<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Stephan+Leeds</id>
		<title>explain xkcd - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Stephan+Leeds"/>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php/Special:Contributions/Stephan_Leeds"/>
		<updated>2026-04-21T07:29:07Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.30.0</generator>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1323:_Protocol&amp;diff=399909</id>
		<title>1323: Protocol</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1323:_Protocol&amp;diff=399909"/>
				<updated>2025-12-05T08:16:25Z</updated>
		
		<summary type="html">&lt;p&gt;Stephan Leeds: /* Explanation */ uninformative restrictive clause to informative nonrestrictive&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1323&lt;br /&gt;
| date      = January 29, 2014&lt;br /&gt;
| title     = Protocol&lt;br /&gt;
| image     = protocol.png&lt;br /&gt;
| titletext = Changing the names would be easier, but if you're not comfortable lying, try only making friends with people named Alice, Bob, Carol, etc.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{w|Alice_and_Bob|Alice, Bob, and Eve}} are role names traditionally used in describing cryptographic protocols. Rather than talking about &amp;quot;Person A&amp;quot;, &amp;quot;Person B&amp;quot;, &amp;quot;Person C&amp;quot;, names beginning with each letter are used instead, and giving them different genders lets pronouns be used to shorten discussions. For example: &amp;quot;Person A sends Person B a message encoded with Person B's public key&amp;quot; is much easier to parse when written as &amp;quot;Alice sends Bob a message encoded with his public key.&amp;quot; Eve is short for &amp;quot;eavesdropper&amp;quot; - a person trying to find out what's being said in the conversations between the other people. The classic situation involves Alice wanting to send a secret message to Bob, while Eve (the eavesdropper) attempts to read the message, ideally without Alice or Bob ever finding out. Additional participants such as Carol (Person C) can be added if necessary. The list of names has become very standardized over time as described at {{w|Alice and Bob}}.&lt;br /&gt;
&lt;br /&gt;
The joke here is that any computer scientist, hearing the names used, will think that they are listening to a cryptography problem. By changing the names in a story to these role names, you can induce them to listen carefully to boring stories. The fewer the interesting details, the more it sounds like a general problem, so very boring stories are actually the easiest.&lt;br /&gt;
&lt;br /&gt;
The title text shows a more radical approach to the problem, for people &amp;quot;who do not feel comfortable about lying&amp;quot;. In this approach, you only make friends with people who have the appropriate names already, which means that technically you tell the story like it is. But this approach means investing a lot more effort into curating such a situation, possibly even to ensure that the Eve that you befriend is an actual habitual eavesdropper.&lt;br /&gt;
&lt;br /&gt;
The comic title also can be interpreted in two ways. First, the computer scientist thinks the conversation is about an encryption protocol. Second, the way the conversation is carried resembles a protocol used by many data communication systems, where one side sends data while the other sends back an {{w|Acknowledgement (data networks)|acknowledgement}} upon receiving the data. In this case, the data are the lines of the boring story.&lt;br /&gt;
&lt;br /&gt;
In comic [[177: Alice and Bob]] these names are used in the same context. Instead of Alice and Bob being perfectly innocent people who just want to communicate in private, Bob is actually having an affair with Alice. Eve —his former partner— cracked the encryption to see what the message contained. Thus, this comic seems to continue the Alice/Bob romance, jealous-Eve plot, with Eve apparently confronting Alice over her text message to Bob. The names are also mentioned in [[2691: Encryption]].&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Cueball is telling a story to a Computer Scientist who is seated at his desk.]&lt;br /&gt;
:Cueball: Alice sends a message to Bob saying to meet her somewhere.&lt;br /&gt;
:Computer Scientist: Uh huh.&lt;br /&gt;
:Cueball: But Eve sees it, too, and goes to the place.&lt;br /&gt;
:Computer Scientist: With you so far.&lt;br /&gt;
:Cueball: Bob is delayed, and Alice and Eve meet.&lt;br /&gt;
:Computer Scientist: Yeah?&lt;br /&gt;
:CAPTION: I've discovered a way to get computer scientists to listen to any boring story.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Cueball]]&lt;br /&gt;
[[Category:Computers]]&lt;br /&gt;
[[Category:Cryptography]]&lt;br /&gt;
[[Category:Multiple Cueballs]]&lt;/div&gt;</summary>
		<author><name>Stephan Leeds</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1323:_Protocol&amp;diff=399908</id>
		<title>1323: Protocol</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1323:_Protocol&amp;diff=399908"/>
				<updated>2025-12-05T08:13:15Z</updated>
		
		<summary type="html">&lt;p&gt;Stephan Leeds: /* Explanation */ grammatical number or tense&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1323&lt;br /&gt;
| date      = January 29, 2014&lt;br /&gt;
| title     = Protocol&lt;br /&gt;
| image     = protocol.png&lt;br /&gt;
| titletext = Changing the names would be easier, but if you're not comfortable lying, try only making friends with people named Alice, Bob, Carol, etc.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{w|Alice_and_Bob|Alice, Bob, and Eve}} are role names traditionally used in describing cryptographic protocols. Rather than talking about &amp;quot;Person A&amp;quot;, &amp;quot;Person B&amp;quot;, &amp;quot;Person C&amp;quot;, names beginning with each letter are used instead, and giving them different genders lets pronouns be used to shorten discussions. For example: &amp;quot;Person A sends Person B a message encoded with Person B's public key&amp;quot; is much easier to parse when written as &amp;quot;Alice sends Bob a message encoded with his public key.&amp;quot; Eve is short for &amp;quot;eavesdropper&amp;quot; - a person trying to find out what's being said in the conversations between the other people. The classic situation involves Alice wanting to send a secret message to Bob, while Eve (the eavesdropper) attempts to read the message, ideally without Alice or Bob ever finding out. Additional participants such as Carol (Person C) can be added if necessary. The list of names has become very standardized over time as described at {{w|Alice and Bob}}.&lt;br /&gt;
&lt;br /&gt;
The joke here is that any computer scientist, hearing the names used, will think that they are listening to a cryptography problem. By changing the names in a story to these role names, you can induce them to listen carefully to boring stories. The fewer the interesting details, the more it sounds like a general problem, so very boring stories are actually the easiest.&lt;br /&gt;
&lt;br /&gt;
The title text shows a more radical approach to the problem, for people &amp;quot;who do not feel comfortable about lying&amp;quot;. In this approach, you only make friends with people who have the appropriate names already, which means that technically you tell the story like it is. But this approach means investing a lot more effort into curating such a situation, possibly even to ensure that the Eve that you befriend is an actual habitual eavesdropper.&lt;br /&gt;
&lt;br /&gt;
The comic title also can be interpreted in two ways. First, the computer scientist thinks the conversation is about an encryption protocol. Second, the way the conversation is carried resembles a protocol used by many data communication systems, where one side sends data while the other sends back an {{w|Acknowledgement (data networks)|acknowledgement}} upon receiving the data. In this case, the data are the lines of the boring story.&lt;br /&gt;
&lt;br /&gt;
In comic [[177: Alice and Bob]] these names are used in the same context. Instead of Alice and Bob being perfectly innocent people who just want to communicate in private, Bob is actually having an affair with Alice. Eve —his former partner— cracked the encryption to see what the message contained. Thus, this comic seems to continue the Alice/Bob romance, jealous-Eve plot, with Eve apparently confronting Alice over her text message to Bob. The names are also mentioned in [[2691: Encryption]].&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Cueball is telling a story to a Computer Scientist who is seated at his desk.]&lt;br /&gt;
:Cueball: Alice sends a message to Bob saying to meet her somewhere.&lt;br /&gt;
:Computer Scientist: Uh huh.&lt;br /&gt;
:Cueball: But Eve sees it, too, and goes to the place.&lt;br /&gt;
:Computer Scientist: With you so far.&lt;br /&gt;
:Cueball: Bob is delayed, and Alice and Eve meet.&lt;br /&gt;
:Computer Scientist: Yeah?&lt;br /&gt;
:CAPTION: I've discovered a way to get computer scientists to listen to any boring story.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Cueball]]&lt;br /&gt;
[[Category:Computers]]&lt;br /&gt;
[[Category:Cryptography]]&lt;br /&gt;
[[Category:Multiple Cueballs]]&lt;/div&gt;</summary>
		<author><name>Stephan Leeds</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom&amp;diff=83737</id>
		<title>327: Exploits of a Mom</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom&amp;diff=83737"/>
				<updated>2015-01-29T18:49:09Z</updated>
		
		<summary type="html">&lt;p&gt;Stephan Leeds: /* Explanation */ use–mention distinction; floating hyphen instead of em dash&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 327&lt;br /&gt;
| date      = October 10, 2007&lt;br /&gt;
| title     = Exploits of a Mom&lt;br /&gt;
| image     = exploits_of_a_mom.png&lt;br /&gt;
| titletext = Her daughter is named Help I'm trapped in a driver's license factory.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
[[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son &amp;lt;code&amp;gt;Robert'); DROP TABLE Students;--&amp;lt;/code&amp;gt;, a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that he uses the nickname &amp;quot;Little Bobby Tables&amp;quot;. As the full name is read into the school's system's databases without {{w|Data sanitization#SQL injection|data sanitization}}, it causes the student table in the database to be deleted.&lt;br /&gt;
&lt;br /&gt;
The title of this comic is a pun—''exploit'' can mean an accomplishment or heroic deed, but in computer science the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary.&lt;br /&gt;
&lt;br /&gt;
In {{w|SQL}}, a database programming language, commands are separated by semicolons &amp;lt;code&amp;gt;;&amp;lt;/code&amp;gt; and strings of text are often delimited using single quotes &amp;lt;code&amp;gt;'&amp;lt;/code&amp;gt;. Parts of commands may also be enclosed in parentheses &amp;lt;code&amp;gt;(&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;)&amp;lt;/code&amp;gt;. Data entries are stored as &amp;quot;rows&amp;quot; within named &amp;quot;tables&amp;quot; of similar items (e.g. &amp;lt;code&amp;gt;Students&amp;lt;/code&amp;gt;). The command to delete an entire table (and every row of data in that table) is &amp;lt;code&amp;gt;DROP&amp;lt;/code&amp;gt;, as in &amp;lt;code&amp;gt;DROP TABLE Students;&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The exploited vulnerability here is that the single quote in the name input was not correctly &amp;quot;escaped&amp;quot; by the software. That is, if a student's name did indeed contain a quote mark, it should have been parsed as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.&lt;br /&gt;
&lt;br /&gt;
For example, if the site was running PHP, the code might store the student's name in a variable called &amp;lt;code&amp;gt;$name&amp;lt;/code&amp;gt;, and generate an SQL statement to search the database and check that the name is valid, like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;$sql = &amp;quot;SELECT * FROM Students WHERE (first_name=&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;'''$name'''&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;);&amp;quot;;&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For a student named &amp;quot;Annie&amp;quot;, this would give the following SQL command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;SELECT * FROM Students WHERE (first_name=&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;'''Annie'''&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;);&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which is a valid command where the 5-character string &amp;quot;Annie&amp;quot; has been substituted for &amp;quot;$name&amp;quot; in the PHP code above. However, with Mrs. Roberts' exploit, the SQL command becomes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;SELECT * FROM Students WHERE (first_name=&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;'''Robert'); DROP TABLE Students;--'''&amp;lt;nowiki&amp;gt;'&amp;lt;/nowiki&amp;gt;);&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
As semicolons separate statements, this will be read by the interpreter as three commands:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;SELECT * FROM Students WHERE (first_name='Robert');&amp;lt;/code&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;code&amp;gt;DROP TABLE Students;&amp;lt;/code&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;code&amp;gt;--');&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The first line runs as normal, caused by the '''&amp;lt;code&amp;gt;');&amp;lt;/code&amp;gt;''' punctuation in part of Little Bobby Tables' name properly closing the current command. The second injected command then does the damage, deleting the student records from the school's database. The third line begins with two hyphens &amp;lt;code&amp;gt;--&amp;lt;/code&amp;gt; which are used to mark a comment in SQL, meaning that the interpreter ignores it as well as the partial fragment of code originally after &amp;lt;code&amp;gt;$name&amp;lt;/code&amp;gt; in the PHP statement.&lt;br /&gt;
&lt;br /&gt;
For this to work, it helps to know a little about the structure of the database.  But it's quite a good guess that a school's student management database might have a table called &amp;lt;code&amp;gt;Students&amp;lt;/code&amp;gt;. Mrs. Roberts' exploit also assumes that the person who wrote the code used exactly one set of parentheses around &amp;lt;code&amp;gt;(first_name='$name')&amp;lt;/code&amp;gt; in the PHP example, so that the single close parenthesis in the name could match it, which apparently was a successful guess. Of course, in real life most exploits of this kind would be performed not by engineering a person's name such that it would eventually be entered into a database query, but rather by accessing some kind of input system yourself (easy with websites that use any kind of search interface, for example) and guessing various combinations by trial and error until something works, perhaps by first trying to inject the &amp;lt;code&amp;gt;SHOW TABLES&amp;lt;/code&amp;gt; command to see how the database is structured.&lt;br /&gt;
&lt;br /&gt;
This xkcd comic has become rather famous, spawning at least one site about preventing SQL injection named http://bobby-tables.com.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Mrs. Roberts receives a call from her son's school.]&lt;br /&gt;
:Caller: Hi, This is your son's school. We're having some computer trouble.&lt;br /&gt;
&lt;br /&gt;
:Mrs. Roberts: Oh, dear - did he break something?&lt;br /&gt;
:Caller: In a way -&lt;br /&gt;
&lt;br /&gt;
:Caller: Did you really name your son &amp;lt;code&amp;gt;Robert'); DROP TABLE Students;--&amp;lt;/code&amp;gt; ?&lt;br /&gt;
:Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.&lt;br /&gt;
&lt;br /&gt;
:Caller: Well, we've lost this year's student records. I hope you're happy.&lt;br /&gt;
:Mrs. Roberts: And I hope you've learned to sanitize your database inputs.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Mrs. Roberts]]&lt;br /&gt;
[[Category:Comics featuring Little Bobby Tables]]&lt;br /&gt;
[[Category:Comics featuring Elaine Roberts]]&lt;/div&gt;</summary>
		<author><name>Stephan Leeds</name></author>	</entry>

	</feed>