1286: "Encryptic"

Linux0s
Posts: 247
Joined: Sat Dec 29, 2007 7:34 pm UTC

1286: "Encryptic"

Postby Linux0s » Mon Nov 04, 2013 7:15 am UTC

[comic image]

Title Text: It was bound to happen eventually. This data theft will enable almost limitless [xkcd.com/792]-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

I think "Monster Mash" is gonna be the first one hacked.
If the male mind truly were a machine it would consist of a shaft and a bushing.

rhomboidal
Posts: 801
Joined: Wed Jun 15, 2011 5:25 pm UTC

Re: 1286: "Encryptic"

Postby rhomboidal » Mon Nov 04, 2013 7:17 am UTC

hehe, I remember getting an email from Adobe about the hack. If 125,615,814-across's hint is "YOU KNOW" then I've got that one nailed.

dalcde
Posts: 173
Joined: Fri Apr 06, 2012 5:49 am UTC

Re: 1286: "Encryptic"

Postby dalcde » Mon Nov 04, 2013 9:08 am UTC

I trust Adobe that my password is well encrypted/hashed.

BlitzGirl
Posts: 9120
Joined: Mon Sep 20, 2010 11:48 am UTC
Location: Out of the basement for Yip 6! Schizoblitz: 115/2672 NP

Re: 1286: "Encryptic"

Postby BlitzGirl » Mon Nov 04, 2013 9:21 am UTC

936 Across: Veridical equine identifies the metal fastener of an electrochemical cell.
Knight Temporal of the One True Comic
BlitzGirl the Pink, Mopey Molpy Mome

dalcde
Posts: 173
Joined: Fri Apr 06, 2012 5:49 am UTC

Re: 1286: "Encryptic"

Postby dalcde » Mon Nov 04, 2013 11:03 am UTC

BlitzGirl wrote:936 Across: Veridical equine identifies the metal fastener of an electrochemical cell.

Strictly speaking, a group of two or more electrochemical cells.

BlitzGirl
Posts: 9120
Joined: Mon Sep 20, 2010 11:48 am UTC
Location: Out of the basement for Yip 6! Schizoblitz: 115/2672 NP

Re: 1286: "Encryptic"

Postby BlitzGirl » Mon Nov 04, 2013 11:42 am UTC

dalcde wrote:
BlitzGirl wrote:936 Across: Veridical equine identifies the metal fastener of an electrochemical cell.

Strictly speaking, a group of two or more electrochemical cells.

Veridical equine identifies the metal fastener of a group of two or more electrochemical cells! :mrgreen:
Knight Temporal of the One True Comic
BlitzGirl the Pink, Mopey Molpy Mome

stianhat
Posts: 175
Joined: Mon Jun 13, 2011 6:31 pm UTC

Re: 1286: "Encryptic"

Postby stianhat » Mon Nov 04, 2013 12:18 pm UTC

*Very* strictly speaking, they have to be non-equipotential. :D

dalcde
Posts: 173
Joined: Fri Apr 06, 2012 5:49 am UTC

Re: 1286: "Encryptic"

Postby dalcde » Mon Nov 04, 2013 12:29 pm UTC

stianhat wrote:*Very* strictly speaking, they have to be non-equipotential. :D


I thought an equipotential one won't be a cell?

Draco18s
Posts: 89
Joined: Fri Oct 03, 2008 7:50 am UTC

Re: 1286: "Encryptic"

Postby Draco18s » Mon Nov 04, 2013 1:19 pm UTC

Just as a commentary on the alt-text:
It's possible to have pirated Photoshop and have an Adobe.com password.

My problem in protecting myself from "[xkcd.com/792]-style password reuse attacks" is I have no idea what my Adobe password was before the attack, nor which sites I use that may have used the same one (I've got a half-dozen or so different passwords that conform to different "strength" checks).

WilliamsXev
Posts: 4
Joined: Fri Dec 03, 2010 2:47 am UTC

Re: 1286: "Encryptic"

Postby WilliamsXev » Mon Nov 04, 2013 1:20 pm UTC

"Weather vane sword" must be a Redwall reference. "Sword of Martin" perhaps?

stianhat
Posts: 175
Joined: Mon Jun 13, 2011 6:31 pm UTC

Re: 1286: "Encryptic"

Postby stianhat » Mon Nov 04, 2013 2:07 pm UTC

Well, one cell would be either an orphaned anode or cathode. The cells are always at their own equilibrium. A Cu / Cu2+ cell is static unless you can add or remove electrons. That's why you need more than one to have a battery. Connect your Cu / Cu2+ to a Zn2+ / Zn and there will be light.

Furthermore, they need to have different potentials to let current travel, or you have to enforce a different potential to make it travel. Two connected Cu / Cu2+ cells with the same Cu2+ concentration are not going to do anything.

It was just nitpicking to make the sentence even more complicated.

gmalivuk
GNU Terry Pratchett
Posts: 26824
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 1286: "Encryptic"

Postby gmalivuk » Mon Nov 04, 2013 2:56 pm UTC

Draco18s wrote:Just as a commentary on the alt-text:
It's possible to have pirated Photoshop and have an Adobe.com password.

My problem in protecting myself from "[xkcd.com/792]-style password reuse attacks" is I have no idea what my Adobe password was before the attack, nor which sites I use that may have used the same one (I've got a half-dozen or so different passwords that conform to different "strength" checks).
If you only have half a dozen passwords that you reuse, none of them are strong.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

rmsgrey
Posts: 3655
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1286: "Encryptic"

Postby rmsgrey » Mon Nov 04, 2013 3:13 pm UTC

stianhat wrote:Well, one cell would be either an orphaned anode or cathode. The cells are always at their own equilibrium. A Cu / Cu2+ cell is static unless you can add or remove electrons. That's why you need more than one to have a battery. Connect your Cu / Cu2+ to a Zn2+ / Zn and there will be light.

Furthermore, they need to have different potentials to let current travel, or you have to enforce a different potential to make it travel. Two connected Cu / Cu2+ cells with the same Cu2+ concentration are not going to do anything.

It was just nitpicking to make the sentence even more complicated.


Here in the UK, we call those half-cells, and the pairing of two half-cells with different electrochemical potential a cell. A battery is then a number of connected cells.

cellocgw
Posts: 2067
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1286: "Encryptic"

Postby cellocgw » Mon Nov 04, 2013 3:51 pm UTC

BlitzGirl wrote:
dalcde wrote:
BlitzGirl wrote:936 Across: Veridical equine identifies the metal fastener of an electrochemical cell.

Strictly speaking, a group of two or more electrochemical cells.

Veridical equine identifies the metal fastener of a group of two or more electrochemical cells! :mrgreen:


If I had an Adobe account (which I don't think I have, but who knows?), here's an easy hint: molpy,molpy,molpy,molpy

No, not that easy. The password would have been marvingaye :roll:
resume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

cellocgw
Posts: 2067
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1286: "Encryptic"

Postby cellocgw » Mon Nov 04, 2013 3:53 pm UTC

gmalivuk wrote:
Draco18s wrote:Just as a commentary on the alt-text:
It's possible to have pirated Photoshop and have an Adobe.com password.

My problem in protecting myself from "[xkcd.com/792]-style password reuse attacks" is I have no idea what my Adobe password was before the attack, nor which sites I use that may have used the same one (I've got a half-dozen or so different passwords that conform to different "strength" checks).
If you only have half a dozen passwords that you reuse, none of them are strong.


No, they can be ultra-mega-strong regardless of how often they're used. It's just that the result of exposing one is much greater than if every site had its own password. Don't confuse probability with outcome.
resume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: 1286: "Encryptic"

Postby ManaUser » Mon Nov 04, 2013 4:16 pm UTC

Can anyone explain how the puzzle shown is supposed to work? Why are there two columns of hashes, and what's the deal with the two types of fill-in-the-blanks?

neoliminal
Posts: 626
Joined: Wed Feb 18, 2009 6:39 pm UTC

Re: 1286: "Encryptic"

Postby neoliminal » Mon Nov 04, 2013 4:51 pm UTC

My password hint is:

••••••••

Please note that my actual password is:

"••••••••"
...with the quotes.
http://www.amazon.com/dp/B0073YYXRC
Read My Book. Cost less than coffee. Will probably keep you awake longer.
[hint, scary!]

Kal
Posts: 11
Joined: Tue Jul 29, 2008 12:03 pm UTC

Re: 1286: "Encryptic"

Postby Kal » Mon Nov 04, 2013 5:05 pm UTC

ManaUser wrote:Can anyone explain how the puzzle shown is supposed to work? Why are there two columns of hashes, and what's the deal with the two types of fill-in-the-blanks?


I'm not sure what the two types of fill-in-the-blanks are, but I suspect the two columns are for different length passwords.
Short passwords (up to 8 bytes) will be encrypted as a single block, and result in an 8 byte cipher text. Passwords of 9-16 bytes will result in 16 bytes of cipher text, etc.

This leads me to believe I have broken "Favorite of the 12 apostles". Since there is another password which starts out with the exact same 8 bytes of cipher text, and then follows with 8 more, it seems likely that the password is exactly 8 characters long. (If it was shorter than 8 characters, for instance "John" and the longer password was "John Williams" then the encrypted versions would be ENC(John) and ENC(John Wil) ENC(liams). i.e. the rest of the long password would pollute the block containing the first name). This means that the favorite apostle is probably Iscariot, or Matthias. Since Matthias was a wielder of the weathervane sword (The Sword of Martin, as mentioned by WilliamsXev), we probably have that cracked.

chernobyl
Posts: 23
Joined: Wed Jun 27, 2007 6:24 am UTC
Location: Sofia, Bulgaria

Re: 1286: "Encryptic"

Postby chernobyl » Mon Nov 04, 2013 5:06 pm UTC

I used a disposable email forwarding address to register with Adobe. I got spam on it a few days ago. Even without cracking the passwords, they've monetized the data anyway.

dp2
Posts: 346
Joined: Wed Aug 18, 2010 3:06 pm UTC

Re: 1286: "Encryptic"

Postby dp2 » Mon Nov 04, 2013 6:07 pm UTC

Linux0s wrote:I think "Monster Mash" is gonna be the first one hacked.

That's assuming the answer is the obvious one. The best hint would be one that means nothing to anyone else. The next best would be one that looks like it means something to everyone but really means something different to the owner. Maybe the password is "PurplePeopleEater".

rmsgrey
Posts: 3655
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1286: "Encryptic"

Postby rmsgrey » Mon Nov 04, 2013 6:13 pm UTC

dp2 wrote:
Linux0s wrote:I think "Monster Mash" is gonna be the first one hacked.

That's assuming the answer is the obvious one. The best hint would be one that means nothing to anyone else. The next best would be one that looks like it means something to everyone but really means something different to the owner. Maybe the password is "PurplePeopleEater".


The ideal password hint is something that means nothing to anyone else, even if their website has harvested another hint/password pair from you, but which will immediately tell you the password even years later after you've forgotten you even had that account...

Klear
Posts: 1965
Joined: Sun Jun 13, 2010 8:43 am UTC
Location: Prague

Re: 1286: "Encryptic"

Postby Klear » Mon Nov 04, 2013 6:15 pm UTC

rmsgrey wrote:
dp2 wrote:
Linux0s wrote:I think "Monster Mash" is gonna be the first one hacked.

That's assuming the answer is the obvious one. The best hint would be one that means nothing to anyone else. The next best would be one that looks like it means something to everyone but really means something different to the owner. Maybe the password is "PurplePeopleEater".


The ideal password hint is something that means nothing to anyone else, even if their website has harvested another hint/password pair from you, but which will immediately tell you the password even years later after you've forgotten you even had that account...


http://www.penny-arcade.com/comic/2006/7/12/

gmalivuk
GNU Terry Pratchett
Posts: 26824
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 1286: "Encryptic"

Postby gmalivuk » Mon Nov 04, 2013 7:54 pm UTC

cellocgw wrote:
gmalivuk wrote:
Draco18s wrote:Just as a commentary on the alt-text:
It's possible to have pirated Photoshop and have an Adobe.com password.

My problem in protecting myself from "[xkcd.com/792]-style password reuse attacks" is I have no idea what my Adobe password was before the attack, nor which sites I use that may have used the same one (I've got a half-dozen or so different passwords that conform to different "strength" checks).
If you only have half a dozen passwords that you reuse, none of them are strong.


No, they can be ultra-mega-strong regardless of how often they're used. It's just that the result of exposing one is much greater than if every site had its own password. Don't confuse probability with outcome.
Well yes, technically what is weak in that case is the whole security process you're using, rather than any one password+website combination.

Which means, on the other hand, also don't confuse individually strong passwords with strong security protocols.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

speising
Posts: 2365
Joined: Mon Sep 03, 2012 4:54 pm UTC
Location: wien

Re: 1286: "Encryptic"

Postby speising » Mon Nov 04, 2013 8:03 pm UTC

gmalivuk wrote:
cellocgw wrote:
gmalivuk wrote:
Draco18s wrote:Just as a commentary on the alt-text:
It's possible to have pirated Photoshop and have an Adobe.com password.

My problem in protecting myself from "[xkcd.com/792]-style password reuse attacks" is I have no idea what my Adobe password was before the attack, nor which sites I use that may have used the same one (I've got a half-dozen or so different passwords that conform to different "strength" checks).
If you only have half a dozen passwords that you reuse, none of them are strong.


No, they can be ultra-mega-strong regardless of how often they're used. It's just that the result of exposing one is much greater than if every site had its own password. Don't confuse probability with outcome.
Well yes, technically what is weak in that case is the whole security process you're using, rather than any one password+website combination.

Which means, on the other hand, also don't confuse individually strong passwords with strong security protocols.

Also, Draco didn't claim anything about the strength of the passwords, just about their performance in strength checks.

YenTheFirst
Posts: 13
Joined: Thu Mar 01, 2007 6:45 am UTC

Re: 1286: "Encryptic"

Postby YenTheFirst » Mon Nov 04, 2013 8:19 pm UTC

Kal wrote:
ManaUser wrote:Can anyone explain how the puzzle shown is supposed to work? Why are there two columns of hashes, and what's the deal with the two types of fill-in-the-blanks?


I'm not sure what the two types of fill-in-the-blanks are, but I suspect the two columns are for different length passwords.
Short passwords (up to 8 bytes) will be encrypted as a single block, and result in an 8 byte cipher text. Passwords of 9-16 bytes will result in 16 bytes of cipher text, etc.

This leads me to believe I have broken "Favorite of the 12 apostles". Since there is another password which starts out with the exact same 8 bytes of cipher text, and then follows with 8 more, it seems likely that the password is exactly 8 characters long. (If it was shorter than 8 characters, for instance "John" and the longer password was "John Williams" then the encrypted versions would be ENC(John) and ENC(John Wil) ENC(liams). i.e. the rest of the long password would pollute the block containing the first name). This means that the favorite apostle is probably Iscariot, or Matthias. Since Matthias was a wielder of the weathervane sword (The Sword of Martin, as mentioned by WilliamsXev), we probably have that cracked.


To expand a bit on this -

Adobe encrypted their passwords using 3DES, in 'Electronic Code Book' mode.
3DES is a block mode cipher, with a block size of 8 bytes. This means passwords are chunked up into 8-byte groups. If the last group has <8 bytes, it is padded with some filler.
Electronic Code Book mode means that, each individual block is encrypted individually, with no input from an extra random source or previous blocks.

So, for example, if the password was "AAAAAAAAAAAAAAAA" (16 A's), the first block would be "AAAAAAAA", as would the second. If "AAAAAAAA" encrypts to "0x09ABCC17646F88", for example, the encrypted password would be "0x09ABCC17646F8809ABCC17646F88". If someone else's password was "AAAAAAAABBBBBBBB", the encrypted password would be something like "0x09ABCC17646F88...."

So, in the comic, each column of encrypted passwords is one block of password. The first 3 passwords share the same block. The first 2 are "0 < size <= 8" characters in length, since we know they have exactly 1 block, and the 3rd password has 2 blocks, so it's "8 < size <= 16" characters. So, that first, shared block must be exactly 8 characters.

In the crossword section, on the right-hand side, there are 8 individual blanks. The 3rd password has a 2nd block, which is 1-8 characters, so it has an extra long blank box tacked on the end, for a variable-length word.


A bit more specifically:
Passwords 1, 2, 3 share a common 8-byte prefix. In the case of 1 and 2, this prefix is the entire password. Passwords 4, 5, 6 share a common 8-byte prefix. Password 4 is the prefix only; passwords 3 and 5 share a common, unknown-length suffix. Password 6 has an unknown, unshared suffix.
Last edited by YenTheFirst on Mon Nov 04, 2013 8:23 pm UTC, edited 1 time in total.
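The block-prefix effect that Kal and YenTheFirst describe above can be seen directly with real 3DES. The program below is an added example written for this thread (it is not from the comic and says nothing about Adobe's actual code); the key, the two passwords, the IVs and the zero-byte padding rule are all constructed for the demonstration. It encrypts two passwords that share their first 8 bytes under ECB, under CBC with a different IV per record, and under CBC with one IV reused for both, then counts how many leading ciphertext blocks coincide.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"log"
	"strings"
)

// blockSize is 8 bytes for DES and 3DES, the "one column" unit in the comic.
const blockSize = des.BlockSize

// pad extends p with zero bytes up to the next 8-byte boundary.
// Assumption for this demo: a password that already fills whole blocks gets no
// extra block, matching the "up to 8 bytes -> 8 bytes of ciphertext" observation
// in the thread. Adobe's real padding rule is not given here.
func pad(p []byte) []byte {
	out := append([]byte(nil), p...)
	if rem := len(out) % blockSize; rem != 0 {
		out = append(out, bytes.Repeat([]byte{0}, blockSize-rem)...)
	}
	return out
}

// encryptECB encrypts every block on its own: same key + same plaintext block
// always gives the same ciphertext block. crypto/cipher deliberately offers no
// ECB helper, so the loop is written out by hand.
func encryptECB(blk cipher.Block, plaintext []byte) []byte {
	pt := pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		blk.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// encryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first one) before encrypting it.
func encryptCBC(blk cipher.Block, iv, plaintext []byte) []byte {
	pt := pad(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

// sharedPrefixBlocks counts the leading 8-byte blocks two ciphertexts have in common.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+blockSize <= len(a) && i+blockSize <= len(b); i += blockSize {
		if !bytes.Equal(a[i:i+blockSize], b[i:i+blockSize]) {
			break
		}
		n++
	}
	return n
}

// hexBlocks renders a ciphertext as space-separated 8-byte blocks, the way the
// comic's columns do.
func hexBlocks(ct []byte) string {
	parts := make([]string, 0, len(ct)/blockSize)
	for i := 0; i < len(ct); i += blockSize {
		parts = append(parts, hex.EncodeToString(ct[i:i+blockSize]))
	}
	return strings.Join(parts, " ")
}

// compareModes encrypts two constructed passwords that share their first 8 bytes
// and reports how many ciphertext blocks coincide under ECB, under CBC with a
// fresh IV per record, and under CBC with one fixed IV reused for both records.
func compareModes() (ecb, cbcFreshIV, cbcFixedIV int) {
	key := []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		log.Fatal(err)
	}
	p1 := []byte("swordfish")   // constructed: 9 chars -> 2 blocks
	p2 := []byte("swordfishes") // constructed: same first 8 bytes, different tail
	ecb = sharedPrefixBlocks(encryptECB(blk, p1), encryptECB(blk, p2))

	iv1, iv2 := []byte("iv-one!!"), []byte("iv-two!!") // constructed; random per record in practice
	cbcFreshIV = sharedPrefixBlocks(encryptCBC(blk, iv1, p1), encryptCBC(blk, iv2, p2))
	cbcFixedIV = sharedPrefixBlocks(encryptCBC(blk, iv1, p1), encryptCBC(blk, iv1, p2))
	return ecb, cbcFreshIV, cbcFixedIV
}

func main() {
	key := []byte("0123456789abcdef01234567")
	blk, _ := des.NewTripleDESCipher(key)
	fmt.Println("ECB swordfish   :", hexBlocks(encryptECB(blk, []byte("swordfish"))))
	fmt.Println("ECB swordfishes :", hexBlocks(encryptECB(blk, []byte("swordfishes"))))
	ecb, fresh, fixed := compareModes()
	fmt.Printf("shared leading blocks: ECB=%d CBC(fresh IV)=%d CBC(fixed IV)=%d\n", ecb, fresh, fixed)
}
```

Under ECB the first column is identical for both records, which is exactly what lets the comic's crossword group hints together; CBC with a fresh IV per record hides that, but CBC with one reused IV still leaks the shared first block, which is why the IV has to be random per record rather than a fixed constant.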

Nnelg
Posts: 39
Joined: Mon May 30, 2011 4:44 am UTC

Re: 1286: "Encryptic"

Postby Nnelg » Mon Nov 04, 2013 8:22 pm UTC

This is why I have unique passwords for important things. (I reuse the same password for trivial stuff like forums: that way I won't forget it, but don't really care if it gets hacked.)
keithl wrote:As a rule of thumb, it is imprudent to pass over speed bumps faster than orbital velocity.

Dracomax
Posts: 998
Joined: Wed Mar 27, 2013 1:11 pm UTC

Re: 1286: "Encryptic"

Postby Dracomax » Mon Nov 04, 2013 8:40 pm UTC

I have basically 3 passwords, but each site gets a unique 5 figure addition either at the beginning, the end, or in the middle. I know it could be more secure, but I can remember it, it is possible to enter them in on my kindle in less than 10 minutes, and the important sites get the most secure passwords. That being said, why does my bank only allow 16 characters in the password? It forces me to be less secure than I would like.
“Have I gone mad?
I'm afraid so, but let me tell you something: the best people usually are.”
― Lewis Carroll, Alice in Wonderland

thisisnotdan
Posts: 2
Joined: Tue Jul 16, 2013 1:06 pm UTC

Re: 1286: "Encryptic"

Postby thisisnotdan » Mon Nov 04, 2013 8:42 pm UTC

The comic says that Adobe "misused" Block-mode 3DES encryption. What does that mean?

speising
Posts: 2365
Joined: Mon Sep 03, 2012 4:54 pm UTC
Location: wien

Re: 1286: "Encryptic"

Postby speising » Mon Nov 04, 2013 8:46 pm UTC

For one thing, they didn't salt their hashes, so that different users with the same pw got the same hash.
edit: ok, yeah, hashing and encrypting are two different things...
Last edited by speising on Mon Nov 04, 2013 9:09 pm UTC, edited 1 time in total.

gnutrino
Posts: 100
Joined: Sat Sep 06, 2008 9:02 am UTC
Location: Over the edge...

Re: 1286: "Encryptic"

Postby gnutrino » Mon Nov 04, 2013 9:06 pm UTC

thisisnotdan wrote:The comic says that Adobe "misused" Block-mode 3DES encryption. What does that mean?


See YenTheFirst's post, i started writing something to explain this but (s)he got there before me and did it better than I would have. Basically usually if you were doing this you would use something like cipher block chaining to make sure subsequent cipher-text blocks are dependent on previous blocks, Adobe didn't and because of this what YenTheFirst described happens.

This does raise a number of questions for me though. First, why is Adobe encrypting the passwords rather than using the more usual salt+hash approach? Do they use an authentication method that relies on a shared secret or something? Secondly, what the hell are they doing still using triple DES in this day and age :roll:?

As far as the answers are concerned, Google tells me that "with your own hands you have done all this" is from Judith 15:10, which means "name + jersey #" is probably either judith15 or judith 1 depending on whether spaces were used (or the capitalized equivalents). I'm not actually sure "Monster Mash" is the answer to "He did the mash, he did the" as monster only has 7 characters, and even if you include the space I don't see how it works with "purloined". That and whatever comes after character eight has to also be the end of the name of a water-3 Pokemon, which would mean it ends -l, -el, -le, -t, -ta or -r by my reckoning. And given the time and effort I've already put into this I've just realized Randall has nerd-sniped me. Again.

ThemePark
Posts: 450
Joined: Fri Jun 27, 2008 5:42 pm UTC
Location: Århus, Denmark

Re: 1286: "Encryptic"

Postby ThemePark » Mon Nov 04, 2013 9:09 pm UTC

Okay, about the purloined part, people are reading it wrong. It goes with the line above it, so the entire hint is "He did the mash, he did the purloined". And The Purloined Letter is by Edgar Allan Poe, so I'm wondering if he can be connected to mash, or M*A*S*H in any way.
I have traveled from 1979 to be a member of the unofficial board Council of Elders. Phear M3

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Mon Nov 04, 2013 9:55 pm UTC

Title Text wrote:It was bound to happen eventually. This data theft will enable almost limitless [xkcd.com/792]-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

Wouldn't that be most amateur photoshop users?
dalcde wrote:I trust Adobe that my password is well encrypted/hashed.

Do you mean that or is it a joke?
Kal wrote:(If it was shorter than 8 characters, for instance "John" and the longer password was "John Williams" then the encrypted versions would be ENC(John) and ENC(John Wil) ENC(liams). i.e. the rest of the long password would pollute the block containing the first name). This means that the favorite apostle is probably Iscariot, or Matthias. Since Matthias was a wielder of the weathervane sword (The Sword of Martin, as mentioned by WilliamsXev), we probably have that cracked.

But did they use the English versions of their names? It could be the Hebrew (original?), Greek or Latin version. If they used the Latin version Iohannes would be an option, and it's not that weird if the user is a Roman Catholic. I don't think you really need the hash though, especially if it's assumed the English version is used; trying 12 times is not that problematic and 48 attempts would also be workable.

The pokémon one can be narrowed down to 10 pokémon in the water 3 breeding group, that probably existed during the leak (everything until generation V) with a name of 8 < number of characters <= 16. None of the Japanese names exceed 6 characters in length, they are in katakana which are also on Unicode plane 0 and should therefore be of the same length as Roman characters. As mentioned before, 10 tries is workable...
Dracomax wrote:I have basically 3 passwords, but each site gets a unique 5 figure addition either at the beginning, the end, or in the middle. I know it could be more secure, but I can remember it, it is possible to enter them in on my kindle in less than 10 minutes, and the important sites get the most secure passwords. That being said, why does my bank only allow 16 Characters in the password? It forces me to be less secure than I would like.

To save hard-disc space? For a bank that is a dubious priority over security though, for a forum I would understand.

Alaska Girl
Posts: 14
Joined: Wed Feb 08, 2012 8:08 pm UTC
Location: The white North

Re: 1286: "Encryptic"

Postby Alaska Girl » Mon Nov 04, 2013 10:16 pm UTC

WilliamsXev wrote:"Weather vane sword" must be a Redwall reference. "Sword of Martin" perhaps?

Sounds likely to me. As someone who was once a card-holding member of the official fan club, it's embarrassing that I didn't think of that. I'm just not used to seeing Redwall references online. Thank you, Randall! I resurrected my account just for this post; I think that testifies to how pleased (and geeky) I really am.
Last edited by Alaska Girl on Mon Nov 04, 2013 10:21 pm UTC, edited 1 time in total.
Hatred is blind, as well as love.

MadH
Posts: 30
Joined: Wed Aug 01, 2012 4:51 pm UTC

Re: 1286: "Encryptic"

Postby MadH » Mon Nov 04, 2013 10:21 pm UTC

PinkShinyRose wrote:
Title Text wrote:It was bound to happen eventually. This data theft will enable almost limitless [xkcd.com/792]-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

Wouldn't that be most amateur photoshop users?


I can't figure out if you're saying most of the people who pirate Photoshop are amateurs (true) or that only amateurs pirate Photoshop (false). If it's the latter, let me show you a whole world of small businesses that pirate all their programs as well as all the freelance designers who pirate the entire creative suite.

I'll admit it, in my student days I was the crack dealer...the cracked program dealer. You came to me if you wanted to work outside the computer labs.
Last edited by MadH on Mon Nov 04, 2013 10:22 pm UTC, edited 1 time in total.

Teaspoon
Posts: 351
Joined: Tue Sep 12, 2006 11:37 pm UTC
Location: Where you least expect me

Re: 1286: "Encryptic"

Postby Teaspoon » Mon Nov 04, 2013 10:22 pm UTC

thisisnotdan wrote:The comic says that Adobe "misused" Block-mode 3DES encryption. What does that mean?


The "right" (or at least, "currently considered to be good enough") way to store passwords is by encrypting them using an algorithm that is not designed to be decryptable even by the person who did the encrypting, because all you really need to do to check that a submitted password is correct is encrypt it the same way and then compare the result with the stored encrypted password. These one-way algorithms are "hashing" algorithms. The other thing that's commonly done is to combine the password with some other data that's specific to the user and to the system (i.e., the username and a word chosen by the website's administrator) before hashing it so that the hashed password will be unique to that user+password+site combination. If two users at the same site have the same password their hashes will be different because of the user-specific data included, and if one user sets up an identical account on two systems the hashes should be different because of the system-specific data.

DES (and 3DES, because it's just DES applied three times with different keys to triple the effective length of the key) is a reversible encryption algorithm. That's their first mistake, as it means an attacker who steals or guesses* the key can use it to simply decrypt all the passwords. Their second mistake that makes the first mistake look a lot worse is the use of the "electronic codebook" mode of operation, where each block of ciphertext is derived from only the secret key and the matching block of plaintext, and identical blocks of ciphertext imply identical blocks of plaintext. Using the "cipher block chaining" mode of operation, each block of ciphertext would be dependent on the secret key, the matching block of plaintext AND the previous block of ciphertext. The "previous block" of ciphertext used to encrypt the first block of plaintext is known as the initialisation vector and is typically randomly generated and stored along with the ciphertext, and ensures that identical plaintext blocks are stored as different ciphertext blocks. Note that the CBC mode of operation only prevents comparison of ciphertexts and does nothing at all to protect the passwords in the event that the key becomes known.

*guessing the key is "difficult", but gets a tiny bit easier with each plaintext+ciphertext pair made available. In this case, there are 153 million ciphertexts matched up with hints about the plaintexts so it's conceivable that tens of millions of plaintext/ciphertext pairs will become available over time.
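The salt+hash scheme gnutrino asks about and Teaspoon describes above, as an added example for this thread (not code from the comic or from any real site): a per-user random salt plus a site-wide "word chosen by the administrator" is fed into a one-way, deliberately slow key derivation, and login checks a candidate by re-deriving and comparing rather than by decrypting anything. The PBKDF2-HMAC-SHA-256 routine is written out from RFC 8018 using only the standard library so the whole pipeline is visible; the pepper string, the iteration count and the sample passwords are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"log"
)

const (
	saltLen    = 16
	iterations = 100000 // work factor: slows each guess, raise it as hardware gets faster
	keyLen     = 32
	// sitePepper stands in for the administrator-chosen word from the post above.
	// Constructed value; it lives in server configuration, never in the user table.
	sitePepper = "constructed-site-pepper"
)

// pbkdf2HMACSHA256 implements PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA-256.
// Production code would call x/crypto/pbkdf2 or a dedicated password hash
// (bcrypt, scrypt, Argon2); this spells the algorithm out.
func pbkdf2HMACSHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	nBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, nBlocks*hLen)
	ctr := make([]byte, 4)
	for b := 1; b <= nBlocks; b++ {
		// U_1 = PRF(password, salt || INT(b))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(b))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(password, U_{i-1});  T_b = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// StoredPassword is what the user table keeps: the random per-user salt and the
// derived hash. The password itself is never stored and cannot be recovered.
type StoredPassword struct {
	Salt []byte
	Hash []byte
}

// hashPasswordWithSalt derives the stored hash from password, salt and pepper.
// Split out from hashPassword so the derivation can be exercised deterministically.
func hashPasswordWithSalt(password string, salt []byte) StoredPassword {
	saltInput := append(append([]byte(nil), salt...), sitePepper...)
	return StoredPassword{
		Salt: append([]byte(nil), salt...),
		Hash: pbkdf2HMACSHA256([]byte(password), saltInput, iterations, keyLen),
	}
}

// hashPassword draws a fresh random salt for this user, so two users with the
// same password end up with different stored hashes.
func hashPassword(password string) StoredPassword {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		log.Fatal(err)
	}
	return hashPasswordWithSalt(password, salt)
}

// verifyPassword re-derives the hash from the stored salt and compares in
// constant time; nothing is ever decrypted.
func verifyPassword(stored StoredPassword, candidate string) bool {
	got := hashPasswordWithSalt(candidate, stored.Salt).Hash
	return subtle.ConstantTimeCompare(got, stored.Hash) == 1
}

func main() {
	pw := "correct horse battery staple" // constructed sample password
	alice := hashPassword(pw)
	bob := hashPassword(pw)
	fmt.Println("alice:", hex.EncodeToString(alice.Hash))
	fmt.Println("bob:  ", hex.EncodeToString(bob.Hash)) // differs: different salt
	fmt.Println("alice, right password:", verifyPassword(alice, pw))
	fmt.Println("alice, wrong password:", verifyPassword(alice, "Tr0ub4dor&3"))
}
```

The contrast with the thread's 3DES-ECB case is the point: a stolen table of these records gives an attacker no key to recover, identical passwords across users look unrelated, and every guess costs the full iteration count.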

AussieJono
Posts: 34
Joined: Wed Mar 27, 2013 11:23 am UTC

Re: 1286: "Encryptic"

Postby AussieJono » Mon Nov 04, 2013 10:30 pm UTC

Just wanted to get in there and say that alpha, obvious and Michael Jackson are almost certainly abc or ABC. I don't know anything about encryption, so let me have this one and feel smart for five minutes.
<pretentious quote> </pretentious quote>

gnutrino
Posts: 100
Joined: Sat Sep 06, 2008 9:02 am UTC
Location: Over the edge...

Re: 1286: "Encryptic"

Postby gnutrino » Mon Nov 04, 2013 10:39 pm UTC

PinkShinyRose wrote:
Kal wrote:(If it was shorter than 8 characters, for instance "John" and the longer password was "John Williams" then the encrypted versions would be ENC(John) and ENC(John Wil) ENC(liams). i.e. the rest of the long password would pollute the block containing the first name). This means that the favorite apostle is probably Iscariot, or Matthias. Since Matthias was a wielder of the weathervane sword (The Sword of Martin, as mentioned by WilliamsXev), we probably have that cracked.

But did they use the English versions of their names? It could be the Hebrew (original?), Greek or Latin version. If they used the Latin version Iohannes would be an option, and it's not that weird if the user is a Roman Catholic. I don't think you really need the hash though, especially if it's assumed the English version is used; trying 12 times is not that problematic and 48 attempts would also be workable.

The pokémon one can be narrowed down to 10 pokémon in the water 3 breeding group, that probably existed during the leak (everything until generation V) with a name of 8 < number of characters <= 16. None of the Japanese names exceed 6 characters in length, they are in katakana which are also on Unicode plane 0 and should therefore be of the same length as Roman characters. As mentioned before, 10 tries is workable...


Given the "Weather Vane Sword" reference I'm pretty sure Matthias is the right answer for that. Also as I'm almost certain that Randall made these up rather than publishing a part of the leak in webcomic form there's nothing to "try" answers on, you can just try to guess what he used (or try to guess the key he used to encrypt them but I'd say that's significantly harder than solving the hints). Of course this leaves open the possibility that some hints have no answer and he's just trolling us but his track record with these sorts of things suggests there are actual answers.

xtifr
Posts: 366
Joined: Wed Oct 01, 2008 6:38 pm UTC

Re: 1286: "Encryptic"

Postby xtifr » Mon Nov 04, 2013 10:45 pm UTC

There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

Oh really? What about those of us who simply don't use Adobe products? Frankly, I'd look like an idiot if I did pirate Photoshop, since the damn thing doesn't run on my system in the first place.
"[T]he author has followed the usual practice of contemporary books on graph theory, namely to use words that are similar but not identical to the terms used in other books on graph theory."
-- Donald Knuth, The Art of Computer Programming, Vol I, 3rd ed.

PinkShinyRose
Posts: 835
Joined: Mon Nov 05, 2012 6:54 pm UTC
Location: the Netherlands

Re: 1286: "Encryptic"

Postby PinkShinyRose » Mon Nov 04, 2013 10:48 pm UTC

MadH wrote:
PinkShinyRose wrote:
Title Text wrote:It was bound to happen eventually. This data theft will enable almost limitless [xkcd.com/792]-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

Wouldn't that be most amateur photoshop users?


I can't figure out if you're saying most of the people who pirate Photoshop are amateurs (true) or that only amateurs pirate Photoshop (false). If it's the latter, let me show you a whole world of small businesses that pirate all their programs as well as all the freelance designers who pirate the entire creative suite.

I'll admit it, in my student days I was the crack dealer...the cracked program dealer. You came to me if you wanted to work outside the computer labs.

No, I'm saying most photoshop amateurs use a pirated copy (i.e. only a small proportion is actually willing to pay the fortune demanded for an official licence). I'm not trying to imply anything about professional users (except maybe that apparently a sufficient number of them actually pay for the licence to make the development profitable).

Not entirely related to the former: I think there may be more pirated copies of photoshop than that there are copies of GIMP.

Carteeg_Struve
Posts: 124
Joined: Mon Jun 08, 2009 12:56 pm UTC

Re: 1286: "Encryptic"

Postby Carteeg_Struve » Mon Nov 04, 2013 11:19 pm UTC

Greatest Password Hint: "Just click 'forgot password?' dumbass"
