12 Days competition: Day 4 – This isn’t the iCloud hack you’re thinking of

On the fourth day of Christmas/My iPad got a shock/$100 to unlock.

Click to hear the melody and sing along…

2014 will be forever associated with iCloud because it was strongly alleged to be the stronghold from which 100 very well known young women had some photos stolen.

But iCloud break-ins also featured in another, more mysterious and much more interesting episode three months before September’s internet meltdown.

The iCloud warning shot came in the form of a series of strange messages that appeared on the screens of some unfortunate Australian iPhone owners one morning in May.

Device hacked by Oleg Pliss. For unlock device YOU NEED send voucher code...

We dug into the story and found that it was ransomware, but not as we knew it:

Apple ransomware strikes Australia – pay Oleg $100 or elseAnd for your chance to win an exclusive, limited edition, Naked Security T-shirt, work out the answer to Paul Ducklin’s brain teaser below…

This December we’re celebrating Christmas by giving away five of our much-coveted, limited edition Naked Security T-shirts every day for 12 days!

We’ve selected twelve of the most interesting stories from 2014 and we’ll be writing about one of them each day.

All you have to do to win a T-shirt is read the story and answer the question.

We’ll pick 5 lucky winners out of a hat (OK, /dev/urandom) each day and those who answer the most questions correctly over the 12 days will be entered into our grand prize draw for a goody bag of geeky gifts valued at up to $500!

We need to know your email address so that we can contact you if you’ve won. When we contact you, we’ll need your T-shirt size, a delivery address and a contact number so we can ship your prize. We won’t use any of your personal details for anything other than this competition.

Entries close at 23:59 Pacific Standard Time (UTC-8) each day. Sophos staff, those pro­fessionally connected to the company, and their families, are welcome to submit answers for fun, but can’t win. T-shirt styles may vary from those depicted. Sophos’s decision is final, and so on. Please read our official competition terms and conditions.

What was Day 3’s answer?

Day 3’s question was fairly straightforward:

In megabytes, what is the largest amount of data you can steal in a single dodgy Heartbleed request? (Round your answer *up* to the nearest megabyte.)

Now, the amount must be more than zero bytes, or there wouldn’t have been a Heartbleed story in the first place.

So the final answer simply can’t be zero, because even if the leak were only one byte, we’d have to round up, and we’d get 1MB.

Of course, if the leak is anything up to or including 1MB, that’s exactly what the answer will be, because of the rounding up.

The maximum leak is strictly limited to 16 bits’ worth, because the heartbeat protocol uses a 16-bit field to store the size of the data that’s being requested.

A Heartbleed happens when the reply includes more data than it should, but it can never include more than 216-1 bytes, including the data that is supposed to be there.

So you definitely can’t have a leak more than 65535 bytes, which is the good old 64K limit all over again.

Therefore you round up to the next megabyte’s worth, and you get 1MB, final answer.

Easy, except that questions that are easy to get right are often just as easy to get wrong, especially if the correct answer “feels” wrong.

Indeed, one of our puzzlers was struck with self-doubt, giving the wishy-washy answer:

i guess 64k rounds up to 1mb...

I guess.

Another reader was even more torn by uncertainty (and stressed by over-analysing things), saying:

0. Zero. Tricky you are. I hope. Lol. Amount of 64k is almost 0. If it was 500k or more, I would have rounded up to 1. Or perhaps you wanted me to say 1. Aargh, where's my anxiety medicine?

The thing is, we weren’t being tricky.

One was the answer, plain and simple.