Try to open this PDF, cont’d

Yesterday, I asked readers whether PDF encryption was actually effective, and offered up two sample PDFs as a test.

Two readers quickly cracked the easier of the files:

The first file only took about 30 seconds. Right now the second one is running and it’s hit 5 digits so far running at an average rate of 1,005,000 words/second. I’m on an i7 CPU, similar to what you could buy in a nice MacBook Pro laptop.

The vulnerability is the password. The password for the first PDF was a four-digit number. The password for the second PDF was a random 32-character string, which made brute force much less effective.

I ran multiple instances of the same app starting at different password lengths (6, 8, 10, 11, 12) so I was getting upwards of 5M words/second. I let it run for 12+ hours or so but the possible combinations are staggering.

How staggering? Well, if you use a mix of upper and lower case letters and numbers, you get a total of 62 possible characters:

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

Then, depending on your password length, math makes it awesome.

| Length | Combinations | Laptop | Dedicated | Distributed |
|---|---|---|---|---|
| 2 | 3,844 | Instant | Instant | Instant |
| 3 | 238,328 | Instant | Instant | Instant |
| 4 | 15 Million | < 2 Secs | Instant | Instant |
| 5 | 916 Million | 1½ Mins | 9 Secs | Instant |
| 6 | 57 Billion | 1½ Hours | 9½ Mins | 56 Secs |
| 7 | 3.5 Trillion | 4 Days | 10 Hours | 58 Mins |
| 8 | 218 Trillion | 253 Days | 25¼ Days | 60½ Hours |

I’ve adapted this chart from these numbers courtesy Ivan Lucas, which date back to 2009. I’ve arbitrarily labeled the three columns as “laptop,” “dedicated” and “distributed” to illustrate what kind of system might be used in 2014 to achieve these results. The point is that each additional character in the password really does make it much more difficult to solve.

In fact, even at the fastest rate on this chart, solving the 32-character combination on the second PDF would take longer than the age of the universe.¹
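The chart's arithmetic, as an added example that is not part of the original post: it reproduces the keyspace figures, checks the 32-character claim against the age of the universe, and goes one step further by computing the shortest random password that outlasts a given time budget. The three guess rates (10 million, 100 million and 1 billion passwords per second) are assumptions back-derived from the chart's timings.

```python
import string

# Alphabet from the post: digits plus upper- and lower-case letters (62 symbols).
ALPHABET = string.digits + string.ascii_letters

# Assumed guess rates (passwords/second), back-derived from the chart's timings.
RATES = {"laptop": 10**7, "dedicated": 10**8, "distributed": 10**9}

AGE_OF_UNIVERSE_S = int(13.8e9 * 365.25 * 86400)  # ~13.8 billion years, in seconds


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(length, rate, alphabet_size=len(ALPHABET)):
    """Seconds to try every password of this length (average case is half)."""
    return keyspace(length, alphabet_size) / rate


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    if seconds < 1:
        return "instant"
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("mins", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} secs"


def min_length(target_seconds, rate, alphabet_size=len(ALPHABET)):
    """Shortest random password whose full keyspace outlasts target_seconds."""
    length = 1
    while keyspace(length, alphabet_size) < target_seconds * rate:
        length += 1
    return length


if __name__ == "__main__":
    for n in (4, 6, 8, 12, 32):
        row = [humanize(worst_case_seconds(n, r)) for r in RATES.values()]
        print(f"{n:>2}  {keyspace(n):.3e}  " + "  ".join(row))
    ratio = worst_case_seconds(32, RATES["distributed"]) / AGE_OF_UNIVERSE_S
    print(f"32 chars at 1e9/s: {ratio:.1e} x the age of the universe")
    print("length to outlast 100 years at 1e9/s:",
          min_length(100 * 31_557_600, RATES["distributed"]))
```

These figures only hold for passwords drawn uniformly at random from the 62-character alphabet; a password that follows a human pattern falls to far fewer guesses than its length suggests.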

One of the people who cracked the first PDF actually works in IT security. He warns against getting smug:

There are far more advanced methods that utilize GPU hardware and elegantly-crafted combinations of known hash values, dictionary attacks, and brute force to get results much faster.

Hackers have refined their tools using a pool of hundreds of millions of real-world passwords stolen from servers. They don’t have to use brute force if they know that 80% of people follow certain patterns.

For PDF encryption, the consensus seems to be that the latest version of Adobe is pretty effective if you’re using the 128- or 256-bit option and have 8+ random characters. Random, as in not a word in a dictionary.

No standalone file is safe from someone with enough time and the right tools. But for something like a screenplay, encryption is quite a bit better than I expected.

Far from being useless, PDF encryption is potentially worth it. I may start using it more often.

  1. I’m almost sure I’ve done my math wrong, but I love a provocative statement.

Superhero music

You can’t have a superhero movie without epic theme music. Likewise, we can’t have a Scriptnotes live show about superheroes without a suitably giant arrangement of our piddly five-note jingle.

Luckily, Matthew Chilelli has it covered:


The pre-show cocktails are sold out, but there are still a few tickets available for our May 15th live show featuring Christopher Markus & Stephen McFeely, David Goyer, Andrea Berloff and Susannah Grant.


TV writer on set

Dara Resnick Creasey writes about her first time being the staff writer on set:

In the fall of 2007, my husband-and-writing-partner and I began production on the first episode of television we were ever asked to produce — an episode of Bryan Fuller’s Pushing Daisies called “Bitches” about a polygamist dog breeder (played by Joel McHale) who is killed by one of his four wives.

When the writer of an episode is on set, she has to balance the intention of the scene as scripted and the realities of production.

How often you give the director notes depends on the showrunner (does he care about whether the words are said precisely as they’re written on the page?), the director (is she collaborative or combative?), the actors’ moods (have there been eight Fraturdays¹ in a row?), and several other factors. Ultimately, the director will move on to her next gig, and you will have to answer to the showrunner, who will want to know why you did or did not get that shot you all discussed in the concept meeting (yes, that’s another real TV term) before production started.

On the other hand, you also don’t want an entire set full of people grumbling because this is the 18th time today you stopped them from moving on because an actor didn’t say the words as you had them in your head.

In features, the screenwriter sometimes serves the same function, reminding the director why the scene is in the movie, and why it really does matter that this character says a specific line.

But there’s an important difference: the TV staff writer can say, “This is what Bryan wants.” If need be, she can invoke the authority of the showrunner. In features, the screenwriter rarely has that card to play, so he needs to find other means to get notes heard.

  1. “Fraturday” is when production starts late enough on Friday that you’re really losing your Saturday.

Try to open this PDF

I’ve gotten several password-protected scripts recently, and I’ve wondered whether it’s any more than security theater.

So I asked on Twitter:

Several people replied that the most recent update to Adobe Acrobat was pretty solid.

Looking around on the web, I’ve seen a similar range of opinions on how effective various encryption engines really are. But that’s with any theoretical document protected by any theoretical engine.

I’m curious how easy it is to crack the encryption on one simple document using a pretty standard engine. So I made two files, one “easy” and one “tough.”

Update! The easy PDF was cracked in less than a minute using a brute-force command-line tool for Windows. It was a four-digit number: 1806

Here’s the easy file: encryption_test

Here’s the tough file: harder_encryption

Some tips:

  • Each of these is just one page of plain text.
  • Each has instructions for where and what to email if you manage to get the PDF unlocked.
  • I don’t know the passwords. Both were generated randomly. So there’s no point trying to guess. (It’s not “umbrage.”)
  • The easy file has a shorter password.

Mostly, I’m curious whether there are any practical ways to get past these kinds of locks. I’ve avoided locked PDFs under the assumption that they’re useless, but maybe I’m wrong.

So if you’re able to open either document, I’d love to know how you did it.


Uncomfortable Ambiguity, or Nobody Wants Me at their Orgy

Scriptnotes: Ep. 141

Nothing is cut-and-dried this week. John and Craig talk Game of Thrones rape, allegations against director Bryan Singer and the new report showing the same low employment numbers for female writers in film and TV.

Then, what happens when a writer writes fan fiction for the novel she wrote but doesn’t own? We talk about the weird situation L.J. Smith finds herself in with The Vampire Diaries, and what it could mean for screenwriters.

We’re now taking entries for the special live Three Page Challenge on May 15th. Click the link in the notes for details. We’re delighted to have Susannah Grant as our special guest judge for the evening.

LINKS:

You can download the episode here: AAC | mp3.

UPDATE 5-2-14: The transcript of this episode can be found here.


The General Meeting

I didn’t write this, but I’ve been in almost exactly this meeting at least twenty times.


by Anonymous

Hey, come in, come in. Wherever you like. Nice to finally meet you. I’m a big fan. Big fan. You have trouble parking? I know. This place has like a million ways out and only one way in and it’s impossible to find. Like a maze. I know, I know.

Now are you from around here or…? Oh, yeah? Nope, nope… New York, then Boston, then here. About twelve years. On the West Side. Not too far.

So… what do you know about us? Great… well let me tell you. First of all, we’re not like other producers. We don’t have 80 gazillion things in development. We don’t develop. That’s not what we do. If we decide to do something, then we do it. We make movies. We’re in the movie business, not the development business. Plain and simple.

The old days of buying up everything under the sun, that’s not us. That’s not what we do. We have our own money, so we can hire writers and get things going. Then we bring on a director, or we bring on a piece of cast, or we hire an in-house line producer to say, “Hey, this is how much this is going to cost.” Then we take all of that to the studio and we say, “Here’s the movie. Do you want to make this movie, with this script, with this director, with this cast at this amount of money?” Then we go.

Because they’re not looking for scripts anymore. They’re looking for movies. Amy? Donna? To a lesser extent, Stacey. That’s a whole separate thing because they’re dealing with Steven and who even knows what they’re doing over there anymore. But all of them… they’re looking for movies. They want us to bring them movies. And that’s what we do.

With Bumblebunny, that was a piece of material we found, we hired the writers, we worked on draft after draft, we put the package together and we said, “Here you go. Here’s your summer movie.”

Now what’re you working on? Uh-huh. Uh-huh. Yep, you don’t have to tell me. Okay, well, let me tell you what we have. Back up for just a second. Let me tell you where we were and where we are.

Do you know of a property called SLAPPY PAPPY? Why would you, right?

Well, it’s based on a best-selling children’s book and was like the number one show in all of Europe for like five years. And no one over here had heard of it. No one. So we bought it and brought it over here and we gave it to Attanasio who did a pass and then we gave it to McQuarrie who did a pass but no one could crack this thing. McQuarrie even said, “I love this, I love this, I love this… but I can’t solve it. Hahhahah. You know?” And that’s Slappy Pappy which I think you would be perfect for.

Oh, right… it’s about a kid who’s about nine-years-old and he smokes and cusses and is really irreverent, you know, because no one gives a shit in Europe, you know? And anyway, he has this old grandpa who’s always trying to hit him — I mean, we say “spank” we don’t say “hit” — but anyway, the kid finds out about these worm-people who are taking over his town and he has to convince his Pappy this is real but everyone thinks the Pappy is crazy, and he’s crazy, and maybe he is, you know? And that’s Slappy Pappy.

Okay, so what I’ll do is I’ll send you the book and I’ll send you this story document we wrote… I won’t send you any of the drafts because they’ll just… that’s NOT what we want to do, you know? And take a look. And if you spark to it, then we can talk some more.

Listen, this is a personal favorite of the studio’s. It’s their kind of movie and they’re looking for a franchise. They’re begging for this.

Okay, great. Yep, yep, exactly. Okay, did Veronica give you validation up front? Okay… well stop by there and she’ll stamp you. Seriously, terrific to finally meet you. Okay… yep, and we’ll send it over. Thanks!