How we recovered $300k of Bitcoin(reperiendi.wordpress.com)
"I’m currently looking for work in a staff or senior staff engineering or data scientist role. If you’ve got interesting technical analysis or optimization problems, please reach out to me and let’s talk."
That is probably the best CV I've ever read by accident.
You should broaden your job hunt criteria to technical content marketing - seriously!
Very rare to possess the skill to tell a story in an entertaining, approachable and detailed technical fashion.
> That is probably the best CV I've ever read by accident.
Exactly what I was thinking.
I saw this post and initially skipped it because I know how crypto threads go on HN. Then saw on LinkedIn it was from you. Can confirm, this gent is a great engineer and is actually a nice guy.
> If you’ve got interesting technical analysis...
FYI, not sure if english is your first language or not but this should be "If you have interesting technical analysis..."
"If you've got" may not be formal "correct" English, but everyone understands it and it's used quite commonly in daily speech (and writing). I would wager that "if you've got" may actually be preferable to "if you have," in order to engage the reader at a more comfortable, personal level.
So correct, that I distinctively remember learning it from school books in English class in Germany.
Germans tend to pronounce A's in English as if they were E's ("cat" is pronounced as "k-eh-t" instead of "k-ah-t" -- which I don't really understand since A in German is pronounced as "ah"), so I'm not sure if everything you learned in English class is correct ;-)
English class in Germany told me to pronounce it the "k-ah-t" way because they were primarily teaching British English, but I think a lot of exposure to US Media brings people to pronounce it "k-eh-t" (and maybe overdoing it in trying to do so).
That's another thing I distinctively remember from English class in Germany, being taught the British pronunciation that, at that young age, was much less familiar to me than American pronunciation, and some slight confusion around that.
Definitely overdoing it! :)
I’m a native (non-American) English speaker and the American pronunciation, to me, doesn’t sound like keht at all. (German was technically my first language, although English became my main language at an early age, so I’m quite used to German accents, so it’s definitely not caused by the native accents imho)
I once (when I was ~15 or so) had an argument with a kid who simply would not believe me that the letters C-A-T aren’t pronounced keht
The English books seemed to teach the correct thing, however, using the correct IPA and giving the correct hints. Just like with "I've got [something]".
It's also definitely not the case that the "a" in American English "cat" is pronounced like "a" usually is in German. In that case, the "a" sounds much closer to a German "e" then a German "a". The IPA for AE "cat" is kæt, not kat (where in some parts of Britain it actually is kat).
Thanks, that was interesting :)
Perhaps it is the american accent they are taught, americans would say keht. I always thought it was strange football was fussball in german, yet they'd call in soccer in english.
Except the American accent doesn’t say keht — maybe there’s a slight hint (cough accent) of it, but it’s very slight, while the German way sounds rather odd, I bet even to Americans.
The soccer thing is pretty funny though. :)
FWIW "you've got" seems very US American to me (native en-gb).
“You’ve got mail!”
Yep, sure is.
Not only that, but in speech, the 've is often dropped entirely, like "Hey if you got a few more minutes can I ask another question?"
I wouldn't write this, but I would absolutely say it, and it doesn't carry the rough affect of something like ain't.
I'd say "if y'all got".
To one person?
Yes. For many, it's "all y'all" ;)
The issue is, I think, "you've got analysis" vs either "you've got an analysis" (singular) or "you've got analyses" (plural).
Still, pretty minor thing to nitpick about.
You're misparsing the sentence: "If you’ve got interesting technical analysis [or optimization] problems". "Technical analysis" is an adjective, not a noun.
So I am. I was reading off the GP's (incomplete) quotation it seems.
FYI, not sure if english is your first language or not but this should be "If you have interesting technical analysis..."
I'm not sure if English is your first language, but this should be, "if you have interesting technical analysis..."
Everyone can pick apart the mistakes of others, find mine!
It may not be formal English, but it's idiomic language that a native speaker would use.
> Where have expresses a state rather than an event it is replaceable by the idiom have got.
The Cambridge Grammar of the English Language, 2.5.6(c).
Native American English speaker. "If you've got" like this is perfectly idiomatic.
You’ve got mail! —native English speaker
Ha! Case closed I believe.
> If you’ve got the time... We’ve got the beer. Miller beer.
If you’ve got the money honey / I’ve got the time. —Willie Nelson (American Treasure)
I share your sentiment. This seems to be a great engineer, storyteller, and a person able to make a complex technical story accessible to a layperson with only minimal dumbing down (except if I'm too ignorant to perceive the magnitude of the possible dumbing down, in which case, oh well).
In any case, dear author, thanks for the write up, it makes for great reading, and I hope you receive offers for endeavors that give you as much intellectual stimulation as it is useful to society at large, and a large enough paycheck.
Sadly its not a well paid skill on average (As in, excluding famous youtubers or whatever)
What's different from other CVs? Seems similar to pitches on most personal sites.
This "CV" is the embodiment of show, don't tell: it's a lot more convincing than a bullet point saying "experienced cryptographer".
Yeah but that's because you're on his site. Go on other personal sites and you will experience the same, no?
He didn't say it was the only job pitch that he'd read at the end of an article. He said it was the best one.
I didn't say it was the only one he read, i was asking how it's any better than all the other same ones lol.
The author is a very talented applied cryptographer with a very impressive resume (he is looking for new projects).
The following CV line stands out however:
Google: Software Engineer, Ads Review. June 2014– March 2016.
Angular / Java developer on the internal tool used by contractors to review Google ads for policy violations.
How did that saying about "brightest minds working on ads" go?
I am not blaming the author as I would have done the same(and I imagine author was not told when hired that he'd be working on Java/Angular ad tool).
Again it is not that Java or Angular are bad per se, but working on ad CRUD seems completely orthogonal to author's talents.
> How did that saying about "brightest minds working on ads" go?
The sentiment is a bit older than ads. It goes:
" I saw the best minds of my generation destroyed by madness, starving hysterical naked, dragging themselves through the negro streets at dawn looking for an angry fix,
angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night,
who poverty and tatters and hollow-eyed and high sat up smoking in the supernatural darkness of cold-water flats floating across the tops of cities contemplating jazz,
who bared their brains to Heaven under the El and saw Mohammedan angels staggering on tenement roofs illuminated,
who passed through universities with radiant cool eyes hallucinating Arkansas and Blake-light tragedy among the scholars of war,
who were expelled from the academies for crazy & publishing obscene odes on the windows of the skull,"
Howl by Allen Ginsberg:
Some might consider your post to be off-topic or worse a "well, actually" interjection, I found it fascinating to learn the source of the "best minds of my generation" framing. Thanks.
I see no reason to think Ginsberg originated the phrase "best minds of a generation," but it doesn't appear cliche enough of a phrase to even have an etymology I could look up.
First, that's a different, much more specific variation that is clearly from Howl. I have heard the phrase "the best minds of a generation" in old movies and books before, but they would have been around 1950 so maybe Howl came first. Second, your link isn't actually about the Howl quote anyway, which makes me suspicious that you didn't even read the link you posted. The link investigates a quote from 2011 that contains a play on the first line of Howl and investigates that quote, not Howl, nor the phrase which appears in Howl that we're discussing.
We are discussing the quotation from 2011. See the original comment upthread which reads 'How did that saying about "brightest minds working on ads" go?'
The comment by DavidAdams to which you replied was thanking someone for mentioning the Ginsberg connection in relation to the topic under discussion, i.e. the 2011 'framing' which unambiguously draws on Ginsberg.
I think you're just making trouble, to be honest.
Yeah we shouldn't credit anyone for popularizing anything unless they were the absolute first to fathom the idea.
I didn't say that. I didn't even suggest that he didn't create the term. I just said that there's no reason to assume, just because a phrase exists in famous work of art, that it is the origin or popularizer of the phrase. The person I was responding to said it was interesting to learn the origin of the phrase, except no one actually posted anything indicating it was the origin. It just contained it. Maybe it's the origin. I'd be interested in a good source for it. But the normal places I go to to get reliable etymologies (there are plenty of terrible sources for etymologies, unfortunately) don't have that phrase in there.
In other words, I was saying "that's a bad assumption, but I can't actually confirm or deny whether the conclusion is true."
I don't know where you or other people responding to me got the idea that I was saying anything other than exactly what I said. I'm not sure where the breakdown in meaning has occurred.
I can only claim to know the previous iteration. I'm sure the sentiment is actually as old as civilization its self.
"Out of all the things I have lost, I miss my mind the most."- Ozzy Osbourne
Yeah, and it's why I left that job for something else.
Thank you for your work on PRTK. As a forensic practitioner during your time at AD, it was always an invaluable tool in my kit.
Glad to hear it!
Just wanted to say that was such a fantastic read. Incredible stuff. I aspire to be as talented in Applied crypto.
What's the best way to reach you? I know a few people who might be quite interested and interesting to work with.
> How did that saying about "brightest minds working on ads" go?
I think it goes something like the Open Source saying "that person doesn't owe anyone their intelligence to work on so-called important problems for free, just because it might be nice if they did".
Want smart people to solve important problems? Find a way to pay more for that, than for ads, or find a way they don't need to earn money to live at the standard they want.
Never going to happen. Look at other important jobs - doctors and nurses can have very low wages, while professional footballers earn millions. We all know which one is more important, but there's no way the medics will ever get paid comparably.
Some top doctors can earn at least nba coach level figures. Frontline workers testing people will never make that amount because the skill level is lower so more people can do the work. If everyone refused and only a handful of people were left they couldn't reproduce the same impact anyhow and the program would close instead of paying them millions. Together they have a big impact and one on one they have a big impact but a single first responder doesn't have the attention or connection of millions. Would you put a poster of Jill, Nurse 56 from Grandrapids who works in the covid wing cleaning sheets? Probably not, even though the job is extremely important.
>Some top doctors can earn at least nba coach level figures //
Sure everything from plastic surgeons to heart specialists. Not everyone has to be a doctor to the stars or go on shark tank to make millions. Does your local walkin clinic doctor make that? No, but would make 500k before expensives.
>Want smart people to solve important problems? Find a way to pay more for that, than for ads, or find a way they don't need to earn money to live at the standard they want.
This is essentially the Nuremburg Defense, but it's "just following money" rather than "just following orders".
Unless we reach some magical Utopia, we will always have the choice between making money through ethical or unethical means, with the former being beneficial to society, and latter being more lucrative to the individual.
This is the tragic thing I think. There are some really cool things that I want to work on but very few people paying for it. Awesome doesn't necessarily mean valuable.
OP actually did a lot of bright minded work on the side of the Ads stuff.
"You want doctors and researchers to be paid more than football players? Just find a way to make them more lucrative than ads."
It's a rather reductive and defeatist view. There's nothing more harmful than looking at a specific state of affairs and going "eh, that's just the way the world works", as if our current economic system was an immutable law of nature.
I don't know how you get from "find a way to change things" to reading "the current state is immutable", but I meant exactly the opposite, it's changeable and dynamic and changing.
The brightest minds are working on ad-tech, not as an immutable law of nature, but because that's where the incentives are, and if the parent commenter wants that to change, whining about how the OP isn't more charitable won't solve it, like whining that open source developers don't work on what users want instead of what they want won't change it; If it's all about incentives, we  should look towards finding a way to incentivise the more desired outcome.
 parent commenter alone, or society generally.
Getting paid $300k / year to work on CRUD apps seems pretty nice to me.
Working in easy or boring stuff for a lot of money is nice if you need it, but miserable if you're an intrinsically motivated person.
Being bored for 10 hours a day when you have the capability to do so much really is terrible. Couldn't agree with you more.
I'm kind of in this situation now, and it doesn't feel super great to be sort of trapped in a golden handcuffs kind of situation. The effect would be less intense if it weren't an entirely mental exercise.
I have two thoughts:
1) I generally take the higher paying gigs but mostly so I can accelerate retirement 2) Even in the crappiness of high paying jobs (I often think I'm essentially being bribed to put up with all the BS) I can generally maneuver myself into doing interesting work. It takes about 1.5 years of concerted effort, but once I understand how stuff works, I can generally start nudging stuff in the right direction, and can eventually find some form of fulfillment amongst the BS.
I'm only commenting on 1, not on the rest of your comment:
> I generally take the higher paying gigs but mostly so I can accelerate retirement
My problem with this outlook is that sacrificing my current well-being for increased future well-being is risky. I don't know how long I will live or what my health will be like. I have to make the best of the time I have now (without sacrificing too much future well-being, of course!)
Not that I don't do the same, just, it feels risky, on its own. I think the rest of your comment is super important for this reason.
It's a tricky balance to strike. I used to think that you should just work if it's available to you, but now I'm much more inclined to work so you can afford to not work in the near-term rather than only at the hypothetical end. If you can afford to be laid off or quit and just willingly chill and do whatever for a while, that's a good option to take.
Absolutely. I’m painfully aware that I didn’t offer any solution either, because it is a balance that everyone must find for themselves. The main thing I was trying to get across is that sacrificing now for a reward in the possibly distant (relatively speaking) future is too risky for me since I don’t know what the future holds (and given how many people I know who have died young makes me reluctant to take for granted that I would reach retirement age (even early))
The sentiment is certainly shared.
Having worked in startups for most of my career, I see a lot of engineers who yo-yo between high paid, boring jobs in FAANG-esque companies and burnout-inducing early stage gigs.
I love working at startups and hated working at a large company. You learn 10x more in a fast paced environment where you get a chance to work on a little bit of everything and talking to partners and investors compared to a large scale company where you’re tweaking a small area of the company. Startups are obviously not for everyone and I know plenty of people that prefer the corporate environment either because they like the stability, hours, or the salary.
Which is a really weird situation when you think about it! This gives credence to the theory I've heard that corporate jobs are "unsustainable" in that they will only hire "smart" people, but actively make their employees dumber.
Whether that's the particular mechanism or not, I think this bears investigation.
Well, that's how it is, and that's how it's been for decades.
Entire industries are taking the "best and the brightest", and wasting them on some of the most menial jobs imaginable.
If you already do this every day for 1/10th of that compensation with no way out, the misery and boredom are already the norm.
That's a part of my point. The compensation is arbitrary past a certain point where your actual needs are met, unless you're driven by the stuff you exchange the money for. For myself, it's evident even in the post necessity phase where I know I still need to bank some cash to be able to assume some future volatility, but am not in the market for anything out of my reach to buy, so the money stops having tangible value.
> so the money stops having tangible value
I couldn’t agree with this sentiment more. My current job isn’t the highest paying job I’ve ever had (or could currently get). But the value in what I’m learning and exposed to keeps increasing over time. I am not the smartest person in the room and super happy about that
One can exercise motivation outside of work.
It’s hard to do when you get home with 0 brain power left after working for 8-10 hours straight doing mind-numbing work
But if you are over qualified your effort is lower. Working at a startup I felt I had nothing left in the tank compared to corporate job that I could checkout easily at the end of the day go home and write more code.
Even more so if you're already at home.
No doubt, that's how most people do it. But ideally you don't want your life to be one of hating most of what you're doing and then just compensating for it in a way that keeps the feedback loop working.
Why be unhappy for 8+ hours a day? Life is short enough as it is, sacrificing 1/4 of it seems rather silly to me unless you have to.
(It was probably a lot more than that)
(Who knew you have to pay top dollar for talented people)
wait what?! where are you getting these numbers from?
Unlikely OP earned only $300K/yr
I should move to USA.
Reads the news
I will stay where I live.
This kind of story is pretty standard at Google:
1. Hire the best of the best, typically PhD level.
2. Assign them to random crap project that have precious little to do with their specialty and strengths.
3. Assume that if they were smart enough to earn a PhD on topic X, they'll learn quickly how to do work on Y, even if X and Y are completely unrelated.
I've seen some CS and math PhD grads being employed for software engineering roles where all that mattered was knowing framework X by heart, memorizing GoF patterns, TDD, DDD, SOLID, clean code and all what uncle Bob was preaching in the '90s and early 2000.
I think both CS and software engineering have their own importance but they are not the same. It's better to hire the right person for the job.
Looks like the Google job was relaxing enough to complete a PhD in Computer Science in 2015 at the same time.
Had to squeeze in th PhD after
> Biosimilarity, LLC: Partner. February 2013–May 2014.
Developed a decentralized massively scalable database based on the π-calculus and a secure distributed social network
Actually, being involved in ad tech can get you involved in some really cool tech. It's an incredibly fast-paced industry, lots of parallels to HFT.
And yes, everyone in the industry knows that ads don't work, you have all the ad blockers, etc.
> lots of parallels to HFT.
Including the fact that it might make its practitioners rich, while creating nothing of social value.
In the case of ads, arguably negative social value.
Connecting people to goods and services they may want or need in a targeted way that tries to make them more relevant seems positive if anything to me.
Good thing we have search engines. If I want to find a good or service, I'll go look up reviews or the like. Ads only serve to sell me things that I don't need, in the vast majority of cases. I think it's fair to say that making people want more stuff is socially negative.
> making people want more stuff is socially negative
I don't really think so in the general case. Personally I've eaten a lot of food I found out about from ads and wouldn't have known I wanted otherwise, and I'm glad iit happened.
If you want to try new foods, that's cool, I do too. Read local food reviews.
But if ads convince you to try 47 different restaurants and that otherwise you would have been perfectly happy to eat at home, then the ads did a disservice to society.
Relatively nobody goes out of their way for local food reviews. If advertising was suddenly banned I feel like people would end up much less likely to try anything new and life would be more stagnant overall. New businesses would struggle to attract customers and everyone would gravitate to McDonald's and Wal Mart even more than they already do.
I disagree. I and I lot of people I know go out of our ways for local food reviews, and word of mouth is also incredibly powerful.
And you must remember that for every local food ad there are 300 ads for McDonalds or Walmart, and they are just as effective, altough likely for another demographic.
Great, So when do we start?
I would love to see ads that are only relevant to my life instead of penis pills.
I'm seeing lots of good ads for local business on instagram at the moment, e.g. local bars doing home delivery.
Same for HFT
Why work on something that you know doesn't work and makes the world worse?
Some people are absolutely OK with that. Some people, it bothers deeply. Same about weapons work, or other engineering tasks of various applicable moralities. We all have to make our choices. I know I've worked on things of minimal value, just because I needed to pay for life. I've switched to other things when able.
There's nothing unfairly wrong with Google Ads. It's the trackers that are bad.
And who do you think makes the trackers?
I'm starting to consider any company whose revenue primarily comes from ads to be immoral. It's the business of hijacking people's minds. Part of this means stimulating the worst aspects of thinking: addiction, fear, pain, all that ads seek to satisfy.
You open a business. You sell something or offer a service. Day one is "let people know that I exist". Pretty much every form this take is advertising. No business live without making its customers aware of it.
It's not immoral in specializing on how to advertise. It's immoral to overstep some boundaries when doing it.
Disclosure: I worked in a company whose primary revenue was selling tools to create ads.
I don't think there is any way to get rid of ads from society, as you say. I don't think ads were that big of a problem historically. The problem is that the recent (20ish years) era where the fast response of internet ads (a click on the ad immediately tell you it worked), compared to a tv ad (you wait a month to infer ad effectiveness from the revenue numbers), has enabled rapid A/B testing of ad design.
What that means is that ad design is rapidly iterated upon to maximize revenue of the company . We also know from first principles that ads can have negative influences on people (making people dissatisfied with their bodies or lives, or making them engage in medically harmful behavior like smoking etc etc.). Now, there is very little legal regulation of what can be in an ad, except that factual statements in the ad are true; and ad creators rarely self-regulate.
So you have one variable A=product revenue. You have another variable B=negative psychological impact on viewers of ads. The ad optimization process only optimizes A, and places almost no constraints on B while doing so. Guess what? A significant percentage of ads end up with both high A and B.
This is the problem. I am not proposing any solutions, but the problem exists.
. Also the techniques learned from internet ads are applied to tv, print and billboard ads.
Discovery is a problem that can be solved in a million other methods. If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery.
Painting the advertising industry as "humble startup putting up a sign in the downtown square" is also disingenuous. Most advertisements you see are done by big corporations. What's the excuse of Coca-Cola or McDonalds to plaster the streets with psychologically-crafted pictures of their unhealthy products, then?
> If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery.
Hardly. You buy a domain name, put something on it and then what, wait for an independent reviewer to monitor the registrars? And that review would be discovered how?
> Painting the advertising industry as "humble startup putting up a sign in the downtown square" is also disingenuous. Most advertisements you see are done by big corporations. What's the excuse of Coca-Cola or McDonalds to plaster the streets with psychologically-crafted pictures of their unhealthy products, then?
I have no idea how did you reach that conclusion from what I wrote.
"If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery."
By "independent reviewers", you mean bought youtube influencers, right? Because that's what's often happening in industries where external reviews plays a big role.
You're absolutely correct, but leave it to "the market" and it will drill through your very self if it finds a dime at the bottom.
I understand and agree with your point but I think this site overvalues CS graduates by a lot. There are bright minds everywhere, doing math, physics, literature, medicine, law and a long etc. That "some" minds, because of greed/need-to-subsistence or whatever the reason choose that path is a shame but hardly a loss in the great scheme of things. Most intellectual pursuits are already fiercely competitive as it is.
You might want to read OPs's CV before dismissing his brightness
Sometimes you have no choices than working on something not fitting your skills.
Imagine those with a university degree working at McDonald's serving menus
Wasn't Einstein a patent clerk? Can't imagine working on glue code at Google is all that bad.
”Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest motherfucker in the world. If I moved to a martial-arts monastery in China and studied real hard for ten years. if my family was wiped out by Colombian drug dealers and I swore myself to revenge. If I got a fatal disease, had one year to live, devoted it to wiping out street crime. If I just dropped out and devoted my life to being bad. Hiro used to feel that way, too, but then he ran into Raven. In a way, this is liberating. He no longer has to worry about trying to be the baddest motherfucker in the world. The position is taken.”
Thanks for this quote. I've added Snow Crash to my want-to-read list.
> Recovering the key was usually instantaneous, but to help people feel like they’d gotten their money’s worth, we’d put on a little animated show like a Hollywood hacking scene with lots of random characters that gradually revealed the right password.
and later ...
> I’m currently looking for work in a staff or senior staff engineering or data scientist role. If you’ve got interesting technical analysis or optimization problems, please reach out to me and let’s talk.
I can't help but wonder if this write-up (which is fascinating) may not be one of those little animated shows to help propspective employers feel like they'll get their money's worth.
Slightly offtopic, but I always laughed at these types of animations in hacker movies. Until one day I made a tool to extract strings (mostly passwords or hashes, purely for academic purposes!) through SQL injections in SQL Server when the error message did not return anything useful. I scanned each character bit by bit and depending on the value, I would either return control immediately or delay the response by a couple of hundred ms. That allowed me to reconstruct the string bit by bit, and as new information was acquired for each character - it would change on the screen. It looked exactly like some of these hacker movie scenes... =)
That little animation was put there by the guy who hired me. We got rid of it in the Password Recovery ToolKit that combined all the modules I'd written into a single tool. In that one, we had a big list of any encrypted files we found and their passwords. With enough modules, it was entertaining enough to watch the list grow. And it was very satisfying when the user reused a password on something trivial to crack that let us open a Word 97 file.
That's an incredibly cynical take.
The animated show isn't useful. This article is useful because it actually reveals information about the author.
Also even if you're not interested in the author, it has useful information about cryptography, cryptanalysis, and optimization.
the animated show is useful, it is part of the UX and it can be focal in communicating the intention and expectation behind the software.
it is not part of the main business logic but neither are well designed icons.
That animation was 20 years ago. The author probably has different priorities now?
@metaweta: The technical side is interesting, but seems like the admin side would be too; how did the administration and contract side play out?
Someone needed to front an estimated $100k of GPU costs, without being sure it would work - and then pay for your work on top; who risked that? You had no proof the claimed Bitcoins inside were real, or as many as claimed. You're in New Zealand(?) and the customer is in Russia - you need the file to study it and if you crack it then you have the Bitcoins as well - how did they become comfortable that you wouldn't steal them and say you couldn't crack it? Did it worry you that the owner might not be able to convert them to cash, e.g. if the Exchange was shady and there was very little recourse?
How much work did it take to convince your partner to stop what they were doing, and write GPU code for a crack which might not work?
I'm in the USA. He paid us for some work up front and agreed to pay the rest on delivery of the key. He expected to spend most of the $100K he'd budgeted on GPU costs, so we got much less than that for the work; we took the job because it sounded like fun. We didn't need the information in the archived files, just the encryption headers, so he set most of the bytes to zero. I couldn't have spent the coins even if I wanted to.
Thank you, that is interesting; he's wealthy enough and technically capable enough to make that all go a lot easier. (I guessed from going back to check on the process ID on his laptop that you must have had his laptop, and didn't know you could do that with just headers).
Not only are the cryptography skills of Mr. Mike Stay is obviously impressive, his presentation of things which happened 20 years ago in a vivid yet subtle manner seems extraordinary to me.
Especially since, I can't remember what I did 2 weeks back to write in my blog.
Can you give us the secret of your documentation/notes workflow Mr. Mike (@metaweta)? Please don't say that you recalled from your memory!
I kept a Cryptonomicon!
I always assumed that the encryption used on zip files was relatively trivial and could be broken given the right software and hardware.
Well, it looks like it's a lot harder than I thought. You still need the right software and hardware but you also need the right person to do it.
Most of what I read was above my understanding but it was good reading anyhow. Good job on the recovery and good job writing about it.
You're not alone, wikipedia for zip says
> ZIP supports a simple password-based symmetric encryption system generally known as ZipCrypto. It is documented in the ZIP specification, and known to be seriously flawed. In particular, it is vulnerable to known-plaintext attacks, which are in some cases made worse by poor implementations of random-number generators. https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption
IMO the fact that the author was able to recover the password at all indicates weakness. Something encrypted with AES-GCM would presumably be all but impossible.
Wonder if he tried hashcat first: https://hashcat.net/hashcat/
We won’t really know the true value of bitcoin until options are widely available on retail exchanges like fidelity or at least tdameritrade using people’s normal brokerage and ira accounts.
This may be the plutonic ideal of a Hacker News story. It's also sort of a Travis McGee story but the salvage consultant is a cryptographer.
Perhaps you meant platonic; plutonic has to do with rocks ;)
It got me with SoftIce. Although I never thought to print them out; I needed to watch all the registers change as I was doing similar work or reverse engineering encryption schemes.
I did not have a printer at that time. Notepad with a lot of addresses and registers' values... Also, did not realize one can print from the SoftIce directly, as I assumed it run at the lowest level before all the printer drivers. Certainly, it would be super useful!
I've always wondered what the development process looks like for these type of algorithms. If you have to run the program for a year to know if it will work, how can you have any confidence that what you've written is going to do the trick?
Perhaps you try it on smaller, "test" data to see if it works?
Exactly. We created some zip files we knew the password to and then checked that our code found the right one. Each stage would generate a bunch of files with different candidate ranges, so when testing the next stage, we'd choose the one file we knew had the correct key in it.
It brings interesting trade-offs for program design. You can write the code one way which may be 10x faster but harder to reason about, or another way which is more straightforward but takes an extra 5 days go execute. How confident are you in your code or debugging ability? How many iterations will you need? I'm assuming this was written in CUDA based on the block/thread ID mix-up.
Funny this. Back when I had more time on my hands I liked to do project euler problems. I'd start with the dumbest brute force method to find the answer, and let that run. Then I'd see if I could figure out the math and implement it correctly before the brute force finished. I'd say I had about an 95% success rate at beating the dumb brute force (course it really depends on the problem search space).
What was interesting, is that implementing the brute force solution and running it probably saved me time in the long run, because it managed to turn off a part of my brain that worries about wasted time. As long as I knew the brute force was potentially making progress, I didn't care if I ended up with false starts, or took a long time trying to understand the math, so it was easier to focus on the smarter solution.
This is part of the reason why the software industry's decision to use algorithm problems as time-bounded interview questions is so frustrating.
Right away, you have to make a choice between doing it the reliable way (brute force) and taking a gamble on being able to out-smart the problem and doing it the math-y way. This adds a ton of pressure, no matter which path you choose.
If you choose to start with brute-force, you're stressed that you look stupid because you don't know the trick. If you spend precious minutes looking for the trick, you're stressed because there's no guarantee you'll crack it in the given time.
I've just gone through a gambit of software interviews and this is the biggest thing that determines whether I'll enjoy solving a problem or not. If they start with "find an efficient solution" or "the data set is in the millions" or something along those lines, I know I'm doomed if I don't recognize the form of the problem. If they encourage me to get to a working solution first, and _then_ figure out the trick, I'll typically do well regardless of whether the question is familiar or not.
Does anyone have links to stories that are as good as this? I want to binge blog posts that teach and entertain at the same time.
I've been learning Rust. Reading "The Rust Book" and "Rust By Example" gave me a similar feeling as reading this blog post.
The Soul Of a New Machine is a book that seemed similar to me. A non-fiction story about the creation of a computer.
I kept expecting to read that the password on the zip file turned out to be “password123” or something like that.
I want to know the password too. If it was machine generated looking at that algo might have been useful.
NEARProtocol.com is hiring. Please have a look. https://nearprotocol.com/careers/#openings and I can connect you with our recruiting team. Thanks :)
You are smart beyond my comprehension. Your article was amazing.
Although blockchain technology fits your skillset, I hope you will choose to do something [actually|more] worthwhile to our societies.
"I knew of one place that ran the software for nine months before finally getting in."
And what a beautiful new baby password crack it was.
Attacking the wetware would have been worthy try :) Would hypnosis work to recover the forgotten password?
He actually tried that without success.
Any reason why a dictionary based attack wasn't tried first?
Or did your client remember selecting something really hard in the first place?
Yeah, he knew it was a long passphrase.
Collected the biggest archive of Bitcoin wallet.dat files with balance and lost passwords. https://allprivatekeys.com/wallet.dat The collection consists of 32 files total for 2500+ BTC. The biggest wallet 576 BTC, the most interesting wallet.dat files with pre-mined coins from 2009-2010. Let's try other wallets for a share?
Great story and impressive work at Pyrofex. Can you share your perspective on the crypto industry right now?
There's no way that the AccessData job I had would exist today. Most services are online, with data encrypted in transit and stored in the cloud. TLS security has improved dramatically over the last decade in response to attacks like BEAST and BREACH and CRIME and POODLE. Google drops (? is going to drop?) your SEO ranking if you don't have proper certs installed. Nowadays, it's rare to find an attack on the connection from the browser to the server. Instead, it's either malware on the client or hacking into the servers, where the operators have terrible security practices like storing data unencrypted at rest.
The field of cryptography has grown tremendously, and there's still a lot of research being done. There have been many competitions for developing strong cryptographic primitives. There's a lot of work being done on zero knowledge proofs and verifiable computation. Cryptocurrency has encouraged lots of bright young minds to get involved.
One thing we learned from the Snowden revelations is that crypto works where it's applied, so every little bit of crypto helps. Run a Tor node if you can.
Thanks. Is an implementation of the Casanova and c delta blockchain papers in the works? I don’t see it on GitHub.
The technical proficiency on display here makes me swoon.
No one said TLDR this article, ever. This account has all the components of great book. It reminds me of 'The Soul of a New Machine'.
How off was the 100k compute time estimation?
I think he ended up only spending around $5-10K on compute. I'd have to check with Nash.
What am amazingly fun read. Beyond the obvious technical skills, OP is a great writer.
Great story. I just wish the title was in BTC rather than USD.
The story would be less thrilling, I think: someone bought around 35 BTC, and then later he desperately wanted access to them, because they were worth 35 BTC!
Nah, he just needs to update it from time to time.
Resume of the decade!
excellent story. can you share the number of bitcoins that were retrieved and how the customer lost the password in the first place?
> Back in January of 2016, he had bought around $10K or $15K of Bitcoin and put the keys in an encrypted zip file.
Based on the price of Bitcoin back then, it seems like this was about 30-40 Bitcoin?
About 40 BTC would be in the neighborhood of $300k these days, as well.
Was the computer stolen or did he actually forget the password?
> Luckily, he still had the original laptop and knew exactly when the encryption took place.
This is such a cool story. Thank you, Mike!
That was an amazing read!
This is pretty hardcore
What a great story - a surefire cure for Dunning-Kruger. I'm in awe of this guy.
The easiest way to earn Bitcoins? Just change your browser to CryptoTab and receive payments to your balance every 10 minutes. You will get BTC for simply using it, even if just having CryptoTab browser window open. It takes less than 1 minute to start earning - Hey, everybody! Check out the brand new CryptoTab browser! You just use it like a regular browser (watch Youtube, browse websites or social media networks, etc.) and earn income in BTC at the same time thanks to its built-in mining algorithm! Hi friends! I want to share with you something totally new and incredibly simple - CryptoTab Browser, a great browser with familiar Chromium interface and nice mining feature. The best thing about it is that you can you earn Bitcoins by just browsing the web and bringing new users in. Sounds too good to be true, but it is! Try it here - https://inorangepie.biz/10323306
How could you be sure you didn’t just help heist someone’s bitcoin that this Russian snatched with some malware?
> Luckily, he still had the original laptop and knew exactly when the encryption took place.
But how do you prove that? It’s trivial to replicate the hardware the file was lifted from if the malware grabbed the standard sys info. File create/modify times could also give you a pretty damn good guess as to when the encryption happened.
I don't know why, but these headlines disgust me. There is no insight. Just. Headline of greed.
"How we cracked a zip file" would have been pretty shitty though, right?
If some random Russian dude shows up and offers to pay $100k to crack something with untraceable digital currency inside, don't you worry about getting killed if you fail to do it? Maybe I watch too much TV.
This is racism.