This looks like a handy tool, certainly for puzzles and exploring encodings. It makes decoding puzzles like this very quick! 11100111 10111011 10011101 11100100 10111000 10001101 11100100 10111100 10011010 11100110 10010100 10111110 11100101 10111100 10000011 11100100 10111101 10100000
Yeah, I always used to use Python for this kind of thing - it offered easy ways of doing most interesting operations, made experimenting and chaining operations really easy, and it was easy to write my own helper functions if necessary.
Glad to see that CyberChef supports Numberwang. There are many nefarious uses that such a complicated numerical system could be put to. I'm happy that our intelligence agencies are on top of this.
I don't think there's IC bashing for the sake of it. At least no more than Apple bashing, Microsoft bashing, Facebook bashing, ... You get it :)
There's bashing against malpractice, illegal data gathering and in general against any abuse of other people's freedom.
But my comment was about the guidelines. There's no need to call that out and helps no one. You could have accomplished a better outcome just by highlighting positive stuff about the IC, like this very same set of tools. And please don't get me wrong, I'm not trying to patronize anyone here, I'm just a mere HN reader.
"In 2013, GCHQ received considerable media attention when the former National Security Agency contractor Edward Snowden revealed that the agency was in the process of collecting all online and telephone data in the UK via the Tempora programme."
Other than the anachronistic name (thought "cyber" wend out in the 90's), I'm extremely impressed to see such an awesome tool come out of the public sector. Kudos to GCHQ!
A year ago someone in my research group claimed that they were 'getting into cyber'. I looked around the room and almost every other member of the group looked confused and a little concerned.
Apparently 'cyber' has become a byword for 'cyber security'. I hope that this does not last.
Nah, "Cyber Security" is becoming the defacto term for referring to what I would have called IT Security in the past (some interesting reading on the topic here http://cyber.uk/cyber/)
I take it you have no exposure to the public sector? Referring to "Cyber" as "IT/Info/Computer/Network Security" will immediately identify you as an outsider in man public sector positions.
According to Google Trends, "cyber" overall slowly going out of use, but "cyber security" has a reverse trend. At the same time, Cyber Monday is winning it all.
Google trends is not good for this kind of analysis. Google trends is based on the number of searches for a particular term relative to all other searches. So you see the same trend when you look at other tech topics like Linux, programming, SSH, computer science, etc. It's not that these things are necessarily becoming less popular, just that tech oriented people were over represented on the early internet, and thus Google search. As more non tech people started googling stuff, tech topics fell in their relative importance.
Re-read the comment you replied to, cyber security is trending in the opposite direction of Cyber (or SSH). That would seem to invalidate your thesis; Cyber security is gaining popularity relative to other topics.
Edit: there's also an interesting spike in Google trends for "cyber" every November. National Cyber Security Awareness Month is in October.
There were two assertions made in tener's comment. The first was that the term "cyber" was going out of use, the second was that the term "cyber security" was increasing. My comment was referring to the first assertion.
This is the best part of this site, I completely forgot what this article was about and I'm 60 comments deep about the history and trends of the word "cyber". There needs to be a site dedicated to these entertaining comment threads / bravo
So does your chain of reasoning go like this: GHCQ made the application. GHCQ is a spy agency. Therefore, GHCQ must have planted a backdoor in the application?
Theoretically, they could sabotage the crypto algorithms, hope that someone uses it, intercept that communication, and decrypt it using the sneaky weakness they introduced.
Or the right circumstances could cause the library to make requests to their secret government hacking command-and-control server.
Seeing that they released this at github.com/gchq/..., I'd keep my eyes open for requests to secret-hacked-data-backchannel.open-exploit-project.gchq.co.uk
(Or, with less sarcasm: this is probably the project on github with the lowest possibility of containing government backdoors).
(or maybe that's just what they want you to believe)
(or maybe that's just what /we/ want you to believe)
(or maybe that's just what /I/ want you to believe)
You should probably read the manual before using a webapp for your encryption needs. From the Readme:
>it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification
>Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.
Though it doesn't say so, at a glance it looks like it's entirely browser-based and doesn't communicate with a server in any way. Pretty handy project. Code looks clean, too.
There's a download button at the top, though it just goes to the htm file, I believe you can just save that and use it fully offline as you mention! Good tool to have saved for sure.
Neat project and slick interface! Does the gchq use this tool internally? Did you have a use case already in mind for this?
This would be pretty useful as a web developer. A good idea would be to add a JSON validator.
I'm trying something very simple and I can't figure out if the flaw is on me or on them.
1. Take a base64 encoded payload as Input: "AAAAI9Dw0qHYq9+61/XPtJS20bTAn+yV5o/hh+jK8J7rh+vLtpbr". I use the "From Base64" module.
2. The result is differential XOR crypt. The seed is 171. I select the XOR module and use 171 as the key. Then i pick "differential" option. Doesn't work.
As cool as this looks, not sure how this is any easier to use than a simple Python or Ruby script (or even Bash, if that's more your thing).
EDIT: In lieu of downvoting, would someone like to explain their disagreement? I'm curious. Perhaps this would open up certain programming powers up to non-coders, but for anyone who knows how to code, it seems much easier to just write a script to make these kinds of transformations.
I made a field visit to an MSSP[1] and they used a tool just like this (although not nearly as complete). Most security analysts don't know how to code. Even if they do know how to code, it's faster to take advantage of a nice interface that's already been made.
The security analysts need to consider data from thousands of different alerts on a daily basis. There is definitely room for automation, but I think there will always be some need for human judgement and manual analysis (which tools like this will greatly expedite).
I got -4 just for stating the same opinion, and found out your comment at the end of this page.
Since everything is really text here, the typical UNIX way of doing things seems to be much more practical in dealing text transformations here. I second your `Bash' opinion. I could imagine a package populate your PATH as
PATH=DataFormat:EncryptionEncoding:PublicKey:…
and simply put nice little binaries, each of which does one thing and one thing only, and you can use them like,
cat FILE | toBase64 | entropy
A nice interface of such thing in Haskell or APL would really shine. I bet GCHQ must have a much nicer internal library (which runs at a fraction of their machines' peak FLOPS) in one of their favorite languages that they can script and launch multiple tries by pushing a few buttons on their keyboard. And of course they are not sharing that.
Alas, point-and-click lovers seem to be the majority here on HN.
> Making all of these available and chaining all of these together wouldn't be a simple script.
All transformations are readily available in the standard library of a language like Python or Ruby. And note that this CyberChef tool doesn't chain them together either. The user does that. Likewise with a Python or Ruby script.
I guess I can see how this would be useful if you don't know how to code, but I don't know anyone who would be able to use a tool like this who doesn't know how to code.
Also, I can see how this would be useful in the same way that a web app like jsfiddle is useful, to make a quick example to share with others.
In any case, I clearly wrong, since I've been so highly downvoted.
Are you comfortable using a scripting language like Python, Ruby, or Bash, and a shortcut-driven text editor like Vim or eMacs?
Perhaps because I'm skilled at Vim, using Python and Vim is unquestionably quicker for me than using a mouse to drag/paste/click a bunch of boxes around for any imaginable use case. I suppose if you're used to using mouse-driven programming environments like Windows often is used, this might be quicker...
This is a very handy tool - very full in terms of features as well. I really like that you can drag and drop components and configure them in order to create a transform. Very nice!
This is an interesting tool, and I'll happily use it for puzzle solving, but I'm concerned that it misrepresents itself in a dangerous way.
From the About link:
> "CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression."
> "It is expected that CyberChef will be useful for cybersecurity and antivirus companies."
From the backing Github readme, which as far as I can see is not directly linked on the page:
> "Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness."
Now, it's fair to say that professional security types should assume the 'no guarantee' bit. But it's not fair to offer it up as a one-stop-shop for non-programmers to handle encryption tasks, and then offer no caveat at all in the primary reference page. It's even less acceptable when the About page implies the opposite.
Do you use nginx, chromium, bash, openssl, linux...? Because they all have disclaimers with more or less the same meaning. It's boilerplate to avoid liability, not warnings motivated by known shortcomings.
I'm aware, but I think I was unclear - that's what prompted my comment on professionals knowing this already.
My complaint was more that this is another entry in the pattern of handing people black boxes labeled "this does cryptography!", without offering any plain-English explanation of what they're actually getting.
It felt particularly important to me here because it's a comparatively new initiative, and the caveat went on the Readme (seen by users who already know) but not the About (targeting users who might not).
I'm going to chime in to say that I wouldn't give implicit trust to this unless the crypto/hash routines are all using standard/known libraries.
I guess I am paranoid about potential backdoors - something that non-crypto people wouldn't know or understand. Heck - who knows, there could be something in there that even the crypto community could miss...?
In our current world, I don't think my paranoia is misplaced. This project may be perfectly safe, offered transparently and no funny business. But then again, who really knows? Unless you are one of those experts in cryptography (and even then, as I understand it, that doesn't guarantee anything) - there could be subtle changes that could potentially open things up for "bad actors"...
> "Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness."
Fair point, but I'd imagine that's just something that their legal dept. made them put up.
This would make an intersting server-side service. I was hoping I could POST the json "code" and input, and get an answer in the HTTP body. Sort of a "Lambda 101" project.
Thanks this is awesome. For some of this stuff I usually use the Python REPL. But why go through the hassle when it's all here for stuff like date time conversions etc..
Nice wysywyg security tool that will teach people concepts behind the interface. In my day we'd just use perl or python, but this opens up the field to beginners.
It took me a few years in my career to realize the interface usability is more important than the cleanliness of the code. As an engineer I loved my code and treated the interface like a second class citizen. After a bit of experience I realized the interface is what the user judges your code by. First impressions matter and the UI is your code's first impression.
Great honeypot as well. If a malware analyst dumps one of their intelligence agency canary strings from one of their spyware packages, they can use it to track the discoverer.
If I were a spook, I would totally be releasing reversing tools that alerted on my encoded code words.
In ergot's defense, he said the "about link" does not gracefully degrade. Which seems reasonable that someone would want to read what an app does before deeming it worthy of enabling scripts.
I might actually do this from now on. Have my <noscript> be more than just "You must enable JS to use this" but instead actually display useful information about what it does.
Yah I think it's a totally valid complaint. Normally I'm all about telling folks they're not able to use the modern web with JS disabled, but asking for the about page to give a hint with no JS feels like exactly the level of effort everyone should exert for the noscript folks.
There are well over 100 operations in CyberChef allowing you to carry simple and complex tasks easily. Here are some examples:
Decode a Base64-encoded string
Convert a date and time to a different time zone
Parse a Teredo IPv6 address
Convert data from a hexdump, then decompress
Display multiple timestamps as full dates
Carry out different operations on data of different types
This is a web app, not a web page. It's not supposed to anything with JS disabled. It's an actual program that runs locally, without JS no can do.
As much of a problem as I have with web pages using gratuitous JS, it should be obvious that actual web applications such as this and gmail will not be able to "gracefully degrade".
Actually, gmail in particular DOES have a no-js version.
Go to "Setting," click on "Help," then enter "Basic HTML view" in the search field, then click on "Standard view and basic HTML view," then "basic HTML view," then, if you wish to preserve the setting, on "set basic HTML as default view."
After just having watched Oliver Stone's "Snowden" last night it's hard to avoid wondering if there are any potential Snowdens in the GCHQ...
It's also a sobering thought that the people who wrote this stuff (seems neat) may be able to uncover my deepest secrets in seconds if they were so inclined.
And being geeks, I'm sure they read this. gulp
(As far as I can tell, github.com/gchq is from the actual GCHQ.)
This is mostly a job ad. Don't go there. It's not moral.
I think johansch means to say this is something someone should have made only to add to his cv or similar(not even fully sure) rather than something that people should use.
No one is telling the user what he should use this for, there's plenty of situations where you might want to convert/encrypt/elaborate data without being launch codes for nuclear missiles and this seems like a pretty good tool, all browser based too, opposite of many other more famous tools that require communication with a server.
I am not talking about the actual encryption/decryption/data-wrangling stuff in this HTML page. All of this is obviously very neat and very usable.
The reason I do think this is a job ad is the fact that it's the GCHQ that is publishing it. Seriously, a spook agency is publishing neat open source stuff. I can only think of two reasons for this to happen and both align:
a) employee happiness (few people enjoy doing stuff in secrecy, I think)
b) using the by now well-established mechanics of corporate branding to make the GCHQ appealing to a larger amount of developers/hackers.
I think the latter is the dominant factor, and this is why I called this a job ad.
I think he is actually saying it is an effort to get people to say "look at the cool stuff we make" and go work for the organization. In this case that organization appears to be the UK equivalent of the CIA/NSA in the US and he clearly feels their mission erodes people's rights.
Why do you think the GCHQ is publishing stuff that appeals the developers/hackers rather than just being secretive? Of course it's similar to a corporate branding exercise. There's a hard fight for tech talent these days.
One could argue (although I'm not 100% sure if I actually believe in it) that making institutions such as GCHQ more attractive would actually help. Their pool of applicants must be starkly different in terms of ideology than other applicant pools (say: google), even though the requirements are similar.
If they succeed in broadening their pool of applicants, ideological diversity would increase. That may make it more likely that objections such as yours are raised internally.
(counterarguments: their productivity may rise quicker than their morals can, making the net effect negative, or the institution is stronger and changes the individual instead of the other way around)
Well, maybe one take-away from the Snowden movie - in case it's actually accurate - is that by recruiting traditional freedom-loving hackers there will be more potential whistleblowers in the future.
Another disparate thought:
The NSA we've seen so far appears to have been infinite reach, but with very limited analysis capability. E.g. they have have an army of humans trying to make sense of the mountains of data. Just imagine their capabilities when they have applied (already, perhaps) deep learning to this data feed. This is scary shit.
Suddenly they will have a very deep profile on every connected individal on earth (like 75% by now?).