Jan 8

The GCHQ Cipher Story you don’t know.

Category: InfoSec

So much has been said, good and bad, about GCHQ’s recent release of a cipher to the community. Simply a publicity stunt or a well-designed honeypot? No one will ever really know, but what you don’t know is that this was an example of seeing a good idea and then totally cocking it up.

Let me start by saying these are my own words and thoughts and in no way reflect the opinion of my employer, or those organisations I am associated with.

A year or so ago, I got involved with the UK Cyber Security Challenge, which, as far as I am concerned, is a good organisation, doing the right thing for the industry and those that want to be a part of it. I put a lot of my own personal time and resources into it for free, and make my employer give even more time, resources and money to the cause as well. Since I got involved with the UKCSC I have been providing them with simple on-line code breaking challenges, through my own devious thought processes and those of the many experts, far better than me, that I have the pleasure of employing. We do these little challenges, typically on a quarterly basis, as well as to “support suitable and worthwhile endeavours”. One such endeavour happened recently, specifically, the London Conference on Cyberspace, hosted by the FCO. As was the usual manner for these things, I got a phone call from one of the UKCSC directors on a Friday evening asking if we could pull together a cipher for the event the following week. Of course, I said we would be able to and engaged the collective grey matter of a couple of my team. The caveat to this request was that the cipher needed to somehow include GCHQ, the FCO, the UKCSC and of course my own company’s brand. As such, I devised a simple two-stage approach that would allow me to sufficiently bring together the brands and get the exposure each organisation wanted.

The cipher itself was a Union Jack (in keeping with the event) hosted on the FCO conference site, with a series of logos on the flag itself. It was uploaded as a PNG file and had a binary string in the middle of the flag. The binary string easily translated to a goog.le shortlink that took you to a holding page on one of my sites that had each of the organisations’ logos and a message saying thanks for playing. What was less obvious, and in fact the real challenge, was that the flag actually had two binary strings embedded onto each other in such a way that if you played with the colours you would see a series of 0’s that were in fact 1’s and vice versa 🙂 This decoded to a different goog.le link that took you to a random page on a pastebin-style site, where there was an ASCII art pumpkin with some cipher text in it. The cipher text required a key to decrypt, and the key was hidden as an HTML comment in the other page that you went to if you only found the first shortlink, so to complete the entire task you had to visit both short links, and pull it all together.
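The two-layer reading described above, sketched as an added example that is not part of the original post or the real challenge. It assumes the second string was marked by rendering the digits to be inverted in a near-identical shade; the colour values, sample links, page and key are all constructed, since the post does not give the real ones.

```python
import re

BASE = (255, 255, 255)  # assumed colour of an ordinary digit
MARK = (254, 255, 255)  # assumed near-identical shade: digit must be inverted
FLIP = {"0": "1", "1": "0"}

def to_bits(text):
    """ASCII text -> string of 8-bit binary groups."""
    return "".join(f"{b:08b}" for b in text.encode("ascii"))

def bits_to_text(bits):
    """String of 0/1 characters -> ASCII text, 8 bits per character."""
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def build_layered(visible, hidden):
    """Constructed sample: one (digit, rgb) cell per bit of the visible string,
    shaded MARK wherever the hidden string has the opposite bit."""
    a, b = to_bits(visible), to_bits(hidden)
    if len(a) != len(b):
        raise ValueError("both layers must be the same length")
    return [(x, BASE if x == y else MARK) for x, y in zip(a, b)]

def read_visible(cells):
    """What a player sees without touching the colours."""
    return bits_to_text("".join(d for d, _ in cells))

def read_hidden(cells, base=BASE):
    """After 'playing with the colours': invert every off-shade digit."""
    return bits_to_text("".join(d if rgb == base else FLIP[d] for d, rgb in cells))

def key_from_html(html):
    """Return the text of the first HTML comment, or None."""
    m = re.search(r"<!--\s*(.*?)\s*-->", html, re.S)
    return m.group(1) if m else None

# Constructed inputs; the real links, page and key are not given in the post.
CELLS = build_layered("sl.example/aaaa", "sl.example/bbbb")
PAGE = "<html><body>Thanks for playing</body><!-- key: PUMPKIN --></html>"

if __name__ == "__main__":
    print(read_visible(CELLS), read_hidden(CELLS), key_from_html(PAGE))
```
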

It was a simple little cipher that around 100 or so people played and 3 people got right. I put the low turnout down to the last-minute nature of the engagement and lack of major press coverage, but it was still a lot of fun to pull together, and if you can’t have fun in your work, what’s the point?

So, what does all this have to do with the GCHQ Cipher I hear you ask? Simple…

When my team and I developed this cipher for the event I was liaising with the guys at GCHQ careers to ensure they were happy with what we had done and that we had hit the relevant targets for them. In short, they “absolutely loved the cipher” and “thought it was a brilliant idea”.

…a few weeks later, they had their own.

Now, don’t get me wrong, I am aware I don’t own the rights to developing cipher/code breaking challenges to identify talent in the community, but I have been doing it long enough to know that you have to get the “pitching” absolutely perfect to the targets. By this I mean, there is no point in creating a cipher/challenge that would tax the most senior pen tester in the market when you’re using it to find talent to fill a job that pays £20K or so; in fact, this is the reason the ciphers we develop for the UKCSC are not that difficult. What these challenges do/should do is require the player to demonstrate some core requirements such as R&D/basic scripting/coding potentially, ability to think creatively etc., and then entice them in through layers of difficulty to a point where they are genuinely interested and engaged. This approach lets us target the college/university/entry to employment band of the industry and find the real talent in it to bring on board and then develop.

So, in summary, GCHQ, nice try but don’t give up your day jobs, and next time you want some help finding talent to help protect the nation, just ask, we are always happy to help.

2 Comments so far

  1. SF January 10th, 2012 11:13 am

    Yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu
    vq ocmg htgg rjqpg ecnnu?

  2. Jabs January 10th, 2012 12:18 pm

    Funny… Autopatch
