1286: "Encryptic"

This forum is for the individual discussion thread that goes with each new comic.


RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Sun Nov 10, 2013 4:53 pm UTC

In the spirit of Life Imitates XKCD, I've had a go at implementing this with real data. It's not very pretty at the moment, but what do people think?

<URL REMOVED>
Last edited by RandomSam on Mon Nov 11, 2013 8:08 am UTC, edited 1 time in total.

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Sun Nov 10, 2013 9:12 pm UTC

RandomSam wrote:In the spirit of Life Imitates XKCD, I've had a go at implementing this with real data. It's not very pretty at the moment, but what do people think?

http://blackburns.org.uk/encryptic/

Is this legal where you live?

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Sun Nov 10, 2013 10:37 pm UTC

I don't see how it's any worse than publishing a top 100 list of passwords, but I guess I don't have a legal department to protect me. I feel paranoid now - I'll take the link down until there's a consensus that it's OK.

The intention was not to cause trouble - I stripped out the email addresses and sorted the list, so it doesn't lead back to anyone's accounts without finding the raw data again. I don't expect a significant number of passwords to be guessed, I was just trying to see if the crossword idea had merit.

I hope this can be cleared up - in case people have advice on the legality, I live in the UK.

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Mon Nov 11, 2013 4:32 pm UTC

RandomSam wrote:I don't see how it's any worse than publishing a top 100 list of passwords, but I guess I don't have a legal department to protect me. I feel paranoid now - I'll take the link down until there's a consensus that it's OK.

The intention was not to cause trouble - I stripped out the email addresses and sorted the list, so it doesn't lead back to anyone's accounts without finding the raw data again. I don't expect a significant number of passwords to be guessed, I was just trying to see if the crossword idea had merit.

I hope this can be cleared up - in case people have advice on the legality, I live in the UK.

I'm not really sure if it would be legal here either; I'm not a law person. I'm kind of afraid it might be seen as promoting others to crack passwords if some law person happens to dislike you. I'm not sure if that's illegal in the UK though.

orthogon
Posts: 3104
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 1286: "Encryptic"

Postby orthogon » Mon Nov 11, 2013 6:08 pm UTC

RandomSam wrote:I don't see how it's any worse than publishing a top 100 list of passwords, but I guess I don't have a legal department to protect me. I feel paranoid now - I'll take the link down until there's a consensus that it's OK.

The intention was not to cause trouble - I stripped out the email addresses and sorted the list, so it doesn't lead back to anyone's accounts without finding the raw data again. I don't expect a significant number of passwords to be guessed, I was just trying to see if the crossword idea had merit.

I hope this can be cleared up - in case people have advice on the legality, I live in the UK.

I can't help on the legal side, but just wanted to say I enjoyed it while it was up - nice work! I was pleasantly surprised by how well the comic captured the feel of it (and vice versa). I was thinking Randall had invented just-about-plausible sets of blocks and hints to make it seem more like a crossword, but I nearly got hooked trying to solve the very first example your thing gave me!
xtifr wrote:... and orthogon merely sounds undecided.

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Mon Nov 11, 2013 7:41 pm UTC

Glad it was enjoyed by someone. I might do some tidying and post the code I used to process the data, but anyone who wanted to play would have to fetch the original dump, and the collaborative appeal of the game would be lost.

acd
Posts: 21
Joined: Fri Jul 11, 2008 2:02 pm UTC

Re: 1286: "Encryptic"

Postby acd » Wed Nov 13, 2013 10:00 pm UTC

This whole Adobe issue reminded me of this story http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants, about a PCI idiot auditor. Perhaps the same guy audited Adobe and forced them to implement encryption instead of hashing, so that they could provide "A list of current usernames and plain-text passwords for all user accounts on all servers" to the auditor.

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Wed Nov 13, 2013 11:19 pm UTC

Damn, that is scary. I wonder if the auditor is still in business?

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Wed Nov 13, 2013 11:24 pm UTC

acd wrote:This whole Adobe issue reminded me of this story http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants, about a PCI idiot auditor. Perhaps the same guy audited Adobe and forced them to implement encryption instead of hashing, so that they could provide "A list of current usernames and plain-text passwords for all user accounts on all servers" to the auditor.

This really worries me (it doesn't surprise me at all, but it's creepy). Especially the point where he mentions it has never been a problem for audits he performed in the last 10 years (that did surprise me).

Seriously, I don't have an IT (or mathematics) background, yet I get the point that if the admin can access plain-text passwords, the same goes for crackers (at least if they have sufficient system access) while passwords can be validated from hashed versions without that risk occurring. So, would that make me sufficiently qualified to be a security auditor?

rmsgrey
Posts: 3656
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1286: "Encryptic"

Postby rmsgrey » Thu Nov 14, 2013 7:32 pm UTC

acd wrote:This whole Adobe issue reminded me of this story http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants, about a PCI idiot auditor. Perhaps the same guy audited Adobe and forced them to implement encryption instead of hashing, so that they could provide "A list of current usernames and plain-text passwords for all user accounts on all servers" to the auditor.


Like PSR says, if this auditor really has ten years of experience without anyone having a problem with him requesting full access to confidential data that good practice would prevent anyone from accessing, then that says something deeply scary about the general competence of sysadmins...

nlawson
Posts: 4
Joined: Fri Nov 15, 2013 11:03 pm UTC

Re: 1286: "Encryptic"

Postby nlawson » Fri Nov 15, 2013 11:32 pm UTC

RandomSam wrote:In the spirit of Life Imitates XKCD, I've had a go at implementing this with real data. It's not very pretty at the moment, but what do people think?

<URL REMOVED>


Ah shoot, you beat me to it! I put mine up today, but didn't notice that someone else had already taken a stab at writing one. I would have liked to see how you implemented yours...

My hunch, though, is that there's no reason for you to feel goosy about the legality of something like this. It's not copyright infringement, because the password hints aren't copyrighted. It's not computer hacking, because somebody else did the hacking, and the damage is already done. And if you scrubbed the personal data and anonymized the blocks (I did too!), then you've shown that your intent is not to give more ammunition to the password crackers. On my own site, I even try to point out how people can better improve their password security.

The only way I imagine something like this could be harmful is if enough users collaboratively "solved" the puzzle, and then the potential nogoodniks reverse-engineered the encrypted blocks from the password hints, matched the passwords to the email addresses in the original file, and then started logging into people's emails or accessing their accounts at other sites. Yeah, as I type this out, I realize that that could actually be pretty bad. Password re-use is rampant, and plenty of people probably ignored the advisory that Adobe sent out. Hmm...

Well, in any case, I don't think my tiny server could handle that many users (nor will it attract them - the UI is pretty rough). So I doubt it's gonna cause any uproar. And XKCD apparently won't let me post a link, since I'm new to the forum, so it's a moot point. But just FYI, you aren't the only one!

zed0
Posts: 179
Joined: Sun Dec 17, 2006 11:00 pm UTC

Re: 1286: "Encryptic"

Postby zed0 » Sat Nov 16, 2013 2:39 am UTC

Well, I guess I should also add my attempt at implementing this: http://zed0.co.uk/crossword/
Have fun with it and let me know if you come across any bugs or want to give any feedback. :)

I'm not too worried about the legality of it, mostly due to the reasons mentioned by nlawson.
Also http://stricture-group.com/files/adobe-top100.txt displays quite a lot of information.

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Sat Nov 16, 2013 11:58 pm UTC

nlawson wrote:Ah shoot, you beat me to it! I put mine up today

Excellent, I'd love to see it!

zed0 wrote:Well, I guess I should also add my attempt at implementing this: http://zed0.co.uk/crossword/

That's a nice UI, I like that it looks like a real crossword. Do you autogenerate the cases, or did you arrange 10 puzzles by hand?

My attempt took a slightly different approach, employing the player to solve the passwords in the first place. The downside of this is that it doesn't resemble a crossword at all; it looks a lot more like the comic. Instead, the page lists clues for every password containing a particular block, and the other blocks in those passwords are links so the user can browse through the dump. There's a submit button, which adds your guess for all to see, and any previously guessed blocks on the page are filled in.

zed0
Posts: 179
Joined: Sun Dec 17, 2006 11:00 pm UTC

Re: 1286: "Encryptic"

Postby zed0 » Sun Nov 17, 2013 12:16 am UTC

I auto-generated the crosswords and then made sure that the generation had actually made something sensible, since the script I used was a bit rough around the edges.
I'll probably put the source up soon.

I also got a rather larger response than I expected; I had to set up a CDN so my server could cope with it. :D

nlawson
Posts: 4
Joined: Fri Nov 15, 2013 11:03 pm UTC

Re: 1286: "Encryptic"

Postby nlawson » Sun Nov 17, 2013 2:10 am UTC

RandomSam wrote:
nlawson wrote:Ah shoot, you beat me to it! I put mine up today

Excellent, I'd love to see it!


OK, here it is: ultimatecrossword.net

I think I went more in your direction than Zed's, since mine also doesn't look anything like a crossword. I suppose that's the problem with the "crossword" idea: from looking purely at the data, it's actually not a crossword at all, because if you laid it all out, the passwords would only overlap horizontally! Hence no "crossing." :)

Zed's is definitely a cooler UI, though! With mine, you kinda have to stare at it for awhile before it makes sense.

RandomSam wrote:There's a submit button, which adds your guess for all to see, and any previously guessed blocks on the page are filled in.


This is what I did as well, initially. Then when I wrote my post above, I realized it just opens the doors for misuse by less-than-good-hearted people. So now, the site only stores the guessed blocks locally, which means it doesn't expose any more data than the leaked file itself (and in fact, much less). The puzzle isn't as much fun this way, but I think it's better to stay on the safe side.

Anyway, let me know what you guys think!

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Sun Nov 17, 2013 1:50 pm UTC

zed0 wrote:I auto-generated the crosswords and then made sure that the generation had actually made something sensible, since the script I used was a bit rough around the edges.
I'll probably put the source up soon.

I also got a rather larger response than I expected; I had to set up a CDN so my server could cope with it. :D

It's great, but did you crack the passwords first? By the way, did Adobe use a 16-bit password limit? Is this list only of passwords from US users? Both the hints and passwords are in English (with American names)... It's interesting how many people apparently call their black pets Shadow, though.

Klear
Posts: 1965
Joined: Sun Jun 13, 2010 8:43 am UTC
Location: Prague

Re: 1286: "Encryptic"

Postby Klear » Sun Nov 17, 2013 2:57 pm UTC

PinkShinyRose wrote:Is this list only of passwords from US users? Both the hints and passwords are in English (with American names)... It's interesting how many people apparently call their black pets shadow though.


There's a lot of French there as well.

nlawson
Posts: 4
Joined: Fri Nov 15, 2013 11:03 pm UTC

Re: 1286: "Encryptic"

Postby nlawson » Sun Nov 17, 2013 7:58 pm UTC

PinkShinyRose wrote:It's great, but, did you crack the passwords first?


Yep, as Zed says on his site, the passwords come from a fully solved list of the top 100.

PinkShinyRose wrote:By the way, did adobe use a 16-bit password limit?


In the password file, I saw passwords of length 1, 2, 3, and 4 blocks, although very few 3s and 4s. Assuming that each block represents 8 characters (or maybe bytes), it seems there were indeed a few passwords longer than 16 characters or even 24.

Admittedly, though, I still don't fully grasp the relationship between the 3DES blocks and the lengths of the passwords. For instance, there's one block that only shows up in position #2 and seems to simply mark that a password is exactly 8 characters. For the longer passwords it may be trickier.

PinkShinyRose wrote:Is this list only of passwords from US users? Both the hints and passwords are in English (with American names)...


Nope, they come from everywhere. For instance, one password has the hints "sanrio frog," "grenouille" (French for frog), "verde" (green in Spanish), and "kerokero" (the sound a frog makes in Japanese). I'll leave that one as an exercise to the reader. :)

There were also some non-ASCII hints in the file, but unfortunately the hacker didn't convert the characters properly, so they all turned into question marks (literally ASCII code 63, not U+FFFD �).

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Sun Nov 17, 2013 9:49 pm UTC

nlawson wrote:For instance, there's one block that only shows up in position #2 and seems to simply mark that a password is exactly 8 characters.

It looks like the null terminator was included in the encrypted string. C-like strings only have a pointer to the start of the data, and you keep reading memory from that point until you find a zero byte. For passwords a multiple of 8 bytes long, you end up with an extra block just for the encrypted null byte:

"abc" => [97 98 99 0]
"abcdefgh" => [97 98 99 100 101 102 103 104] [0]
"abcdefghabcdefgh" => [97 98 99 100 101 102 103 104] [97 98 99 100 101 102 103 104] [0]

So we have slightly more information than Randall thought - we can distinguish 1-7 character blocks from 8-character blocks based on whether there's another block following them.
Last edited by RandomSam on Sun Nov 17, 2013 10:16 pm UTC, edited 1 time in total.

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Sun Nov 17, 2013 10:08 pm UTC

nlawson wrote:Admittedly, though, I still don't fully grasp the relationship between the 3DES blocks and the lengths of the passwords. For instance, there's one block that only shows up in position #2 and seems to simply mark that a password is exactly 8 characters. For the longer passwords it may be trickier.

I saw those in one of the puzzles but assumed they represented a character combination that's usually at the end of a word (like "ck", which also happened to match the hints).
nlawson wrote:
PinkShinyRose wrote:Is this list only of passwords from US users? Both the hints and passwords are in English (with American names)...


Nope, they come from everywhere. For instance, one password has the hints "sanrio frog," "grenouille" (French for frog), "verde" (green in Spanish), and "kerokero" (the sound a frog makes in Japanese). I'll leave that one as an exercise to the reader. :)

There were also some non-ASCII hints in the file, but unfortunately the hacker didn't convert the characters properly, so they all turned into question marks (literally ASCII code 63, not U+FFFD �).

I saw sombra for shadow too, I thought it was someone who didn't think other people would speak both Spanish and English... This could still be the case for kerokerokeroppi but this does seem to suggest a French or Spanish speaker is involved (although I think Spanish and English are on par by native speakers in the US, I'm not sure about that though. French is somewhat rarer). I think it should contain far more foreign language hints and passwords if it's not a localised list.

nlawson
Posts: 4
Joined: Fri Nov 15, 2013 11:03 pm UTC

Re: 1286: "Encryptic"

Postby nlawson » Mon Nov 18, 2013 7:32 am UTC

RandomSam wrote:It looks like the null terminator was included in the encrypted string. C-like strings only have a pointer to the start of the data, and you keep reading memory from that point until you find a zero byte.


Okay, that explains it! My first guess, similar to PinkShinyRose's, was that the mystery block represented something like a "1" at the end of a 9-letter password. But the null terminator theory would explain why none of its preceding neighbors ever appear by themselves (nor does it appear by itself).

Here's the mystery block with its most popular neighbors: http://ultimatecrossword.net/#/block/183465. They're all clearly just common 8-letter passwords.

Thesh
Made to Fuck Dinosaurs
Posts: 6598
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: 1286: "Encryptic"

Postby Thesh » Mon Nov 18, 2013 2:37 pm UTC

RandomSam wrote:
nlawson wrote:For instance, there's one block that only shows up in position #2 and seems to simply mark that a password is exactly 8 characters.

It looks like the null terminator was included in the encrypted string. C-like strings only have a pointer to the start of the data, and you keep reading memory from that point until you find a zero byte. For passwords a multiple of 8 bytes long, you end up with an extra block just for the encrypted null byte:

"abc" => [97 98 99 0]
"abcdefgh" => [97 98 99 100 101 102 103 104] [0]
"abcdefghabcdefgh" => [97 98 99 100 101 102 103 104] [97 98 99 100 101 102 103 104] [0]

So we have slightly more information than Randall thought - we can distinguish 1-7 character blocks from 8-character blocks based on whether there's another block following them.

It's probably not null terminated, but most padding schemes require that at least one extra character is added to the end. If you use PKCS7 padding, for example, each padding byte is equal to the total number of padding bytes added. In this case, if the password is exactly 8 bytes, the padding would be the octet string 0808080808080808.
Summum ius, summa iniuria.

RandomSam
Posts: 10
Joined: Fri May 15, 2009 10:51 am UTC

Re: 1286: "Encryptic"

Postby RandomSam » Mon Nov 18, 2013 7:22 pm UTC

I guess those cases would be indistinguishable without reversing the encryption. The first block of "smilies☺" could conceivably match "smilies" with a padding byte.

But it's hard to see how a user could type the control character that looks like a smiley, 0x1, and not end up submitting a Unicode character, which would get split across the block boundary in a way that's really inconvenient for crosswords!
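An added example (not code from any poster's site) that makes the block structure discussed in the last three posts concrete: the NUL-terminator and PKCS#7 padding rules side by side, an 8-byte block mapping with no chaining, and the consequence that every password of exactly 8 bytes ends in the same trailing block under either rule, while "smilies" padded with PKCS#7 shares its first block with "smilies\x01". The key and password list are constructed, and block_encrypt is an HMAC stand-in for 3DES, keeping only the ECB property that equal input blocks give equal output blocks.

```python
import hashlib
import hmac
from typing import Callable, List, Set

BLOCK = 8  # 3DES operates on 8-byte blocks


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one 3DES block operation (constructed, not real 3DES).

    A keyed HMAC truncated to 8 bytes keeps the one property ECB mode
    leaks: the same 8-byte input always yields the same 8-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad_null(pw: bytes) -> bytes:
    """C-string style: append the NUL terminator, then zero-fill to a boundary."""
    pw = pw + b"\x00"
    return pw + b"\x00" * (-len(pw) % BLOCK)


def pad_pkcs7(pw: bytes) -> bytes:
    """PKCS#7: always append n bytes of value n, with 1 <= n <= BLOCK."""
    n = BLOCK - len(pw) % BLOCK
    return pw + bytes([n]) * n


def ecb_encrypt(key: bytes, pw: bytes, pad: Callable[[bytes], bytes]) -> List[str]:
    """Pad, then encrypt block by block with no chaining; return hex blocks."""
    data = pad(pw)
    return [block_encrypt(key, data[i:i + BLOCK]).hex()
            for i in range(0, len(data), BLOCK)]


def trailing_blocks(key: bytes, pws: List[bytes],
                    pad: Callable[[bytes], bytes]) -> Set[str]:
    """Distinct final ciphertext blocks across a list of passwords."""
    return {ecb_encrypt(key, pw, pad)[-1] for pw in pws}


if __name__ == "__main__":
    key = b"constructed-demo-key"                     # constructed, not Adobe's
    eight = [b"password", b"baseball", b"trustno1"]  # constructed 8-byte passwords
    for pad in (pad_null, pad_pkcs7):
        print(pad.__name__)
        for pw in (b"abc", b"abcdefgh", b"abcdefghabcdefgh"):
            print(" ", pw, ecb_encrypt(key, pw, pad))
        # one "mystery block" shared by every password of exactly 8 bytes
        print("  trailing blocks of 8-byte passwords:", trailing_blocks(key, eight, pad))
    # with PKCS#7 the first block of "smilies" equals that of "smilies\x01"
    print(ecb_encrypt(key, b"smilies", pad_pkcs7)[0]
          == ecb_encrypt(key, b"smilies\x01", pad_pkcs7)[0])
```

Under the NUL rule the two cases RandomSam mentions stay distinguishable in their first block, since "smilies\x00" and "smilies\x01" differ; under PKCS#7 they do not.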

