CyberChef – A Cyber Swiss Army Knife (gchq.github.io)
785 points by robin_reala on Nov 28, 2016 | 139 comments

For those of you who don't know what GCHQ is, it's the UK's NSA with all the problems that entails -


"In 2013, GCHQ received considerable media attention when the former National Security Agency contractor Edward Snowden revealed that the agency was in the process of collecting all online and telephone data in the UK via the Tempora programme."

All the contributors have rather cryptic usernames: https://github.com/orgs/gchq/people

And then there is james257.

Haha, I would never have noticed that if you hadn't written it!

Take a hint

Other than the anachronistic name (I thought "cyber" went out in the 90's), I'm extremely impressed to see such an awesome tool come out of the public sector. Kudos to GCHQ!

> thought "cyber" went out in the 90's

A year ago someone in my research group claimed that they were 'getting into cyber'. I looked around the room and almost every other member of the group looked confused and a little concerned.

Apparently 'cyber' has become a byword for 'cyber security'. I hope that this does not last.

> Apparently 'cyber' has become a byword for 'cyber security'. I hope that this does not last.

I wouldn't get your hopes up, from the people who brought you forensic (i.e. legal) as a byword for science.

The security group at work now fancies themselves as "Cyber Command".

We immediately began mocking them with a buzz lightyear graphic.

Back in the late 90's on AOL, "cyber" was short for "cybersex."

Nah, "Cyber Security" is becoming the de facto term for referring to what I would have called IT Security in the past (some interesting reading on the topic here: http://cyber.uk/cyber/)

The other day someone was telling me they used to run a website called CyberHomes. All I could think of was how weird that would sound today.

> "cyber" went out in the 90's

I take it you have no exposure to the public sector? Referring to "Cyber" as "IT/Info/Computer/Network Security" will immediately identify you as an outsider in many public sector positions.

And vice versa outside of government!

According to Google Trends, "cyber" overall is slowly going out of use, but "cyber security" has the reverse trend. At the same time, Cyber Monday is winning it all.



EDIT: I've managed to get rid of this pesky Cyber Monday out of the graph!


Google trends is not good for this kind of analysis. Google trends is based on the number of searches for a particular term relative to all other searches. So you see the same trend when you look at other tech topics like Linux, programming, SSH, computer science, etc. It's not that these things are necessarily becoming less popular, just that tech oriented people were over represented on the early internet, and thus Google search. As more non tech people started googling stuff, tech topics fell in their relative importance.

Re-read the comment you replied to, cyber security is trending in the opposite direction of Cyber (or SSH). That would seem to invalidate your thesis; Cyber security is gaining popularity relative to other topics.

Edit: there's also an interesting spike in Google trends for "cyber" every November. National Cyber Security Awareness Month is in October.

There were two assertions made in tener's comment. The first was that the term "cyber" was going out of use, the second was that the term "cyber security" was increasing. My comment was referring to the first assertion.

'Cyber' usage has recently become de rigueur among people in positions of authority. See http://www.theatlantic.com/technology/archive/2016/09/trumps...

It would be better if we knew they weren't using it for evil.

How to update it for this decade: Replace Cyber with Data !

Data Sex?

This is the best part of this site, I completely forgot what this article was about and I'm 60 comments deep about the history and trends of the word "cyber". There needs to be a site dedicated to these entertaining comment threads / bravo

Shouldn't it be called Cyber UK Army knife instead of Cyber Swiss Army Knife, then?

I was a little blown away that it was that GCHQ.

That said, how could they possibly collect or intercept this, isn't it a bunch of client side scripts, all hosted on GitHub?

Theoretically, they could sabotage the crypto algorithms, hope that someone uses it, intercept that communication, and decrypt it using the sneaky weakness they introduced.

Or the right circumstances could cause the library to make requests to their secret government hacking command-and-control server.

Seeing that they released this at github.com/gchq/..., I'd keep my eyes open for requests to secret-hacked-data-backchannel.open-exploit-project.gchq.co.uk

(Or, with less sarcasm: this is probably the project on github with the lowest possibility of containing government backdoors).

(or maybe that's just what they want you to believe)

(or maybe that's just what /we/ want you to believe)

(or maybe that's just what /I/ want you to believe)

You should probably read the manual before using a webapp for your encryption needs. From the Readme:

>it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification

>Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.

I did read that, and I don't believe it provides any clarity related to what I wrote.

Proof that technology is neutral and isn't all about freedom and ethics; will be avoiding anything published by them.

Why? You admit yourself technology is neutral.

Yes which means I have to apply my own reasoning and ethical thinking.

So does your chain of reasoning go like this: GCHQ made the application. GCHQ is a spy agency. Therefore, GCHQ must have planted a backdoor in the application?

Because that would be a logical fallacy.

This looks like a handy tool, certainly for puzzles and exploring encodings. It makes decoding puzzles like this very quick! 11100111 10111011 10011101 11100100 10111000 10001101 11100100 10111100 10011010 11100110 10010100 10111110 11100101 10111100 10000011 11100100 10111101 10100000

They need a "google translate" operator, and then a text to emoticon operator with a facepalm icon.

on the Mandarin step I went to the 'languages' tab looking for something similar to a google translate operator, so hear hear.

My Python solution:

    # The bits are UTF-8 bytes, so assemble them as bytes and decode, rather than one chr() per byte
    print(bytes(int(x, 2) for x in "11100111 10111011 10011101 11100100 10111000 10001101 11100100 10111100 10011010 11100110 10010100 10111110 11100101 10111100 10000011 11100100 10111101 10100000".split()).decode("utf-8"))

I don't deny that other tools might make this faster.

Also, nice puzzle! :-)

Yeah, I always used to use Python for this kind of thing - it offered easy ways of doing most interesting operations, made experimenting and chaining operations really easy, and it was easy to write my own helper functions if necessary.

I'll have to admit... that was not what I expected.

Never going to let you down...

mother f....

I am so sorry.

For all the people who decoded it, only to get another "encoded" message.

Well played. :)

This is the most interesting way I've been... tricked.

Cyber security is one continuously evolving puzzle, hence this very broad tool.

Oh come on..

Glad to see that CyberChef supports Numberwang. There are many nefarious uses that such a complicated numerical system could be put to. I'm happy that our intelligence agencies are on top of this.

Wonder what the meaning of this email in the code is: n1474335@gmail.com

Looks like it's one of GCHQ's developers: https://github.com/n1474335

1474335! That's Numberwang!

Indeed, and also an indictment of the age range of those involved in this project, perhaps. But good to see such comfy chairs (Python) are still used.

"Things that aren't Jackie Chan" is missing though

"The contestants today are Julie, from Kent, and Simon, who's also from Manchester"

This is actually quite useful if you're doing day-to-day forensic work and are trying to de-obfuscate code or are creating proof of concepts.

The interface is really slick and it lets you create an infinite number of recipes/permutations.

String processing is much of what we do in security.

Yay for GCHQ. You'll find me at the bottom of this page due to an omission of obligatory IC bashing and Snowden fanboyism.

Man, you had a perfectly nice comment and no one would have downvoted you (and probably no one did), but I did just because of this:

> You'll find me at the bottom of this page due to an omission of obligatory IC bashing and Snowden fanboyism.

There was no need, really.

Are you objecting to my opinion or that I expressed one?

From the site guidelines:

Please don't bait other users by inviting them to downvote you or announce that you expect to get downvoted.


I don't think there's IC bashing for the sake of it. At least no more than Apple bashing, Microsoft bashing, Facebook bashing, ... You get it :)

There's bashing against malpractice, illegal data gathering and in general against any abuse of other people's freedom.

But my comment was about the guidelines. There's no need to call that out and helps no one. You could have accomplished a better outcome just by highlighting positive stuff about the IC, like this very same set of tools. And please don't get me wrong, I'm not trying to patronize anyone here, I'm just a mere HN reader.

Actually, I think that there was a need. The IC in the Anglosphere does good, commendable work.

I for one am glad to see that there's at least one other person on HN who appears to share my views on the IC & Snowden.

> This is actually quite useful if you're doing day-to-day forensic work and are trying to de-obfuscate code or are creating proof of concepts.

Are you serious? Any programming language with an interactive interface would work much better than this kind of web app for any day-to-day work.

Of course, this is great for introducing kids to real programming.

Yup, totally serious.

Though it doesn't say so, at a glance it looks like it's entirely browser-based and doesn't communicate with a server in any way. Pretty handy project. Code looks clean, too.

There's a download button at the top, though it just goes to the htm file, I believe you can just save that and use it fully offline as you mention! Good tool to have saved for sure.

It took me a minute to figure out that doubleclicking the actions in the left column is required to add them to the recipe.

Or drag-n-drop, which also lets you alter the sequence of operations.

Or dragging them

Incidentally, at least one of the images comes from here: (and they're in violation of the attribution license).


I wonder if that image has had many visitors ...

The graphics alone make me want to punch this tool in the face.

A kind of post-modern inversion of this: https://www.youtube.com/watch?v=hn1VxaMEjRU

Also worth considering: http://www.paglen.com/?l=work&s=symbology

Neat project and slick interface! Does GCHQ use this tool internally? Did you have a use case already in mind for this? This would be pretty useful as a web developer. A good idea would be to add a JSON validator.

Yeah, I'm not GCHQ's biggest fan but got to admit, this tool is a very useful and neat piece of work.

I'm glad they're releasing this, but it gives me a slightly funny feeling. "Here, have this tool we also use to hack you!"

More like "Here, have this tool to distract you from our more powerful tools"

The JSON-minify and -beautify steps also do validation (although they seem to just show the error, not allow for a custom workflow)

It is on Github. Nothing to stop you submitting a pull request!

I doubt you'd get an answer from them.

I'm trying something very simple and I can't figure out if the flaw is on me or on them.

1. Take a base64 encoded payload as input: "AAAAI9Dw0qHYq9+61/XPtJS20bTAn+yV5o/hh+jK8J7rh+vLtpbr". I use the "From Base64" module.

2. The result is differential XOR crypt. The seed is 171. I select the XOR module and use 171 as the key. Then I pick the "differential" option. Doesn't work.

Recipe:

    [{"op":"From Base64","args":["A-Za-z0-9+/=",false]}, {"op":"Drop bytes","args":["0","4",false]}, {"op":"XOR","args":[{"option":"Hex","string":"AB"},false,true]}]

Am I missing something? This is a very simple example.

The simple python code that decodes it is this:

    import base64
    import struct

    def decrypt(data):
        # Differential XOR: each byte is XORed with the previous ciphertext byte; the seed is 171
        key = 171
        result = ""
        for b in data:
            result += chr(key ^ b)
            key = b
        return result

    string = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="
    raw = base64.b64decode(string)
    result = decrypt(raw[4:])

    print("decoded: ", result)
    # The first 4 decoded bytes are a big-endian length prefix (42 here, matching the 42-byte payload)
    print("Length: ", struct.unpack(">I", raw[0:4]))
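The chained-XOR scheme the comment above is working with, as an added example; this is not code from the original post, from CyberChef, or from the device the samples came from. The framing (a 4-byte length prefix followed by the XOR-chained body) is inferred from the poster's own decrypt code and is read big-endian here because that is the byte order under which the prefix equals the payload length of both posted samples; the function names, the labels "input differential" (chain on the previous ciphertext byte, which is what the poster's code does) and "output differential" (chain on the previous plaintext byte), and the round-trip message are my own. The two base64 samples are the ones the poster gave. The second decrypt function is there to show the practical check: the two chaining conventions agree on the first byte only, so a recipe using the wrong one produces plausible-looking garbage from the second byte on.

```python
import base64
import struct

SEED = 171  # 0xAB, the seed the poster identified


def xor_input_differential_encrypt(plaintext: bytes, seed: int = SEED) -> bytes:
    """Chained XOR where each ciphertext byte keys the next step:
    c[i] = p[i] ^ c[i-1], with c[-1] = seed."""
    key = seed
    out = bytearray()
    for p in plaintext:
        c = p ^ key
        out.append(c)
        key = c
    return bytes(out)


def xor_input_differential_decrypt(ciphertext: bytes, seed: int = SEED) -> bytes:
    """Inverse of the above: p[i] = c[i] ^ c[i-1]. Same logic as the poster's
    decrypt(): the key is replaced by the ciphertext byte just consumed."""
    key = seed
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ key)
        key = c
    return bytes(out)


def xor_output_differential_decrypt(ciphertext: bytes, seed: int = SEED) -> bytes:
    """The other chaining convention: the recovered plaintext byte becomes the
    next key (p[i] = c[i] ^ p[i-1]). Run on input-differential ciphertext it
    recovers only the first byte correctly and then diverges."""
    key = seed
    out = bytearray()
    for c in ciphertext:
        p = c ^ key
        out.append(p)
        key = p
    return bytes(out)


def frame(plaintext: bytes) -> bytes:
    """Assumed framing: 4-byte big-endian length of the encrypted body, then the body."""
    body = xor_input_differential_encrypt(plaintext)
    return struct.pack(">I", len(body)) + body


def unframe(blob: bytes) -> bytes:
    """Verify the length prefix against what was actually received before
    decrypting, so a truncated or padded message is rejected rather than
    silently decoding to junk."""
    if len(blob) < 4:
        raise ValueError("message shorter than its 4-byte length prefix")
    (declared,) = struct.unpack(">I", blob[:4])
    body = blob[4:]
    if declared != len(body):
        raise ValueError(f"length prefix says {declared} bytes, payload has {len(body)}")
    return xor_input_differential_decrypt(body)


def decode_b64_message(b64: str) -> str:
    """Base64 -> check and drop the 4-byte header -> chained XOR, i.e. the
    three steps the poster's recipe tries to chain."""
    return unframe(base64.b64decode(b64)).decode("utf-8")


# The two samples from the comment above (taken from the post, not constructed here).
SAMPLE_RECIPE = "AAAAI9Dw0qHYq9+61/XPtJS20bTAn+yV5o/hh+jK8J7rh+vLtpbr"
SAMPLE_PYTHON = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="

if __name__ == "__main__":
    for name, sample in (("recipe sample", SAMPLE_RECIPE), ("python sample", SAMPLE_PYTHON)):
        print(f"{name}: {decode_b64_message(sample)!r}")

    # Constructed round trip, then the same bytes through the other chaining variant.
    msg = b'{"hello":"world"}'
    wire = frame(msg)
    assert unframe(wire) == msg
    print("output-differential decode of the same bytes:", xor_output_differential_decrypt(wire[4:]))
```

Both posted samples decode to short JSON objects once the header is dropped and the chain is keyed on the previous ciphertext byte, which is consistent with the poster's Python working; if a GUI recipe gives garbage after a correct-looking first character, the chaining direction is the first thing to check.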

Nice WYSIWYG security tool that will teach people the concepts behind the interface. In my day we'd just use Perl or Python, but this opens up the field to beginners.

It took me a few years in my career to realize the interface usability is more important than the cleanliness of the code. As an engineer I loved my code and treated the interface like a second class citizen. After a bit of experience I realized the interface is what the user judges your code by. First impressions matter and the UI is your code's first impression.

oh look, the people who spy on the entire Internet are giving us free candy!

Great honeypot as well. If a malware analyst dumps one of their intelligence agency canary strings from one of their spyware packages, they can use it to track the discoverer.

If I were a spook, I would totally be releasing reversing tools that alerted on my encoded code words.

That's why you fetch the ZIP from Github here: https://github.com/gchq/CyberChef/tree/gh-pages

Then you download it, and open it in a sandbox VM with no Internet access

If I were a spook doing this, I wouldn't release it on the official GCHQ github organisation.

This is a very handy tool - very full in terms of features as well. I really like that you can drag and drop components and configure them in order to create a transform. Very nice!

Here is my attempt to make something similar although less featureful: https://encoder.secapps.com/

I will try to incorporate some of these features.

This is an interesting tool, and I'll happily use it for puzzle solving, but I'm concerned that it misrepresents itself in a dangerous way.

From the About link:

> "CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression."

> "It is expected that CyberChef will be useful for cybersecurity and antivirus companies."

From the backing Github readme, which as far as I can see is not directly linked on the page:

> "Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness."

Now, it's fair to say that professional security types should assume the 'no guarantee' bit. But it's not fair to offer it up as a one-stop-shop for non-programmers to handle encryption tasks, and then offer no caveat at all in the primary reference page. It's even less acceptable when the About page implies the opposite.

Do you use nginx, chromium, bash, openssl, linux...? Because they all have disclaimers with more or less the same meaning. It's boilerplate to avoid liability, not warnings motivated by known shortcomings.

I'm aware, but I think I was unclear - that's what prompted my comment on professionals knowing this already.

My complaint was more that this is another entry in the pattern of handing people black boxes labeled "this does cryptography!", without offering any plain-English explanation of what they're actually getting.

It felt particularly important to me here because it's a comparatively new initiative, and the caveat went on the Readme (seen by users who already know) but not the About (targeting users who might not).

I'm going to chime in to say that I wouldn't give implicit trust to this unless the crypto/hash routines are all using standard/known libraries.

I guess I am paranoid about potential backdoors - something that non-crypto people wouldn't know or understand. Heck - who knows, there could be something in there that even the crypto community could miss...?

In our current world, I don't think my paranoia is misplaced. This project may be perfectly safe, offered transparently and no funny business. But then again, who really knows? Unless you are one of those experts in cryptography (and even then, as I understand it, that doesn't guarantee anything) - there could be subtle changes that could potentially open things up for "bad actors"...

I guess I'm saying "trust but verify"...?

I guess as long as a diff between it's version and this one doesn't pull up anything suspicious...?

> "Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness."

Fair point, but I'd imagine that's just something that their legal dept. made them put up.

Gaffer looks interesting: scalable Graph DB based on Hadoop.


The API seems a bit weird though...

>The API seems a bit weird though...

Oh my God, you weren't kidding.

This would make an interesting server-side service. I was hoping I could POST the JSON "code" and input, and get an answer in the HTTP body. Sort of a "Lambda 101" project.

Thanks this is awesome. For some of this stuff I usually use the Python REPL. But why go through the hassle when it's all here for stuff like date time conversions etc..

Trying to figure out the framework it's built upon... Looks like vanilla JS. Nice work.

Shouldn't it be British Army Knife?

Would be nice to "export as JS"

As cool as this looks, not sure how this is any easier to use than a simple Python or Ruby script (or even Bash, if that's more your thing).

EDIT: In lieu of downvoting, would someone like to explain their disagreement? I'm curious. Perhaps this would open up certain programming powers up to non-coders, but for anyone who knows how to code, it seems much easier to just write a script to make these kinds of transformations.

I made a field visit to an MSSP[1] and they used a tool just like this (although not nearly as complete). Most security analysts don't know how to code. Even if they do know how to code, it's faster to take advantage of a nice interface that's already been made.

The security analysts need to consider data from thousands of different alerts on a daily basis. There is definitely room for automation, but I think there will always be some need for human judgement and manual analysis (which tools like this will greatly expedite).

[1]: https://www.wikiwand.com/en/Managed_security_service

I got -4 just for stating the same opinion, and found your comment at the end of this page.

Since everything is really text here, the typical UNIX way of doing things seems to be much more practical in dealing with text transformations. I second your `Bash' opinion. I could imagine a package that populates your PATH as

and simply put nice little binaries, each of which does one thing and one thing only, and you can use them like,

    cat FILE | toBase64 | entropy
A nice interface for such a thing in Haskell or APL would really shine. I bet GCHQ must have a much nicer internal library (which runs at a fraction of their machines' peak FLOPS) in one of their favorite languages that they can script and launch multiple tries with by pushing a few buttons on their keyboard. And of course they are not sharing that.

Alas, point-and-click lovers seem to be the majority here on HN.

-4, that's a bit harsh. :-o

Making all of these available and chaining all of these together wouldn't be a simple script. It would be a humongous collection of different scripts.

> Making all of these available and chaining all of these together wouldn't be a simple script.

All transformations are readily available in the standard library of a language like Python or Ruby. And note that this CyberChef tool doesn't chain them together either. The user does that. Likewise with a Python or Ruby script.

I guess I can see how this would be useful if you don't know how to code, but I don't know anyone who would be able to use a tool like this who doesn't know how to code.

Also, I can see how this would be useful in the same way that a web app like jsfiddle is useful, to make a quick example to share with others.

In any case, I'm clearly wrong, since I've been so highly downvoted.

Even if you know how to code, this would still be faster for lots of use cases...

Are you comfortable using a scripting language like Python, Ruby, or Bash, and a shortcut-driven text editor like Vim or Emacs?

Perhaps because I'm skilled at Vim, using Python and Vim is unquestionably quicker for me than using a mouse to drag/paste/click a bunch of boxes around, for any imaginable use case. I suppose if you're used to mouse-driven programming environments, as Windows often is used, this might be quicker...

Now run the entire site through the "cheferizer" and we can have the SwedishCyberChef!

Why would anyone in the UK need these? They're gloating?

Is there an accessible REST api? Would be neat.

Can't wait for 13 December!

Wish it wasn't food themed.

Ah look, it even has snowflakes.

What does it do? The about link does not gracefully degrade when JavaScript is disabled, which is bad design.

In ergot's defense, he said the "about link" does not gracefully degrade. Which seems reasonable that someone would want to read what an app does before deeming it worthy of enabling scripts.

I might actually do this from now on. Have my <noscript> be more than just "You must enable JS to use this" but instead actually display useful information about what it does.

Yah I think it's a totally valid complaint. Normally I'm all about telling folks they're not able to use the modern web with JS disabled, but asking for the about page to give a hint with no JS feels like exactly the level of effort everyone should exert for the noscript folks.

Seeing as it's quite literally a JavaScript application, it doesn't do anything with JavaScript disabled.

What sort of things can I do with CyberChef?

There are well over 100 operations in CyberChef allowing you to carry out simple and complex tasks easily. Here are some examples:

    Decode a Base64-encoded string
    Convert a date and time to a different time zone
    Parse a Teredo IPv6 address
    Convert data from a hexdump, then decompress
    Display multiple timestamps as full dates
    Carry out different operations on data of different types

This is a web app, not a web page. It's not supposed to do anything with JS disabled. It's an actual program that runs locally; without JS, no can do.

As much of a problem as I have with web pages using gratuitous JS, it should be obvious that actual web applications such as this and gmail will not be able to "gracefully degrade".

If it degrades into an announcement that "hey this is a JS-based SPA for doing <frob> and for more details see <baz>" that would be a good start.

That would be ideal for a web app like this.

> gmail will not be able to "gracefully degrade".

Actually, gmail in particular DOES have a no-js version.

Go to "Settings," click on "Help," then enter "Basic HTML view" in the search field, then click on "Standard view and basic HTML view," then "basic HTML view," then, if you wish to preserve the setting, on "set basic HTML as default view."

OK, fair enough. But that's a huge effort to duplicate an app like this with a server-side version, and much less user-friendly as well.

Getting all core functionality to work without JS is a huge effort. Getting an about link to show some text is pretty basic however.

GCHQ -- NSA without the ethics, answerable only to the King

After just having watched Oliver Stone's "Snowden" last night it's hard to avoid wondering if there are any potential Snowdens in the GCHQ...

It's also a sobering thought that the people who wrote this stuff (seems neat) may be able to uncover my deepest secrets in seconds if they were so inclined.

And being geeks, I'm sure they read this. gulp

(As far as I can tell, github.com/gchq is from the actual GCHQ.)

This is mostly a job ad. Don't go there. It's not moral.

What do you mean by it's a job ad?

I think johansch means to say this is something someone should have made only to add to his cv or similar(not even fully sure) rather than something that people should use.

No one is telling the user what he should use this for; there are plenty of situations where you might want to convert/encrypt/elaborate data without it being launch codes for nuclear missiles, and this seems like a pretty good tool, all browser based too, the opposite of many other more famous tools that require communication with a server.

I guess I should have been more explicit.

I am not talking about the actual encryption/decryption/data-wrangling stuff in this HTML page. All of this is obviously very neat and very usable.

The reason I do think this is a job ad is the fact that it's the GCHQ that is publishing it. Seriously, a spook agency is publishing neat open source stuff. I can only think of two reasons for this to happen and both align:

a) employee happiness (few people enjoy doing stuff in secrecy, I think)

b) using the by now well-established mechanics of corporate branding to make the GCHQ appealing to a larger amount of developers/hackers.

I think the latter is the dominant factor, and this is why I called this a job ad.

c) helping private companies maintain good security might be a good fit with GCHQ's mandate.



I think he is actually saying it is an effort to get people to say "look at the cool stuff we make" and go work for the organization. In this case that organization appears to be the UK equivalent of the CIA/NSA in the US and he clearly feels their mission erodes people's rights.

Why do you think GCHQ is publishing stuff that appeals to developers/hackers rather than just being secretive? Of course it's similar to a corporate branding exercise. There's a hard fight for tech talent these days.

It seeming neat is the point.

This is propaganda.

One could argue (although I'm not 100% sure if I actually believe in it) that making institutions such as GCHQ more attractive would actually help. Their pool of applicants must be starkly different in terms of ideology than other applicant pools (say: google), even though the requirements are similar.

If they succeed in broadening their pool of applicants, ideological diversity would increase. That may make it more likely that objections such as yours are raised internally.

(counterarguments: their productivity may rise quicker than their morals can, making the net effect negative, or the institution is stronger and changes the individual instead of the other way around)

Well, maybe one take-away from the Snowden movie - in case it's actually accurate - is that by recruiting traditional freedom-loving hackers there will be more potential whistleblowers in the future.

Another disparate thought:

The NSA we've seen so far appears to have had infinite reach, but very limited analysis capability. E.g. they have an army of humans trying to make sense of the mountains of data. Just imagine their capabilities when they have applied (already, perhaps) deep learning to this data feed. This is scary shit.

Suddenly they will have a very deep profile on every connected individual on earth (like 75% by now?).

Yeah I mean it's totally "propaganda", but so what?

Rarely is propaganda actually useful. Are "Swiss" army knives propaganda for the Swiss military?

