A remote team of three hobbyist cryptologists have solved one of the Zodiac Killer’s cipher after a half century. And while the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology and the basic building blocks of cybersecurity — access control and segmentation.
The Zodiac serial killer is believed to have murdered at least five people — and likely more — in and around the Northern California area in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker “Zodiac”.
The 340 Cipher
The first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out — until this week, almost 50 years later, when an unlikely team of cryptographers broke the code.
This cipher was sent to the offices of the San Francisco Chronicle in in 1969. David Oranchak, a web designer based in Virginia, has been trying to solve it for 14 years — but a breakthrough remote collaboration with other code breakers was the key.
Oranchak made a series of YouTube videos about about the cipher which attracted the others to the project. Building off Oranchak’s work, Australian-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote the code-breaking software, according to a Vice report and interview with Oranchak.
An ‘Algorithmic’ Approach
“When I watched those, I thought ‘This is a really good analytical approach that he’s taken to try to solve this.’ And I sort of saw a couple of things that I thought might be interesting for him to try,” Blake told Vice in a recent interview. “So I reached out to him originally through a YouTube comment, and then we got chatting, and it went from there. I got serious about it in March of this year, and we spent a lot of time on it between March and now, just going through, having no success, no success, no success. And then…we just started to piece it together.”
He explained the appeal of Oranchak’s approach as “algorithmic,” in the interview.
“There’s been a lot of solutions in the past that have required artistic creativity and a lot of bending and massaging of the cipher in order to get it to make a few legible words… then something like a sentence, and often then the name of somebody who could be associated with the case,” Blake said. “What we did was a very different approach to that. We looked at different possible ways you could read the cipher—what other reading directions could they have taken in terms of trying to write it out—and we then ran them through supercomputers and looked for a solution in that direction.”
According to Oranchak and team, the message reads:
“I HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH”
The group has been officially recognized by the FBI for breaking the cipher.
“The FBI is aware that a cipher attributed to the Zodiac Killer was recently solved by private citizens,” Cameron Polan, spokeswoman for the FBI’s San Francisco office told The Chronicle. “The Zodiac Killer case remains an ongoing investigation for the FBI San Francisco division and our local law-enforcement partners.”
The statement concluded, that “out of respect for the victims and their families, we will not be providing further comment at this time.”
The key, according to Blake was looking at other directions the cipher could be read, and processing those with the 650,000 possibilities through a supercomputer at the University of Melbourne, he added.
The scheme, Blake added, can be found in a 1950s Army cryptography field manual, but Zodiac wrote the code so that it needed to be read diagonally. But what made it nearly impossible to crack was actually an error that he made.
“So he had a pattern in the way in which he was writing out where he would go one row down, two columns across, write a letter; then go one row down, two columns across and write a letter, and so on,” Blake told Vice. “And in that second segment, at some stage—it looks like an accident—instead of going one row down, two columns across he’s just gone one down, one across. And that broke the symmetry.”
Two of Zodiac’s ciphers remain unsolved.
Besides the historical break in a 50-year-old murder case, the back-to-basics cryptographic feat serves as a reminder about the importance of tried-and-true fundamentals when it comes to cybersecurity, according to Fortinet CISO Phil Quade.
“The backbone of the science of cybersecurity is built from cryptography, access control and segmentation,” Quade said in his 2019 book, The Digital Big Bang. “As a science, practice and discipline, cybersecurity has only a few silver bullets. For now, cryptography is the rare exception, a simple powerful way to provide substantial protection against the torrential downpour of cyberattacks. But while cryptography remains one of cybersecurity’s most powerful tools today, we must always prepare for the risks we will face tomorrow.”
Every time there’s a new “cipher” (i.e., crytographic algorithm in today’s vernacular), others will try to break it. And vice versa. Earlier in December, researchers claimed a breakthrough in the arms race that cryptography has become.
Researchers from the University of Science and Technology of China explained in the journal Science claimed quantum supremacy: they were able to get a system they named Jiuzhang to perform a calculation in minutes that would have taken a traditional supercomputer an estimated 10,000 years to solve.
The security concern is that quantum computers will be able to crack RSA public key cryptography, used to protect data in transit. That means security teams will have to pivot to new post-quantum cryptography solutions. A conservative estimate from a 2019 DigiCert report said teams will need to have protections from quantum computing breaches in place by 2022.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!