matt blaze (@mattblaze), Dec 23, 2020, 31 tweets
Christmas cryptography: In “A Christmas Story”, Ralphie is shown with what appears to be a 1940 edition of the official Orphan Annie decoder badge, which would be appropriate for the time in which the film is set. The prop used appears to be an original badge. 1/
I know this because I have one in my collection (Enigma machines being too rich for me). Unfortunately, this is where things go a bit off the rails, cryptographically speaking. 2/
These decoder badges had two rings, one with the numbers 1-26, and the other with a permutation of the 26 letters of the alphabet. The badge could be set to one of 26 offsets (a keyspace of under 5 bits) by rotating one ring with respect to the other. 3/
The key could be denoted by specifying a number and its corresponding letter, revealing a static monoalphabetic substitution. Ciphertext would be numeric, plaintext alphabetic. On the Orphan Annie radio show, keys would be given prior to reading the plaintext numbers. 4/
This is, as any cryptographer will recognize, a terrible practice. The system only has a 5 bit key to start with, but that security is immediately negated by revealing the key! Fortunately, Orphan Annie’s adversaries were apparently dumb as rocks and never caught on. Anyway, 5/
The permutation would be changed with each year’s badge. This was presumably intended to force you to send in new boxtops each year if you wanted to keep decoding messages. (Although you could still cryptanalyze messages by frequency analysis). But I digress. 6/
In the film, Ralphie is shown excitedly transcribing his first message. He is told the key is “B-2”, instructing him to set the badge so B on the letter ring lines up with the digit 2. Then the plaintext is read out: 12, 11, 2, 8, 25, 14, 11, 18, 16, 23, 12, 23, 21, 3, 25. 7/
That’s a 15 character message (traffic analysis!). Now, it’s possible that we are intended, through the magic of film grammar, to assume some time passes between the beginning and the end of the message, but it definitely starts 12, 11, 2, 8 and ends with 21, 3, 25. 8/
The punchline of the scene is that the message turns out to be “BESURETODRINKYOUROVALTINE”, and Ralphie learns hard lessons in both cryptography and capitalism. But something else is wrong here. 9/
Even assuming missing characters in the middle, we know that this couldn’t possibly have been the plaintext. Remember, the key is B-2. So “BESURE…” would have to start with 2, not 12. So maybe this was a small script typo, and the key was supposed to be “B-12”. But… 10/
I dutifully set my decoder badge to B-12. That yielded a decoded message of BESXRHEIDNBNKUR. At least it starts with BES, but then it just gets horribly lost. And we know that since E=11 here, the ciphertext would have to have ended with 11. It’s all just wrong. 11/
Using the codes from badges from other years works no better (I said I had a collection, remember?). It’s as if Shep just gave up after the first three characters.

I’m sorry if I’ve ruined a beloved holiday film for you. But truth matters.

Happy Holidays. 12/12
I said “plaintext” when I plainly meant “ciphertext” when referring to the numeric message above. But you knew that. In any case, the Radio Orphan Annie cipher isn’t very secure. Don’t use it to protect important secrets.
NB: the Orphan Annie (and later Captain Midnight) code-o-graph decoder badges had a keyspace of about 5 bits. Adjusted for Moore’s Law (which makes no sense to do, but stay with me), that’s roughly equivalent to the strength of DES today. No export restrictions, either.
Picking up this thread, to save you from having to drink enough Ovaltine to get sufficiently many boxtops to get your own decoder badge, I've cataloged the alphabet permutations on the official Radio Orphan Annie Secret Society badges from the various years they were made.
1935 (the first year ROA badges were issued):
AMZNBLYOKCQXJDRWIESVHGTFUP
1936:
AGTPBHMCSQDFZLNEVJYIWUROKX
1937:
AQIPBNMDSQCFXEHLVJYTWURGKZ
1938:
ALVYUTXZWJSNQIBMGPFCKRODHE
1939:
ACEBFDGPMNLKQRWVXUYSHJTIZO
1940:
ACEBGHFDJILMKWNORPQSUTVYZX
1940 was the last year for Radio Orphan Annie's Code-O-Graph badges. But don't worry! Ovaltine switched its sponsorship to Captain Midnight, whose Secret Squadron issued suspiciously similar badges to those who could prove their loyalty with boxtops, starting in 1941.
1941 (the first year for Captain Midnight's Secret Squadron badges):
AXNQEGMKFWZHIOBLTDSRCJVUPY
1942:
AEXDTZKNYCJWSGUMBOQHRIVFPL
No new Secret Squadron badges were issued in 1943 or 1944 due to wartime shortages, but they continued to use the 1942 code.
1945:
AFXDTZKNYCJWSGUMPOQHRIVEBL
1946:
AGHTVQSEPYJIFLXKDCWRBONZMU
1947:
ATMPQUOVFYBHJNGIXSDKRGMLEZ
1948:
ALVYUTXZWJSNQIBMGPFCKRODHE

(This is the same as the 1938 Radio Orphan Annie code - very bad tradecraft!)
1949 (The last year for the Secret Squadron badges):
AEHDORKCFPGMBIQNSJWZXTUYVL
Captain Midnight issued some "decoder planes" in the 1950's, but I don't have any of those in my collection, so you'll have to ask the NSA or something if you want the permutations for those.

Happy decrypting, Squadron members.
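To make the mechanics above concrete, here is a small model of the Code-O-Graph badge as the thread describes it: a ring of numbers 1-26 against a ring carrying one year's letter permutation, set by lining a letter up with a number. This is an added example written for this page, not code from the thread's author; the function and variable names are my own. It uses the permutations exactly as transcribed in the thread and the film's numbers from tweet 7, reproduces the "B-12 gives BESXRHEIDNBNKUR" result on the 1940 ring, counts the distinct settings (26, so log2(26) is just under 5 bits, and note that many different "letter-number" labels name the same rotation), finds the 1938/1948 reuse, and includes a validity check a practitioner would want: as transcribed, the 1937 and 1947 strings each repeat a letter and so are not complete permutations, which the check flags rather than silently accepting.

```python
"""Model of the Ovaltine Code-O-Graph badge cipher, with checks of the thread's claims.

Added example for this page; not the thread author's code. Names are my own choices.
"""
from math import log2

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Letter-ring permutations exactly as transcribed in the thread: Radio Orphan Annie
# badges 1935-1940, Captain Midnight Secret Squadron badges 1941-1949 (1943 and 1944
# reused the 1942 ring). Copied verbatim, including the two entries that repeat letters.
BADGE_PERMS = {
    1935: "AMZNBLYOKCQXJDRWIESVHGTFUP",
    1936: "AGTPBHMCSQDFZLNEVJYIWUROKX",
    1937: "AQIPBNMDSQCFXEHLVJYTWURGKZ",
    1938: "ALVYUTXZWJSNQIBMGPFCKRODHE",
    1939: "ACEBFDGPMNLKQRWVXUYSHJTIZO",
    1940: "ACEBGHFDJILMKWNORPQSUTVYZX",
    1941: "AXNQEGMKFWZHIOBLTDSRCJVUPY",
    1942: "AEXDTZKNYCJWSGUMBOQHRIVFPL",
    1945: "AFXDTZKNYCJWSGUMPOQHRIVEBL",
    1946: "AGHTVQSEPYJIFLXKDCWRBONZMU",
    1947: "ATMPQUOVFYBHJNGIXSDKRGMLEZ",
    1948: "ALVYUTXZWJSNQIBMGPFCKRODHE",
    1949: "AEHDORKCFPGMBIQNSJWZXTUYVL",
}

# The numbers read out to Ralphie in the film, as transcribed in the thread.
FILM_CIPHERTEXT = [12, 11, 2, 8, 25, 14, 11, 18, 16, 23, 12, 23, 21, 3, 25]


def is_permutation(perm: str) -> bool:
    """True only if every letter of the alphabet appears exactly once on the ring."""
    return sorted(perm) == list(ALPHABET)


def badge_offset(key_letter: str, key_number: int, perm: str) -> int:
    """Reduce a spoken key such as "B-12" to the physical rotation it selects.

    Returns the letter-ring index of the letter sitting under the number 1. Any two
    keys that select the same rotation are the same key, so the 26*26 possible
    labels collapse to just 26 settings.
    """
    return (perm.index(key_letter) - (key_number - 1)) % 26


def decode(ciphertext, key_letter, key_number, perm):
    """Numbers -> letters: number n sits over letter-ring position offset + n - 1."""
    off = badge_offset(key_letter, key_number, perm)
    return "".join(perm[(off + n - 1) % 26] for n in ciphertext)


def encode(plaintext, key_letter, key_number, perm):
    """Letters -> numbers, the inverse of decode() under the same setting."""
    off = badge_offset(key_letter, key_number, perm)
    return [(perm.index(ch) - off) % 26 + 1 for ch in plaintext.upper()]


def keyspace_bits(perm):
    """Distinct rotations reachable with any letter-number key: 26, i.e. log2(26) ~ 4.7."""
    settings = {badge_offset(letter, n, perm) for letter in perm for n in range(1, 27)}
    return log2(len(settings))


def try_every_setting(ciphertext, perm):
    """Brute force: one candidate plaintext per rotation, labelled by the letter under 1."""
    return {perm[off] + "-1": "".join(perm[(off + n - 1) % 26] for n in ciphertext)
            for off in range(26)}


def reused_permutations(perms):
    """(earlier, later) year pairs whose badges carry the identical letter ring."""
    first_seen, reused = {}, []
    for year in sorted(perms):
        perm = perms[year]
        if perm in first_seen:
            reused.append((first_seen[perm], year))
        else:
            first_seen[perm] = year
    return reused


if __name__ == "__main__":
    p1940 = BADGE_PERMS[1940]
    print("B-12 on the 1940 badge decodes the film's numbers as",
          decode(FILM_CIPHERTEXT, "B", 12, p1940))
    print("Numbers the film's plaintext would actually produce under B-12:",
          encode("BESURETODRINKYOUROVALTINE", "B", 12, p1940))
    print("Keyspace: %.2f bits" % keyspace_bits(p1940))
    print("All 26 settings:", try_every_setting(FILM_CIPHERTEXT, p1940))
    print("Reused rings:", reused_permutations(BADGE_PERMS))
    print("Not valid permutations as transcribed:",
          sorted(y for y, p in BADGE_PERMS.items() if not is_permutation(p)))
```

Running it shows the thread's point in two ways: only one of the 26 rotations puts B under 12, it yields BESXRHEIDNBNKUR, and no rotation at all yields a plaintext beginning BESURE; and because the whole keyspace is enumerable in a single loop, announcing the key on air was not the only problem, since a listener could try every setting by hand in minutes.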
