CanYouCrackIt.co.uk ... Is it a Hoax?
P. John made this Freedom of Information request to Cabinet Office
This request has been withdrawn by the person who made it. There may be an explanation in the correspondence below.
From: P. John
1 December 2011
Dear Cabinet Office,
following the fiasco surrounding the launch of the
CyberSecurityChallenge web site (without SSL encryption, and
co-hosted with prestigious sites like Wizards-Casino.com,
registered to a UK individual and former CPNI member using her home
address, launched on her birthday (*)) I was intrigued by the
advertised launch of the canyoucrackit.co.uk web site.
It turns out this recruitment site is (again) launched without the
benefit of SSL encryption, so ensuring that aspiring GCHQ
applicants can be identified from the content of their
communications... by crooks like Phorm, Huawei, TalkTalk, BT,
Vodafone, Bluecoat &c and every other foreign intelligence agency
illegally monitoring UK telecommunications with impunity.
In addition, the domain registration details are clearly false,
with the registrant - TMP (UK) Limited - claiming to be a 'UK
Individual' with the address 'Somewhere, London'.
The net effect is that anyone skilled in communications encryption,
expert in internet security, or wise enough to comprehend the risks
(**) of the post they might be applying for, would not touch the
site with a soiled bargepole.
That being the case, please could you confirm (or deny) for me;
Is the canyoucrackit.co.uk site intended to be a hoax?
Yours faithfully,
P. John
(*) https://nodpi.org/forum/index.php?topic=...
(**)
http://www.telegraph.co.uk/news/uknews/c...
Shena Deuchars left an annotation (1 December 2011)
Perhaps GCHQ thinks it is 1 April, not 1 December?
Cabinet Office
2 December 2011
CABINET OFFICE REFERENCE: FOI315860
Dear P. JOHN
Thank you for your request for information. Your request was received on
1/12/2011 and is being dealt with under the terms of the Freedom of
Information Act 2000.
This email is just a short acknowledgement of your request.
If you have any queries about this email, please contact me. Please
remember to quote the reference number above in any future communications.
Yours sincerely,
Knowledge and Information Management Unit
Cabinet Office
E: [Cabinet Office request email]
From: P. John
2 December 2011
Dear Nameless Cabinet Office person,
thank you for your note.
While waiting for your response, I am delighted to report I seem to
have 'Cracked It' in LESS THAN 10 SECONDS.
http://www.canyoucrackit.co.uk/soyoudidi...
Note, the http (meaning it is still not encrypted).
Now anyone monitoring my communications... and sadly it is a fact
that there are many foreign and domestic firms illegally monitoring
UK telecommunications with total impunity despite GCHQ/CESG/CPNI...
anyone can know I was browsing this GCHQ recruitment site, know
that I successfully 'cracked it', even know how long it took me,
know what my IP address is, and (with a bit of sneaky cross
referencing) perhaps even who I am and where I live, and whether or
not I decided to take an underpaid vacancy in Cheltenham.
Which is nice.
Perhaps I should use the links provided to share my code breaking
expertise and career plans on Facebook or Twitter? I might as well.
Though, I must confess. I found the 'so you did it' page by
searching Google instead... it was much faster and thankfully
didn't even need a password;
https://www.google.com/search?q=site:can...
So the question remains, is this site simply a parody of the
important security work GCHQ are meant to do?
Yours faithfully,
P. John
INFO SEC left an annotation (2 December 2011)
SSL would not prevent anything being disclosed that isn't already on that site. Your IP would still be disclosed accessing the website and as none of the cracking is carried out over the wire everything bar the fact you have accessed the success page is known anyway. I'm sure thousands have accessed it already as it's posted on numerous websites so that's pretty useless information.
Posting snotty letters in an attempt to make yourself look clever while highlighting your lack of knowledge is pretty lame.
A quick check on the internet shows up the owner of the URL as TMP (UK) Ltd. Another quick check shows them as a UK based advertising company who specialise in recruitment campaigns. Oh, look, they even discuss the GCHQ advertising campaign on their website.
Domain name:
canyoucrackit.co.uk
Registrant:
TMP (UK) Limited
Registrant type:
UK Limited Company, (Company number: 5648039)
Registrant's address:
265 Tottenham Court Road
London
London
W1T 7RQ
United Kingdom
P. John left an annotation (2 December 2011)
Let me help you a little; the original registration details were as follows;
Domain name:
canyoucrackit.co.uk
Registrant:
TMP (UK) Limited
Registrant type:
UK Individual
Registrant's address:
Somewhere
London
london
W0A 0AA
United Kingdom
Which is more typical of a phishing/fraud scam than a secure Government recruitment site.
You'll note too, GCHQ opted to use SSL for their main recruitment site;
https://apply.gchq-careers.co.uk/
If you want to recruit communications specialists into the Security Services... failing to protect the privacy/security/integrity of your communications against interception, using bogus registration details for your domain, and then failing to password protect your web site are rather fundamental and elementary errors.
INFO SEC left an annotation (3 December 2011)
Of course they use it for the recruitment part of their website. <big sigh>
SSL is mainly used to encrypt data between two parties so that a third party cannot eavesdrop on it. If you are submitting an application for a job then you are obviously transferring sensitive data across a public medium such as the internet so you would therefore want that data to remain private when transmitted.
SSL should NOT be used in every website. In this case the website shows the same image to everyone so there is nothing to protect with SSL. There are no login credentials to protect as there is no requirement to login and there isn't any sensitive data from the end user to protect so there is no need for SSL.
There is nothing to be gained by sniffing the traffic between a viewer and that website for the reasons I've already stated in this post and the last.
It's unfortunate when people like you try to harass others such as the folks at GCHQ who perform an exemplary job both now and in many years past.
Self proclaimed computer security experts are my pet hate because you go around spouting rubbish like you have hoping the average Joe doesn't know any better so can't contradict them.
As for helping me a little - I think it is I who has been helping you and it obvious for all to see. Firstly I've provided you with the correct address details, secondly I've shown you who the company who registered the domain is and what they do (not sure how you missed that) and thirdly I have explained what SSL does for you and why it is not needed in this case.
Normally I would ignore people like you but in this instance as you are making a pest of yourself to people who I hold a great deal of respect I thought I would point out your failings, just for the fun of it.
If you want to point out the other benefits of SSL I will happily explain to you, for all to see, why these aren't relevant to this kind of website.
P. John left an annotation (3 December 2011)
Are you sure you want to carry on defending the people who launched this site? I wouldn't if I were you.
If GCHQ want to invite candidates to participate in a recruitment competition for a role in the Security Services... what aspect of that dialog would you recommend should be unencrypted?
I would expect.. none at all.
The fact that a given person might even be willing to consider applying for a role at GCHQ is acutely sensitive information.
And for the sake of £30? I would hope GCHQ might therefore purchase & install a £30 SSL certificate.
If nothing else because if the site is unencrypted, and the registration details are obviously false (as they were)... then it bears all the hallmarks of a phishing scam.
A site which is meant to attract and recruit code breakers for the Security Services should be
a) encrypted against hostile surveillance
b) registered using *valid* data, not bogus information
On a more general note, you might also be forgiven for hoping the 'you've cracked it!' page might be inaccessible to anyone who hasn't actually 'cracked it'. And therefore, not indexed by Google either.
The UK public deserve better service from the people who run GCHQ.
And potential GCHQ candidates & recruits deserve better protection, from the moment they first consider applying for a job in the Security Services, to the moment they finally leave (and beyond).
INFO SEC left an annotation (5 December 2011)
Pest,
You really don't have any shame and will clutch at any straw you can in order to try and save some face. The term that suits you best is 'pest' so again, let me highlight where you are wrong. It is very easy to do so given that you clearly lack the fundamental knowledge to base an argument on - although to be fair you have no argument in this case.
"If GCHQ want to invite candidates to participate in a recruitment competition for a role in the Security Services... what aspect of that dialog would you recommend should be unencrypted?"
-Any information which is deemed sensitive should be encrypted. In this instance there was no sensitive information so it did not warrant encryption.
"I would expect.. none at all."
-You would do well to educate yourself instead of going with expectations.
"The fact that a given person might even be willing to consider applying for a role at GCHQ is acutely sensitive information."
-This is not part of the application process it is a game to generate interest in GCHQ for potential candidates.
"And for the sake of £30? I would hope GCHQ might therefore purchase & install a £30 SSL certificate."
-An SSL certificate costing £30 is of the lowest quality there is and hardly worth using. Have you heard of the Comodo breach? The DigiNotar breach? Okay, you probably have not but proper SSL implemented in a secure manner is expensive.
"If nothing else because if the site is unencrypted, and the registration details are obviously false (as they were)... then it bears all the hallmarks of a phishing scam."
-Phishing tactics are used to glean information from end users who enter them to the site. Anyone with a concern relating to that would be able to deduce from the fact that there isn't any requirement to enter details that it is not a phishing scam. Again, you are clutching at straws.
"A site which is meant to attract and recruit code breakers for the Security Services should be
a) encrypted against hostile surveillance
b) registered using *valid* data, not bogus information"
-a) I will tell you once again, in this instance there is nothing to survey and using SSL will not hide the fact that someone is accessing it.
-b) It is registered fine but even if it wasn't that is an issue to be taken up with Nominet. SSL will not help as one of the authentication checks an SSL provider can use is to prove you own the domain.
"On a more general note, you might also be forgiven for hoping the 'you've cracked it!' page should might be inaccessible to anyone who hasn't actually 'cracked it'. And therefore, not indexed by Google either."
-Why? It is a game. SSL will not prevent that either.
"The UK public deserve better service from the people who run GCHQ."
-GCHQ provide a stellar service behind closed doors and the fact that a little pest like you who has no idea what you are talking about seems to think that not using SSL on a website is an issue is laughable.
"And potential GCHQ candidates & recruits deserve better protection, from the moment they first consider applying for a job in the Security Services, to the moment they finally leave (and beyond)."
-You already mentioned that the application portal uses SSL so applicants are provided with a secure portal. Secondly, GCHQ is not the security services, once again you rant away and are completely wrong. Thirdly, the amount of traffic this site has garnered makes it impossible for a third party to use the data.
Lastly, emailing a clerk who has no idea what SSL is and informing her "you have cracked it" when you clearly have not and could not is very sad.
Now go pester someone else, pest.
P. John left an annotation (6 December 2011)
Well. Your determination continues to amaze me.
If GCHQ want to attract the interest of people who fully comprehend security and cryptography, here's a list of recommendations;
1) Protect the privacy, security, and integrity of your communications with prospective applicants. If you want to attract cryptography experts, you need to demonstrate that you take the security of communications seriously and you are serious about protecting their welfare. With an SSL certificate costing so little, there is simply *no excuse* for failing to do this.
2) Don't register the domain using fake address details. It carries all the hallmarks of a criminal phishing scam. There is simply *no excuse* for failing to do this.
3) Don't register the domain to a UK individual, particularly not an employee/former employee using their home address. There is simply *no excuse* for failing to do this.
4) Don't co-host the site with other domains, particularly gambling, miracle cures, or pornography. There is simply *no excuse* for failing to do this.
5) If you run a competition which depends on solving a puzzle, protect the objective with a password if you want to be taken seriously. There is simply *no excuse* for failing to do this.
6) Ensure that the target page cannot be indexed by Google or other search engines. There is simply *no excuse* for failing to do this.
7) Host the site in the UK, for reasons that should be obvious. There is simply *no excuse* for failing to do this.
Let me point out to you the reason why all this matters.
In 2006 and 2007... BT conspired with 121Media (a firm described by F-Secure as the developers of "the most widespread malicious rootkits of 2005") to intercept the web communications of hundreds of thousands of people and the businesses that served them.
121Media (now known as Phorm) subcontract their development to a company in Moscow called OCS Labs. The Director of Phorm, Kent Ertugrul, can be linked to the Russian Military. He ran a company called Migs Etc that offered joy rides on Russian Military aircraft.
The technology deployed by BT intercepted, modified, and divulged the content of unencrypted web communications to 121Media/Phorm. In essence it is an industrial espionage scam designed to capture economic intelligence from the content of private/confidential communications.
Mark Hughes was the Director of BT Group Security at the time (appointed in October 2005). Mark Hughes was also member of the Senior Stakeholder Group of the Centre for the Protection of National Infrastructure. Perhaps he still is. Apparently he didn't think it was necessary or appropriate to warn GCHQ/CESG/CPNI that such trials were taking place. Or if he did, he was ignored by GCHQ/CESG/CPNI.
Once these covert trials were exposed... BT went on to conduct a third trial in the open. Their director, Emma Sanderson, even appeared on television to announce her intentions.
In total 200,000 people are estimated to have had their communications illegally and covertly intercepted by BT/Phorm... and at no point in three years did GCHQ/CESG/CPNI intervene to stop it.
Let me quote from their web site; "GCHQ is one of the three UK Intelligence Agencies and a part of the UK's National Intelligence Machinery. GCHQ works in partnership with the Security Service (also known as MI5) and the Secret Intelligence Service (also known as MI6) to protect the UK's national security interests."
As part of the intelligence service specialising in communication security I would expect them to protect the UK from nationwide industrial espionage by foreign spies.
There are other threats I could detail.
I could tell you about TalkTalk's covert trials of Chinese supplied mass surveillance technology, which is thought to have relayed the content of UK telecommunications to China.
I could elaborate the use of Bluecoat Proxy SG technology which is currently covertly relaying the content of Vodafone/3UK telecommunications to the USA.
In every case, there has been no intervention by the Security Services (which includes GCHQ), or law enforcement (despite complaints to the police, supported by evidence).
So if you believe that UK telecommunications are in any way secure against foreign espionage you'll need to try much harder to convince me or anyone else who fully comprehends the events of the last 5 years.
From: P. John
6 December 2011
Dear Cabinet Office,
I would like to withdraw this request.
I understand the site, despite indications, is not a hoax.
Please can I offer you some constructive recommendations should
GCHQ wish to attract the interest of people who fully comprehend
security and cryptography in future;
1) Protect the privacy, security, and integrity of your
communications with prospective applicants. If you want to attract
cryptography experts, you need to demonstrate that you take the
security of communications seriously and you are serious about
protecting their welfare. With an SSL certificate costing so
little, there is simply *no excuse* for failing to do this.
2) Don't register the domain using fake address details. It carries
all the hallmarks of a criminal phishing scam. There is simply *no
excuse* for failing to do this.
3) Don't register the domain to a UK individual, particularly not
an employee/former employee using their home address. There is
simply *no excuse* for failing to do this.
4) Don't co-host the site with other domains, particularly
gambling, miracle cures, or pornography. There is simply *no
excuse* for failing to do this.
5) If you run a competition which depends on solving a puzzle,
protect the objective with a password if you want to be taken
seriously. There is simply *no excuse* for failing to do this.
6) Ensure that the target page cannot be indexed by Google or other
search engines. There is simply *no excuse* for failing to do this.
7) Host the site in the UK, for reasons that should be obvious.
There is simply *no excuse* for failing to do this.
Yours faithfully,
P. John
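One way to check a puzzle site's 'success' page against recommendations 1, 5 and 6 above (transport encryption, gating the objective behind authentication, keeping it out of search indexes), written here as an added Python example that is not part of the request, of the site, or of any GCHQ code. Both page snapshots, the robots.txt files and the host puzzle.example are constructed; the header and status rules follow ordinary HTTP and robots conventions, not anything observed on canyoucrackit.co.uk.

```python
"""Audit a snapshot of a puzzle site's 'success' page against the thread's
recommendations: transport encryption (1), gating the objective behind
authentication (5) and keeping it out of search indexes (6).
Added example; every response below is constructed, not captured."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Page:
    url: str
    status: int
    headers: dict   # response headers as sent, case preserved
    body: str = ""


NOINDEX = re.compile(r"\bnoindex\b", re.I)
META_ROBOTS = re.compile(
    r"""<meta[^>]+name=["']robots["'][^>]+content=["']([^"']*)["']""", re.I)


def robots_disallows(robots_txt: str, path: str) -> bool:
    """True if a 'User-agent: *' group in robots.txt disallows `path` (prefix match)."""
    in_wildcard_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard_group = value == "*"
        elif key == "disallow" and in_wildcard_group and value and path.startswith(value):
            return True
    return False


def audit(page: Page, robots_txt: str) -> list:
    """Return the findings a defender would raise for this page; [] means clean."""
    findings = []
    hdr = {k.lower(): v for k, v in page.headers.items()}
    parts = urlparse(page.url)
    if parts.scheme != "https":
        findings.append("served over plain HTTP: the path and any answer are readable in transit")
    # A 200 with no challenge means anyone who guesses or is sent the URL sees the page.
    if page.status == 200 and "www-authenticate" not in hdr:
        findings.append("success page returns 200 with no authentication challenge")
    meta = META_ROBOTS.search(page.body)
    if not (NOINDEX.search(hdr.get("x-robots-tag", "")) or (meta and NOINDEX.search(meta.group(1)))):
        findings.append("no noindex directive in X-Robots-Tag or <meta name=robots>")
    # robots.txt only asks crawlers not to fetch; noindex and authentication are the real controls.
    if not robots_disallows(robots_txt, parts.path):
        findings.append("robots.txt does not disallow this path")
    return findings


# Constructed snapshots: the weak setup the thread complains about, and a hardened one.
WEAK_PAGE = Page("http://puzzle.example/you-did-it/", 200,
                 {"Content-Type": "text/html"}, "<html><body>Well done</body></html>")
WEAK_ROBOTS = "User-agent: *\nDisallow:\n"
HARD_PAGE = Page("https://puzzle.example/you-did-it/", 401,
                 {"WWW-Authenticate": 'Basic realm="puzzle"', "X-Robots-Tag": "noindex, nofollow"})
HARD_ROBOTS = "User-agent: *\nDisallow: /you-did-it\n"

if __name__ == "__main__":
    for name, page, robots in (("weak", WEAK_PAGE, WEAK_ROBOTS), ("hardened", HARD_PAGE, HARD_ROBOTS)):
        print(name, audit(page, robots) or ["no findings"])
```

Running it reports four findings for the weak snapshot and none for the hardened one; the same function can be pointed at real fetched responses once they are wrapped in a Page.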
P. John left an annotation (1 December 2011)
www.bbc.co.uk/news/technology-15968878