IBM using Napoleon Dynamite Quote to Encrypt Data
schmack writes "A developer discovers a quote from the movie Napoleon Dynamite is being used as the cipher key by IBM to publish encrypted XML at this year's Wimbledon grand slam. But is this a rather glaring lapse in security or an easter egg for curious hackers, many of whom would surely be fans of the quirky movie?"
on whether or not they were encrypting anything important. If they were then they were idiots.
slashdot troll = you make a compelling argument I do not like the implications of.
MOD PARENT +5 INSIGHTFUL!!!
There is a disturbing trend in film today that automatically bills any film that is both watchable and different as a "cult classic" or a "hidden gem". I find it personally disturbing that people seem to be losing their ability to a) separate humor from simple sarcasm or irony, and b) discern aesthetic merit -- not absolutely but just generally -- and separate pure schlock from genuine plot-driven, substantive films.
I see even so-called Linux-friendly IBM is blocking Linux users out because there is no Flash 8 for Linux yet. Oh well, maybe next Wimbledon. Is there a Flash player 8 out for Mac?
Star Trek, there may be hope.
In Excel, the Solver, Analysis Toolpak and Autosave add-ins are protected using the password "Wildebeest!!", and the Internet Assistant VBA add-in uses the password "Weezaarde!?"... More info about it is here.
That's nothing... For a long time (and maybe still) one US state's master Medicare/Medicaid database was secured at the admin level with a username/password from an AC/DC song's lyrics. Rock on!
If a project doesn't require strong encryption, does it require encryption at all?
ROT-13 is eminently useful. So is encryption by printing text upside down at the bottom of a magazine page so you don't accidentally see the answers to a quiz.
The password of a database could be stored lightly encrypted in a web server's config file. Just strong enough that it can't be directly decoded by someone taking a quick peek over your shoulder.
Communication between a rifle and a smart bullet can be relatively lightly encrypted. By the time the code has been cracked the bullet has already made the hole it was destined to make.
A program activation key (like PC games have) doesn't need to be very strong because it can always be cracked at a different point, i.e. by disassembling or modifying the program. No sense having a steel door in a house if the walls are cardboard (and cannot be made stronger).
Scripts of popular movies such as the Star Wars trilogy are obvious things to include in a cracking dictionary.
Amen!
I've seen this on some of my external servers - long lists of dictionary attacks. For a while someone was trying to log into executioner. Before an IP filter was added, we would get tons of login attempts in the logs. Quotes were always in there, including things like Darth quotes (Ifylofd, Tfiswto, Issapinfs, Ysnhcb, and the l33t spelling variants of words and phrases). It became a bit of a game to figure out who could guess the quote based on the attempted password. If you think the first letters of a quote are protection, you are in for a rude awakening when you get back into the office next week. (Happy 4th of July to those in the States)
+++ UGUCAUCGUAUUUCU
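A check to run when a password is set, for the pattern the comment above describes (quotes, their first-letter initialisms and l33t spellings), as an added example that is not part of the original thread. The quote corpus is a constructed sample, and the function names and the `MIN_LEN` threshold are assumptions made for this illustration.

```python
import re

# Constructed sample corpus; a real deployment would load a large list of
# film lines, lyrics and other well-known phrases.
KNOWN_QUOTES = [
    "I find your lack of faith disturbing",
    "The Force is strong with this one",
    "May the Force be with you",
]
MIN_LEN = 6  # assumption: ignore derived forms too short to match reliably

# Fold look-alike characters into one class so "l33t" spellings collapse:
# 1 ! l -> i, 0 -> o, 3 -> e, 4 @ -> a, 5 $ -> s, 7 -> t
_FOLD = str.maketrans("1!l0345$7@", "iiioeassta")


def skeleton(text):
    """Lowercase, fold look-alikes, drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_FOLD))


def derived_forms(quote):
    """Return the run-together phrase and its first-letter initialism."""
    words = re.findall(r"[A-Za-z0-9']+", quote)
    forms = (skeleton("".join(words)), skeleton("".join(w[0] for w in words)))
    return {f for f in forms if len(f) >= MIN_LEN}


def build_denylist(quotes):
    """Collect every derived form, longest first, in a stable order."""
    denied = set()
    for quote in quotes:
        denied |= derived_forms(quote)
    return sorted(denied, key=lambda f: (-len(f), f))


def quote_derived(candidate, denylist):
    """Return the denied form found inside the candidate, or None."""
    folded = skeleton(candidate)
    for form in denylist:
        if form in folded:  # substring match also catches appended digits
            return form
    return None


DENYLIST = build_denylist(KNOWN_QUOTES)
```

Because both the deny list and the candidate pass through the same `skeleton` folding, a password is rejected whether the quote was abbreviated, respelled with digits and symbols, or padded with a year.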
This is exactly my point (maybe I wasn't very clear ;). If you want to break the encryptions, you don't do it using cryptanalysis. The only way is exploiting the human factors. The ciphers themselves are solid. That's why I said "using the correct implementation and a good key" all the time. If you encrypt something with a tool like TrueCrypt which uses a rock solid, completely bulletproof implementation with a good password (and, of course, assuming that no one has hacked your system) you will be completely safe from any potential snoopers.
I really can't say enough good things about TrueCrypt. Every step of the process is done 100% right. What it does is that it mounts a virtual drive on your system that is encrypted to a file on your hard drive. There is no trace in the files themselves that they are encrypted, they are completely indistinguishable from random noise. You can even hide a hidden drive inside a volume (so if someone forces you to reveal your password, you can still hide a bunch of files inside a volume). It is completely impossible to know whether a hidden drive even exists within a virtual drive if you don't have the password (for the hidden drive that is, which should be different from your standard drive password). It also includes tons of other features, you can choose any cipher you like, from Blowfish to 3-DES (although I have no idea why you wouldn't just go with 256 bit AES), you can backup the file headers if someone loses their password, you can use keyfiles in addition to your passwords, you can create "travel disks" so you can take your encrypted stuff on the road and not have to install TrueCrypt on every computer you wish to use, and any other feature you could possibly want if you want to encrypt data. If you don't want to bother with PGP, you could even make a tiny drive, add your files to it, and email it to someone! It's also fast as hell, as I said, you could watch Hi-Def movies from an encrypted drive and it will decrypt it on the fly and you won't notice a thing. All that, and it's open source! I really encourage anyone to use it that has a need to encrypt data.