John

Try to open this PDF, cont’d

April 30, 2014 Follow Up, Geek Alert

Yesterday, I [asked](http://johnaugust.com/2014/try-to-open-this-pdf) readers whether PDF encryption was actually effective, and offered up two sample PDFs as a test.

Two readers quickly cracked the easier of the files:

> The first file only took about 30 seconds. Right now the second one is running and it’s hit 5 digits so far running at an average rate of 1,005,000 words/second. I’m on an i7 CPU, similar to what you could buy in a nice Macbook Pro laptop.

The vulnerability is the password. The password for the first PDF was a four-digit number. The password for the second PDF was a random 32-character string, which made brute force much less effective.

> I ran multiple instances of the same app starting at different password lengths (6, 8, 10, 11, 12) so was getting upwards of 5M words/second. I let it run for 12+ hours or so but the possible combinations are staggering.

How staggering? Well, if you use a mix of upper and lower case letters and numbers, you get total of 62 possible characters:

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

Then, depending on your password length, math makes it awesome.

Length	Combinations	Laptop	Dedicated	Distributed
2	3,844	Instant	Instant	Instant
3	238,328	Instant	Instant	Instant
4	15 Million	< 2 Secs	Instant	Instant
5	916 Million	1½ Mins	9 Secs	Instant
6	57 Billion	1½ Hours	9½ Mins	56 Secs
7	3.5 Trillion	4 Days	10 Hours	58 Mins
8	218 Trillion	253 Days	25¼ Days	60½ Hours

I’ve adapted this chart from [these numbers](http://www.lockdown.co.uk/?pg=combi) courtesy Ivan Lucas, which date back to 2009. I’ve arbitrarily labeled the three columns as “laptop,” “dedicated” and “distributed” to illustrate what kind of system might be used in 2014 to achieve these results. The point is that each additional character in the password really does make it much more difficult to solve.

In fact, even at the fastest rate on this chart, solving the 32-character combination on the second PDF would take longer than the age of the universe. ((I’m almost sure I’ve done my math wrong, but I love a provocative statement.))

One of the people who cracked the first PDF actually works in IT security. He warns against getting smug:

> There are far more advance methods that utilize GPU hardware and elegantly-crafted combinations of known hash values, dictionary attacks, and brute force to get results much faster.

> Hackers have refined their tools using a pool of hundreds of millions of real-world passwords stolen from servers. They don’t have to use brute force if they know that 80% of people follow certain patterns.

For PDF encryption, the consensus seems to be that the latest version of Adobe is pretty effective if you’re using the 128 or 256 bit option and have 8+ random characters. Random, as in not a word in a dictionary.

No standalone file is safe from someone with enough time and the right tools. But for something like a screenplay, encryption is quite a bit better than I expected.

Far from being useless, PDF encryption is potentially worth it. I may start using it more often.

Superhero music

April 30, 2014 News

You can’t have a superhero movie without epic theme music. Likewise, we can’t have a Scriptnotes live show about superheroes without a suitably giant arrangement of our piddly five-note jingle.

Luckily, Matthew Chilelli [has it covered](https://soundcloud.com/matthew-chilelli/scriptnotes-superhero-spectacular):

The pre-show cocktails are sold out, but there are still a [few tickets available](https://www.wgfoundation.org/screenwriting-events/scriptnotes-summer-superhero-spectacular/) for our May 15th live show featuring Christopher Markus & Stephen McFeely, David Goyer,
Andrea Berloff and Susannah Grant.

TV writer on set

April 30, 2014 Directors, Psych 101, Television

Dara Resnick Creasey writes about her first time being the [staff writer on set](http://hollywoodjournal.com/industry-impressions/youre-all-set/20140423/):

> In the fall of 2007, my husband-and-writing-partner and I began production on the first episode of television we were ever asked to produce — an episode of Bryan Fuller’s Pushing Daisies called “Bitches” about a polygamist dog breeder (played by Joel McHale) who is killed by one of his four wives.

When the writer of an episode is on set, she has to balance the intention of the scene as scripted and the realities of production.

> How often you give the director notes depends on the showrunner (does he care about whether the words are said precisely as they’re written on the page?), the director (is she collaborative or combative?), the actors’ moods (have there been eight Fraturdays ((“Fraturday” is when production starts late enough on Friday that you’re really losing your Saturday.)) in a row?), and several other factors. Ultimately, the director will move on to her next gig, and you will have to answer to the showrunner, who will want to know why you did or did not get that shot you all discussed in the concept meeting (yes, that’s another real TV term) before production started.

> On the other hand, you also don’t want an entire set full of people grumbling because this is the 18th time today you stopped them from moving on because an actor didn’t say the words as you had them in your head.

In features, the screenwriter sometimes serves the same function, reminding the director why the scene is in the movie, and why it really does matter that this character says a specific line.

But there’s an important difference: the TV staff writer can say, “This is what Bryan wants.” If need be, she can evoke the authority of the showrunner. In features, the screenwriter rarely has that card to play, so he needs to find other means to get notes heard.

Try to open this PDF

April 29, 2014 Apps, Geek Alert

I’ve gotten several password-protected scripts recently, and I’ve wondered whether it’s any more than security theater.

So I [asked on Twitter](https://twitter.com/johnaugust/statuses/461262646398840832):

Serious question: Are password-protected PDFs actually secure, or is it like a cheap cable lock for your bike?

— John August (@johnaugust) April 29, 2014

To clarify, I'm talking about password-to-open, not password-to-print for PDFs. I assume anything that can be seen can be copied.

— John August (@johnaugust) April 29, 2014

Several people replied that the most recent update to Adobe Acrobat was pretty solid.

Looking around on the web, I’ve seen a similar [range](http://pcsupport.about.com/od/toolsofthetrade/tp/pdf-password-remover.htm) of [opinions](http://lifehacker.com/231955/how-to-crack-password-protected-pdfs) on how effective various encryption engines really are. But that’s with any theoretical document protected by any theoretical engine.

I’m curious how easy it is to crack the encryption on one simple document using a pretty standard engine. So I made two files, one “easy” and one “tough.”

**Update! The easy PDF was cracked in less than a minute using a brute-force command-line tool for Windows. It was a four-digit number: 1806**

Here’s the easy file: [encryption_test](http://ja-vincent.s3.amazonaws.com/encryption_test%20-%20CONFIDENTIAL.pdf)

Here’s the tough file: [harder_encryption](http://ja-vincent.s3.amazonaws.com/harder_encryption%20-%20CONFIDENTIAL.pdf)

Some tips:

– Each of these is just one page of plain text.
– Each has instructions for where and what to email if you manage to get the PDF unlocked.
– I don’t know the passwords. Both were generated randomly. So there’s no point trying to guess. (It’s not “umbrage.”)
– The easy file has a shorter password.

Mostly, I’m curious whether there are any practical ways to get past these kinds of locks. I’ve avoided locked PDFs under the assumption that they’re useless, but maybe I’m wrong.

So if you’re able to open either document, I’d love to know how you did it.

« Previous Page