GCHQ has launched a code-breaker challenge as part of its attempts to unearth fresh talent from unconventional sources. The signals intelligence agency's ‘canyoucrackit’ challenge invites would-be codebreakers to crack a visual code at canyoucrackit.co.uk. The campaign will be supported in social media channels, including blogs …
The quickest way to solve this is a quick google.
I wonder how far admitting that would get me in the process?
Not that you really need to Google...
considering that I worked it out while I was in the process of typing it out in a HEX editor.
Still, I do wonder how they deal with Google etc... How can they tell who actually worked out the code, and who just Googled it. By the end of it they may end up hiring people with good Google skills, rather than what they want...
(Not to mention, you'd want to be careful typing out binary values into your PC, you never know what they might do).
Anonymous due to GCHQ black helicopters nearby...
No, the quickest way to solve it is to show it to an autistic child in the form of a puzzle book!
Actually it seems to be 16x10.
Also if you check the source the "password" field is 16 chars.
I had a look but after translating to ascii and finding two lines "=AAAA" and "=BBBB" failed to see the next step... unless that was a red herring of course
James Bond never cracked any codes! He did crack a few skulls, but certainly no code!
So, this article leads me to believe that some 70Kg whzzkid will be running around the streets of Kiev armed with a silenced pistol knocking off bad guys.. then again perhaps on the games console as this new "James Bond" will be desk bound!
The toughest part...
Of course, the toughest part of this test, is asking yourself, "Can I live in Cheltenham and earn a fraction of what I could get elsewhere?"
Re: The toughest part...
"Of course, the toughest part of this test, is asking yourself, "Can I live in Cheltenham and earn a fraction of what I could get elsewhere?""
FWICR average pay for this job is <20K - take 6K off for travel costs and spread hourly rate over the 4+ hours travel time and you would be better off doing a couple of "would you like fries" jobs or some contract cleaning. I know of one local cleaner (surrey) who does private houses under contract and earns ~20K for what is a part time job.
Anyone applying who has hacked illegally
I would have thought these were *exactly* the people you need to recruit .....
Remember kids, it's only illegal when *you* do it!
It is only illegal when you get caught.
They are x86 op codes.
Someone on a blog has disassembled it and it looks reasonable code. There is a mov instruction of xDEADBEEF and a couple of compares with x41414141 etc.
See this link
I have not really looked at the instuctions yet, but maybe this xDEADBEEF is an input to a cipher and the answer is the result.
Or there is something encrypted in the image itself on the weppage and this is barking up the wrong tree!
oooh, nice, hadn't thought of Steganography
I think you're reading it the wrong way, it's not read across but down giving a 16 character password at the end, or at least the source code suggests a post of size 16.
Speccy kid with Asthma required for fight with a maniac in a train compartment.
Nearly chocked own my tongue reading that.....
57 20 66 68 20 67 72 6f 6e 70 66 68 20 72 67 76
66 27 6e 20 51 20 46 42 72 20 72 6b 68 70 6e 67
79 6f 2c 72 71 20 72 62 61 66 67 27 7a 20 6e 72
20 61 67 76 6a 20 79 76 20 79 68 65 0a 61 00 00
"Be sure to drink your Ovaltine"
"Anyone applying who has hacked illegally will not be eligible to continue in the recruitment process."
Pity, because judging from some of the online info about solving it so far, it is only going to be people with a very high degree of skill in hacking who are likely to decode it...
If it's 0-based.
Just one recruit?
Presumably only the first person to crack it will be eligible as after that no doubt the solution will be shared far and wide.
I would suspect that if they're the type of person to immediately publicise what they have discovered then they are not the type of person that GCHQ is looking for.
Probably he will have hacked illegally, be ineligible and have not reason not to publish.
Lots of starting points
It may be:
A varying number (like a series of happy primes) added to the ASCII value of the text
Digital stenography on the image
Hex code that will run on a particular type of processor (I'm thinking of the old hex printings in many an old computer magazine)
And a few others that are a bit more fiddly to explain.
Can't be bothered.
For anyone that can be bothered it's x86 assembly and there's a hidden piece of data hidden in the png comment which is either base64'd or uuencoded.
The x86 assembly presumably decodes the png comment and prints it out or something like that - never could be bothered learning x86 assembly.
From comments at:
I already figured it out.
And the answer's "no" - they can't afford me.
Steganography on the image led to a decription key for shell code in the hex bytes. This (compiled in the pastebins in the previous comment) returns the URL:
Which leads to part 2 of the challenge, which is to write a virtual machine compiler to run the next set of bytes to return the 3rd URL.
The Virtual machine is already written in python here:
Which leads to part 3 of the chalenge.
Page 1, Chapter 1: Thank you for purchasing this thousand page shellcode guide...
I'm actually quite impressed at the depth of knowledge required to do this. Bravo, chaps. No pandering to the "prizes for all" crowd here. Sadly :(
This site is reminiscent of Judy Susan Baker's CyberSecurityChallenge fiasco.
They are using an unencrypted website with fake domain registration information.
There's nothing to stop anyone engaged in hostile foreign surveillance (eg, like for example Phorm, Huawei, or Bluecoat to name but a few) identifying all those people who visit the site and especially those who successfully crack the code.
Genius; all your spooks are belong to us.
Remind me again, what the hell is it that GCHQ are mean to be experts in...?
why would you?
want a job with GCHQ?
Ok we'd like to offer you the job.
Great what are the benefits?
Well you'll be an HEO or SEO so pay will be around £25k
ermmmmmm, ok bit shite what about prospects?
well only 1% pay rises for the next 2 yrs and you'll need to jump through hoops to get promotion to SEO or SSO.
Ok how about health care, expense account, share options, car, etc?
Pension must be good I've heard so much about this gold plated pension.
Well it was pretty good but you'll need to find an extra 50% contribution from April and then more again next year.
Ermmmmm right I think I'll take that job in ASDA instead, I get a staff discount
Worked out the xor'ed shellcode and found the base64 string looking at the PNG in a hex editor, but using the second part in a virtual java thingy got me stumped. Pass me the script kiddy dunce hat please!
Pointless publicity stunt
Either modern encryption schemes like AES are broken (or even breakable) - in which case why don't we own the world? Or they aren't - in which case you can have all the crossword fiends in the world but there's no point.
So if all GCHQ does is listen in on SMS messages and arrest people for texting clash lyrics - I can see why they might have issues luring the best and brightest mathematicians away from the city.
hahaha. Is would be much easier and fast just to do a google search like:
it will return a link to an .js file which contain the solution. http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js
we can always count on the incompetence of MI5/6 managers and IT personnel.
I think you'll find the solution needs a bit more work than that..
Simples. Use your working on solving this (and other toys) in your CV when you apply for a real job in the private sector.
Using google search
Sometimes google can be your friend.
It doesn't give you the answer but does tell you where you'll be after you answer the question.
While there is some code breaking there, the shellcode part of it suggests they are looking for hackers or someone who can decrypt custom tools/exploits that foreign government funded hackers are using.
And the answer is:
Which takes you to:
for a crappy £25k job advert.
One of the final puzzles is to avoid the supposedly mandatory atdmt click through tracker as this third party tracker had been hacked in the past. Kudos to anyone who posts a list of those who applied broken down by browser, location etc.
If you prefer to avoid the merkins(+hackers) knowing, simply go direct to
Numeric job ids - have these muppets never heard of OWASP?
If this sort of job "tickles you boat", try applying for CYBER/SCAR/11 its the same dosh as cheltenham but based in scarborough which would allow you to rent a flat instead of having to live in a cardboard box/tent/...
Well, I couldn't work it out in the couple of hours I gave it before finding the answer posted above. On the plus side, though, I now know how to write shellcode, which should turn out to be a lot more lucrative than working for GCHQ.
So the solution page is
which leads to an application page that says:
"...whether you've got a relevant technical degree or YOU'VE DEVELOPED YOUR OWN EXPERTISE [my emphasis], you could really make a difference..."
and then expects you to send a CV demonstrating a "graduate with a minimum 2:1 degree". Human Resources strikes again!
It's a Classic ASP page? In 2011 on a site developed by supposedly the most high-tech place in the country?
Welcome to GCHQ. The time is currently 2002.
"So I did it...!"
Took about 90 seconds. Go me.
I must say I'm impressed. I thought the security services were immoral opportunists who would do and say anything to protect the country and supply suitably sexy dossiers to their masters
But that they would have the moral courage to risk the lives of British troops in foreign wars and allow Britain to come under attack from totalitarian regimes - rather than employ somebody who sneaked a look at their exam marks in school - shows really moral fibre
When you click the 'apply' button for the job it takes you to ADTMT.COM - which I block as advertising/ad-clicking/tracking/nasty piece or work/etc.
I expect that a lot of people in my line of work (Information & IT security) will get the same result - so GCHQ are asking security people to lower their security settings to enable them to apply for a job to show how good at security they are - GENIUS.
- JLaw, Upton caught in celeb nude pics hack
- Google flushes out users of old browsers by serving up CLUNKY, AGED version of search
- GCHQ protesters stick it to British spooks ... by drinking urine
- Facebook to let stalkers unearth buried posts with mobe search
- Page File Love XKCD? Love science? You'll love a book about science from Randall Munroe