A simple Google search unlocks the supposedly secret completion page to GCHQ's code-cracking competition. The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would-be code breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk …
That is all.
Set up and secured by the finest government security specialists.
Did you actually read the story?
"The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm's length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we were unable to immediately confirm this on Friday afternoon."
...by the finest government security specialists.
He was right the first time.
But that isn't funny.
I spy with my little eye.. A Guardian reader
You're really not getting the whole el Reg forum ethos are you? If you want serious debate and comment I suggest you disappear off to somewhere a lot less fun and disrespectful.
Articles read, yes.
T&Cs of 'challenge' read, yes.
I'd get my coat if I were allowed an icon, it's the one with Jeremy Clarkson's latest book in it (heavens no, not for reading, it's for planting in civil service office book sharing club stocks)
Isn't that what you get when you outsource?
They completely miss the bleedin obvious
If you add anything to the end of the URL you get a message saying you are on the right lines. For example:
I haven't tried actually cracking any code but I am doubtful there is one to crack, given the relatively low pay and recent publicity for the need of cybercrime specialists perhaps they just want people that can find back doors in websites.
25-30k per year for the "finest computer minds"
Most basic programmer jobs are 30k+ Skinflints
Well do something about it. For example, write your MP that you want to pay more taxes to get better skilled GCHQ keyboard botherers.
The "benefits" make up for the lack of direct pay. Whatever would one *do* with access to the "lawful interception interface" on the nation's network equipment - specifically the ones wired to the banks and the stock exchange?
I know of some former spooks who used their training and connections very well in their "retirement"; however that was the cold war: In these puritan times, one might end up taking a swim inside a sports-bag wearing wimmens clothes and a variety of studded rubber items ....
Does it matter?
Shirley in a world of espionage, it doesn't matter how you solve the problem, provided you solve the problem. If you can find a back-door without having to engineer something a bit complicated, then bonus points to you.
Absolutely. Stealing the plaintext is the quickest method, and is one of the proud traditions of security services everywhere. Failing that, the rubber hose method also brings results with less effort.
How did Google find the page?
Google follows links so is there a link somewhere to the success page?
Yes. Silly article.
Google could only find the page when someone had solved it and published it first, and a search for the first few bytes of the code showed many bloggers openly collaborating.
However impressive as the exercise was, and kudos to the anonymous Russians that got there first (no surprise there!), I learned a lot. It has also created thousands more shellcode crackers and VM engineers overnight.
Perhaps an unforeseen consequence, but GCHQ are going to need a bigger and better paid army now.
Or the page uses some kind of Google service like Google Analytics.
In the pub last night, this site came into the conversation. Everybody had heard of it, except for the one person in the group that works for GCHQ!
People working at GCHQ don't have a connection to the interwebs on their computers.
Perhaps they are trained
to deny any knowledge to do with their work...
I'm willing to bet...
...that very few people capable of 'cracking it' the hard way will be interested in a £25-35K a year job with GCHQ. Especially when I know for sure that there are contract staff that are coming up to their 7th year at the doughnut on £600-700 a day.
The test was not exactly hard - it can be explained in less than two paragraphs and <100 LOC but I suppose was a good example of the sort of grunt work they expect of staff.
As I said before the real test should be to obtain the info required to solve the puzzle without leaving a footprint. That includes bypassing clicktrackers and leaving fake data in the web logs during application submission. Solving puzzles is one thing - ensuring the target does not know you are on to them is just as important.
IMHO there is no direct (trustable) path back to GCHQ - anyone who applies (via the agency site) should auto-fail - those that find and use the correct email address and/or postal address should be shortlisted.
PERFECT, they found a back door. No prizes for doing it the hard way!
If the folk at Bletchley Park had not looked for a back door they would never have cracked Enigma. Hats off to the cheats, the spirit of Bletchley Park is still alive and well amongst the same kind of enthusiastic amateurs who helped win WW2. Let's hope GCHQ have learned a valuable lesson!
Hear hear. @Rick C
Finding a back door is what James Bond would have done.
All's fair in love and war and all that.
Heheh, back door.
But BP wasn't about Enigma
It was far more interested in the 'Fish' traffic that Colossus was built to crack. (http://en.wikipedia.org/wiki/Colossus_computer)
Since the nicely organised Germans were sending very regular reports to Berlin, and getting regular orders back it made working out what they were up to a lot more straight-forward.
Enigma was used 'on-the-ground' for more tactical purposes.
As for back doors I would recommend reading Paul Gannon's book: http://books.google.co.uk/books/about/Colossus.html?id=J9ezAAAACAAJ&redir_esc=y and decide for yourself what constitutes a back door.
oh yeah - all hail to the BT engineer Tommy Flowers, who did the work, insisted on using valves and used his own money (http://www.computinghistory.org.uk/det/1078/Tommy-Flowers/) to get the project working.
just have to share - here's my tiny Enigma VM in perl... pity there's no monospace, but it does survive formatting.
A virtual pint for the first person to solve it... :-)
AVWBU ISDDZ NPILY BMQEE XOUSV YDPON
CCQWR BHOPB PZOMC HUZTA TRSBV CB
#Tinigma 2010 Usage:tinigma.pl 123 rng ini "GHWVYYDVPQGEWQWVT"
$t=uc$ARGV;$t=~s/[^A-Z]//g;$b=26;$j=0;@N=qw(7 25 11 6 1);@R
Bletchley wasn't about Enigma? Colossus wasn't about Enigma, but Bletchley wasn't just Colossus. There were all those Turing Bombes, which were used to err... Crack Enigma.
Fish/Lorenz came later.
Re: Rick C
Except we expanded on the work performed by a Polish mathematician, the reality is when Enigma first came out we were completely stumped by it.
Answer to the Ultimate Question of Life, the Universe, and Everything
So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you'll help protect our nation's security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you're one of the best.
common sense not required!
Doesn't make you want to apply does it?
I found the back door too
The heroes of WWII Bletchley Park would be embarrassed if they knew.
And I agree with the point made by others that it doesn't matter how the solution is reached, either through the front door or a backdoor. And it's just crazy that GCHQ had such a big back door on their website. Hopefully they're just responsible for cracking other countries' security and not protecting our own!!!!
There was no backdoor, Google just spidered the links mentioned at http://lolhax.org/2011/12/03/can-you-crack-it/#more-114 (warning: contains answer and solution technique)
Google indexed it before the 3rd of Dec
As author of the blog post referenced in the Sophos story, the site was already indexed by Google on the 1st December. Even if others had linked to the soyoufoundit page, it's not difficult to stop Google from not indexing a page
To all those wondering how Google got it
What are the odds someone on high actually used Google Chrome or Firefox to test it worked? Since those browsers send a request to Google to verify that the site isn't malware laden, it's no great stretch to assume that it also covers discoverability and silently adding it to the index...
"007- we need to find Mr Badaffi's secret lair..."
"Ok M, oh - Google says it's just there...look."
G007LE - no evil-doers.
Let's face it ...
From a cyber security point of view we're screwed ... and if the salaries posted on the recruitment site are indicative, you'd be better off working for the bad guys ...
"you'd be better off working for the bad guys"
That really says it all. Have you truly thought that one through?
Spooks are unfortunately necessary in this day and age, and they need to be kept on a short lead by those who are publicly responsible for their actions; but to suggest that working for Blofeld would be better is just asking for a swim with the laser bedecked sharks.
So Google found the page that offers you the chance to APPLY for a position. You can rest assured that even if you used Google to find this page, it will be of little help once you're asked to demonstrate your abilities.
I really do not see what all the fuss is about.
It's an advert, not a competition
It leads to the exact same job as you get to just by going to their standard jobs page. If it was a test then it might have been a bit lacking, as an advert I'd say it's been quite successful at attracting attention.
This has happened before...
Reminds me of the frantic search for a spy in Africa by the British in WWII. Turns out they were telling stuff to some American guy who used something like a lame, already-broken code to transmit his stuff home.
What we need...
...are people who can solve the puzzle and NOT TALK ABOUT IT.
The first is no problem....
I don't understand. Where are you guys getting the salary figures from?
...or does it give you that little letdown after you break the code.
From the job page it eventually leads to:
oh wow, that really is a kick in the nuts after the hard work of solving the code and all..
Are you really sure about that?
Ahem - isn't this hex "puzzle" just a PR gimmick? The real test all along was to find the backdoor (i.e. using the Google site: tag) and go through it to move right along to the next stage (the GCHQ careers page!). Mind you, the press have also done their bit flawlessly - everyone now knows what the backdoor is! Ok, a certain devious cleverness there - but I certainly wouldn't put it past 'em :).
Usually you need a "crib" - an inspired guess, a known weakness/pattern, or some other side-channel data - to crack supposed ciphers anyway. So has anyone *genuinely* cracked the hex, explained convincingly how they did it and said what the keyword is? No? My point entirely...
YES they did
Several people have cracked it the long hard way. They don't need people who can figure out Google, they need people who can turn what little fragments of intel they get into usable product. Sometimes it's a cluster on a shattered hard drive that's all they have of the data and it's gotta be sussed. Some F*c*wit using a Google trick or HTML trick ain't any use, it's not hacking TGP p0rn links.
@ Are you really sure about that?
WRONG!!! Try some deadbeef ... (or rather ... ef be ad de ... ) see http://lolhax.org
BTW, it doesn't matter if you used Google or solved it the "interesting" way - both are "useful" techniques and get you there.