Geek Alert

Checking batches of PDFs

May 13, 2014 Apps, Follow Up, Geek Alert

Last week, I [wondered aloud](http://2ja.co/ymstb) how I could check creator codes on a folder full of PDFs without checking them one-by-one.

[Zoë Blade](https://twitter.com/zoeblade/status/465787514427822080) wrote in with a Terminal command, but it turns out I could do it in Automator very easily. Here’s the workflow.

automator workflow

Why didn’t I try Automator first? Past experience.

Over the years, I’ve tried doing a dozen things in Automator, only to run into obstacles where it can’t do quite what I need. Often, the breakdown is conditional logic, or the need to transfer a value from one section to the next. ((Having played with other building-block environments like Scratch, I know it’s absolutely possible to do logic and variables in a drag-and-drop way, but I have a feeling Automator isn’t getting updated.))

This is the rare case where Automator does almost exactly what I want. I’ve saved this workflow as an application so I can periodically test batches of files.

Which apps are screenwriters using?

May 9, 2014 Follow Up, Fountain, Geek Alert, Highland, Screenwriting Software

We had [57 entries](http://johnaugust.com/threepagelive) for the Three Page Challenge we’re conducting on May 15th.

I wondered which apps these screenwriters were using, so I checked the metadata for each file. ((Mac Nerds: After a lot of Googling, I couldn’t find a way to display creator information for each file in a folder; I had to do them one-by-one using Finder’s Get Info. If you have a command-line trick for this, I’d love to know it.))

| **App** | **# of Entries** | **% of Total** |
|—————|————–|———–:|
| Final Draft 8 | 18 | 32% |
| (unclear) ((The (unclear) category is for PDFs that don’t have a recognizable creator. For example, some PDFs show up as being from Preview on the Mac, which is primarily a reader but can be used to paste together multiple files.)) | 7 | 12% |
| Fade In | 7 | 12% |
| Final Draft (Windows) | 6 | 11% |
| Slugline | 5 | 9% |
| Final Draft 9 | 4 | 7% |
| Screenwriter | 3 | 5% |
| Celtx | 2 | 4% |
| Final Draft 7 | 2 | 4% |
| Highland | 1 | 2% |
| TextEdit | 1 | 2% |
| Word | 1 | 2% |
| **Total** |**57** | 100% |

Adding up its various incarnations, we find that Final Draft created just over half the entries. That’s about what I would have expected.

But I find it interesting that so many users have stuck with Final Draft 8, rather than version 9. There are still holdouts with version 7 as well.

I was happy to see six dedicated screenwriting apps (Final Draft, Fade In, Slugline, Screenwriter, Celtx and Highland) among the entrants. I didn’t find any Adobe Story or WriterDuet scripts. ((If you submitted a script written in Adobe Story or WriterDuet, let me know and I’ll amend the figures.))

Writers submitting to the Three Page Challenge are, almost by definition, listeners to the Scriptnotes podcast, in which we’ve discussed Final Draft, Fade In, Slugline and Highland among other apps. I wonder to what degree that has influenced their choices.

Three Page Challengers are also generally aspiring screenwriters, rather than working pros. To me, that makes entrants more likely have recently purchased software (or web-based subscription services) than established writers, who tend to stick with what they know.

The online submission for Three Page Challenges worked well enough that we’ll keep using some version of it. In the next incarnation, we’ll ask upon submission which app the writer used.

Try to open this PDF, cont’d

April 30, 2014 Follow Up, Geek Alert

Yesterday, I [asked](http://johnaugust.com/2014/try-to-open-this-pdf) readers whether PDF encryption was actually effective, and offered up two sample PDFs as a test.

Two readers quickly cracked the easier of the files:

> The first file only took about 30 seconds. Right now the second one is running and it’s hit 5 digits so far running at an average rate of 1,005,000 words/second. I’m on an i7 CPU, similar to what you could buy in a nice Macbook Pro laptop.

The vulnerability is the password. The password for the first PDF was a four-digit number. The password for the second PDF was a random 32-character string, which made brute force much less effective.

> I ran multiple instances of the same app starting at different password lengths (6, 8, 10, 11, 12) so was getting upwards of 5M words/second. I let it run for 12+ hours or so but the possible combinations are staggering.

How staggering? Well, if you use a mix of upper and lower case letters and numbers, you get total of 62 possible characters:

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

Then, depending on your password length, math makes it awesome.

Length	Combinations	Laptop	Dedicated	Distributed
2	3,844	Instant	Instant	Instant
3	238,328	Instant	Instant	Instant
4	15 Million	< 2 Secs	Instant	Instant
5	916 Million	1½ Mins	9 Secs	Instant
6	57 Billion	1½ Hours	9½ Mins	56 Secs
7	3.5 Trillion	4 Days	10 Hours	58 Mins
8	218 Trillion	253 Days	25¼ Days	60½ Hours

I’ve adapted this chart from [these numbers](http://www.lockdown.co.uk/?pg=combi) courtesy Ivan Lucas, which date back to 2009. I’ve arbitrarily labeled the three columns as “laptop,” “dedicated” and “distributed” to illustrate what kind of system might be used in 2014 to achieve these results. The point is that each additional character in the password really does make it much more difficult to solve.

In fact, even at the fastest rate on this chart, solving the 32-character combination on the second PDF would take longer than the age of the universe. ((I’m almost sure I’ve done my math wrong, but I love a provocative statement.))

One of the people who cracked the first PDF actually works in IT security. He warns against getting smug:

> There are far more advance methods that utilize GPU hardware and elegantly-crafted combinations of known hash values, dictionary attacks, and brute force to get results much faster.

> Hackers have refined their tools using a pool of hundreds of millions of real-world passwords stolen from servers. They don’t have to use brute force if they know that 80% of people follow certain patterns.

For PDF encryption, the consensus seems to be that the latest version of Adobe is pretty effective if you’re using the 128 or 256 bit option and have 8+ random characters. Random, as in not a word in a dictionary.

No standalone file is safe from someone with enough time and the right tools. But for something like a screenplay, encryption is quite a bit better than I expected.

Far from being useless, PDF encryption is potentially worth it. I may start using it more often.

Try to open this PDF

April 29, 2014 Apps, Geek Alert

I’ve gotten several password-protected scripts recently, and I’ve wondered whether it’s any more than security theater.

So I [asked on Twitter](https://twitter.com/johnaugust/statuses/461262646398840832):

Serious question: Are password-protected PDFs actually secure, or is it like a cheap cable lock for your bike?

— John August (@johnaugust) April 29, 2014

To clarify, I'm talking about password-to-open, not password-to-print for PDFs. I assume anything that can be seen can be copied.

— John August (@johnaugust) April 29, 2014

Several people replied that the most recent update to Adobe Acrobat was pretty solid.

Looking around on the web, I’ve seen a similar [range](http://pcsupport.about.com/od/toolsofthetrade/tp/pdf-password-remover.htm) of [opinions](http://lifehacker.com/231955/how-to-crack-password-protected-pdfs) on how effective various encryption engines really are. But that’s with any theoretical document protected by any theoretical engine.

I’m curious how easy it is to crack the encryption on one simple document using a pretty standard engine. So I made two files, one “easy” and one “tough.”

**Update! The easy PDF was cracked in less than a minute using a brute-force command-line tool for Windows. It was a four-digit number: 1806**

Here’s the easy file: [encryption_test](http://ja-vincent.s3.amazonaws.com/encryption_test%20-%20CONFIDENTIAL.pdf)

Here’s the tough file: [harder_encryption](http://ja-vincent.s3.amazonaws.com/harder_encryption%20-%20CONFIDENTIAL.pdf)

Some tips:

– Each of these is just one page of plain text.
– Each has instructions for where and what to email if you manage to get the PDF unlocked.
– I don’t know the passwords. Both were generated randomly. So there’s no point trying to guess. (It’s not “umbrage.”)
– The easy file has a shorter password.

Mostly, I’m curious whether there are any practical ways to get past these kinds of locks. I’ve avoided locked PDFs under the assumption that they’re useless, but maybe I’m wrong.

So if you’re able to open either document, I’d love to know how you did it.

« Previous Page