Comments

BF SkinnerJuly 19, 2010 7:30 AM

My favorite attacker's method.

"I called them up and asked them what it was."

The Heralds are getting clever.

stijnJuly 19, 2010 7:51 AM

It's not really a code, is it? The Wired article mentions 'decoding', but the plaintext was guessed, not decoded.

DofangJuly 19, 2010 8:05 AM

As a great cryptographer once said, "A crummy *commercial*?" Remember to drink your Ovaltine!

dreamfishJuly 19, 2010 8:29 AM

To be frank, it wasn't 'cracked'. The nature of the string lent itself to be recognised as a hash. What they guy did was determine what type of hash algorithm (not difficult as there aren't that many in regular use), make an educated guess as to what the plain text was and recreate and compare strings.

BF SkinnerJuly 19, 2010 8:47 AM

Forgot to add...let the quibbling and hair splitting begin!

too late now.

Guessing plaintext is a valid attack isn't it? Isn't it the principal behind dictionary and brute force attacks.

Wes PJuly 19, 2010 9:05 AM

Yea, this was on /. a while back. I was excited, then I found out it was ONLY and md5 hash. Then I was severely disappointed. The only redeeming quality here could would be if this hash of their mission statement is shared with some other bizarre encrypted message that no one will ever find out... but this is the government we're talking about. Fat chance at that one.

ChristopherJuly 19, 2010 9:06 AM

Why are they still using MD5? I'm sure a collision free hash is good enough for their logo, but shouldn't a newly formed military infosec group prefer a strongly collision free one?

vedaalJuly 19, 2010 9:11 AM

Well, since it IS MD5, maybe it might be interesting to give it to the 'cloud' to generate 'alternative ' mission statements' until a collision is found ...

aikimarkJuly 19, 2010 11:15 AM

The real challenge now begins to find a (collision) text message producing the same MD5 value.

JakeJuly 19, 2010 1:16 PM

> shouldn't a newly formed military infosec group prefer a strongly collision free one?

of course they prefer such a thing. we're just not allowed to know what it is!

BobJuly 19, 2010 3:09 PM

Yeah, a little behind the times..

It was pretty clearly an MD5 and then easy enough to guess (and not decrypt).

HOWEVER, I do think it's a great way for them to get people to read (or at least skim) their mission statement.

ChrisJuly 19, 2010 7:30 PM

>The Wired article mentions 'decoding', but the plaintext was guessed, not decoded.

i am sure USCYBERCOM will happily sign up anyone who can consistently produce verifiable plaintexts -- even if it's by guessing rather than cryptanalysis.

Sasha van den HeetkampJuly 19, 2010 11:01 PM

SHA didn't fit the logo, so they resorted to MD5. Typically the trade-of I would expect.

JardaJuly 20, 2010 1:53 AM

Save the logo. In future it will allow you to check, if the mission statement didn't change

Corned BeefJuly 20, 2010 7:56 AM

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. P.S. Mattel Aquarius rules OK.

***

Hmm. Can't work out why my MD5 is different.

vedaalJuly 20, 2010 3:04 PM

@ Henning, Akimark and Rog :

Here's a possible way to find a collision:

[1] Compose your own message M, less than 391 characters.
[2] Generate random suffix characters and append to M until a 391 character length.
[3] Check if the 'logo' hash verifies.
[4] Repeat steps 2 and 3 until it does.

Example:

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; to use the latest vetted strong cryptographic hashes. Our special encoded message follows: fghmtghkp5gygtpgtjk\rgkdslm\HSJY8Sghahrjyjkuknn689w6793okgi838939k49499k889898989898kk89989k788o9o999kyoyo76fytytiiiu8888

Write a script in Perl or Python to randomly generate the suffix part until the given hash verifies.
Bruce, Do you want to offer an autographed book as a prize? ;-)

antonAugust 9, 2010 6:34 AM

So for lazy people like me, please can someone quote the Cybercom's 58-word mission statement!

Presumably the motivation for putting the mission statement hash into the logo was to draw attention to it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..