
Twitter Twits Discover ROT-13

They never cease to dismay.


TWITTERWORLD (Rixstep) — Five years down the line and they're still going weak. And they're not only weak - they're stupid too.

Actually they're astoundingly stupid.


Remember how the Twitter Twits decided to disallow certain passwords? And how some unfortunate soul found the passwords embedded in their home page?

Some clever Twitter engineer decided to try to trick all the curious out there. By using advanced encryption. Something called ROT-13.



ROT-13 was invented back in the days of the Caesar reign. So it's not exactly 'state of the art'.

First: here are Twitter's magnificent headers. Some of them. Note the name of their web server software. Note the redundant status values. Note the expiry date, the two cookie sets, their dates, and their redundancy too.

Twitter engineers are a force to reckon with.

HTTP/1.1 200 OK
Server: hi
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-Runtime: 0.01049
Content-Type: text/html; charset=utf-8
Content-Length: 50435
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
Connection: close

Time for some blazing bleeding edge JavaScript. Hold onto your hats!

<script type="text/javascript" id="banned_passwords">
 twttr.BANNED_PASSWORDS = [];
 (function() {
   var r = ["000000","111111","11111111","112233","121212","123123","123456","1234567",
            "12345678","123456789","131313","232323","654321","666666","696969","777777",
            "7777777","8675309","987654","nnnnnn","nop123","nop123","nopqrs","noteglh",
            "npprff","npprff14","npgvba","nyoreg","nyoregb","nyrkvf","nyrwnaqen","nyrwnaqeb",
            "nznaqn","nzngrhe","nzrevpn","naqern","naqerj","natryn","natryf","navzny","nagubal",
            "ncbyyb","nccyrf","nefrany","neguhe","nfqstu","nfqstu","nfuyrl","nffubyr","nhthfg",
            "nhfgva","onqobl","onvyrl","onanan","onearl","onfronyy","ongzna","orngevm","ornire",
            "ornivf","ovtpbpx","ovtqnqql","ovtqvpx","ovtqbt","ovtgvgf","oveqvr","ovgpurf","ovgrzr",
            "oynmre","oybaqr","oybaqrf","oybjwbo","oybjzr","obaq007","obavgn","obaavr","obbobb",
            "obbtre","obbzre","obfgba","oenaqba","oenaql","oenirf","oenmvy","oebapb","oebapbf",
            "ohyyqbt","ohfgre","ohggre","ohggurnq","pnyiva","pnzneb","pnzreba","pnanqn","pncgnva",
            "pneybf","pnegre","pnfcre","puneyrf","puneyvr","purrfr","puryfrn","purfgre","puvpntb",
            "puvpxra","pbpnpbyn","pbssrr","pbyyrtr","pbzcnd","pbzchgre","pbafhzre","pbbxvr","pbbcre",
            "pbeirggr","pbjobl","pbjoblf","pelfgny","phzzvat","phzfubg","qnxbgn","qnyynf","qnavry",
            "qnavryyr","qroovr","qraavf","qvnoyb","qvnzbaq","qbpgbe","qbttvr","qbycuva","qbycuvaf",
            "qbanyq","qentba","qernzf","qevire","rntyr1","rntyrf","rqjneq","rvafgrva","rebgvp",
            "rfgeryyn","rkgerzr","snypba","sraqre","sreenev","sveroveq","svfuvat","sybevqn","sybjre",
            "sylref","sbbgonyy","sberire","serqql","serrqbz","shpxrq","shpxre","shpxvat","shpxzr",
            "shpxlbh","tnaqnys","tngrjnl","tngbef","trzvav","trbetr","tvnagf","tvatre","tvmzbqb",
            "tbyqra","tbysre","tbeqba","tertbel","thvgne","thaare","unzzre","unaanu","uneqpber",
            "uneyrl","urngure","uryczr","uragnv","ubpxrl","ubbgref","ubearl","ubgqbt","uhagre",
            "uhagvat","vprzna","vybirlbh","vagrearg","vjnagh","wnpxvr","wnpxfba","wnthne","wnfzvar",
            "wnfcre","wraavsre","wrerzl","wrffvpn","wbuaal","wbuafba","wbeqna","wbfrcu","wbfuhn",
            "whavbe","whfgva","xvyyre","xavtug","ynqvrf","ynxref","ynhera","yrngure","yrtraq",
            "yrgzrva","yrgzrva","yvggyr","ybaqba","ybiref","znqqbt","znqvfba","znttvr","zntahz",
            "znevar","znevcbfn","zneyobeb","znegva","zneiva","znfgre","zngevk","znggurj","znirevpx",
            "znkjryy","zryvffn","zrzore","zreprqrf","zreyva","zvpunry","zvpuryyr","zvpxrl","zvqavtug",
            "zvyyre","zvfgerff","zbavpn","zbaxrl","zbaxrl","zbafgre","zbetna","zbgure","zbhagnva",
            "zhssva","zhecul","zhfgnat","anxrq","anfpne","anguna","anhtugl","app1701","arjlbex",
            "avpubynf","avpbyr","avccyr","avccyrf","byvire","benatr","cnpxref","cnagure","cnagvrf",
            "cnexre","cnffjbeq","cnffjbeq","cnffjbeq1","cnffjbeq12","cnffjbeq123","cngevpx","crnpurf",
            "crnahg","crccre","cunagbz","cubravk","cynlre","cyrnfr","cbbxvr","cbefpur","cevapr",
            "cevaprff","cevingr","checyr","chffvrf","dnmjfk","djregl","djreglhv","enoovg","enpury",
            "enpvat","envqref","envaobj","enatre","enatref","erorppn","erqfxvaf","erqfbk","erqjvatf",
            "evpuneq","eboreg","eboregb","ebpxrg","ebfrohq","ehaare","ehfu2112","ehffvn","fnznagun",
            "fnzzl","fnzfba","fnaqen","fnghea","fpbbol","fpbbgre","fpbecvb","fpbecvba","fronfgvna",
            "frperg","frkfrk","funqbj","funaaba","funirq","fvreen","fvyire","fxvccl","fynlre",
            "fzbxrl","fabbcl","fbppre","fbcuvr","fcnaxl","fcnexl","fcvqre","fdhveg","fevavinf",
            "fgnegerx","fgnejnef","fgrryref","fgrira","fgvpxl","fghcvq","fhpprff","fhpxvg","fhzzre",
            "fhafuvar","fhcrezna","fhesre","fjvzzvat","flqarl","grdhvreb","gnlybe","graavf","grerfn",
            "grfgre","grfgvat","gurzna","gubznf","guhaqre","guk1138","gvssnal","gvtref","gvttre",
            "gbzpng","gbctha","gblbgn","genivf","gebhoyr","gehfgab1","ghpxre","ghegyr","gjvggre",
            "havgrq","intvan","ivpgbe","ivpgbevn","ivxvat","ibbqbb","iblntre","jnygre","jneevbe",
            "jrypbzr","jungrire","jvyyvnz","jvyyvr","jvyfba","jvaare","jvafgba","jvagre","jvmneq",
            "knivre","kkkkkk","kkkkkkkk","lnznun","lnaxrr","lnaxrrf","lryybj","mkpioa","mkpioaz",
            "mmmmmm"];
   for (var i = r.length - 1; i >= 0; i--){
     twttr.BANNED_PASSWORDS.push(r[i].replace(/[a-z]/gi, function(l){
         var c = l.charCodeAt(0), n = c + 13;
         if((c<=90 && n>90) || (n>122)) { n -= 26; }
         return String.fromCharCode(n);
     }));
   };
 })();
</script>

The jabberwocky in quotes at the beginning is the list of 'banned passwords'. The actual algorithm to put them to use is at the end. It's 'sort of' a giveaway. Like an interstate billboard.

   for (var i = r.length - 1; i >= 0; i--){
     twttr.BANNED_PASSWORDS.push(r[i].replace(/[a-z]/gi, function(l){
         var c = l.charCodeAt(0), n = c + 13;
         if((c<=90 && n>90) || (n>122)) { n -= 26; }
         return String.fromCharCode(n);
     }));
   };

Wikipedia:

Applying ROT13 to a piece of text merely requires examining its alphabetic characters and replacing each one by the letter 13 places further along in the alphabet, wrapping back to the beginning if necessary. A becomes N, B becomes O, and so on up to M, which becomes Z, then the sequence continues at the beginning of the alphabet: N becomes A, O becomes B, and so on to Z, which becomes M. Only those letters which occur in the English alphabet are affected; numbers, symbols, whitespace, and all other characters are left unchanged. Because there are 26 letters in the English alphabet and 26 = 2 × 13, the ROT13 function is its own inverse.

Rocket science worthy of Ruby programmers.

Twitter's Banned Passwords Detwitted

Perhaps the twits at Twitter wanted to keep the passwords away from Google? Who knows. And why would they want to do that? Perhaps the Twitter Twits haven't happened upon a real password dictionary yet and maybe they think they've now covered everything?

Who knows, who cares. Twitter is an utter mess anyway. But here they are. Note how 'ILOVEYOU', a bush kangaroo, a friend of Winnie's, two friends of Austin Powers, Pete Mitchell, Tom Kazansky, and a gay 1980s air force movie all cut the muster. Note how 'abc123', 'asdfgh', 'letmein', 'monkey', 'password' are in there twice. Browse and have fun. Thanks to Sean Collins of Core IT Pro for use of some advanced decryption services.

000000 111111 11111111 112233 121212 123123 123456 1234567 12345678 123456789 131313 232323 654321 666666 696969 777777 7777777 8675309 987654 aaaaaa abc123 abc123 abcdef abgrtyu access access14 action albert alberto alexis alejandra alejandro amanda amateur america andrea andrew angela angels animal anthony apollo apples arsenal arthur asdfgh asdfgh ashley asshole august austin badboy bailey banana barney baseball batman beatriz beaver beavis bigcock bigdaddy bigdick bigdog bigtits birdie bitches biteme blazer blonde blondes blowjob blowme bond007 bonita bonnie booboo booger boomer boston brandon brandy braves brazil bronco broncos bulldog buster butter butthead calvin camaro cameron canada captain carlos carter casper charles charlie cheese chelsea chester chicago chicken cocacola coffee college compaq computer consumer cookie cooper corvette cowboy cowboys crystal cumming cumshot dakota dallas daniel danielle debbie dennis diablo diamond doctor doggie dolphin dolphins donald dragon dreams driver eagle1 eagles edward einstein erotic estrella extreme falcon fender ferrari firebird fishing florida flower flyers football forever freddy freedom fucked fucker fucking fuckme fuckyou gandalf gateway gators gemini george giants ginger gizmodo golden golfer gordon gregory guitar gunner hammer hannah hardcore harley heather helpme hentai hockey hooters horney hotdog hunter hunting iceman iloveyou internet iwantu jackie jackson jaguar jasmine jasper jennifer jeremy jessica johnny johnson jordan joseph joshua junior justin killer knight ladies lakers lauren leather legend letmein letmein little london lovers maddog madison maggie magnum marine mariposa marlboro martin marvin master matrix matthew maverick maxwell melissa member mercedes merlin michael michelle mickey midnight miller mistress monica monkey monkey monster morgan mother mountain muffin murphy mustang naked nascar nathan naughty ncc1701 newyork nicholas nicole nipple nipples oliver orange packers panther panties 
parker password password password1 password12 password123 patrick peaches peanut pepper phantom phoenix player please pookie porsche prince princess private purple pussies qazwsx qwerty qwertyui rabbit rachel racing raiders rainbow ranger rangers rebecca redskins redsox redwings richard robert roberto rocket rosebud runner rush2112 russia samantha sammy samson sandra saturn scooby scooter scorpio scorpion sebastian secret sexsex shadow shannon shaved sierra silver skippy slayer smokey snoopy soccer sophie spanky sparky spider squirt srinivas startrek starwars steelers steven sticky stupid success suckit summer sunshine superman surfer swimming sydney tequiero taylor tennis teresa tester testing theman thomas thunder thx1138 tiffany tigers tigger tomcat topgun toyota travis trouble trustno1 tucker turtle twitter united vagina victor victoria viking voodoo voyager walter warrior welcome whatever william willie wilson winner winston winter wizard xavier xxxxxx xxxxxxxx yamaha yankee yankees yellow zxcvbn zxcvbnm zzzzzz

A Twitter Tip for the Twitter Twits

Things like this are way over their pointy heads but WTF.

UNIQ(1)                   BSD General Commands Manual                  UNIQ(1)

NAME
     uniq -- report or filter out repeated lines in a file

SYNOPSIS
     uniq [-c | -d | -u] [-i] [-f num] [-s chars] [input_file [output_file]]

DESCRIPTION
     The uniq utility reads the specified input_file comparing adjacent lines,
     and writes a copy of each unique input line to the output_file.  If
     input_file is a single dash (`-') or absent, the standard input is read.
     If output_file is absent, standard output is used for output.  The second
     and succeeding copies of identical adjacent input lines are not written.
     Repeated lines in the input will not be detected if they are not adja-
     cent, so it may be necessary to sort the files first.

     The following options are available:

     -c      Precede each output line with the count of the number of times
             the line occurred in the input, followed by a single space.

     -d      Only output lines that are repeated in the input.

     -f num  Ignore the first num fields in each input line when doing compar-
             isons.  A field is a string of non-blank characters separated
             from adjacent fields by blanks.  Field numbers are one based,
             i.e., the first field is field one.

     -s chars
             Ignore the first chars characters in each input line when doing
             comparisons.  If specified in conjunction with the -f option, the
             first chars characters after the first num fields will be
             ignored.  Character numbers are one based, i.e., the first char-
             acter is character one.

     -u      Only output lines that are not repeated in the input.

     -i      Case insensitive comparison of lines.

ENVIRONMENT
     The LANG, LC_ALL, LC_COLLATE and LC_CTYPE environment variables affect
     the execution of uniq as described in environ(7).

EXIT STATUS
     The uniq utility exits 0 on success, and >0 if an error occurs.

COMPATIBILITY
     The historic +number and -number options have been deprecated but are
     still supported in this implementation.

SEE ALSO
     sort(1)

STANDARDS
     The uniq utility conforms to IEEE Std 1003.1-2001 (``POSIX.1'') as
     amended by Cor. 1-2002.

HISTORY
     A uniq command appeared in Version 3 AT&T UNIX.

BSD                              July 3, 2004                              BSD
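To tie the ROT-13 snippet above and the uniq tip together, here is an added example (not Twitter's code and not part of the original article): the same letter-shifting routine as Twitter's script, run over a constructed excerpt of the obfuscated array, followed by a duplicate report (what `uniq -d` would show on the sorted plaintext) and the case-insensitive denylist check that the list is actually for. The excerpt and the function names are this example's own.

```javascript
// Added example, not Twitter's or Rixstep's code.
// Same mapping as the Twitter snippet on the page: shift A-Z / a-z by 13,
// wrapping within the case; digits and symbols pass through unchanged.
// ROT-13 is its own inverse, so this one function both hides and reveals.
function rot13(s) {
  return s.replace(/[a-z]/gi, function (l) {
    var c = l.charCodeAt(0), n = c + 13;
    if ((c <= 90 && n > 90) || n > 122) { n -= 26; }
    return String.fromCharCode(n);
  });
}

// Constructed excerpt of the obfuscated array on the page (a few entries,
// including two of its duplicates); not the full list.
const OBFUSCATED = ["123456", "nop123", "nop123", "cnffjbeq", "cnffjbeq",
                    "cnffjbeq1", "zbaxrl", "zbaxrl", "gjvggre", "vybirlbh"];

// Decode every entry and count how often each plaintext occurs.
function decodeList(entries) {
  const counts = new Map();
  for (const e of entries) {
    const plain = rot13(e);
    counts.set(plain, (counts.get(plain) || 0) + 1);
  }
  return counts;
}

// Plaintexts that occur more than once, sorted: the `uniq -d` view.
function duplicates(entries) {
  return [...decodeList(entries)]
    .filter(([, n]) => n > 1)
    .map(([p]) => p)
    .sort();
}

// Deduplicated, lower-cased denylist; the page's list is all lower case.
function buildDenylist(entries) {
  return new Set([...decodeList(entries).keys()].map((p) => p.toLowerCase()));
}

// The actual control: reject a candidate that is on the denylist. Nothing
// about this check depends on the list being hidden, which is why ROT-13
// adds no security here; a client-side list is readable by anyone anyway.
function isBanned(candidate, denylist) {
  return denylist.has(candidate.toLowerCase());
}
```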

ROT-13 Fun

Surf to rot13.com. Create some really dirty ROT-13 passwords - mess with the Twitter Twit minds. For once your dirty ROT-13 password gets popular, they'll have to include it on their home page. But then it'll be unencrypted.

Furrfu.

See Also
rot13.com: awesoma powa!
Twitter Search: Over+Capacity
Radsoft's Rants: Twitter is a Mess
Rixstep's Software Reviews: #NewTwitter
The Technological: Happy Twitter Holidays
Wikipedia's Rocket Science Series for Ruby Programmers: ROT-13
Twitter home page (accessible by dropping 'Tweet' button in any text entry field)

Copyright © Rixstep. All rights reserved.