IBM using Napoleon Dynamite Quote to Encrypt Data

schmack writes "A developer discovers a quote from the movie Napoleon Dynamite is being used as the cipher key by IBM to publish encrypted XML at this year's Wimbledon grand slam. But is this a rather glaring lapse in security or an easter egg for curious hackers, many of whom would surely be fans of the quirky movie?"

Re:The client had the key anyway.

[daeg]

You don't even need to decompile the flash. Unless recent flash versions have changed, the majority of actionscript is almost completely readable directly in the file with little-to-no obfuscation.

Is there any point to weak encryption?

[Beryllium+Sphere(tm)]

>If a project doesn't require strong encryption, does it require encryption at all?

That is an insightful question.

Historically, weak encryption had a niche for information whose value dropped sharply over time. If you have a lame algorithm that a cluster of supercomputers can crack in a week, you can still safely use it for messages like "unit 3, fall back to hill 41, await instructions".

Sports scores might fall into that category, though the problem in this particular case was not weak encryption, it was a failure of key management.

The other niche is information that you don't want to leak, but that nobody will pay enough to get cracked. No crook motivated by money would crack 40-bit encryption to get the number of your prepaid credit card with the $100 limit. The problem with this idea is the number of crackers motivated by ego rather than money.

Some people have believed that weak crypto makes sense if the most cost-effective attack on the data is to attack something other than the crypto. This was the reasoning behind WEP, "Wired Equivalent Privacy". The idea was that since anyone could tap a wired network, the crypto didn't need to be strong. This failed because the crypto was not just weak but sloppy, causing it to collapse into near-zero protection, and because the threat models weren't comparable. The "cost" of tapping a wired network includes showing your face and getting into the building. Wardriving is much safer for an eavesdroper.

All these ideas are nonsense today because strong crypto is just as easy to deploy as weak crypto, except in the world of puny embedded devices.

Re:Well...

[WilliamSChips]

You forgot one: password.

It's satire

[shaneh0]

Dynamite was the most deft satire of high school life that I've ever seen. There are a ton of people that are twentysomething or younger that DONT'T like the movie, but in my experience, most do. And the older you get, the more you're removed from todays High School experience, the less likely that you'll enjoy the movie.

Re:Huh?

[Gerzel]

Hand delivery is still a form of transmission and can still be intercepted, even if it is a lot harder. Thus there is still a need for incryption of such things.

Re:Huh?

[gkhan1]

There are a few things I wish to clarify about your post

If you don't want normal people to access the project, a standard encryption like 128bit AES is enough to feel safe.

First off, right now 128 bit AES is virtually unbreakable. I mean, the US government has approved 128 bit AES for use in encrypting classifed documents. That should tell you alot. It's true, maybe in 10 years or so, one might be able to crack 128 bit AES in a few weeks or so, which is kinda bad for a modern cipher. But you can rest assured, if you use 128 bit AES (correctly implemented, and with a good password), there isn't a force on earth that could crack it (right now, that is).

By normal people I mean bored people with only little computing power.

This statement makes no sense at all. Do you have any idea how fast AES is? On my puny, 2 year old, cheap crap Dell computer, I just benchmarked 256 bit AES, it can encrypt 55.3 MB/s. Fifty-five megabytes per second! That's fast as hell! By little computing power, are you reffering to ENIAC? 'Cause I bet even that transistor-less monster can crank out a few kbs per seconds, AES is that fast. I routinely watch Hi-Def movies on a drive encrypted by TrueCrypt. That means that the movie is decrypted on the fly, while I'm watching it!

And even that will probably not be enough against black-ops a la your-favorite-secret-agent-franchise...

I HATE IT when people say "Well, I'm sure that NSA could crack any cipher, their so secrative and so cool!" NO THEY COULDN'T. No one can crack a 256 bit AES with a correct implementation (and a good key). It's just not doable. I refer you to an earlier post of mine, where I got really pissed and did a few calculations. You cannot crack 256 bit AES. It's. Not. Possible.

The mistake you seem to be making in your post is that you assume that most encrypted material get cracked because they used a weak cipher. That is not true. 99.9999% of all modern codes that are cracked are cracked because of a poor implementation. Some-one selects a bad password, maybe someone gets your PGP key from your computer, maybe a secret agent beat the crap out the poor IT guy and got in. Whatever. It's simply not feasable to crack modern ciphers by cryptanalysis. It's virtually impossible, and there are so many easier ways to do it.

In conclusion: If you want your material safe, it's fine to use 128 bit AES, but there's no reason not to use 256 bit, so you could just as well use that. Just make damn sure that you use a good password and keep it safe. And no, a quote from Napoleon Dynamite is NOT a good password.

It's not just a pissing contest

[Schraegstrichpunkt]

It's a common misconception that encryption is supposed to be 'unbreakable' (for some large value of 'unbreakable'), in all instances. In the real world of security (I.E. DoD etc...) it's quite common to have the complexity and difficulty of the cipher or code to match the 'speed value' (to coin a term) of the information. For example, diplomatic messages need to be kept hidden essentially forever - thus strong encryption. Tactical communications between Army formations or Navy ships can have a much lesser grade of encryption applied because their value is almost always rendered moot before they can be broken.

Do you know first-hand that this is true and is the policy?

The 'need' for ultra-strong, resist-attack forever grade encryption for personal use is an artifact of the (not uncommon) geek need to be [bigger|faster|stronger] than anyone else when it comes to computer stuff.

No. Well, yes it is, but it's not only a 'geek artifact'. On the Internet, if we need any cryptography at all, we need the strongest cryptography we can find, because we never know how capable our adversaries are. Actually, we know a little about our adversaries' capabilities: any adversary is capable of at least every attack that has ever been published, and possibly some attacks that haven't. Whenever we design a system using strong cryptography, we are designing the system with knowledge of current attacks. However, the system will be subjected to both current attacks and future attacks, so we need a margin of security[1] that is large enough that we can have confidence that the system will not be practically breakable while it is still in use.

Basically, we need strong cryptography because designing systems against future, unknown attacks using knowledge of current, known attacks. This is harder than it looks.

-----

[1] By "margin of security", I mean, loosely, the difference between the limit of computing power that we assume will be available to any adversary, and the amount of computing power that we assume will be required to break the system.

Re:Script substrings

[archgoon]

Okay my guesses are Ifylofd -> I find your lack of faith disturbing Tfiswto -> The force is with you Issapinfs -> I sense a presence I have not felt since... Ysnhcb -> You should not have come back. So, how did I do?