Comments on: Decoding the Verizon DBIR 2009 Cover

By: Allison Ego

Allison Ego — Mon, 17 Jan 2011 20:53:11 +0000

I like the valuable info you provide in your articles. I’ll bookmark your blog and check again here frequently. I’m quite sure I’ll learn many new stuff right here! Best of luck for the next!

By: Psst, psst! A clue to Verizon data breach report challenge | ZDNet

Psst, psst! A clue to Verizon data breach report challenge | ZDNet — Wed, 11 Aug 2010 19:25:03 +0000

[...] year, after I dropped a big clue on Threapost, Grant Stavely, Chris Eng and others decoded the hidden message on the cover of the report in record [...]

By: haxor

haxor — Mon, 04 May 2009 18:18:10 +0000

Lame encryption.

By: Breaking good

Breaking good — Sun, 03 May 2009 21:32:39 +0000

[...] really like Chris Eng’s post on how he broke the code on the cover of the 2009 Verizon Data Breach Investigations Report. He [...]

By: isaac dawson

isaac dawson — Sun, 03 May 2009 16:32:25 +0000

Hey Chris,
Enjoyed the quick write up on the steps you took to crack it. After you got to the part where you realized it was a Vigenere cipher and started explaining how that works, I realized a SSO implementation I tested a little while back was the same type of algorithm! However, I had the luxury of an encryption oracle and could just choose the plaintext I wanted encrypted ;>.
Hope things are going well with you,
^isaac

By: Erzengel

Erzengel — Fri, 01 May 2009 16:46:03 +0000

Your final solution (guess the word and work back from there) reminds me of what I did when “Order Of The Stick” (a webcomic) had a character (Haley) whose brain broke and so she ended up talking in cypher garbage. I guessed that it was cypher (Belkar, another character, later confirmed it in a 4th wall break), and started, much as you did, with Caesar shifts, but when that failed I tried frequency analysis but didn’t really come up with much from such a small sample size. So I just guessed what she might be saying, based upon what was happening, and found the substitution cypher that way. Then the author changed the cypher on the next comic, with an even smaller sample size, so I kind of gave up. I’m not a cryptographer, though, so I don’t exactly have the tools or knowledge you do at figuring these out.

By: Chris Eng

Chris Eng — Thu, 30 Apr 2009 18:41:02 +0000

@Nate: Yeah, I think that's the approach that this Vigenere brute force applet implements (the one Grant Stavely found and used to win the contest). I was surprised to see just how effective that method was, considering the relatively small sample size of 900 characters. I don't quite understand why the dot products work, though I'm sure it would become more apparent with a little experimentation.

By: Nate

Nate — Thu, 30 Apr 2009 17:53:45 +0000

Nice work, Chris. While this kind of cipher does level out the frequency of individual characters, it only reduces the distance between the least and most frequent letters, it doesn’t eliminate the variation. This is because each group of ciphertext characters (where group is determined by the length of the key) is dependent on the same key bits as every other group. So a quick way to solve it is to first find the length of the key by breaking the message up into sets of regular groups and then doing frequency analysis between the groups with the index of coincidence (freq count of pairs or triplets, etc).

By: Alex

Alex — Tue, 28 Apr 2009 22:52:39 +0000

@ Jebediah – actually, that was the first thing we thought of. Unfort. using a brand name would be problematic.

By: Jebediah Webb

Jebediah Webb — Mon, 27 Apr 2009 21:44:05 +0000

I was really wishing it has said “Be sure to drink your Ovaltine”….