
GCHQ Challenge Solution Explained

timothy posted more than 2 years ago | from the oh-well-now-that's-just-obvious dept.

Encryption 107

First time accepted submitter DrDevil writes "The British spy agency GCHQ recently published a puzzle at canyoucrackit.co.uk (as featured on Slashdot), now just a few days later an academic at the University of Greenwich in England has posted a full video explanation of the puzzle. The puzzle has three stages and is not at all simple — likely to challenge even the best computer science graduates."


The correct solution was... (-1)

Anonymous Coward | more than 2 years ago | (#38258154)

"First Post"

Screen recorder (1)

onceuponatime (821046) | more than 2 years ago | (#38258722)

So what screen recorder software did the author use? It plays back nicely.

Re:Screen recorder (0)

Anonymous Coward | more than 2 years ago | (#38259272)

I don't know exactly what they used, but FRAPS will typically record 30/60 FPS smoothly. Given the low resolution, it wouldn't be that hard either.

Re:Screen recorder (1)

onceuponatime (821046) | more than 2 years ago | (#38259458)

Fraps doesn't do Linux. Whatever was used here was on Linux. That's what I want it for as well.

Re:Screen recorder (1)

xaxa (988988) | more than 2 years ago | (#38260138)

If you look at the final video, you'll see that it's Linux running inside a VM, on Windows.

Re:Screen recorder (1)

Sulphur (1548251) | more than 2 years ago | (#38261216)

If you look at the final video, you'll see that it's Linux running inside a VM, on Windows.

Was it on the boss's machine?

Re:Screen recorder - here (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38259768)

http://recordmydesktop.sourceforge.net/about.php

Re:Screen recorder - here (1)

onceuponatime (821046) | more than 2 years ago | (#38259896)

This is probably it. Thanks.

For something on-topic. What's all that stuff about morse code in the source then? Are they providing several challenges so they can recruit people of different skill levels and indeed different areas of expertise? It would seem the logical thing to do. Maybe there is even another even harder challenge in there to get the really really clued up people? Maybe there's a code hidden in the white space of the source code? (Just throwing down the gauntlet and teasing people).

Re:Screen recorder (1)

DrDevil (90608) | more than 2 years ago | (#38260604)

The screen recorder is Camtasia - Linux is running in a VM under Windows.

Re:Screen recorder (1)

onceuponatime (821046) | more than 2 years ago | (#38264072)

Thanks for that! It made for a very nice presentation.

Entitlement? (-1)

Anonymous Coward | more than 2 years ago | (#38258212)

Does anyone else think that artists have entitlement issues nowadays? First of all, it costs nothing to make a copy of something. Digital copies can be made an infinite number of times at no cost to the artist. Yet they have the audacity to complain that pirates are costing them money? Something seems off.

Our society is brainwashing people to believe that copying is bad, and stealing money from customers (the artists) is good. How can we stop this?

Re:Entitlement? (-1)

Anonymous Coward | more than 2 years ago | (#38258244)

Does anyone else think that artists have entitlement issues nowadays? First of all, it costs nothing to make a copy of something. Digital copies can be made an infinite number of times at no cost to the artist. Yet they have the audacity to complain that pirates are costing them money? Something seems off.

Our society is brainwashing people to believe that copying is bad, and stealing money from customers (the artists) is good. How can we stop this?

Wildly irrelevant. Lovely!

Opaque (3, Interesting)

DarkIye (875062) | more than 2 years ago | (#38258234)

I didn't give the challenge a serious go, but stage 1 just seems convoluted - why is it the mark of a good code cracker to recognise x86 bytecode?

Re:Opaque (4, Funny)

Robadob (1800074) | more than 2 years ago | (#38258276)

Because terrorists are yet to discover x64

Re:Opaque (1)

An dochasac (591582) | more than 2 years ago | (#38260006)

X64? Weren't the Taliban still using C64s? Can GCHQ crack this Commodore 64 crypto [pagetable.com]:

; WAIT Command
B82D  20 EB B7   JSR $B7EB
B830  86 49      STX $49
B832  A2 00      LDX #$00
B834  20 79 00   JSR $0079
B837  F0 03      BEQ $B83C
B839  20 F1 B7   JSR $B7F1
B83C  86 4A      STX $4A
B83E  A0 00      LDY #$00
B840  B1 14      LDA ($14),Y
B842  45 4A      EOR $4A
B844  25 49      AND $49
B846  F0 F8      BEQ $B840
B848  60         RTS

Google? (1)

grimJester (890090) | more than 2 years ago | (#38258302)

You can probably find some examples by doing a search for the start of the code. The problem right now is that all the hits are on the challenge itself.

Re:Opaque (5, Insightful)

bWareiWare.co.uk (660144) | more than 2 years ago | (#38258372)

The ability to recognise codes is precisely what they were testing.
If they had used a weak cryptography code everyone would have cracked it; if they had used a strong code no one could (at least no one who didn't already work for their competition).
Utilizing an unexpected but extremely common code seems to be a nice solution.

Re:Opaque (-1, Troll)

JWSmythe (446288) | more than 2 years ago | (#38258460)

I was just sent it last night, and my first reaction to stage 1 was "that's a simple cipher." When I tried to crack the cipher, I found it wasn't. So as a good hacker, I checked around to see if anyone else had done any work towards it.

I finished stage 1 and 2, and decided it wasn't worth the time finishing it, since they wouldn't hire me anyways. :) That, and I think I'm allergic to the UK. Having cameras all over the place, watching my every move, gives me the creeps. I'm ok with the occasional stalker, but these aren't even people that decided they were madly in love with me, and want to kill me. I'd always feel like I'd be hearing a voice over a hidden speaker saying "Citizen, you have violated citizens code XYZ. Please remain where you are. You will be transported for re-education."

Re:Opaque (-1, Flamebait)

Runaway1956 (1322357) | more than 2 years ago | (#38259008)

I share your allergy, but I also have a more serious allergy. I am no person's "subject". I am a free man. No matter how the Brits argue the matter, no matter all the amendments etc to UK constitution, Brits remain subjects of some old woman in a castle. The only way that I would ever bow to the old girl, is if she first bowed to me. Figurehead or not, that "subject" thing would rub me raw, really, really fast.

Re:Opaque (0)

Anonymous Coward | more than 2 years ago | (#38259074)

An old woman in a palace (most of the time).

Re:Opaque (3, Interesting)

maroberts (15852) | more than 2 years ago | (#38259200)

Let's assume for the sake of this discussion that you are a USian.
As a result of political infighting you have heads of state that are reviled in a vitriolic manner by about half the population.

Let's take a list of your heads of state:
Nixon (out due to Watergate)
Ford (ok, but reviled for Nixon pardon)
Carter (amiable bloke, but seemed to let America go to sleep on his watch)
Reagan (surprisingly effective, considering he was slowly losing his marbles)
H.W.Bush (had the bad luck to say "No new taxes" when ambush advertising was getting going)
Clinton (also effective, but American expectation of clean personal life when married to Hillary?? please)
George Bush (endless disputes about chads)
Obama (has the bad luck to be black, leading to morons disputing his legitimacy to be President)

In the UK, Queen Lizzie enjoys the support of a large majority of the population, and most of the political shenanigans gets directed, not at the Head of State, but at the (semi) elected Prime Minister, thus keeping the head of state out of most of the sh1t. I'd say the UK system works better in that regard.

As for the tv cameras, I strongly suspect that most US shopping malls have the same coverage as our city centres, and your heavily robbed 7-11s probably have their own personal systems etc. Most states have surveillance of one sort or another; the only question is where and how much.

And we've (nearly) all been British Citizens and not British Subjects since the Nationality Act 1981 (subject is used but is normally incorrect)

Re:Opaque (1)

Ash Vince (602485) | more than 2 years ago | (#38264388)

In the UK, Queen Lizzie enjoys the support of a large majority of the population

She is kind of easy to support, she does sweet FA and she costs us less than we give to most foreign countries in aid.

Obama (has the bad luck to be black, leading to morons disputing his legitimacy to be President)

Nice.

Re:Opaque (0)

Anonymous Coward | more than 2 years ago | (#38259910)

You know.. of all the shit you could have thrown at the UK... its constitutional monarchy is the LEAST problem at the moment. We have the same problems as the US - our democracy has been eaten from the inside by corporations.

Re:Opaque (1)

xaxa (988988) | more than 2 years ago | (#38260350)

There is a group, Republic [republic.org.uk] , trying to make the UK a republic. I considered joining around the time of Prince Whatsit's wedding.

Economically, it would be nice if we didn't have to pay for the royal family. Politically, it would be nice if we could elect a head of state. Culturally, it would be nice to look round our castles and palaces, and have the art and so on in a national museum.

But, there are much, much bigger economic, political and cultural problems. I gave some extra money to Liberty [liberty-hu...hts.org.uk] instead.

Re:Opaque (0)

Anonymous Coward | more than 2 years ago | (#38263948)

Awww, nice try, but you fell at the very first step.

We in the UK are British Citizens not British Subjects, and have been for 29 years.
Oh, and nobody is expected to bow (or curtsey) when meeting members of the Royal Family, either.

So, your two main points are completely wrong.

Must try harder...

Re:Opaque (4, Interesting)

xaxa (988988) | more than 2 years ago | (#38260292)

It looked interesting, but I lost interest when I saw the salary -- slightly less than what I have already, working for a different bit of government. And GCHQ is in Cheltenham.

But have you visited the UK? I live here, so it's what I'm used to, but when visiting a couple of cities in the US recently I felt more "watched" and regulated. There were many signs with lists of local laws, with violations incurring big fines. There were *more* public (government/city/whatever) CCTV cameras. (I don't know about private ones, in shops and so on -- they didn't catch my eye.) The government buildings were built like fortresses, and I had my ID scanned and bag x-rayed when visiting museums. When I tried to leave, a government employee handled my genitals.

I don't want an argument about which country is better -- they both need improvements in this respect. But I'd like to know how you felt watched (or similar) when you visited the UK.

Re:Opaque (3, Interesting)

Lumpy (12016) | more than 2 years ago | (#38258770)

Not really.
You can make a simple cipher that is obfuscated in such a way that many people will not get it.

Heck, a simple letter substitution cipher used on a dead language will pretty much cull the number of people trying to crack it by a significant amount. I completely fooled my CS instructor by doing just that. Aramaic phrase that had a simple letter substitution applied and a xor of a passphrase that was 1/10th the length of the cipher.

Mine was un-cracked for a full semester with him, his undergrads and all the CS students cracking at it. Nowhere in the challenge did he say we HAD to use English as the content of the message.

Re:Opaque (4, Informative)

pushing-robot (1037830) | more than 2 years ago | (#38258374)

Well, "DEADBEEF" is a bit of a giveaway [wikipedia.org] .

Re:Opaque (1)

TheRealMindChild (743925) | more than 2 years ago | (#38258420)

I was always more partial to DEADD00D

Re:Opaque (1)

Surt (22457) | more than 2 years ago | (#38258456)

I would have expected deadbeef to indicate another platform.

Re:Opaque (5, Informative)

marcansoft (727665) | more than 2 years ago | (#38258520)

Recognizing unknown architecture binaries is an important skill to have when reverse engineering, especially for embedded systems. Very often you'll get a firmware file and you have to figure out what it is. Each architecture has its peculiarities, so it doesn't take long to get a feeling for what their opcodes look like. For example, 32-bit ARM code sticks out like a sore thumb (no pun intended :) due to the condition code field, which means that every 32-bit word almost always starts with 0xEx (and whether that's the first or last byte in the word tells you the endianness). Variable length architectures like x86 look very different from RISC ISAs with a fixed instruction length like PowerPC.

Re:Opaque (0)

Anonymous Coward | more than 2 years ago | (#38260984)

So... maybe there is a market for old computers for terrorists?

What - you don't recognize tms9900 byte code? Fools!

Re:Opaque (1)

marcansoft (727665) | more than 2 years ago | (#38261502)

Well... I do know someone who is capable of staring at an unknown, undocumented binary blob for a new/proprietary architecture and working out enough of the ISA to write a fairly comprehensive disassembler and then an emulator. Just by staring at the hex and making educated guesses as to what each opcode means, which he later refines as he makes sense of the program. How he can do that boggles the mind, but he can (I've seen him do it at least three times already).

I don't know if the intelligence agencies happen to employ anyone like him though.

Re:Opaque (1)

whoever57 (658626) | more than 2 years ago | (#38258588)

It wasn't -- according to the Register, the mark of a good cracker was the ability to use Google. [theregister.co.uk]

Re:Opaque (1)

ceoyoyo (59147) | more than 2 years ago | (#38259430)

The mark of a good code cracker is to be able to look at a bunch of numbers and/or letters and recognize patterns. This one was x86 byte code, which is, IMHO, a nice break from English language letter frequencies.

Re:Opaque (1)

AHuxley (892839) | more than 2 years ago | (#38260426)

It's what they taught the freedom fighters in the 1980's?

Re:Opaque (0)

Anonymous Coward | more than 2 years ago | (#38261704)

If you've spent any time at all looking at x86 machine code it should be obvious what this is. The first byte is EB which is a near jump, the sequence CD 80 appears, which is a Linux system call invoke, there are several 90 opcodes which are no-ops commonly used for padding, and the constant "deadbeef" is present, in little-endian order, further increasing the odds that it's x86 machine code. I actually started this puzzle, but it seemed kind of stupid and too easy so I stopped. Seeing the full solution now, I'm glad I didn't waste my time.
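The two rules of thumb above (marcansoft's ARM condition-code nibble in #38258520 and this comment's x86 tell-tales) written up as a small Python fingerprinting script. This is an added example, not code from the thread, the puzzle or GCHQ: the sample blobs are constructed here (a toy x86 Linux syscall stub and four ARM instructions in both byte orders), and the scoring thresholds are this example's own choices rather than anything the comments state.

```python
"""Heuristic instruction-set fingerprinting for an unknown binary blob.

Added example, not from the thread or the GCHQ puzzle. It codes up two rules
of thumb from the discussion: the ARM condition-code nibble (0xE in the top
nibble of nearly every 32-bit word, whose position also betrays the
endianness) and the x86/Linux tell-tales (a leading short jmp, int 0x80, nop
padding, 0xDEADBEEF stored little-endian). Samples and thresholds are
constructed for this example.
"""

# Constructed sample blobs; neither is the challenge's data.
X86_SAMPLE = bytes.fromhex(
    "eb04"          # jmp short +4 (skip the 4 data bytes that follow)
    "41424344"      # data "ABCD"
    "b804000000"    # mov eax, 4   ; sys_write number
    "bb01000000"    # mov ebx, 1   ; stdout
    "cd80"          # int 0x80     ; Linux system call
    "90909090"      # nop padding
    "efbeadde"      # dd 0xdeadbeef, stored little-endian
    "b801000000"    # mov eax, 1   ; sys_exit
    "cd80"          # int 0x80
)
ARM_LE_SAMPLE = bytes.fromhex(
    "0000a0e3"      # mov r0, #0      (E3A00000, little-endian)
    "0110a0e3"      # mov r1, #1      (E3A01001)
    "021080e0"      # add r1, r0, r2  (E0801002)
    "1eff2fe1"      # bx lr           (E12FFF1E)
)
# The same four instructions with each word byte-swapped: a big-endian ARM image.
ARM_BE_SAMPLE = b"".join(
    ARM_LE_SAMPLE[i:i + 4][::-1] for i in range(0, len(ARM_LE_SAMPLE), 4)
)
TEXT_SAMPLE = b"Nothing to see here, just some ASCII text padding out a file.\n"


def arm_condition_fraction(blob: bytes) -> tuple:
    """Fraction of 32-bit words whose condition nibble is 0xE (AL), as (le, be).

    In a little-endian ARM image the condition field is the last byte of each
    word; in a big-endian image it is the first byte.
    """
    words = [blob[i:i + 4] for i in range(0, len(blob) - len(blob) % 4, 4)]
    if not words:
        return 0.0, 0.0
    le = sum(1 for w in words if w[3] >> 4 == 0xE) / len(words)
    be = sum(1 for w in words if w[0] >> 4 == 0xE) / len(words)
    return le, be


def longest_run(blob: bytes, value: int) -> int:
    """Length of the longest run of byte `value` (used to spot nop padding)."""
    best = cur = 0
    for b in blob:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def x86_markers(blob: bytes) -> dict:
    """Count the x86/Linux tell-tales named in the thread."""
    return {
        "leading_jmp": len(blob) > 0 and blob[0] in (0xEB, 0xE9),  # jmp short / near
        "int80_count": blob.count(b"\xcd\x80"),                     # int 0x80
        "nop_run": longest_run(blob, 0x90),                         # nop padding
        "deadbeef_le": b"\xef\xbe\xad\xde" in blob,                 # 0xDEADBEEF, LE
        "deadbeef_be": b"\xde\xad\xbe\xef" in blob,                 # same, BE
    }


def guess_isa(blob: bytes) -> dict:
    """Return a guess plus the evidence behind it.

    Thresholds are this example's choices: three quarters of the words carrying
    an AL condition code is taken as ARM; two or more independent x86 markers
    as x86. Anything weaker stays 'unknown' rather than guessing.
    """
    le, be = arm_condition_fraction(blob)
    markers = x86_markers(blob)
    x86_score = (
        int(markers["leading_jmp"])
        + min(markers["int80_count"], 2)
        + int(markers["nop_run"] >= 2)
        + int(markers["deadbeef_le"])
    )
    if len(blob) >= 8 and max(le, be) >= 0.75:
        guess = "arm32-le" if le >= be else "arm32-be"
    elif x86_score >= 2:
        guess = "x86"
    else:
        guess = "unknown"
    return {"guess": guess, "arm_le": le, "arm_be": be, "x86_score": x86_score, **markers}


if __name__ == "__main__":
    for name, blob in (("x86", X86_SAMPLE), ("arm-le", ARM_LE_SAMPLE),
                       ("arm-be", ARM_BE_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, guess_isa(blob))
```

The point of returning the evidence alongside the guess is that no single marker is conclusive: a generic magic database will happily label bytes like these a DOS COM executable, as jdege's `file` run later in the thread shows, and a lone 0xEB at offset 0 is exactly the kind of coincidence that produces that. Weighing several independent markers, and reporting which endianness the ARM rule fits, is what turns the hunch into something you can defend.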

Re:Opaque (1)

jdege (88942) | more than 2 years ago | (#38262204)

I wondered that, myself. I doubt I would have recognized it.

But just on a lark, I put the bytes into a file, and handed it to the Unix "file" command.

It reports that it is a "DOS executable (COM)".

Not a great challenge (5, Interesting)

marcansoft (727665) | more than 2 years ago | (#38258328)

My opinion, as someone who has both solved and organized several challenges of this sort, is that the challenge is neither hard (at least by the standards of the ones I've dealt with) nor well designed. In fact, it kind of degenerates: it starts out OK but the ending is terrible.

Stage 1 is interesting: it combines recognizing executable code (the first thing I thought when I stared at that hex dump is "this looks like x86 code", but being able to recognize binary architectures is a valuable skill) combined with some steganography (fishing out the rest of the required data from the PNG). Fair enough, and OK for a first round.

Stage 2 starts out well: virtual machines are used for obfuscation and make fun challenges. However, the execution is backwards. Being given VM bytecode and a specification to implement a VM isn't a hacking or reverse engineering challenge; it's just work ("go implement this for me"). A much better challenge would be to be given either the spec or (preferably) code that implements it, and then have to reverse engineer the bytecode itself to solve the puzzle. That involves writing a custom disassembler, which is a much more interesting task.

Stage 3 is a clusterfuck. It's just an executable that checks for a few constants in a file and then builds a URL out of the rest of it. There's a hash (old-school DES crypt() salted password) that the input has to match, but even though it's crackable using a dictionary, you don't even have to do that because the URL includes the hash (which is in the executable), not the plaintext! The rest of the URL isn't checked, and it's basically a guessing game where you have to fish out constants from previous levels. It's just a glorified way of saying "okay, now take a wild guess as to what numbers to stick in the URL". It's not realistic in the slightest.

Anyone interested in a "better stage 2" might want to check out a level [marcansoft.com] that I put together for the Hack-It competition at the 18th Euskal Encounter (2010). Your goal is to figure out the 64-bit input key that works (if you don't know what "works" means, compile and run the code and it should be obvious). The full set of challenges can be found here: 2010 [marcansoft.com] 2011 [marcansoft.com] (unfortunately, the website / problem statements are in Spanish, but I'm sure you can work it out with a bit of copy/pasting into Google Translate - if there's enough interest I'll translate them to English).

Re:Not a great challenge (0)

Anonymous Coward | more than 2 years ago | (#38258784)

Step 1, interestingly, also reminded me of machine code - probably because I've spent too many hours programming a ZX81 in my yuff; I'm not sure today's kids have had that experience - so all in all I agree it's bad.

Re:Not a great challenge (0)

Anonymous Coward | more than 2 years ago | (#38259218)

Hmm someone is an 8bit fan ;-) Marcan

Re:Not a great challenge (0)

ceoyoyo (59147) | more than 2 years ago | (#38259498)

"combined with some steganography"

Calling data contained in the comment field of a png steganography seems rather overly generous.

Re:Not a great challenge (1)

snowgirl (978879) | more than 2 years ago | (#38259894)

"combined with some steganography"

Calling data contained in the comment field of a png steganography seems rather overly generous.

He didn't say that it was GOOD stenography...

Re:Not a great challenge (1)

marcansoft (727665) | more than 2 years ago | (#38260982)

If you want a steganography challenge (with a twist), try this [marcansoft.com] , from this year's Hack-It ;)

Stage 2 not trivial (1)

Frans Faase (648933) | more than 2 years ago | (#38260216)

It took me about 3 hours to implement stage 2 in JavaScript (and in C++ when the JavaScript implementation seemed to run in an infinite loop). The specification was not really trivial with respect to the jump instruction and did not explain the use of the cs register, which is not obvious to people who have not worked with 8-bit microprocessors using segmented memory, such as the Z-80. I always played with the 6502, which doesn't use segmented memory and has a 16-bit program counter.

Re:Stage 2 not trivial (1)

marcansoft (727665) | more than 2 years ago | (#38261002)

It took me about 30 minutes using Python (why would you use JavaScript? The mind boggles.), but yes, I agree, the specification wasn't terribly clear especially if you've never worked with segmented memory. The jump instructions also are confusingly described as jumping to r2:r1 in the mod=1 version (it should be imm:r1). Personally, I quite dislike this memory model (and x86 in general), but I've had the "pleasure" of working with an embedded system integrating a 80186 core so I had a fairly good idea of what they look like.

Re:Stage 2 not trivial (0)

Anonymous Coward | more than 2 years ago | (#38261690)

why would you use JavaScript?

Why not? My JavaScript version is no more complicated than the Python version linked in TFA. Did you have some sort of point or are you just another Python fanatic?

Re:Stage 2 not trivial (1)

marcansoft (727665) | more than 2 years ago | (#38262376)

Well, if JavaScript is the language that you're most familiar and comfortable with, and you're happy using a browser or you have a commandline JS interpreter handy, then by all means. I personally prefer Python of course, but everyone has a different taste in programming languages. However, what makes no sense is writing it in JS just because the original file ends in .js. That little fact should have exactly zero influence on the choice of language that you do pick to implement this in.

Considering the parent switched to C++ though, it seems that he hit some kind of snag. If JS is his preferred scripting language then I wouldn't expect him to switch to something else when he has trouble; that's why I kind of assumed that he picked JS just because the original file happened to be JS and not because it's what he finds easiest.

FWIW, my Python version [marcansoft.com] is about 2.5x shorter than TFA's version (counting only the actual code, not the memory block or comments), though I went for a quick and dirty, shortest and simplest version that would do the job, without attempting to make it pretty-print instructions or do anything fancy, and without giving much thought to readability (it was meant as a throwaway implementation that I could expand upon if I needed to analyze execution in more detail - thankfully, that wasn't needed and after adding a couple debug prints I was able to iron out a bug or two and it just worked).

Re:Stage 2 not trivial (1)

Frans Faase (648933) | more than 2 years ago | (#38264382)

I used JavaScript as I assumed that that was the expected target language. Most of the time went into understanding the semantics of the jmp(e) instruction and for that I needed some tracing. Then I went to C++ (my preferred language for the matter) when I hit an infinite loop and did not see any output, because I ran the script inside Firefox.

It was also not my objective to write the shortest possible code. The more I write programs (including quick and dirty ones), the more I come to the conviction that my code should look nice and be pleasant to read. Too often, I have had the experience of having trouble understanding code that I wrote more than a few years ago. I look at your code and indeed it is very compact, but it is not easy to see that it indeed implements the specifications correctly. I am getting the impression that there is a "self.ip += 1" missing in the implementation of the jmp(e) when mod == 1.

Re: segmented memory (2)

neonsignal (890658) | more than 2 years ago | (#38263754)

The Z80 is not a segmented memory model either; you might be thinking of some of the embedded versions such as the HD64180. It was the x86 architecture that was really afflicted with these segment registers.

Re:Not a great challenge (3, Interesting)

b4dc0d3r (1268512) | more than 2 years ago | (#38260530)

Your experience has you quite biased towards these sorts of things. You only watched this video, I can tell, and didn't pay attention.

In the disassembly for stage 3, the messages "loading stage x license key", when they clearly said you were on "stage 2 of 3", were good hints. The unused firmware bits were fairly obvious because they had the right size and served no other purpose, and the unused bytes from stage 1 were obvious after you get your mind on the "unused bits from each stage" track.

And the VM part wasn't trivial. This guy did it in python, but it was intended to be done in javascript. The implementation doesn't really matter, but understanding the bit fiddling needed to implement it is a valuable skill. If you have the skills to disassemble, but not write anything more complicated than hello world, you're probably not useful to them. Not a difficult challenge, but one where you can easily make a mistake and grind your gears for hours. Remember the intent, to find viable candidates for cybersecurity who are interested in doing this sort of thing. Sometimes cyber security is boring but you do what's necessary to solve the problem.

And they never advertised it as a hack-it contest or programming challenge, just a puzzle. So it didn't have to even be fun or entertaining to do - just something to solve. Note as well, they didn't ask for contact information or offer a resume upload - just "Please consider applying with us". So it doesn't even get you an interview.

If you spent the time and are curious enough, you're probably someone they want. If not, you're probably not.

Re:Not a great challenge (1, Interesting)

marcansoft (727665) | more than 2 years ago | (#38261138)

Your experience has you quite biased towards these sorts of things. You only watched this video, I can tell, and didn't pay attention.

I solved stage 2 entirely on my own and reverse engineered enough of stage 3 to realize exactly what it was doing. I had glossed over stage 1 (after I realized it was x86 I just googled it and saw that others had solved it already) so I didn't immediately know about the unused instructions, but I did correctly guess that the "firmware" stuff from stage 2 was used for the second two 32-bit words in the URL.

Basically, I had no interest in playing the guessing game portions of the challenge, especially since I found out about it late and plenty of people had solved all of it already. I have no incentive to beat it entirely on my own: this isn't a contest and I already have a full-time job so I am not interested in applying; I was just curious to see what kind of problems they were and whether any of them were interesting to me.

In the disassembly for stage 3, the messages "loading stage x license key", when they clearly said you were on "stage 2 of 3", were good hints. The unused firmware bits were fairly obvious because they had the right size and served no other purpose, and the unused bytes from stage 1 were obvious after you get your mind on the "unused bits from each stage" track.

Of course it was obvious, but that doesn't make it interesting. This is the kind of problem that is testing no useful skill other than whether the player has been on the lookout for unused stuff that may or may not be useful later. That's not really how real life problems work. If something is used, there will be pointers to it in real applications. Reverse engineering isn't about pulling numbers from strange places and "trying to see if they work".

Mind you, some people enjoy this kind of puzzle. I'm just saying it's the wrong kind of puzzle.

And the VM part wasn't trivial. This guy did it in python, but it was intended to be done in javascript.

Why, because the file happened to end in .js? The only information in it was a memory array, a few constants, and comments. If, as a reverse engineer, you pick the language that you're "supposed to use" instead of the language that you prefer or which is most practical or useful in a given situation, you're doing it wrong. I played in a CTF once where we were given a Linux box running a few services, including one written in shell with a bunch of shell injection and path traversal vulnerabilities. I just rewrote it in Python: it was faster than trying to wrap my head around the existing shell code and its bugs, and I could easily guarantee that all of those holes were gone (and the service was simple enough that I knew there wouldn't be any unexpected exploitable problems). Fixing the original would've taken longer.

The implementation doesn't really matter, but understanding the bit fiddling needed to implement it is a valuable skill.

So they had people implement a VM in order to prove that they know how to shift and mask bits? There are a myriad other ways of doing that that don't involve a VM. If you're going to have a challenge based on a VM, it should be because you want the player to be able to understand a program written in a novel architecture and write their own disassembler, or something similar. The whole point of a VM in a security system is to obfuscate the code running on it - if you don't have to disassemble or understand that code to achieve your goal, then the VM has failed its purpose.

If you have the skills to disassemble, but not write anything more complicated than hello world, you're probably not useful to them.

If the intent is to test that the player can program, then it's still a much better challenge to provide the VM code and a description of the architecture, but still require that the user write both an interpreter and a disassembler and then understand the code. Again, if all you want to do is prove that the player knows how to program, then there are plenty of simpler ways that don't involve a VM.

Not a difficult challenge, but one where you can easily make a mistake and grind your gears for hours. Remember the intent, to find viable candidates for cybersecurity who are interested in doing this sort of thing. Sometimes cyber security is boring but you do what's necessary to solve the problem.

But that's the thing: this is boring because it's unrealistic. It would be a lot more interesting if you had to reverse engineer the VM bytecode itself! That would also be more realistic and would test more skills.

If you spent the time and are curious enough, you're probably someone they want. If not, you're probably not.

You've got it backwards: the intent of the challenge is not for them to test whether you're good enough to solve it (that stops working as soon as someone posts the solution on the internet), but rather to get people who like this kind of thing interested in applying. If the challenge isn't well put together and doesn't appear realistic to someone who is genuinely interested in this kind of work and who has some experience, then it doesn't leave a good impression of the agency and fails to do its job.

Re:Not a great challenge (3, Insightful)

dnewt (2457806) | more than 2 years ago | (#38261490)

Unless you're intimately familiar with the tasks undertaken by GCHQ analysts such as the one this test is recruiting for, I think it's hard to say for sure whether the test was, in fact, good or bad. The thinking behind why some elements of the test were designed the way they were may not be immediately obvious. Having said that, I do wonder whether GCHQ would put their best minds to task working on devising a top rate recruitment puzzle. With the current international climate, combined with the current economic climate, I'd hazard a guess that their time is rather precious ;)

Why crack it when you can bypass it? (4, Funny)

TripleP (525879) | more than 2 years ago | (#38258352)

So if you can't crack it, but you can bypass the challenge, do you still win?

http://www.canyoucrackit.co.uk/soyoudidit.asp [canyoucrackit.co.uk]

Re:Why crack it when you can bypass it? (1)

Xugumad (39311) | more than 2 years ago | (#38258530)

If by win, you mean stand a fair chance of getting to the interview stage, probably. I suspect lacking a good answer to "How did you solve the problem?" would be a bit of an issue, until the whole thing was blown wide open anyway...

Re:Why crack it when you can bypass it? (1)

newcastlejon (1483695) | more than 2 years ago | (#38258700)

If by win, you mean stand a fair chance of getting to the interview stage, probably. I suspect lacking a good answer to "How did you solve the problem?" would be a bit of an issue, until the whole thing was blown wide open anyway...

"Cheating is often more efficient." 7 of 9

I'm no expert, but isn't showing initiative a desirable quality in candidates?

Re:Why crack it when you can bypass it? (1)

ericloewe (2129490) | more than 2 years ago | (#38259778)

Yeah, but simply trying out addresses to see if you randomly reach the "Well done!" page is not really useful in this context.

Re:Why crack it when you can bypass it? (0)

Anonymous Coward | more than 2 years ago | (#38259964)

It wasn't random at all. Google indexed it and there were only a few links, and the name made it obvious.

I'm surprised that more of an issue wasn't made as to the sloppy execution.

Re:Why crack it when you can bypass it? (1)

Xugumad (39311) | more than 2 years ago | (#38260834)

Debatable; keep in mind they're recruiting for cryptanalysts and information/network security people, not spies in the traditional sense. They want strong problem solving abilities; so short-cutting to the solution I would imagine won't discount someone, but they would also need to show the core skills expected of the job...

Re:Why crack it when you can bypass it? (0)

Anonymous Coward | more than 2 years ago | (#38264380)

Even if it's blown wide open you can still ask "here's a similar but not identical problem, please solve it" at the interview. Those who googled the solution and didn't understand the method will be very easy to weed out, those who googled the solution and understood the problem might have a chance of solving similar problems. Those who solved it themselves should be able to make the relevant adjustments easily.

Re:Why crack it when you can bypass it? (1)

Anonymous Coward | more than 2 years ago | (#38264488)

"I crowdsourced it."

Re:Why crack it when you can bypass it? (0)

Anonymous Coward | more than 2 years ago | (#38258632)

Pointless anyway. I recently learned that the PC is dead and there is no use for these complex machines anymore. All we need is tablets and phones, for which the apps are available from app stores. Is there an app for this challenge?

Re:Why crack it when you can bypass it? (1)

Rashdot (845549) | more than 2 years ago | (#38260508)

No, because your IP address wasn't registered jumping through all the hoops.

I've been having a go... (3, Interesting)

shic (309152) | more than 2 years ago | (#38258378)

I'm aware that the solution has been leaking out onto the net...

Starting later than most, in spare time, I've trudged through stages One and Two... I've been playing with the stage-3 executable and have disassembled it... though there remains further tedious trudging for me to demonstrate by sensible sequential steps how to go about solving stage-3.

I'm finding it difficult to convince myself that it's worth the effort... I'm sure I can fathom any remaining steps - based upon the fact that there has been little about stages one and two that was actually 'challenging'. It seems silly to plod onwards without 'cheating'.

I was interested principally to try and find out what sort of skills GCHQ actually want... I never assumed I'd be (one of the) first to solve it. The experience has left me wondering what sort of job this sort of tom-foolery would suit one for. Sure debugging and OS-level skills can be valuable - but the challenge is most time consuming as one is required to guess the objective - identifying the intentions of the challenge setter rather than to address real-world issues.

Re:I've been having a go... (2)

marcansoft (727665) | more than 2 years ago | (#38258464)

Stage 3 isn't worth the effort. It's very little hacking/reverse engineering and mostly silly guesswork with no sensible sequence of steps to get there. Spoiler ahead:

The primary challenge is to guess what bits of stage 1 and stage 2 to stick into a URL (or a file which the exe then formats into a URL). You have to go back to stages 1 and 2 and fish out the most likely candidates for "3 32-bit numbers that do nothing and stick out like a sore thumb".

Re:I've been having a go... (0)

locokamil (850008) | more than 2 years ago | (#38258704)

It's absolutely not worth it to get through to the end.

Salary [gchq-careers.co.uk] from their job posting:

£25,446 (GC10) £31,152 (GC9)

Why on earth would a top notch graduate apply for this position when s/he could make 4x that in the private sector? As the professor in the third video said: that's rather a disappointing end.

Re:I've been having a go... (2)

starofale (1976650) | more than 2 years ago | (#38258892)

errrr.... what?

I'd like to know where I could earn £120,000 as a starting salary when I graduate.

Re:I've been having a go... (1)

locokamil (850008) | more than 2 years ago | (#38259524)

Top grade banks. Look to get hired as a quant, not a techie. Starting salary in the US was $160K flat, plus bonus when my college friends were doing it a few years back. Things have cooled off a bit since then, but it's still possible -- especially with a finished masters or half-finished doctorate.

Re:I've been having a go... (1)

Rising Ape (1620461) | more than 2 years ago | (#38259800)

What are the hours and stress like in that job though?

Re:I've been having a go... (1)

Necroloth (1512791) | more than 2 years ago | (#38259992)

compared to working for the Intelligence service, knowing that your every movement, call and net is monitored?

Re:I've been having a go... (1)

locokamil (850008) | more than 2 years ago | (#38260262)

In at 6:30, out by 7, with monitoring of risk jobs overnight if need be.

Re:I've been having a go... (1)

Rising Ape (1620461) | more than 2 years ago | (#38260448)

So pretty horrible then, just about enough time to work, eat and sleep.

There's always a catch isn't there?

Re:I've been having a go... (1)

locokamil (850008) | more than 2 years ago | (#38265908)

I didn't mind it too much...I managed to find a wife, start a family, have a hobby shop and write a book while I was in the system.

The key is to not become addicted to the fat paycheck. It's hard for some people to do, which is why they stay in and subject themselves to the stress for years on end. I saw far too many people with empty million dollar Manhattan apartments to fall into that trap, so when the wife got a teaching job in another part of the country in my sixth year, I packed up and left. We bought a house, have enough left over for our kids' college educations, and keep family-friendly hours now.

There are tradeoffs for everything, but if I had a chance to do it all over again, I can't imagine what I'd do differently.

Re:I've been having a go... (2)

xaxa (988988) | more than 2 years ago | (#38260476)

What are the hours and stress like in that job though?

Rhetorical, or not?

A couple of my friends (well, more friends-of-friends) from my year went on to do that. That was when I stopped seeing them. "Let's meet for drinks after work in central London!" They rarely turned up before 10pm, and even then sometimes went back to work after an hour or two. Got to get their bonus, you see.

One of my closer friends -- I lived with this guy for two years! -- is working for a hedge fund. £200k, I think, probably with a bonus. He was never particularly social, but in the last three years I've seen him about three times. Last time, he noticed I'd cycled straight from work and asked if I thought it was quicker than taking the metro. I said it was similar, but it was nice to avoid the crowds and kept me fit. He said "but the train's always pretty empty at 5:45am"...

Re:I've been having a go... (3, Informative)

MattBecker82 (1686358) | more than 2 years ago | (#38264054)

Err ... no. There simply aren't quant jobs with grad starting salaries of that level, certainly not in London, and I would highly doubt you'd find that level in NY either. Salaries actually went up (and bonuses down in relative terms) after '08-09, but there's still no way you'll get a six-figure (GBP) base for a grad starting position.

Also, timing is pretty bad if you want to land a quant role right now. Front-office hiring patterns tend to be very cyclical and right now they're in a downswing with most banks downsizing their quant teams and only a few hiring. Those that are hiring will much prefer experienced candidates over fresh grads, and competition among grads is fierce at the best of times.

If you really want to go for it, be aware that most houses won't look at you unless you have at least a Masters or equivalent in finance and/or a Doctorate in a strongly numerate hard-science subject. You need demonstrable skills in maths (linear algebra, PDEs, probability theory), quant finance theory and software development. Language-wise, C++ is a must-have, knowing R is also good. "Sure I can program: I did some MATLAB as part of my masters" is not looked upon well. Interviews are tough and mostly fair: a mix of technical (maths, finance, programming) and problem-solving, with some interviewers unfortunately throwing in the odd "what-am-I-thinking" type question. Oh, and if the interviewer asks you to explain your doctoral thesis, it's not because they care about the subject: they are testing your skill at communicating complex subject matter succinctly.

Disclaimer: I was a quant in a tier-one European bank for over 6 years, including recruiting experienced hires and grads.

Re:I've been having a go... (2)

xaxa (988988) | more than 2 years ago | (#38260582)

You might get £35k (basic) in IT in a bank in London, with anything up to 100% bonus. You get to help screw up the economy, too. Don't worry -- after 2-3 years you'll have lost your morals.

Or similar money (and bonus) working in IT for a software company writing code for banks.

I know someone who's making nearer (over?) £120k as a contractor for banks writing Android apps, but he spent a couple of years writing apps himself (earning a decent amount selling them) before he had the reputation to do that.

I thought this was a crypto/cypher challenge (1)

morphage (62416) | more than 2 years ago | (#38258504)

I didn't realize that reversing IA-32 executables was the modern meaning of cracking a code. I figured it would be difficult and possibly even rely on a dictionary attack of a cryptographic hash, but IA-32 machine code? This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet than to attract people with cryptography, information theory, and signals backgrounds. I don't claim to be a crypto expert (I took an abstract algebra class that is a requirement for all cryptography classes at a university) but my first instinct was to assume that each byte was either xor'd (as a first pass, to get it out of signed byte space) or the residue of some modular division operation. When that didn't work I started analyzing the frequency of the bytes and mapping them to the letter frequency distribution for English. When I realized that most symbols only appeared once I gave up. If nothing else it was an excuse to brush up on my Python iterators.

I haven't looked at the video yet, because I still want to see how far I can get with just the spoilers in the comments.

Re:I thought this was a crypto/cypher challenge (2)

morphage (62416) | more than 2 years ago | (#38258540)

I haven't looked at the video yet, because I still want to see how far I can get with just the spoilers in the comments.

Grr...now I'm mad I didn't recognize the byte swapped DEADBEEF.

Re:I thought this was a crypto/cypher challenge (1)

elfprince13 (1521333) | more than 2 years ago | (#38259912)

Maybe I've too recently spent too much time looking at disassemblies, but I recognized it as x86 almost immediately.

Re:I thought this was a crypto/cypher challenge (0)

Anonymous Coward | more than 2 years ago | (#38260394)

Yup, me too, although I didn't quite get why. Although reading some of the comments I understand it isn't an extremely fun puzzle.

Re:I thought this was a crypto/cypher challenge (4, Insightful)

dachshund (300733) | more than 2 years ago | (#38258566)

didn't realize that reversing IA-32 executables was the modern meaning of cracking a code. I figured it would be difficult and possibly even rely on a dictionary attack of a cryptographic hash, but IA-32 machine code?

For better or for worse, modern intelligence agencies are much more dependent on people who can RE software and develop exploits, than they are on pure cryptographers.

This is a consequence of the rolling disaster that is software security, combined with the fact that crypto folks have (mostly) gotten their act together.

Re:I thought this was a crypto/cypher challenge (3, Interesting)

The Askylist (2488908) | more than 2 years ago | (#38258584)

GCHQ has just announced that they are to lead the UK's cybersecurity push. I guess they need some reverse engineering skills in a hurry.

Re:I thought this was a crypto/cypher challenge (0)

Anonymous Coward | more than 2 years ago | (#38264474)

Doesn't one usually push from behind?

Re:I thought this was a crypto/cypher challenge (2)

PeterBrett (780946) | more than 2 years ago | (#38258708)

This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet

Yes, that's probably exactly what they're after.

Re:I thought this was a crypto/cypher challenge (2)

russotto (537200) | more than 2 years ago | (#38259640)

This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet

Yes, that's probably exactly what they're after.

If they're really looking for people who can do that, they should be looking at people who crack DRM. Oh, are most of the people like that keeping their heads down and unlikely to be considering government jobs? Gee golly, I can't imagine why...

Re:I thought this was a crypto/cypher challenge (0)

Anonymous Coward | more than 2 years ago | (#38259258)

Weak crypto is almost trivial to decrypt - substitution ciphers fall prey to simple frequency analysis, Kasiski, Friedman, et al.

Strong crypto is usually impossible to crack and the only weaknesses you can hope for are in the implementation of the algorithm rather than the algorithm itself (whether that is the re-use of one-time pads, weaknesses in a software implementation that lead to side channels, bad randomness, ...).

In practice you will want to get the text before it is encrypted or after it has been decrypted. Breaking the actual codes will only be possible when dealing with fools.
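As an added illustration (not code from any poster here) of morphage's frequency-analysis attempt above and of this post's point about substitution ciphers: a monoalphabetic substitution of English keeps the plaintext's skewed symbol distribution (a high index of coincidence and few distinct symbols), while a blob of machine code does not, and a "byte-swapped" constant such as DEADBEEF is found simply by scanning for its little-endian encoding. All sample data is constructed; the code-like blob is a stand-in, not real x86.

```python
import struct
from collections import Counter

# Constructed sample 1: English under a monoalphabetic substitution (Caesar, shift 3),
# the kind of cipher that frequency analysis does break.
PLAINTEXT = b"the quick brown fox jumps over the lazy dog while frequency analysis watches"


def caesar(data, shift):
    """Shift lowercase ASCII letters by `shift`; other bytes (spaces) pass through."""
    out = bytearray()
    for b in data:
        if 97 <= b <= 122:
            out.append((b - 97 + shift) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


CIPHERTEXT = caesar(PLAINTEXT, 3)

# Constructed sample 2: a blob with the statistics morphage observed in the stage-1 data:
# many distinct byte values, most used only once, with a 32-bit constant stored little-endian.
CODE_BLOB = bytes(range(0x20, 0x60)) + struct.pack("<I", 0xDEADBEEF) + bytes(range(0x60, 0xA0))


def rank_bytes(data):
    """Byte values ranked by frequency, the table one compares against English letter ranks."""
    return sorted(Counter(data).items(), key=lambda kv: (-kv[1], kv[0]))


def index_of_coincidence(data):
    """Probability that two positions hold the same symbol; ~0.065 for English letters,
    much lower for near-uniform byte soup. Invariant under any monoalphabetic substitution."""
    n = len(data)
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def looks_like_substituted_text(data):
    """Heuristic test for 'substitution cipher of natural-language text' (thresholds are
    this example's own assumptions): skewed distribution and a small alphabet."""
    return index_of_coincidence(data) > 0.04 and len(set(data)) <= 40


def find_le32(data, value):
    """Offsets at which a 32-bit constant appears in little-endian byte order, i.e. the
    'byte-swapped' form in which 0xDEADBEEF shows up in an x86 hex dump (EF BE AD DE)."""
    pattern = struct.pack("<I", value)
    return [i for i in range(len(data) - 3) if data[i:i + 4] == pattern]


if __name__ == "__main__":
    for name, blob in (("ciphertext", CIPHERTEXT), ("code blob", CODE_BLOB)):
        print(name, "IC=%.4f" % index_of_coincidence(blob), "distinct=%d" % len(set(blob)),
              "substitution-like:", looks_like_substituted_text(blob),
              "DEADBEEF at:", find_le32(blob, 0xDEADBEEF))
```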

Meh (0)

Anonymous Coward | more than 2 years ago | (#38258536)

Looks like some Brits need to try out the Mystery Hunt [mit.edu]

perhaps they want to examine packet logs? (4, Insightful)

wierd_w (1375923) | more than 2 years ago | (#38258592)

This is an intelligence agency, and network intrusion programs pumping executable code in the attempt at smashing a stack and jumping execution are pretty common.

Perhaps they want people who can quickly spot x86 assembly payloads from raw packet traces as part of a counter aggression op?

If we assume that their network stack isn't riddled with exploitable stack variables or pointers, and that they successfully prevent the code from running, but log the unrequested network access and dump the binary packets to file for analysis, then having people that can "at a glance" determine what kind of data is in those dumps would be valuable.

Being able to determine what it actually is supposed to do even more so.

With the recent hysteria over SCADA system cyber attacks (I hate that phrase btw..), setting up a fake SCADA system as a honeypot and seeing what the cat drags in could also make use of this skillset.

So, the obvious questions:

Does the UK fear it has poorly secured SCADA systems, or does it fear network worm intrusion on some network segment, and if so, what segments or systems are those?

Re:perhaps they want to examine packet logs? (1)

carvell (764574) | more than 2 years ago | (#38259282)

Why do people think this is anything other than a publicity stunt to generate internet-chatter and pimp their name about a bit?

The details of the challenge are almost certainly irrelevant - anyone can apply for GCHQ jobs directly with them, without having to complete a challenge.

The more their name is banded around forums and sites like slashdot the better, as they'll get more people applying for their jobs, which can only be good for them.

Re:perhaps they want to examine packet logs? (0)

Anonymous Coward | more than 2 years ago | (#38264534)

Perhaps they want people who can quickly spot x86 assembly payloads from raw packet traces as part of a counter aggression op?

This is a simple task in statistical analysis. You can bet your ass that they have code which does this way better than a human does it. And if they don't I'll write it for them (not for £25K/year though).

What a jerk! (-1)

Anonymous Coward | more than 2 years ago | (#38259042)

What kind of a pedantic jerk posts a video tutorial on how to solve this? Actually I can answer that - one that wants to show everybody how smart he thinks he is. Me and a colleague in the lab were having a good bit of fun working on this as an interesting diversion!

Stopped at stage 3 (1)

AdrianKemp (1988748) | more than 2 years ago | (#38259072)

Stage 1 and 2 were really easy frankly. Especially stage 2 since aside from the small error (intentional or not) in the implementation document it was just some simple coding.

Stage 3 was where I stopped, not because I was daunted or otherwise unable but because I didn't have the tools available to screw around with the exe. It was also at that point that I learned they were too stupid to even put up a robots.txt file and thus were not an organization I had any interest in working for.

Re:Stopped at stage 3 (1)

X-Power (1009277) | more than 2 years ago | (#38259660)

Since you know of the importance of robots.txt, wouldn't this be the perfect place for you to work?

They lack the competence, you have the competence.

You guys should meet and greet.

My solution with full writeup (5, Informative)

ncw (59013) | more than 2 years ago | (#38259352)

I was going to hold this back until the competition was finished, but it seems the cat is out of the bag!

Here is my solution and a writeup of exactly how I got there.

http://www.craig-wood.com/nick/articles/how-i-solved-the-gchq-challenge/ [craig-wood.com]

I got demotivated (0)

Anonymous Coward | more than 2 years ago | (#38259488)

after googling the solution: https://www.google.com/#q=site:canyoucrackit.co.uk&hl=en&safe=off&filter=0

'Disallow: /' in robots.txt does not stop Google from picking these URLs from other sites...

GCHQ explanation (0)

Anonymous Coward | more than 2 years ago | (#38259588)

www.twitter.com/badeip posted an explanation for this challenge a while ago

Stage 2 VM in JavaScript (1)

Frans Faase (648933) | more than 2 years ago | (#38260082)

I spent about three hours writing (mostly debugging) a JavaScript implementation of the VM. (I did make a side step to C++ because at one point the JavaScript implementation seemed to run in an infinite loop.) I also discovered that the specification was not very clear and required some interpretation. So stating that stage 2 was the simplest step, and using some code that someone else developed, is not really honest. The biggest problem was with figuring out how the jmp instruction worked and the use of the cs register, because that was not explained in the specification. For more on my implementation see here [iwriteiam.nl].

Thank you, participants... (1)

Anonymous Coward | more than 2 years ago | (#38261192)

...for helping GCHQ crack the "Modern Warfare 3" video game copy protection! Well done, everyone!

If you are interested in helping us get free premium television channels, cellular phone minutes, tickets to concerts, and more money from taxpayers, then join our team!

not to go all dark arts (0)

Anonymous Coward | more than 2 years ago | (#38262008)

but my first thought was,
the password's probably somewhere amongst the hosted files
and if I did a DNS lookup, I could either use a web crawler to see if anything was left somewhere obvious
or go for a dictionary attack and try and get FTP access and search through the root
but this seemed, what's the word, stupid so I didn't bother ...

kind of wished I had tbh ... 30k a year for using a bit of common sense

what we've learned; web masters are as lazy as I'd thought

Challenge ruined .... (0)

Anonymous Coward | more than 2 years ago | (#38264302)

Thanks for ruining the challenge in favour of some cheap publicity!!!!
