• Mike (unregistered)

    RlJJU1Q=

  • Stephen Cleary (unregistered)

    Oh, yes.

    I always measure the world with "meter" units. Unless I use "metres".

  • unwesen (unregistered)

    If a Base64 implementation is worth $64k, then I've got one to sell. Wanna buy it?

  • unwesen (unregistered) in reply to Mike

    Didn't you mean RklSU1Q=?

  • boog (cs)

    You left out the part where Thijs B's company gets sued to oblivion for "bypassing security" and "reverse engineering" the software.

  • Deezil (unregistered)

    Frist to tell you that I can't download the whole XML file?

    CAPTCHA: decet - deceit without any intelligence (just like this company!)

  • Tarmil (unregistered)

    Well, if a Base64 implementation is worth $64k, you should definitely buy my Base128 implementation. Guess the price.

  • Whatever (unregistered)

    Wait, they rolled their own encoding scheme, and made it conform to Base64?
    Perhaps the package's developers did not like the $100000 pricetag for a base64 decoder, so they made it easy to decode.

  • boog (cs) in reply to unwesen
    unwesen:
    Didn't you mean RklSU1Q=?
    QXJlIHlvdSBuZXcgaGVyZT8K

  • Zylon (cs)

    "Completely reimplementing" Base64 is somewhat like completely reimplementing a for loop. What an odd choice of words.

  • MadJo (professional software tester) (unregistered) in reply to boog
    boog:
    You left out the part where Thijs B's company gets sued to oblivion for "bypassing security" and "reverse engineering" the software.

    Thijs is clearly not a US name, and therefore the DMCA doesn't apply; thanks for playing, we have some lovely consolation prizes for you backstage.

  • Dotan Cohen (unregistered) in reply to Zylon

    I take that to mean that to prevent reverse engineering, they did not make a call to the native .NET base64() functions.

  • ^E (unregistered)
    <FieldSmartConfiguration encoding="basic">

    They were not kidding about using basic "encryption". I wonder if the enterprise version uses an additional layer of triple ROT-13?

  • Misel (unregistered)

    Personally I find Base64 easy to identify. It was actually my first guess and had I been the developer this would have been my first try. So why the hassle with the debugger?

  • GFK (cs)

    Your configuration's not so smart now, is it?

  • boog (cs) in reply to MadJo (professional software tester)
    MadJo (professional software tester):
    boog:
    You left out the part where Thijs B's company gets sued to oblivion for "bypassing security" and "reverse engineering" the software.

    Thijs is clearly not a US name, and therefore the DMCA doesn't apply; thanks for playing, we have some lovely consolation prizes for you backstage.

    Funny, I didn't say anything about copyright in my answer.

    It may be that I wasn't talking about the DMCA at all.

  • Ken B. (unregistered) in reply to ^E
    ^E:
    <FieldSmartConfiguration encoding="basic">
    They were not kidding about using basic "encryption". I wonder if the enterprise version uses an additional layer of triple ROT-13?
    Um... Doesn't it say "encoding" and not "encryption"?

    On the other hand, being only the "basic" encoding, this uses only the double-ROT13 method.

  • PedanticCurmudgeon (cs) in reply to boog
    boog:
    unwesen:
    Didn't you mean RklSU1Q=?
    QXJlIHlvdSBuZXcgaGVyZT8K
    RGFybiwgYmVhdCBtZSB0byBpdCE=

  • boog (cs) in reply to PedanticCurmudgeon
    PedanticCurmudgeon:
    boog:
    unwesen:
    Didn't you mean RklSU1Q=?
    QXJlIHlvdSBuZXcgaGVyZT8K
    RGFybiwgYmVhdCBtZSB0byBpdCE=
    OikK

  • BentFranklin (cs)

    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.

  • C-Octothorpe (cs)

    Most likely during development they realized that truly encrypting the config section(s) wreaked havoc with the rest of the app, or caused some bad performance issues and at the last minute they decided to simply encode it (they would have to anyway for it to live happily in XML)...

    If they were smart, they would've double-encoded it. Now that's secure...

  • pettys (unregistered) in reply to MadJo (professional software tester)
    Comment held for moderation.

  • C-Octothorpe (cs) in reply to pettys
    pettys:
    @MadJo: On the other hand, you are the clear winner of a different sort of contest.
    Is the prize a sarcasm detector? Or perhaps an irony parser... Oh, I got it, the prize should be "Woosh be gone"...

  • Jo (unregistered)

    I once worked with an insanely expensive industry-sector-specific software tool. It had several modules, each to be bought separately for a specific number of users.

    And it had an info dialog to see the bought modules and the number of users allowed to use them. So there were (say) 14 entries, each with a number.

    The license data file's size was 28 bytes. One word for every line in that info dialog. Change it and voilà...

  • GFK (cs) in reply to BentFranklin
    BentFranklin:
    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.

    Here's a simple tutorial on how to decode Base64: RG93bmxvYWQgYW5kIGluc3RhbGwgTm90ZXBhZCsrDQpPcGVuIGl0DQpQYXN0ZSB0aGUgdGV4dCBpbiBhIG5ldyBkb2N1bWVudA0KR28gdG8gbWVudSBQbHVnaW5zID4gTUlNRSA+IEJhc2U2NCBEZWNvZGU=

  • PedanticCurmudgeon (cs) in reply to BentFranklin
    BentFranklin:
    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.
    And whatever you do, definitely don't post banners of Base64 encoding.

  • trtrwtf (unregistered)

    From the vendor's perspective, this actually makes sense. I'd be willing to bet that this started when users were screwing up their configurations, because they were editing the XML by hand. This meant a lot of expensive support calls, so the vendor decides to be proactive and makes a config tool. Okay, now they have a config tool, and they want to make sure everyone uses it, but somebody along the way says "that cost us money to make it, you can't just give it away". Well, you can and you should, but tell that to the bean counter - so they come up with a way to make people want the tool: they obfuscate the XML. If someone looks close and realizes how simple it is, no problems - nothing changes. They use the product as they always have. If they're normal, they just spend the money and get a very minor benefit (a configuration widget) for a substantial price, which disappears into the budget. Either way, life goes on.

  • hoodaticus (cs)

    TRWTF is that the OP's immediate thought when seeing a random string of alphanumeric characters was that this was encrypted rather than base64 encoded. I would have at least decoded it with base64 first before determining whether the contents were encrypted.
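
The "decode it first, then decide" approach hoodaticus describes, as an added example that is not from the thread or the product discussed: it attempts a strict Base64 decode and then judges whether the bytes are readable text (merely encoded) or opaque (possibly encrypted). The sample config fragment and the 48 non-text bytes are constructed here; the thresholds are heuristics, not a standard.

```python
import base64
import binascii
import math
import re
from typing import Optional

# Strict Base64 alphabet; "=" padding only ever closes the string.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_base64(s: str) -> Optional[bytes]:
    """Decode s if it is well-formed Base64 (line wraps tolerated), else None."""
    s = "".join(s.split())
    if not s or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English/XML text sits well under 6, ciphertext near 8."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(blob: str) -> str:
    """Decode first, then decide: 'not-base64', 'encoded-plaintext' or 'opaque-bytes'."""
    raw = try_base64(blob)
    if raw is None:
        return "not-base64"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    if printable > 0.95 and shannon_entropy(raw) < 6.0:
        return "encoded-plaintext"   # readable once decoded: encoding, not encryption
    return "opaque-bytes"            # decodes, but to bytes that are not text

# Constructed samples (not from the article): a config fragment in the article's
# style, and 48 non-text bytes standing in for a genuinely encrypted block.
SAMPLE_CONFIG = base64.b64encode(
    b'<FieldSmartConfiguration encoding="basic"><db user="app"/></FieldSmartConfiguration>'
).decode()
SAMPLE_OPAQUE = base64.b64encode(bytes(range(200, 248))).decode()

if __name__ == "__main__":
    for label, blob in (("config", SAMPLE_CONFIG), ("opaque", SAMPLE_OPAQUE), ("thread", "RklSU1Q=")):
        print(label, classify(blob))
```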

  • ih8u (unregistered) in reply to GFK
    GFK:
    BentFranklin:
    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.

    Here's a simple tutorial on how to decode Base64: RG93bmxvYWQgYW5kIGluc3RhbGwgTm90ZXBhZCsrDQpPcGVuIGl0DQpQYXN0ZSB0aGUgdGV4dCBpbiBhIG5ldyBkb2N1bWVudA0KR28gdG8gbWVudSBQbHVnaW5zID4gTUlNRSA+IEJhc2U2NCBEZWNvZGU=

    Finally! A funny base64 post. Ok people, pack it up. We're done here.

  • Me (unregistered) in reply to GFK
    GFK:
    BentFranklin:
    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.

    Here's a simple tutorial on how to decode Base64: RG93bmxvYWQgYW5kIGluc3RhbGwgTm90ZXBhZCsrDQpPcGVuIGl0DQpQYXN0ZSB0aGUgdGV4dCBpbiBhIG5ldyBkb2N1bWVudA0KR28gdG8gbWVudSBQbHVnaW5zID4gTUlNRSA+IEJhc2U2NCBEZWNvZGU=

    I always use the following: ZWNobyBSRzkzYm14dllXUWdZVzVrSUdsdWMzUmhiR3dnVG05MFpYQmhaQ3NyRFFwUGNHVnVJR2ww RFFwUVlYTjBaU0IwYUdVZ2RHVjRkQ0JwYmlCaElHNWxkeUJrYjJOMWJXVnVkQTBLUjI4Z2RHOGdi V1Z1ZFNCUWJIVm5hVzV6SUQ0Z1RVbE5SU0ErSUVKaGMyVTJOQ0JFWldOdlpHVT0gfCBiYXNlNjQg LWQK

  • BlueBearr (unregistered) in reply to GFK
    Here's a simple tutorial on how to decode Base64: RG93bmxvYWQgYW5kIGluc3RhbGwgTm90ZXBhZCsrDQpPcGVuIGl0DQpQYXN0ZSB0aGUgdGV4dCBpbiBhIG5ldyBkb2N1bWVudA0KR28gdG8gbWVudSBQbHVnaW5zID4gTUlNRSA+IEJhc2U2NCBEZWNvZGU=

    RkFJTC4gTm90ZXBhZCsrIGRvZXMgbm90IGluY2x1ZGUgdGhlIE1JTUUgcGx1Z2luIGJ5IGRlZmF1bHQu

  • BSDGeek (unregistered) in reply to GFK

    SSBwcmVmZXIgdXNpbmcgJ2I2NGRlY29kZSAtcHIgL2Rldi9zdGRpbicK=

  • Kempeth (unregistered) in reply to hoodaticus
    hoodaticus:
    TRWTF is that the OP's immediate thought when seeing a random string of alphanumeric characters was that this was encrypted rather than base64 encoded. I would have at least decoded it with base64 first before determining whether the contents were encrypted.
    I can understand that. When you are facing the "encryption" of a 100k product there's certainly a lot of "it couldn't be THIS easy" involved in the thinking process... Imagine fragging yourself through some action game and when you get to the endboss this little old lady with a walking cane enters the arena. You'd be wary too. I mean, it CAN'T be that easy, right? right?
    unwesen:
    If a Base64 implementation is worth $64k, then I've got one to sell. Wanna buy it?
    I have a lovely javascript implementation of Base85...

    Also, ironically, if they had "encrypted" it with rot13 as well it would have been a lot less obvious...

  • C-Octothorpe (cs) in reply to trtrwtf
    trtrwtf:
    This meant a lot of expensive support calls, so the vendor decides to be proactive and makes a config tool.
    Not likely, well not at least if they're in the business of making money...
    trtrwtf:
    Okay, now they have a config tool, and they want to make sure everyone uses it, but somebody along the way says "that cost us money to make it, you can't just give it away".
    Most likely it was probably a tool they used internally to speed up support issues. They probably saw an opportunity to make some cash by simply sprucing up the UI and selling their power toy as a product.
    trtrwtf:
    If someone looks close and realizes how simple it is, no problems - nothing changes. They use the product as they always have.
    If you don't screw things up... I'm sure any warranty goes out the window as soon as you edit their encoded config (and they find out), or support price per hour quadruples for "corrupted config" support calls.

  • Zaratustra (unregistered) in reply to GFK

    I was really expecting the tutorial on how to decode Base64 to be like this:

    WWVhaCwgZXhhY3RseSBsaWtlIHRoYXQu

  • BentFranklin (cs)

    I didn't say I needed instruction on decoding. I said it would be convenient to have a widget on the same page, so decoding would be easier than encoding. Then maybe all the clever base64 comments would go away.

  • Hortical (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Most likely during development they realized that truly encrypting the config section(s) wreaked havoc with the rest of the app, or caused some bad performance issues and at the last minute they decided to simply encode it (they would have to anyway for it to live happily in XML)...

    Couldn't they just base64 the encrypted xml?

    Double plus fun.

  • gizmore (unregistered)

    QmVuZTogTGlrZSAiVGhpcyBlbmNyeXB0aW9uIGlzIGJlbmUi

  • C-Octothorpe (cs) in reply to Hortical
    Hortical:
    C-Octothorpe:
    Most likely during development they realized that truly encrypting the config section(s) wreaked havoc with the rest of the app, or caused some bad performance issues and at the last minute they decided to simply encode it (they would have to anyway for it to live happily in XML)...

    Couldn't they just base64 the encrypted xml?

    Double plus fun.

    Then hash it... I'd like to see them brute force that. Of course this could affect application performance, but I'm willing to take that hit.

  • droid (unregistered)

    All your base-64 are belong to us.

  • hoodaticus (cs)

    If their config files are so important to keep away from the client, then why didn't they do that, replacing the file load with a webservice call?

  • Those who live in glass houses... (unregistered)

    I wish all you ivory tower wannabes would get off your high horses. Base-64 is encryption! Do you even know what encryption means? It means to put in a code. Base-64 is a code. Now STFU.

    And this is for all you pathetic jackwagons posting in Base-64:

    Wkj3382KEKjfjkTquIkllP=

  • I <3 my zune (unregistered) in reply to Me
    Me:
    GFK:
    BentFranklin:
    For the convenience of readers of this thread, several past threads, and, one assumes, many future threads, perhaps The Daily WTF could put a Base64 decoder widget in the sidebar. But please, not an encoder.

    Here's a simple tutorial on how to decode Base64: RG93bmxvYWQgYW5kIGluc3RhbGwgTm90ZXBhZCsrDQpPcGVuIGl0DQpQYXN0ZSB0aGUgdGV4dCBpbiBhIG5ldyBkb2N1bWVudA0KR28gdG8gbWVudSBQbHVnaW5zID4gTUlNRSA+IEJhc2U2NCBEZWNvZGU=

    I always use the following: ZWNobyBSRzkzYm14dllXUWdZVzVrSUdsdWMzUmhiR3dnVG05MFpYQmhaQ3NyRFFwUGNHVnVJR2ww RFFwUVlYTjBaU0IwYUdVZ2RHVjRkQ0JwYmlCaElHNWxkeUJrYjJOMWJXVnVkQTBLUjI4Z2RHOGdi V1Z1ZFNCUWJIVm5hVzV6SUQ0Z1RVbE5SU0ErSUVKaGMyVTJOQ0JFWldOdlpHVT0gfCBiYXNlNjQg LWQK

    This is my method:

  • Anon (unregistered) in reply to MadJo (professional software tester)
    MadJo (professional software tester):
    boog:
    You left out the part where Thijs B's company gets sued to oblivion for "bypassing security" and "reverse engineering" the software.

    Thijs is clearly not a US name, and therefore the DMCA doesn't apply; thanks for playing, we have some lovely consolation prizes for you backstage.

    And, of course, absolutely no foreigners work in the US. And everybody has Anglo-Saxon Christian names.

  • onitake (unregistered)

    Looks a lot like the MSN Messenger protocol. XML stanzas Base64'd inside XML. Ingenious. Or was it some other uber encryption method? I don't quite remember...

  • Anon (unregistered) in reply to Those who live in glass houses...
    Those who live in glass houses...:
    I wish all you ivory tower wannabes would get off your high horses. Base-64 is encryption! Do you even know what encryption means? It means to put in a code. Base-64 is a code. Now STFU.

    An this is for all you pathetic jackwagons posting in Base-64:

    Wkj3382KEKjfjkTquIkllP=

    A brilliant troll!

    Either that or an epic fail. But I'll give them the benefit of the doubt.

  • I h8 ipod (unregistered) in reply to Kempeth
    Kempeth:
    Imagine fucking your way through some playground and when you get to the parking lot this little old lady with a walking cane enters the arena. You'd be wary too. I mean, she can't be that easy (the SLUT!), right? right?

    I have, many a lonely night.

  • C-Octothorpe (cs) in reply to hoodaticus
    hoodaticus:
    If their config files are so important to keep away from the client, then why didn't they do that, replacing the file load with a webservice call?
    Because that just obscures it. If they're determined enough, they can simply sniff the connection and intercept it... If you really want to lock the user out, I think the best approach would be to perform some sort of checksum or hash and have it call home on startup to verify (send back a public key encrypted response so they can't intercept and modify). No encryption needed, just check the integrity of the data, and bomb out badly when they try to make their own changes.

  • Some Dude (unregistered) in reply to Those who live in glass houses...

    Base64 is encoding not encryption. Do you even know what Base64 is?

  • C-Octothorpe (cs) in reply to Some Dude
    Some Dude:
    Base64 is encoding not encryption. Do you even know what Base64 is?
    Don't know what it is, but I know it's worth at least $64k!!!
