
CyberChef – A Cyber Swiss Army Knife - robin_reala
https://gchq.github.io/CyberChef/
======
yarrel
For those of you who don't know what GCHQ is, it's the UK's NSA with all the
problems that entails -

[https://en.wikipedia.org/wiki/Government_Communications_Head...](https://en.wikipedia.org/wiki/Government_Communications_Headquarters)

"In 2013, GCHQ received considerable media attention when the former National
Security Agency contractor Edward Snowden revealed that the agency was in the
process of collecting all online and telephone data in the UK via the Tempora
programme."

~~~
mgalka
Other than the anachronistic name (thought "cyber" went out in the 90's), I'm
extremely impressed to see such an awesome tool come out of the public sector.
Kudos to GCHQ!

~~~
samwilliams
> thought "cyber" went out in the 90's

A year ago someone in my research group claimed that they were 'getting into
cyber'. I looked around the room and almost every other member of the group
looked confused and a little concerned.

Apparently 'cyber' has become a byword for 'cyber security'. I hope that this
does not last.

~~~
Spooky23
The security group at work now fancies themselves as "Cyber Command".

We immediately began mocking them with a buzz lightyear graphic.

~~~
Godel_unicode
They might be interested in this:

[https://en.m.wikipedia.org/wiki/United_States_Cyber_Command](https://en.m.wikipedia.org/wiki/United_States_Cyber_Command)

~~~
stcredzero
Back in the late 90's on AOL, "cyber" was short for "cybersex."

------
lordelph
This looks like a handy tool, certainly for puzzles and exploring encodings.
It makes decoding puzzles like this very quick! 11100111 10111011 10011101
11100100 10111000 10001101 11100100 10111100 10011010 11100110 10010100
10111110 11100101 10111100 10000011 11100100 10111101 10100000

~~~
colordrops
They need a "google translate" operator, and then a text to emoticon operator
with a facepalm icon.

~~~
serf
on the Mandarin step I went to the 'languages' tab looking for something
similar to a google translate operator, so hear hear.

------
JanSolo
Glad to see that CyberChef supports Numberwang. There are many nefarious uses
that such a complicated numerical system could be put to. I'm happy that our
intelligence agencies are on top of this.

~~~
robin_reala
[https://github.com/gchq/CyberChef/blob/master/src/js/operati...](https://github.com/gchq/CyberChef/blob/master/src/js/operations/Numberwang.js)

 _/ / That's a bad miss!_

~~~
secfirstmd
Wonder what the meaning of this email in the code is: n1474335@gmail.com

~~~
graedus
Looks like it's one of GCHQ's developers:
[https://github.com/n1474335](https://github.com/n1474335)

------
mmaunder
This is actually quite useful if you're doing day-to-day forensic work and are
trying to de-obfuscate code or are creating proof of concepts.

The interface is really slick and it lets you create an infinite number of
recipes/permutations.

String processing is much of what we do in security.

Yay for GCHQ. You'll find me at the bottom of this page due to an omission of
obligatory IC bashing and Snowden fanboyism.

~~~
NetStrikeForce
Man, you had a perfectly nice comment and no one would have downvoted you (and
probably no one did), but I did just because of this:

> You'll find me at the bottom of this page due to an omission of obligatory
> IC bashing and Snowden fanboyism.

There was no need, really.

~~~
mmaunder
Are you objecting to my opinion or that I expressed one?

~~~
sillysaurus3
From the site guidelines:

 _Please don't bait other users by inviting them to downvote you or announce
that you expect to get downvoted._

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
mi100hael
Though it doesn't say so, at a glance it looks like it's entirely
browser-based and doesn't communicate with a server in any way. Pretty handy project.
Code looks clean, too.

~~~
Ph0X
There's a download button at the top, though it just goes to the htm file, I
believe you can just save that and use it fully offline as you mention! Good
tool to have saved for sure.

------
fjarlq
It took me a minute to figure out that doubleclicking the actions in the left
column is required to add them to the recipe.

~~~
matt4077
Or drag-n-drop, which also lets you alter the sequence of operations.

------
supernumerary
Incidentally, at least one of the images comes from here: (and they're in
violation of the attribution license).

[https://commons.wikimedia.org/wiki/File:Farm-Fresh_user_cook...](https://commons.wikimedia.org/wiki/File:Farm-Fresh_user_cook_male_white.png)

I wonder if that image has had many visitors ...

~~~
codazoda
The graphics alone make me want to punch this tool in the face.

~~~
supernumerary
A kind of post-modern inversion of this:
[https://www.youtube.com/watch?v=hn1VxaMEjRU](https://www.youtube.com/watch?v=hn1VxaMEjRU)

Also worth considering:
[http://www.paglen.com/?l=work&s=symbology](http://www.paglen.com/?l=work&s=symbology)

------
zitterbewegung
Neat project and slick interface! Does the gchq use this tool internally? Did
you have a use case already in mind for this? This would be pretty useful as a
web developer. A good idea would be to add a JSON validator.

~~~
tlrobinson
I'm glad they're releasing this, but it gives me a slightly funny feeling.
"Here, have this tool we also use to hack you!"

~~~
beejiu
More like "Here, have this tool to distract you from our more powerful tools"

------
painted
[https://github.com/gchq/CyberChef](https://github.com/gchq/CyberChef)

------
jimmy171
I'm trying something very simple and I can't figure out if the flaw is on me
or on them.

1. Take a base64 encoded payload as Input:
"AAAAI9Dw0qHYq9+61/XPtJS20bTAn+yV5o/hh+jK8J7rh+vLtpbr". I use the "From
Base64" module.

2. The result is differential XOR crypt. The seed is 171. I
select the XOR module and use 171 as the key. Then I pick "differential"
option. Doesn't work.

Recipe:

    [{"op":"From Base64","args":["A-Za-z0-9+/=",false]}, {"op":"Drop bytes","args":["0","4",false]}, {"op":"XOR","args":[{"option":"Hex","string":"AB"},false,true]}]

Am I missing something? This is a very simple example.

The simple python code that decodes it is this:

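    import base64
    import struct

    def decrypt(data):
        # The first byte is XORed with the seed 171; every later byte is
        # XORed with the previous ciphertext byte.
        key = 171
        result = ""
        for i in data:  # iterating over bytes yields ints in Python 3
            a = key ^ i
            key = i
            result += chr(a)
        return result

    string = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="
    raw = base64.b64decode(string)

    result = decrypt(raw[4:])

    print("decoded: ", result)
    # The length header is the first 4 decoded bytes, read as big-endian.
    print("Length: ", struct.unpack(">I", raw[0:4]))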
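
The two ways a "differential" XOR can chain its key, as an added example that is not part of the original post. `xor_chain`, `unframe` and `compare` are names introduced here, and which chaining a given tool's "differential" option implements is not stated in the thread. It reuses the payload from the post's Python and assumes the 4-byte header is a big-endian length, which matches the 42-byte body.

```python
import base64
import struct

SEED = 171  # initial key given in the post
# Payload copied from the post's Python snippet.
PAYLOAD = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="


def xor_chain(data: bytes, seed: int, feedback: str) -> bytes:
    """XOR every byte with a running key (hypothetical helper).

    feedback="input":  next key is the byte just read (the post's decrypt()).
    feedback="output": next key is the byte just produced.
    The two modes are inverses of each other, so they are not interchangeable.
    """
    if feedback not in ("input", "output"):
        raise ValueError("feedback must be 'input' or 'output'")
    key, out = seed, bytearray()
    for byte in data:
        produced = byte ^ key
        out.append(produced)
        key = byte if feedback == "input" else produced
    return bytes(out)


def unframe(b64: str) -> bytes:
    """Drop the 4-byte length header after checking it against the body."""
    raw = base64.b64decode(b64)
    if len(raw) < 4:
        raise ValueError("missing length header")
    (length,) = struct.unpack(">I", raw[:4])  # assumption: big-endian
    if length != len(raw) - 4:
        raise ValueError(f"header says {length}, body is {len(raw) - 4} bytes")
    return raw[4:]


def compare(b64: str = PAYLOAD) -> dict:
    """Decode the same body under both chaining modes."""
    body = unframe(b64)
    return {mode: xor_chain(body, SEED, mode) for mode in ("input", "output")}


if __name__ == "__main__":
    for mode, decoded in compare().items():
        print(f"{mode:>6}: {decoded!r}")
```

Both modes agree on the first byte, because it is XORed with the seed either way, and diverge from the second byte on. A single correct leading character is therefore a sign that the chaining mode, not the key, is mismatched.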

------
fatdog
Nice WYSIWYG security tool that will teach people concepts behind the
interface. In my day we'd just use perl or python, but this opens up the field
to beginners.

~~~
notyourwork
It took me a few years in my career to realize the interface usability is more
important than the cleanliness of the code. As an engineer I loved my code and
treated the interface like a second class citizen. After a bit of experience I
realized the interface is what the user judges your code by. First impressions
matter and the UI is your code's first impression.

------
rmchugh
oh look, the people who spy on the entire Internet are giving us free candy!

------
fatdog
Great honeypot as well. If a malware analyst dumps one of their intelligence
agency canary strings from one of their spyware packages, they can use it to
track the discoverer.

If I were a spook, I would totally be releasing reversing tools that alerted
on my encoded code words.

~~~
zerognowl
That's why you fetch the ZIP from Github here:
[https://github.com/gchq/CyberChef/tree/gh-pages](https://github.com/gchq/CyberChef/tree/gh-pages)

Then you download it, and open it in a sandbox VM with no Internet access

------
_pdp_
This is a very handy tool - very full in terms of features as well. I really
like that you can drag and drop components and configure them in order to
create a transform. Very nice!

Here is my attempt to make something similar although less featureful:
[https://encoder.secapps.com/](https://encoder.secapps.com/)

I will try to incorporate some of these features.

------
Bartweiss
This is an interesting tool, and I'll happily use it for puzzle solving, but
I'm concerned that it misrepresents itself in a dangerous way.

From the About link:

> "CyberChef encourages both technical and non-technical people to explore
> data formats, encryption and compression."

> "It is expected that CyberChef will be useful for cybersecurity and
> antivirus companies."

From the backing Github readme, which as far as I can see is not directly
linked on the page:

> "Cryptographic operations in CyberChef should not be relied upon to provide
> security in any situation. No guarantee is offered for their correctness."

Now, it's fair to say that professional security types should assume the 'no
guarantee' bit. But it's _not_ fair to offer it up as a one-stop-shop for
non-programmers to handle encryption tasks, and then offer no caveat at all in the
primary reference page. It's even less acceptable when the About page implies
the opposite.

~~~
matt4077
Do you use nginx, chromium, bash, openssl, linux...? Because they all have
disclaimers with more or less the same meaning. It's boilerplate to avoid
liability, not warnings motivated by known shortcomings.

~~~
Bartweiss
I'm aware, but I think I was unclear - that's what prompted my comment on
professionals knowing this already.

My complaint was more that this is another entry in the pattern of handing
people black boxes labeled "this does cryptography!", without offering any
plain-English explanation of what they're actually getting.

It felt particularly important to me here because it's a comparatively new
initiative, and the caveat went on the Readme (seen by users who already know)
but not the About (targeting users who might not).

------
the_duke
Gaffer looks interesting: scalable Graph DB based on Hadoop.

[https://github.com/gchq/Gaffer](https://github.com/gchq/Gaffer)

The API seems a bit weird though...

~~~
dajohnson89
>The API seems a bit weird though...

Oh my God, you weren't kidding.

------
donpdonp
This would make an interesting server-side service. I was hoping I could POST
the json "code" and input, and get an answer in the HTTP body. Sort of a
"Lambda 101" project.

------
vinayan3
Thanks this is awesome. For some of this stuff I usually use the Python REPL.
But why go through the hassle when it's all here for stuff like date time
conversions etc..

------
jitbit
Trying to figure out the framework it's built upon... Looks like vanilla JS.
Nice work.

------
thow_me
Shouldn't it be _British_ Army Knife?

------
homakov
Would be nice to "export as JS"

------
jnbiche
As cool as this looks, not sure how this is any easier to use than a simple
Python or Ruby script (or even Bash, if that's more your thing).

EDIT: In lieu of downvoting, would someone like to explain their disagreement?
I'm curious. Perhaps this would open up certain programming powers up to
non-coders, but for anyone who knows how to code, it seems much easier to just
write a script to make these kinds of transformations.

~~~
jxy
I got -4 just for stating the same opinion, and found out your comment at the
end of this page.

Since everything is really text here, the typical UNIX way of doing things
seems to be much more practical in dealing with text transformations here. I second
your `Bash' opinion. I could imagine a package populate your PATH as

    PATH=DataFormat:EncryptionEncoding:PublicKey:…

and simply put nice little binaries, each of which does one thing and one
thing only, and you can use them like,

    cat FILE | toBase64 | entropy

A nice interface of such thing in Haskell or APL would really shine. I bet
GCHQ must have a much nicer internal library (which runs at a fraction of
their machines' peak FLOPS) in one of their favorite languages that they can
script and launch multiple tries by pushing a few buttons on their keyboard.
And of course they are not sharing that.

Alas, point-and-click lovers seem to be the majority here on HN.

~~~
bbcbasic
-4, that's a bit harsh. :-o

------
stcredzero
Now run the entire site through the "cheferizer" and we can have the
SwedishCyberChef!

------
nthcolumn
Why would anyone in the UK need these? They're gloating?

------
homerguy69
Is there an accessible REST api? Would be neat.

------
nthcolumn
Can't wait for 13 December!

------
phaed
Wish it wasn't food themed.

------
bahjoite
Ah look, it even has snowflakes.

------
ergot
What does it do? The about link does not gracefully degrade when JavaScript is
disabled, which is bad design.

~~~
jnbiche
This is a web app, not a web page. It's not supposed to do anything with JS
disabled. It's an actual program that runs locally, without JS no can do.

As much of a problem as I have with web _pages_ using gratuitous JS, it should
be obvious that actual web applications such as this and gmail will not be
able to "gracefully degrade".

~~~
wyldfire
If it degrades into an announcement that "hey this is a JS-based SPA for doing
<frob> and for more details see <baz>" that would be a good start.

~~~
pvdebbe
That would be ideal for a web app like this.

------
45h34jh53k4j
GCHQ -- NSA without the ethics, answerable only to the King

------
johansch
After just having watched Oliver Stone's "Snowden" last night it's hard to
avoid wondering if there are any potential Snowdens in the GCHQ...

It's also a sobering thought that the people who wrote this stuff (seems neat)
may be able to uncover my deepest secrets in seconds if they were so inclined.

And being geeks, I'm sure they read this. _gulp_

(As far as I can tell, github.com/gchq is from the actual GCHQ.)

This is mostly a job ad. Don't go there. It's not moral.

~~~
askl56
What do you mean by it's a job ad?

~~~
duiker101
I think johansch means to say this is something someone should have made only
to add to his cv or similar (not even fully sure) rather than something that
people should use.

No one is telling the user what he should use this for, there's plenty of
situations where you might want to convert/encrypt/elaborate data without
being launch codes for nuclear missiles and this seems like a pretty good
tool, all browser based too, opposite of many other more famous tools that
require communication with a server.

~~~
johansch
I guess I should have been more explicit.

I am not talking about the actual encryption/decryption/data-wrangling stuff
in this HTML page. All of this is obviously very neat and very usable.

The reason I do think this is a job ad is the fact that it's the GCHQ that is
publishing it. Seriously, a spook agency is publishing neat open source stuff.
I can only think of two reasons for this to happen and both align:

a) employee happiness (few people enjoy doing stuff in secrecy, I think)

b) using the by now well-established mechanics of corporate branding to make
the GCHQ appealing to a larger amount of developers/hackers.

I think the latter is the dominant factor, and this is why I called this a job
ad.

~~~
rebuilder
c) helping private companies maintain good security might be a good fit with
GCHQ's mandate.

d)"Just-your-friendly-security-agency!"

~~~
johansch
...right.

