Schneier on Security

Shame on you, Bruce Schneier, building in a backdoor into your code.

Pity. And I always thought Bruce wrote reliable code without backdoors!

I guess I'll have to start using Twofish instead.... ;->

The designer built a backdoor into the code? Sounds like defamation to me!

Bruce,

Don't suppose you could share how you feel about this?

Very few of us will ever have the same experience, so it might be interesting to know. Are you angry as hell? Proud to have your algorithm depicted in such a popular show? Sad? Or couldn't care less? Otherwise?

OK. Now we're gonna have to set up a perimeter around the blog, shoot Allen at Division in the thigh, and drink.

By comparison, the tech talk on the show Big Bang Theory is generally accurate. So it is possible for a fictional show to have correct references to technical information. Probably they just don't care. I don't watch 24 partly because the tech talk is absurd, so it ruins the story.

I have to wonder, in picking the specific algorithm to name (where any would suffice), did getting 24 mentioned (again) on a prominent security blog figure in their decision?

@Mark Lenahan
They get mentioned almost daily on Dave Barry's blog, and they haven't mentioned oosiks, the WeinerMobile, or other silliness yet.

The tech talk on 24 has been especially painful this season. I about fell out of my chair when they started talking about Blowfish. Absurdity!!

Anyways, the Ryan Burnett character was not involved in this dialog. It was FBI Agent Larry Moss.

This is clearly why Rijndael won the AES competition.

Bruce: next time, you should insist on a cameo appearance.

Dave Barry on 24
http://blogs.herald.com/dave_barrys_blog/24/

I'm curious as to what Bruce thinks as well.

In the meantime, doesn't it seem curious that the writer knew enough to write "Blowfish", but not enough to get the rest of the details? Doesn't it seem very curious that after that, the rest of the sentences (148, backdoor) are just plain old gibberish?

This is part of 24's charm - if you can call it that - the intentional misspeaks that cause "people in the know" to throw up their arms - or laugh out loud, as the case may be. It might require Myers-Briggs to determine which type you are, but there are instances of this sort of deliberate half truth in every minute of every show.

Personally, if I were Bruce, I'd consider this to be a great honor - sort of like a politician being the subject of a good cartoon - you gotta laugh!

If I have learned anything by watchign the new Knight Rider it is that ALL good programmers build backdoors into their programs.

"16 or 32 bit wavelength"

Oh dear, the stupidity of that line is almost painful.

24 is possibly the worst show on television for technical accuracy. They clearly just don't care. I'm actually quite surprised they didn't just make up an encryption algorithm name. I mean, "wavelength" measured in bits?

Rowan,

"Don't suppose you could share how you feel about this?...Are you angry as hell? Proud to have your algorithm depicted in such a popular show? Sad? Or couldn't care less? Otherwise?"

I've only watched 24 once by accident while stuck on a poorly chosen elliptical at the club. Jack was busy torturing some politican with a Taser, and threatening permanent neurological damage or sumsuch. I imagine its mfg feels much the same way Bruce does.

At least they used the name of an actual cipher. That's a step up for 24. I would take a paycheck of $0 just to correct their technobabble inaccuracies.

Will there ever be a porn equivalent of 24?

I don't believe you built a backdoor into your code!
How could you!?

Oh wait, sorry... the show is on FOX!
Given what passes for News and Opinion, how much credence can be given to fiction?

I'd still sue them for defamation. Backdoor indeed!

Could have been worse. They could have had an intern break the code with a People magazine and a calculator....Level 6 is SERIOUS!

Decrypted file contents:

YOUVEBEENPWNEDBYSCHNEIERMUAHAHAHA

Hey Designer Bruce, would you mind posting your patch to add the secret override codes?

Looking for them on The Google only found me the bug noted on http://www.schneier.com/blowfish.html.

Faux Noise: redfish, good; commiepinkobluefish, bad. ;-7

Fact: Bruce Schneier doesn't write backdoors into his algorithms. He IS the backdoor to his algorithms.

A few seconds to type in the backdoor code seems reasonable. I mean, how long does it take to type "Joshua?"

MarkJ: I'm assuming it's just coincidence that your comment came after mine. ;)

"Blowfish" is a cool-sounding name that the audience can actually Google. I wonder if that played a role in the writer's selection. To an inexpert audience, it doubtless will lend an air of authenticity. "Hey, I Googled that Blowfish thing and it turns out to be real!"

Just what we need. More people thinking that 24 is realistic.

Actually, there is no backdoor. O'Brien just built a GUI interface in Visual Basic and saw that he could track an IP address, because it was realtime.

Its not a good way of publicising Blowfish though. There will be lots of people out there who are now convinced that the system has a back door engineered by no less than Mr Schneier himself. I'm wondering if it could be regarded as an act of defamation.

I'm sure that Ford would have something to say if the show had a section in which they explained that their cars had a dangerous fault and the manufacturer had engineered a back door into the engine management which caused them to fail early.

I've heard 'clarifications'after broadcasts in the past and am wondering if this is another case where one should be transmitted.

After all Mr Schneier makes exceedingly good cryptosystems...

24's plots are too obvious. At every possible place in the story where anyone of consequence is able to make a decision, they always choose the wrong one. It's the only way they can stretch a 2 hour narrative into 24.

I've never bothered to watch 24, but what I've read suggests we're talking about a show that's tried numerous times to sell viewers the notion that torture is an effective way to solve a terrorist plots in under 24 hours. If so, Blowfish having a back door is just par for the course.

I still need to know: 16 or 32 bit wavelength and are you *sure* the data points are native?

Oh God, oh God.

If you don't tell me within the next commercial break, the hostages die!

I don't trust any algorithm that doesn't use at least 48 bit wavelength.

I'd be fuming mad if my algo was defamed like that.

There are shows like MacGuyver that teach us that a little ingenuity and clever thinking can go a long way.

There are movies like Oceans 11 that remind us that even the most drastic security measures are subject to being severely violated.

Then there's crap like this that completely and totally misrepresent security. Evan, you hit it spot on!

Haha, this is really funny. If I were Bruce, I would simply laugh.

Bruce: You should demand to go on The Daily Show with Jon Stewart to defend yourself. That's all the rage these days, and the interview will be a lot of fun.

In the closed captions for this episode, it actually reads "16 or 32 bit word length" instead of wavelength.

Cracked up. They're unstoppable.

@Dave Vincente
I thought "wavelength" didn't sound right. I'm pretty sure I remember it being "word length"

Isn´t 69 the porn equivalent?

Personally, I would have written a GUI in Visual Basic so I could have tracked Renee's IP address :-)

So you included a backdoor on that algorithm, Nasty Bruce!!

Time to share those override codes with us! :-)

(that wavelength stuff is hilarious, by the way)

“No good fish goes anywhere without a porpoise”
Lewis Carroll

Add that to the list of brilliant things Hollywood teaches us:
1. A cop can only solve a case after he is suspended.
2. If someone is 22 and pretty, they can bring down the federal government from any computer connected to the Internet.
3. A cable repairman can disrupt an entire fleet of far techologically advanced UFOs with a laptop.
4. Strange noises at night must always be investigated in one's most revealing underwear (especially when a serial killer is on the loose).
5. And a super genius working for the government can break complex equipment in 30 seconds by typing alone.

:)

"Don't suppose you could share how you feel about this? Very few of us will ever have the same experience, so it might be interesting to know. Are you angry as hell? Proud to have your algorithm depicted in such a popular show? Sad? Or couldn't care less? Otherwise?"

I've never seen the show, and don't really care to. As to how it feels: it feels surreal. I'm not proud to be mentioned, angry they claimed I put a back door in, annoyed they get the details wrong. If anything, I am amused by the whole situation. It's, well, it's surreal.

"'Blowfish' is a cool-sounding name that the audience can actually Google. I wonder if that played a role in the writer's selection."

That's my guess, too. It's a cool-sounding name. Let's face it, Rijndael or AES just doesn't sound as codewordy.

"Shame on you, Bruce Schneier, building in a backdoor into your code."

Anything to help ratings....

I bet you've got a fan who writes for the show, and or your name seems to be synonymous with crypto, so why not use a cool sounding "codewordy" name as blowfish.
If you did do what they claim, I bet the backdoor "code" would be:
ChuckN0rris&24_r_4_suckers~!
or perhaps
backdorz-r-kewl(FU-NSA)
-rich

I have never watched "24" but I might be willing to watch the English version "3."

They did say it was very serious encryption.

Thanks for the transcript corrections. (Though I did like the sheer absurdity of "wavelength.")

Back when I watched TV, I saw an episode of Prison Break in which someone had their hand severed completely, through the bone, above the wrist. A few hours work, with no anesthesia, by a veteranarian, and he was ready to use it to drive away.

That was my "Why am I watching this garbage?" moment. I'm now one of those "I only watch it for PBS documentaries" nerds.

Best piece of advice I've ever heard from Bruce, and there has been a lot is "don't watch TV"

@Rich Wilson:

This sort of TV (in fact most of TV) falls into the same category as the old line about news:

Have you ever watched the news about a subject you had personal knowledge on, and found yourself grinding your teeth at the blatant and obvious inaccuracies? ... Well, what makes you think any of the rest of the news is any more accurate, just because you don't know enough details to nitpick?

Honestly, given things like exploding cars and loud booming gunshots that are utterly unrealistic (but for which most people now believe the Hollywood version over the real version), most TV producers obviously haven't cared about even basic levels of accuracy for a long time...

I wonder if this might count as the third remote hole in the default install of OpenBSD.

Other TV funny, safecracking or window cutting with a laser and NO eye/body protection, especially when the beam reflects back.

The thing about backdoor passwords, once they are out, everyone knows them. Bruce, what were you thinking! :-)

Personally, I prefer keeping my secret stuff in plain sight. No one thinks of looking for it there... Besides, if it is REALLY well hidden, then I can't find it either! "Dear, did you see what I did with my super decoder ring?"

@Bryan Feir: Loud booming gunshots aren't nearly as bad as silencers that make the gun sound like someone playing Tiddlywinks.

If they really ment "key length" not "word length" I could see there being a backdoor... mainly that an overclocked TI-82 could brute force it!

Sue.

I think this is pretty awesome...

When we're talking about a show where the first episode of season 2 ended with Jack Bauer:

a) Murdering a federal witness,
b) Then saying "I think I'm going to need a hacksaw"

in order to remove said head to put it in a gym bag to give him "credibility" to infiltrate a group of domestic terrorists...

I don't think that you have to worry about people taking its realism too seriously.

http://theonlycritic.wordpress.com/category/...

I think this well deserves an full-fledged article debunking common ridiculousness about IT in spy programs.

It should probably include things like:

- Differential cryptanalysis means that if you have a bunch of messages, and do a WHOLE BUNCH of comparisons, you may get somewhere in cracking a cipher. (Where "WHOLE BUNCH" may on the order of thousands-to-hundreds-of-thousands...) That's not the same as "Guessing the key in your head."

- What do firewalls protect against, versus NOT protecting against. Probably to be conspicuously compared with the 24 conceit of "Oh, I need to open up a socket to that server to do my work!" Explaining what a socket *actually* is might be pretty useful!

- Explaining that the conceit of "we deleted everything from the database!!!" doesn't work because when the database is important, the transaction logs get copied to write-only locations and can be pretty easily made sufficiently "untied" from the online system that they are fairly invulnerable.

"a) Murdering a federal witness,
b) Then saying "I think I'm going to need a hacksaw"
in order to remove said head ..."

Yeah, that was so obviously fake. All you really need is a Swiss Army knife with the mini-saw blade.

"Yeah, that was so obviously fake. All you really need is a Swiss Army knife with the mini-saw blade."

I can do it just by thinking. About Feistel networks.

Nope, still don't feel like watching the show.

I wonder who they get to do their technobabble? I noticed that some assembler they put up was in some ways kind of accurate, but then again kind of not.

http://www.technovelty.org/humor/24.html

Bruce. With. All. Due. Respect.

You absolutely have to sue them.

Because, that is defamation. Even if the people did not know what are they talking about, that is still defamation.

And that should also teach them that doing some fact-checking of their scripts is a nice thing.

P.S.:

GUYS, DO WE HAVE LAWYERS HERE?!

One fish, two fish, red fish, blow fish

You expect any kind of technical accuracy out of an American TV show? Bwahahaha

The sad thing is, it could have been so much more realistic ... "ah, this'll be quick, they're using some proprietary encryption - give it 30 seconds, I'll have it - there."

The whole premise this season seems absurd. Building a piece of hardware to break through a firewall - in order to transmit on an analogue radio frequency? Talking airliners into crashing into each other? Again, SO easy to fix: a classified new anti-hijacking system gone wrong, intended to allow the FAA to seize control using a private key which has now fallen into the wrong hands, say. Maybe not perfect, but orders of magnitude more believable than this season so far!

Backdoor, indeed! Bruce, if I were you, I'd sue them for defamation...

Ridiculousness like this is one of the main reasons I stopped watching 24. If they went with complete technobabble, or they actually got things right, then I could stand it. Using real technical words and concepts, but getting them all wrong annoys me way too much though.

Oh, and a level 6 analyst. That sounds serious.

@FP: Bruce, next time, you should insist on a cameo appearance.

With the right to choose your costume. I'm thinking facial scars and a robotic hand, but maybe you're more of a top-hat-and-opera-cape kind of guy...

I don't get it, I thought Blowfish was just a substitution cipher? So they would need Enigma right?

The irony, it's too bright.

I have to agree with previous poster; it would have been so easy to make it more believable - Make it a simpler algo, add access to a top-secret government data-center and Tadaa! You have actual tech accuracy and a plot..

I nominate Bruce for the doghouse! LOL.

That transcript is almost as ridiculous as the dialogue between two "senior" IT consultants I met recently. It's all about delivery, if you say it confidently enough people will believe anything. If I wasn't cursed with scruples I could do anything.

i dont worry bout the makers of 24 believing their own drek. they said they dont. our fellw amuricans do. that scares me. and a better reason to sue. hey bruce you might end up owning the sho. teach em a good security lesson...never try to eat any thin bigger than your own head.

Someone asked the producers to stop being graphic in their depiction of torture 'cause yahoo's on both sides were trying what they saw on 24 on their own prisoners.

They said "Duuuuuude, it's just a tv show and if we stop with the violence no one will watch."

@ Beta,

"With the right to choose your costume... ...but maybe you're more of a top-hat-and-opera-cape kind of guy..."

Somehow I don't think Bruce has the face to be he Phantom of the Opera.

Mind you others have sugested he could be a Chuck Norris stand in so I guess anything is possible.

Maybe we should call him Bruce "Polymorphic Polymath" Schneier or 2'Pol for short.

Not to be confused with T'Pol where it's not just the ears he hasn't got...

Just kidding 8)

It's defamatory alright.

But unless Bruce can show damages, he doesn't have a case.

So, at the very, very best, Bruce might be able to get something like, "Have your lawyer call my lawyer, and they can do lunch!"

More likely, he'll only get someone to patiently explain that it's *fiction* before they hang up the phone. That is, if he can get through to anyone at all.

Myself, I'd still sue. Just to fuck with those bastards.

@ Aguirre,

'“No good fish goes anywhere without a porpoise”
Lewis Carroll'

Ah Charles Lutwidge Dodgson (AKA Lewis Carroll) one of the finest minds of his time. Logician, author, photographa and part time cryptographa. His books much liked by Queen Victoria to the amusment of the courtiers but then that is another story...

Considering the verbiage for interrogation techniques used on the prisoners of Guantanamo had more references to "24" than they did the constitution, I'd be pretty upset if a sho with that kind of power defamed my intellectual property.

Of COURSE Bruce put in a "back door"... sadly, no one has yet caught on to the fact that using it will convert any provided ciphertext into a plain-text containing obscene references to policians.

And, of course, the last phrase:

"Security... you keep using that word... I'm not sure you understand what it actually means".

@ Anonymous at 9:27 PM

"But unless Bruce can show damages, he doesn't have a case."

Well that depends on what part of the world he decides to sue.

Fox pushes 24 to many many parts of the world.

As Counterpane was bought by BT (UK PLC) and he has a job with them he has the option of the English court system.

Which in recent times under "Lord Justice Eady" and law firms "Olswang" and "carter-ruck" have been very advantageous to those with an axe to grind.

Carter-Ruck have in the past taken on many "no win no fee" cases and along with Lord Justice Eady have made numerous aperances in the UK magazine "Private Eye".

I'd start looking into legal options. Yes, it's a work of fiction, but considering that they used the name of YOUR algorithm to defile rather than just making something up (Starfish, maybe?) - well, I think you'd have a case.

It would be like saying, as someone pointed out above: "As an expert knows, all Ford cars blow up when you hit the exhaust pipe with a heavy object."

> This is clearly why Rijndael won the AES competition.

Best one-liner I've heard today.

Sue? Are you guys serious. Lighten up. It's not like it was a lengthy diatribe on the vulnerabilities of Blowfish on a respected tv show. It was a 30 second conversation on a (FICTIONAL) low rated Fox TV show.

Avi Rubin has weighed in: "Trusting Bruce Schneier is risky business - just ask Jack Bauer"

http://avi-rubin.blogspot.com/2009/03/...

Arguments of fiction aside, I'd interpret what was said differently. I interpret as: the specific *implementation* that was used in this case contains an override.

Blowfish is a published standard, but anyone is free to write the code that implements that standard. That includes implementing it wrongly, either unintentionally (bugs) or intentionally (backdoors). Although, technically, it might not really be Blowfish anymore; but the output might well be decryptable by the standard Blowfish decryption routine if the backdoor was implemented cleverly.

"The designer of this algorithm built a backdoor into his code."

The backdoor would have to be in the algorithm, not the code, to have been Bruce's work. They're not clear on which they really mean, but only because they're not trying to be.

Ah, yes, Lewis Carrol's works:

"The best book on programming for the layman is "Alice in Wonderland"; but that's because it's the best book on anything for the layman."
-- Alan Jay Perlis

I'm sure Bruce would agree that this includes the subject of cryptography, at least to some degree. Mathematics, language idiosyncrasies, logic, social engineering, it's all there.

From "Law and Order - SVU": (Kidporn suspect)

Forensics guy: "His hard drive was encrypted, so I removed it and did a forensics scan". (With what, a rubber hose?)

Same guy: "I looked in his Internet Cache ..." OK, there are still probably a lot of people who don't clear the cache on exit, and maybe some are kidporn traders, but really...

"This is clearly why Rijndael won the AES competition."

Because American actors can say "Blowfish", but haven't a clue how to pronounce "Rijndael".

This is the main reason why I can't watch 24: I can't suspend my disbelief enough to accept the technobabble. My ex used to watch the show, so I've seen most of the first season. My coping mechanism was to supply my own alternate MST3K-style dialog.

The problem is that in this sort of fiction, the only point in the writer putting in a reference to encryption is so they can show someone breaking it.

So you guys take on mind that movies and series don't have to be absolutely a match of technical knowledge?

I mean, when you watch ER or Dexter you are not expecting to see medical or forensic science at all.

Fiction is fiction and media wants something than could appear as truth for the average.

I'm quite sure no one will watch 24 if they spend the whole season in front of a screen looking at prime numbers with comments like "oh, this factor attack is quite powerful, it just took 2^28 cycles to got the top of the curve".

Bruce, as this is the second mention in 24 you really should ask for a cameo. It can go something like this...

Janis Gold: I isolated the data Renee uploaded to Bauer but I can't get past the filed header.

Larry Moss: What does that mean?

JG: She encrypted the name and address she used and I can't seem to crack it.

LM: Who can?

JG: She used her personal computer. This is very serious encryption. I mean, there are some high-level people who can do it.

LM: Like who?

JG: The guy who wrote it, Bruce Schneier.

LM: Get him on the phone....

(3 am phone-call to a very groggy Mr. Schneier)

LM: Mr. Schneier, a short time ago one of our agents was in touch with Jack Bauer. She sent a name and address that we assume is his next destination. Unfortunately, it's encrypted with Blowfish 148 and no one here knows how to crack that. Therefore, we need your help, please.

BS: Huh? You want me to crack what?

LM: A drive, encrypted with Blowfish, which I'm told you wrote.

BS: Um, yeah...I wrote it, and you are totally SOL...

LM: What? I know you high level programmers always put in back doors and stuff. You mean you wrote the program and you can't break it?

BS: That's right, I can't get you in. Crazy isn't it? Life's not always like it is on TV.

LM: (slamming down phone) @$!&* nerd!

At least they realize that they will need a software backdoor to access the information.

Since we're talking about backdoors, does anybody know how hard or easy it is to put a backdoor into an algorithm? Specifically, I'm wondering about algorithms that are available for public scrutiny, so the backdoors must be really hard to find.

Sue? Are you guys serious. Lighten up.

@Todd

Was U.S. Supreme Court Justice Antonin Scalia serious when he made his controversial remarks back in 2007?

The original report from the Globe and Mail is behind a paywall now, but here's part of a brief writeup in the WSJ Law Blog:

- - - - - - - - - - - - - - - - - - - - - - -

"Justice Scalia Hearts Jack Bauer" (20 Jun 2007)

...

During a panel discussion about terrorism, torture and the law, a Canadian judge remarked, "Thankfully, security agencies in all our countries do not subscribe to the mantra "What would Jack Bauer do?"

Justice Scalia responded with a defense of Agent Bauer, arguing that law enforcement officials deserve latitude in times of great crisis. "Jack Bauer saved Los Angeles . . . . He saved hundreds of thousands of lives," Judge Scalia reportedly said. "Are you going to convict Jack Bauer?"

...

http://blogs.wsj.com/law/2007/06/20/...

- - - - - - - - - - - - - - - - - - - - - - -

If our ruling class --people like Justice Scalia-- are forming policy based on "24", then the show's defamation of Bruce deserves to be taken a little bit seriously.

Suppose that's the first impression Justice Scalia forms about Blowfish? That it was designed with a backdoor?

Yeah, we've been hacking common crypto algorithms for years - and not just using obvious back-doors implemented by their creators.
We use QC, or Quantum-Crypto, when we come across something nasty. We have probablistic-trees pre-computed in the supercomputing cluster, all primed and ready to "get a feel" for the password, if it's a code we can't hack. Some of these terrorists use header-stripping so that we jest can't detect from the layout of the binary what kind of file it is, or how it's been encrypted. So, we throw it into the cluster, it disgests it, and tells us how likely it is at being a certain type of file, encrypted with a certain algorithm, of a certain key. The rest is simply matching up the keys from the pre-compute.

You crypto-kids no nuthin' what we do at CIA/NSA/FBI/DOE/DOA/ER - we're jest too good to lest you guys catch up.

Oh, and don't go believing everything you see on TV. Afterall, folks like those on TBBT just don't exist in The Real World [TM, Fox Entertainment].

Honestly, I think Star Trek was at least as realistic as most of the stuff on television these days. At least the Star Trek writers were sufficiently aware of the various impossibilities to include hand-wave explanations for them (e.g., "inertial dampers" to explain away some of the more impossible aspects of shipboard gravity, "Heisenburg compensators" to explain away the fact that transporter technology obviously violates the uncertainty principle). Bothering to do that proves that they *knew* what was impossible about their show, and were asking the viewer to suspend disbelief for the sake of the story. I don't think the writers on most television shows these days are up to that standard.

@Bernie: "does anybody know how hard or easy it is to put a backdoor into an algorithm?"

Have a look at this to get a feeling:
http://www.schneier.com/blog/archives/2008/06/...

The best part of 24 is indeed the way they talk about technology, missing a fact but not missing a beat. It seems perfectly reasonable to assume that if you do not notice it, you have a good time watching the show and if you do, you have a laugh and a jolly good time writing and ranting about said mistakes for days on end. Until the next show comes. Which we watch over and over, to be able to properly rant about it. Good fun, is it not?

I know wikipedia isn't the most reliable source, but this line from the entry on defamation seems applicable:
"English law allows actions for libel to be brought in the High Court for any published statements which are alleged to defame a named or identifiable individual or individuals in a manner which causes them loss in their trade or profession, or causes a reasonable person to think worse of him, her or them"

And stating that a renowned security resarcher and consultant deliberately built a backdoor into his algo. is surely going to lead people to think the worse of him.

Though whether '24' viewers can be considered 'reasonable' might be a sticky point.

So yeah, when it airs in England then I say you sue.

@Bruce

I'd probbably be offended if I were you, but there is a compliment buried in it. On screen, they never have a scripted super-genius break something that's easy to break. I it takes a hollywood hero 30 seconds to break it, they are saying it is unbreakable to mere real-life mortals.

You know, NCIS used to do the same thing. Tim and Abby tossing absurd techno-babble back and forth like it meant something. They've gotten better. Maybe in a few seasons, 24 will get some better advisers, too.

I think I found a clue to Bruce's Blowfish backdoor here:
http://geekz.co.uk/schneierfacts/fact/60

My theory is that Bruce Schneier and Morris O'Brian are brothers. (of course Morris can not use his real name) That is how Morris knew the backdoor that no one else knows. You must admit there is some resemblance. I think it is a good conspiracy theory anyway. 24 needs to write it into the show, and it started here.

I don't know why they went through the hassle of making up the story about the back door. Everyone knows that if you subject encrypted data to enough gravatational force it will separate plain text form the cypher. It's like panning for gold - works every time.

Wait.. if 24 mentions a real technology that exists.. how does that change the 24 drinking games? do we chug the whole bottle?

Then there was that 733t hacker performance in "Swordfish" by Hugh Jackman, alongside John Travolta and 'Ginger'. "Log on. Hack in. Go anywhere. Steal everything." (Man, good thing Jackman had other things going for him besides "Swordfish").

Blowfish is the current encryption Klingon.

You remember on Star Trek when they wanted to show that the alien of the week was really tough, they'd have him beat up Worf, the token Klingon in Starfleet. Now in order to show that the decryption guy is really smart, they have him crack blowfish.

@Jonadab the Unsightly One -

I don't know... I choked when I watched a couple episodes recently (I think of Voyager) featuring a visible dark matter asteroid, Tachyons moving slower than light, and creating their own name for Neutron radiation (which also interacted with light incorrectly, was moving inexplicably at highly variable speeds, etc...)

While I may despise the show for other reasons, 24 at least did realize that Blowfish is an encryption algorithm.

@Jack Bauer at March 20, 2009 7:11 AM: is that you, Clive?

It's all a conspiracy. Indoctrinating people to believe encryption is not secure will make them use it less ;)

@romain ramierz "when you watch ER or Dexter "

I don't watch ER or Dexter or CSI. I watch Dollhouse. Much more real to life...and pretty people.

@yt "supply my own alternate MST3K-style dialog" no offense but was this main cause of the 'ex'? Unless you are alone or with fellow travelers? It's annoying dude.

Okay let's talk about professional cyberwarriors using crypto they know is flawed and breakable in 20 seconds. How good are these people we're paying ... I mean a Level 5 analyst has to be what carrying a graduate degree in math and a GS-11? I want my money back. and the

@chas...he's right Bruce...and the hat is cool! It's a good look. Update your webphoto.

It wasn't real Blowfish, it was Blowfish 148. You know, the one with the back door in it.

I swore I'd never tell anyone this, but the backdoor into Blowfish is "Joshua".

OK, the timelines are a little short ... :) I'm a huge fan of 24, but this one had me on the floor.

Bruce, this should give you a laugh. It's an Eddie Izzard comedy skit where he discusses backdoors as they occur in the movies. :-D

http://www.youtube.com/watch?v=k6C_HjWr3Nk

IMO, the "go on The Daily Show" idea is the best one so far.

Bruce would make a great guest, and I can just imagine Jon Stewart riffing through the screen dialogue and then turning to Bruce and saying, "So, how realistic *is* that?" and Bruce saying, "About as realistic as the DHS approach to airport security" [cue audience laughter].

Bruce, your logical operators are ambiguous in your reply:

> As to how it feels: it feels surreal. I'm not proud to be
> mentioned, angry they claimed I put a back door in, annoyed
> they get the details wrong. If anything, I am amused by
> the whole situation. It's, well, it's surreal.

That can be read:

I'm NOT (proud to be mentioned OR angry that they claimed I put a back door in OR annoyed that they get the details wrong)

or

I'm (not proud to be mentioned AND angry that they claimed I put a back door in AND annoyed that they get the details wrong)

(although the "It's, well... it's surreal" does imply the first) :)

@everyone worried about the backdoor.
This is "24", which means they had to crack the code in seconds, and the only other slightly plausible method would have been to exploit a schoolboy error in the algorithm, and that's impossible. Consider the whole incident a "backdoor compliment".

Get real, everyone knows that high level passwords are the last name spelled backwards. That way you can, during a national emergency, send any encrypted file to anyone necessary in a matter of seconds and not have to worry about agreeing to a password over open communications. The only problem is that Morris O'Brian called it a backdoor instead of a predefined standard. Which obviously does not sound as sexy.

Hmmm, I never realized that Blowfish was a asymmetrical cipher ;-)

I have learned to just ignore the absurdness of such things and try to enjoy the entertainment value. But sometimes the absurdness can be entertaining when they make simple mistakes like wavelength for word / key length, etc,...

When I heard the mention of Blowfish in the dialog, I commented to the others in the room, that the mention should incite some interesting discussion over here.

LOL,
Exo

The fact that people need to be reminded that this is fiction, is a bit scary. Just because something real is mentioned on fiction, it doesn't mean that a single word that follows will have any truth to it.

Dude! I saw it on TV, therefore it must be fact.

It's a freakin TV SHOW. While I'm proud to be a geek, I'm ashamed of you nerds who just can't seem to get over yourselves. You don't have to be a dolt to be able to use suspension of disbelief - just mature, I guess...

Guys!! wow get a life, everybody knows there is a back door that's how the US government get to see what is in my e-mails

The only way that could have gotten better is if at the end you had two more lines:

LM: How did you do that.

MO: Its a special trick I picked up, rubber hose cryptography.

I wouldnt worry about it, RSA's not much good either.

Recall a film called swordfish where the guy cracks a DoD database protected with "128" bit RSA in under 60 seconds while being threatened with a gun and being given intimate attention by a hooker ...

Shame on the DoD for using a ridiculously small asym key size. Ironically, RSA presumably paid for the privilege of advertising their product name on the big screen, even if it did suggest it was absolutely trivial to break with the right incentive :-)

I don't think it's that far-fetched at all. To encrypt something in practice you need more than just an encryption algorithm -- you need a _program_.

It's perfectly believable that someone would write a tool which uses Blowfish internally, and call it 'Blowfish 148'. The number might be derived from the author's birthday, or anything else. It's believable that the author could put a backdoor into it too.

It's also perfectly believable that moronic government employees/contractors would _buy_ such a tool, instead of using decent peer-reviewed software where they have access to audit the source. It makes me sad, but it doesn't mean I don't believe it.

What more do we need to believe? That a few non-technical people in the heat of the moment might refer to a specific program as an 'algorithm'? I'll buy that one too.

And some aspect of this program's file format is dependent on endianness -- hence the question about word size and native vs. "modified".

It's _fiction_, for crying out load -- it's all about willing suspension of disbelief.

And it's Fox, so get drunk first.

"3. A cable repairman can disrupt an entire fleet of far techologically advanced UFOs with a laptop."

Seriously, that one is true.