Schneier on Security
A blog covering security and security technology.
March 30, 2011
FBI Asks for Cryptanalysis Help
Could be interesting.
Posted on March 30, 2011 at 1:48 PM
If he's been writing these notes to himself since he was a kid, it's probably not a Vigenère cipher, or something else that would be difficult to read and write in your head. More likely, it's some secret language he invented.
Or, maybe he's just schizophrenic :)
I was just reading about this on slashdot. I tend to think that it is some sort of personal shorthand code. Possibly written backwards. There are a lot of comments about the letter E being apparently used as a separator. I haven't taken a close look at it yet but I don't have high hopes.
Seems like there's a fair amount of structure to the content. My guess is that the content is simply too short to conclusively crack it using statistical analysis. Probably why the FBI is hoping to turn up other samples of his "code". If they can build a large enough corpus of cipher text, they will probably have more luck.
My guess would be that it isn't a code, rather it is a language with only one speaker... him. Without a large volume of examples to draw on, no one could distinguish it from a code.
(an exercise for the reader: go look at 1KB of USB traffic, knowing it is encoding binary content, and see if you can figure it out. Just because it's in an ISO spec somewhere doesn't mean it doesn't look like code when used)
I solved it. It's leet speak.
Go for it Bruce. This will make you famous in the cryptanalysis world.
Caution. If someone solves this, they may have found their perp.
Dick Moby just cracked it. Here's what it says.
First message: “Five years from now, Jeri Ryan will spill the beans on her by-that-time ex-husband’s proclivities to visit sex clubs. That will doom his odds-on favorite status to be elected Senator from Illinois, opening the way for an unknown ‘community organizer’ representing Chicago in the state legislature to snatch a stunning victory.”
Second message: “The newly elected senator, filled with hope and audacity, will run for President four years later, but his hopes will be dashed when I produce, to the news media, evidence of his birth in Nairobi to an American mother and a Kenyan father.”
ncbe gets used a lot, @kashmarek says a lot about the people's comments :)
"The bureau isn't offering any reward for assistance in solving the case at this time"
Are there actually people out there willing to do free work for a government institution?
@ Dirk Praet:
In the US, about 40-50% of all the work we do is for the benefit of a government institution.
(i. e., that is how much of our gross income goes to taxation at all levels, with fluctuations over time, of course.)
@kashmarek The coded notes were written by the victim, not the murderer.
Over on the Yahoo! page (Bruce's 3rd link), someone named John reasons that the two pages are a list of manic episodes (p. 1) and a list of bipolar meds (p. 2) and provides a partial decoding for both.
It's the 3rd highest rated post as I'm writing this.
I'm gonna love this if the first one turns out to be his laundry list and the second his grocery list. Go, FBI!
Morons can't solve this case without cracking this stupid code? Do they REALLY expect that whoever murdered him left this sort of incriminating evidence in his pockets? Is it even likely that he wrote it instead of someone else? Is this guy's death even worth investigating on a Federal level?
Bottom line: If this is what they're reduced to, give it up. Do we really want tax payer dollars going to solve crimes from a decade ago? This is just full employment for these idiots trying to get their budget increased.
Every time I hear the FBI is supposed to be protecting us from terrorists, I run into crap like this in the press: how they're spending tons of money chasing utterly irrelevant "crimes", harassing peaceful antiwar groups, chasing teenage hackers, etc., etc.
When do they find any time to chase terrorists? Oh, wait, they spend all their time CREATING terrorists out of incompetent wannabe lames in order to fan the public's fears and justify their ever increasing budgets.
Here's a direct example: Back in the late '60's when I was in the Army, I was stationed in the Adjutant General's office at Fort Rucker, Alabama. One of my duties was to track AWOLS and deserters and maintain their personnel files for 30 days prior to sending them up to the next higher command level. During that time, the FBI from the local office in Dothan, Alabama, would come to the base and fill out a report form to be sent to the AWOL's local home police department. Occasionally two agents would show up. Overhearing their conversation, it would be like: "How many cases are you working on?" "Oh, forty." "I got fifty cases I'm working on."
The Mafia used to refer to the FBI as the "Fumbling Bunch of Idiots". Looks like it's as true as ever.
And let's not even get started on their wonderful IT projects that blow up hundreds of millions of dollars and fail miserably.
@Richard Steven Hack
Yeah the FBI makes very public silly mistakes. Yeah it's not at all like its TV image. Yeah to all you said about competence.
But on principle all crime cases must never be 'closed' until solved. You can make all kinds of economic reasoning for not actively pursuing nuisance crimes etc but all that becomes socially unacceptable when you try and say it's not economical to pursue murders if you don't get an easy break.
Best clues found so far: Both someone on slashdot and the medicines theory guy on the Yahoo page noted that "d-w-m-ymil" is about dates; either day-week-month-year-millennium or day-week-month-year morning, day or late (night). John on Yahoo thinks it's mdl rather than mil, judging from the note I don't think that's correct.
Someone on slashdot noted that GDDMNSENCURE, which is in there, could simply be "goddamn secure", something not entirely unlikely to be encrypted by an amateur proud of his own code.
The pattern in these lines is striking. "fir" and "cdn" strongly suggest "first" and "second" to me, but what "prt" which occurs in the same place in the third line means is not so clear. I'm thinking part, partial or persistent, but maybe I'm too influenced by John's bipolar medicine theory.
It seems clear that while there may be a simple (but unusual?) cipher of some sort obscuring it, it relies mainly on a shorthand code for secrecy. Knowing more about Ricky McCormick would be essential for checking possible decodings. If he had bipolar episodes for the first time in 1971 second in 1974, and there was "no cause before episode" (NCBE), as John suggests, that should be easy to check - but as far as I can count, McCormick must have been around 13 in 1971. That is a bit early for a depressive episode, but not impossible.
@w: I also noted the ncbe, also I get a distinct feeling that anything not a letter is plaintext.
It also looks like he can write the notes directly, there is no supporting text, no extensive crossovers. And if he could use the system for notes - it probably wasn't too hard for him. That points toward something that can be memorized.
Which pretty much rules out anything that is actually fancy. But perhaps a two-step transform, some combination of a limited codebook and a substitution cipher? Possibly on bigram level.
Unlike others who have exposed their cluelessness, the investigators don't believe the encrypted notes were left by the murderer, or that they contain crucial details of the murder. They expect the notes are a diary or journal kept by the victim, and are probably hoping it contains 'went to meet Benjie today' type of entries. This kind of information can help them interview the right people, look in the right places, etcetera, in the investigation.
Like Will, I hope the FBI (and other LE) continues trying to arrest and convict murderers.
If nobody's been able to crack it over all these years it's probably using a one-time pad that only the perp has.
Sometimes you need to know the "entity" when trying to work out how a system is constructed.
From what has been said,
"McCormick was a high school dropout, but was able to read and write and was said to be “street smart.” According to members of his family, McCormick had used such encrypted notes since he was young, but apparently no one in his family knows how to decipher the codes"
"The FBI says that officers in St. Louis, Missouri discovered the body of 41 year-old Ricky McCormick on June 30, 1999 in a field and the clues regarding the homicide were two encrypted notes found in the victim's pants pockets."
So Ricky was born around 1958, and the various forms of high functioning Autism such as dyslexia were not really recognised / diagnosed / treated until the mid 1980's so well past the time he would have "dropped out" (possibly of shame).
One aspect of the various Autistic Spectrum Disorders (ASD) is a "savant" ability whereby they can memorise large amounts of data and do "mentally mechanical" tasks way beyond that of other mortals.
What has not been said is what is known about Ricky around the time of his death or what the FBI's interest in the matter is (I was under the impression they did not deal with local jurisdiction type crimes).
What did he do for a living, for instance, where and what sort of place did he live in? All can be clues to his mental makeup.
If he was "street smart" but a "high school drop out" I would put a small bet on his being ASD without further evidence.
Keeping encrypted notes from prior to adolescence is another significant indicator (ie they cannot academically show how smart they are but can prove it by doing things others his own age or considerably older cannot do (and the inability of others to recognise this gives rise to a real sense of shame and resentment)).
If he worked at the fringes of crime I would actually increase the size of the bet, especially if he was a "bookies runner" or other "numbers person" (by and large criminals don't care what your academic ability is but they do really care if you have a rare useful skill they can use profitably).
This is because in several studies of first offenders who had educational problems above junior level, many were found to have high intellect but poor academic ability. In some extended studies after receiving appropriate "schooling" something like 80% of these "offenders" did not re-offend and over a period of years worked their way up to above average income for the areas they lived.
If Ricky had these problems (ie was high functioning ASD) the chances are he could do multiple encipherment functions in his head without having to use pencil and paper.
Thus we could be looking at a polyalphabetic cipher or stream cipher using some kind of feed back or feed forward generator.
For instance for my sins (and no I'm by no means of "savant" level) I have in the past been able to do a simple additive generator with a five character lag in my head.
There is also an additional mental trick where you can do a running average by keeping the running total of the five numbers in your head and subtracting the fifth char back whilst adding the new char.
So some of those bracketed items may be "message indicators" or keys.
So it is entirely possible Ricky's system is polyalphabetic with a running key based on a simple generator. And if that is the case we don't have sufficient information to find the system except by luck.
One avenue would be "probable plain text" for both messages and try to "zig zag" (or "saw tooth" for those in the US) them out.
@ Dirk Praet: & @tommy
Oddly enough, some people enter these things called the "NIST cryptographic hash Algorithm Competition"
'Oddly enough, some people enter these things called the "NIST cryptographic hash Algorithm Competition'
Could that "oddly" be because they don't trust Federal employees enough to get it right (I know I don't based on past performance)?
After all the majority of the serious entrants don't even pay US Tax...
So in a way it shows just how little the rest of the world trusts "Federal Employees" and their employer.
Or maybe they're daft enough to think there may be fame and fortune in it somewhere ;)
Clive - the FBI's interest is just as they said in the press release - a code, potentially connected to a crime, that they can't break. RRAU are something of a clearinghouse for all things encryption in law enforcement in the US, as most local agencies have only the most infrequent need for that sort of expertise...
@Bruce - Awwww, haha, you DO read your comments :)
Oh nice! The first article I saw yesterday only published one of the cipher texts. I thought that was fairly ridiculous considering.
This brought to mind this other code I saw in a book (a kind of weird book actually IMHO, called "Bluebird : Deliberate Creation of Multiple Personality by Psychiatrists").
The code is located just before the introduction on its own page and goes like this:
I am not sure but perhaps the author was hoping that would trigger some behavior in some Manchurian Candidates?
I agree with Clive that more background information on McCormick is likely to be the key to solving this. I highly doubt that this is crypto though; otherwise it would have been cracked by now.
One other possibility -- it could be total gibberish or the ravings of a lunatic, not ever meant to be decipherable by any rational individual. I once saw a guy on a bus furiously scribbling down page after page of numbers. Was he genius or just nuts? We'll never know.
"I highly doubt that this is crypto though; otherwise it would have been cracked by now."
Possibly not, there are many civil war ciphers still waiting to be decoded where the key is not one of the standard set or have minor errors in coding etc.
Likewise there are still a great deal of "agents codes" from the second world war and later just sitting there undecoded and some may still be of importance over and above their historical value.
It's usually a question of "resources" such as thinking time when a cipher structure is unknown.
Looking at the two images both pages appear to be written in a rational way and a quick visual scan for frequency count suggests they are not "randomly selected by human". However the flow of the lines does suggest that they were written continuously not on a character by character basis which would be evidence for your proposal as "gibberish".
That said if I had to make a guess my first thought due to the structure and various line lengths is it is a character based substitution cipher. That was written out in a fluid way (either by being copied from a rough working sheet or because the writer could code in their head).
If it is actually a cipher or code the question then arises as to if it is mono or polyalphabetic?
Although there are short stretches that appear to be monoalphabetic I'm thinking that it's probably polyalphabetic in some way.
The question then is are the alphabets related or independent of each other and how many are there and what causes the shift to the next alphabet.
It might also be a chained monoalphabet, but the ciphertext does not look right for that (I'd need to do a character distance graph to check that by eye).
The question then arises about the other symbols etc that are interspaced with the text, they may or may not have meaning as "control characters" in changing the alphabet etc.
In truth the number of possibilities is probably more abundant than the number of letters, and there is insufficient ciphertext to take a reliable stab at finding any real structure.
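The monoalphabetic-versus-polyalphabetic question in the comment above, and the five-character-lag additive generator mentioned in an earlier comment, can be illustrated with the index of coincidence. This is an added example, not part of any commenter's post and not an analysis of the actual notes; the recurrence k[n] = (k[n-1] + k[n-5]) mod 26, the seed "NOTES", the substitution key and the sample plaintext are all assumptions made for the illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext (not taken from the McCormick notes).
SAMPLE = (
    "the train was late again so i walked to the market and bought bread "
    "and coffee for the week then i called my brother about the old truck "
    "and he said it would be ready on friday after that i went home and "
    "wrote these notes before the light was gone"
)

# Arbitrary fixed permutation used as the monoalphabetic key (assumption).
MONO_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def letters(text):
    """Upper-case the text and keep A-Z only."""
    return [c for c in text.upper() if c in ALPHABET]


def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    sample = letters(text)
    n = len(sample)
    if n < 2:
        raise ValueError("need at least two letters")
    counts = Counter(sample)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def lagged_keystream(seed, length, lag=5):
    """Assumed recurrence: k[n] = (k[n-1] + k[n-lag]) mod 26, seeded by `lag` letters."""
    state = [ALPHABET.index(c) for c in letters(seed)]
    if len(state) != lag:
        raise ValueError("seed must contain exactly `lag` letters")
    out = []
    while len(out) < length:
        nxt = (state[-1] + state[-lag]) % 26
        out.append(nxt)
        state = state[1:] + [nxt]  # slide the window, as one would in one's head
    return out


def poly_encrypt(plaintext, seed):
    """Add the running key to the plaintext letter by letter."""
    msg = letters(plaintext)
    ks = lagged_keystream(seed, len(msg))
    return "".join(ALPHABET[(ALPHABET.index(p) + k) % 26] for p, k in zip(msg, ks))


def poly_decrypt(ciphertext, seed):
    """Subtract the same running key to recover the plaintext letters."""
    msg = letters(ciphertext)
    ks = lagged_keystream(seed, len(msg))
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26] for c, k in zip(msg, ks))


def mono_encrypt(plaintext):
    """Simple substitution: one fixed alphabet for the whole message."""
    return "".join(MONO_KEY[ALPHABET.index(p)] for p in letters(plaintext))


def compare(plaintext=SAMPLE, seed="NOTES"):
    """IC of the plaintext and of both encipherments of it."""
    return {
        "plain": index_of_coincidence(plaintext),
        "mono": index_of_coincidence(mono_encrypt(plaintext)),
        "poly": index_of_coincidence(poly_encrypt(plaintext, seed)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:5s} IC = {value:.4f}")
```

A simple substitution only relabels the letter counts, so its index of coincidence equals that of the plaintext, while the running key flattens the counts and lowers it. The statistic separates the two families; it does not by itself recover a generator or its seed.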
The St. Louis Today website gives more background information than the FBI posting. Includes mention of a head injury, when McCormick was last seen, that he was taking medications, had a criminal record, etc.
What Clive said, about not trusting the Feds and that having one's algorithm selected for AES or SHA is, uh, "quite" the feather in one's resumé cap. Which, theoretically, could lead to more clients being willing to hire the winner (and the *finalists*, Bruce!) for their commercial (read "paid") needs.
Doesn't affect the sarcastic irony in my reply to Dirk Praet (at Gov's expense, not at Dirk's). Cheers.
One possibility, is that the writer was recording just the first letters of words as an aide memoire, rather than any particularly sophisticated enciphering.
Checking the texts against the frequency distribution of the first letters of English text might be a useful check.
Such a shorthand would probably drop definite articles, etc from the text, too.
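The first-letter check suggested in the comment above, as an added example (not part of the original comment, and run on constructed text rather than on the notes). The two frequency tables are approximate published figures for English, the squared-difference score is a simple measure chosen here, and the sketch assumes the letters are plain initials with no substitution applied on top.

```python
import string

LETTERS = string.ascii_lowercase

# Approximate English letter frequencies in percent, a..z (overall text).
OVERALL = dict(zip(LETTERS, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]))

# Approximate frequencies in percent of letters at the start of English words.
INITIAL = dict(zip(LETTERS, [
    11.68, 4.43, 5.24, 3.17, 2.80, 4.03, 1.64, 4.20, 7.29, 0.51, 0.46, 2.42, 3.83,
    2.28, 7.63, 4.32, 0.22, 2.83, 6.69, 15.98, 1.18, 0.82, 5.50, 0.05, 0.76, 0.05,
]))

# Constructed sample plaintext (not taken from the McCormick notes).
SAMPLE = (
    "the train was late again so i walked to the market and bought bread "
    "and coffee for the week then i called my brother about the old truck "
    "and he said it would be ready on friday after that i went home and "
    "wrote these notes before the light was gone"
)


def first_letters(text):
    """Reduce a text to the initial letter of each word, as an aide-memoire would."""
    return "".join(word[0] for word in text.lower().split() if word[0] in LETTERS)


def profile(text):
    """Observed letter frequencies in percent."""
    sample = [c for c in text.lower() if c in LETTERS]
    if not sample:
        raise ValueError("no letters in text")
    return {c: 100.0 * sample.count(c) / len(sample) for c in LETTERS}


def distance(observed, reference):
    """Sum of squared differences between two frequency profiles."""
    return sum((observed[c] - reference[c]) ** 2 for c in LETTERS)


def best_fit(text):
    """Return which table the text is closer to, with both distances."""
    observed = profile(text)
    d_initial = distance(observed, INITIAL)
    d_overall = distance(observed, OVERALL)
    label = "initial" if d_initial < d_overall else "overall"
    return label, d_initial, d_overall


if __name__ == "__main__":
    for name, text in (("full text", SAMPLE), ("initials only", first_letters(SAMPLE))):
        label, d_i, d_o = best_fit(text)
        print(f"{name:14s} closer to {label:7s} (initial={d_i:.1f}, overall={d_o:.1f})")
```

The separation comes mostly from E, N and R, which are common inside words but rare at the start, and from T, A and W, which are over-represented as initials.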
Okay, so there were some strong clues in part 2.
99.84 is the medical diagnosis for isolation (see ICD-9-CM)
I'll post the full translation soon.
The description of his illness (chronic heart&lungs) may be indicative of "living rough" or long term poor nutrition in cold or damp or both conditions.
The head injury sounds like the suspect cause of death. I guess from the little said it ranges from him having had an accident such as a trip or fall that caused a significant insult that was not immediately terminal and staggering off bewildered to die (sadly this is quite common with head injuries). Or on the other hand having had some kind of RTA with a car/lorry/etc through to having someone caving in his head for some reason, and in either case another "person(s) unknown" putting the body out of sight.
@ cream cipher,
Yes the World Health Organisation (WHO) International Classification of Diseases (ICD) ninth edition was in use in the US from 1979 to 1998 and the tenth edition should have been in use by June 1999.
It was mentioned in a post about these ciphers over on the Fortean Times,
Where it lists the three classifications under ICD-9-CM Vol 3 section 18 code 99.84,
1, Isolation after contact with infectious disease
2, Protection of individual from his surrounding
3, Protection of surroundings from individual
The question is why if it's relevant would Ricky know of it and want to write it down?
Maybe his chronic lung condition had caused him to pick up tuberculosis (TB) or his doctor at the hospital was testing for it.
I know from doing a bit of research some years ago about Amsterdam and Schiphol Airport that flying from there on a US bound flight carries a very significant risk to non immunized or immuno suppressed passengers (it's where a significant percentage of the UK indigenous population contracts TB either to the US or certain 3rd world countries).
This is because of the "law of unintended consequences" with regards to US Public Health policy with regards to TB.
Basically the US Public Health Service Act (US-PSHA) gives the US Department of Health and Human Services (HHS) and the Center for Disease Control (CDC) the authority to detain and examine persons suspected of carrying tuberculosis. This legislative power is then dissolved down to Federal state and local LEA's to enforce the detention aspects of the US-PSHA upon direction from the HHS and CDC.
The unintended consequence is people from many third world countries get fake medical certificates to say they are free of TB fly to the US via AMS and then present themselves for compulsory treatment at the expense of the US Gov.
Thus it might have been mentioned to Ricky...
I also found out that the incidence of TB in those either in prison or who have spent time there is many many times that of the general populace by as much as forty times in some places.
I definitely noticed the patterns which made NCBE the no cause before episode.
I do say largely a personal language no complicated cipher.
going from memory PRSE could be prison.
The third w/o prse looked a bit like probated.
One line appears to be no god damn cure.
wcd or wld could be sex type crime.
One question if this is merely a medical history, small journal kept for drug maintenance purposes etc. then there is no value to this document at all. So you have to ask yourself, why are we being asked to solve this? The FBI has some background on the guy. This seems more like an exercise in unconventional approaches for a conventional organization.
ps. I had two somewhat valid theories prior to finding the most credible. 98.54 is some Missouri statute for special tax treatment.
the circling of certain blocks of text seemed to have an approach like crossing off a list of prospects.
one block seems to include prk,clg, htl, park college hotel, I think nrse near residence Nurse?. Thinking casing properties listing attributes. Also the huge number of car like attributes models etc (coincidence probably) lx le glx.
It helps to drink a few bears and think of the character in fat albert that talked funny. Then it all starts making sense.
Page 1 is a sports bookmaking sheet for someone referenced by "AL" (name, part of name, or initials) who lost (LUSE TOTE) three bets (#1, #4, #5)
(FIRSE PRSEONDE)1 NCBE)
(CDNSE PRSEONSDE)4 NCBE)
(PRtSE PRSEONREDE)5 NCBE)
Page 1 and the "Notes" page are unconnected, and the terms WLD (wild) and XL (excellent) wouldn't intentionally refer to the killer.
The encryption is an idiosyncratic shorthand with repeated (E, WLD, XL, NCBE, PR, SEOND, SE, '(', ')') and other ad hoc obfuscating elements.
nteg -> tgen
ment to use sep breck to be seen no repeat inc
I read the numbering in the one instance as 99.84.5 which might lend credibility to the idea that the text has been reversed.
Maybe 5:48 (Time) 99 (Year) the next characters could be June especially if written under duress. It would fit the time frame I suppose.
At first I thought it was a shopping list for a stolen car chop shop, but then I came across this message board where several of the posters seem to be on to something... the Stock Market. Lots of the codes seem to correspond to stock trading terminology and stock symbols. That seems too obvious though and the FBI would have gone down that road already.
my two cents...
a substitution cypher over a very small text approximates an OTP (One Time Pad) cipher. It's almost impossible to crack.
It's like if I say "2.45" and I challenge u to crack that ciphertext... it could mean anything or it could be just nonsense, there's NO difference. :)
Traditional cryptanalysis is no use here, because it's not encrypted. Incomprehensible, yes; encrypted, no. The guy who wrote it is known NOT to have been a math geek. Besides that, you can tell by looking at it that it's linguistic in nature, albeit probably heavily abbreviated. If he's been writing notes like this since he was a kid, the language probably developed its own vocabulary and syntax over the years, though I'd be surprised if it didn't have some (probably mangled) English-based vocabulary at its core.
I would assume that the killers couldn't read it either. Whether knowing the content of the notes will actually help the investigation, I don't know.
> Are there actually people out there willing to
> do free work for a government institution?
Certain kinds of people cannot resist working on certain kinds of problems (math, crypto, and engineering being the main kinds) when the problem is publicly acknowledged to be a particularly difficult one. But like I said, I don't think this one is really a crypto problem so much as a linguistics problem. And yeah, two partial pages of text isn't much to go on.
I think this is just a FBI study to determine just how "closet Racist" this society still is. Give a group of people 2 sheets of paper containing gibberish, tell them the guy who wrote it is black, and see what opinions you get. He's a low level bookie, a crack dealer, a car thief, a burglar. This is like "The Aristocrats" joke where the interpretation reveals the personality and character of the teller more than anything else. Save the snap judgements for the police, this is probably the main reason for their failure to solve this.
SE seems to be important,
numbers (real ?)
There is a minus 'n', and space? between 'word'
But, it is the old atomic code of the last war or a story about a murder ? .. That is an another question ;)
Should a forensic murder investigation be trumped by political correctness?
How about you attempt to answer the FBI's request by 1) helping to decrypt the ciphertext and 2) explain the killing.
I wasn't intending to sound racist, if that seemed implied.
It is remarkable that the lack of context makes any context and interpretation from that seem plausible. Street smart seems to imply the street. Picture I saw showed a bit of a wild look. What I thought was convincing before is muddied by similar plausible explanations.
I noticed the stock market implications initially. Options, even bond future or something else like that I looked up tend to use similar conventions for futures contracts. Followed the market for about 10 yrs. However, context doesn't quite follow. However, most interpretations are conflicted by another or themselves.
Generally, agree with all of you.
> helps to drink a few bears
bear: the beverage for those who like to live on the edge.
drink it, before it drinks you.
LOL. yeah that was code for beer. There is a Russian proverb, I believe it's "If you're going to dance with a bear don't quit when you get tired"
3 2 1 4 3 2 1 1 3 2 4 4 3 2 1
a l p n t e g l s e - s e e r t e
purtrse on prse wld ncbe
n wld xl rcmsp newld sts me xl
du lmt 6 tunse ncbe xl
1 2 3 4
1 P L A N
2 G E T -
3 L E S S
4 T R E E
Maybe ISBN number for characters in dashes. The numbers and decimals reminded me of Dewey Decimal system.
Characters per line is interesting.
Line 1: 17
Line 2: 23
Line 3: 20
Line 4: 23
Line 5: 17
TOTAL: 100 with 4 dashes close to 104 or 26*4 alphabets
104 is also 52 twice which brought me to a deck of cards cipher. Research brought me to inventor Bruce Schneier.
The frequency layout has a good group of zeros lumped together as the common end of the alphabet.
Wish it was already solved so I can know. lol
Hello from Spain
–In my humble opinion the master key is in the 2nd note, last line.
–I see that: “O-W-m-4 H8L XORLX”
Can you see which letters are repeated and where?
Can you remember Arthur C. Clarke's joke about HAL 9000?
Yes? Then my solution is……
+If O=O, W=W and R=R
+If m=N, H=I and L=M using Caesar Code B or +1
+If X= Variations of the letter “C” (MC,C and MC) using shorthand
+If 4= four= FOR by phonetic solution like SMS language.
+If 8= eight= eit= ei= letter “A” by phonetic solution like SMS language (example L8= late or leight, H8= hate ….)
+If the hyphen join the letters in a word.
+If we add vowel “i” by transcription shorthand solution.
“O-W-m-4 H8L XORLX” means “OWN-FOR I AM MCCORM(i)CK”.
It is the signature, last will or testament of Mccormick.
+ If you think “4” is not “4” but “y”
+ If you think “8” is not “8” but “I” then the solution is:
“Y”= wai= WHY or WAY by phonetic solution, similar sound.
“I”= ai= letter “A” by phonetic graphic representation.
“O-W-m-Y HIL XORLX” =
“OWN-WHY? I AM MCCORMICK”
It is a Stenographic problem.
Seems amazing how so many of you are blaming cops, but you certainly can't do anything constructive but complain. The man was found dead in a field LONG after he had died. So not only was there decomp, but weather removed most evidence. He had been evicted before his death, so there was no home to look for clues or fingerprints. His family didn't know how he earned money. So without breaking his personal language, the police have no physical evidence. They actually cannot even rule his death a homicide because while there was evidence of a head injury, there was not enough to say it wasn't just from a simple fall. So shut up and figure it out, or just shut up. Unbelievable. Armchair cops, but most of you are just pu**y 9-5 guys who can't get laid.