MetaFilter posts tagged with cryptography

AES à la XKCD

Electric Dragon — Sat, 26 Sep 2009 09:29:32 -0800

A stick figure guide to the Advanced Encryption Standard. [via Bruce Schneier]

The XKCD Puzzle

zarq — Mon, 21 Sep 2009 19:47:11 -0800

XKCD author Randall Munroe appears to have left a neat little cryptographic puzzle for Reddit users in his new book. They're trying to decipher it.

Thomas and the cipher

caddis — Thu, 02 Jul 2009 07:43:18 -0800

Thomas Jefferson's cipher message from Robert Patterson For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.... To Mr. Patterson's view, a perfect code had four properties: It should be adaptable to all languages; it should be simple to learn and memorize; it should be easy to write and to read; and most important of all, "it should be absolutely inscrutable to all unacquainted with the particular key or secret for decyphering." "In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events..."

"It was beautiful, kind of like abstract art"

subbes — Wed, 16 Jul 2008 11:08:38 -0800

In March 2007, the FermiLab Office of Public Affairs in Batavia, IL "received a curious message in code" via USPS. In May 2008, scientists posted a facsimile image of the letter to their blog in the hopes of soliciting cryptologists to decipher the letter. A partial solution began to appear by the very next day. Geoff Milburn (creator of the Homebrew Air Conditioner and employee of the Canadian Space Agency) noted that the first and last paragraphs appeared to be in base-3 and base-2, and got to work. By the 17th, he had experimented with possible mappings and reached a solution. Meanwhile, John Graham-Cumming whipped up a Perl program to experiment with the mappings and posted his Perl-decrypted version. The text? "FRANK SHOEMAKER WOULD CALL THIS NOISE," and "EMPLOYEE NUMBER BASSE SIXTEEN." Two months later, the central paragraph remains unsolved, and a Chicago Tribune article has rekindled the web's interest, and spread work and comments on the mystery through blogs and forums. Too simple for you? Well, there's work still to be done on the Zodiac Killer's November 8 1969 cryptogram, the CIA's Kryptos sculpture (previously), the Voynich Manuscript (previously) and the Shugborough House Shepherd's monument inscription. And of course, there's always the Mayday Mystery (previously and previously).

¡Atención!", "1234567890"

rongorongo — Mon, 30 Jun 2008 06:31:28 -0800

Find a short wave radio and before long you should be able to tune into The Lincolnshire Poacher - the station plays an introduction comprising part of the eponymous folk tune followed by a robotic female voice reading strings of numbers: listen! So called Numbers Stations have been a mysterious constant of short wave radio for several decades. The Conet Project [previously 1, 2, 3] has made a collection of the recordings available allowing you to listen to "Ready! Ready! 15728", "The Buzzer" (especially mysterious), "Gong Station Chimes", "Magnetic Fields" and many others.... Nobody will admit to owning or running these stations - but, since the 70s, a small community of followers has been gathering information on them in sites like Spynumbers, in books like Simon Mason's "Secret Signals" and as samples that have made their way into tracks like "Gyroscope" from the Boards of Canada. NPR recorded the spooky "Shortwave Numbers Mystery" and The Washington Post profiled Londoner Akin Fernandez who was behind the Conet CDs. The most credible theory is that the stations are for the benefit of spies (for MI6 in the case of the Lincolnshire Poacher) and that they are broadcasting messages for use with one time pads. In the UK, by the way, you are breaking the law by listening to these transmissions - and, as a spokesperson from the British ministry of defence said (quoted by Wired), "These [numbers stations] are what you suppose they are - people shouldn't be mystified by them. They're not, shall we say, for public consumption." That's OK then. Message ends.

15 bits of crypto should be enough for anybody

finite — Fri, 16 May 2008 22:01:42 -0800

On May 13, security advisories published by Debian and Ubuntu revealed that, for over a year, their OpenSSL libraries have had a major flaw in their CSPRNG, which is used by key generation functions in many widely-used applications, which caused the "random" numbers produced to be extremely predictable. [lolcat summary] How bad is it? It's pretty bad. Understand that these keys are used not only for encryption, but also for authentication. The keyspace has been reduced to a mere 32,768 possibilities, and you can already download them all, along with tools to use them. Worse still, in the days before the issue became publicly known, there was a noticeable spike in the number of brute-force attacks on SSH servers, indicating that there has already been significant exploitation of this vulnerability. Partial timeline of events: In May 2006, a bug led to a question which led to the fateful patch being applied to md_rand.c (in Debian's "unstable" development branch). In April 2007, Debian 4.0 "etch" and Ubuntu 7.04 were both released, which was the beginning of the inclusion of the buggy version of OpenSSL in officially-released distributions. The bug remained unfixed through the releases of Ubuntu 7.10 and 8.04. On May 7, 2008, the patch to fix the problem was committed to Debian's source repository, and on May 13 the issue was officially disclosed and updated packages were made available to users. (The patch's availability days before public disclosure of the bug appears to be a violation of Debian's policy.) Here are some responses from Debian blogs, and two from an OpenSSL developer.

Amazing discoveries in plain-text Tor exit traffic.

Anything — Tue, 04 Dec 2007 18:04:45 -0800

This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes. Egerstad ran exit nodes on the Tor anonymity network, used as links from the network to the rest of the world. He looked at the traffic going through his nodes and found that many users were logging in to sensitive accounts without using end-to-end encryption. From the Sydney Morning Herald article:

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails. If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking. So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority." Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers - and perhaps intelligence services - across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."

He later removed the information from his blog, says the hard drives are "long gone"; also, there don't appear to be any public mirrors of the data. Nonetheless, the incident got him arrested and his hardware confiscated. One curious angle in this story is the question of which of the plain-text logins sniffed by Egerstad were made by unauthorized third party attackers instead of unwitting legitimate users.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown. "The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."

Here's Bruce Schneier's commentary on the case. Here's the Tor FAQ, which tells you what it's good for and how to use it properly.

Cryptome Shutdown

homunculus — Tue, 01 May 2007 20:48:44 -0800

Cryptome Shutdown by Verio/NTT. Who Killed Cryptome.org?

BETWEEN SUBTLE SHADING AND THE ABSENCE OF LIGHT LIES THE NUANCE OF IQLUSION

goodnewsfortheinsane — Sun, 03 Dec 2006 11:52:33 -0800

If you work at Langley and you need a break from actual intelligence gathering, you can always try to crack the code to the sculpture right outside the cafeteria window. Kryptos is a sculpture by James Sanborn located on the CIA grounds which contains a four-part coded message: sections 1-3 have been solved (with Sanborn admitting he made a typo in section 2). Perhaps you'd like to join Elonka (and the hive mind) in having a go at section 4.

Things you didn't know about Bruce Schneier. They are on the internet, so they must be true.

chunking express — Wed, 16 Aug 2006 10:59:26 -0800

"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

Number stations

caddis — Wed, 09 Aug 2006 16:22:42 -0800

Project Evil - Number stations appear on VoIP and it just seems very mysterious. Slashdot picks up the story. Now all is revealed.

Englandspiel - or 'Germany Game'

goodnewsfortheinsane — Sun, 06 Aug 2006 15:46:23 -0800

Secret agent Huub Lauwers was parachuted into occupied Holland in 1941 to relay intelligence back to London. His capture by the Germans marked the beginning of the Englandspiel, a deadly game of cat-and-mouse intelligence that cost the lives of over fifty agents. Lauwers frantically tried to inform the SOE that he had been caught, but the Baker Street Irregulars just didn't get it. Or did they? [more inside]

Enigma no more!

blahblahblah — Mon, 27 Feb 2006 16:50:33 -0800

A previously unbroken Enigma code has been solved by a group of hackers. After just over a month of effort, the M4 group, using distributed computing, cracked a 60 year-old German naval code. The message: "Forced to submerge during attack." There are lots of other interesting historical codes that still remain mysteries, however. Lots of Enigma goodness in an earlier post.

Handwritten Real-World Cryptogram?

tranquileye — Sat, 11 Feb 2006 04:44:40 -0800

Linda Rayburn and her son Michael Berry were brutally murdered by her husband, David Rayburn, on February 3rd, 2004. Rayburn then hanged himself in the basement of their home, leaving behind a handwritten cryptogram.

Le chiffre indéchiffrable

Plutor — Tue, 05 Jul 2005 05:49:54 -0800

Plgjoekz xh jiw lwe zqsd meecebefi aqxaxgw xb pzchiottazlq (pbq kvqetnpavckxg) fqrut fegqeifrm nvednsvu ix xzt 9hu kifiuea, efijn dnzx gu tug Vskwcsem gaehrt ic qahogbvaquggd. Lpsxgr li Nxgrpebi vxr awx acvrpt dlw rwcpij (we qgvopgesq i wlgoaieb tgamnttzpbrvim gaevrz), Kadvnp Bkxahhn Jidpsb jan hgcs fw gwcthtiow wpfyqij, xn 1553. Oglkwg'h wzxpwbeavadmgc vnzrwhsrf tri hdkrz sx ihr valydp frkxs ihnv wkw kfinvhwgeq dy dlw dpiqsmh kra pbsygsfamgc os vhyww ivnb gsbe ogfyvw wwz, irv uoe vho jaggg bmet ia uefif wialvws yrcrc, ef jboziszaone msvt qbcpv qe huen. Gzpfymw Tpbocgo wmrqrawxjlya cbeuzsq Dmytnrte psj ivr Jvaiifj devacu gpi Ugizgax Asg, phb ml laf mezx ktqemx mctvn Fbmwsfvkl Cpsvpsum jtjripws hvu moxzdr n liupdr nadij, xb 1863. Gpi hdllclzlsqsgqg uxpugrc, wmrv na xzxs bpe, biepwa wrw df gje veki qblik qrrckkfdt pl i psnprtsyr oxhuwyl p cbopexwg.

Herbert O. Yardley and the Birth of American Codebreaking

matteo — Fri, 22 Apr 2005 08:47:07 -0800

The Reader of Gentlemen's Mail In the spring of 1919, when the father of American cryptography, Herbert O. Yardley, drew up a plan for a permanent State Department codebreaking organization — a "black chamber — he estimated that a modest $100,000 a year would buy a chief (Yardley) and fifty clerks and cryptanalysts. Yardley rented a three-story building in New York City: on East 38th Street just off Fifth Avenue, he put two dozen people to work under civilian cover—as the Code Compiling Company. His summary dismissal happened in 1929 at the hand of incoming Secretary of State Henry Stimson, who closed down the Cipher Bureau with the casual observation that "gentlemen do not read each other's mail". The son of a railroad telegrapher, a man with a lively Jazz Age interest in money, good-looking women, and drinks at five, Yardley not only taught his country how to read other people's mail but wrote two of the enduring American books—the memoir The American Black Chamber (1931), and The Education of a Poker Player (1957).

Get out your stethoscopes!

painquale — Thu, 27 Jan 2005 03:55:40 -0800

Learn to Safecrack! [pdf] Last year, computer scientist and cryptologist Matt Blaze drew ire from the locksmithing community for publically revealing information on how to create the master key to a lock (previous MetaFilter discussion). He's back with a paper on cracking safes. Once again, locksmiths are up in arms over Blaze's disregard of trade secrets. Apparently, safes adhere to the principle of security through obscurity rather than Kerckhoff's Law. [via]

Rongorongo!

Ogre Lawless — Mon, 19 Jan 2004 14:04:17 -0800

Rongorongo! Say it twice -- don't it feel nice? Most people think of the enigmatic maoi when they think of Easter Island but an equally vexing mystery is found in twenty-six wooden objects which contain pictographic symbols comprising...what? A language? A mnemomic system for recording stories now long forgotten? A resource for modern primitives' tribal tatoos? We could ask, but the authors are long-gone -- the victims of hard times -- leaving only a few tablets and a bunch of carved stone to puzzle over.

It was just a matter of time...

DailyBread — Wed, 10 Dec 2003 23:54:02 -0800

26 year old student finds largest known prime number. The number is 6,320,430 digits long and would need 1,400 to 1,500 pages to write out. It is more than 2 million digits larger than the previous largest known prime number. Why? What use is it? How can knowing the next highest prime number be of any benefit?

One word: Cryptography.
Prime numbers are essential in producing keys for cryptography.

The Alice and Bob After Dinner Speech

thebabelfish — Sat, 25 Oct 2003 20:04:53 -0800

There comes a time when people at a technical conference like this need something more relaxing. A change of pace. A shift of style. To put aside all that work stuff and think of something refreshingly different. So let's talk about coding theory.

Navajo Code Talkers

taz — Wed, 22 Jan 2003 06:54:22 -0800

You've probably heard of the WWII Navajo "code talkers" who managed to baffle crack Japanese cryptanalysts and were credited with enabling US success at Iwo Jima. Civil engineer, journalist and photographer Philip Johnston was the determined mind behind the "windtalkers". The son of missionaries, Johnston grew up on a Navajo reservation and was one of only a handful of outsiders fluent in the Navajo language. A bit of his background is included this article, and you can read a complete history of his plan, view an archive of photos by Johnston, and see copies of his enlistment application letter to the Marine Corps commandant, as well as a recommendation letter from the Commanding General. (more inside...)

andrew cooke — Mon, 16 Sep 2002 04:06:27 -0800

AES may have been broken. The new standard in crypto, AES, and other algorithms, appear to be vulnerable to xsl. This is not a practical attack, yet, but if you're interested in crypto it's fascinating (and shocking) news.

kaefer — Wed, 15 May 2002 20:32:10 -0800

Fun with Fingerprint Readers. A Japanese cryptoanalyst recently found that he could reliably fool biometric fingerprint scanners using only gelatin like that found in gummy bears. Not only could he create a fake finger using the original, he was also successful in fooling the scanners based on a gelatin mold of a fingerprint lifted from a piece of glass.

shagoth — Tue, 16 Apr 2002 07:15:35 -0800

How to Think About Security from Bruce Schneier's Cryptogram. It's a brief discussion with a five point filter to use when evaluating security measures. Good food for thought and best of all, he echos many things I've already spouted off about airport security...

skallas — Fri, 21 Sep 2001 13:26:17 -0800

Crypto guru getting blamed for his software. PGP writer Phil Zimmermann's hate mail goes a little something like this, "Phil -- I hope you can sleep at night with the blood of 5,000 people on your hands." If Phil is guilty of anything so is everyone who has ever used their credit card online, including Mr. Hate Mail.