TIMBOBIMBO hahahhaha
I've got a look at his number generator for the secure one-time pad, and Melissa O'Neil would be proud. Almost pcg. It uses the powerbasic system Rand LCG to switch between 3 new rand1-3 functions, two of them with different LCG's.
https://github.com/Vulacode/RANDOM/blob/d6a1a1d694b22e6a115b...
And the original programmer wrote a of this while having to pick up crypto and BASIC on the go, too. Never roll your own crypto is the first rule, unless you were in the late 80s and working with fancy new tech…
Nowhere near good enough for an actual One Time Pad, obviously.
Man that one time pad generation is...... not good, I would bet that its very possible to recover the seed state for the different generators, LCGs are trivial to reverse engineer. It looks like the PRNG's are seeded by the system RNG as well, which means that you only need to recover the initial seed of the system's LCG to reverse engineer the one time pads
I don't know what the seed size is of the system LCG, but if its 32-bit (which I think it is), you could simply bruteforce the seed state, and do entropy analysis on the result to crack it in like an hour tops
Operation Vula ... 8-bit computers, DTMF tones, acoustic couplers
CIA/NSA got a whiff of Operation Vula using off the shelf Philips PX-1000 with build in DES and backdoored the product by bribing Philips https://www.cryptomuseum.com/crypto/philips/px1000/
Which Tim Jenkins did overcome by using his own systems and own crypto. No backdoored DES, but ultimately secure one-time pads transported via floppies by the stewardess to each party. If they got hold of such a floppy in SA, it would only compromise the messages of this one receiver. Which would be detected sooner or later.
Probably using ANY commercial encryption tech, you're doomed.
But it is naive to generate the key for a one-time pad using a PSEUDO random number generator!
The whole point of the one-time pad is to achieve true security because you can use truly random keys. The kind of key that used here could have been created locally by just exchanging the seed, which would have prevented putting all these stewardesses in danger ;-).
I understand the developer was self-taught (and "learn as you go" on top), so it's understandable, but whoever reads this and has truly important secrets, don't be that silly.
Having said this it is no easy to generate truly random numbers in large quantities. Again, you will need to build yourself your own hardware device, because most likely, all commercially available gear is rigged.
One thing I found fascinating about Vula was how the lack of usability of the system was its downfall.
You had highly committed activists, fighting for freedom, up against a murderous regime - and yet they still failed to use the system properly.
Activists left documents unencrypted. Keys were easily obtainable. Some important communications were sent in the clear because people found the software so cumbersome.
We all know that setting up PGP and using it properly is a pain in the neck. Security is usability.
I wrote a bit more about Vula at https://shkspr.mobi/blog/2014/01/the-hardest-problem-in-encr...
imagine losing your house keys and never being able to enter it again.
usability, most of the times, reduces security.
"Imagine"? There are plenty of folks who lost access to the crypto wallets with millions in it.
Fascinating. We have been through so much here in SA. Hoping that this GNU of ours sets back the Doomsday Clock.
Recommendation - Action Kommandant. A peek into the life of Ashley Kriel, one of our martyrs and the pride of Bonteheuwel.
Thank you so much for sharing his name - it has been a passion of mine to learn about some of the gifted fellow travelers of the ANC, whose stories (and diverse talents!) are often overlooked…
I learned about Athol Fugard in secondary school English, from a bolshie teacher who fled from SA to Canada in the 80s to avoid surveillance, and it opened my eyes.
My best wishes to the SA people as well. A nation of so many gifted people and natural riches deserves so much better. At least it seems like the era of sclerotic internal politics in the ANC is over.
If you want to crack "old" ZIP and you know a few characters in the archive there is nothing better than: https://github.com/kimci86/bkcrack
The program the entire article is about?
Read through the whole article to see the password reveal. Was not disappointed!
That wasn't the password of the zip file that John cracked. TIMBOBIMBO was the password of a file that was inside the zip file, specifically a program. The program prompted for that password before it would continue running.
The blog post doesn't say the zip file password. It's not clear to me if the program that cracked the zip file even found the zip file password. It might just be able to find the plaintext but not the password.
I too was waiting to see what the ZIP password was after all these years. I wonder if there is a way to reverse the decryption key into the password, or is it a sausage machine like password hashing?
How long would it take to brute-force this on a modern PC?
I spent a lot of power trying to reverse the actual password and got this far:
The author kindly modified bkcrack based on Tim's fuzzy recollection of what he thought he might have chosen for the password: https://github.com/kimci86/bkcrack/pull/56 and https://github.com/kimci86/bkcrack/pull/126. However, I ran out of time to work on this part and it seemed more important to get the actual code running.Also, in the course of things I discovered that Tim used PKZIP inside the BASIC code using a password that used non-printing characters.
Wow, that would make brute-forcing it an order of magnitude slower if you're having to cycle through control characters too. I wouldn't have thought to do this, as I wouldn't risk it not being supported.
The keys were personalized though. So this was for Timbo