Thursday, March 10, 2011

Code-Breaking For Fun and Profit

c. xkcd.com
Codes and ciphers are an area of puzzling that I haven't really written much about, but they've fascinated me since I first read Edgar Allan Poe's "The Gold Bug" as a child. As any history buff knows, cryptography and code-breaking has played a vital role in politics and warfare for at least 4000 years, and it has grown even more important in the digital age. Encryption is the key to the entire online economy. If it fails, the system fails.

Well, one small corner of the system has failed--spectacularly--and may have cost Microsoft at least $1.2 million.

All code breaking relies on the fact that everything, eventually, falls into a pattern, even if it's an incredibly complex--even shifting--pattern. Crack that pattern, and you crack the code. Modern computer cryptography is well beyond my knowledge set, but I do know that its relies on multiple branches of mathematics in order to create secure encryption keys.

But even the best keys have a pattern, and hackers have found the pattern for MS Points, the proprietary economy used by Xbox Live and other Microsoft services. People pay for games, multiplayer support, and in-game purchases with these points, which are normally purchased with real money.

MS Points are usually activated by entering a string of numbers and letters, and usually look something like H547J-3JK67-J84J0-etc...  Those numbers, however, are generated by a system, and that system has a pattern. Using old codes, some folks on the site The Tech Game (no, I'm not linking to it) discovered that pattern and created an algorithm to generate new, valid codes.

Microsoft isn't talking about this yet, but they've closed the exploit. We don't know yet if they'll be able to track down the scammers and take back their points. Of course, it's illegal and immoral, but it's a pretty impressive achievement. And a little bit terrifying.

By the way, let me veer slightly off-topic for a moment and just say that if you have a credit card with an RFID chip, get rid of it. Tech writers (including me) have been writing about the dangers of these chips for years. They are a hacker's dream. I've seen video of on-the-street tests of people using a few hundred dollars worth of equipment to read the credit card numbers from cards in people's wallets and purses. The RFID makers have implemented some pretty impressive cryptographic techniques in order to keep them secure, but one constant of computer security is the tendency to underestimate the determination and capability of hackers.

No comments:

Post a Comment

All ad-driven comments will be marked as spam and deleted.

Note: Only a member of this blog may post a comment.