Congratulations to commenter kibblemom who figured out the “stock trade message” yesterday! The code used is one of the oldest in existence. The “Caesar Cipher” is named after Julius himself, who used it to code his messages. A “Caesar Shift” takes any letter in the alphabet and adds (or subtracts) a certain number of letters. In a cipher with a single “key” you could type AQZC, use a forward shift of 1 as the key, and you’d get BRAD. In the “stock puzzle” below, each purchase has a different shift. Take the first digit of the number of shares purchased, and shift the first letter of the stock symbol. “Pass Go” back around the alphabet if you add, say 1 to Z to get A.
- Buy 400 shares of NETE. N + 4 = R
- Buy 400 shares of AEZS. A + 4 = E
- Buy 100 shares of REXX. R + 1 = S
- Buy 200 shares of CLNE. C + 2 = E
- Buy 400 shares of WRES. W+4 = A
- Buy 300 shares of OHRP. O+ 3 = R
- Buy 100 shares of BIOS. B + 1 = C
- Buy 300 shares of ESCR. E + 3 = H
It’s an easy code to break, but the goal was not to create an unbreakable code…it was to put the code where nobody would think to look for it, say, in an Ameritrade account trading penny stocks. A typical day trader could make several hundred transactions a day without attracting attention, letting her send a long message anytime…and nobody “monitoring communications” at some Three Initial Organization would know it…
And this is where authors especially fail to understand what hacking really is. It’s not click clack clack on the keyboard, enhance enhance, ooh we’re through that firewall… Hacking is magic. Not sorcery magic, but your basic stage magic – sleight of hand, misdirection, look over there! Now you see it, now you don’t. Much of hacking is social engineering – if you can get people to give you their secrets, you don’t have to steal them.
Some of the greatest hackers never touch a keyboard. Think of Frank Abagnale, aka Leo DiCaprio in “Catch Me If You Can.” Sure he did some physical hacking, doctoring those checks, but for the most part? It was all smoke and mirrors, showing people what they wanted to see, making them believe.
I knew of a grifter who spent her late nights in a big city trolling through “put out.” That is, what people put out for the garbageman, or leave for someone to just take away. [PRO TIP: Don’t put out your garbage, or your recycle, with your name and address on a bunch of envelopes or magazines, the night before pickup day…]
And one night she found a box full of employee manuals from American Express. (This is back in the 90s, when shit like that was in paper binders.) And she was able to pick up enough insider lingo to call AmEx, convince the lady on the other end that she too was an AmEx veteran, and get her card “reissued.” Some reading, and a phone call, and poof pow.
“That’s not hacking, that’s grifting.” Well, see, that’s the problem. Putting these things into silos is to convince yourself that the security threat is easily identifiable. “Hackers attack our systems with SQL injections, yes, that is the danger we must be aware of.” “Terrorists use message boards to communicate, that is where we will look.” [Edit – this is a problem with the “engineering mindset,” too – Google’s self-driving cars are getting into accidents because…hey, we forgot to take into account the way humans actually drive their cars, because they don’t always you know adhere to a predictable rules-based system!]
The greatest security threat in the world is…a failure of imagination. It’s making everyone take off their shoes at the airport because one guy had a shoe bomb, therefore the only future threat we can prepare for is more shoe bombs. It’s thinking that you can’t train security people with a fun, crazy game because the “gravity” of the material is too serious to “play with.” That’s the enemy’s greatest asset – institutional failure to imagine, to play with possibilities, to cut loose from guarding only the predictable targets…to refuse to use your imagination is to leave that valuable tool in the hands of the attackers.
Hacking is creativity, it’s finding a “way in” to a system or a “way past” an obstacle. But it’s by no means only about clack clack clack on a keyboard. And authors who fail to “dream bigger” are letting down their audiences.
That’s the brilliance of it. You don’t have to be a master cryptologist to create a message “the enemy” will never decode. You just have to put it where nobody will think to look…