the nuts after the hard work of solving the code and all..

  23. Anonymous Coward

    Are you really sure about that?

    Ahem - isn't this hex "puzzle" just a PR gimmick? The real test all along was to find the backdoor (i.e. using the Google site: tag) and go through it to move right along to the next stage (the GCHQ careers page!). Mind you, the press have also done their bit flawlessly - everyone now knows what the backdoor is! Ok, a certain devious cleverness there - but I certainly wouldn't put it past 'em :).

    Usually you need a "crib" - an inspired guess, a known weakness/pattern, or some other side-channel data - to crack supposed ciphers anyway. So has anyone *genuinely* cracked the hex, explained convincingly how they did it and said what the keyword is? No? My point entirely...

    1. Anonymous Coward

      YES they did

      Several people have cracked it the long hard way. They don't need people who can figure out Google, they need people who can turn what little fragments of intel they get into usable product. Sometimes it's a cluster on a shattered hard drive that's all they have of the data and it's gotta be sussed. Some F*c*wit using a Google trick or html trick ain't any use, it's not hacking TGP p0rn links.

    2. Anonymous Coward

      @ Are you really sure about that?

      WRONG!!! Try some deadbeef ... (or rather ... ef be ad de ... ) see http://lolhax.org

      BTW, it doesn't matter if you used Google or solved it the "interesting" way - both are "useful" technique and get you there.
