back to article GCHQ code-breaking challenge cracked by Google search

A simple Google search unlocks the supposedly secret completion page to GCHQ's code-cracking competition. The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would-be code breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk …

COMMENTS

This topic is closed for new posts.

Silver badge

DOH!

That is all.

1
1
Anonymous Coward

Set up and secured by the finest government security specialists.

13
4
Anonymous Coward

Good one

Did you actually read the story?

"The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm's length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we were unable to immediately confirm this on Friday afternoon."

3
4

This post has been deleted by its author

Facepalm

Outsourced

...by the finest government security specialists.

He was right the first time.

5
1
Bronze badge

But that isn't funny.

1
0
Anonymous Coward

I spy with my little eye.. A Guardian reader

You're really not getting the whole el Reg forum ethos are you? If you want serious debate and comment I suggest you disappear off to somewhere a lot less fun and disrespectful.

Articles read, yes.

T&Cs of 'challenge' read, yes.

Pisstake, YES.

Attack, no.

I'd get my coat if I were allowed an icon, it's the one with Jeremy Clarkson's latest book in it (heavens no, not for reading, it's for planting in civil service office book sharing club stocks)

1
5
N2

Outsource?

Isn't that what you get when you outsource?

They completely miss the bleedin obvious

0
0

If you add anything to the end of the URL you get a message saying you are on the right lines. For example:

www.canyoucrackit.co.uk/winner

I haven't tried actually cracking any code but I am doubtful there is one to crack. Given the relatively low pay and recent publicity for the need of cybercrime specialists, perhaps they just want people that can find back doors in websites.

2
0
Anonymous Coward

25-30k per year for the "finest computer minds"

Most basic programmer jobs are 30k+. Skinflints.

1
0
Holmes

"Skinflints"

Well do something about it. For example, write your MP that you want to pay more taxes to get better skilled GCHQ keyboard botherers.

3
0
Gimp

The "benefits" make up for the lack of direct pay. Whatever would one *do* with access to the "lawful interception interface" on the nation's network equipment - specifically the ones wired to the banks and the stock exchange?

I know of some former spooks who used their training and connections very well in their "retirement"; however that was the cold war: In these puritan times, one might end up taking a swim inside a sports-bag wearing wimmens clothes and a variety of studded rubber items ....

0
1
Holmes

Does it matter?

Shirley in a world of espionage, it doesn't matter how you solve the problem, provided you solve the problem. If you can find a back-door without having to engineer something a bit complicated, then bonus points to you.

18
1
PT

Absolutely. Stealing the plaintext is the quickest method, and is one of the proud traditions of security services everywhere. Failing that, the rubber hose method also brings results with less effort.

0
0
Bronze badge

How did Google find the page?

Google follows links so is there a link somewhere to the success page?

4
2
Anonymous Coward

Yes. Silly article.

Google could only find the page when someone had solved it and published it first, and a search for the first few bytes of the code showed many bloggers openly collaborating.

However impressive as the exercise was, and kudos to the anonymous Russians that got there first (no surprise there!), I learned a lot. It has also created thousands more shellcode crackers and VM engineers overnight.

Perhaps an unforeseen consequence, but GCHQ are going to need a bigger and better paid army now.

5
1
Boffin

Or the page uses some kind of Google service like Google Analytics.

0
0
Meh

Probably not

In the pub last night, this site came into the conversation. Everybody had heard of it, except for the one person in the group that works for GCHQ!

3
0
Anonymous Coward

That's because

people working at GCHQ don't have a connection to the interwebs on their computers.

0
0
Black Helicopters

Perhaps they are trained

to deny any knowledge to do with their work...

0
0

I'm willing to bet...

...that very few people capable of 'cracking it' the hard way will be interested in a £25-35K a year job with GCHQ. Especially when I know for sure that there are contract staff that are coming up to their 7th year at the doughnut on £600-700 a day.

10
0

GCHQ fail

The test was not exactly hard - it can be explained in less than two paragraphs and <100 LOC but I suppose was a good example of the sort of grunt work they expect of staff.

As I said before, the real test should be to obtain the info required to solve the puzzle without leaving a footprint. That includes bypassing clicktrackers and leaving fake data in the web logs during application submission. Solving puzzles is one thing - ensuring the target does not know you are on to them is just as important.

IMHO there is no direct (trustable) path back to GCHQ - anyone who applies (via the agency site) should auto-fail - those that find and use the correct email address and/or postal address should be shortlisted.

2
0

PERFECT, they found a back door. No prizes for doing it the hard way!

If the folk at Bletchley Park had not looked for a back door they would never have cracked Enigma. Hats off to the cheats, the spirit of Bletchley Park is still alive and well amongst the same kind of enthusiastic amateurs who helped win WW2. Let's hope GCHQ have learned a valuable lesson!

Rick

20
0
Bronze badge

Hear hear. @Rick C

Finding a back door is what James Bond would have done.

All's fair in love and war and all that.

1
0
Angel

Heheh, back door.

4
0

But BP wasn't about Enigma

It was far more interested in the 'Fish' traffic that Colossus was built to crack. (http://en.wikipedia.org/wiki/Colossus_computer)

Since the nicely organised Germans were sending very regular reports to Berlin, and getting regular orders back it made working out what they were up to a lot more straight-forward.

Enigma was used 'on-the-ground' for more tactical purposes.

As for back doors I would recommend reading Paul Gannon's book: http://books.google.co.uk/books/about/Colossus.html?id=J9ezAAAACAAJ&redir_esc=y

and decide for yourself what constitutes a back door.

ttfn

oh yeah - all hail to the BT engineer Tommy Flowers, who did the work, insisted on using valves and used his own money (http://www.computinghistory.org.uk/det/1078/Tommy-Flowers/) to get the project working.

1
0
Anonymous Coward

Enigma? :)

just have to share - here's my tiny Enigma VM in perl... pity there's no monospace, but it does survive formatting.

A virtual pint for the first person to solve it... :-)

AVWBU ISDDZ NPILY BMQEE XOUSV YDPON

CCQWR BHOPB PZOMC HUZTA TRSBV CB

#!/usr/bin/perl
#Tinigma 2010 Usage:tinigma.pl 123 rng ini "GHWVYYDVPQGEWQWVT"
($n,$o,$p)=map(ord()-65,split//,uc$ARGV[1]);($z,$y,$x)=map(ord
()-65,split//,uc$ARGV[2]);($l,$m,$r)=map$_-1,split//,$ARGV[0];
$t=uc$ARGV[3];$t=~s/[^A-Z]//g;$b=26;$j=0;@N=qw(7 25 11 6 1);@R
=('EKMFLGDQVZNTOWYHXUSPAIBRCJ'x3,'AJDKSIRUXBLHWTMCQGZNPYFVOE'x
3,'BDFHJLCPRTXVZNYEIWGAKMUSQO'x3,'ESOVPZJAYQUIRHXLNFTGKDCMWB'x
3,'VZBRGITYUPSDNHLXAWMJQOFECK'x3,'YRUHQSLDPXNGOKMIEBFZCWVJAT'x
3);@t=split//,$t;for$v(@R){$i=0;for(split//,$v){$c=ord()-65;$F
[$j][$i]=$c;$R[$j][$c+$b*int($i/$b)]=$i%$b;$i++}$j++}@S=@{$F[5
]};$f=$y==$F[$m][$N[$m]]?1:0;$i=0;for(@t){if($f){$y++;$y%=$b;$
z++;$z%=$b;$f=0}if($x==$F[$r][$N[$r]]){$y++;$y%=$b;if($y==$F[$
m][$N[$m]]){$f=1}}$x++;$x%=$b;$e.=chr(($R[$r][$R[$m][$R[$l][$S
[$F[$l][$F[$m][$F[$r][ord($_)-39+$x-$n]-$x+$n+$y-$o]-$y+$o+$z-
$p]-$z+$p]+$z-$p]-$z+$p+$y-$o]-$y+$o+$x-$n]-$x+$n)%$b+65)}
print"$e\n"

0
0
Anonymous Coward

@Paul Murphy

Bletchley wasn't about Enigma? Colossus wasn't about Enigma, but Bletchley wasn't just Colossus. There were all those Turing Bombes, which were used to err... Crack Enigma.

Fish/Lorenz came later.

0
0
Anonymous Coward

Re: Rick C

Except we expanded on the work performed by a Polish mathematician, the reality is when Enigma first came out we were completely stumped by it.

0
0
Coat

Answer to the Ultimate Question of Life, the Universe, and Everything

Forty-two

1
2
FAIL

http://canyoucrackit.co.uk/soyoudidit.asp

So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you'll help protect our nation's security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you're one of the best.

i lol'd

3
0
FAIL

common sense not required!

Doesn't make you want to apply does it?

0
0
FAIL

I found the back door too

The code to unlock it is in javascript which seems pretty daft on top of the winning page being a static page. Surely they were being this daft intentionally? Mind you, as they're only paying a £28K salary to the winning applicant they aren't exactly going to great efforts to attract the smartest brains out there.

The heroes of WWII Bletchley Park would be embarrassed if they knew.

And I agree with the point made by others that it doesn't matter how the solution is reached, either through the front door or a backdoor. And it's just crazy that GCHQ had such a big back door on their website. Hopefully they're just responsible for cracking other countries' security and not protecting our own!!!!

0
0

There was no backdoor, Google just spidered the links mentioned at http://lolhax.org/2011/12/03/can-you-crack-it/#more-114 (warning: contains answer and solution technique)

1
0

Google indexed it before the 3rd of Dec

As author of the blog post referenced in the Sophos story, the site was already indexed by Google on the 1st December. Even if others had linked to the soyoufoundit page, it's not difficult to stop Google from not indexing a page

0
0
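
An added example, not part of any post above and not the challenge site's code: the comments describe a JavaScript-side unlock check in front of a static completion page that a search engine could index. A server-side version of that gate, assuming a hypothetical `/check` endpoint, a placeholder keyword and a cookie named `solved`:

```javascript
// Added example, not the challenge site's code.
const crypto = require("crypto");

// Constructed placeholder; only a hash of the keyword lives on the server.
const KEYWORD_HASH = crypto.createHash("sha256").update("example-keyword").digest();
const SIGNING_KEY = crypto.randomBytes(32); // per-process key for solved-tokens
const TOKEN_TTL_MS = 10 * 60 * 1000;
const NO_INDEX = { "X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store" };

const sign = (exp) => crypto.createHmac("sha256", SIGNING_KEY).update(exp).digest("hex");

// Hash first so both buffers are 32 bytes, then compare in constant time.
function keywordMatches(submitted) {
  const h = crypto.createHash("sha256").update(String(submitted)).digest();
  return crypto.timingSafeEqual(h, KEYWORD_HASH);
}

// Token is "<expiry-ms>.<hmac>"; issued only after a correct submission.
function issueToken(now = Date.now()) {
  const exp = String(now + TOKEN_TTL_MS);
  return `${exp}.${sign(exp)}`;
}

function tokenValid(token, now = Date.now()) {
  const m = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(String(token));
  if (!m) return false;
  const ok = crypto.timingSafeEqual(Buffer.from(m[2]), Buffer.from(sign(m[1])));
  return ok && Number(m[1]) > now;
}

// Pure handler returning {status, headers, body}; wire it into any HTTP server.
function handle({ method, path, form = {}, cookie = "" }) {
  if (method === "POST" && path === "/check") {
    if (!keywordMatches(form.keyword)) {
      return { status: 403, headers: NO_INDEX, body: "Wrong keyword" };
    }
    const setCookie = `solved=${issueToken()}; HttpOnly; Secure; SameSite=Strict`;
    const headers = { ...NO_INDEX, Location: "/soyoudidit.asp", "Set-Cookie": setCookie };
    return { status: 303, headers, body: "" };
  }
  if (method === "GET" && path === "/soyoudidit.asp") {
    const m = /(?:^|;\s*)solved=([^;]+)/.exec(cookie);
    // Without a valid token the page looks like any other missing URL.
    if (!m || !tokenValid(m[1])) return { status: 404, headers: NO_INDEX, body: "Not found" };
    return { status: 200, headers: NO_INDEX, body: "So you did it. Well done!" };
  }
  return { status: 404, headers: NO_INDEX, body: "Not found" };
}
```

With this shape a crawler that learns the URL from a blog link receives a 404, and the `X-Robots-Tag` header keeps even legitimately served responses out of the index.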

To all those wondering how Google got it

What are the odds someone on high actually used Google Chrome or Firefox to test it worked? Since those browsers send a request to Google to verify that the site isn't malware laden, it's no great stretch to assume that it also covers discoverability and silently adding it to the index...

0
1
Silver badge
Happy

"007- we need to find Mr Badaffi's secret lair..."

"Ok M, oh- Google says it's just there...look."

1
0
Silver badge
Go

G007LE - no evil-doers.

1
0
Unhappy

Let's face it ...

From a cyber security point of view we're screwed ... and if the salaries posted on the recruitment site are indicative, you'd be better off working for the bad guys ...

0
0
Silver badge

Sir

"you'd be better off working for the bad guys"

That really says it all. Have you truly thought that one through?

Spooks are unfortunately necessary in this day and age, and they need to be kept on a short lead by those who are publicly responsible for their actions; but to suggest that working for Blofeld would be better is just asking for a swim with the laser bedecked sharks.

0
0
Stop

So what...

So Google found the page that offers you the chance to APPLY for a position. You can rest assured that even if you used Google to find this page, it will be of little help once you're asked to demonstrate your abilities.

I really do not see what all the fuss is about.

0
0
Silver badge

It's an advert, not a competition

It leads to the exact same job as you get to just by going to their standard jobs page. If it was a test then it might have been a bit lacking, as an advert I'd say it's been quite successful at attracting attention.

3
0

This has happened before...

Reminds me of the frantic search for a spy in Africa by the British in WWII. Turns out they were telling stuff to some American guy who used something like a lame, already-broken code to transmit his stuff home.

0
0
Silver badge
Facepalm

What we need...

...are people who can solve the puzzle and NOT TALK ABOUT IT.

The first is no problem....

0
0
WTF?

salary?

I don't understand. Where are you guys getting the salary figures from?

...or does it give you that little letdown after you break the code.

0
0
Anonymous Coward

re: salary

From the job page it eventually leads to:

https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874

0
0
Unhappy

ah, thx.

oh wow, that really is a kick in the nuts after the hard work of solving the code and all..

0
0
Anonymous Coward

Are you really sure about that?

Ahem - isn't this hex "puzzle" just a PR gimmick? The real test all along was to find the backdoor (i.e. using the Google site: tag) and go through it to move right along to the next stage (the GCHQ careers page!). Mind you, the press have also done their bit flawlessly - everyone now knows what the backdoor is! Ok, a certain devious cleverness there - but I certainly wouldn't put it past 'em :).

Usually you need a "crib" - an inspired guess, a known weakness/pattern, or some other side-channel data - to crack supposed ciphers anyway. So has anyone *genuinely* cracked the hex, explained convincingly how they did it and said what the keyword is? No? My point entirely...

0
2
Anonymous Coward

YES they did

Several people have cracked it the long hard way. They don't need people who can figure out Google; they need people who can turn what little fragments of intel they get into usable product. Sometimes it's a cluster on a shattered hard drive that's all they have of the data and it's gotta be sussed. Some F*c*wit using a Google trick or HTML trick ain't any use; it's not hacking TGP p0rn links.

2
2
Anonymous Coward

@ Are you really sure about that?

WRONG!!! Try some deadbeef ... (or rather ... ef be ad de ... ) see http://lolhax.org

BTW, it doesn't matter if you used Google or solved it the "interesting" way - both are "useful" techniques and get you there.

0
0
