Digital archaeology

I hacked myself to dig up a piece of my past

Pedro Alvarez

I’m sitting at my desk in California, eating a Chipotle lunch while controlling a mega-server located several hundred miles away in Oregon. With a few lines of code, I’m telling the server to pour all of its processing power onto a single file. My goal is to bypass this file’s security by brute-force cracking its password, testing millions of possible combinations before I find the right one. Normally, this mission would be deep into black-hat territory. But I’m not in any danger of breaking laws or attracting the Feds, because the file I’m trying to hack belongs to a younger version of me.

Over the holidays, I was digging through piles of old stuff in my mom’s basement when I found an old hard drive labeled “FILES ‘04-05.” The handwriting was clearly mine, but I had no memory of the drive, or what was on it. When I powered it up and plugged it into my laptop, the drive revealed a password-protected ZIP file, roughly 3 gigabytes in size, and nothing else.

I don’t normally password-protect my folders, but I can vaguely remember the context for this one. In 2004 and 2005, I was living at boarding school, in an all-boys dorm that tended toward raucousness. Most students had computers in their rooms, and semi-frequently, my dormmates would play pranks on each other, like making an important folder of school papers invisible, or changing the desktop background to a picture of hardcore porn. Either I had decided an unprotected external hard drive was a sitting duck for mischief, or there was something really awful on this drive that I hadn’t wanted anyone to know about.

Either way, I wanted to see it. I lost most of my pre-2010 files to a series of hard drive failures, and I knew this decade-old artifact could give me a window back into that era of my life. 2004 and 2005 were good years for me, and they’re years I’d long regretted not doing a better job of preserving. I wanted to figure out who I was then, what kinds of digital trail I’d left, and what unexpected pieces of my past might drift up from the deep. Most of all, I wanted to see if anything on the hard drive would help me preserve the memory of my high school girlfriend, who was tragically killed several years after we broke up. If I had any photos of her, or digital mementos from our relationship, that ZIP file was the only place I was going to find them.

I tried the obvious passwords first, then the less obvious ones. No luck. I ran back through a catalog of passwords I’d used in the past, then attempted to put myself back into a high school frame of mind. What did I care about in 2005? Who were my friends? What was my pet’s name? I tried dozens of different possibilities, but nothing worked.

I spent several fruitless minutes searching online for easy ways to circumvent ZIP passwords. As it turns out, even though it’s a very old file format, the ZIP password protection scheme is pretty good. So if I wanted my files, I’d have to resort to the brute-force method—using a program that tests every possible combination of letters and numbers until it finds the right password. In other words, unlocking this time capsule would mean hacking myself.

Brute-force password cracking is effective, but it can be slow and resource-intensive. The first app I download, a cracker called “Zip Password Recovery,” asks me to narrow down the criteria for its search. But I have no idea how many characters I’m looking for, or whether the password contains number and letters or just letters. I’m pretty sure I wouldn’t have included any special characters, such as % or !, but numbers aren’t out of the question. So I set the program to look for anything up to ten alphanumeric characters, in either uppercase or lowercase, not including special characters.

That’s a tall order. Do the math, and you come up with 6210 (or more than eight hundred quadrillion) possible combinations. The world’s fastest supercomputer is capable of 33,860 trillion calculations per second, so it might have a chance of testing them all. But I don’t have the world’s fastest supercomputer. I have a MacBook Air, and when I start Zip Password Recovery, it looks like it’s testing about four passwords per second. The characters flit by slowly, combination by combination, one starting letter after the next. At this rate, I’ll be done a few million years from now.


After a few minutes of this, I realize I need bigger guns. I ask a few programmer friends, who recommend using an EC2 instance to boost my computing power. EC2, for the unfamiliar, stands for “Elastic Compute Cloud.” It’s one of the many, many services offered by Amazon Web Services, the gigantic cloud computing business within Amazon that powers a terrifyingly large percentage of the Internet. EC2 allows you to rent cheap computing time on a high-powered server (an “instance”), for as much or as little time as you need it. You can add to or subtract from your server space (that’s the “elastic” part), and since everything lives in Amazon’s data centers, you don’t need to buy any expensive hardware or deal with lengthy set-up processes. You just plug in a few details about what kind of processing power you’re looking for, and in a remote data center somewhere on your side of the country, your server springs to life.

I navigate to AWS’s site, create an account, and launch an instance. My server is called “c3.4xlarge.” It runs on a Linux-based operating system Ubuntu, and it has sixteen 2.5GHz virtual processors. (Which makes my MacBook Air’s single 1.4GHz processor look positively puny.)

After setting up my instance, I need to install a brute-force cracking program on it, then set it loose on my ZIP file. This is where it gets complicated. My rented server doesn’t have a graphical interface—to do anything on it, you have to use a command-line tool known as SSH, which stands for “secure shell.” The screen looks like this:

shot 2

At this point, I’m in over my head, but Daniel Bachhuber, Fusion’s director of engineering, guides me through the next few steps. He finds code for a ZIP cracking program on Github (it’s called RARCrack), and shows me how to upload it, compile the code, and upload my ZIP file. Within fifteen minutes or so, my server is humming away. Into the command line I type:

rarcrack --type zip


And off it goes.

Most big Internet companies these days limit the number of times you can attempt a new password before getting locked out. (One reason Apple’s iCloud service reportedly got hacked last year was that it didn’t have an attempt limit, and hackers were able to brute-force their way into Jennifer Lawrence’s photo albums.) Lucky for me, ZIP files have no such limit. My AWS server begins blazing through 1,500 password attempts per second, many times more than my laptop was capable of.


As the server churns, I head over to my AWS billing console, where the price I’m paying for all of this computing power is starting to add up. Rented servers are cheaper than ever these days—a couple of bucks a day, for a relatively small set-up—but if cracking this password does take weeks or months, I could be looking at a big bill. I start to worry. What if what’s inside the ZIP file is … nothing? What if I go through all this hassle, spend all this money, and dig up some old Adam Sandler movies I pirated from Limewire?

That’s the thing about digital memory—the sheer scale of it makes accurate recall impossible. I’m fairly certain I could name three-quarters of the items in my closet, but when it comes to my digital belongings, there’s just too much to keep track of. In the era of cloud-based e-mail and data storage, everything is supposed to be accessible and searchable forever. So there’s no need to take stock of what’s available, because we assume everything is.

After a full day of searching, my EC2 instance still hasn’t found the password. And, more worrisome, despite trying thousands of passwords per second, it’s only up to five-character combinations.

It seems strange to spend so much time and energy—literally, in the sense that my remote server is sucking up untold watts from a grid somewhere in Oregon—on exhuming a piece of my past. But I can’t quit now. There’s a Borges short story called The Library of Babel, about a room that contains books filled with all possible permutations of a series of 25 characters. Most of the books are nonsense, of course, but the librarians realize that, because the room contains every possible sequence, the room must also contain the greatest books in the world. That’s kind of how I feel as my rented server churns away. It’s all gibberish for now, but someday soon, I’ll find a masterpiece.

I go out of town for a few days on a reporting trip, and I leave my EC2 instance running while I’m away. When I get home, I see something new in the window—a message that says:

Password: 405wcs


Eureka! “405wcs”—a shortened version of my childhood address—is my long-lost password. It’s not exactly what I expected, but it should have been on my initial guess list. (I used to use versions of it, though I’ve since learned that address-based passwords are a terrible idea, so it won’t help you hack me today.) Dizzy with adrenaline, I open the ZIP file, enter the password, and start poking around in my past.

Inside the ZIP file are thousands of old documents, e-mails, photographs, music files, and yes, a few Limewire movies. I spend the next two weeks sorting through it all. I cringe at the Black Eyed Peas albums and drafts of my over-earnest college essays. I smile at the birthday e-cards from my grandparents. I spend hours sorting through photos I took with my high school girlfriend, trying to remember the circumstances behind each one.

It’s a uniquely emotional experience, and one I wasn’t fully prepared for. I’d always expected that finding my old files would feel like opening a time capsule. But it’s not a hand-picked selection of significant items from the past; it’s just a huge, unfiltered data dump. Good, bad, poignant, mundane—it’s all in there, ready to be rediscovered. Having all of it wash over me was like being seventeen again, and re-feeling all the old attendant joys, stresses, and heartaches.

In all, my self-hacking experiment cost me eleven days and $231.84 in rented server power. (It would have taken much longer and cost much more if my password had been nine or ten characters long.) But it was well worth it. I now have real, preservable proof of a period of my life that had been all but lost to the abstraction of memory.

In an odd way, I’m glad I preserved these files on a physical hard drive, and not in the cloud. If I had put them on Megacloud, Nirvanix, or any of the other online file-hosting services that were popular back in 2005, I might have lost them when those services shut down. Everyone knows about “link rot,” the process by which out-of-date web pages become unavailable as sites shut down and change their URL structure. But “cloud rot” may be just as much of a problem in the future. No matter how triple-redundant your cloud-based servers are, or how securely encrypted you keep your data, you’re still leaving yourself at the mercy of a company that could disappear tomorrow. Even Google and Amazon could go bankrupt someday, or decide to get out of the data storage business. And if they do, trillions of hosted files could die with them. As Ars Technica wrote, “The tenants of cloud computing make software completely dependent on a single point of failure in the cloud, and we have no mechanism in place for preserving this software when we are done with it.”

Don’t get me wrong: local, offline storage isn’t perfect, either. If I had rediscovered this hard drive ten years from now, I might not have had the means to access it. (Just imagine how hard it would be to get data off a 5.25-inch floppy disk today.) But there would at least have been something to tinker with, and try to find backward compatibility for. When a cloud-based storage unit goes poof, it’s just…gone. You can’t bury an iOS app in the ground, wait a few dozen years, and dig it up for posterity.

After finishing my trip down memory lane, I move a few important files from my old hard drive onto my current computer, delete a few unimportant ones, and leave the rest. I shove the drive back into the corner of my closet, next to a handful of other external hard drives and USB storage keys I’ve long since abandoned. The only major difference is that, now, there’s no password-protection. I may not be as security-minded as my 17-year-old self, but I’m determined to spare myself another two-week hacking expedition the next time I get curious about my past.