Blowfish on "24"

Two nights ago, my encryption algorithm Blowfish was mentioned on the Fox show "24." An alleged computer expert from the fictional anti-terror agency CTU was trying to retrieve some files from a terrorist's laptop. This is the exchange between the agent and the terrorist's girlfriend:

They used Blowfish algorithm.

How can you tell?

By the tab on the file headers.

Can you decrypt it?

CTU has a proprietary algorithm. It shouldn't take that long. We'll start by trying to hack the password. Let's start with the basics. Write down nicknames, birthdays, pets -- anything you think he might have used.

Posted on April 27, 2005 at 12:26 PM • 113 Comments

Comments

TimApril 27, 2005 1:02 PM

I saw this and immediately cracked up. As much as I love that show, the pseudo tech-talk always leaves me in stitches.

xApril 27, 2005 1:15 PM

If I were to ever try to brute-force a password, I know that I'd start by WRITING DOWN all the possibilities that came to mind first. It just seems more efficient. /sarcasm

Since they're taking technical liberties anyway, why wouldn't they just make up a fictitious algorithm name?

Israel TorresApril 27, 2005 1:22 PM

They could have recycled these lines:
"We go in over phone lines. Pop the firewall, drop in the hydra, and just sit back and wait for the money."

with:

"We go in over the data link. Pop the algo, drop in the cracker, and just sit back and wait for the password."

(sad chuckle)

... another bad exchange in "factual" dialogue appear to be here:
"Oh, my God. Don't you have a Gun?"
(Phone rings)
"I work with computers."

... not watching the program I can only assume in 24 there are no IT-enabled NRA card carrying members which may differ ever so slightly in the "real world" as it were (especially if they are attempting to "crack" anything".)

Israel Torres

Emmanuel PirschApril 27, 2005 1:42 PM

Bruce,

If I were you, I would be a lot more disturbed by this quote : " Can you decrypt it? Ctu has a proprietary algorithm. It shouldn't take that long. "

:-)

DarrylApril 27, 2005 1:51 PM

I caught that and excitedly told the people I was watching with, "Hey blowfish is a real computer algorithm." They looked at me like I was crazy. I then explained that cracking it would take quite a while. They still looked at me like i was crazy.

ChrisApril 27, 2005 2:12 PM

I just want to know how Jack gets his cell phone to work 3 stories below ground in a hospital basement, or how Edgar can reposition a satellite to track a guy running thorough LA in a matter of seconds while at the same time downloading detailed building schematics of the LA sewer system to Jack's PDA on what must be some super secret nationwide 802.11g network, because I know they can't get that kind of bandwidth with a Sprint PCS card :)

FunCrusherApril 27, 2005 2:39 PM

I just tried explaining to my wife why this was funny and she said "I didn't understand anything you just said".

Nevermind.

Anonymous Reader 1April 27, 2005 3:30 PM

"Can you decrypt it?

CTU has a proprietary algorithm. It shouldn't take that long."

Doesn't sound very realistic to me. You'd expect a "CTU" agent to be more careful than that about disclosing their cryptanalytic capabilities!

Saar DrimerApril 27, 2005 3:49 PM

"24" is fun to watch as a cynic, because they do every possible thing wrong. Every decision is stupid. Seriously, one can't expect them to be technically/operationally accurate.

What I'm wondering is why they chose Blowfish? Anyone?

oliverApril 27, 2005 3:49 PM

@kevin

your company must have a pretty lousy password policy. the computer lab at my school requires all passwords to be 6-8 chars, to contain at least one non-alpha character, and not be based on a dictionary word. this may not be the most rigid set of requirements, but they are adequate for our needs.

though it takes most new users quite a while to choose a proper password, the password hashes are by no means easily crackable.

as bruce would say -- tradeoffs. this one seems to be a wise one.

ChadApril 27, 2005 3:53 PM

I have Tivo. My wife through a chair at me because I would not stop laughing and hitting the instant replay button.

It still gets me..."proprietary algorithm"...hahaha

"shouldn't take that long"...hahaha sniff sniff

;)

Barry FreedApril 27, 2005 4:07 PM

CTU uses snakeoil? Somehow I'm not surprised. After all, they think torture is an effective interrogation technique.


Bruce, do you think this might be actionable? IANAL, but maybe defamation or disparagement of the mark.


This also strikes me as similar to the tried and true method for solving 85% of all pontentially disastrous technical malfunctions in sci-fi: Reverse the polarity.

GustavoApril 27, 2005 4:09 PM

At last those pseudo-sci-fi writers are learning new tricks. Expressions like 'brute force' are really new (to them). Some years ago the good guy would just type 'override' and bypass the security/encryption/protection system instantly.

Davi OttenheimerApril 27, 2005 4:58 PM

Careful now, Fox may claim rights to any mention of Blowfish and 24. Or, in other words, if you try and sell anything that uses a screenshot or soundbite of their dialogue, they may claim infringement and demand royalties. This happened to a friend of mine who was at first pleasantly surprised to see a reference in mass media to his security software, only to be shocked by a threatening letter that said he would be sued if he tried to document that his software was used in their (fictional) movie.

Steven PlunkettApril 27, 2005 6:24 PM

Just keep in mind that the writers of 24 for 4 seasons have been using really silly and inappropriate technical terms (in the wrong context). I wouldn't take it personally - I don't think any crypto conspiracy theorist is going to take what is said on 24 as gospel. Israel Torres's Swordfish reference was definitely an appropriate example. :-)

AndyApril 27, 2005 7:09 PM

Judging by http://www.fox.com/24/research/ (click on 1am-2am) the Blowfish reference is because:

Schneier wanted Blowfish to be unpatented and in the public domain to be used freely by anyone.

As or the show, it's worth looking for the plot, the drama, the suspence. The technical details are often wishful thinking. Isn't this the case with most movies?

RogerApril 27, 2005 10:36 PM

I think it's obvious why they chose Blowfish: it has a cool name. It's definitely one of my "Top 5 Algorithm Names", along with Akelarre, Khufu, Khafre, Snefru, and ICE. Oh, and "Wide Mouth Frog", if I be permitted to include the latter.

And to be fair, the description of a dictionary attack on CTU's algorithm, whilst not completely accurate, does convey two useful points to the layman:
a) proprietary algorithms are not cool; and
b) passwords based on pet's names etc. are easily broken.

AndrewApril 28, 2005 12:36 AM

It's not quite as bad as earlier in the season... when they were trying to "crack" into a unix system, and the computer nerd guys solution was something like:

"hold control + f9 until you see the manufacturer code appear on the screen"
..

Computer guy gives him some random 5 character long password to type in and it magically unlocks everything on the system.

Even earlie there was mention of an IP address that was alphanumeric (no it definately was not anything related to the MAC address)

ChirayuApril 28, 2005 1:27 AM

Comeon guys... its a TV show!! There is a reason these people are not where probably you guys are. :)

As a friend of mine says, its all about "computers, guns and chicks". why bother with the details. ;)

miss p.April 28, 2005 2:50 AM

The last ep of the new series of Doctor Who has a scene where the Doctor is telling Mickey The Idiot how to fire a *nuclear missile* from a Royal Navy ship, through a *web interface.* Said interface was reachable from a login box on this organisation's public homepage and the password was 'bison,' I think? Or 'buffalo?'

I cried. A lot.

RampoApril 28, 2005 3:46 AM

@miss_p

It was a non-nuclear missile (the point being that the unlock codes for the UK's nuclear weapons arrived too late, but a conventional explosive was in any case the right device to destroy 10 Downing Street without collateral damage to the London conurbation).

The Doctor knows the password to the UNIT website because he was coƶpted onto UNIT in the 1970's, and is technically still a member.

Clearly this is all silly plot-nonsense, but not in the same league of stupidity as magic cracking techniques (such as this week's "Hustle"'s magic box which discovered an electronic hotel-room-safe's combination).

The password for the UN site, should anyone here wish to destroy their enemies with a Royal Navy missile is "buffalo" -- just keep entering it at every level (apparently there are no usernames, presumably because accountability for firing deadly missiles is not required :-)

bahApril 28, 2005 4:49 AM

The "24" techies also mentioned an IP address starting with "257" in last years show.

miss pApril 28, 2005 4:56 AM

Oh, I know about the Doctor's history with UNIT and all. Also that it clearly wasn't armed, but hell, it's still a *missile.* Fired from a RN *ship.* Buh?

I haven't seen that ep of Hustle, but now I'm reminded of that ep of Spooks where a schoolkid manages to plant a virus into the Grid's mainframe (complete with lovely spider animations), and the explanation given is that he must have got in through their web site. Again. WTF.

The same kid managed to get more access when there was a truck parked outside his school, complete with high-speed direct access to the mainframe, that had been left unlocked and unoccupied for some reason. Genius.

AnonymousApril 28, 2005 5:42 AM

@Barry Freed

If you are going to quote Dr. Who (John Pertwee) get the quote right you missed the bit about the "nutron flow" ;)

It's nice to have Dr. Who back on it reminds me of when monsters where so simple even a child could make one with the help of Valary Singelton and a shaggy dog named Shep :)

Folk's if you don't know what I and one or two others are talking about don't worry it's a UK BBC thing.

Clive RobinsonApril 28, 2005 6:04 AM

@Rampo

The repeated use of Buffalo has reminded me of an odd (and slightly silly) fact,

The word Buffalo has several meanings, and can be used as a noun, a plural noun, a verb and a transitive verb. So it is quite correct to say,

"Buffalo Buffalo Buffalo"

In fact you can use just about as many Buffalo as you like and still have a correct and meaningfull english sentance...

If you want to know the full gory details look in "Sweet Reason" by Tom Tymoczko and Jim Henle. It's a suprisingly easy read for a text book on modern logic.

Clint LaskowskiApril 28, 2005 6:52 AM

So, could it be considered a form of 'nation information security awareness training' to send a copy of this thread to the producers of '24' so they get some of these things right in the future? Maybe even have Bruce make a guest appearance?

Nick BarronApril 28, 2005 7:29 AM

24 is a great show to play Security Breach Bingo (or drinking game ;) with.

Factual accuracy is not a strong point...

Perhaps you should ask for a cameo in the next series as an independent crypto consultant :-)

Chris of Dangerous LogicApril 28, 2005 11:53 AM

I'm guessing that the '257.' IP address is the equivalent of the 555 phone number, although it would have been a shout-out to geek fans if they had used the IP address of Fox TV's web site.

ProbitasApril 28, 2005 12:49 PM

@ Clive

Now, that's what I'm talking about!

I am guessing that person who complained of the non-security nature of the post on attacking ants never made it to this point of the postings, but thanks for adding to my aresnal of completely pointless, absolutely fascinating information.

HootApril 28, 2005 1:21 PM

For the love of god MAN it is a TV SHOW Entertainment, Comedy, Drama. Do you guys think swordfish was real tooooooo

WJCarpenterApril 28, 2005 3:50 PM

Why shouldn't I believe they can crack blowfish instantly? In this supposed "real time" show, they can get across town during the commercial breaks.

(And I give them the benefit of the doubt, since I FF the commercials with TiVo. Still, downtown to uptown in the time it takes someone to describe an allergy medication is pretty good.)

ChrisJApril 28, 2005 3:52 PM

This thread is hilarious...but absolutely nothing tops the FauxGeek from Swordfish...

"True multi-screen capability!"

(Snicker)

Hrunga ZmudaApril 28, 2005 4:09 PM

Well, if it's good enough for my dad, a REAL former counter espionage spy, then it's good enough for me!

I thought that particular passage in the dialog was pretty trite. But when Chloe blew away the guy outside with the M-16, I knew she was my kind of girl!

Bad CheeseApril 28, 2005 6:27 PM

I agree with Simon Brunner. I actually worked at CTU for several years on the missle/web interface project. At the end, we were only able to get a rather large weiner dog through the matrix and launched. I had to parachute out when my spell check failed to detect intrusion.

I can be reached at Soldier of Fortune.

steveApril 28, 2005 6:48 PM

maybe they had the super secret ip address that sandra bullock used in 'the net'. something like 328.356.10.1 or whatever. that is probably the key to decrypting proprietary algorithms :)

AnonymousApril 29, 2005 3:32 AM

I think the funniest thing I've seen on here are references to how horrible the show/writers are for getting technical details wrong...yet about 50% of the comments on here have spelling/grammatical mistakes.

Think about it for a minute. You're lambasting a group/show for getting something wrong that they, and the general public couldn't care less about (it's ENTERTAINMENT: they just need to sound technical enough to entertain 99% of the public).

So...we're all blasting them for getting a fairly technical topic wrong, while posting using incorrect grammar and spelling, which should be within the reach of all of us. A lot of people watching that show would not understand that the tech-talk is hogwash, but they could point out the problems with basic english in these comments...

Anybody see my point? We're all brilliant, because we understand technical computer science topics, but not brilliant enough to post a message exhibiting basic English skills.

Ah well...I'm sure this post has problems too...If only I was as smart as I thought I was at 15.

RampoApril 29, 2005 4:47 AM

If our security work were truly interesting, then they wouldn't need to pay actors and scriptwriters for such shows -- they'd just send round a Channel 4 camera crew to film us.

Sadly, we are mostly ugly, and our work is highly tedious to the uninitiated (indeed, much is highly tedious to the initiated too).

We have no chance.

PS I have discovered a truly marvellous proof that Blowfish can be cracked in 24 rounds; sadly this margin is too small to contain it.

MisterSilverApril 29, 2005 9:18 AM

Well I guess I am dating myself but I have been watching this stupid fake science and technology stuff for 40 years and it just get funnier every year. My favorite was the time when Kirk TALKED a robot (and later a computer) into blowing itself up. The best was that both were supposed to be infinitly more intelligent than average humans (which added a couple of orders of magnitude to the superiority to Kirk).

Carlos Granier-PhelpsApril 29, 2005 11:21 AM

A little off-topic... but just noticed the comment-spam here on Schneier.com and was wondering what the thought-process behind these idiots is.

I mean, spamming a website were crypto-hackers meet? That's about as smart as robbing someone at the NRA convention.

PerryApril 29, 2005 1:23 PM

As several posters have noted, anything to do with computers shown on TV (or in the movies) is almost always completely inaccurate. What is more interesting is that this is also true of any other topic that that viewer happens to be expert in. My SO is as familiar with equestrian pursuits (horses) as I am with computers and she can point out glaring inaccuracies, anachronisms and plain impossibilities with any treatment of that subject on TV. Even for topics on which we are not expert but merely familiar we can often identify things we are pretty sure are incorrect.

The logical extension of these empirical observations is that *everything* shown on TV is wildly inaccurate and trivialized. While not all that surprising it makes suspension of disbelief that little bit harder ;-)

Duncan D'NutsMay 1, 2005 7:02 AM

"The '24' techies also mentioned an IP address starting with '257' in last year's show."

Maybe on OUR internet that is an invalid address, but on some of the other internets that George Bush mentioned it's perfectly fine.

RichMay 1, 2005 5:15 PM

@Carlos Granier-Phelps

Re: Spam comments: They're probably automatic. At some point Bruce will probably implement one of those 'prove you're a human by entering the word in this picture' filters.

Clive RobinsonMay 2, 2005 6:27 AM

@Rich

I have nearly normal eye sight and I have concluded that those "prove your a human..." pictures on HotMail can only be read by a computer ;)

Seriously though in the EU they are against half a dozen EU directives for disability.

D ManMay 2, 2005 3:11 PM

I for one do not doubt for an instant that Chloe can crack Blowfish in the time it takes Jack to get across LA on the highway (45 seconds). I actually worked at CTU for a while myself, until I was fired for helping Jack in his extracurricular missions, and I know that Chloe has a couple of tricks up her sleeves.

TafferMay 4, 2005 2:05 AM

On a related topic: I found it wholly incredulous that the cable repairman in Independence Day wrote a virus for an alien computer system without knowing any of its internal workings at all... But then again, maybe aliens use Windows just like we do.

Joel ScanlanMay 10, 2005 6:56 PM

in defence of Independence Day... he did have access to the little ship. And thus the writers would argue he just scaled upwards within that framework. But that, again, would be like taking over a agent platform based off of a single mobile agent snatched from the network..

TV is great :)

Fred PullenMay 11, 2005 5:49 PM

I saw Independence Day again last night, and was glad the aliens hadn't heard of a "Defense in Depth" strategy!

On the topic of computer security on the big screen, I just have to suspend disbelief. For example, I love Crichton's books & movies, but nearly every one has significant technical inaccuracies. Who ever heard of designing a system whose default failsafe is to *open* cage doors? Once again, it's an opportunity to laugh and nod sagely to ourselves. :-)

GrammaticusMay 14, 2005 2:33 AM

@Anonymous

"Anybody see my point? We're all brilliant, because we understand technical computer science topics, but not brilliant enough to post a message exhibiting basic English skills.

Ah well...I'm sure this post has problems too...If only I was as smart as I thought I was at 15."

Problems? At least one. Among those basic English skills is using the subjunctive mood in counterfactual conditional statements.

Thus, your last sentence should read "If only I WERE as smart as I thought I was at 15."

And I'm guessing you wouldn't have written it correctly when you were 15 either.

mike hoyMay 14, 2005 7:17 AM

i love this show but that was too much. I mean why did she even have to go to the house? couldn't they have transported the ibook to CTU where the 'proprietary algorithm' was located anyway?

any btw, is the bit about 'cking the file hearders' accurate? can she tell by the file headers that's it's blowfish and not AES or whatever?

NickNovember 17, 2005 12:49 AM

Crap, looks like I'm gonna have to switch encryption algorithms now...I thought I was pretty safe with Blowfish...

The easiest way to crack encryption is to just "brute force" through the post-it notes next to the computer until you find the password....

toysnobJanuary 24, 2006 12:30 AM

I know I'm late to this thread and this is totaly off topic, but for crying out loud, 24 aint the best show on TV. That distinction would go to The Shield. Watch the first four episodes from Season 1 and then tell me that you can respect a show like 24.

Equality72521April 13, 2006 7:56 AM

It always cracks me up that Jack's mobile phone isn't set to silent when he's out and about. Creeping through some baddies' hideout and his phone goes off...

normalMay 5, 2006 12:32 PM

24 is one of the best, if not the best, television shows out there. Granted, they don't know their technical jargon (on Craig Fergusion, Kiefer actually came clean and told audience that he is now starting to learn how to use email!), but I am so glad that I ain't a geek that I laugh and ridicule the show because "they didn't get that algorithm right at all."

But thinking retrospectively, I am an aerospace engineer and somehow (Lord knows I hard I try not to) chuckle or burst out laughing if someone doesn't know what Prandtl-Meyer waves or piezo actuators are. Hmmm ....

Narf.

ScottMay 9, 2006 8:46 AM

Go easy on 24 guys! Are you confident in saying that the Department of Defense doesn't have the capability to reverse Blowfish? The NSA? I think it's easier to explain to the avg person that encryption involves passwords than to explain that it involves #-bit keys of random data. As for the 257 IP address, it's like using 555 in phone numbers. I sure as hell wouldn't want them saying my IP address on the show. It must have sucked to have had the number 867-5309. Alphanumeric IP address? IPv6 maybe? Broadband on a cell phone? Cell phones underground? Could it be that CTU is entitled to use other portions of the spectrum than 900 Mhz, 2.4Ghz, etc?

SubzMay 11, 2006 3:43 PM

Yeah cell phones working on the 3rd underground floor are pretty amazing. What's even more amazing is a stolen F117 that cant be traced by the military. I'm sure that their must be a few devices in this plane that allow the US to know where the plane is located if a request is sent by satellite, perhaps also remote control and auto-destruction. I know that France sold some missiles to another country a while ago. And, at some point, one of the missile was launched against France. Well, it never reached the target cause of course they activated the self-destruct option of the missile before they were hit. I think it was a surface to surface (Sea-sea) missile. Perhaps Exocet?... Not sure...

sathishJuly 26, 2006 11:21 AM

sir iam student in engineering college. iam doing my project in ieee papers about topic name is "combination of data compression and encryption " i want this source code of this project.

AnonymousSeptember 5, 2006 11:49 PM

"As or the show, it's worth looking for the plot, the drama, the suspence. The technical details are often wishful thinking. Isn't this the case with most movies?"

I hope not too many people are wishing Blowfish has a backdoor......

And @ the person that said torture isn't effective I agree but do you have any sort of links about this? Google isn't the best for this sort of thing.

Fenris FoxOctober 10, 2006 12:38 PM

It is funny that they used your algorithm - but it could be a type of "homage." =;o)

Seriously, though, it is very possible that they could break it with their "proprietary algorithm." It wouldn't attack the cipher, of course, but it would attack the passphrase. Lots of people use crappy passphrases.

And as far as "proprietary" - they could just write their own dictionary attack algorithm, and say it's "proprietary..." =xoD

kenshinMarch 22, 2007 12:02 AM

fiction is good but what if non-techy clients heard about BLOWFISH being cracked easily?, and look for some fictional encryption algo's that may be mentioned in a show... :p just my opinion...

TheEyeSeptember 6, 2007 9:27 PM

"fiction is good but what if non-techy clients heard about BLOWFISH being cracked easily?"

They could just think that you're not very creative and took the name from the show (rather than the other way around)! :D

qdmOctober 5, 2007 8:32 PM

I guess that at a minimum the "blowfish" name has become a widely known term, even among the Willy Hackers among the 24 writers. At least we should give them credit for mentioning a truly secure encryption algorithm. To portray it as "easy to crack", however, shouldn't have sat well with Bruce.

I think that when portrayed in this manner that statement can actually mislead a significant percent of the population who might one day have to choose an encryption algorithm for whatever purpose. Most people who watched the program will remember the name, and would probably follow the following decision scheme:

encryption -> blowfish -> 24 -> easy to crack -> not a good choice -> don't choose blowfish

just due to the "crackable" label unfortunately attached to it. And don't even suggest that people can easily verify it, because most people don't want to bother reading about anything that requires to put in some effort to understand it (too much trouble, they would tell you).

What can you expect from a TV series intended to keep people watching the commercials along the way ?

I agree, following the so apparent fictional dialog they should have chosen a fictional encryption algorithm name as well.

if they wanted to do something useful they could have included a line like:

-----------------------------------------------
A: They used the "Xeon" algorithm.

B: How can you tell?

A: By the tab on the file headers.

B : Can you decrypt it?

A: Fortunately they didn't used something like blowfish. CTU has a proprietary algorithm. bla bla bla...

z17813October 21, 2007 2:13 AM

"They used Blowfish algorithm.
How can you tell?
By the tab on the file headers.
Can you decrypt it"

'No but get some electrodes, a hood and a pair of pliers and look up the address for Bruce Schneier'

;)

MarcusJanuary 16, 2008 2:30 PM

A good writer should be able to make factually based information sound just as cool.

-------
They used Blowfish algorithm.

How can you tell?

It's in the file header.

Can you decrypt it?

CTU has a proprietary cracking algorithm, but it might take awhile. So, we'll start by trying to guess the password. Let's start with the basics. Write down nicknames, birthdays, pets -- anything you think he might have used.

LIke uh BobMay 1, 2008 1:40 PM

Spotted on 24 awhile back...URL beginning with 324.?Obviously a more advanced version of D.N.S. at CTU

Noone9May 25, 2008 4:03 PM

Funny, I just saw that episode of 24 on DVD and when I heard Blowfish I decided to visit this site to see if Bruce got a kick out of it. And so you have an over 3 year old (as of 2008-05-25) thread about this. Cool.

Anyhow, this is my view on the issue... 24 like virtually all TV shows, movies, and science fiction literature is highly inaccurate in respects to all things technology, but that is what makes it fun to watch. Non-programmers/Non-hackers would be bored to death if they were to explain the mathematical, physics, chemical, computational, or overall scientific logic of things.

The funniest of things about these pseudo science fully fiction media is not the scientific abominations but the fact that they portray the United States intelligence agencies and military as highly efficient security networks. CTU and their 007-like Jack Bauer manage to defeat about every terrorist threat in the world. Whereas in real life...

The intelligence agencies couldn't prevent nor stop a few Muslim fanatics from hijacking airplaines with knives and crashing them into WTC and the Pentagon.

In real life the US ARMY and even the Marines are humiliated on a daily basis in Afghanistan and Iraq, while badly trained insurgents with old soviet equipment manage to blow up Blackhawk Helicopters and kill a few dozen military personnel on a virtually daily basis.

So I mean the FUNNIEST thing is how the media portrays the 'efficiency' of the United States government, whereas in real life they are as incompetent as any other in the world, merely compensated by a 300 Billion/yr. USD budget.

AnonymousSeptember 8, 2008 1:17 PM

>Brute forcing is a proprietary algorithm?
>Posted by: nick at April 27, 2005 1:53 PM

No, but the program implementing it - perhaps with extra optimizations or heuristics to speed up the key search.

AgentCROCODILESeptember 11, 2008 12:02 AM

I wonder how they could figure out what algorithm it is by "looking at the tab on the file headers" - They should have said it was a "double inversion algorithm" to add some spice

basically, plaintext with bytes inverted (1s change to 0s and vice versa) twice to give the original plaintext

AgentCROCODILESeptember 11, 2008 12:10 AM

I also find it funny how in any modern movie:

1. The most popular operating system is either OS/2, MS-DOS or Macintosh
2. The user interface has not improved very much (2050 setting with 1985 user interface)
3. Passwords are pathetic (To get into the CIA or Pentagon, the passwords are like "FLUFFY", "SUPERMAN", etc)
4. Speech recognition and biometrics is flawless
5. Simple commands eg "RUN SEQUENCE" without any known parameters, as if they are absorbed via osmosis - And you type it into a single box with the rest of the screen filled with fancy-pants border junk
6. All computers seem to speak NATURALLY
7. The operators wear headsets and either look after their skin too much or don't look after it enough
8. They all are of the same color, race, and CLOTHING and SIZE!

Jacob SobaszkiewiczJanuary 5, 2009 12:18 AM

Thanks for keeping this thread. Funny isn't the word... perhaps historically histarical honey for the newly reached. Hey - don't forget the Jake 2.0 reboot episode... I think it single handedly killed the series.

Tim DMarch 16, 2009 9:12 PM

You are famous again. It was mentioned on 24 again. This time it was a "Blowfish 148" algorithm. I assume that the 148 was the cypher length... LOL

JCMarch 16, 2009 9:12 PM

24 has done it again!
In tonight's episode, they (Moris O'Brien's character) claims that the designer of the Blowfish algorithm put in a backdoor. He then proceeds to decrypt a message in a fiew seconds!

EmpireMarch 16, 2009 9:30 PM

=)

'24' just referenced Blowfish (called Blowfish-148) once again, this time in Season 7.

And, once again, it was easily cracked by not Chloe, but her husband, who claimed 'the creator of this algorithm built a backdoor. It's a cinch if you know the override codes'. And then voila, the entire encryption was defeated within seconds.

Ahh how hilarious. =)

JohnMarch 16, 2009 10:14 PM

Tonight's episode of "24" referred to the "back door" in "Blowfish 148". Morris O'Brian was able to decrypt a file ecrypted with "Blowfish 148" within seconds because "the designer of this algorithm built a back door into his code". O'Brian said, "decryption is a piece-of-cake if you know the override codes".

JamesMarch 17, 2009 10:38 AM

I got a good laugh, as soon as I heard it too.. My thoughts were...

1 - 148 - bits are not possible (not divisible by 8)..
2 - Back Door? Now non techies will try to avoid anything with Blowfish implemented, because they will think it has a back door!

Linus TorvaldsMarch 17, 2009 10:49 AM

Did it ever occur to you that Morris was the designer of the algorithm?

I mean, what do these guys do the other 364 days of the year when the nation's destruction is not imminent? Maybe they attend security conferences and design proprietary crypto algorithms with back doors just in case something like this ever happens.

JCMarch 17, 2009 1:19 PM

@"Linus"
This is likely a troll, but if not, you might want to click on the "cryptography" link on the left menu and find out who actually designed Blowfish...

Mike MorganMarch 17, 2009 1:48 PM

Bruce,

You were mentioned again yesterday.

This time they said you put in an intentional back door, a clear reference to the the original source code representing the key with type char [], which produces a sign extension bug with many compilers.

BTW, BF148 is possible, if 148 represents the number of rounds, for example.

ptbMarch 17, 2009 2:59 PM

When Morris claimed the designer put a back-door into Blowfish, my first thought was: "Oh man, Bruce is really gonna be mad!" :-)

Mark FMarch 18, 2009 6:21 AM

I think it's great that they did that, actually. It makes people like my Dad think. He asked me after the show, "Do a lot of people do that?" I said, "Do what?" He said, "Use personal information like their zip code as a password?" I said, "Yeah--way too many." I noticed him later, up in his office, changing his email password.

Mark FMarch 18, 2009 6:26 AM

As long as the cat's out of the bag, by the way, would you mind publishing the override codes for Blowfish 148?

Bruce, you could probably sue the 24 producers and retire to a tropical isle of your choice.

SageMarch 21, 2009 9:25 AM

Bruce,

I saw it on 24 last week. Seriously, is there a proverbial backdoor to any encryption including yours?

iwonttellanyoneMarch 24, 2009 2:23 PM

Hello sir, could you please send me the override code for your backdoor?

I won't use it, just want to look at it?
T3H4Ck3R@malware.bin

LegbaMarch 24, 2009 5:31 PM

I was literally flabbergasted when I watched the episode! I actually worked with ciphers every now and then. IMHO the creators of 24 went way too far.
I have a persona theory as to why it is 148. I believe it is bit they are talking about and I believe they presumed Renee went for the biggest key size possible but the actress analyst or the guy who wrote the script, somebody, must have been remembered the wrong number and so instead of 448bit the actress said 148: EVEN MORE PATHETIC!

ImranJuly 30, 2009 1:03 AM

Sir I am doing my project on DART Dynamic Address Routing in Adhoc and Mesh Networks can i hav the extension and some of the source codes of it.

Thanking you

nihal nooruddeenFebruary 12, 2010 7:53 AM

sir i am doing the project based on blowfish algorithm using VHDL. i'm half way to the project but i dont have any guidance based on it. can any one help me based on this project it would be a great help for me. so please sir, kindly help me based on it.

PaulFebruary 17, 2010 6:43 PM

I think it's common knowledge that the NSA has a backdoor to open PGP encrypted data. Is it such a stretch to presume the government requires all encryption algorithms in America to have such a backdoor?

They wouldn't require a cracking algorithm if there is a built in backdoor for law enforcement purposes. Of course nobody who created an encryption algorithm would actually admit to making a backdoor, because nobody would use it.

Only Bruce Schneier really knows. I'll stick to AES myself because asymmetric encryption kicks ass over symmetric anyway...unless you're taking about huge amounts of data. Then you just use asymmetric encryption on the hash of the shared key.

MeJune 16, 2010 4:14 AM

@Paul

AES is a symmetric encryption algorithm. And I wouldn't say asymmetric is better than symmetric, it just depends what you want to do ; it's not even about how much data you want to encrypt, it's about the whole system.
And even for communication purposes, I'd take a symmetric encryption with a previously exchanged key over asymmetric encryption on an unsure channel.

gornSeptember 14, 2010 3:53 PM

I actually love the 24 tech-speak ... sometimes I nearly feel the extreme pleasure the IT adviser had to have putting these dialogs in.

Before you critisize any of it imagine yourself in his shoes. His assignement for the dialog should look like this: "Fabricate a dialog which includes encryption and the fact that no-one exept person XY can decrypt given message in short time. It should sound techie, let some space for publicly understadable jokes and it should take 10 seconds."

What would be YOUR answer to this? I think the IT guy did extremely well in Day 7 E14 (dialogue with the backdoor). The dialogue not only fulfills the accignement, but is fun for IT guys as well - admint it many of you were just PLEASED to hear something familiar like blowfish in the speech. Something you can talk about with your non-IT fellow spectators. Something you know and can have a good laugh about, which no-one else understood. "blowfish .... backdoor ... 15 seconds .... hahahaha" ... you know what I mean.

So do you still thing that these dialogs are stupid? If yes, than I think you just do not understand their purpose.

PS: I am personaly also very much pleased that many of the computers in 24 show is showing *nix operating systems. I think that it helps spread the world with alternatives to Windows.

PaulDecember 6, 2011 5:49 AM

It's not only the tech that's wildly inaccurate - Jack can hit anything he aims at at about a million yards with his pistol, and when their weapons run out of rounds they keep clicking...

To mention but two of many other flaws. As has been said, anyone with a little knowledge about any subject on TV notices the flaws.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..