Comments

BF Skinner July 19, 2010 7:30 AM

My favorite attacker’s method.

“I called them up and asked them what it was.”

The Heralds are getting clever.

stijn July 19, 2010 7:51 AM

It’s not really a code, is it? The Wired article mentions ‘decoding’, but the plaintext was guessed, not decoded.

Dofang July 19, 2010 8:05 AM

As a great cryptographer once said, “A crummy commercial?” Remember to drink your Ovaltine!

dreamfish July 19, 2010 8:29 AM

To be frank, it wasn’t ‘cracked’. The nature of the string lent itself to be recognised as a hash. What the guy did was determine what type of hash algorithm (not difficult as there aren’t that many in regular use), make an educated guess as to what the plain text was and recreate and compare strings.

BF Skinner July 19, 2010 8:47 AM

Forgot to add…let the quibbling and hair splitting begin!

too late now.

Guessing plaintext is a valid attack, isn’t it? Isn’t it the principle behind dictionary and brute force attacks?

Wes P July 19, 2010 9:05 AM

Yea, this was on /. a while back. I was excited, then I found out it was ONLY an MD5 hash. Then I was severely disappointed. The only redeeming quality here would be if this hash of their mission statement is shared with some other bizarre encrypted message that no one will ever find out… but this is the government we’re talking about. Fat chance at that one.

Christopher July 19, 2010 9:06 AM

Why are they still using MD5? I’m sure a collision free hash is good enough for their logo, but shouldn’t a newly formed military infosec group prefer a strongly collision free one?

vedaal July 19, 2010 9:11 AM

Well, since it IS MD5, maybe it might be interesting to give it to the ‘cloud’ to generate ‘alternative’ mission statements until a collision is found …

aikimark July 19, 2010 11:15 AM

The real challenge now begins to find a (collision) text message producing the same MD5 value.

Jake July 19, 2010 1:16 PM

shouldn’t a newly formed military infosec group prefer a strongly collision free one?

of course they prefer such a thing. we’re just not allowed to know what it is!

Bob July 19, 2010 3:09 PM

Yeah, a little behind the times..

It was pretty clearly an MD5 and then easy enough to guess (and not decrypt).

HOWEVER, I do think it’s a great way for them to get people to read (or at least skim) their mission statement.

Chris July 19, 2010 7:30 PM

The Wired article mentions ‘decoding’, but the plaintext was guessed, not decoded.

i am sure USCYBERCOM will happily sign up anyone who can consistently produce verifiable plaintexts — even if it’s by guessing rather than cryptanalysis.

Sasha van den Heetkamp July 19, 2010 11:01 PM

SHA didn’t fit the logo, so they resorted to MD5. Typically the trade-off I would expect.

Jarda July 20, 2010 1:53 AM

Save the logo. In future it will allow you to check if the mission statement didn’t change.

Corned Beef July 20, 2010 7:56 AM

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. P.S. Mattel Aquarius rules OK.
Hmm. Can’t work out why my MD5 is different.

vedaal July 20, 2010 3:04 PM

@ Henning, Akimark and Rog :

Here’s a possible way to find a collision:

[1] Compose your own message M, less than 391 characters.
[2] Generate random suffix characters and append to M until a 391 character length.
[3] Check if the ‘logo’ hash verifies.
[4] Repeat steps 2 and 3 until it does.

Example:

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; to use the latest vetted strong cryptographic hashes. Our special encoded message follows: fghmtghkp5gygtpgtjk\rgkdslm\HSJY8Sghahrjyjkuknn689w6793okgi838939k49499k889898989898kk89989k788o9o999kyoyo76fytytiiiu8888

Write a script in Perl or Python to randomly generate the suffix part until the given hash verifies.
Bruce, Do you want to offer an autographed book as a prize? 😉

anton August 9, 2010 6:34 AM

So for lazy people like me, please can someone quote the Cybercom’s 58-word mission statement!

Presumably the motivation for putting the mission statement hash into the logo was to draw attention to it.
