There have been quite a few generous people giving away their extra Steam keys lately, but they plainly paste them into the forum without knowing that bots will take them. I didn’t know this either when I first got here.
I’ve seen keys obscured in many different ways. For example:
QWERT-098?6-123AB 3+4=?
ABCDE-12345-?XYWV where ?=the last letter of the alphabet
MNB87-K走456-HG12昭 走=9 and 昭=C
So… let’s show these kind people all the different ways to be as sure as we can be that humans get them. What’s your style?
In case anyone is unfamiliar with the Caesar Cipher, basically it’s one of the first forms of encryption.
Back in the day, our boy Caesar had to send nudes strategical texts to his friends and couldn’t risk getting his secrets revealed, so what he did is he got the original message, for example
ATTACK AT DAWN
And shift the letters. So for example, if his friend and he agreed to do a +3 shift, you would have our alphabet…
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
…shifted by 3 words…
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
So A becomes D, B becomes E and so on and so on. So ATTACK AT DAWN becomes…
DWWDFN DW GDZQ
It could be good for Steam keys because it can just be dropped into a translator if you know what the shift is (and that’s easy to inform) and it doesn’t involve a partial substitution of the key. Instead, it’s a shifting pattern applied to the key’s entirety, keeping both the same amount of letters and numbers.
DISCLAIMER: the Caesar Cipher is VERY weak by modern standards! So only ever use it if you WANT people to crack it, kay?
Yeah, and don’t include the name of the game, so after all that work to solve it, the person gets a copy of DISTRAINT or some other game that was given for free multiple times and they already have it.
The script shown in this thread took very little time and effort to write, and it would be easy to keep updating it every time I came across a new method someone used to obscure a key, assuming it can be handled programmatically, and many many things can be.
Your last example is especially weak, computers don’t care about what language you are using, the basic script I wrote already almost cracks that one, but I only wrote it to handle one substitution, it would be a simple matter to extend it for more.
The Caesar cypher that @coralinecastell posted is also extremely easy for a script to solve if you post the shift in the post, the script would just grep the post for key phrases such as “+n” or “shift by n” again with the author updating it every time the script fails to work.
In fact, don’t bother me for a few hours, I’ll be… uh… nothing to see here… don’t worry about it
As @kovec says, if you don’t want a bot to get it, the answer is not to post it at all.
While it’s obviously silly easy for a script to decipher, the trick to the Caesar cypher is to not supply the key along with the message. Especially with something like a steam key that makes no sense guessing the shifts is impossible. So as long as you find an indirect way of relaying the shift info a bot would have a rather hard time with it.
Like say shift forward the number of letters in my first word. Sure if you tailored the bot to look for that particular info in this specific post then it would obviously be able to do it, but a human ninja would grab it before you altered the bot to do it.
Yes indeed, that’s why I was explicit about it being in the post.
I suppose the point I’m trying to make is that time and time again I see people go to what appears to be convoluted lengths to obfuscate a key, then often put it in a format that is extremely easy for a regex text parser to pull out.
The first time, yes, but if one subsequently used the same pattern, which let’s face it, many people would, because we are lazy, the key words “first” “shift” “word” or some such would be a very useful addition to the script
Edit: Ugh, trying to edit a post on mobile with quotes was just horrible.
This. Sorry if I didn’t make this more obvious in my post.
There are up to 26 shifts in Caesar, which is why it’s such a WEAK encryption method. Of course, a bot could try them one by one – would be pretty fast & simple – but one would hope a human would grab the key before then.
Although, 2 things:
A PM still feels like the most “secure” method after all and
I’m not sure how dedicated bots are towards farming keys from a small gaming forum. I was working on the assumption they aren’t that eager.
We could also, of course, use other, stronger, encryption methods (eg one-time pad), but at this point sending a PM just beats the hassle for everyone and proves to be the superior choice.
I’ve never looked at if there were APIs for steam key activation and if so, what the limit and cooldown was, now I was curious, so it seems after a quick search that there are quite a few APIs that people have written to do this and general testing shows a ~ 40 - 50 key activation limit per hour, there was no information on a required delay between attempts, although some sources reported that failed activations reduced the limit.
So assuming no delay between attempts, and the attempt takes say, 0.5 sec, even perhaps 1 second if we are dealing with blocking web-calls, (I’ve not bothered to look too closely at the source) it would take a script somewhere between 13 and 26 seconds to try all 26 Caesar shifts, and on average you would expect it to find the right result much sooner than that.
I think most people would struggle to read that it’s a Caesar cypher, look up how to solve it and enter it within that time.
BRB - just adding the search terms: “Caesar”, “Emperor”, “Roman”, “Rome”, “Hadrian” and “Augustus” to the script. I’m gonna be rich!
NB - None of this is thoroughly researched, or even half-heartedly so, I’m just arsing around - in case it’s at all unclear. I won’t actually be working on a steam key stealer and I’m certainly not going to be rich!
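Added example (not part of any post in this thread, and not the script the posters mention): the +3 shift from the Caesar explanation applied to a key, and the 26-candidate space discussed in the later replies. Assumptions: digits are shifted modulo 10, keys are three groups of five characters as in the thread's samples, the sample key is constructed, and all function names are illustrative.

```python
import re
import string

# Key shape assumed from the thread's samples: three dash-separated groups of five.
KEY_SHAPE = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){2}")
SAMPLE_KEY = "ABCDE-12345-VWXYZ"  # constructed, not a real key


def caesar(text, shift):
    """Shift A-Z modulo 26 and, as an assumption, digits modulo 10."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.digits:
            out.append(chr((ord(ch) - 48 + shift) % 10 + 48))
        else:
            out.append(ch)  # dashes and spaces pass through unchanged
    return "".join(out)


def candidates(ciphertext):
    """Every plaintext a Caesar ciphertext can decode to, keyed by shift."""
    return {s: caesar(ciphertext, -s) for s in range(26)}


def shifts_with_known_word(cands, words=("ATTACK", "DAWN")):
    """Shifts whose plaintext contains a known word: an offline check."""
    return [s for s, p in cands.items() if any(w in p for w in words)]


def key_shaped_shifts(cands):
    """Shifts whose plaintext still has the shape of a key."""
    return [s for s, p in cands.items() if KEY_SHAPE.fullmatch(p)]


if __name__ == "__main__":
    hidden = caesar(SAMPLE_KEY, 3)
    print(hidden)
    # English has redundancy, so the right shift identifies itself offline.
    print(shifts_with_known_word(candidates("DWWDFN DW GDZQ")))
    # A key has none: every shift looks plausible, but there are only 26.
    print(len(key_shaped_shifts(candidates(hidden))))
```

Withholding the shift removes the offline check, since all 26 decodings look like valid keys, but it never enlarges the space beyond 26 candidates.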