

Can you Crack It?  Break this cypher, get an interview with GCHQ - gacba
http://canyoucrackit.co.uk/index.asp

======
DanielRibeiro
Ok, now these kinds of challenges are not really good. The reason is that
without any extra property, they are trivial. Here is why:

Let's assume you have a cyphertext c, of length l (ie |c| = l). Now I take a
plaintext p of length also l (|p| = l). Let the key k be c xor p. Now

    
    
       c xor k = c xor (c xor p) = (c xor c) xor p = 0^l xor p = p
    

Where 0^l is a string of l zeros. So yeah, given one cyphertext, I can craft a
pair of key and plaintext such that there is a cypher (simple xor) that, given
the cyphertext and the key, outputs the plaintext.

What is worse? I can craft |E|^l of such plaintexts (where |E| is the size of
the alphabet).

So yeah: this test only checks if people know basic cryptography and boolean
algebra. Which tends not to be a very good test[1,2]

[1] <http://techcrunch.com/2011/05/07/why-the-new-guy-cant-code/>

[2] <http://devinterviews.pen.io/>

~~~
user24
also, it's even not a case of "crack this and get an interview" it's "crack
this and get to apply for the same vacancy that gchq publish on their
homepage": job id 35874.

But, it's a good publicity ruse.

edit: the pay's not even that great.

~~~
jc4p
Is that salary listed yearly? If so I can understand why they have to do
something like this to get people to apply, I earned more than that while
working in retail.

------
turnersr
Just in case no one gets it in time:

Pr0t3ct!on#cyber_security@12*12.2011+

~~~
quinndupont
<http://canyoucrackit.co.uk/soyoudidit.asp>

~~~
ricardobeat
Which leads to <http://www.gchq-careers.co.uk/cyber-jobs/>, then
[https://apply.gchq-
careers.co.uk/fe/tpl_gchq01ssl.asp?newms=...](https://apply.gchq-
careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874). They don't even seem to
track who solved it or not, unless they look at the referral URLs on Google
Analytics.

~~~
gacba
-1 to GCHQ for not even tracking who solved their damn riddle and actually using that as a bozo filter. Duh.

~~~
alfiejohn_
The Australian equivalent (DSD) did a challenge like this last month. Same
deal - x86 assembly to decrypt a message and reveal a secret URL. They too had
no tracking.

------
chollida1
Can anyone here point me in the direction of what I should be reading in order
to attack a problem like this.

I literally have little to no idea how to start.

Give me a reading list, or outline the first few steps!

~~~
wbhart
Here's a good start to find out about the employer:

[http://www2.warwick.ac.uk/fac/soc/pais/people/aldrich/vigila...](http://www2.warwick.ac.uk/fac/soc/pais/people/aldrich/vigilant/lectures/gchq)

If they sound interesting to you then read the plenteous clues in the HN
thread from this morning.

It would be pretty hilarious if no actual British citizens figure it out for
themselves.

------
deutronium
According to <http://www.bbc.co.uk/news/technology-15968878> it's for GCHQ
rather than MI5.

~~~
gacba
My bad, corrected.

------
sounds
Working on it here: <http://forum.xda-
developers.com/showthread.php?p=19888836>

------
ntulip
don't know if this means anything at all but exif info on the photo has a
comment:
QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==

------
epenn
Previous discussion from earlier today:
<http://news.ycombinator.com/item?id=3299155>

------
nomdeplume
are we crowd sourcing intelligence tasks now?

------
jiggy2011
So did anybody genuinely manage to figure this out for themselves without
google?

------
JOnAgain
Why oh why wouldn't they put this up there in a copy-able format? Why an
image?

~~~
ctz
Spoiler: because the image displays some x86 code (its RC4 with a fixed key),
the image file itself contains the ciphertext (in a PNG iTXt block).

------
gnu8
Are Americans eligible to apply?

~~~
eru
I don't think so. They don't even take non-British EU citizens.

------
X4
/index.asp oh please, what's a challenge worth when I can find out the
solution without solving it, by going to the application url. My naive proxy
thought it's advertisment and didn't allow me apply hehe.

also we're lucky they exclude non-british folks, that way they interchange
doubtable trust measures with infosec beginners.

