Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime Encryption Security United Kingdom IT

Convicted Terrorist Relied On Single-Letter Cipher 254

Hugh Pickens writes "The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"
This discussion has been archived. No new comments can be posted.

Convicted Terrorist Relied On Single-Letter Cipher

Comments Filter:
  • by MichaelSmith ( 789609 ) on Friday April 01, 2011 @04:25AM (#35686642) Homepage Journal

    Remember this kids: always use a proper database for your crap encryption scheme.

    • Re: (Score:2, Insightful)

      by somersault ( 912633 )

      This is pretty damn hilarious. Though also, probably an April Fool's joke.

      • by somersault ( 912633 ) on Friday April 01, 2011 @04:29AM (#35686664) Homepage Journal

        Actually considering the story on The Register is from March, I'll stick with hilarious.

      • by WWWWolf ( 2428 ) <wwwwolf@iki.fi> on Friday April 01, 2011 @04:57AM (#35686756) Homepage

        This is pretty damn hilarious. Though also, probably an April Fool's joke.

        Weirder stuff has happened. There already was some Mafia guy who got caught because he was using Caesar cipher. <predictablejoke>And then there was that one Caesar-based encryption scheme in Adobe DRM. I have problems telling these Mafia guys apart.</predictablejoke>

        Still, pretty hilarious. Even ignoring Kerckhoffs's Principle, there's still a big difference between using a cryptosystem the infidels developed, and a cryptosystem the infidels developed and then then abandoned centuries ago because they broke it and Muslim mathematicians no doubt helped cracking it. People who ignore history will only repeat it. This is also a good example of what happens when you play a high-stakes game of "I have a problem - let's throw a little bit of Excel at it to solve it once and for all".

        • by Anonymous Coward on Friday April 01, 2011 @05:42AM (#35686922)

          Muslim mathematicians no doubt helped cracking it.

          Close. The Ceasar shift was broken before Islam even began. But the improved version known as the Vigenere cipher was broken (after being considered unbreakable for centuries) by the Arabic scientist Al-Kindi in the ninth century A.D.

        • by fuzzyfuzzyfungus ( 1223518 ) on Friday April 01, 2011 @05:46AM (#35686932) Journal
          IIRC, they 'layman's historical introduction to cryptoanalysis' type overviews do often mention that more or less the earliest clearly recognizable use of frequency analysis cropped up among islamic scholars working on the problem of separating authentic Muhammad quotations from the assorted non-canon stuff that had crept in, by examining word frequency distributions across different passages...

          The guy is a moron no matter who cracked the cipher, of course, because it doesn't really matter who, just whether somebody did or not(excluding the edge cases of certain comparatively modern ciphers, that might conceivably have been cracked in private).
        • by gl4ss ( 559668 )

          breaking a cipher where characters just get replaced with others can be done by hand quite easily by brute forcing(even if the decoder was a very bad guesser and only had an encyclopedia to help him about which words might be even words).

          it's obvious that he thought that he was a computer guru when in fact he had only basic office computer skills and no engineering thought patterns. he didn't really think that what excel was doing was actually pretty simple. he thought his crazy excel sheet was doing some m

          • That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?

            Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.

            I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiven

            • by lgw ( 121541 )

              That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?

              Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.

              Not true: AES will encrypt the same block the same way every time with the same key. AES is typically used in such a way [wikipedia.org] that it produces the results you describe, but the block encyption is still "encryption", whether used sensibly or not.

              • by v1 ( 525388 )

                block, yes. character, no. AES in that mode is also referred to as a "block cipher" for that exact reason.

                Stream mode is a much better idea for security, but can fail to be decoded if part of the transmission is lost or corrupted. Block ciphers usually only lose the damaged blocks and a block on each end of the damage.

            • I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiveness of say, 5 x rot13?

              I strongly suspect that the cops being quoted were judging level of super-double-ultra-security-ness with roughly the same enthusiasm for self-aggrandizement generally shown in such situations. Unless the public would be immediately capable of recognizing the perp as being a candidate for 'America's Funniest Home Videos: The Blooper Reels', they are typically accorded the status of 'terrifying criminal mastermind that yours truly managed to bring to justice; but might need more expansive powers to stop in t

      • Re: (Score:2, Interesting)

        Comment removed based on user account deletion
    • by azalin ( 67640 ) on Friday April 01, 2011 @04:55AM (#35686750)
      In related news: "Microsoft provides Terrorists with software to plan attacks"

      Not that a piece of paper could have done the job as well (or probably better given the use of a halfway decent crypto scheme).
    • by Narpak ( 961733 )
      Or One Time Pads [wikipedia.org].
    • by daem0n1x ( 748565 ) on Friday April 01, 2011 @06:29AM (#35687112)
      I'm glad terrorists are even more retarded than the government officials that try to catch them. Makes me feel a lot safer.
    • by JamesP ( 688957 )

      Access!?

  • by brezel ( 890656 ) on Friday April 01, 2011 @04:32AM (#35686674) Homepage

    that extremists are usually complete idiots.

    • by jamesh ( 87723 )

      Nearly. It proves once again that the extremists who are complete idiots usually make the news more often for things such as using cesar ciphers and not accounting for DST when setting the detonation time on their bombs.

    • by EdZ ( 755139 ) on Friday April 01, 2011 @07:41AM (#35687564)
      The ones holding the pointy end of the stick, yes. They're generally a bit lacking in cognitive faculties. Unfortunately, the ones handing out the sticks are often pretty clever, and rather ruthless in keeping their scam going.
    • cum hoc ergo propter hoc

      Just because some of the terrorist-minded extremists who got caught were idiots doesn't mean that the ones who haven't been caught are idiots as well.

      Having said that, I really wish that you were correct.

  • by nzac ( 1822298 ) on Friday April 01, 2011 @04:35AM (#35686686)

    I would say that once his emails are being read he's screwed. Either he has AES encrypted files which take a lot of expensive equipment to decrypt (and fail to do so in a reasonable time) resulting in lots of surveillance to catch most of the people involved or he forces some poor graduate to use excel and give away the rest of the 'cell'.
    I don’t think once your emails are being intercepted you have much hope of carrying out a terrorist attack anyway.

  • by Karellen ( 104380 ) on Friday April 01, 2011 @04:38AM (#35686698) Homepage

    According to Bruce Schneier, there are two types of cryptography - that which will keep secrets safe from your little sister, and that which will keep secrets safe from your government.

    I don't think this counts as either.

    Fail.

    • The problem, of course, is that even people who are quite good(and this guy obviously wasn't) have the nasty habit of coming up with ciphers that they cannot attack and mistaking them for secure ones...
    • Crypto is only as secure as the guy with the key.
      • by zippthorne ( 748122 ) on Friday April 01, 2011 @06:38AM (#35687154) Journal

        in this case, it wasn't even that secure...

        He chose a cipher that millions of people crack every day on their way to work, before moving on the the more difficult crossword puzzle....

        • My, these Americans have a most devious encryption... so secure that they send their messages in public! Flunky! Create me one of these... Cryptograms... mua ha ha...
      • by elucido ( 870205 ) *

        Crypto is only as secure as the guy with the key.

        Which means crypto is never completely secure unless the key is located between two top secret underground bunkers and only the President and his counterpart have access to it.

        And even then it might not be completely secure.

    • We played with the alphabet shift 'secret' messages in second grade, the teachers taught it to us.

      By the time I was in high school I'd invented an ugly bit manipulation that had almost certainly been created and thrown away by real cryptologists and cypherpunks decades ago. But it was fun for messing with my friends, none of whom were the previously mentioned cypherpunks or cryptologists.

      These days I'd use one made by an expert rather than my weak attempts. Anything that'll take a server farm more than a we
    • by namgge ( 777284 ) on Friday April 01, 2011 @07:02AM (#35687252)
      There are two types of cyptography: one that allows the Government to use brute force to break the code, and one that requires the Government to use brute force to break you.
    • If you have a secret and they can't break the code, they'll torture you until you break.

  • ib ib, zpv dbo'u sfbe uijt!

  • by the_raptor ( 652941 ) on Friday April 01, 2011 @04:39AM (#35686710)

    ... everyone knows you don't roll your own crypto.

    I guess this is further support for the theory that the ignorant have too much confidence in what they think they know.

  • I dread coming to slashdot every year on this date. For several years it was cringe-worthy so the last couple I made it a point to not even bother. Glad I decided to have a look this morning! Always good to start the day with a LOL.

  • Etsay emthay upway ethay ombbay, Abdulway. Ethay amelcay iesflay atway idnightmay.

  • I wonder if anyone informed him that 256-bit AES has about the same number of possible combinations as there are atoms in the universe? Although he probably would have used a password that you could crack with a dictionary attack. These people truly are stuck in ancient times.

    • generally if it's symmetric it's going to be much harder to crack and there are many different ciphers that are very hard or very time consuming to crack. AES is just one of many.

      The problem isn't the cipher. If you use AES then you'll be taken to Gitmo or some blacksite and tortured for the rest of your life until you give up the code. Or they'll take you to a psych ward, drug you, torture you, until you go insane and give up every secret.

      This could take weeks, months, years or decades, they have trained p

  • Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.

    • The Venn Diagram of terrorists who use crap encryption and those who read Slashdot has no overlap.
    • by elucido ( 870205 ) *

      Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.

      It wont make much of a difference. No matter what code they use the code breakers have a way to break it.
      AES can be broken if the random number generator isn't random.
      The one time pad can be broken by breaking the user.

  • by no known priors ( 1948918 ) on Friday April 01, 2011 @05:39AM (#35686908)

    I read this story a few days ago. What strikes me is that I had invented better a encryption scheme when I was 16. See, I had read somewhere that certain letters (such as 'e') show up more times in English than other letters (such as 'x'). I also read that using frequency analysis [wikipedia.org] is one way you can break single letter cipers. So, I did something that I was (was) rather proud of.

    I found out the most frequent letters, and instead instead of having single letter ciper, I replaced each one with more than one other character. So, 'e' might have been '6', 'j' and 'q', while 's' in this scheme might have been '3', 'f' and 'o' (or whatever). I was attempting to foil any frequency analysis that someone (who I don't know) might have done on my secret messages.

    Only trouble was, the first version of the program had a bug. I think it was underscore was replaced with the wrong character in the decryption phase. Once I caught that though, it was all good.

    Of course, a couple of years latter I learnt about PGP and GPG and RSA and all that good stuff. I no longer rely on home-built faulty encryption that requires both parties to have the code to decrypted the message.

    • by langelgjm ( 860756 ) on Friday April 01, 2011 @05:51AM (#35686960) Journal

      Yeah, one day in undergrad I decided I wanted to make my own polyalphabetic substitution cipher, so I sat down and basically reinvented the Vignere cipher [wikipedia.org] (actually the Gronsfeld cipher, which is identical except that the key is numeric. Also FWIW I was not in a technical major).

      This story is made ironic by the fact that the Arabs were responsible for many historic advances in the history of pre-modern cryptography. [wikipedia.org]

    • by SEE ( 7681 )

      I figured avoiding letter frequency wasn't secure enough; after all, you're still leaving word frequency clues. So I figured on a codebook that assigned each word in the English language a number of 64-bit integers in proportion to its frequency. (If "is" was 10,000 times more frequent than "anteport", then there would be 10,000 64-bit numbers assigned to "is" for every one assigned to "anteport".)

      Implemented it with a rather restricted dictionary, then gave it up as a lot more bother than it was worth.

  • by prefec2 ( 875483 )

    Is this the April-fools-day message? If not. It has been proven that terrorists can be as stupid as governments. What a relieve.

  • So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.

    • by elucido ( 870205 ) *

      So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.

      Not necessarily. A cipher is not going to last forever. The cipher in the case of the terrorist would just have to be secure long enough to complete the operation. When the operation is complete the cipher could be cracked and it would not make a difference.

      So if the message is the day and time of the attack, the message only has to be secure until that day. If it's sent a week in advance then it only has to be secure for a week. There are many ciphers out there which would require more than a week to crack

  • Comment removed based on user account deletion
  • Thank God most terrorists / criminals are this dumb. Otherwise we'd probably all be dead.

    If you *want* to talk secretly, describing messages that will end up with you in jail if they are discovered, use something a bit better than a schoolboy cipher. Seriously, I was doing better than that when I was 11/12 and programming.

    When I have idle moments, I try to "counter-think" terrorists in order to see what I would do if I were one. Almost all of the things I come up with are less risk, more impact, cheaper

  • by ZDRuX ( 1010435 ) on Friday April 01, 2011 @06:48AM (#35687194)
    This just goes to show how the whole Patriot Act has nothing to do with catching terrorists. They can barely communicate effectively, most of them just set their underwear on fire, and the rest live in far off lands, yet the nanny state is always local, ever present, and ever watchful... give me a break!
  • by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Friday April 01, 2011 @06:55AM (#35687222) Homepage Journal

    I always thought the Excel menu option "terrorist cell" was a bit suspect.

  • Infidels are the non believers, usually restricted to the Jews and Christians because they are the people of the Book, but they just don't accept Mohammad. Kaffirs are more like pagans, heathens, idolators. Then there are najis, the dirty. Then there are apostates. The ranking is muslim > infidels > kaffirs > najis > apostates.
    • as another muslim who believes in a slightly modified version of islam. and that same muslim believes you to be an apostate as well. add some "my religion makes it praiseworthy to kill apostates" and you have a nice recipe for centuries of genocide. isn't religion grand?

    • by jfengel ( 409917 )

      Minor correction: "najis" is a singular term, not a plural, so you should say "is najis". Actually, that's not quite true; you can say "najis are...", since it's really singular and plural. But in particular, it is NOT the plural of "naji", which is a common and honorable name.

      Somebody becomes najis by coming into contact with an unclean thing, such as a pig or alcohol, or a person who is najis.

  • If we were really smart we would all agree that the encryption method used by Rajib was super sophisticated and it was due some lucky break and a happenstance it was broken. Publicly proving their cryptography is a joke and thus humiliating them would make the switch to PGP or something. It takes a wise man to let his enemies underestimate his mental powers.
  • ...bumblers are so dangerous that we must give up our liberty in order to be safe from them?

    • the only thing as dangerous as false alarmism is a false sense of complacency. i'm not sure why you believe a bunch of religious nuts determined to kill you isn't a problem, just because they are low iq. that they are morons changes HOW you worry about them, yes, but it doesn't mean you stop worrying about them. a horde of low iq idiots committed to mass murder is still a problem

  • by Doghouse Riley ( 1072336 ) on Friday April 01, 2011 @08:52AM (#35688032)
    when it was realized that "Igpay Atinlay" might be incompatible with the Muslim prohibition of pork.
  • http://xkcd.com/538/ [xkcd.com]

    One of my favorite ones...

    Gitmo and Gnomeland Security you can thank for the drugs and wrenches...

  • What gives me solace regarding the danger posed by extremists (religious or otherwise) is that almost by definition these people are not terribly smart. If you induce yourself to believe some fairy tale about the afterlife, to the point that you are willing to kill people, you cannot be that rational. Of course the government needs to be watching out for these people (since they are dangerous), but I do not believe it takes all the powers that have been given to the government to keep track and arrest these
  • "Be sure to drink your Ovaltine"

  • ..that these people are still living in the stone age.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...