Conclusions

This is mostly a condensed version of our talk we gave at DEFCON, with a few corrections and notes thrown in for clarity and to answer questions we've seen popping up a lot.

Why?

Two reasons. First, because it seemed like a cool idea. Second, because we wanted to see whether we could estimate the size, power, and organizational potential of the Online Cryptographic Community.

The reason given in the description of our DEFCON talk about creating channels to send covert messages in plain sight, while plausible and maybe even relevant, was just a smoke screen to keep the real topic secret until our talk.

What we learned

These are our general observations about the Online Cryptographic Community as a whole. They are not directed at any individual or group that was attempting to break the Mein Fraulein codes.

First, the Community tends to ignore answers that it doesn’t like, even if they are correct.

Example: the following post appeared on June 2nd, by someone named Chronos:

“But the starter of such a game could hardly count on anyone calling the phone number and asking about it online, so the person who first noted it would almost certainly have to be in on it, if not the instigator himself. So that might be a more productive line of enquiry.”

This couldn't have been more correct. However, the community seemed to ignore this wisdom. We received only one reply back to our original email asking us where and how we found the message. We sent a lame reply to this, something to the effect of 'My friend found it and sent me a link because he knows I'm into this stuff.' No further questions were asked.

Second, the Community organizes only to the lowest level necessary.

Example: the main resource for people attempting to decrypt the messages was the forums on Homeland Stupidity. While Michael Hampton made a valiant effort to organize the information and make it easy to find, the format didn't lend itself well to a cooperative effort. A newcomer would have had to wade through many pages of posts, often containing misinformation and lots of duplicated effort. Hampton attempted to mitigate this somewhat by setting up a Wiki, but it lacked the tools necessary to become a focal point in the decryption effort.

And third, the Community is very powerful, but not proportionally insightful.

As it is with society, where we find ourselves standing on the shoulders of some very smart freaks that invented things like electricity and medicine, the Cryptographic Community seems to rely upon a very few insightful members of the herd to advance their cryptanalysis efforts.

We observed that these insightful members of the group were often simply drowned out by the poor signal-to-noise ratio, or they failed to appear at all as misinformation and confusion built within the mass of the Community.

Example: our original plan called for someone to attempt to find a key collision between two messages. On the day of our talk we performed a Google search for "Mein Fraulein" and "key collision", which returned zero results.

Proposed solution

Our suggestion to solve these problems, presented during our talk, was to build an easily deployable Cryptanalysis Web Portal that can be used for this type of online crypto game. We concentrated on the following points:

Make it easily deployable so that non-systems admins can get it up and running easily.

Base it on open source so it can be easily extended.

Have it contain common cipher tools. There is code already written to create and examine almost every type of transpositional cipher ever made, but it is not collected in the same place, and it is often not presented in a user friendly way.

Have it work from a common data set. One of the problems we observed was that many people were confused by typos and transcription mistakes in the data they were finding posted online. Having everyone work from one 'master' set of data will eliminate most of these problems.

And finally, have the system use some type of standardized data reporting. If a newcomer can quickly determine which tests have been performed and which ciphers have been tested, their ideas become more valuable because they get up to speed faster. This addresses the insightfulness problem. It also makes it possible for information to be imported and compared between different Cryptographic challenges.
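To make the three portal requirements above concrete (a common cipher tool, one master data set, and standardized reporting), here is a small added example in Python. It is not code from the talk or from any portal the authors built; the choice of columnar transposition as the "common cipher tool", the crib word list, the demo plaintext and key, and the JSON report layout are all assumptions made for this illustration. Every message is identified by a fingerprint of its canonical letters, so a participant working from a mis-transcribed copy can see immediately that they are not on the master data, and every analysis run produces one report record naming the message, the test, and its parameters.

```python
import hashlib
import itertools
import json
import re

# --- Common data set: one canonical form, one fingerprint per message ---

def canonicalize(text):
    """Uppercase and strip everything but A-Z so every participant works from the same letters."""
    return re.sub(r"[^A-Z]", "", text.upper())

def fingerprint(text):
    """Short SHA-256 id of the canonical text; a single transcription error changes the id."""
    return hashlib.sha256(canonicalize(text).encode("ascii")).hexdigest()[:16]

# --- One cipher tool: columnar transposition (key = order in which columns are read off) ---

def columnar_encrypt(plain, key):
    letters = canonicalize(plain)
    n = len(key)
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    rows[-1] = rows[-1].ljust(n, "X")            # pad the last row so every column is full
    return "".join("".join(row[c] for row in rows) for c in key)

def columnar_decrypt(cipher, key):
    n = len(key)
    height = len(cipher) // n
    columns = {}
    for i, c in enumerate(key):                  # the i-th chunk of ciphertext is column c
        columns[c] = cipher[i * height:(i + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(n))

# Constructed crib list (an assumption): common English words plus words the analyst expects.
WORDLIST = ("THE AND THAT HAVE FOR NOT WITH YOU THIS BUT HIS FROM THEY WILL ONE ALL WOULD THERE "
            "WHAT ABOUT WHICH WHEN MAKE CAN LIKE TIME JUST KNOW TAKE INTO YEAR YOUR GOOD SOME "
            "COULD THEM SEE OTHER THAN THEN NOW LOOK ONLY COME OVER THINK ALSO BACK AFTER USE "
            "TWO HOW OUR WORK FIRST WELL WAY EVEN NEW WANT BECAUSE ANY THESE GIVE DAY MOST "
            "ATTACK BEGIN DAWN BRIDGE OURS AT BE").split()

def english_score(text):
    """Crude fitness: sum of len(word)^2 over crib-word occurrences, so long hits dominate."""
    return sum(len(w) ** 2 * text.count(w) for w in WORDLIST)

def brute_force_columnar(cipher, max_key_len=6):
    """Try every read-off order for key lengths 2..max_key_len; keep the best-scoring candidate."""
    best = None
    for n in range(2, max_key_len + 1):
        for key in itertools.permutations(range(n)):
            candidate = columnar_decrypt(cipher, key)
            score = english_score(candidate)
            if best is None or score > best["score"]:
                best = {"key": list(key), "score": score, "plaintext": candidate}
    return best

# --- Standardized reporting: which message, which test, which parameters, what came out ---

def run_test(cipher, max_key_len=6):
    return {
        "message_id": fingerprint(cipher),
        "test": "columnar_transposition_bruteforce",
        "parameters": {"key_lengths": "2-%d" % max_key_len, "scorer": "crib_wordlist"},
        "result": brute_force_columnar(cipher, max_key_len),
    }

# Constructed demo data: a master ciphertext and a copy with one transcription error.
PLAINTEXT = "THE ATTACK WILL BEGIN AT DAWN AND THE BRIDGE WILL BE OURS"
KEY = (2, 0, 3, 1)
MASTER_CIPHER = columnar_encrypt(PLAINTEXT, KEY)
SLOPPY_COPY = MASTER_CIPHER[:10] + "Q" + MASTER_CIPHER[11:]

if __name__ == "__main__":
    print("master id:", fingerprint(MASTER_CIPHER))
    print("copy id  :", fingerprint(SLOPPY_COPY), "(mismatch => not the master data set)")
    print(json.dumps(run_test(MASTER_CIPHER), indent=2))
```

The report record is what a newcomer would query: one entry per (message_id, test, parameters) makes it obvious that this message has already been run through a columnar brute force up to key length 6, and records keyed by fingerprint can be compared across challenges without anyone arguing over which transcription was used.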

How not to run a Crypto Challenge

Here are some simple things you can do to help yourself should you ever decide to host a crypto challenge:

1) Learn from our mistakes.
2) Be organized. Have all of your content ready before you start.
3) Don’t underestimate the community, but don’t over complicate your challenge.
4) Have a plan to handle copycats. You will have them.

And while we're mentioning copycats, we have to include the best one ever:

http://orlando.craigslist.org/mis/178214941.html

Reply to: pers-178214941@craigslist.org
Date: 2006-07-04, 1:17AM EDT

Mein Fraulein,

Stop calling me. I told you yesterday I do not love you. Give me my records back and my good leather jacket.

Some Stats

In total, we received approximately 6,100+ phone calls. We estimate, based on the number of comments we saw online, and our call detail records, that this number represents about 1/3 of the people who actually called the numbers. After the pre-paid VoIP minutes ran out, the calls would no longer route through to our Asterisk box, so we would have no record of the call.

During the day the first two numbers were on Slashdot, they received 2,180 calls.

In total, the first four messages received 58 percent of all calls.

The entire project, including this website, cost us exactly $202.00. We spent approximately twice that much having one run of T-shirts made afterwards. Eat your heart out Viral Marketing Droids.

Site template: Martin Villiam Jensen