October 29th, 2008
07:02 pm
Okay, I'll bite.
http://img147.imageshack.us/img147/9924/donotpostbf3.jpg: A sign reading

DO NOT POST PICTURES OF THIS SIGN ON THE INTERNET
986F 64B9 3005 E03E FC42 A41E BD57 3179


Google doesn't seem to turn up anything relevant, but here's a Reddit thread speculating on its meaning (and whether it's Photoshopped; weak consensus there is yes).

Among the more interesting tidbits pointed out there:
  • The hexadecimal code is 128 bits, which (among other things) is the right size for an MD5 hash.
  • The user who posted the link to Reddit, "agent_langley" (Langley, VA being the home of the CIA), has posted only that single link so far (and two possibly unrelated comments to other threads).
  • Converting it to eight Unicode characters gets three Han unified ideographs (originally "Japanese glyphs"; see comments -B) followed by several other random characters from non-Asian languages.
  • Converting to ASCII gets basically gibberish.
  • It's not the AACS HD-DVD decryption key, which began with 09F9.

I wouldn't be surprised if it's some viral campaign that hasn't quite hit the denouement stage yet, but it's still an interesting brainteaser.

Edited to add: Well, that was quick. Apparently solved (less than an hour later!) in comments.
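The size, Unicode, ASCII and AACS checks listed above, plus a local recomputation of the preimage reported in the comments, as an added Python example (not part of the original post; the helper names are mine, and the AACS comparison uses only the 09F9 prefix the post mentions):

```python
import hashlib

# The hex string from the sign, exactly as quoted in the post.
SIGN_HEX = "986F 64B9 3005 E03E FC42 A41E BD57 3179"


def sign_bytes(hex_text: str = SIGN_HEX) -> bytes:
    """Drop the grouping spaces and return the raw bytes (16 of them here)."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def bit_length(data: bytes) -> int:
    return len(data) * 8


def looks_like_md5(data: bytes) -> bool:
    """MD5 digests are exactly 128 bits; this is only a size check, not proof of origin."""
    return len(data) == hashlib.md5().digest_size


def as_utf16be(data: bytes) -> str:
    """Read the 16 bytes as eight big-endian UTF-16 code units (the 'eight Unicode characters')."""
    return data.decode("utf-16-be", errors="surrogatepass")


def as_printable_ascii(data: bytes) -> str:
    """Bytes outside printable ASCII become '.', as a hex-dump viewer would show them."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def has_aacs_key_prefix(data: bytes) -> bool:
    """The widely published AACS processing key began with bytes 09 F9; compare that prefix only."""
    return data[:2] == bytes.fromhex("09F9")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def matches_candidate(data: bytes, candidate: str) -> bool:
    """Check a proposed preimage (such as the URL reported in the comments) by hashing it locally."""
    return hashlib.md5(candidate.encode("utf-8")).digest() == data


if __name__ == "__main__":
    raw = sign_bytes()
    print(bit_length(raw), "bits; MD5-sized:", looks_like_md5(raw))
    print("UTF-16BE:", as_utf16be(raw))
    print("ASCII:   ", as_printable_ascii(raw))
    print("AACS 09F9 prefix:", has_aacs_key_prefix(raw))
    print("md5(pbwiki jobs URL) matches:", matches_candidate(raw, "http://pbwiki.com/content/jobs"))
```

Recomputing a candidate preimage yourself, rather than pasting a hash into a lookup service, also avoids leaking the hash to a third party.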

Current Location: ~spiral
Current Mood: curious
Current Music: "Knight of Fire," Xenogears OST

Comments
 
From:baxil
Date:October 30th, 2008 03:00 am (UTC)

Wow, that was quick.

I am informed via IM that it's an md5-encoded advertisement; I'll let the author decide whether to take credit or remain anonymous:

7:42
Hey Bax, I think I have a possible lead for your mysterious MD5 hash
I ran it through a hash decrypter, and this is what popped out:
986f64b93005e03efc42a41ebd573179 = http://pbwiki.com/content/jobs
I'm not sure if it's a coincidence (Nothing is!), but a job offer from an MD5 hash, for a computing firm...

pbwiki is in fact in San Mateo, so the sign location isn't far. And that's too great a coincidence to ignore.

Edited at 2008-10-30 03:00 am (UTC)
From:roaminrob
Date:October 30th, 2008 03:06 am (UTC)

Re: Wow, that was quick.

Er, uh, hm. How in the seven hells did someone manage to "decrypt" the hash to that?

They'd have to be using a hellaciously large lookup table.
From:link_man
Date:October 30th, 2008 03:38 am (UTC)

Re: Wow, that was quick.

Obviously I have a supercomputer in my basement! ;)

Just kidding.

Actually I didn't "decrypt" the hash, that was some bad terminology on my part. The URL string is exactly 32 characters long, so you're going to have, well, a LOT of permutations. All I did was really just as simple as trying the MD5 on a fairly well known internet hash table, http://www.md5oogle.com/

This is also posted on my lj:

http://link-man.livejournal.com/
From:(Anonymous)
Date:October 30th, 2008 03:41 am (UTC)

Re: Wow, that was quick.

Ahhh, that makes a lot more sense. I didn't know about md5oogle.com, thanks!
From:roaminrob
Date:October 30th, 2008 04:02 am (UTC)

Re: Wow, that was quick.

Ahhh, that makes a lot more sense. I didn't know about md5oogle.com, thanks!

(That was me. Razzin' frazzin' LJ logins.)

Do you mind if I post a link to your journal on the appropriate Reddit thread? Based on the number of comments there, I'm thinking that solving this thing might increase our GDP a half a point.
From:link_man
Date:October 30th, 2008 04:52 pm (UTC)

Re: Wow, that was quick.

Nah, go for it. By all means cross-link, etc. =P
From:tangaroa
Date:October 30th, 2008 03:10 am (UTC)

Re: Wow, that was quick.

I wasn't aware that md5 hashes could be decrypted that easily. Isn't the point of hashing something so that it can't be?

With respect to applications, it seems md5()ing passwords for a login database isn't sufficient protection anymore. Can anyone suggest a better practice?
From:roaminrob
Date:October 30th, 2008 03:53 am (UTC)

Re: Wow, that was quick.

Well, you can't, that's the thing.

Any (proper) hash is a one-way cipher, so the best you can do is have a huge table of strings and their hashes, and then look for your hash in that table. If you get a match, then you have a string which will hash to whatever value you're looking for -- it's not necessarily the password being used.

md5 does have some weaknesses. There are two that I know of: one is a computational shortcut which I don't remember anything about. The other is that it's too fast. With increasingly available computing power, the amount of time it takes to calculate any given hash value is becoming important. Some security systems have taken to iterating over hash values dozens or hundreds of times before handing it out as a key; others rely on entirely different ciphers which take longer to compute.

Now, as far as application security goes, I'm going to assume here that you're talking about web-based applications. Here, the rules are different: if at all possible, if you actually care about login security, use SSL. Seriously. It's not even hard or all that expensive to get a certificate anymore. Do it. It's the only way to actually create a marginally secure website login system.

If you encrypt the user's password on the client side, then you're protecting the user from having their password in the clear over the wire, but you'll probably need to store the user's password in the clear on the server. That's bad, because if someone happens to break the server, then they get everyone's password. The only other way is to send the user's password in the clear to the server, and then hash it and compare that against a properly salted table on the server. Now you've protected against a server break-in, but the user is at risk in environments like wifi networks.
From:tangaroa
Date:October 30th, 2008 05:35 am (UTC)
I meant encryption on the server side as a last-ditch protection for users against break-ins. Since people tend to use the same passwords on more than one system, someone reading an unencrypted passwords field could compromise their accounts on other systems. You know this, I'm just expositing for the audience. If md5sums are becoming breakable, we ought to start using something else. "We" being those few of us that are paranoid about this stuff. I've run into more systems that don't encrypt the password than those that do.

Encryption on the client side for the wifi situation is an interesting idea that I haven't heard of before. As you mention though, something unencrypted has to be stored on the server so that it can be encrypted for comparison with the encrypted data that the client is sending. You'd just be trading one security problem for another.

As for SSL, at everywhere I've worked it has been impossible to implement SSL for one reason or another. It's always some combination of having no budget for a cert (ask about our $0 IT budget!), third-party software refuses to work with self-signed certs, first-party software refuses to work with self-signed certs, or I don't have admin rights and the admin drags his heels to the point of nothing ever happening no matter how much I harangue him about it.
From:roaminrob
Date:October 30th, 2008 06:31 am (UTC)
| If md5sums are becoming breakable, we ought to start using something else.

bcrypt, which uses the Blowfish cypher, seems to be a pretty good choice. OpenBSD uses that for its system password file hashes, and their developers tend to be pretty security-conscious. :-) Bruce Schneier is now recommending Twofish instead, but it's been slow to get adopted.

| Encryption on the client side for the wifi situation is an interesting idea that I haven't heard of before.

I should note (also for the audience!) that this method doesn't protect the user's password in any reasonable way on the system they're logging in to. All it does is protect their password from floating through the air, and being used to access accounts that they have in other systems, because, like you say, people tend to re-use passwords.

| As for SSL, at everywhere I've worked it has been impossible to implement SSL for one reason or another.

Yeah, I sympathize. I can get all preachy about using SSL, but, uhm, *ahem*, I've never actually used it.

The good news is that some registrars are making it silly cheap to do now. Register.com is advertising SSL certificates for 13 bucks a year, and even guaranteeing 99% browser compatibility. I think for that price though they want you to be hosted with them. I hate GoDaddy, but they're offering $15 SSL.
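The table-lookup attack and the salt-plus-iteration defense discussed in this thread (the lookup-table comment above and the bcrypt recommendation here), as an added Python example rather than anything the commenters posted. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt recommended above, since bcrypt is not in the stdlib, and the wordlist is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist standing in for the huge hash tables the comments describe.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon"]
ITERATIONS = 100_000  # work factor: the "hash it hundreds of times" idea, scaled up to current hardware


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_md5_table(words) -> dict:
    """Precompute hash -> word once; an online MD5 lookup service is this dict at internet scale."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(md5_hexdigest: str, table: dict):
    """Reverse an unsalted MD5 by lookup. Any hit is *a* preimage, not necessarily the original."""
    return table.get(md5_hexdigest.lower())


def make_password_record(password: str) -> tuple:
    """Store (salt, digest): a random per-user salt plus iterated PBKDF2-HMAC-SHA256.
    PBKDF2 is the stdlib stand-in here for bcrypt, which the comment above recommends."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def in_precomputed_table(digest: bytes, table: dict) -> bool:
    """A table built from unsalted single-round hashes has no entry for a salted, iterated digest;
    an attacker has to redo ITERATIONS of work per guess, per user, instead of one lookup."""
    return digest.hex() in table


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("unsalted md5 reversed to:", lookup_unsalted(md5_hex("hunter2"), table))
    salt, digest = make_password_record("hunter2")
    print("salted record found in table:", in_precomputed_table(digest, table))
    print("verify right / wrong:", verify_password("hunter2", salt, digest),
          verify_password("Hunter2", salt, digest))
```

Two users with the same password get different records because the salt is random, so a hit on one user's record tells the attacker nothing about the other's.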
From:shatterstripes
Date:October 31st, 2008 11:32 pm (UTC)

Re: Wow, that was quick.

A few days ago I saw a link on Reddit to a similar stunt from the same company: 'To apply to this position, send your resume to the e-mail address just sent to your Firebug console.' This is a pretty clever way of trying to make sure your applicants have some of the basic skills for your job, I think.

(The email address also shows up in Safari's console. I sent 'em email telling them that, with no resume, because I am a snarky thing.)

I would not be surprised if both stories were posted to Reddit by people who work at pbwiki.com: while it's broadening its audience and slowly turning into Digg, Reddit is still mostly a site that hacker-types hang out at. So you're throwing it at a group of people who generally are more likely to be Worthy Hires, and then further filtering it by the puzzle...
From:drake [begriffli.ch]
Date:October 30th, 2008 05:10 am (UTC)

Ennnnh. Sorry for the probable light rant, but this irks me. Here, take a gander—though many Unihan properties have been elided and the output rearranged for clarity.

U+986F CJK UNIFIED IDEOGRAPH-986F = 顯
UTF-8: e9 a1 af  UTF-16BE: 986f  Decimal: 39023
Uppercase: U+986F
Category: Lo (Letter, Other)
Bidi: L (Left-to-Right)
kDefinition: manifest, display; evident, clear
kMandarin: XIAN3
kCantonese: hin2
kHanyuPinlu: xian3(503)
kJapaneseKun: AKIRAKA
kKorean: HYEN
U+64B9 CJK UNIFIED IDEOGRAPH-64B9 = 撹
UTF-8: e6 92 b9  UTF-16BE: 64b9  Decimal: 25785
Uppercase: U+64B9
Category: Lo (Letter, Other)
Bidi: L (Left-to-Right)
kDefinition: disturb, agitate, stir up
kMandarin: JIAO3
kCantonese: gaau2
kJapaneseKun: MIDASU
kKorean: KYO
kJapaneseOn: KAKU KOU
U+3005 IDEOGRAPHIC ITERATION MARK = 々
UTF-8: e3 80 85  UTF-16BE: 3005  Decimal: 12293
Category: Lm (Letter, Modifier)
Bidi: L (Left-to-Right)

Han unified ideographs automatically kanji are not. The third one may in fact be primarily used in Japanese (I've never heard of an iteration mark being used in Korean, for instance) but I find it unlikely that the first two have such a bias. Picking that usage as primary seems kind of arbitrary.

Not that anyone has to care. :-)

From:baxil
Date:October 30th, 2008 06:18 am (UTC)
Thanks for the clarification - I labeled them as Japanese based on the identification thereof in the Reddit thread, which is about three steps less reliable than sourcing it from Wikipedia. (Though, in my defense, I specifically avoided calling them kanji.)

I'll notate my post accordingly.
From:circuit_four
Date:October 30th, 2008 08:48 am (UTC)
I'm surprised nobody's commented on the wisdom (or foolishness?) of an ad campaign that starts with "DON'T DO THIS, AND DON'T DISSEMINATE IT." If nothing else, these guys have an amazingly good grasp on geek psychology. :)
From:frameacloud
Date:October 30th, 2008 03:55 pm (UTC)
Yeah, it's like the sign in the Unseen University that says "Under no circumstances should you open this door," so of course the wizards have on several occasions, only to board it up again and replace the sign. It's just brilliant.

I confess that my initial interpretation was that the "do not post photos of this sign on the Internet" referred to the sign that is displayed directly above the "do not post photos of this sign on the Internet" sign. As in "don't show people that sign, the one over there."
From:(Anonymous)
Date:October 31st, 2008 05:40 pm (UTC)

Psychology in general...

Put up a WET PAINT sign and watch people touch the walls!