Enthusiasts claim to have already solved the first test in the Cyber Security Challenge UK hunt for would-be cyber-security experts. The challenge, consisting of a series of online and face-to-face competitions, was launched by UK security minister Baroness Neville-Jones on Monday. It is intended to inspire talented individuals …
"Those who sent cipher answers: Thx for amazing response. Lots right. Lots wrong. We will mail everyone by end week 2 confirm which they r!"
Hmm.. I have enough difficulty trying to decode that!
It's a fairly trivial task, it looked like it was base 64 encoded so after decoding it and looking at the output I noticed Exif being mentioned and after opening it in an image viewer it turned out to be an XKCD comic.
Not even half of it, sorry.
That's the first hurdle solved, keep going until you find the hidden code and the email address to which you should send it. There is a lot more to the challenge than discovering the jpeg.
I agree with Anonymous1 (I actually DO know who you are!)
The = at the end of the cipher was a massive giveaway, the fact the opening part of the resulting file had JFIF in it was the clue it was a JPG file, and loaded it up.
It's trivial though if you recognise the clues... no way I'm going to do the real challenge though!
Anonymous1 & DavyBoy79
You're wrong, and I can't tell you why.
And that is one reason why I won't be attempting to enter the real contest! :-)
.. that part is indeed trivial.. now examine the border of the image..
Perhaps the hidden message is that our government supports torture using a $5 wrench?
Not just the xkcd...
There were loads of people who thought that the solution was the xkcd image, it wasn't.
Around the border of that image was a binary message which when decoded gave you a url to the second half of the puzzle with new cyphertext
solving *that* part gave you the code you had to submit to 'win'
Although... is there something else encoded in the border of the cartoon ?
Btw it's this : http://imgs.xkcd.com/comics/security.png but with a funky (information containing?) border...
"Those who sent cipher answers: Thx for amazing response. Lots right, lots wrong"
Yep, totally easy. Looked like base64, used online decoder and bam it had a JFIF header. I expect they will have received many small jokes in the form of an image.
Has anyone gone a little further to see if there's any other hidden information, steganography techniques anyone ?
Is there, for instance, something encoded in the border of the jpeg, for instance?
Not sure why I would think that ...
There is more to the puzzle:
1. Convert the base 64 into binary and obtain the comic.
2. The comic has weird on/off bits on the edges that should be converted into binary.
3. The binary should be converted into ascii.
4. The ascii should be transformed with ROT13.
5. The resulting string is a URL of: https://cybersecuritychallenge.org.uk/834jtp.html
6. The URL contains a hex string that is the 'Real' code to be broken.
7. Use substitution and frequency analysis on two-letter combination of the alpha-numeric code... i.e. ac=E
8. The resulting message is below, I omitted the code that you are supposed to send.
C O N G R A T U L A T I O N S ! Y O U ' V E F O U N D A N D C O M P L E T E D T H E R E A L C H A L L E N G E . Y O U R W I N C O D E I S (OMITTED BY ME) P L E A S E E M A I L T H I S C O D E T O O U R T E A M A T M E D I A @ C Y B E R S E C U R I T Y C H A L L E N G E . O R G . U K . I F Y O U ' R E T H E F I R S T P E R S O N T O D O S O , A N D C A N P R O V E Y O U M E E T T H E E L I G I G I L I T Y C R I T E R I A ( B R I T I S H C I T I Z E N C U R R E N T L Y R E S I D E N T I N T H E U K ) W E W I L L G E I N T O U C H T O A D V I S E H O W T O C L A I M Y O U R P R I Z E . W E L L D O N E A N D G O O D L U C K I N T H E C Y B E R S E C U R I T Y C H A L L E N G E C O M P E T I T I O N S T A K I N G P L A C E T H R O U G H O U T T H E R E S T O F T H E Y E A R .
I am not eligible for the contest, so I did not send.
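Steps 1 to 5 of the list above, as an added example that is not part of any commenter's post or the organisers' code. The function names are hypothetical, the 8-bit, most-significant-bit-first packing of the border cells is an assumption (the thread does not state the bit order), and both sample inputs are constructed here rather than taken from the challenge image.

```python
import base64
import codecs

# A JPEG starts with the SOI marker; a JFIF or Exif tag follows within the first segment.
JPEG_SOI = b"\xff\xd8\xff"


def sniff_base64(blob: str) -> str:
    """Step 1: decode a base64 blob and classify it by its leading magic bytes."""
    raw = base64.b64decode(blob, validate=True)
    if raw.startswith(JPEG_SOI) and (b"JFIF" in raw[:32] or b"Exif" in raw[:32]):
        return "jpeg"
    return "unknown"


def bits_to_text(bits: str) -> str:
    """Steps 2-3: pack '0'/'1' border cells into ASCII (assumed 8 bits, MSB first)."""
    bits = "".join(ch for ch in bits if ch in "01")  # tolerate spaces and newlines
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    packed = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return packed.decode("ascii")


def decode_border(bits: str) -> str:
    """Steps 4-5: ROT13 the ASCII text to recover the URL."""
    return codecs.decode(bits_to_text(bits), "rot13")


# Constructed inputs: a minimal JFIF header, and the URL from step 5 run
# backwards through ROT13 and bit-unpacking to stand in for the border.
URL = "https://cybersecuritychallenge.org.uk/834jtp.html"
SAMPLE_JPEG_B64 = base64.b64encode(
    JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 9
).decode()
SAMPLE_BITS = "".join(
    f"{b:08b}" for b in codecs.encode(URL, "rot13").encode("ascii")
)

if __name__ == "__main__":
    print(sniff_base64(SAMPLE_JPEG_B64))
    print(bits_to_text(SAMPLE_BITS))
    print(decode_border(SAMPLE_BITS))
```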
I've got to the 834jtp part
Now I'm completely stuck
Seems like a waste of time to me, I've spent about an hour doing it, could have spent it productively
"Running Blind" by Desmond Bagley
concerns an electronic gizmo which was put together to waste the Russians' time, thus preventing them from analysing other Allied technology as well as working on their own.
It was some sort of mock-circuit which combined all the electronic oddities known, and was supposed to be the heart of a new-age radar system.
I wonder .......
I just solved the real problem an hour ago...
Sussed out the binary border in the image pretty easily, downloaded the string and analyzed it.
The real result can only be arrived at by computing the algorithm, but it is not DES3 or RSA.
I don't want to spoil anyone else's fun, but I can say that it contains a h4ck3d phr4se.
I'll post my solution when they announce a winner.
Yeah, I'm sure it is easy when you missed the point of the exercise completely!
This is you, this is:
"Break the seal and remove your exam paper from the envelope"
"Done! That exam was totally easy peasy!"
No, it was *not* easy!
Took a good 5 hours to solve.
Did I not pass ;-)
All I can say is
and <sigh> I've got to do some work.
They already fail
I had their RSS feed in my feed reader as it promised to update with information as it launched.
Now thanks to their incompetence, I missed opening day.
and also I mailed them way back to ask if these jobs were going to be in London.
Can't say I'm particularly impressed so far. Maybe I'll go and work for the Yanks. In fact I could do that from my desk here.
In fact, maybe I am .....
I did the registration and got a 'thanks we will get back to you' page but so far there has been no sign of any kind of confirmation email that I would normally expect, having just given over my personal details.
The site itself isn't exactly a shining light of guaranteed secureness either.
When I saw this challenge appear on the news my main reaction was "but they did this one, ages ago" - but that was just the pre-announcement I was remembering. So I didn't rush, and when I got home the next day I ended up having to STFW for it since neither CPNI nor MI5 websites had any mention of it whatsoever, and (what is supposed to be) the main gov PR service was also lacking in usefulness on the subject.
Aside from the clearly non-functioning RSS, was there a mailing-list somewhere, or was this spammed all over security-related websites (that I didn't see) a few days in advance so anyone interested would be aware of it? By the time I got to the site there was a tw*tter message on the page saying 'all submissions received' so I figured I was too late to have a go since it looked like world+dog had already solved it anyway. Turns out they were still accepting entries but by then I had already gone beyond the 'meh' stage.
Thing is, if you're having to do code-breaking then your cybersecurity has already failed - someone got in and scrambled your files and you are desperately trying to get them back. Either that or your staff can't be trusted and that isn't a cybersecurity problem anyway. Personally I'm sticking with my theory that they have staff shortages at the spook farm.
On the upside this was only driven by curiosity, not 'gizza job'.
But "Bah! Humbug!" anyway because there are 'lessons to be learned'.
Congratulations on successfully solving the first test of the Cyber Security Challenge UK. We can confirm your submission was correct!
Whilst we’re afraid you were not the first to send in your win code, very few people solved the cipher so well done on getting it right.
We intend to post a new cipher in about a month – something a bit trickier to really push you to the limits. In the mean time, please keep a watch on our website, our Twitter profile, or our Facebook page for updates and news. For all those looking for a new way to test their skills – why not sign up to one of the competitions that form part of the full Cyber Security Challenge UK: https://cybersecuritychallenge.org.uk/candidates/registration.html
We hope you enjoyed this first test – we can assure you there are many more to come.
Congratulations again on solving our first puzzle.
The Cyber Security Challenge Team
So I've done it, and I've done it right. But someone else got there first... well what does that mean?
Does the image give you a different URL each time it is loaded??? I guess if you've got nothing better to do than sit up all night until it's complete, then you win?
Now they've published the solution, here's mine:
I solved the last bit completely differently (and much more long-windedly):
- by analysing letter frequency this gave you the space, then filling these in and looking at the most common 3-letter word indicated strongly that this was 'the', giving you the t, h and e to fill in to the rest of the string.
- contextual information about letter placing gave you a lot of the other letters, but you needed the whole ascii set to get the win code.
- I ordered the ascii set in Excel by the 2nd hex character, then 1st and put in all the characters I knew. This effectively showed that their 'map' used every other character 0-255 to map the original 0-127. By ordering them in this way, every other character mapped to the 0-127 characters in order so I just filled them in, and decoded the string against my map.
This only left the d2 character (the one after Congratulations) as not being mapped, but I submitted it anyway and they said it is right.
Question is, if you decode it as they suggest, does the d2 map to something?
Points for creativity? No? I'll get my coat.
by their method, d2 maps to - but by my method it does not map! and I had - mapped to A5!!
that is the only character in the string that does not map in my method!
How I solved it too, checked for compressibility, used Photoshop to look for patterns and frequency distribution which revealed it was a substitution method, but probably not of Enigma quality!
Once I saw "the" in a couple of places, I knew I was on to something, and got the rest of the letters using a hex viewer and a Perl program to do the translation.. however, some of the chars in the win code were unique, so we needed the translation relationship which had to be 1:1. The lowest 'to' charcodes were 8x the 'from' charcodes. (<<3). As the source numbers increased, this pattern changed abruptly so something else was going on. A bit of fiddling and a few minutes later the answer just appeared like magic!
They had just swapped the top 3 and bottom 5 bits around. Very satisfying.
0xD2 == (110)(10010) ==> (10010)(110) == 0x96 == chr(150) '–' en dash in the windows charset.
Top marks for creativity... better working on these problems than watching brain mushmaking TV!
d2 and a5 map to long and short hyphens.
d2 is the only character they used from the extended ascii character set (127-255) - I only mapped 0-127.
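The 3-bit/5-bit swap discussed in the comments above, as an added example that is not any commenter's Perl program or the organisers' code. Function names are hypothetical and the sample ciphertext is constructed here; the three checked pairs (ac, a5, d2) are the ones quoted in the thread.

```python
def swap_3_5(byte: int) -> int:
    """Decode one byte: bottom 5 bits move to the top, top 3 bits to the bottom."""
    return ((byte & 0x1F) << 3) | (byte >> 5)


def unswap_3_5(byte: int) -> int:
    """Inverse mapping (encode): bottom 3 bits move to the top, top 5 to the bottom."""
    return ((byte & 0x07) << 5) | (byte >> 3)


def decode_hex(cipher_hex: str) -> str:
    """Decode a hex string of swapped bytes; the plaintext is read as Windows-1252."""
    raw = bytes.fromhex(cipher_hex)
    plain = bytes(swap_3_5(b) for b in raw)
    # A few Windows-1252 byte values are undefined, so replace rather than raise.
    return plain.decode("cp1252", errors="replace")


def encode_hex(text: str) -> str:
    """Produce cipher hex for a plaintext string (used only to build the sample)."""
    return bytes(unswap_3_5(b) for b in text.encode("cp1252")).hex()


def low_codes_are_times_eight() -> bool:
    """Cipher bytes below 32 have no top bits set, so the swap is just << 3 (x8).

    From 32 upward the top 3 bits wrap into the low end, which is the abrupt
    change in the pattern that the comment describes.
    """
    return all(swap_3_5(c) == c * 8 for c in range(32))


def is_one_to_one() -> bool:
    """A bit permutation is a bijection on 0..255, so every code is recoverable."""
    return len({swap_3_5(b) for b in range(256)}) == 256


# Constructed sample, not the challenge ciphertext.
SAMPLE_HEX = encode_hex("the win code \u2013 example")

if __name__ == "__main__":
    for pair in ("ac", "a5", "d2"):
        print(pair, "->", repr(decode_hex(pair)))
    print(decode_hex(SAMPLE_HEX))
```

Because 0xD2 decodes to 0x96, which is outside 7-bit ASCII, a table built only over 0-127 leaves that one byte unmapped, as the earlier comment found.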