IBM using Napoleon Dynamite quote to encrypt data
"Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!".
This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year's Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory nod to curious hackers, many of whom surely rank amongst the fans of this quirky 2004 movie?
Background
For the last year or so, I've been creating a scoreboard widget for Mac OS X each time one of the four grand slam tournaments (Australian, French, & US Opens and Wimbledon) rolls around. The widget, built on AJAX, would connect to the official tournament web server and pull down a bunch of publicly accessible XML files containing the next day's schedule of play and results for all completed games. While this XML data isn't advertised by IBM, it's easily discoverable, and as each user of the widget would download the data, I didn't feel I was overstepping any legal boundaries by republishing this information. The task was made a lot simpler by the fact IBM are the single technology partner for all the four tennis majors, so each site has an identical back-end.
Wimbledon 2006
As I was in the process of putting together a widget for this year's Wimbledon tournament, I was dismayed to find IBM had revised their back-end and as a result the XML files I had been using for the past 12 months were no longer available. Close to giving the lucrative field of free widget development away, I decided to take one last look at IBM's new Flash-based results viewer to see if these files had simply been relocated to another directory.
What I found instead was reference to a single XML file, the contents of which looked like this:
<j>
<h>1151675689|M|15|300</h>
<m>
.|A(0{?y01/3z4xy0|?|B|L-Kfpkxey^tom5638BHQ{y9|G.Ak`he&5'|_pl_464:UO>{z7{G@C?D=yDACAFA{/z-z./2 </m>
...
</j>
Now, I'm no cryptography expert, but this was obviously encrypted data. And from the look of it, barely encrypted. Digging a little deeper through the Flash applet I found the intriguing quote above (spoken by Napoleon's grandma, in response to his complaints about running out of steak), along with the simple encryption and decryption methods written in Flash's scripting language, ActionScript. In more recent versions of Flash, ActionScript is virtually interchangeable with JavaScript -- so it was only a couple of minutes' work before the obfuscated XML strings were rendering into pure, refreshing, clean ASCII data:
1151676399|M|15|300|0|A,3|A|1104|5||1|A|B|M.Mirnyi|atpm595:BLR||:|J.Blake(8)|atpb676:USA||:|GADAEACA|EAGAGAAA|1|1|110
As an added bonus, after running this data through a parser available in one of the JavaScript files on wimbledon.org, it was apparent this data was much more current than the feeds available at previous events. In fact, this data is only delayed by a minute or two and updated every 60 seconds. The current Wimbledon 2006 widget, using this font of live data, can be downloaded here. Is IBM going to be pissed once they realise the liger is out of the bag? I don't think so. No one could really take this token level of obfuscation seriously. And if you're the developer behind this, I hope you don't get fired! But if worst comes to worst, you've always got your bow-hunting skills to fall back on. I hear the wolverines are abundant in Alaska this time of year...
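Why a key shipped inside the client amounts to obfuscation rather than encryption, as an added example that is not code from this post or from IBM's applet. The `shift()` cipher, the `BUNDLE` string and the `findEmbeddedKeys()` review check are hypothetical stand-ins; only the key phrase and the sample record come from the post.

```javascript
// Added illustration. shift() is a hypothetical stand-in cipher: the post does not
// reproduce the ActionScript routine, only the key and sample strings.
const LO = 0x20, SPAN = 95; // printable ASCII range 0x20..0x7E

// Repeating-key shift over printable ASCII; dir = +1 obfuscates, -1 reverses.
function shift(text, key, dir) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (c < LO || c >= LO + SPAN) { out += text[i]; continue; } // pass non-printables through
    const k = key.charCodeAt(i % key.length) % SPAN;
    out += String.fromCharCode(LO + (((c - LO + dir * k) % SPAN) + SPAN) % SPAN);
  }
  return out;
}

// Key as quoted in the post; the bundle around it is constructed for this example.
const KEY = "Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!";
const BUNDLE = `var cipherKey = "${KEY}";
function decode(s) { return shift(s, cipherKey, -1); }`;

// Release-review check: list string literals assigned to key-like names in
// source that ships to the client. Anything it finds is readable by every user.
function findEmbeddedKeys(source) {
  const re = /\b(\w*(?:key|secret|cipher)\w*)\s*[:=]\s*(["'])((?:(?!\2).)+)\2/gi;
  return [...source.matchAll(re)].map((m) => ({ name: m[1], value: m[3] }));
}

// Start of the decoded record shown in the post, used as sample plaintext.
const SAMPLE = "1151676399|M|15|300|0|A,3|A|1104|5";

function demo() {
  const wire = shift(SAMPLE, KEY, +1);       // what the server would publish
  const [found] = findEmbeddedKeys(BUNDLE);  // what the shipped client reveals
  return { wire, found, recovered: shift(wire, found.value, -1) };
}

console.log(demo());
```

If a feed really needs restricting, the decision has to be enforced on the server (for example with authenticated requests), because every secret and routine delivered to the client is available to whoever runs it.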