Thursday, December 23, 2010

What I learnt from the Gawker hack

Over the years I've gradually increased my online security: better passwords, SSH, VPNs, SSL, up-to-date anti-virus, up-to-date software, never using strange computers, typing random junk into 'security questions', and so on. Even with all that I'm paranoid about online security.

But what I've learnt from the Gawker hack, and from cracking people's passwords, is that lots of people aren't. In fact, even well-known people who should know better pick bad passwords. Many of the passwords I've seen are so poor that hackers could break into the accounts of well-known people just by guessing. It's no wonder that people like Sarah Palin get hacked.

For example, I looked at the passwords of journalists (senior editors and high-profile technology writers). Many were a single word, all in lowercase: typically the name of the publication they write for or the name of a family member.

This sort of poor security means that hacks like the Gawker one are completely unnecessary. Hackers can just sit back and guess a password based on a little research.

In other cases the passwords were just a single English word written in lowercase. To defend against guessing, many sites limit the number of failed login attempts. But there's a flaw in that: since many people use the same password across multiple sites, a smart hacker can spread guesses across different sites and stay below the radar.

For example, there are users who had the same password on Gawker, Twitter, Facebook, etc. Suppose your target's password is in the top 3,000 words in English (scrubbed of words longer than 8 characters or shorter than 6). Now suppose you know they have accounts on 6 sites. Guessing randomly from the list you'd expect to hit their password after about 1,500 guesses, or 250 per site.

If you allowed yourself three guesses per site per day it would take a little over 80 days to crack their password. The more sites the person reuses the password on, the quicker it's crackable; and any site that allows many guesses makes the process quicker still.
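
Here's the back-of-the-envelope arithmetic behind those numbers (the dictionary size, site count and guess rate are just the assumptions above):

use strict;
use warnings;

my $words           = 3_000;    # candidate dictionary size
my $sites           = 6;        # sites known to share the same password
my $guesses_per_day = 3;        # per site, to stay under lockout limits

my $expected = ($words + 1) / 2;               # average position of the right word
my $per_site = $expected / $sites;
my $days     = $per_site / $guesses_per_day;

printf "~%d guesses in total, ~%d per site, ~%d days\n",
    $expected, $per_site, $days;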

That's yet another reason to use different passwords, and not to use something that a hacker can find out with a simple Google search.

Wednesday, December 22, 2010

Why do Christmas lights all go out when one bulb blows? (and how to find the broken one)

The answer is rather simple: traditional Christmas lights (I'm ignoring newfangled LED varieties) were typically connected directly to the mains power supply and wired in series like this:


Only if the filaments of all the bulbs are intact will a current flow around the circuit; if one bulb blows then the circuit is broken and all the lights go out. The reason the bulbs are wired in this inconvenient manner is that it's convenient for the manufacturer.

Although the supply voltage is 230V (or 110V), the bulbs are rated for a much lower voltage. At home I have a string of 20 lights like this with 12V bulbs. This works because of the rules of series circuits: in my string there are 20 bulbs, each with some unknown resistance R, so the total resistance of the circuit is 20R and the whole string acts as a voltage divider.

The current flowing through the entire circuit is I = 230/(20R) and the voltage across any individual lamp is V = R * 230/(20R), or 230/20. So my 20 bulbs are each getting 11.5V. That's handy for the manufacturer because they can use cheap, small, low-voltage bulbs.
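
As a quick sanity check of that arithmetic:

use strict;
use warnings;

my $supply = 230;    # mains voltage
my $bulbs  = 20;     # identical bulbs wired in series

# With identical bulbs the supply divides evenly across the string,
# whatever the actual resistance R of each bulb happens to be.
printf "%.1f volts per bulb\n", $supply / $bulbs;    # prints 11.5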

BTW, some bulbs have a second piece of wire, called a shunt, that passes current when the filament breaks. With a shunt the manufacturer can still use series wiring and cheap bulbs, but a blown bulb doesn't stop all the lights from working.

Finding the broken bulb

A really fast way to find which bulb is broken is to perform a binary chop. To do that you need a multimeter (or a similar meter to test continuity).

0. Unplug the string of lights from the power.

1. Remove the first and last bulbs and check that they are ok.

2. Remove the bulb in the centre of the string of lights. Using the multimeter, check whether there's an electrical connection between the contacts in the centre bulb's socket and each of the two end sockets you removed bulbs from (you can follow the wiring to see which way the wires go and which contact corresponds to which).

3. Pick the half where there's no connection: the broken bulb is in there. Remove the bulb in the middle of that half of the string and check it. If it's OK, check the electrical connection between the socket of the bulb you just removed and each of the two nearest empty sockets (which will be the middle of the string and one end).

4. Proceed like that, following the half where there's no electrical connection and dividing it in half each time, until you find the broken bulb.

This is a binary search, a standard technique from computer science, and it will find the broken bulb much faster (on average) than checking each bulb in turn.
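
In code the procedure looks something like this. It's only a sketch: connected() and bulb_ok() stand in for you poking the multimeter at a pair of empty sockets or at a removed bulb.

use strict;
use warnings;

# Sockets are numbered 1..N. $lo and $hi start as the two ends, with their
# bulbs removed and checked OK; the dead bulb lies strictly between them.
sub find_broken {
    my ($lo, $hi, $connected, $bulb_ok) = @_;
    while ($hi - $lo > 2) {
        my $mid = int(($lo + $hi) / 2);
        return $mid unless $bulb_ok->($mid);    # the middle bulb itself is dead
        if ($connected->($lo, $mid)) {
            $lo = $mid;                         # lower half intact; fault is above $mid
        } else {
            $hi = $mid;                         # no continuity; fault is below $mid
        }
    }
    return $lo + 1;                             # only one candidate left
}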

My password generator code

Some people have asked me about the code for my password generator. Here it is:

use strict;
use warnings;

use Crypt::Random qw(makerandom_itv);
use HTML::Entities;

# Print the column headings A..Z and a ruled line.
print "<pre>\n ";
print join( ' ', ('A'..'Z') );
print "\n +-", '--' x 25, "\n";

# One row per letter; each cell is a random printable ASCII character
# ('!' to '~') drawn from a cryptographically secure source.
foreach my $x ('A'..'Z') {
    print "$x|";
    foreach my $y (0..25) {
        print encode_entities(
            chr(makerandom_itv( Strength => 1,
                                Uniform  => 1,
                                Lower    => ord('!'),
                                Upper    => ord('~') ))), ' ';
    }
    print "\n";
}
print '</pre>';

Monday, December 20, 2010

Royal Festival Hall conundrum

When I went to record Shift Run Stop at the Royal Festival Hall a few weeks ago I noticed that the display on the 5th floor lift was not showing 5 but a bit pattern. I snapped a quick photo and decided to look into it later:


And here's a close up of the top of it.


If you look carefully you'll see that there are 8 columns of on or off squares. I transcribed the squares with on = 1 and off = 0 to get the following list: 11111111 11000100 11011000 11101100 00000000 00010100 00101000 01001110 01110100 10001000 10011100 10110000 11000100 11011000 11101100 00000000 00010100 00101000 00111100 01010000 01100100 01111000 10001100 10100000 10110100 11001000 11011100 11110000 00000100 00011000 00101100 01000000 01010100 01101110 10001110 10110100 11001000 11101110 00000010 00010110 00101010 01010000 01111000 10001100 10110010 11001110 11101100 00000000 00100110 00111010 01100000 10000110 10011010 11000000 11010100 11111010 00100000 01001100 01101100 10000000 10010100 10101000 10111100 11010000 11100100 11111000 00001100 00110110.

Apart from the first item, which is all 1s, all the others have a right-most bit of zero. At first I thought this might be 7-bit ASCII (LSB first), but decoding that just gives a mess. Then I wondered if it was machine code, but that seems unlikely given that one of the bits is always zero. I don't think this is random data.

Here it is as hex with LSB on the right.

ff c4 d8 ec 00 14 28 4e 74 88 9c b0 c4 d8 ec 00 14
28 3c 50 64 78 8c a0 b4 c8 dc f0 04 18 2c 40 54 6e
8e b4 c8 ee 02 16 2a 50 78 8c b2 ce ec 00 26 3a 60
86 9a c0 d4 fa 20 4c 6c 80 94 a8 bc d0 e4 f8 0c 36

And with the bit order reversed within each byte:

ff 23 1b 37 00 28 14 72 2e 11 39 0d 23 1b 37 00 28
14 3c 0a 26 1e 31 05 2d 13 3b 0f 20 18 34 02 2a 76
71 2d 13 77 40 68 54 0a 1e 31 4d 73 37 00 64 5c 06
61 59 03 2b 5f 04 32 36 01 29 15 3d 0b 27 1f 30 6c
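
That reversal is just flipping the bit order within each byte. For anyone who wants to play along, here's roughly how I got from the transcription to the two hex dumps (first few bytes only):

use strict;
use warnings;

# First few entries of the transcription.
my @bytes = qw(11111111 11000100 11011000 11101100);

foreach my $b (@bytes) {
    my $as_read  = sprintf "%02x", oct("0b$b");                    # LSB on the right
    my $reversed = sprintf "%02x", oct("0b" . scalar reverse $b);  # bit order flipped
    print "$b -> $as_read / $reversed\n";
}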

So, what could it be? I'm assuming that the display is showing something from either its internal memory or the memory of its controller, and that we are looking at consecutive memory locations (this could also be incorrect).

Anyone else want to take a stab at this? Anyone know what company made the controller for the display or the lift?

The other thing that's odd is that there are lots of monotonically increasing sequences in the data. E.g. drop the ff and observe:

c4 d8 ec
00 14 28 4e 74 88 9c b0 c4 d8 ec
00 14 28 3c 50 64 78 8c a0 b4 c8 dc f0
04 18 2c 40 54 6e 8e b4 c8 ee
02 16 2a 50 78 8c b2 ce ec
00 26 3a 60 86 9a c0 d4 fa
20 4c
6c 80
94 a8 bc d0 e4 f8
0c 36

Friday, December 17, 2010

Write your passwords down

Here's my advice on password security based on the collected opinions of others:

1. Write them down and keep them in your wallet because you are good at securing your wallet. (ref)

2. Use different passwords on every web site because if you don't, one hacked site = all your accounts hacked. (ref)

3. Use passwords of at least 12 characters. (ref)

4. Use mixed-case, numbers and special characters. (ref)

Research says you need 80 bits of entropy in your password, so it needs to be long, chosen from a wide range of characters, and chosen randomly. My scheme gives me 104 bits of entropy.

My passwords are generated using a little program I wrote that chooses random characters (using a cryptographically secure random number generator) and prints them out as a tabula recta. If you were to steal my wallet you would find a sheet of paper in it that looks like this (I have a second copy of the sheet left with a friend in an envelope):


I use that sheet as follows. If I'm logging into Amazon I find the intersection of column M and row A (the second and third letters of Amazon) and then read off 16 characters diagonally. That's my Amazon password (in this case, TZ'k}T'p39m-Y>4d; when I hit the edge of the paper I just follow the edge).
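
As a sketch of that lookup in code (using wrap-around at the edges rather than my follow-the-edge rule, and assuming the 26x26 grid has already been loaded into $grid):

use strict;
use warnings;

sub password_for {
    my ($site, $grid) = @_;    # $grid->[$row][$col], rows/columns 0 ('A') .. 25 ('Z')
    my ($col, $row) = map { ord(uc $_) - ord('A') }
                      (substr($site, 1, 1), substr($site, 2, 1));
    my $password = '';
    for (1 .. 16) {
        $password .= $grid->[$row][$col];
        $row = ($row + 1) % 26;    # step diagonally, wrapping at the edges
        $col = ($col + 1) % 26;
    }
    return $password;
}

# e.g. password_for('amazon', $grid) starts at column M, row A.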

The security of this system rests on the randomness of the generated characters and on keeping the piece of paper safe.
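
For the curious, the entropy is easy to check: 16 characters, each drawn uniformly from the 94 printable ASCII characters between '!' and '~', gives roughly the 104 bits quoted above.

use strict;
use warnings;

my $alphabet = ord('~') - ord('!') + 1;                 # 94 printable characters
printf "%.1f bits\n", 16 * log($alphabet) / log(2);     # prints 104.9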

PS Yes, it's a total pain to use long, random, different passwords.

PPS If it's not obvious to people you can add a second factor to this (something only you know) in the form of the algorithm for picking the password from the sheet. For example, instead of using the second and third characters from the site name you could pick any combination. And you could change the letters as well (e.g. for Amazon you could use the last two letters moved on one place in the alphabet; you'd have PO as the key). Also you don't have to read diagonally but could use any scheme that works for you (e.g. a spiral pattern, read vertically, read characters at offsets from the start based on the Fibonacci sequence, etc.).

Thursday, December 16, 2010

Inside the Gawker hack: the .uk domains

The other day I talked about the Gawker hack and I thought it would be interesting to look a little deeper at the .uk domains in the file. There are 7,599 such accounts with email addresses that have hash values suitable for attacking with John the Ripper.

I've now let it run for 24 hours and have cracked 2,512 of the accounts (about a third). Here are some fun facts based on the cracked passwords.

1. There are two government accounts with Government Secure Intranet email addresses, from the Crown Prosecution Service and The Charity Commission, with very simple passwords. Plenty of schools and universities are represented, as are ACAS and Tesco, plus a smattering of people from the NHS.

2. The top ten passwords are 123456, 12345678, password, liverpoo (note that the Gawker system truncates at 8 characters), letmein, arsenal, chelsea, starwars, daniel and qwerty. Clearly, football clubs (Liverpool, Arsenal and Chelsea) are important when cracking UK-based passwords. Further down the list the football theme continues with manchest, manunite and ronaldo.

3. The top ten domains by cracked password are hotmail.co.uk, yahoo.co.uk, live.co.uk, blueyonder.co.uk, tiscali.co.uk, aol.co.uk, o2.co.uk, homecall.co.uk, yahoo.com.uk and zen.co.uk.

4. Journalists seem to be quite bad at picking passwords. There are easily cracked passwords from senior figures (editors) at The Guardian, The Observer, The Times and The Daily Telegraph. Note to hacks: using the name of your paper as a password is probably a bad idea.

5. More worrying are the individuals whose email address includes their full name (or who use a custom domain) and whose password is a word that is likely significant to them. Since they probably think that password is safe they'll likely use it elsewhere, so there's a real risk of those individuals being attacked directly.

6. There's a senior figure from the Liberal Democrats (not an MP) whose password is an easily guessed word.

Casting the net outside the .uk domains, it's possible to find British companies like BP, British Telecom, HSBC, Shell, Barclays, BHP Billiton, Unilever, ... Many have easily cracked passwords.

System administrators would do well to check their own domains, as I did, to make sure their users are not exposed, and to do a bit of password security education.

PS Just in case you think I'm some kind of l33t h4x0r for this, bear in mind that password cracking tools are widely available on the Internet, the complete database is circulating widely and can be found via Google, and running JtR is not hard at all. No uber-skills required.

Wednesday, December 15, 2010

Plan 28 gets some professional PR

Last week I announced that Doron Swade had joined Plan 28. I'm happy to say this week that we're getting some professional help with our announcements (and more) from global PR firm AxiCom. AxiCom handles clients such as Dell, Panasonic, Ericsson, Fujitsu, Logitech, McAfee, Qualcomm, Salesforce.com and more.

And now, on a pro bono basis, they are handling Plan 28. Here's their official blog announcement of their involvement.

Having professional PR is another big boost for the project because it takes a load off my shoulders and AxiCom can reach people and places I simply can't. I expect that their involvement will help Plan 28 enormously. Expect to see more news stories about the project over the coming months and more announcements about additional support for the project.

As always there's lots more going on; once details are finalized I'll announce them. And please remember that Plan 28 still needs your financial support to make it a reality.

Tuesday, December 14, 2010

Don't write to me asking me to support your crusade against global warming science

I've received yet another email indicating that the author thinks I don't believe man is responsible for global warming. This comes about because of an insidious sort of tribalism that has turned conversations about climate change into a "you're either with us or against us" situation.

For the record, my reading of the scientific literature and my own reproductions of Met Office data convince me that (a) the world is warming and (b) the most likely reason for this is man.

Much of the 'debate' about climate change reminds me of the pro-choice/pro-life non-debates in the US. Once you split down what look suspiciously like faith lines you're no longer doing science at all. Many people seem to mistake my criticism of the quality of source code used by UEA's CRU as indication of some underlying belief on my part.

Poppycock.

To be clear, I think the code I saw from CRU was woeful and had many easily identified bugs. I also think that source code used for scientific papers should routinely be made available. And, yes, I did find errors in Met Office software. People who discuss those errors often seem to omit the fact that correcting them reduces the error range for global temperatures, thus increasing the confidence that the temperature trend has been upwards since the 1970s.

I find it very sad that I can't criticize the one area of climate change science I know something about (software) without suddenly being thought of as 'on the side of the skeptics/deniers'. I'm not on anyone's side. I'll call it like I see it.

Shift Run Stop

Some time ago I recorded a long interview with the fine folks at Shift Run Stop. The interview covered all sorts of topics, but focussed on Plan 28 with detours through Kinect hacking, GAGA-1, Tron and The Geek Atlas.

The podcast comes out this Thursday, but here's a sneak preview.

John Graham-Cumming from shiftrunstop on Vimeo.

Monday, December 13, 2010

Many of the Gawker passwords are easily cracked

This morning the hack of Gawker Media (including sites like LifeHacker and Gizmodo) is big news and I grabbed the torrent to make sure that no one in my office had been compromised. Happily there were no causata.com email addresses in that file.

But there were email addresses of people I know. I did a quick check by downloading all my email contacts as a CSV and then doing a grep.
$ cut -d, -f 15 contacts.csv | \
    xargs -I % grep % real_release/database/full_db.log | wc -l
17

So, 17 people I know were in the list. The passwords are stored using a DES-based hash which is quite readily attackable using John the Ripper, so I set it to work on the people I know. (At the same time I emailed them all to warn them.)

Within seconds I had the passwords of 3 of the 17 (including the password of one well-known tech personality and one person who was using the password 'password') and within a few minutes another two. I didn't keep a record of the passwords.

If you use any of the Gawker sites change your password; if you use the same password on a different site: STOP NOW (and change all your passwords to something different).

PS I'd stay away from the Gawker sites for a while. The entire source code was compromised, so I expect hackers are already reading the code looking for vulnerabilities, and additional hacks may occur in the coming days.

As part of the hack a long list of compromised accounts was distributed. The top 15 cracked passwords are:
3057 123456
1955 password
1119 12345678
661 lifehack
418 qwerty
333 abc123
311 111111
300 monkey
273 consumer
253 12345
247 letmein
241 trustno1
233 dragon
213 baseball
208 superman

Please don't use simple passwords like this! Use a password manager like KeePass and generate random passwords for each site.

Friday, December 10, 2010

Are some Oxford colleges racist?

As a follow-up to yesterday's post about statistics on black students applying to and being accepted by Oxbridge colleges, I thought I'd look at the "Merton problem". In the original article the author writes: "Merton College, Oxford, has not admitted a single black student for five years".

Two questions come out of that. First, how likely is the event "a single Oxford college doesn't admit a single black student for five years in a row", and second, "are some Oxford colleges racist?"

In an email, Ben Goldacre answers the first question. Ben calculates the p-value of the "Merton problem" as (0.29^5) * 38 = 0.0779423662, i.e. given the small number of black students applying to Oxford you can't say with statistical confidence that the "Merton problem" is anything more than a natural consequence of randomness.

So, let's turn to the second question. Happily, the article's author has published the documents he received from Oxford and Cambridge, and from them we can calculate the rate at which black students are accepted at each of the colleges (for some reason there's no acceptance data for Hertford and Harris Manchester).

Here's the data:


There I've shown just the total number of black students applying to each college from 1999 to 2009, the total number accepted, and the calculated acceptance rate. You'll notice that some colleges get more applicants than others. Interestingly, Merton received the lowest number of black applicants, which goes a long way to explaining why it didn't accept more students.

Now, let's turn to the acceptance rate. Do the acceptance rates tell us that some colleges are more racist than others? For the statistical test take the null hypothesis as "black students are accepted at the same rate by all Oxford colleges" (i.e. what I'm asking the test is "does this data look like it's not uniformly distributed?").

Using my old friend the chi-square test we get a value of 39.161 for 27 degrees of freedom (there are 28 colleges with data). A chi-square table gives critical values of 40.11 (p=0.05), 46.96 (p=0.01) and 55.48 (p=0.001), so we can't reject the null hypothesis. This data doesn't give us evidence that the acceptance rates at Oxford colleges are anything other than uniform.

Thursday, December 09, 2010

The utter balls people write about Oxbridge

I start by apologizing for the profanity, but when I hear people spouting questions like "What is it about the famed Oxbridge interview system that counts against students who didn't attend a top public school?" it makes me very angry. The implication in the article is that there's a race bias (or is it a school bias, or a north/south divide bias... I actually lost track of the number of biases the article is claiming).

The answer to the question is rather simple (as long as the question is reframed as "What is it about the famed Oxbridge interview system that counts against some people?"). The Oxford interview process is bloody hard. So hard that 25 years on I use questions asked of me at 17 years old to screen candidates for programming jobs. The interview process is not designed to discriminate against people who didn't go to a top public school, it's meant to discriminate against people who aren't up to studying there.

I attended Oxford at the same time as David Cameron and his chums (Michael Gove was in the room next to me for a year). There certainly were lots of people from public schools (perhaps they did get in because their Dad went to Oxford, or perhaps it was because of the level of education they received), but there were also lots of people like me who didn't, in the stereotype, go to Eton.

I went to Oxford from a large comprehensive school. I sat that grueling entrance exam in mathematics, I was invited for interview and stayed days in Oxford being interviewed over and again. I didn't get special tuition to make it into Oxford, I'm not a public school boy and no one in my family has an Oxford connection. Neither of my parents have degrees.

I was asked extremely searching questions about mathematics and computer science that were well outside any A level curriculum and the purpose was to see how I would think. One interviewer pointedly asked me why I hadn't done a particular question on the entrance exam and then made me answer it at a blackboard in front of him. Another made me stand in front of a blackboard and solve a problem in computer science.

While I was at Oxford I was asked to go into comprehensive schools to encourage people to apply. Many people write themselves off and don't even try. This is a problem and the linked article doesn't help the situation by portraying Oxford as racist.

The author should have asked himself why so few black students were applying to Oxford and so few were getting top A level grades. You'd think he might have done that given that he was Minister for Higher Education under the previous government. But it's a lot easier to point the finger at some imagined evil institution than ask the hard questions about the state of education in British schools.

And he really shows his deep knowledge of the subject when he states: "Cambridge doesn't employ a single black academic." Sorry, Dr Okeoghene Odudu, Dr Justice Tankebe (inter alia) I guess you don't count for some reason.

It is tragic that such a small number of black students are getting top grades, but whacking Oxford and Cambridge without attacking the root cause is almost criminal. It betrays the very people the author claims to be trying to help.

He also states: "You will not find these figures on the Oxford or Cambridge websites." Wanna bet? How about Oxford's Undergraduate Admissions Statistics for 2009 entry? Let's look at Ethnic Origin.

And we'll just compare "Whites" to "Black African, Caribbean and Other". So: 8,378 white applicants; 221 black. Switching to acceptances we have 2,316 white acceptances; 27 black. So 28% of white applicants got in and 12% of black applicants. Evidence of race bias or something else?

To quote the site: "Oxford’s three most oversubscribed large (over 70 places) courses (Economics & Management, Medicine and Mathematics) account for 44% of all Black applicants – compared to just 17% of all white applicants." and "Subject breakdown: 28.8% of all Black applicants for 2009 entry applied for Medicine, compared to just 7% of all white applicants. 10.4% of all Black applicants for 2009 entry applied for Economics & Management, compared to just 3.6% of all white applicants."

So you've got a small number of candidates applying to the most oversubscribed subject areas: 44% of black applicants are applying for courses with acceptance rates of 7.9%, 12.1% and 19%.

Put those figures together and assume no bias, and for that 44% you get about 12 black students admitted out of the 97 who applied to those subjects. That's a success rate of 12%, which agrees with the figure given above: and that's assuming that the acceptance rates for those three subjects have no bias at all.

What about the other 56%? That's 123 students, of which 27 - 12 = 15 were accepted. So that's also 12%. The problem with interpreting that is that these are tiny numbers compared with the pool of 11,896 students who applied, and without knowing what subjects they applied for it's hard to dig into them.

But it is possible to work backwards. Suppose that 28% of those 123 black students had been accepted (the average rate for whites): that would be about 34 acceptances, and the total would be 34 + 12 = 46 out of 221, or 20.8%. Comparing that with the overall 12% rate, it's clear that the acceptance rate for black students is lower than for white students in the non-oversubscribed subjects as well. But knowing why is hard.
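
Spelling out that back-of-the-envelope calculation (all the numbers are from the admissions statistics above):

use strict;
use warnings;

my $other_black = 123;     # black applicants outside the three oversubscribed courses
my $white_rate  = 0.28;    # overall white acceptance rate
my $from_over   = 12;      # expected black acceptances in the oversubscribed courses

my $would_be = int($white_rate * $other_black + 0.5);    # about 34 acceptances
my $total    = $would_be + $from_over;                   # 46
printf "%d out of 221, or %.1f%%\n", $total, 100 * $total / 221;    # 20.8%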

If they are all applying for earth sciences (acceptance rate 44.9%) then there's a problem; if they are applying for law (acceptance rate 17.7%) then a different picture emerges; and if it's Fine Art (acceptance rate 12.9%) they are close to spot on. The only way to get to the bottom of that puzzle is a breakdown by subject and ethnic origin. But with such a tiny group of applicants even a change in the acceptance of a single student could cause wild swings in the percentage acceptance rates.

The other laughable misuse of statistics in the article comes in the form of cherry-picking: "Merton College, Oxford, has not admitted a single black student for five years." Hardly surprising. If 2009 is anything to go by, just 27 black students were admitted to the entire university, and there are 38 colleges in Oxford. 27 students can't be spread evenly across 38 colleges, so it's no surprise that a specific college had no black students for a number of years.

The bottom line is that getting into Oxbridge is hard and that the number of black students applying is tiny. Imagine for a moment that black students got in at the same rate as white students. There would still only be 62 black students at the university. Let's attack the real problem and raise up the education level of black students.

Update: Follow up post looking into the Merton Problem.

Update: I emailed Oxford asking if they'd release the breakdown by ethnic origin and subject so that per-subject bias can be examined in the non-over subscribed subjects. Will blog if I get a result.

Update: I saw a comment on Twitter that said that it was "delusional of the author [i.e. me] to doggedly say there is no way oxbridge has any institutional issues at all." Clearly, I haven't said that Oxford has no institutional issues (in fact, it would be utterly amazing if it didn't), and in a comment I stated: "If anyone would like to point me to statistically significant data that shows bias I'd be happy to write about it." I don't see it from the data, but if it's there it should be examined.

Backgrounder document on Plan 28

Doron and I have prepared a short document that describes the background and goals of the project. This is primarily intended for use with third-parties (such as sponsors, institutions and the press), but in the spirit of openness here's a copy that anyone can read.



A brief introduction to the Plan 28 Project by John Graham-Cumming/Doron Swade is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

If you want to understand the Analytical Engine, start with the Difference Engine No. 2

There are large similarities between Charles Babbage's Difference Engine No. 2 and the Analytical Engine. Critically, Babbage designed the Difference Engine No. 2 after the Analytical Engine and it incorporates improvements discovered during the design of the Analytical Engine.

And the printer that's part of the Difference Engine No. 2 is identical to the printer needed for the Analytical Engine. Babbage said that the same printer would be used for both. The memory of the Analytical Engine is very similar to the figure wheels in the Difference Engine No. 2.

Here's Doron Swade demonstrating and explaining the Difference Engine No. 2:



And here's a lovely video of the machine in motion. Now try to imagine the Analytical Engine which will have 8x the number of parts and be vastly bigger.

Babbage books as stocking stuffers

If you're following along with Plan 28 (the project to build Charles Babbage's Analytical Engine) then you might like to do some background reading. Here are four suggestions for stocking stuffers for the coming holiday:

1. Doron Swade's The Difference Engine (also published with the title The Cogwheel Brain).



This is Doron's account of the Difference Engine No. 2 as envisaged by Babbage and as built by the Science Museum in London.

2. William Gibson and Bruce Sterling's The Difference Engine.



A fantasy that imagines what would have happened if the Analytical Engine had been built in Babbage's time.

3. Cultural Babbage



A set of essays inspired by the Difference Engine No. 2 that discuss the cultural significance of Babbage and his life.

4. Charles Babbage's Passages from the Life of a Philosopher



Babbage's autobiography.

More background reading here.

Tuesday, December 07, 2010

A boost for Plan 28

Up until a couple of weeks ago Plan 28 was a one-man show. Although Plan 28 has received enormous press coverage, and many people have pledged money, services, material and time, the project was still just me.

I'm happy to say that that's no longer the case.

Doron Swade, the pre-eminent Babbage expert who, as curator of computing at the Science Museum, masterminded the project to build Babbage's Difference Engine No. 2, has joined me on the project. Doron and I now share responsibility for finishing Babbage's work.

Doron and I met over coffee a few weeks ago to discuss the Analytical Engine and it was clear that both of us had been dreaming of building the physical engine for public display. Happily, Doron had been doing a lot more than dreaming. His deep knowledge of Babbage's engines and his continuing study of Babbage's plans and notes have placed him in the unique position of being the key figure in any attempt to build the world's first digital, programmable, automatic computer.

Much more has been happening behind the scenes that we cannot yet discuss, and the project's success is by no means guaranteed, but Plan 28 has received a major boost in the form of Doron Swade.

PS You can still pledge to the project; your promise of $, € or £ is much needed!

Monday, December 06, 2010

GAGA-1: The Camera Hole

This weekend's work on GAGA-1 was mostly around mounting the camera inside the capsule. The capsule walls are 95mm thick so a hole had to be cut all the way through for the thinnest part of the lens and then part way through for two other parts. A second trench had to be cut into the polystyrene for the part of the camera where the batteries are held.

The other thing I worked on was the positioning and mounting of the computers and where the batteries will sit. Here's a shot inside the box showing the camera pushed into place and flush against the capsule sides. There's a single battery pack in roughly the spot where it will be fixed and the recovery computer on the wall opposite the camera. The two gold connectors are the GSM and GPS antenna SMA connectors.


And here's a shot showing the hole pierced through the capsule wall to allow the camera to take photos (yes, I have checked that the capsule wall is not visible in the photos). The recovery computer can be clearly seen at the back. I will be painting the hole the same yellow as the rest of the capsule just to make it look nicer.


The hole was cut with a very sharp, thin knife. A bit messy but the end result is certainly good enough. Here's the camera in the hole.


I insulated the trench with space blanket to keep the camera as warm as possible, but left the lens hole untouched because the walls are very thick there. The black circles are velcro pads used to help keep the camera in place during the flight.

Friday, December 03, 2010

Breaking the Reddit code

A few days ago an entry on Reddit asked for help breaking a code. Because I was laid up in bed yesterday with something chesty and nasty I couldn't help but wonder about the decryption of the message (see also the Fermilab code). At the time no one had broken it.

I managed to break it; here's how.

The original message was written on paper like this:


So I did my own transcription of the message and obtained the following four lines:

SSNTTNNDERPEVEEEHNOTONNAAEWMAEEMUDRITRNTNDOAWNETOHTVEEDMRMRTTFOGT
HUUFSHIIEMAHVOIANRTOARRSJRGEHHIEREELSEANMSTEMEWYEOHAMDEOMITTIECI
OLCHHIMDBRPPCAPROMRADIMEOSISLTSTYMEIATYOOEDSTHIEVLVEOBECWGEOORYA
TYERNOAEONLWRSLESKEEHTAEYIODSAAOIHWIUTMNWEONTHATPLVRLAPLIEOAAOUN

There were a couple of things that stood out immediately. Just eyeballing the text, it looked like English (lots of E's, T's, etc.), and running it through a letter frequency checker confirmed that.


So, given that, the code was most likely some kind of transposition cipher. I blindly ran through a bunch of classic ciphers, using anagramming to try to find likely words. I wasted ages on this and got nowhere, although I did discover that the last 16 letters can be rearranged to say POPULAR I LOVE ANAL.

Then I went back and looked at the text. There are clues within it. First, it's broken into four separate rows, and that's likely significant. Secondly, the first row is one character longer than the others, which made me think that character must be the last one in the message.

After much messing around with the order of the rows I discovered that reversing the first and third rows resulted in the word THAT appearing in the first column:

TGOFTTRMRMDEEVTHOTENWAODNTNRTIRDUMEEAMWEAANNOTONHEEEVEPREDNNTTNSS
HUUFSHIIEMAHVOIANRTOARRSJRGEHHIEREELSEANMSTEMEWYEOHAMDEOMITTIECI
AYROOEGWCEBOEVLVEIHTSDEOOYTAIEMYTSTLSISOEMIDARMORPACPPRBDMIHHCLO
TYERNOAEONLWRSLESKEEHTAEYIODSAAOIHWIUTMNWEONTHATPLVRLAPLIEOAAOUN

And, in fact, if you read down the columns from left to right (and add some spaces) you get:

THAT GUY YOUR EFFORTS ON THE ORIGAMI WERE COMMENDABLE HOWEVER VOV
STILL HAVE ONE STRIKE THE NOTE WAS HARD TO READ SO ENJOY TRYING TO READ
THIS I HEAR I MADE YOUR TIMESHEET WELL I ASSUME IT WAS ME NO NAME WAS
MENTIONED NO MATTER HOW MANY OTHER PEOPLE HAVE A CRVMPLED PAPER
PROBLEM DID I MENTION THAT I HATE CONCLUSIONS

Notice that I made a few transcription errors. I suspect that VOV is really YOU and CRVMPLED must be CRUMPLED.
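
Here's a little script that reproduces that final step from my transcription: reverse the first and third rows, then read down the columns.

use strict;
use warnings;

my @rows = (
    'SSNTTNNDERPEVEEEHNOTONNAAEWMAEEMUDRITRNTNDOAWNETOHTVEEDMRMRTTFOGT',
    'HUUFSHIIEMAHVOIANRTOARRSJRGEHHIEREELSEANMSTEMEWYEOHAMDEOMITTIECI',
    'OLCHHIMDBRPPCAPROMRADIMEOSISLTSTYMEIATYOOEDSTHIEVLVEOBECWGEOORYA',
    'TYERNOAEONLWRSLESKEEHTAEYIODSAAOIHWIUTMNWEONTHATPLVRLAPLIEOAAOUN',
);

# The first and third rows were written right to left, so flip them.
$rows[0] = scalar reverse $rows[0];
$rows[2] = scalar reverse $rows[2];

# Read down the columns, left to right; the first row is one character
# longer, so its final character ends the message.
my $plain = '';
foreach my $col (0 .. length($rows[0]) - 1) {
    foreach my $row (@rows) {
        $plain .= substr($row, $col, 1) if $col < length $row;
    }
}
print "$plain\n";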

Guess I'll have to get back to Kryptos now.