20040428

I was a teenage hacker

Instead of discussing further events that involve leaving the apartment, I'll stick to the self-absorbed and recursive subject of writing about blogs. Most of the blogs I read are written by people that I know, and some of them are written by FOAFs (Friends of a Friend). One such FOAF blog, which I will omit details of [though it's hosted by Laurie, which should be a big giveaway to those in the know], recently posted a load of photographs. Some of these were considered "Too Hot for the Web", and so rather than being posted as JPGs, they were placed in an encrypted zip. Readers were invited to email for the password.

The problem is, I just can't resist a challenge like this. Surely everyone knows that the encryption of zips isn't that hard to break? I thought I would use this as a test to find out exactly how hard. After a small amount of research, I discovered that not only are there a bunch of tools to crack open encrypted zip files using a variety of standard techniques (dictionary attack, brute force key space search), but there are also well-known weaknesses in the traditional zip encryption scheme itself: it is a homegrown stream cipher, and Biham and Kocher published a known-plaintext attack on it back in 1994. I started by downloading a nice shareware program that has a helpful GUI to help you open the zip. There's a bunch of different options on how to proceed, but the most appealing was the one that exploits the fact that zips encrypted using Winzip are especially easy to break, so I selected that. After about four minutes of thinking, the process ground to a halt. The program had successfully opened the file, but being the shareware version, it only extracted the first file, rather than all the files in the zip.

But wait -- here's an opportunity to try another approach. A rather less pretty solution comes in the form of a set of command line utilities for breaking open zip files. These are less convenient, since they rely on a known-plaintext approach: you have to hand them some bytes you already know are in the archive. But, now that I've got the first file out of the zip, I know a lot of plaintext, and so I can feed this in to the program and get out the files that way. In fact, you only need a few bytes of plaintext -- a dozen or so is enough to get started, though more plaintext makes the attack much faster -- so if you can make a reasonable guess at the header of the files you want (e.g. the JPEG header) then you'll have a good chance of applying this. Anyway, after some confusion over the command line parameters, it was churning away, and successfully extracted the rest of the files. Total time to break open the file, including time to locate, download and install the utilities: under 30 minutes.
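To make the "a few bytes of plaintext" point concrete, here is an added example (written for this page, not the shareware or command line tools used above, and not a full key recovery) that implements the traditional PKZIP stream cipher as specified in PKWARE's APPNOTE.TXT. It shows three things the paragraph relies on: the cipher's key schedule is driven by plaintext, so XORing a guessed file header against the ciphertext hands an attacker genuine keystream bytes without knowing the password; the 12-byte encryption header in front of each file carries a one-byte password check that makes dictionary attacks cheap; and a baseline JFIF JPEG gives you 12 guessable bytes for free. The password, word list and "image" bytes are constructed for the demo.

```python
import os
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320).  The same table computes the
# ZIP entry CRC and drives two of the three 32-bit keys inside the cipher.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class PkzipCipher:
    """Traditional PKZIP ("ZipCrypto") stream cipher, per PKWARE's APPNOTE.TXT."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, p):
        # The state advances on the PLAINTEXT byte: anyone who knows the
        # plaintext at some point can follow (and attack) the key schedule.
        self.k0 = _crc_step(self.k0, p)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def keystream_byte(self):
        t = (self.k2 & 0xFFFF) | 2  # only the low 16 bits of k2 are used
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self.keystream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self.keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, plaintext, header_random=None):
    """Encrypt one entry: 11 random bytes + CRC high byte, then the file data.
    Returns (ciphertext, crc32) as stored in the entry's local header."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    rnd = header_random if header_random is not None else os.urandom(11)
    return PkzipCipher(password).encrypt(rnd + bytes([crc >> 24]) + plaintext), crc


def try_password(password, ciphertext, crc):
    """Plaintext if `password` is right, else None.  The 12th header byte
    rejects about 255 of 256 wrong guesses before the body is touched."""
    c = PkzipCipher(password)
    if c.decrypt(ciphertext[:12])[11] != crc >> 24:
        return None
    plain = c.decrypt(ciphertext[12:])
    return plain if (zlib.crc32(plain) & 0xFFFFFFFF) == crc else None


def dictionary_attack(ciphertext, crc, candidates):
    for pw in candidates:
        if try_password(pw, ciphertext, crc) is not None:
            return pw
    return None


def keystream_from_known_plaintext(ciphertext, known, offset=0):
    """XOR guessed file bytes at `offset` with the ciphertext (skipping the
    12-byte header) to recover keystream bytes, the input a pkcrack-style
    known-plaintext tool works from."""
    start = 12 + offset
    return bytes(c ^ p for c, p in zip(ciphertext[start:start + len(known)], known))


# Constructed sample: the 12-byte preamble shared by baseline JFIF files
# (SOI, APP0, length 16, "JFIF\0", major version 1), then made-up "image" bytes.
JFIF_PREFIX = bytes.fromhex("FFD8FFE000104A4649460001")
SAMPLE_JPEG = JFIF_PREFIX + bytes(range(0x40, 0x80)) * 4


def demo(password=b"toohot", wordlist=(b"password", b"secret", b"toohot")):
    ct, crc = encrypt_entry(password, SAMPLE_JPEG)
    # Attacker side: keystream for file positions 0..11 from the public
    # ciphertext plus a format guess, no password involved.
    recovered = keystream_from_known_plaintext(ct, JFIF_PREFIX)
    # Oracle side (knows the password): what the cipher really emitted there.
    oracle = PkzipCipher(password)
    oracle.decrypt(ct[:12])
    true_ks = bytearray()
    for p in JFIF_PREFIX:
        true_ks.append(oracle.keystream_byte())
        oracle._update(p)
    return {
        "roundtrip": try_password(password, ct, crc) == SAMPLE_JPEG,
        "wrong_pw_rejected": try_password(b"wrong", ct, crc) is None,
        "keystream_matches": recovered == bytes(true_ks),
        "dictionary_hit": dictionary_attack(ct, crc, wordlist),
    }
```

Run `demo()` and every flag comes back true: the keystream the attacker derives from a JFIF guess is exactly what the cipher generated, and the check byte plus stored CRC let a word list be tried against the archive alone, which is why publishing the ciphertext was the real mistake. Turning recovered keystream into the three internal keys (and from there the rest of the archive) is the Biham-Kocher step that pkcrack performs; it is not reproduced here.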

For fans of comp.risks [it's a newsgroup, which young people might understand better if I explain that it's a bit like a web forum], what are the risks here? Well, the basic mistake was to put up the ciphertext. Even if the crypto system were strong (and this one isn't), you don't want to make Eve's job so easy that she can just surf the web to eavesdrop. Since the original blogger didn't want anyone apart from the intended people to see the pictures, but invited Bob to "email for the password", wouldn't it have been more secure to invite Bob to "email for the files", thus ensuring that Eve never had a chance to try breaking the system? Silly Alice.

The next question is what to do with the pictures now that I have them? Well, I'm not particularly interested any more. If I were more malign then I could probably find some campus newspapers to send them to, but I'm sure they'll find their way there of their own accord, without any need for further intervention from me. I'll just file them for future reference. Of course, if you want a copy of the jpegs, then just email me...
