Convicted Terrorist Relied On Single-Letter Cipher 254
Hugh Pickens writes "The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"
More spreadsheet abuse (Score:5, Funny)
Remember this kids: always use a proper database for your crap encryption scheme.
Re: (Score:2, Insightful)
This is pretty damn hilarious. Though also, probably an April Fool's joke.
Re:More spreadsheet abuse (Score:5, Informative)
Actually considering the story on The Register is from March, I'll stick with hilarious.
Re: (Score:2)
This isn't news. This is olds.
Re:More spreadsheet abuse (Score:4, Insightful)
This is pretty damn hilarious. Though also, probably an April Fool's joke.
Weirder stuff has happened. There already was some Mafia guy who got caught because he was using Caesar cipher. <predictablejoke>And then there was that one Caesar-based encryption scheme in Adobe DRM. I have problems telling these Mafia guys apart.</predictablejoke>
Still, pretty hilarious. Even ignoring Kerckhoffs's Principle, there's still a big difference between using a cryptosystem the infidels developed, and a cryptosystem the infidels developed and then then abandoned centuries ago because they broke it and Muslim mathematicians no doubt helped cracking it. People who ignore history will only repeat it. This is also a good example of what happens when you play a high-stakes game of "I have a problem - let's throw a little bit of Excel at it to solve it once and for all".
Re:More spreadsheet abuse (Score:4, Informative)
Muslim mathematicians no doubt helped cracking it.
Close. The Ceasar shift was broken before Islam even began. But the improved version known as the Vigenere cipher was broken (after being considered unbreakable for centuries) by the Arabic scientist Al-Kindi in the ninth century A.D.
Re:More spreadsheet abuse (Score:5, Funny)
It is said that upon breaking the Vigenere cipher, Al-Kindi's first comments were, "Death to America!"
I think that might be an apocryphal story, though.
Re: (Score:2)
If I only had a mod point for you. +1 Funny
Re: (Score:3, Informative)
Wait, huh? Wikipedia says the Vigenère cipher was created in the 16th century.
Re:More spreadsheet abuse (Score:5, Interesting)
The guy is a moron no matter who cracked the cipher, of course, because it doesn't really matter who, just whether somebody did or not(excluding the edge cases of certain comparatively modern ciphers, that might conceivably have been cracked in private).
Re: (Score:3)
breaking a cipher where characters just get replaced with others can be done by hand quite easily by brute forcing(even if the decoder was a very bad guesser and only had an encyclopedia to help him about which words might be even words).
it's obvious that he thought that he was a computer guru when in fact he had only basic office computer skills and no engineering thought patterns. he didn't really think that what excel was doing was actually pretty simple. he thought his crazy excel sheet was doing some m
not really "encryption" (Score:2)
That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?
Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.
I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiven
Re: (Score:3)
That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?
Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.
Not true: AES will encrypt the same block the same way every time with the same key. AES is typically used in such a way [wikipedia.org] that it produces the results you describe, but the block encyption is still "encryption", whether used sensibly or not.
Re: (Score:2)
block, yes. character, no. AES in that mode is also referred to as a "block cipher" for that exact reason.
Stream mode is a much better idea for security, but can fail to be decoded if part of the transmission is lost or corrupted. Block ciphers usually only lose the damaged blocks and a block on each end of the damage.
Re: (Score:2)
I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiveness of say, 5 x rot13?
I strongly suspect that the cops being quoted were judging level of super-double-ultra-security-ness with roughly the same enthusiasm for self-aggrandizement generally shown in such situations. Unless the public would be immediately capable of recognizing the perp as being a candidate for 'America's Funniest Home Videos: The Blooper Reels', they are typically accorded the status of 'terrifying criminal mastermind that yours truly managed to bring to justice; but might need more expansive powers to stop in t
Re: (Score:2, Interesting)
Re:More spreadsheet abuse (Score:5, Funny)
Not that a piece of paper could have done the job as well (or probably better given the use of a halfway decent crypto scheme).
Re:More spreadsheet abuse (Score:5, Funny)
Re: (Score:3)
Re:More spreadsheet abuse (Score:4, Informative)
Re:More spreadsheet abuse (Score:4, Interesting)
Being a terrorist leader, on the other hand, is pretty much a combination of the best parts of being a cult leader and being an extreme sports enthusiast: Groupies, adulation, adrenaline, explosions, sponsors, probably more burqa-babes than you admit to in public...
Re: (Score:2)
Access!?
which proves once again (Score:3, Insightful)
that extremists are usually complete idiots.
Re: (Score:2)
Nearly. It proves once again that the extremists who are complete idiots usually make the news more often for things such as using cesar ciphers and not accounting for DST when setting the detonation time on their bombs.
Re:which proves once again (Score:5, Insightful)
Re: (Score:2)
Just because some of the terrorist-minded extremists who got caught were idiots doesn't mean that the ones who haven't been caught are idiots as well.
Having said that, I really wish that you were correct.
Re: (Score:3)
He was considerate to the tax payer (Score:3, Funny)
I would say that once his emails are being read he's screwed. Either he has AES encrypted files which take a lot of expensive equipment to decrypt (and fail to do so in a reasonable time) resulting in lots of surveillance to catch most of the people involved or he forces some poor graduate to use excel and give away the rest of the 'cell'.
I don’t think once your emails are being intercepted you have much hope of carrying out a terrorist attack anyway.
Two types of cryptography (Score:4, Insightful)
According to Bruce Schneier, there are two types of cryptography - that which will keep secrets safe from your little sister, and that which will keep secrets safe from your government.
I don't think this counts as either.
Fail.
Re: (Score:2)
Re: (Score:2)
Re:Two types of cryptography (Score:5, Funny)
in this case, it wasn't even that secure...
He chose a cipher that millions of people crack every day on their way to work, before moving on the the more difficult crossword puzzle....
Re: (Score:2)
The problem isn't how secure the cipher is (Score:2)
I think in most case any cipher which prevents the adversary from cracking it within the same day is secure enough.
It's a matter of time, not a matter of how secure the cipher is.
If your cipher is uncrackable, or too secure, then the adversary will be guaranteed to torture you when you get captured.
If the cipher is crackable, but takes weeks, months, or years, this might actually be better for your physical security than the unbreakable code.
Basically the more secure the cipher, the greater the probability
Re: (Score:2)
Crypto is only as secure as the guy with the key.
Which means crypto is never completely secure unless the key is located between two top secret underground bunkers and only the President and his counterpart have access to it.
And even then it might not be completely secure.
Re: (Score:2)
By the time I was in high school I'd invented an ugly bit manipulation that had almost certainly been created and thrown away by real cryptologists and cypherpunks decades ago. But it was fun for messing with my friends, none of whom were the previously mentioned cypherpunks or cryptologists.
These days I'd use one made by an expert rather than my weak attempts. Anything that'll take a server farm more than a we
Re:Two types of cryptography (Score:5, Insightful)
Neither are safe from your gov (Score:2)
If you have a secret and they can't break the code, they'll torture you until you break.
mpm (Score:2)
ib ib, zpv dbo'u sfbe uijt!
Re: (Score:2)
uibu't xibu zpv uijol gsjfoe.
mpwf zb,
v.t. hpwfsonfou
Re: (Score:2)
pi opft!
Re: (Score:2)
Re: (Score:2)
Frobnitz! Frobnosia! Prob Fset Cond! Zmemqb Intbl Foo!
Re: (Score:2)
Rubber dinghy rapids! (Score:2)
No lines!
Silly terrorists... (Score:5, Insightful)
... everyone knows you don't roll your own crypto.
I guess this is further support for the theory that the ignorant have too much confidence in what they think they know.
Re: (Score:3)
Shhh. Terrorists should actually keep rolling their own crypto. Many innocent lives will be saved. ;-)
But this is also why the US government tortures (Score:2)
The excuse being that they have to break the terrorists because they can't break the code in time to stop the attacks.
Re: (Score:2)
Well just go out and start killing Bothans.
I'll tell you when to stop.
Finally a good one! (Score:2)
I dread coming to slashdot every year on this date. For several years it was cringe-worthy so the last couple I made it a point to not even bother. Glad I decided to have a look this morning! Always good to start the day with a LOL.
Re: (Score:2)
Actual text of encrypted message - try to crack it (Score:2)
Etsay emthay upway ethay ombbay, Abdulway. Ethay amelcay iesflay atway idnightmay.
Re: (Score:2)
or if you're french, "pffft!"
Kaffirs know about AES so it must be less secure. (Score:2)
I wonder if anyone informed him that 256-bit AES has about the same number of possible combinations as there are atoms in the universe? Although he probably would have used a password that you could crack with a dictionary attack. These people truly are stuck in ancient times.
symmetric encryption is secure (Score:2)
generally if it's symmetric it's going to be much harder to crack and there are many different ciphers that are very hard or very time consuming to crack. AES is just one of many.
The problem isn't the cipher. If you use AES then you'll be taken to Gitmo or some blacksite and tortured for the rest of your life until you give up the code. Or they'll take you to a psych ward, drug you, torture you, until you go insane and give up every secret.
This could take weeks, months, years or decades, they have trained p
was it a good idea to publish this? (Score:2)
Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.
Re: (Score:2)
Re: (Score:2)
Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.
It wont make much of a difference. No matter what code they use the code breakers have a way to break it.
AES can be broken if the random number generator isn't random.
The one time pad can be broken by breaking the user.
I had better when I was 16 (Score:3, Interesting)
I read this story a few days ago. What strikes me is that I had invented better a encryption scheme when I was 16. See, I had read somewhere that certain letters (such as 'e') show up more times in English than other letters (such as 'x'). I also read that using frequency analysis [wikipedia.org] is one way you can break single letter cipers. So, I did something that I was (was) rather proud of.
I found out the most frequent letters, and instead instead of having single letter ciper, I replaced each one with more than one other character. So, 'e' might have been '6', 'j' and 'q', while 's' in this scheme might have been '3', 'f' and 'o' (or whatever). I was attempting to foil any frequency analysis that someone (who I don't know) might have done on my secret messages.
Only trouble was, the first version of the program had a bug. I think it was underscore was replaced with the wrong character in the decryption phase. Once I caught that though, it was all good.
Of course, a couple of years latter I learnt about PGP and GPG and RSA and all that good stuff. I no longer rely on home-built faulty encryption that requires both parties to have the code to decrypted the message.
Ironic given the role of Arabs in history of crypt (Score:4, Interesting)
Yeah, one day in undergrad I decided I wanted to make my own polyalphabetic substitution cipher, so I sat down and basically reinvented the Vignere cipher [wikipedia.org] (actually the Gronsfeld cipher, which is identical except that the key is numeric. Also FWIW I was not in a technical major).
This story is made ironic by the fact that the Arabs were responsible for many historic advances in the history of pre-modern cryptography. [wikipedia.org]
Re: (Score:2)
I figured avoiding letter frequency wasn't secure enough; after all, you're still leaving word frequency clues. So I figured on a codebook that assigned each word in the English language a number of 64-bit integers in proportion to its frequency. (If "is" was 10,000 times more frequent than "anteport", then there would be 10,000 64-bit numbers assigned to "is" for every one assigned to "anteport".)
Implemented it with a rather restricted dictionary, then gave it up as a lot more bother than it was worth.
Wow (Score:2)
Is this the April-fools-day message? If not. It has been proven that terrorists can be as stupid as governments. What a relieve.
This shows the IQ level of your average radical (Score:2)
So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.
Re: (Score:2)
So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.
Not necessarily. A cipher is not going to last forever. The cipher in the case of the terrorist would just have to be secure long enough to complete the operation. When the operation is complete the cipher could be cracked and it would not make a difference.
So if the message is the day and time of the attack, the message only has to be secure until that day. If it's sent a week in advance then it only has to be secure for a week. There are many ciphers out there which would require more than a week to crack
Re: (Score:2)
Thank God (Score:2)
Thank God most terrorists / criminals are this dumb. Otherwise we'd probably all be dead.
If you *want* to talk secretly, describing messages that will end up with you in jail if they are discovered, use something a bit better than a schoolboy cipher. Seriously, I was doing better than that when I was 11/12 and programming.
When I have idle moments, I try to "counter-think" terrorists in order to see what I would do if I were one. Almost all of the things I come up with are less risk, more impact, cheaper
Just goes to show... (Score:5, Insightful)
Excel for Terrorists? (Score:4, Funny)
I always thought the Excel menu option "terrorist cell" was a bit suspect.
Kaffir != non believers. (Score:2, Informative)
additionally, you define apostate (Score:2)
as another muslim who believes in a slightly modified version of islam. and that same muslim believes you to be an apostate as well. add some "my religion makes it praiseworthy to kill apostates" and you have a nice recipe for centuries of genocide. isn't religion grand?
Re: (Score:2)
Minor correction: "najis" is a singular term, not a plural, so you should say "is najis". Actually, that's not quite true; you can say "najis are...", since it's really singular and plural. But in particular, it is NOT the plural of "naji", which is a common and honorable name.
Somebody becomes najis by coming into contact with an unclean thing, such as a pig or alcohol, or a person who is najis.
Re:Kaffir != non believers. (Score:5, Insightful)
One of my pet peeves, for example. Saudi Arabia does not permit women to drive. Saudi Arabian government has a deficit and it has external debt. Yes it is true. It is so incomprehensible. The oil wealth of Saudi Arabia does not belong to the people of Saudi Arabia. It is considered to be personal wealth of King Saud, and his descendants, about 5000 sheiks and their families. All the rest get some kind of government dole, but pittance compared to what the sheiks are raking in. They have imported some 500,000 drivers from India, Pakistan, Bangladesh and Phillipines (that is in addition to 1.5 million domestic servants).
You can talk till you are hoarse about why women should be allowed to drive their cars, based on principles of equality, or economic implications. You will not make any progress. You cant reach them. They would shut you out.
But, if you knew that Mohammad has ordered all Muslim women to be able to ride horses and camels, you could argue that not allowing women to drive cars contradicts the Hadith, so it is un Islamic. Not that you are going to win. They will come back some argument or another. But they won't be able to shut you out. You will enable a few women there to make similar argument, and who knows, ten years from now, they might relax it a little bit and allow women to drive their sick children to hospitals.
Chuck Norris had this story (Score:2)
a couple of days ago. [schneier.com]
Why are we laughing at this? (Score:2)
And we are supposed to believe that these... (Score:3)
...bumblers are so dangerous that we must give up our liberty in order to be safe from them?
Re: (Score:2)
the only thing as dangerous as false alarmism is a false sense of complacency. i'm not sure why you believe a bunch of religious nuts determined to kill you isn't a problem, just because they are low iq. that they are morons changes HOW you worry about them, yes, but it doesn't mean you stop worrying about them. a horde of low iq idiots committed to mass murder is still a problem
They also discarded a voice scrambling system (Score:3, Funny)
Ob. 3D XKCD (Score:2)
http://xkcd.com/538/ [xkcd.com]
One of my favorite ones...
Gitmo and Gnomeland Security you can thank for the drugs and wrenches...
Definition (Score:2)
Their decrypted message: (Score:2)
"Be sure to drink your Ovaltine"
Even more evidence... (Score:2)
..that these people are still living in the stone age.
Re: (Score:2)
You are off your rocker. For one thing the Red Crescent is the Islamic version of the Red Cross.
Re: (Score:3)
Precisely (Score:2)
Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.
But even if they had a key distribution, they'd have no way to protect the keys and no way to protect the brains that know the keys.
Basically the weakness of the one time pad is the physical security of the brains that remember them, and the physical security of the keys. Because physical security is something the US government has a monopoly on, no terrorist group, gang, or mafia is going to be safe using any encryption cipher and that includes one time pads. The terrorists will be tortured brutally, psych
Re: (Score:2)
Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.
Could a book code be used?
Gee, I wonder which book they'd use...
Re: (Score:2)
Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.
Could a book code be used?
Which is why the governments want to know what books everyone reads. The book code would not work.
Generally speaking no encryption is 100% secure from the US government and the world has to accept that encryption is limited, just like guns are limited. They might protect you against civilians but they wont protect you against the military.
Only if they are prepared to commit suicide (Score:2)
Because if they use a one time pad, and get captured, they will be tortured.
Torture is how the one time pad is broken. You drug them, psychologically destroy them, eventually they'll want the pain to stop and they'll give up the key if they have it.
Infinite regress (Score:2)
In John Le Carré's A Perfect Spy the Soviet agent gives his British mole recruit a copy of Grimmelshausen's Simplicissimus before he even recruits him. This becomes a limitation because sigint eventually reveals that the communication with the mole has to be based on a single one time cipher. (Le Carré is in a position to know about this stuff.)
Re: (Score:2)
Of course then it isn't really a one time pad, it is a book code.
If someone else can get access to your OTP then it loses it's security. For OTP there should be precisely two instances. One used to encrypt and one used to decrypt.
Re: (Score:2)
whoops. sorry for troll mod misclick. Posting to undo.
Re: (Score:2)
Doh. Login fail :(
--Q
Re: (Score:2)
Re: (Score:2)
Yes, in fact it was right there at the beginning...
Re:Invented by Jews. (Score:4, Funny)
We should rename encryption "bacon", then they'd never use it.
Re: (Score:2)
Mmmm, bacon!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If your message is easily confused with noise then it might be fairly safe.
Re: (Score:2)
(Really, never understood the logic behind "you're a wonderful person, but because you don't believe in $DIETY I must assume your afterlife will be unpleasant". Makes me wonder if "Hell" is really a beach-front resort, filled with all the nice non-Christians...)
Re: (Score:3)
No, it's the other way around. Believing that the only goal of your life is to please and praise some guy called "The Lord" at any cost, means that you are a horrible person regardless of who "The Lord" is, and if he exists in the first place.