Slashdot Mirror

← Back to Stories (view on slashdot.org)

IBM using Napoleon Dynamite Quote to Encrypt Data

Posted by ryuzaki0 on from the masters-of-the-bo-staff dept.

schmack writes "A developer discovers a quote from the movie Napoleon Dynamite is being used as the cipher key by IBM to publish encrypted XML at this year's Wimbledon grand slam. But is this a rather glaring lapse in security or an easter egg for curious hackers, many of whom would surely be fans of the quirky movie?"

28 of 170 comments (clear)

  1. depends by Spiked_Three · · Score: 3, Interesting

    on whether or not they were encrypting anything important. If they were then they were idiots.

    --
    slashdot troll = you make a compelling argument I do not like the implications of.
    1. Re:depends by Minwee · · Score: 4, Funny

      Once the terrorists gain access to the scores from Wimbledon then it's all over for the free world. They could use our own tennis scores against us.

      They had better be using the strongest encryption available for this kind of thing.

  2. Huh? by LordKaT · · Score: 4, Insightful

    I don't really see this as a "lapse" in security. I mean, it was an XML file with updated scares, not a SQL database with every known Social Security Number. The application in question (a flash scoreboard) doesn't exactly call for some kind of PKE scheme.

    1. Re:Huh? by Stiletto · · Score: 4, Insightful


      If a project doesn't require strong encryption, does it require encryption at all?

    2. Re:Huh? by hyfe · · Score: 5, Insightful
      If a project doesn't require strong encryption, does it require encryption at all?

      Of course it does. The lock to your house is most certainly breakable. Does that mean you should throw away the door?

      Weak'ish encryption protects you against untargetted attacks, such as network-snooping. Anybody doing untargetted attacks are probably going to have massive amount of data to search through. Even the most simplistic encryption algorithm involving keys is going to force the attacker to include state-information in his application.. which as we all is just plain painfull on high-traffic networks.

      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    3. Re:Huh? by Deltaspectre · · Score: 3, Funny

      I think what he's saying is....

      If you're going camping you don't necessarily need to lock your tent door up, because it's such a trivial thing to do

      --
      My UID is prime... is yours?
    4. Re:Huh? by DerekLyons · · Score: 5, Insightful
      If a project doesn't require strong encryption, does it require encryption at all?

      Yes.
       
      It's a common misconception that encryption is supposed to be 'unbreakable' (for some large value of 'unbreakable'), in all instances. In the real world of security (I.E. DoD etc...) it's quite common to have the complexity and difficulty of the cipher or code to match the 'speed value' (to coin a term) of the information. For example, diplomatic messages need to be kept hidden essentially forever - thus strong encryption. Tactical communications between Army formations or Navy ships can have a much lesser grade of encryption applied because their value is almost always rendered moot before they can be broken.
       
      The 'need' for ultra-strong, resist-attack forever grade encryption for personal use is an artifact of the (not uncommon) geek need to be [bigger|faster|stronger] than anyone else when it comes to computer stuff.
    5. Re:Huh? by gkhan1 · · Score: 4, Informative

      There are a few things I wish to clarify about your post

      If you don't want normal people to access the project, a standard encryption like 128bit AES is enough to feel safe.

      First off, right now 128 bit AES is virtually unbreakable. I mean, the US government has approved 128 bit AES for use in encrypting classifed documents. That should tell you alot. It's true, maybe in 10 years or so, one might be able to crack 128 bit AES in a few weeks or so, which is kinda bad for a modern cipher. But you can rest assured, if you use 128 bit AES (correctly implemented, and with a good password), there isn't a force on earth that could crack it (right now, that is).

      By normal people I mean bored people with only little computing power.

      This statement makes no sense at all. Do you have any idea how fast AES is? On my puny, 2 year old, cheap crap Dell computer, I just benchmarked 256 bit AES, it can encrypt 55.3 MB/s. Fifty-five megabytes per second! That's fast as hell! By little computing power, are you reffering to ENIAC? 'Cause I bet even that transistor-less monster can crank out a few kbs per seconds, AES is that fast. I routinely watch Hi-Def movies on a drive encrypted by TrueCrypt. That means that the movie is decrypted on the fly, while I'm watching it!

      And even that will probably not be enough against black-ops a la your-favorite-secret-agent-franchise...

      I HATE IT when people say "Well, I'm sure that NSA could crack any cipher, their so secrative and so cool!" NO THEY COULDN'T. No one can crack a 256 bit AES with a correct implementation (and a good key). It's just not doable. I refer you to an earlier post of mine, where I got really pissed and did a few calculations. You cannot crack 256 bit AES. It's. Not. Possible.

      The mistake you seem to be making in your post is that you assume that most encrypted material get cracked because they used a weak cipher. That is not true. 99.9999% of all modern codes that are cracked are cracked because of a poor implementation. Some-one selects a bad password, maybe someone gets your PGP key from your computer, maybe a secret agent beat the crap out the poor IT guy and got in. Whatever. It's simply not feasable to crack modern ciphers by cryptanalysis. It's virtually impossible, and there are so many easier ways to do it.

      In conclusion: If you want your material safe, it's fine to use 128 bit AES, but there's no reason not to use 256 bit, so you could just as well use that. Just make damn sure that you use a good password and keep it safe. And no, a quote from Napoleon Dynamite is NOT a good password.

    6. Re:Huh? by gkhan1 · · Score: 3, Interesting

      This is exactly my point (maybe I wasn't very clear ;). If you want to break the encryptions, you don't do it using cryptanalysis. The only way is exploiting the human factors. The ciphers themselves are solid. That's why I said "using the correct implementation and a good key" all the time. If you encrypt something with a tool like TrueCrypt which uses a rock solid, completly bulletproof implementation with a good password (and, ofcourse, assuming that no one has hacked your system) you will be completly safe from any potential snoopers.

      I really can't say enough good things about TrueCrypt. Every step of the process is done 100% right. What it does is that it it mounts a virtual drive on your system that is encrypted to a file on your harddrive. There is no trace in the files themselves that they are encrypted, they are completly idestinguisable to random noise. You can even hide a hidden drive inside a volume (so if someone forces you to reveal your password, you can still hide a bunch of files inside a volume). It is completly impossible to know whether a hidden drive even exists within a virtual drive if you don't have the password (for the hidden drive that is, which should be different from your standard drive password). It also includes tons of other features, you can choose any cipher you like, from Blowfish to 3-DES (although I have no idea why you wouldn't just go with 256 bit AES), you can backup the fileheaders if someone loses their password, you can use keyfiles in addition to your passwords, you can create "travel disks" so you can take your encrypted stuff on the road an not have to install TrueCrypt on every computer you wish to use, and any other feature you could possibly want if you want to encrypt data. If you don't want to bother with PGP, you could even make a tiny drive, add your files to it, and email it to someone! It's also fast as hell, as I said, you could watch Hi-Def movies from an encrypted drive and it will decrypt it on the fly and you wont notice a thing. All that, and it's open source! I really encourage anyone to use it that has a need to encrypt data.

  3. Let me be the first to say... by ChePibe · · Score: 5, Funny

    Idiots!

  4. The client had the key anyway. by vidarlo · · Score: 4, Insightful

    If you read the article, you'll see that he found the key in the flash applet that presented the data to the website visitors. So even if they used a truly random key, it would be worth no more, since the client could just read the flash file (de-assemblers for flash is out there. Search on google.), and get the key. So really, there is no point of better encryption, because the determined people will get the key anyway.

    Remember that flash runs on your computer. Thus, the encryption key has to be on your computer so the flash application can decode the XML file and show you the results. As long as Trusted Computing does not excist, there is no way to stop a determined person from getting the key. Thus, using a stronger key would not make it more difficult. It is not like the key was discovered by accident. The writer of TFA was looking for the key in the flash file...

    Nothing here to see, please move along!

    --
    Assembling etherkillers for fun an profit
    1. Re:The client had the key anyway. by daeg · · Score: 3, Informative

      You don't even need to decompile the flash. Unless recent flash versions have changed, the majority of actionscript is almost completely readable directly in the file with little-to-no obfuscation.

  5. Preemptive Questioning Your Own Answers by soloport · · Score: 5, Insightful

    It was totally retarded, why do people like it?

    Look, it's all right there:
    Q. Why do people like it?
    A. It was totally retarded.

    You're, uh, one step away from Yoda-speak.

  6. Re:What is with that movie? by athakur999 · · Score: 5, Funny
    It was totally retarded, why do people like it?


    roman_mir, don't be jealous that I've been chatting online with babes, all day. Besides, we both know I'm training to become a cage fighter.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  7. Exactly! by FatSean · · Score: 4, Insightful

    Not sure why exactly they would want to encrypt the scores as they flew over the network though. The scores are public knowledge...who cares if they are sniffed? Technology demonstration? Wanted to use the 'encryption' buzzword perhaps?

    --
    Blar.
    1. Re:Exactly! by vidarlo · · Score: 4, Insightful
      Not sure why exactly they would want to encrypt the scores as they flew over the network though. The scores are public knowledge...who cares if they are sniffed? Technology demonstration? Wanted to use the 'encryption' buzzword perhaps?

      To force people interested in live stats either to view their website (=ad revenue) or watch their tv broadcast (=ad revenue). 3rd party apps accessing the information means less ad revenue. Simple as that.

      --
      Assembling etherkillers for fun an profit
  8. Flash player 8 by pjbgravely · · Score: 3, Interesting

    I see even so called Linux friendly IBM is blocking Linux users out because there is no Flash 8 for Linux yet. Oh well maybe next Wimbledon. Is there a Flash player 8 out for Mac?

    --
    Star Trek, there maybe hope.
  9. Gosh! by fdiskne1 · · Score: 3, Funny

    I wonder if the guy who cracked this has nunchuck skills and bowhunting skills too.

    --
    But why is the rum gone?
  10. Re:What is with that movie? by Sage+Gaspar · · Score: 4, Funny

    Whoever he wants to be. Gosh!

  11. Re:What is with that movie? by shotgunefx · · Score: 3, Insightful

    I ain't modding him up, but I won't mod him down either.

    I really like the movie, granted it was annoying at times the first run through.

    I imagine one of the reasons it's popular because it's a movie about "losers", you don't really see that too often. Even when you do, they characters aren't really losers, just perceived that way (and usually not perceived that way by the final reel).

    --

    -William Shatner can be neither created nor destroyed.
  12. This is pretty much.... by Itninja · · Score: 3, Funny

    ....the worst post ever made.
    Please, ITninja, like anyone could even know that.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  13. Re:I thought Napoleon Dynamite was a horrible movi by plopez · · Score: 3, Insightful

    it is much more fun to talk about than it was to actually see it. which is one marker of a cult classic.

    --
    putting the 'B' in LGBTQ+
  14. Re:well... by Cheapy · · Score: 3, Funny

    If what they were sending was important then it is definately the former, if it's something which they meant for people to have a go at then it'll be the latter.

    Captain Obvious to the rescue once again!

    --
    Would you kindly mod me +1 insightful?
  15. eets a slayjhammer by Anonymous Coward · · Score: 3, Funny

    It's a diversionary tactic, gosh!

    How do you keep a bunch of computer nerd hackers in suspense?...

  16. Thank you, Captain Obvious by JourneyExpertApe · · Score: 4, Funny

    We're looking for a good English to English translator. Would you be available soon?

    --
    If you can read this sig, you're too close.
  17. Randomly Generated? by feepness · · Score: 4, Funny

    Is it not possible that this was a randomly generated key that simply happened to be a Napoleon Dynamite quote?

  18. Re:Script substrings by Wolfrider · · Score: 4, Funny

    --Those responsible for the cipher key in question, have been sacked.
     
    We apologize for the inconvenience.
     
    A m00se once bit my sister...

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  19. Re:Script substrings by (H)elix1 · · Score: 4, Interesting

    Scripts of popular movies such as the Star Wars trilogy are obvious things to include in a cracking dictionary.

    Amen!

    I've seen this on some of my external servers - long lists of dictionary attacks. For a while someone was trying to log into executioner. Before an IP filter was added, we would get tons of login attempts in the logs. Quotes were always in there, including things like Darth quotes (Ifylofd, Tfiswto, Issapinfs, Ysnhcb, and the l33t spelling variants of words and phrases). It became a bit of a game to figure out who could guess the quote based on the attempted password. If you think the first letters of a quote are protection, you are in for a rude awakening when you get back into the office next week. (Happy 4th of July to those in the States)

    --
    +++ UGUCAUCGUAUUUCU