30 comments

[ 3.0 ms ] story [ 58.0 ms ] thread
Ok, now these kinds of challenges are not really good. The reason is that without any extra property, they are trivial. Here is why:

Let's assume you have a cyphertext c, of length l (ie |c| = l). Now I take a plaintext p of length also l (|p| = l). Let the key k be c xor p. Now

   c xor k = c xor (c xor p) = (c xor c) xor p = 0^l xor p = p
Where 0^l is a string of l zeros. So yeah, given one cyphertext, I can craft a pair of key and plaintext such that there is a cypher (simple xor) that, given the cyphertext and the key, outputs the plaintext.

What is worse? I can craft |E|^l of such plaintexts (where |E| is the size of the alphabet).

So yeah: this test only checks if people know basic cryptography and boolean algebra. Which tends not to be a very good test[1,2]

[1] http://techcrunch.com/2011/05/07/why-the-new-guy-cant-code/

[2] http://devinterviews.pen.io/

also, it's even not a case of "crack this and get an interview" it's "crack this and get to apply for the same vacancy that gchq publish on their homepage": job id 35874.

But, it's a good publicity ruse.

edit: the pay's not even that great.

Nice work on getting to the true meaning.
Is that salary listed yearly? If so I can understand why they have to do something like this to get people to apply, I earned more than that while working in retail.
Why do you think this challenge has anything to do with xor'ing with a key? It's not that kind of code.

Actually, I'd say that mob is after assembly language programmers at the moment, not people who know "basic cryptography and boolean algebra".

Moreover, they don't really care if the solution gets plastered all over the net, because from their perspective the point is not the code, but the message (that they have jobs available to British citizens with those skills). And I know that because, according to the press, they said so.

Why do you think it doesn't? Xor ciphers are the basic blocks of S-boxes[1], which are part of several cryptosystems, like AES, DES and Blowfish.

And the word cipher is on the title.

[1] http://en.wikipedia.org/wiki/S_box

Oh! You thought they wanted to hire people who could crack actual real world cryptosystems.
I'm sorry if I misunderstood you but I get the impression that you feel like a One Time Pad is trivial to break?

Just because you can construct any plaintext of that size and a suitable key to generate that ciphertext doesn't mean you've broken it or know anything about its content (aside from the maximum length of the plaintext).

The answer is supposed to be a keyword, I seriously doubt it's an OTP they are asking for...

Just in case no one gets it in time:

Pr0t3ct!on#cyber_security@12*12.2011+

Which leads to http://www.gchq-careers.co.uk/cyber-jobs/, then https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=.... They don't even seem to track who solved it or not, unless they look at the referral URLs on Google Analytics.
-1 to GCHQ for not even tracking who solved their damn riddle and actually using that as a bozo filter. Duh.
The Australian equivalent (DSD) did a challenge like this last month. Same deal - x86 assembly to decrypt a message and reveal a secret URL. They too had no tracking.
are we crowd sourcing intelligence tasks now?
Turn it into a game and get it solved in 10 minutes by 14 year old
don't know if this means anything at all but exif info on the photo has a comment: QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==
Are Americans eligible to apply?
(comment deleted)
I don't think so. They don't even take non-British EU citizens.
Can anyone here point me in the direction of what I should be reading in order to attack a problem like this.

I literally have little to no idea how to start.

Give me a reading list, or outline the first few steps!

Why oh why wouldn't they put this up there in a copy-able format? Why an image?
Spoiler: because the image displays some x86 code (its RC4 with a fixed key), the image file itself contains the ciphertext (in a PNG iTXt block).
So did anybody genuinely manage to figure this out for themselves without google?
/index.asp oh please, what's a challenge worth when I can find out the solution without solving it, by going to the application url. My naive proxy thought it's advertisment and didn't allow me apply hehe.

also we're lucky they exclude non-british folks, that way they interchange doubtable trust measures with infosec beginners.

x86 asm code

yawn.

why do I want to type all this in, again?

(God's laughing)

God says... C:\LoseThos\www.losethos.com\text\DARWIN.TXT

firstly, that all animals tend to vary in some degree, and, secondly, that agriculturists improve their domesticated animals by selection; and then, he adds, but what is done in this latter case "by art, seems to be done with equal efficacy, though more slowly, by nature, in the formation of varieties of mankind, fitted for the country which they inhabit. Of the accidental varieties of man, which would occur among the first few and scattered inhabitants of the middle regions of Africa, some one wo

---------

Who is GCHQ?