Thursday, 5 January 2012
Was there an ulterior motive behind the GCHQ cyber challenge "Can you crack it?"
Last month I posted a solution to the GCHQ cyber challenge "Can you crack it?"
The challenge was purportedly part of a recruitment drive to attract talented software engineers and cryptologists to apply for a job at the secret government communications agency.
But is this the whole story behind the challenge, or could the competition actually form part of a strategy to flush out skilled ringleaders and experts in hacker and hacktivist communities in order to study and observe these groups?
This strategy wouldn't depend on anyone actually applying to join GCHQ, because there are enough uniquely fingerprintable aspects of the challenge to allow government agents to remotely observe those solving it.
Additionally, completion of each of the three stages required connecting to a website assumed to be under the control of GCHQ, thereby giving away one's IP address at each stage.
Would anyone tackle it simply for the bragging rights? I've found many hundreds who seem to have done just that. The challenge acted like a barium meal fed to the hacking community, lighting up areas of activity where hackers congregate to discuss solutions.
Code snippets and other signatures from the challenge can be found across the internet, from Pastebin to Twitter. Some videos posted on YouTube solving the challenge have amassed nearly 35,000 views, indicating strong interest in the code.
Benefits as a recruitment tool
It's certainly feasible this was at least part of a recruitment drive. It's reasonably widely known that GCHQ is struggling to attract and retain analysts and software engineers at a time when major multinational tech companies are offering very good salaries for similar roles in the commercial sector, and today it was reported that staff working on cyber security would be offered bonuses to help retain much-needed skills.
As a recruitment tool it appears to serve two purposes. Firstly, and without question, it's a good publicity stunt, perhaps reducing the cost of advertising vacancies. As a social/viral advertising strategy it's also self-targeting: people interested in cyber security will share it, via social networks and so on, with other people who have a shared interest in cyber security.
Secondly, because it's spun as a competition there's an illusion that the challenge acts as a filter to prevent unworthy applicants. Only the highly skilled will be able to solve the challenge and apply, right?
Well, no. This is where the strategy falls over. There's a phenomenon well known by those in the security community that the internet vastly reduces the lifespan of a secret. In plain English, someone will not only solve the puzzle but also explain in detail to the world, via the internet, how to solve the puzzle. Online communities are full of show-offs!
Very soon after the puzzle is solved someone will tell others how to solve it and its value as a filter to find skilled applicants is vastly diminished. Would it be wise to spend presumably significant time and money creating an incredibly intricate challenge useful only for the first 5-10 applicants?
Whilst I waited for the puzzle to officially close before posting my solution, many didn't. In the last couple of weeks of the competition it was trivial for anyone with access to a search engine to apply for a job via the challenge website. (And before you ask, yes I solved it well before the deadline - and I have witnesses!)
What the challenge tells us about the particular cyber skills GCHQ are seeking
There's another odd aspect to the challenge itself. Whilst it requires an incredibly deep knowledge of software engineering and computer science to solve, I found it can be solved without any cryptanalysis and only a very slight passing knowledge of cryptography.
This seemed odd as I assumed life at GCHQ would have a heavy focus on cryptography.
Puzzled by this, I spent a bit of time reading how others solved the puzzle, and it turns out there are broadly two methods of solving the challenge. The way I approached it, by engineering and reverse-engineering the provided software to give the answers to each stage; or, by identifying the ciphertext in each stage and decrypting that using a small [TBC] flaw in the encryption. This second approach obviously does require a detailed knowledge of cryptographic techniques and cryptanalysis.
Monitoring hacktivists and cyber gangs?
In any case, the main thrust of my point here is that it can be solved using skills rife in the hacking community; namely coding, executing machine code and bytecode, and reverse engineering executable software.
And I found dozens of threads where enthusiasts put their skills to the test solving the challenge. Example here, with over 400 comments.
Now the vast majority of hackers and those solving the GCHQ code will be upstanding citizens. But sources inside the Met Police specialist eCrime unit PCeU told me, after a conference last year, there is a great deal of scrutiny on amorphous hacking collectives like Anonymous.
Take it as a given that government intelligence agencies are doing something to track and monitor how such loose-knit groups operate. Part of this intelligence gathering would almost certainly involve identifying ringleaders and "members" skilled in all the areas tested by the GCHQ challenge.
Watching those hiding in plain sight
Whatever your views on Anonymous as a force for good or evil, it's just one of many groups or communities interested in hacking. There's nothing wrong with hacking itself; it's what people then choose to do with their skills: code computer games, develop secure communications (as I used to do for a day job), improve computer security, fight political battles, or steal credit cards and commit other fraud.
What may seem strange to many outsiders is that many such communities operate in plain sight; they discuss all their plans, tactics and tools on public discussion boards. Even many gangs operating firmly at the criminal end of the hacking spectrum operate in this way.
After studying the challenge, certain text strings and number sequences stand out as unique and central to solving each stage of the code. Searching for these unique sequences (e.g. hqDTK7b8K2rvw) identifies blogs, forums and, via social media, IRC channels dedicated to solving the challenge. Watching these threads over time allows an observer to identify bright participants with the most to offer.
Injecting such a challenge into groups with an interest in cyber security, for whatever reason, allows outside observers to watch which groups take on the challenge, observe how members of the groups interact when solving problems, and identify the pseudonyms of ringleaders or those displaying skills in particular areas.
Was there a team in Gloucestershire tasked with watching these spaces and investigating those solving the puzzle, or am I being overly paranoid? Could this be part or all of the reason behind the GCHQ cyber challenge?