Tuesday, June 23, 2009

Hack My Password

If I told you that this (l1v3l0n9&pr05p3r) was one of my passwords, would you be able to figure out how I remembered it? You might ask that if you know the password, why would you care how I remember it? Well, knowing the logic key that unlocks that password, might enable you to figure out my passwords to other systems.

I am an unabashed fan of Star Trek. Its positive vision for the future of humans resonates with me and has for 40 years. I like other SciFi genres as well, but for me nothing compares with Star Trek. I am also a fan of Wired Magazine. It is the only magazine subscription for which I pay. Stay with me a moment, the tie in will be obvious.

Security through obscurity is likely the biggest challenge corporate programmers have, not so much because our developers aren't smart, but rather because we can't think in the time scales of hackers. We often believe that if something is complicated enough, it is secure because no one would have the time to guess it out. We tend to confuse layers of security with added complexity - but these are not the same.

Corporate developers have to produce results on a deadline, within fixed constraints of time, money, and other programmers. The concept of unlimited time in which to work through complicated system is a foreign to us as glee to a Vulcan (trust me, it's foreign). But to a hacker, time is an endless quantity. Consider some of these systems which have been hacked:
Hacking these systems took time; time to figure out the security and work around it. Wired Magazine recently published an edition with the help of J. J. Abrams - the director of the recently released Star Trek film. The magazine is filled with puzzles and games. In some cases, there are no clues that a page contains a puzzle - you just have to look, and think, and ponder, and hack.

I had a lot of fun with this Wired and was surprised when a month later, in the Letters to the Editor, someone pointed out that the spine label of the magazine (usually a series of uniformly spaced blocks) was itself a coded message. Can you figure it out? I'll give you this one, if you promise to think about how someone who wasn't even told that the spine contained a puzzle, figured out the FIVE BIT BINARY CODE that spells "Trekkie."

If you are concerned about the security of your system, don't rely on obfuscation and complexity. If you can figure it out, someone else will too. The only things you can rely on being secret are passwords and certificates (because they can be changed after the solution is deployed). Assume everything else is knowable. I know a lot of developers who have trouble with that, because they assume that it is impossible to build systems that the original programmer can't break into. Not true. If this sounds like you - here's a good book; Writing Secure Code by Howard and LeBlanc.

Lastly, there are three puzzles in this post for you to solve:
  • How to hack my password (what's the key that helps me remember it)?
  • What's Commander Data's password?
  • What is the name of the sculpture which contains a code the CIA cannot crack?
A hacker with experience and unlimited time will find this task to be child's play. A corporate developer under deadline may find it a little more challenging. I've pretty much laid out the answers for you. Good luck, and let me know how it goes.

Follow by Email