back to article GCHQ code-breaking challenge cracked by Google search

A simple Google search unlocks the supposedly secret completion page to GCHQ's code-cracking competition. The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would be code breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Set up and secured by the finest government security specialists.

  2. ElNumbre
    Holmes

    Does it matter?

    Shirley in a world of espionage, it doesn't matter how you solve the problem, provided you solve the problem. If you can find a back-door without having to engineer something a bit complicated, then bonus points to you.

  3. Fuzz

    How did Google find the page?

    Google follows links so is there a link somewhere to the success page?

  4. Gordon 10 Silver badge

    DOH!

    That is all.

  5. advocate

    if you add anything to the end of the URL you get a message saying you are on the right lines. for example:

    www.canyoucrackit.co.uk/winner

    I haven't tried actually cracking any code but I am doubtful there is one to crack, given the relatively low pay and recent publicity for the need of cybercrime specialists perhaps they just want people that can find back doors in websites.

    1. Anonymous Coward
      Anonymous Coward

      Yes. Silly article.

      Google could only find the page when someone had solved it and published it first, and a search for the first few bytes of the code showed many bloggers openly collaborating.

      However impressive as the exercise was, and kudos to the anonymous Russians that got there first (no surprise there!), I learned a lot. it has has also created thousands more shellcode crackers and VM engineers overnight.

      Perhaps an unforeseen consequence, but GCHQ are going to need a bigger and better paid army now.

    2. Anonymous Coward
      Anonymous Coward

      Good one

      Did you actually read the story?

      "The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm's length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we unable to immediately confirm this on Friday afternoon."

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          I spy with my little eye.. A Guardian reader

          You're really not getting the whole el Reg forum ethos are you? If you want serious debate and comment I suggest you disappear off to somewhere a lot less fun and disrespectful.

          Articles read, yes.

          T&Cs of 'challenge' read, yes.

          Pisstake, YES.

          Attack, no.

          I'd get my coat if I were allowed an icon, it's the one with Jeremy Clarkson's latest book in it (heavens no, not for reading, it's for planting in civil service office book sharing club stocks)

      2. Anonymous Coward
        Facepalm

        Outsourced

        ...by the finest government security specialists.

        He was right the first time.

      3. John Bailey

        But that isn't funny.

      4. N2 Silver badge

        Outsource?

        Isnt that what you get when you outsource?

        They completely miss the bleedin obvious

    3. Anonymous Coward
      Anonymous Coward

      25-30k per year for the "finest computer minds"

      Most basic programmer jobs are 30k+ Skinflints

      1. Marvin the Martian
        Holmes

        "Skinflints"

        Well do something about it. For example, write your MP that you want to pay more taxes to get better skilled GCHQ keyboard botherers.

      2. fajensen Silver badge
        Gimp

        The "benefits" make up for the lack of direct pay. Whatever would one *do* with access to the "lawful interception interface" on the nations network equipment - specifically the ones wired to the banks and the stock exchange?

        I know of some former spooks who used their training and connections very well in their "retirement"; however that was the cold war: In these puritan times, one might end up taking a swim inside a sports-bag wearing wimmens clothes and a variety of studded rubber items ....

    4. PT

      Absolutely. Stealing the plaintext is the quickest method, and is one of the proud traditions of security services everywhere. Failing that, the rubber hose method also brings results with less effort.

    5. Rob - Denmark
      Boffin

      Or the page uses some kind of Google service like Google Analytics.

  6. Ol'Peculier
    Meh

    Probably not

    In the pub last night, this site came into the conversation. Everybody had heard of it, except for the one person in the group that works for GCHQ!

    1. Anonymous Coward
      Anonymous Coward

      That's because

      people working at GCHQ don't have a connection to the interwebs on their computers.

    2. Madboater
      Black Helicopters

      Perhaps they are trained

      to deny any knowledge to do with their work...

  7. Tim Nicholls

    I'm willing to bet...

    ...that very few people capable of 'cracking it' the hard way will be interested in a £25-35K a year job with GCHQ. Especially when I know for sure that there are contract staff that are coming up to their 7th year at the doughnut on £600-700 a day.

  8. Jacqui

    GCHQ fail

    The test was not exactly hard -it can be explained in less that two paragraphs and <100 LOC but I suppose was a good example of the sort of grunt work they expect of staff.

    As I said before the real test should be to obtain the info required to solve the puzzle without leaving a footprint. That includes bypassing clicktrackers and leaving fake data in the web logs

    during application submission Solving puzzles is one thing - ensuring the target does not know you are on to them just as important .

    IMHO there is no direct (trustable) path back to GCHQ - anyone who applies (via the agency site) should auto-fail - those that find and use the correct email address and/or postal address should be shortlisted.

  9. Rick C

    PERFECT, they found a back door. No prizes for doing it the hard way!

    If the folk at Bletchley Park had not looked for a back door they would never have cracked Enigma. Hats off to the cheats, the spirit of Bletchley Park is still alive and well amongst the same kind of enthusiastic amateurs who helped win WW2. Let's hope GCHQ have learned a valuable lesson!

    Rick

    1. Wensleydale Cheese Silver badge

      Hear hear. @Rick C

      Finding a back door is what James Bond would have done.

      All's fair in love and war and all that.

      1. BrownishMonstr
        Angel

        Heheh, back door.

    2. Paul_Murphy

      But BP wasn't about Enigma

      It was far more interested in the 'Fish' traffic that Colossus was built to crack. (http://en.wikipedia.org/wiki/Colossus_computer)

      Since the nicely organised Germans were sending very regular reports to Berlin, and getting regular orders back it made working out what they were up to a lot more straight-forward.

      Enigma was used 'on-the-ground' for more tactical purposes.

      As for back doors I would recommend reading Paul Gannons book: http://books.google.co.uk/books/about/Colossus.html?id=J9ezAAAACAAJ&redir_esc=y

      and decided for yourself what constitutes a back door.

      ttfn

      oh yeah - all hail to the BT engineer Tommy Flowers, who did the work, insisted on using valves and used his own money (http://www.computinghistory.org.uk/det/1078/Tommy-Flowers/) to get the project working.

      1. Anonymous Coward
        Anonymous Coward

        @Paul Murphy

        Bletchley wasn't about Enigma? Colossus wasn't about Enigma, but Bletchley wasn't just Colossus. There were all those Turing Bombes, which were used to err... Crack Enigma.

        Fish/Lorenz came later.

    3. Anonymous Coward
      Anonymous Coward

      Enigma? :)

      just have to share - here's my tiny Enigma VM in perl... pity there's no monospace, but it does survive formatting.

      A virtual pint for the first person to solve it... :-)

      AVWBU ISDDZ NPILY BMQEE XOUSV YDPON

      CCQWR BHOPB PZOMC HUZTA TRSBV CB

      #!/usr/bin/perl

      #Tinigma 2010 Usage:tinigma.pl 123 rng ini "GHWVYYDVPQGEWQWVT"

      ($n,$o,$p)=map(ord()-65,split//,uc$ARGV[1]);($z,$y,$x)=map(ord

      ()-65,split//,uc$ARGV[2]);($l,$m,$r)=map$_-1,split//,$ARGV[0];

      $t=uc$ARGV[3];$t=~s/[^A-Z]//g;$b=26;$j=0;@N=qw(7 25 11 6 1);@R

      =('EKMFLGDQVZNTOWYHXUSPAIBRCJ'x3,'AJDKSIRUXBLHWTMCQGZNPYFVOE'x

      3,'BDFHJLCPRTXVZNYEIWGAKMUSQO'x3,'ESOVPZJAYQUIRHXLNFTGKDCMWB'x

      3,'VZBRGITYUPSDNHLXAWMJQOFECK'x3,'YRUHQSLDPXNGOKMIEBFZCWVJAT'x

      3);@t=split//,$t;for$v(@R){$i=0;for(split//,$v){$c=ord()-65;$F

      [$j][$i]=$c;$R[$j][$c+$b*int($i/$b)]=$i%$b;$i++}$j++}@S=@{$F[5

      ]};$f=$y==$F[$m][$N[$m]]?1:0;$i=0;for(@t){if($f){$y++;$y%=$b;$

      z++;$z%=$b;$f=0}if($x==$F[$r][$N[$r]]){$y++;$y%=$b;if($y==$F[$

      m][$N[$m]]){$f=1}}$x++;$x%=$b;$e.=chr(($R[$r][$R[$m][$R[$l][$S

      [$F[$l][$F[$m][$F[$r][ord($_)-39+$x-$n]-$x+$n+$y-$o]-$y+$o+$z-

      $p]-$z+$p]+$z-$p]-$z+$p+$y-$o]-$y+$o+$x-$n]-$x+$n)%$b+65)}

      print"$e\n"

    4. Anonymous Coward
      Anonymous Coward

      Re: Rick C

      Except we expanded on the work performed by a Polish mathematician, the reality is when Enigma first came out we were completely stumped by it.

  10. jacobbe
    FAIL

    common sense not required!

    Doesnt make you want to apply does it?

  11. charles blackburn
    FAIL

    http://canyoucrackit.co.uk/soyoudidit.asp

    So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you'll help protect our nation's security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you're one of the best.

    i lol'd

  12. Blubster
    Coat

    Answer to the Ultimate Question of Life, the Universe, and Everything

    Forty-two

  13. Gary F
    FAIL

    I found the back door too

    The code to unlock it is in javascript which seems pretty daft on top of the winning page being a static page. Surely they were being this daft intentionally? Mind you, as they're only paying a £28K salary to the winning applicant they aren't exactly going to great efforts to attract the smartest brains out there.

    The heroes of WWII Bletchley Park would be embarassed if they knew.

    And I agree with the point made by others that it doesn't matter how the solution is reached, either through the front door or a backdoor. And it's just crazy that GCHQ had such a big back door on their website. Hopefully they're just responsible for cracking other countries' security and not protecting our own!!!!

  14. Pink Duck

    There was no backdoor, Google just spidered the links mentioned at http://lolhax.org/2011/12/03/can-you-crack-it/#more-114 (warning: contains answer and solution technique)

  15. Pete Spicer

    To all those wondering how Google got it

    What are the odds someone on high actually used Google Chrome or Firefox to test it worked? Since those browsers send a request to Google to verify that the site isn't malware laden, it's no great stretch to assume that it also covers discoverability and silently adding it to the index...

    1. charlesmeaden

      Google indexed it before the 3rd of Dec

      As author of the blog post referenced in the Sophos story, the site was already indexed by Google on the 1st December. Even if others had linked to the soyoufoundit page, it's not difficult to stop Google from not indexing a page

  16. hplasm Silver badge
    Happy

    "007- we need to find Mr Badaffi's secret lair..."

    Ok M, oh- Google says it just there...look."

    1. LaeMing Silver badge
      Go

      G007LE - no evil-doers.

  17. carrera4life
    Stop

    So what...

    So Google found the page that offers you the chance to APPLY for a position. You can rest assured that even if you used Google to find this page, it will be of little help once you're asked to demonstrate your abilities.

    I really do not see what all the fuss is about.

  18. Ebeneser
    Unhappy

    Let's face it ...

    From a cyber security point of view we're screwed ... and if the salaries posted on the recruitment site are indicative, you'd be better off working for the bad guys ...

  19. stucs201

    Its an advert, not a competion

    It leads to the exact same job as you get to just by going to their standard jobs page. If it was a test then it might have been a bit lacking, as an advert I'd say its been quite succesful at attracting attention.

  20. hayseed

    This has happened before...

    Reminds me of the frantic search for a spy in Africa by the British in WWII. Turns out they were telling stuff to some American guy who used something like a lame, already-broken code to transmit his stuff home.

    1. Sir Runcible Spoon Silver badge

      Sir

      "you'd be better off working for the bad guys"

      That really says it all. Have you truly thought that one through?

      Spooks are unfortunately necessary in this day and age, and they need to be kept on a short lead by those who are publicly responsible for their actions; but to suggest that working for Blofeld would be better is just asking for a swim with the laser bedecked sharks.

  21. Dodgy Geezer Silver badge
    Facepalm

    What we need...

    ...are people who can solve the puzzle and NOT TALK ABOUT IT.

    The first is no problem....

  22. bobdobbs
    WTF?

    salary?

    I don't understand. Where are you guys getting the salary figures from?

    ...or does it give you that little letdown after you break the code.

    1. Anonymous Coward
      Anonymous Coward

      re: salary

      From the job page it eventually leads to:

      https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874

      1. bobdobbs
        Unhappy

        ah, thx.

        oh wow, that really is a kick in the nuts after the hard work of solving the code and all..

  23. Anonymous Coward
    Anonymous Coward

    Are you really sure about that?

    Ahem - isn't this hex "puzzle" just a PR gimmick? The real test all along was to find the backdoor (i.e. using the Google site: tag) and go through it to move right along to the next stage (the GCHQ careers page!). Mind you, the press have also done their bit flawlessly - everyone now knows what the backdoor is! Ok, a certain devious cleverness there - but I certainly wouldn't put it past 'em :).

    Usually you need a "crib" - an inspired guess, a known weakness/pattern, or some other side-channel data - to crack supposed ciphers anyway. So has anyone *genuinely* cracked the hex, explained convincingly how they did it and said what the keyword is? No? My point entirely...

    1. Anonymous Coward
      Anonymous Coward

      YES they did

      several people have cracked it the long hard way they don't need people of can figure out Google they need people who can turn what little fragments of intel they get into usable product. Sometimes its a cluster on shattered hard drive that's all they have of the data and its gotta be sussed. Some F*c*wit using Google trick or html trick aint any use its not hacking TGP p0rn links.

    2. Anonymous Coward
      Anonymous Coward

      @ Are you really sure about that?

      WRONG!!! Try some deadbeef ... (or rather ... ef be ad de ... ) see http://lolhax.org

      BTW, it doesn't matter if you used Google or solved it the "interesting" way - both are "useful" technique and get you there.

  24. Kenno
    Happy

    Well think about it

    Its a 25K job in the MIDDLE of LONDON. Peanuts/ Monkies

    1. amanfromearth

      Well, it's not a job for you

      ... because you haven't even figured out where GCHQ is located.

      Numpty.

      1. 5.antiago

        Cheltenham

        They're based in Cheltenham. You can buy at least two houses and three horses out west on £25k :-)

  25. Cutman
    Coat

    The passcode was 55378008

    1. Graham Marsden
      Coat

      I prefer...

      ... 58008918

      The post is required, and must contain letters.

    2. Philolai

      Guess they're not after Sun readers then.

      1. Paul_Murphy

        >Guess they're not after Sun readers then.

        Yep - that is exactly the point.

        Just being able to use google in an intelligent way - let alone reading source code is an advantage these days.

        'using a computer' <> 'can play WoW' :-(

        ttfn

    3. JibberJabberBadger

      I'll just get my...

      trusty calculator.... lucky I'm down under, don't even have to turn it upside down

  26. Benchops
    Happy

    6031769

    (and obligatory letters)

    1. Anonymous Coward
      Anonymous Coward

      6031769 - This is etched in my brain for all time.

      The days when games were hard.

  27. JDX Gold badge

    Isn't cracking the code supposed to give a password? If so how does just knowing the completion URL help?

    1. stucs201
      Facepalm

      because...

      ...all that entering the password does it take you to another page. Knowing the url of that 2nd page is just as effective as knowing the code to enter on the first page.

      Alternatively just go to GCHQ's normal jobs page, the same job can be reached that way too.

  28. Zot

    GCHQ is based in Cheltenham.

    Still peanuts though!

  29. Stu_The_Jock
    Facepalm

    Password ?

    Or maybe simply finding the "you found it" page proves you didn't crack the code and the REAL page it takes you to is on a totally seperate site, not indexed on a public DNS, and the "passcord" is an IP address to log into . . . .

    just a thought !

  30. phear46

    maybe...

    Maybe they intentionally left it open to searches? Gaming the system doesn't necessarily mean your not as smart as the guys who cracked the code, you just think in a different way. Gchq probably needs both kinds of thinkers in order to do a good job. Correct me if I'm wrong.

  31. Jeff 11

    Google is pretty bloody irritating for websites; either you have to develop them on a totally private network, or if you can't do that, add some form of authentication layer around your dev site. If you don't, Chrome and Google Toolbar will quite happily send off what would otherwise be invisible, unlinked URLs as 'usage data' to Google when you visit them.

    1. This post has been deleted by its author

  32. TonyHoyle

    Are they having a laugh?

    2:1 degree or better in a science subject

    Experienced

    25k?

    It'd have to be bloody good for anyone with any experience to take that kind of pay cut. I could see a graduate going for it, but they'd fail on condition 2.

  33. John Deeb
    Big Brother

    Google does actually more

    "Google follows links so is there a link somewhere to the success page?"

    While that might be very probably and underrepresented in many new stories on this none-item it might come as a surprise to some that the Google Bot is a bit more adventurous than just "following links". Sometimes it actually does "guess" the URL by putting in certain keywords not only in the query but also in atheresource path.

    Don't ask me why, it just does and it takes a few years following (occasionally) bots around in log files to know it does.

    Another mystery solved! Can I get that job now?

    1. Anonymous Coward
      Anonymous Coward

      And people still think public sector workers are well payed?

      1. Simon Neill
        FAIL

        Yep.

        Why?

        Because when you say "Public sector worker" 90% of people think "teacher".

        Teacher base pay starts on £23k/ year and that is for working only 40 weeks 9-3.

        My pay? maxxed out at £23k/year for 47 weeks 8-4.

        Also, teachers get 50% more travel allowance than me.

        1. Your Retarded
          Thumb Down

          Dear Simon,

          If you knew any teachers that actually give a damn about their jobs, you'd find that they certainly work considerably longer hours than those for which typical children attend school.

        2. Ross 7

          @Simon Neill

          You don't know any teachers do you? Working 9 while 3? Rofl!

          Regarding the benefits, I presume the ad said "plus pension" but then that kinda changed ;)

          I don't think that ad is looking to attract anyone important - just somone with an IQ > 90 to do some grunt work. The "test" is just to make it sound cool and interesting, when the job is anything but.

    2. CD001

      Can't be bothered to look but there's probably a "+ benefits" note in there - that's the main reason people work in the public sector; it sure isn't for the pay.

  34. Anonymous Coward
    Anonymous Coward

    It all sounds a bit too easy really, doesn't it? Sort out the twats who google for a living first then see who gets to the real meaning in the code. They're not looking for the average arsehole who posts on here ( myself included) but the type of person who thinks outside the box ( not what you're thinking google fanatic, go back to yewer pr0n). I acn imagine that they've outsourced an apparently obvious puzzle to a bit of an arsehole web agency, but what is the real nested message in the encrypted message. This will sort out the men from the boys. which brings me to my favourite icon.....Paris.... but the bastards at El Reg won't let me post it anonymously, never mind, come the revolution they'll be first against the wall. Where's the Che Guevara icon...?

  35. lostinspace

    It's hardly "CODE-BREAKING CHALLENGE CRACKED BY GOOGLE SEARCH". This whole thing is just marketing for GCHQ. There's no prize for solving it, or finding that page. Storm and teacup.

    1. This post has been deleted by its author

  36. Babai
    Holmes

    Looks like a old COM file

    First byte "EB" means the first jump as in a standard COM file.

    So it could be a obsecure COM file's hex dump. Need to boot up old MSDOS 6 in VM...

    (I hate it that my Win7 x64 can't run 16 bit progs)

  37. Anonymous Coward
    Anonymous Coward

    Oxymoron

    I always felt that "Military Intelligence" was a contradiction in terms.. Now we have the proof..

  38. Nerd

    I don't fancy the salary much.

  39. Anonymous Coward
    Anonymous Coward

    http://www.theregister.co.uk/Design/graphics/icons/comment/alien_32.pngMen In Black

    Reminds me of the test to join the men in black. lol

    The best of the best!!!

  40. Anonymous Coward
    Facepalm

    Doh...

    Sounds like Johnny English is real.

  41. Robin Szemeti
    FAIL

    How much

    So after all that, and they were failry tricky questions, I would say putting you in the top 1% of the IQ spectrum .. they offer:

    Salary £25,446 (GC10) £31,152 (GC9)

    err ... dood, you just screened them for being bright, and you think they are dumb enough to work for those salaries? get a grip.

    I'll take a nice contract on £10K a month thanks.

  42. Robin Bradshaw
    Stop

    How to fail the test

    Im fairly sure if you were to go straight to the winning page there will be an absence of your ip address/ cookie in the web logs for the stage 2 and stage 3 parts of the challenge so they will know to bin your application.

  43. nigel 15
    FAIL

    stupid article.

    as has been pointed out google only found it because someone linked to it.

    the Sophos smart ass should think how much easier it would have been if they had put it in the robots.txt file.

  44. Anonymous Coward
    Anonymous Coward

    "Cluley"

    What a fab name!

  45. This post has been deleted by its author

  46. Homer 1 Silver badge
    Black Helicopters

    Less euphemistic version

    I "cracked" their promotion with a slightly more honest version, complete with some pertinent links:

    {quote}

    Title: Is your soul for sale?

    GCHQ, Sponsored by War Inc.®

    So you learned how to use Google. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to help us with our hostile invasion and corporate takeover of sovereign nations, to further the narcissistic goals of the American Empire? As one of our propagandists, you'll help protect greedy bankers, evil corporations, corrupt politicians and the investment portfolios of thousands of morally-bankrupt minions like yourself. Every day will bring new threats to fabricate, new scandals to whitewash – and new ways to screw innocent people.

    Civil Rights Violations Specialists

    Find out more and apply"

    {/quote}

    http://static.slated.org/canyoucrackit/soyoudidit.html

  47. Dave White

    Active Server Pages

    Of much more concern here is that this page was written in a language which microsoft made obsolete ten years ago. Why do people still use asp?

  48. Delbert
    Linux

    Intelligence

    I suppose it has to be asked who supplied the url to Google? I have to say I am very tempted to download the page and use it as wallpaper on my android pad , but backdoors and shortcuts are what information seeking is all about. Who has not when confronted with Error 404 rather than run back to google had a little search around with alternate url's they would expect to find and found themselves on pages not normally accessible or in Nerdvana in FTP heaven with direct access to page source files?

  49. Bill Cumming
    Coat

    the prize is in...

    ... the journey, not in the destination.

    The solution to get the pass code includes grabbing a couple of files from a website.

    Those IP addresses are probably logged and matched against people clicking the "apply here for a job" button.

    If they get a match then that's the start of the first part of the interview... ^_~

    Mine is the coat with the unencrypted Thumb drive from GCHQ in the pocket...

  50. Kael
    Alien

    DWH

    There is a better way to integrate humans into decoding using entirely new concept NOT mathematic based, and would be superior challenge to break. Sic Itur ad astra #GLBT prima Status

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019