Someone SOLVED The Minecraft Code No One Has Solved
- Published 23 Sep 2024
- WATCH THE SERIES HERE: • The tominecon.7z Saga
How to choose a secure password: www.microsoft....
Link to the RGN Discord: / discord
Music by RetroGamingNow
"Unknown Enigma" - • "Unknown Enigma" - Mus...
"The Depths" - • "The Depths" - Music b...
"A Secret Mission (Outro Theme)" - • "A Secret Mission (Out...
#minecraft #mystery #secret #mojang #tominecon
Finally...the end to the saga. What do you think?
Well, it was a fun (if not obvious) conclusion, but it’s about the journey not the destination I spose
Cool ending
i like the story and end, but it felt slow to me
This one was also a decoy and the real tominecon.7z is hidden somewhere else with a different name
I think, I knew someone was gonna find the password, even if brute-forcing might seem infeasible.
They found pack.png, I knew someone will find this password.
*Love the rollercoaster that this story was:*
1. We don't know the password but we know the decoy's
2. We will never crack the password because it's so secure and nobody probably remembers it anymore, stop wasting resources and go touch some grass
3. Dinnerbone knows the password and it's confirmed to be MC 1.0, but we should not feel entitled to know the password
4. Lol guess what we got the password and it wasn't secure at all, took like 2 seconds to crack ez
it took 2 seconds **with the help of a leak that happened sometime in the past
i knew for a fact all along it would be cracked because mojang admitted it was used for other accounts and that confirms beyond a reasonable doubt that there is a similar or identical password somewhere in a password leak database
it sure is lmao
He never said the password wouldn't get cracked, he only said that brute forcing it was very unlikely and time consuming
The password was found out by trying leaked Minecraft passwords
It took 2 seconds to crack, but it took a decade and a half for the password leak to make it that easy.
get ready next week for: "The dark truth behind the meaning of boxpig41"
😂 and the video is 50 minutes long documentary
Fr
It would be funny
And I’d watched it 😂
It would be so predictable but awesome.
you NOT having a password manager sponsor at the end of the video to immediately have one of the best ad transitions of all time will keep you up at night my man.
Seriously, I was totally looking for a Bitwarden promo.
It would have been a perfect opportunity haha
It feels like a fun way to teach kids about internet security
Then viewers will conclude that a password like this is actually secure because it took 13 years to crack!
no password manager protects you from data leaks
(except that it makes it more convenient to change all your passwords regularly)
I imagine "boxpig41" is related to how notch made the creeper
wait you got a point there
I was going to say sounds like an internal reference to the creeper..
or maybe it has to do the fact that the pig is in the shape of a box...
Box, Check
Pig, Check
41cm Tall, Uh-oh
3:00
Hackers in movies: The fool! He wrote down all his passwords in a book marked “Passwords”! Now all of his accounts are mine!
Hackers in real life: “Hey, the Smash Mouth forum’s passwords got leaked.”
“Cool, let’s try them on online banking.”
"Hm, I have to change my password on this website again because company policies.. oh let me just change the last number from boxpig41 to boxpig42."
Yeah, thats true
XKCD reference? :D
yes!
Lol this is why I generate passwords based on physical objects I happen to have around me when I need a password, so unless they happen to know I brought home a party hat 7 years ago when I made my account, nobody will find my password (of course, not an actual example)
Can't believe that the RGN community destroyed the password after 13 years. That's unexpected.
common Retro W
common doge W
Nah the RGN community didn't crack it. It was a combined effort between people from RGN, tominecon.7z team, CTMC, mc@home, Omniarchive, MCBYT's server, Dinnerbone, and more, but ultimately it was Doge from MCBYT's server who discovered the leak and the password. Technically the password was never brute forced. Nonetheless, without Retro's video, this probably would have never happened.
No one from RGN destroyed any password. Just some guy from our server tried a password and it worked. Madlad for that.
The tominecon discord server got some people very very pissed about that btw 😂
Bro did you watch the video? Where did the "RGN community" come from?
Finally, after 13 years of fucking around we found out
Remind me in 5-6 years to add a promiscuous encrypted zip file on the website of the game I'm working on.
xD
RGN: This mystery will probably never be solved, and maybe that's for the best...
Doge: **Cracks Knuckles** solved it
RGN: .....oh
Yes. 😂
boxpig41 huh? i hope no other mojang passwords use a similar naming convention because otherwise there'll be chaos
It's already leaked that is how the password was uncovered.
They said they changed the passwords long time ago. This one is no problem.
@fantastikboom1094 *7 hours from now a critical information was leaked from multiple Mojang user accounts, servers and personal employee devices leading to discovery of multiple inside problems the company has, now that it belongs to Microsoft, uncovering reason why **_yearly_** updates give one block and one mob per 3 months*
Apparently the most disastrous side effect was that this used to be Mojang's Wi-Fi password.
@D0Samp which is surprising because they didn’t use WPA enterprise (user and password required, not just a password)
This shit still is going on😭😭😭
Dang that's a good password
It never ends lmao
thats what im sayin HAHA
I thought it was another ARG 😂
nah that shit over
no fr i thought it ended last ep 😭
3:24 thanks for the shout out retro!!!!!
good job for getting shouted-out! what did you do?
@sans1331 I told him where the muffin man lives and gave him cheese believe it or not
@A.pplefrittermm cheese
@ZphyZphyer w cheese
Cool but ?
I am now thoroughly convinced RGN has the Minecraft lore more complete than Matpat's theories. Matpat may dominate FNAF, but this guy has Minecraft down pat.
fr dawg he would be like the perfect man for any mystery(excluding mat)
and its actual proof not theories too
This doesn't really have anything to do with his theories but true
@Halfendymion lol this guy usually covers it insanely well tho it's a bit out of context sorry
Give Matpat credit for making this guy step up. Being The Voice for lore on a specific community is boring. Lets one get complacent. Plus seeing people bounce off each other can be fun so long as it's not toxic.
boxpig is the perfect way to describe a minecraft pig
Or a creeper ;)
0:41 missed opportunity for putting the yellow text on this video’s thumbnail on the bottom right
i know it would have been such a cool little rainbow
i think he didn't do it cuz the bottom right corner of thumbnail is covered by time
It would be a microsoft logo, but I love the idea of 4 color rainbow @Deadbay
wait… 00:41!? just like the password, "boxpig41"?!
It's a double shame since minecraft's yellow splash text is in bottom right, and it's the final missing position based on the previous three thumbnails
i still think it's notch's manifesto
maybe notch’s manifesto was the friends we made along the way
Imagine if this is another decoy
The Microsoft Revolution and its consequences; By Notch Person
They paid Amazon to mask the update time so it didn’t seem like the file was updated
@ItsJoeyG not to be a killjoy but Notch's manifesto was the I N S A N E right wing ramblings on Twitter that made every normal and smart person stop liking him
not gonna lie, dinnerbone's reaction seems strongly exaggerated now in hindsight. like, bro, just say that you didnt consider being cautious about stuff like password security because mojang was a small studio at the time, and tell the guy who made the videos/kept the original file to take them down, and make a few comments about how important password security is
i agree. also like. what did he hope to accomplish by telling internet sleuths "don't try to crack mystery boxes"?? m8 read the room 😁
@zbsfm it's not about telling internet sleuths not to crack mystery boxes, he directly addressed his actual problem -- entitlement. he felt that a lot of codecrackers involved felt they were entitled to the 7z's contents, when the original version was legitimately never intended for them. his real sentiment was "not everything _is_ a mystery box. sometimes it's just a box that isn't yours."
box pig has a very good chance of directly correlating to the creeper, as its most iconic mob it probably made for a funny and easy to remember password for 2009.
The 41, although I can not be certain, I've also used that specific number for other things when I need a "random number". My thought process is that 42 is a very common number because of The Hitchhiker's Guide to the Galaxy, so i subtracted 1 to make it more unique. Notch has also made some references (i think there's even a splash text) relating to The Hitchhiker's Guide to the Galaxy making this more likely
That makes sense.
The ID for a block of gold in Minecraft is 41
@HoStallin Hmm, interesting.
I love how "We couldn't let the password to the file be found because it was also used on some critical stuff"
turned into "So we found the password from this critical stuff, that was leaked ages ago, and it was the password"
Instead of the password being found from cracking the 7z, and then used on the dangerous stuff, the reverse happened instead.
It's like if your friend asked to use your phone, and you refused because its password is also your bank pin, and he's like OH I already know that!
Task failed successfully XD
Collecting breaches?
Totally not suspicious at all 👀
wait until they start talking about rainbow tables
Eh, probably pretty standard if you do penetration testing and such.
You don't really collect the breaches, the information from them is all available online and you search and filter these online databases to check if your company or emails are compromised.
@BrainStormzFTC
Ah well, makes sense.
Wouldn't want my data to be found in a breach.
Better check your stuff via sites like haveibeenpwned.
@Nichrysalis
Yeah, if your passwords are in a breach, you're kinda screwed anyway.
On second thought, it's all Mojang's fault for reusing the password lmao.
This is what he told me on Reddit when I asked him:
Do you know which breach contained the password? Is it something you had laying around or did you find it on the Internet?
- Yes, it was in the bitly breach. I’ve been collecting such data for around 10 years now. But the crazy thing with bitly is that the hashes are missing the salts / function is unknown, so only a few people have ever been able to crack those hashes, and they are assumed to be those involved with the original breach and know the salts / function. Somewhere along those years I found cracked bitly hashes and I don’t remember where even. This is the reason why the hash wasn’t cracked sooner - I wasn’t the first to try breached passwords, my collection was just far better. (It is over 4 billion unique records)
2:50 Mate, this is BASIC security advice here. The fact that people don't know you shouldn't reuse passwords in the year of our Lord 2024 continues to baffle me to this day.
It is indeed basic, yet SO many people still don't follow it. Most people are just plain lazy and don't care to get a password manager or even write them down on a notepad, so they'll use and reuse the simplest passwords
Well, actually, it would have been 2011.
@SnoFitzroy yes, but the advice was aimed at viewers now, in 2024. And it still applies just as much
i mean the 2020 pandemic taught us most people never even wash their hands regularly, so i don't think basic common sense is that common
@nathanhollow0 Ong man. Humans tend to think they are better than they are.
i had no idea you wrote the music in the background, they were all so amazing to listen to!
The things to be learned from all of this:
1. Don't pick locks that are there with reason without permission. (Obvious.)
2. Be careful with information, sensitive or not. (Obvious.)
3. Dinnerbone is a swell dude, and I'm glad he could give some well worded insight onto the topic.
I agree. I have literally learned an important moral lesson from this saga.
Don't give your locks out to the public is more like it.
1:45 creeper reference
RGN: use different passwords!
Me, who uses roughly 8 variations of the same password: im five parallel universes ahead of you
Hey babe new RGN video just dropped
honestly it was a great journey to see so many people work on one project for such a long time. More of this energy to other parts of the world would make this place such a better place.
This whole mystery can be a good Ad for password managers and 2FA security awareness
Best example of rollercoaster trilogy
We don't talk about Roller Coaster Tycoon World...
I think the Devs also did it very well, they even gave a longer password for the decoy than the original file, so a lot of people going to start normally crack from the length of the decoy's password.
The don’t reuse passwords really had me thinking this was going to be the start of an ad read.
hadusinthefirsthalf.jpg
this just reminds me how the password for the GameCube disc drive firmware was just "password" then when hackers cracked it, Nintendo improved the security of it on the Wii by changing it to "PASSWORD" all caps. truly a security improvement.
2:54 don't tell me what to do, I'm not gonna reveal my passwords anyways
This mystery teased my brain for years. Huuuuuge thanks to your community for solving it!
"I'm not sure what this means" minecraft is a game where everything, including pigs, is made of boxes. I don't think there's any more meaning to that, just an allusion to how everything in minecraft is boxes, with a number tacked on the end to make it more secure.
I was half expecting “this video is sponsored by Dashlane” at the end.
Being able to check the candidates so quickly means that there is some way other than running it through the key algorithm half a million times. This is either bypassing the iterations with a direct computation, or using pre-built hashes or something like that. That would indicate a lack of "salt", which is there to prevent the use of pre-built tables.
Boxpig, prolly a reference to minecraft pigs, the creation of creepers, overworld pigmen and what later trickled down into nether pigmen/piglins
It was only 8 characters all along? Did anyone even try to brute force it? It seems like this could have been done in a reasonable amount of time even without the password breach.
Some of the early forum posts saying they had brute forced it may be true
You're still looking at about a 2-5 year timeline of constantly running a brute force program 24/7 before you find the password. That's just not feasible let alone practical. The other thing is that we didn't know that it was only 8 characters, so there's no reason to conduct brute force attacks assuming that it was.
@Johndoe-mv5ii I disagree, people are severely overestimating the capability of modern technology. People are not understanding that when you use AES-256 you aren't creating a hash instantly, you are creating that hash 500,000 times. When you know the password, this feels instant because computers are really good at computation. When you don't know the password though, it takes forever and it puts a load on the hardware to keep calculating. This encryption is intended as a deterrent because of its computational load, because cpu and gpus do have a finite life span. You will likely render your hardware unoperational before finding the password therefore bruteforcing it not only comes with the cost of time but also wear and tear on your cpu/gpu. Even when the user who found the password filtered it down to a few thousand possibilities, it still took 5 minutes. And assuming hashcatz was proceeding alphabetically we know that it wasn't even through all of those options. You're looking at years of 24/7 trying to brute force an 8 character password. It's just not reasonable to expect anyone to have done that.
7z has a key-stretching factor of 2^19. This is effectively adding another 8-9 random letters/numbers to the password, which means completely brute-forcing it becomes unrealistic.
However a wordlist attack should still have worked if someone actually committed to it, it would just take an unreasonable amount of time and resources
I brute forced 6 characters and gave up
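Added example (not part of any comment above, and not 7-Zip's own code): a sketch of the 2^19-round key stretching discussed in this thread, following the publicly documented 7z AES key derivation, to show how the per-guess cost compares across an 8-character search, a breach collection and a short filtered list. The function names, the empty default salt, the sample password string and the 5,000-entry list size are assumptions made for illustration.

```python
import hashlib
import math
import struct
import time


def sevenzip_style_kdf(password: str, salt: bytes = b"", cycles_power: int = 19) -> bytes:
    """Derive a 32-byte key with one running SHA-256 that is fed
    2**cycles_power rounds of: salt || UTF-16LE(password) || 64-bit LE counter."""
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + struct.pack("<Q", counter))
    return h.digest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def stretch_in_chars(cycles_power: int, alphabet_size: int) -> float:
    """Express the 2**cycles_power work factor as the number of extra
    random characters (from the given alphabet) with the same cost."""
    return cycles_power / math.log2(alphabet_size)


def search_seconds(candidates: int, seconds_per_guess: float) -> float:
    """Worst-case time to test every candidate at a fixed per-guess cost."""
    return candidates * seconds_per_guess


def measure_guess_cost(cycles_power: int = 19) -> float:
    """Time one full key derivation on this machine (pure Python, one core)."""
    start = time.perf_counter()
    sevenzip_style_kdf("constructed-sample", cycles_power=cycles_power)
    return time.perf_counter() - start


if __name__ == "__main__":
    cost = measure_guess_cost()            # seconds per guess, this interpreter only
    year = 365.25 * 24 * 3600

    full = keyspace(36, 8)                 # 8 chars of a-z plus 0-9
    breach = 4_000_000_000                 # "over 4 billion unique records" (from the thread)
    filtered = 5_000                       # constructed stand-in for "a few thousand"

    print(f"one derivation at 2^19 rounds: {cost:.2f} s")
    print(f"2^19 rounds ~ {stretch_in_chars(19, 36):.1f} extra [a-z0-9] characters")
    print(f"all 8-char [a-z0-9]: {search_seconds(full, cost) / year:,.0f} years")
    print(f"whole breach collection: {search_seconds(breach, cost) / year:,.1f} years")
    print(f"filtered list of {filtered}: {search_seconds(filtered, cost) / 60:,.1f} minutes")
```

The timings come from a single-threaded Python loop, so only the ratios between the three rows are meaningful; the stretching multiplies every row by the same factor, which is why it cannot compensate for a password that already sits in a short candidate list.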
whats the next tominecon vid gonna be?
It turns out that this tominecon.7z was also a decoy and we have to find the real one
@Sploobicious it wasn't a decoy there's literally proof of the file being the same as the original
@fightingtable I know lol I was just making up a reason that there would be another vid on it
@fightingtable actually dinnerbone created a time machine and was able to replace what we all thought was the original with a decoy, and its now impossible to find the true original because it never got uploaded to the minecraft website in this timeline, so there will probably be a follow up video soon
@fightingtable Unless that wasn't the original and it was created before even minecon was a thing back in 2009 and it's actually a typo and it was supposed to be minecoin and has Notch's digital wallet information and...
who's ready for the 5th video next week?!
there's nothing else to add, this is the conclusion
This story really allows us to think more about other "mysteries" like this. Great videos!
This was a shockingly fast-moving saga.
Dude it's been up for more than a decade
only 12 years no big deal
I knew this video was going to come out. After saying “this will take millions of millennia to crack” I knew it was gonna take like a week
The lesson of the day:
1.15*10^77 possible answers means nothing when you aren't smart/careful about your one answer.
"Let me upload this video, it surely won't become a 4 episode long series within a few weeks, right?"
-RGN two weeks ago
this could have all been one perfect ad for a password/VPN service
Next video title: "There's MORE to the secret Minecraft file no one cracked until now."
I've just noticed you are the producer of every music of this video... It fits so well in it that's incredible keep going!!
The problem is, remembering passwords for all websites is super difficult if not impossible. Password managers can also be leaked and there are multiple occasions where passwords get leaked from commercial password managers. Password-based authentication is never safe as long as humans keep making mistakes. Nowadays, I never trust any websites without any second authentication layers.
Was anyone else just WAITING for it to be an ad for a password manager? "It was just a crummy commercial?!"
I was hoping it would've been something embarrassing.
Mojang is now frantically checking all their other passwords
"Will it ever get solved?"
"Nah we will never solve it"
"Well, we have some info"
"Here is the password ez"
0:48 "hash cracking as a hobby" WHAT
damn, bro didnt even get a password manager sponsorship on the perfect video for a password manager sponsorship
It's crazy that every video in this series felt like it would be the last one
Oh god I could've totally done this, I feel so dumb for thinking someone already checked the big data breaches already. Gg anyways. That also explains why Dinnerbone said it was important at the time, as it was a corporate email.
Pretty sure the pig was one of the most well known mobs of Minecraft back then, Story Mode's icon is even a pig. So "boxpig41" is just a box (a compressed file) including the "pig game" and 41 is just for added protection. But idk, maybe someone will farm some more videos in the future trying to overanalyze it.
Woah another update... I think it's the end every video really happy to see this one more time
i think they made the right call by swapping the original file with a decoy. if people noticed it was suddenly missing, that would only make opening it a more tantalizing mystery to solve. the decoy did its job well, especially considering that the password wasn't secure in the first place
You, sir, are quite the mystery reporter and serial writer. 😁👍 You forced me to willingly watch through all 4 episodes of your investigation in a single sitting.
What did we learn from this? The same thing every single cybersecurity company has ever known since the beginning of time.
Why can I almost see Jeb faceslapping and going like: "I fucking told them..."? Because I'm pretty sure he's been asked about this file more times than he cared to count...
So they legit swapped it out to make it worth all this craziness. That's a very Mojang thing to do
It's exactly what the mojang devs said it was. Both that it was minecraft 1.0, and that it wasn't exciting. At least this served as a lesson to be more secure with passwords!
Yoo thanks for the series!! This series is very fascinating, and finding the password was surprising in a beautiful way. You led the trail for people to go and try guess the password and that is very cool!!
this would've been the perfect video for a password manager sponsor integration. I'm almost upset there wasn't one tbh lol
video 1: *This has contents too dangerous to show to the world.*
video 2: probably not
video 3: definitely not
video 4: databreach go brrrrr
Never underestimate the ability of the internet to waste massive amounts of time and resources solving a completely pointless problem, or creating one.
Love that we got to be a part of this mystery as it unfolded! Thanks for your dedication Retro!
Glad to have a update. Your videos are amazing Retro. Thank you
its insane how this story went to something only a handful of people remember, to being solved, in only a couple weeks because of the first video
Love how Dinnerbone didn’t want to release the 7z password because it was also a login for an email account, only for a hacker to use that compromised email account to crack the 7z password
You know what's easier than using a different password for every site? Dealing with the fallout when one of your accounts gets hacked.
really? but if one gets hacked, then they all get hacked. hackers share lists of their victims and passwords
The best way is to balance both options. Use the same passwords for most sites where the fallout is low, then use unique passwords for higher risk sites like your bank and email.
@agafaba I'm sorry that is just plain wrong. Any account that gets compromised is a win and can be used as a beach head for further attacks
@xTerminatorAndy so you think having people use a unique password for everything is realistic? What I said is a lot more realistic and it would be safer than what I replied to.
@agafaba of course it's realistic. Use a password manager
boxpig41? really? took that long to crack boxpig41? come on dude
The problem lies in the fact that no one really tried, AND it was unknown where to start.
@mrShift_0044 exactly, in hindsight it certainly seems obvious to start a modest brute force effort with a library of words related to the game. It's also very short so bruteforcing from all A to _that_ shouldn't have taken long. Like???? it seems so obvious now
It’s fun seeing this build now on the wiki’s version history.
box pig 41 is a reference to cube pigs
Thank you for not taking a password manager sponsor ship.
boxpig might be related to Creepers? Since they were born from a mis-modeled pig
dinner bone is mad af after his rant about not all secrets must be discovered looooool
So it WAS sensitive info at the time of that guy that said it was when he cracked it years ago, but not anymore, just as you theorized.
Some things may seem impossible at first, but sometimes all you need is to approach the problem in a different way. This is a good example that shows that you should never give up.
Box pig must indicate creeper I thought because I heard that Creeper is created during the failure of the pig design also creeper is so boxy... But I don't know what 41 means in this...
Crazy. They just said that password used to be critical to Mojang in some way...
This is literally eight lowerkey ASCII-chars with two numerals. It is scary just to
think that any big company with critical userdata would use that for anything.
Everybody just thought that the password was secure, a false lead, and in the
end this may actually have been bruteforceable easily as lower and num are the
first sets anyone begins with 💀
aww man it would've been fun to have this thumbnail's text be in the bottom right so it'd fit with the others with each having their text in different corners
This series easily deserved a subscription!
On your first iceberg video there is a comment from www.youtube.com/@shoulderoforion115
That says "Gamemode 4 was real, it's just very obscure and existed in a test branch of beta minecraft. Can't remember what version but it was around october 2010. The game mode was called "Frail" and you had a single heart that was replaced with a glass jar texture. It wouldn't have been gamemode 4 in 2010, but I'm pretty sure this is what the iceberg is referring to. I've never seen any videos about this mode but I definitely was given access to it on an early test branch they never added officially. I believe this mode was scrapped for the far more intriguing hardcore mode. Back in those test branch days you had to sign a NDA but I'm sure if someone searched hard enough they could find a video of the gamemode."
(I am the one who told him/her it was from an ARG)
Sincerely
W.C.Gordon
This is the definition of the journey being more fun than the destination. really enjoyed this trilogy.
let’s go I can finally play that version and see what was added on this version
miss the opportunity to advertise lastpass or dashlane
Well, that was anticlimactic. At least I can sleep now
Finally I went through all these videos! I mean I have to get back to work, but I just couldn't stop watching haha.
I mean I agree with Dinnerbone, you're not entitled to know the password and the fact that he gave you a screenshot of the files should've been enough. I agree that the internet knowing the password is a big opsec risk, I guess people on the IT field saw that one coming from the phrasing of Dinnerbone, but for someone to have read in-between lines and gone through the breached passwords is just hammering the point down.
And yet I couldn't stop myself from watching this last video 🤷
Hi retrogamimgnow! I've been a fan of your channel for about a year now and I've been hoping you'll do a lore cover of the trail ruins and sniffers? And I'm looking forward to your coverage of the trial chambers sometime as well!
This man is crazy if he thinks I'll use a different password for each of my 758,276 accounts 💀
Those saying "don't open something that isn't meant for you to open" are some of the most annoying people there are
Damn this ARG is interesting, but you can't convince me that it ends here
Even if the password wasn't in an existing data breach, it still wasn't particularly secure, and could've been bruteforced by any particularly determined person with a decent computer.