Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×

IBM using Napoleon Dynamite Quote to Encrypt Data 170

Posted by CowboyNeal from the masters-of-the-bo-staff dept.
schmack writes "A developer discovers a quote from the movie Napoleon Dynamite is being used as the cipher key by IBM to publish encrypted XML at this year's Wimbledon grand slam. But is this a rather glaring lapse in security or an easter egg for curious hackers, many of whom would surely be fans of the quirky movie?"
This discussion has been archived. No new comments can be posted.

IBM using Napoleon Dynamite Quote to Encrypt Data More

IBM using Napoleon Dynamite Quote to Encrypt Data

Comments Filter:
  • It was totally retarded, why do people like it?

    As to being a security issue, unless someone compiles all quotes from all movies into a text file, it is not.

    • Preemptive Questioning Your Own Answers (Score:5, Insightful)

      by soloport ( 312487 ) on Saturday July 01, 2006 @09:59AM (#15642500) Homepage
      It was totally retarded, why do people like it?

      Look, it's all right there:
      Q. Why do people like it?
      A. It was totally retarded.

      You're, uh, one step away from Yoda-speak.

    • Re:What is with that movie? (Score:5, Funny)

      by athakur999 ( 44340 ) on Saturday July 01, 2006 @09:59AM (#15642501) Journal
      It was totally retarded, why do people like it?


      roman_mir, don't be jealous that I've been chatting online with babes, all day. Besides, we both know I'm training to become a cage fighter.

      • And who might you be?

        • Re:What is with that movie? (Score:5, Funny)

          by Sage Gaspar ( 688563 ) on Saturday July 01, 2006 @10:29AM (#15642585)
          Whoever he wants to be. Gosh!
        • And who might you be?

          The fact that you didn't recognize one of the most often-used quotes of the movie means that you probably didn't watch it. Since you didn't watch it, how do you know that "it was totally retarded"? Did you read that somewhere and decide that it sounded cool and anti-trendy to hate the movie?

          • I saw the movie and recognized the quote. The movie was "totally retarded." The sad thing is that the "trendy" thing to do is like that piece of crap film.
          • The fact that you didn't recognize one of the most often-used quotes of the movie means that you probably didn't watch it. - I watched it, alright, but that's my point, why would I remember quotes from a retarded movie?
          • I did watch it, and wished I do so in theatres so I could ask for my money back. I spent however long that movie was of my life waiting for funny to come, and it didn't. I suppose I'll get modded down too, but it seems to me that if society demands a movie about someone so pathetic that it's (supposed to be) funny, we've got a long way to go. It easily gained my label of "worst movie ever" (and not even Comic Book Guy style), and I honestly can't imagine what it would take to be ousted from that title.

    • Re:What is with that movie? (Score:1, Interesting)

      by Anonymous Coward
      MOD PARENT +5 INSIGHTFUL!!!

      There is a disturbing trend in film today that automatically bills any film that is both watchable and different as a "cult classic" or a "hidden gem". I find it personally disturbing that people seem to be losing their ability to a) seperate humor from simple sarcasm or irony, and b) discern aesthetic merit -- not absolutely but just generally -- and seperate pure schlock from geuine plot-driven, substantive films.

      • Re:What is with that movie? (Score:4, Insightful)

        by shotgunefx ( 239460 ) on Saturday July 01, 2006 @10:31AM (#15642590) Journal
        I ain't modding him up, but I won't mod him down either.

        I really like the movie, granted it was annoying at times the first run through.

        I imagine one of the reasons it's popular because it's a movie about "losers", you don't really see that too often. Even when you do, they characters aren't really losers, just perceived that way (and usually not perceived that way by the final reel).
      • Of course it's a cult classic.

        A cult classic is a work (e.g. a movie or TV show) or group of works (e.g. songs by a certain band) that may not achieve widespread mainstream popularity but does attract devoted, even fanactical, attention from a select group. See cult film, cult televison, cult radio and cult following for related topics.
        en.wikipedia.org/wiki/Cult_classic

        There's plenty of people who don't like, or haven't seen, Napoleon Dynamite, but there are others who think it's one of the funniest mo

    • As to being a security issue, unless someone compiles all quotes from all movies into a text file, it is not.

      As TFA says, the line was in clear text elsewhere in the file. So it was like hiding the front door key under the doormat. Maybe its real purpose is to give legal weight to a claim that it wasn't published freely, in case they want to shut down anyone leeching it commercially. Probably it's a DMCA violation to crack the encryption.

      And I think you'll find that movie quotes ARE compiled into text fi

    • It's satire (Score:3, Informative)

      by shaneh0 ( 624603 )
      Dynamite was the most deft satire of high school life that I've ever seen. There are a ton of people that are twentysomething or younger that DONT'T like the movie, but in my experience, most do. And the older you get, the more you're removed from todays High School experience, the less likely that you'll enjoy the movie.
      • I first watched it when I was 28 or 29, don't remember exactly. Don't get me wrong, there were some funny moments in there that I enjoyed, but the overal impression from the flick was that of a total degradation, retardation and in general complete depression. And I enjoy a good dose of depression as much as the next guy, but all things considered, I would rather do something else than watch that movie ever again.
    • I think it was a pretty decent movie that just got beaten mercilessly into the ground by some rather retarded fans.

  • depends (Score:4, Interesting)

    by Spiked_Three ( 626260 ) on Saturday July 01, 2006 @09:48AM (#15642476)
    on whether or not they were encrypting anything important. If they were then they were idiots.
    • IDIOTS!

    • Re:depends (Score:5, Funny)

      by Minwee ( 522556 ) <dcr@neverwhen.org> on Saturday July 01, 2006 @11:34AM (#15642754) Homepage

      Once the terrorists gain access to the scores from Wimbledon then it's all over for the free world. They could use our own tennis scores against us.

      They had better be using the strongest encryption available for this kind of thing.

      • Once the terrorists gain access to the scores from Wimbledon then it's all over for the free world. They could use our own tennis scores against us.

        Be on the lookout for blacmanges with AK-47s.

      • Not to worry, I've secured the free world's tennis scores with my awesome dancing skills.

        That, and my pet liger.

    • Yes, but were they idiots for using a movie quote for the key as the summary suggests, or were they idiots for assuming that Flash is secure? I've seen a lot of "password protected" Flash apps out there, so there should be a lesson in this article, but the Slashdot summary doesn't exactly highlight the real problem. It is trivial to decompile Flash, folks. Your encryption keys are right there in plain text for all to see.

  • Huh? (Score:5, Insightful)

    by LordKaT ( 619540 ) on Saturday July 01, 2006 @09:49AM (#15642480) Homepage Journal
    I don't really see this as a "lapse" in security. I mean, it was an XML file with updated scares, not a SQL database with every known Social Security Number. The application in question (a flash scoreboard) doesn't exactly call for some kind of PKE scheme.

    • Re:Huh? (Score:5, Insightful)

      by Stiletto ( 12066 ) on Saturday July 01, 2006 @10:03AM (#15642518)

      If a project doesn't require strong encryption, does it require encryption at all?
      • Yes.
        If you don't want normal people to access the project, a standard encryption like 128bit AES is enough to feel safe.
        By normal people I mean bored people with only little computing power.

        But if you for some reason want to pass around data about your nuclear projects or such, you'd take many more precautions and use multiple and stronger encryption schemes, to be on the safer side of safe.
        These projects are in the interest of strong governments who have we don't know how much computing power and intention

        • Re:Huh? (Score:5, Informative)

          by gkhan1 ( 886823 ) <.oskarsigvardsson. .at. .gmail.com.> on Saturday July 01, 2006 @11:50AM (#15642791)

          There are a few things I wish to clarify about your post

          If you don't want normal people to access the project, a standard encryption like 128bit AES is enough to feel safe.

          First off, right now 128 bit AES is virtually unbreakable. I mean, the US government has approved 128 bit AES for use in encrypting classifed documents. That should tell you alot. It's true, maybe in 10 years or so, one might be able to crack 128 bit AES in a few weeks or so, which is kinda bad for a modern cipher. But you can rest assured, if you use 128 bit AES (correctly implemented, and with a good password), there isn't a force on earth that could crack it (right now, that is).

          By normal people I mean bored people with only little computing power.

          This statement makes no sense at all. Do you have any idea how fast AES is? On my puny, 2 year old, cheap crap Dell computer, I just benchmarked 256 bit AES, it can encrypt 55.3 MB/s. Fifty-five megabytes per second! That's fast as hell! By little computing power, are you reffering to ENIAC? 'Cause I bet even that transistor-less monster can crank out a few kbs per seconds, AES is that fast. I routinely watch Hi-Def movies on a drive encrypted by TrueCrypt. That means that the movie is decrypted on the fly, while I'm watching it!

          And even that will probably not be enough against black-ops a la your-favorite-secret-agent-franchise...

          I HATE IT when people say "Well, I'm sure that NSA could crack any cipher, their so secrative and so cool!" NO THEY COULDN'T. No one can crack a 256 bit AES with a correct implementation (and a good key). It's just not doable. I refer you to an earlier post of mine, [slashdot.org] where I got really pissed and did a few calculations. You cannot crack 256 bit AES. It's. Not. Possible.

          The mistake you seem to be making in your post is that you assume that most encrypted material get cracked because they used a weak cipher. That is not true. 99.9999% of all modern codes that are cracked are cracked because of a poor implementation. Some-one selects a bad password, maybe someone gets your PGP key from your computer, maybe a secret agent beat the crap out the poor IT guy and got in. Whatever. It's simply not feasable to crack modern ciphers by cryptanalysis. It's virtually impossible, and there are so many easier ways to do it.

          In conclusion: If you want your material safe, it's fine to use 128 bit AES, but there's no reason not to use 256 bit, so you could just as well use that. Just make damn sure that you use a good password and keep it safe. And no, a quote from Napoleon Dynamite is NOT a good password.

          • I HATE IT when people say "Well, I'm sure that NSA could crack any cipher, their so secrative and so cool!" NO THEY COULDN'T. No one can crack a 256 bit AES with a correct implementation (and a good key). It's just not doable. I refer you to an earlier post of mine, where I got really pissed and did a few calculations. You cannot crack 256 bit AES. It's. Not. Possible.

            Well, no they couldn't for brute force attacks on the key.

            But that's not the only attack vector out there for AES (or other block cipher

            • Re:Huh? (Score:4, Interesting)

              by gkhan1 ( 886823 ) <.oskarsigvardsson. .at. .gmail.com.> on Saturday July 01, 2006 @05:45PM (#15643795)

              This is exactly my point (maybe I wasn't very clear ;). If you want to break the encryptions, you don't do it using cryptanalysis. The only way is exploiting the human factors. The ciphers themselves are solid. That's why I said "using the correct implementation and a good key" all the time. If you encrypt something with a tool like TrueCrypt [truecrypt.org] which uses a rock solid, completly bulletproof implementation with a good password (and, ofcourse, assuming that no one has hacked your system) you will be completly safe from any potential snoopers.

              I really can't say enough good things about TrueCrypt. Every step of the process is done 100% right. What it does is that it it mounts a virtual drive on your system that is encrypted to a file on your harddrive. There is no trace in the files themselves that they are encrypted, they are completly idestinguisable to random noise. You can even hide a hidden drive inside a volume (so if someone forces you to reveal your password, you can still hide a bunch of files inside a volume). It is completly impossible to know whether a hidden drive even exists within a virtual drive if you don't have the password (for the hidden drive that is, which should be different from your standard drive password). It also includes tons of other features, you can choose any cipher you like, from Blowfish to 3-DES (although I have no idea why you wouldn't just go with 256 bit AES), you can backup the fileheaders if someone loses their password, you can use keyfiles in addition to your passwords, you can create "travel disks" so you can take your encrypted stuff on the road an not have to install TrueCrypt on every computer you wish to use, and any other feature you could possibly want if you want to encrypt data. If you don't want to bother with PGP, you could even make a tiny drive, add your files to it, and email it to someone! It's also fast as hell, as I said, you could watch Hi-Def movies from an encrypted drive and it will decrypt it on the fly and you wont notice a thing. All that, and it's open source! I really encourage anyone to use it that has a need to encrypt data.

      • Re:Huh? (Score:5, Insightful)

        by hyfe ( 641811 ) on Saturday July 01, 2006 @10:29AM (#15642586)
        If a project doesn't require strong encryption, does it require encryption at all?

        Of course it does. The lock to your house is most certainly breakable. Does that mean you should throw away the door?

        Weak'ish encryption protects you against untargetted attacks, such as network-snooping. Anybody doing untargetted attacks are probably going to have massive amount of data to search through. Even the most simplistic encryption algorithm involving keys is going to force the attacker to include state-information in his application.. which as we all is just plain painfull on high-traffic networks.

        • Re:Huh? (Score:3, Funny)

          by Deltaspectre ( 796409 )
          I think what he's saying is....

          If you're going camping you don't necessarily need to lock your tent door up, because it's such a trivial thing to do
          • With the tent door open, it's easy for people to see if the tent is empty and if it's safe to go inside and search the tent for valuables.

            With the tent door closed, they have to chance somebody lieing inside taking a nap

            Good choice of analogy.

      • Re:Huh? (Score:5, Insightful)

        by DerekLyons ( 302214 ) <fairwater AT gmail DOT com> on Saturday July 01, 2006 @10:50AM (#15642637) Homepage
        If a project doesn't require strong encryption, does it require encryption at all?

        Yes.
         
        It's a common misconception that encryption is supposed to be 'unbreakable' (for some large value of 'unbreakable'), in all instances. In the real world of security (I.E. DoD etc...) it's quite common to have the complexity and difficulty of the cipher or code to match the 'speed value' (to coin a term) of the information. For example, diplomatic messages need to be kept hidden essentially forever - thus strong encryption. Tactical communications between Army formations or Navy ships can have a much lesser grade of encryption applied because their value is almost always rendered moot before they can be broken.
         
        The 'need' for ultra-strong, resist-attack forever grade encryption for personal use is an artifact of the (not uncommon) geek need to be [bigger|faster|stronger] than anyone else when it comes to computer stuff.

        • It's a common misconception that encryption is supposed to be 'unbreakable' (for some large value of 'unbreakable'), in all instances. In the real world of security (I.E. DoD etc...) it's quite common to have the complexity and difficulty of the cipher or code to match the 'speed value' (to coin a term) of the information. For example, diplomatic messages need to be kept hidden essentially forever - thus strong encryption. Tactical communications between Army formations or Navy ships can have a much lesser

          • It's a common misconception that encryption is supposed to be 'unbreakable' (for some large value of 'unbreakable'), in all instances. In the real world of security (I.E. DoD etc...) it's quite common to have the complexity and difficulty of the cipher or code to match the 'speed value' (to coin a term) of the information. For example, diplomatic messages need to be kept hidden essentially forever - thus strong encryption. Tactical communications between Army formations or Navy ships can have a much lesse

        • You're missing the point. Using "simpler" (as in childsplay) crypto rather than standard well-tested crypto in low-security applications would make sense if doing so saved you significant amounts of programming-time, working-memory or cpu-time or had other significant advantages.

          That's not the case, infact the oposite is likely to be the case as aes(message,key) is likely to be well-tested, well-documented code you can simply use whereas xor_with_sillystring(message) is likely to first need being written

      • >If a project doesn't require strong encryption, does it require encryption at all?

        That is an insightful question.

        Historically, weak encryption had a niche for information whose value dropped sharply over time. If you have a lame algorithm that a cluster of supercomputers can crack in a week, you can still safely use it for messages like "unit 3, fall back to hill 41, await instructions".

        Sports scores might fall into that category, though the problem in this particular case was not weak encryption, it wa
        • You left out one important one:
          You want the information to appear to be protected, but to leak anyway.

          If you want this to ever work, you need to routinely use weak encryption on things of varying importance, so that the importance of a message is unpredictable from the contents. (Naturally you will make sure that nothing REALLY important ever gets encrypted weakly ... unless either you want it to leak, or a mistake was made.

          This is the category that includes easter eggs, etc. And I suspect that the Wimble
    • The movie was scary enough for some. I sure don't need an XML file full of them, especially if they get updated.

  • Let me be the first to say... (Score:5, Funny)

    by ChePibe ( 882378 ) on Saturday July 01, 2006 @09:50AM (#15642481)
    Idiots!

  • The client had the key anyway. (Score:5, Insightful)

    by vidarlo ( 134906 ) <vidarlo@bitsex.net> on Saturday July 01, 2006 @09:57AM (#15642497) Homepage

    If you read the article, you'll see that he found the key in the flash applet that presented the data to the website visitors. So even if they used a truly random key, it would be worth no more, since the client could just read the flash file (de-assemblers for flash is out there. Search on google.), and get the key. So really, there is no point of better encryption, because the determined people will get the key anyway.

    Remember that flash runs on your computer. Thus, the encryption key has to be on your computer so the flash application can decode the XML file and show you the results. As long as Trusted Computing does not excist, there is no way to stop a determined person from getting the key. Thus, using a stronger key would not make it more difficult. It is not like the key was discovered by accident. The writer of TFA was looking for the key in the flash file...

    Nothing here to see, please move along!

    • Exactly! (Score:5, Insightful)

      by FatSean ( 18753 ) on Saturday July 01, 2006 @10:03AM (#15642517) Homepage Journal
      Not sure why exactly they would want to encrypt the scores as they flew over the network though. The scores are public knowledge...who cares if they are sniffed? Technology demonstration? Wanted to use the 'encryption' buzzword perhaps?

      • Re:Exactly! (Score:5, Insightful)

        by vidarlo ( 134906 ) <vidarlo@bitsex.net> on Saturday July 01, 2006 @10:38AM (#15642605) Homepage
        Not sure why exactly they would want to encrypt the scores as they flew over the network though. The scores are public knowledge...who cares if they are sniffed? Technology demonstration? Wanted to use the 'encryption' buzzword perhaps?

        To force people interested in live stats either to view their website (=ad revenue) or watch their tv broadcast (=ad revenue). 3rd party apps accessing the information means less ad revenue. Simple as that.

      • Sports scores are time sensitive information to those that are betting on them. Thus, as pointed out elsewhere, the crypto need only delay the information by a few seconds to be effective. If this doesn't make the concept clear, then see this movie [imdb.com].
      • Because it's too easy to forge packets and create cheated scores. That's probably why someone dug deep enough to discover the key.

    • Re:The client had the key anyway. (Score:4, Informative)

      by daeg ( 828071 ) on Saturday July 01, 2006 @10:04AM (#15642519)
      You don't even need to decompile the flash. Unless recent flash versions have changed, the majority of actionscript is almost completely readable directly in the file with little-to-no obfuscation.
  • What ever happened to the DMCA?

  • Flash player 8 (Score:3, Interesting)

    by pjbgravely ( 751384 ) <pjbgravely2@gmai ... minus physicist> on Saturday July 01, 2006 @10:11AM (#15642538) Homepage Journal
    I see even so called Linux friendly IBM is blocking Linux users out because there is no Flash 8 for Linux yet. [wimbledon.org] Oh well maybe next Wimbledon. Is there a Flash player 8 out for Mac?

  • Microsoft uses "Wildebeest!!" as a password (Score:1, Interesting)

    by Anonymous Coward
    In Excel, the Solver, Analysis Toolpak and Autosave add-ins are protected using the password "Wildebeest!!", and the Internet Assistant VBA add-in uses the password "Weezaarde!?"... More info about it is here [mrexcel.com].

  • Gosh! (Score:4, Funny)

    by fdiskne1 ( 219834 ) on Saturday July 01, 2006 @10:28AM (#15642584)
    I wonder if the guy who cracked this has nunchuck skills and bowhunting skills too.
  • Yay for juxtaposition of tags! I never would expect these to go together

    TAGS: wimbledon | ibm | napoleon | dynamite | encryption | liger |

  • This is pretty much.... (Score:3, Funny)

    by Itninja ( 937614 ) on Saturday July 01, 2006 @10:40AM (#15642610) Homepage
    ....the worst post ever made.
    Please, ITninja, like anyone could even know that.
  • I just read that headline like Doyle Redland. Is this even news?

  • eets a slayjhammer (Score:3, Funny)

    by Anonymous Coward on Saturday July 01, 2006 @10:52AM (#15642646)
    It's a diversionary tactic, gosh!

    How do you keep a bunch of computer nerd hackers in suspense?...
  • The quote cipher was probably shifted over by one, reversed, and hashed a bazillion times. It's very unlikely that one of the /. script kiddies could ever figure it out.

  • Huh? (Score:1, Insightful)

    by maddogdelta ( 558240 )
    .|A(0{?y01/3z4xy0|?|B|L-Kfpkxey^tom5638BHQ{y9|G.Ak `he&5'|_pl_464:UO>{z7{G@C?D=yDACAFA{/z-z./2

    ??

    Somehow, I'm missing something about how obvious this "quote" is supposed to be.
  • So, he disassembled a flash program to get a key to "circumvent" encryption. Is the DMCA's formidable vagueness enough to cover this?

    It's not clear that the "work" is or isn't protectable (shouldn't be, but I remember a lot of fuss about similar sports related content from some other site). Or is it now enough to have token encryption like this to make it illegal to "circumvent" it?

  • Randomly Generated? (Score:5, Funny)

    by feepness ( 543479 ) on Saturday July 01, 2006 @12:31PM (#15642903)
    Is it not possible that this was a randomly generated key that simply happened to be a Napoleon Dynamite quote?
  • There is no "fair use" in the UK.

    No-one tell Darl
  • They should have used Jar Jar Binks and Westly Crusher quotes. Nobody wants to remember them.
    • They should have used Jar Jar Binks and Westly Crusher quotes.

      Westly Crusher? Is that a mixture of The Princess Bride and ST:TNG?

      Picard: "Mr. Crusher, engage."
      Crusher: "As... you... wish..."
       

Slashdot Top Deals

"It may be that our role on this planet is not to worship God but to create him." -Arthur C. Clarke

Close