Convicted Terrorist Relied On Single-Letter Cipher

Hugh Pickens writes "The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"

More spreadsheet abuse

[MichaelSmith]

Remember this kids: always use a proper database for your crap encryption scheme.

Re:More spreadsheet abuse

[somersault]

This is pretty damn hilarious. Though also, probably an April Fool's joke.

Re:More spreadsheet abuse

[somersault]

Actually considering the story on The Register is from March, I'll stick with hilarious.

Re:More spreadsheet abuse

It seems, some of his beliefs were testable.

Re:More spreadsheet abuse

[azalin]

In related news: "Microsoft provides Terrorists with software to plan attacks"

Not that a piece of paper could have done the job as well (or probably better given the use of a halfway decent crypto scheme).

Re:More spreadsheet abuse

[WWWWolf]

This is pretty damn hilarious. Though also, probably an April Fool's joke.

Weirder stuff has happened. There already was some Mafia guy who got caught because he was using Caesar cipher. <predictablejoke>And then there was that one Caesar-based encryption scheme in Adobe DRM. I have problems telling these Mafia guys apart.</predictablejoke>

Still, pretty hilarious. Even ignoring Kerckhoffs's Principle, there's still a big difference between using a cryptosystem the infidels developed, and a cryptosystem the infidels developed and then then abandoned centuries ago because they broke it and Muslim mathematicians no doubt helped cracking it. People who ignore history will only repeat it. This is also a good example of what happens when you play a high-stakes game of "I have a problem - let's throw a little bit of Excel at it to solve it once and for all".

Re:More spreadsheet abuse

[L4t3r4lu5]

Not only that, it's over a week old.

This isn't news. This is olds.

Re:More spreadsheet abuse

Muslim mathematicians no doubt helped cracking it.

Close. The Ceasar shift was broken before Islam even began. But the improved version known as the Vigenere cipher was broken (after being considered unbreakable for centuries) by the Arabic scientist Al-Kindi in the ninth century A.D.

Re:More spreadsheet abuse

[fuzzyfuzzyfungus]

IIRC, they 'layman's historical introduction to cryptoanalysis' type overviews do often mention that more or less the earliest clearly recognizable use of frequency analysis cropped up among islamic scholars working on the problem of separating authentic Muhammad quotations from the assorted non-canon stuff that had crept in, by examining word frequency distributions across different passages...

The guy is a moron no matter who cracked the cipher, of course, because it doesn't really matter who, just whether somebody did or not(excluding the edge cases of certain comparatively modern ciphers, that might conceivably have been cracked in private).

Re:More spreadsheet abuse

[Narpak]

Or One Time Pads.

Re:More spreadsheet abuse

[daem0n1x]

I'm glad terrorists are even more retarded than the government officials that try to catch them. Makes me feel a lot safer.

Re:More spreadsheet abuse

[JamesP]

Access!?

Re:More spreadsheet abuse

[DrXym]

This and Flight Simulator. MS should be on the terrorist watch list.

Re:More spreadsheet abuse

[PopeRatzo]

But the improved version known as the Vigenere cipher was broken (after being considered unbreakable for centuries) by the Arabic scientist Al-Kindi in the ninth century A.D.

It is said that upon breaking the Vigenere cipher, Al-Kindi's first comments were, "Death to America!"

I think that might be an apocryphal story, though.

Re:More spreadsheet abuse

[Cwix]

If I only had a mod point for you. +1 Funny

Re:More spreadsheet abuse

[gl4ss]

breaking a cipher where characters just get replaced with others can be done by hand quite easily by brute forcing(even if the decoder was a very bad guesser and only had an encyclopedia to help him about which words might be even words).

it's obvious that he thought that he was a computer guru when in fact he had only basic office computer skills and no engineering thought patterns. he didn't really think that what excel was doing was actually pretty simple. he thought his crazy excel sheet was doing some magic like enigma when it was just being much simpler than that.

what's more, he hadn't read a single book about crypto history and had not even watched modern marvels cryptography ep. but of course reading that such stuff is already older than the muslim faith might have put a lid on his extremism and a dent to his ego. also, some people have no idea that such information isn't actually a secret in the west while there are a few places in the world where it is a "secret" and "forbidden information" if you got caught by local secret police.

Re:More spreadsheet abuse

[CaptSlaq]

I'm in if it involves attractive robots from the future.

Re:More spreadsheet abuse

[hairyfeet]

Sadly TFA is from March and thus probably not. As someone who has hung around cops at the shop and got them to tell some of their favorite "dumbass criminal" stories this frankly doesn't surprise me, hell let me add one of my favorites the cops told me:

This Einstein, which actually gained a little celebrity by ending up on "World's stupidest criminals" decides he is gonna rob this bank so he comes up with the cunning disguise of a bag over his head while wearing his work shirt with the company and his name in bold letters on the front. Not only that but he writes the note on a personal check he left behind at the scene! The cop I was talking to was one of the arresting officers and he had to let his partner do the talking during the arrest he said because he was too busy laughing at the criminal who was damned sure his disguise was perfect! He argued with them all the way to the station that there was NO WAY they could have seen him through the bag!

So a terrorist group with the brains of a bag of rocks really doesn't surprise me. from talking with the cops that come in my shop one thing I've learned is that for most crimes you sure as hell don't need Colombo, because the criminals make Homer Simpson look like Stephen Hawking.

Re:More spreadsheet abuse

[fuzzyfuzzyfungus]

Being a terrorist grunt is a sucker's game.

Being a terrorist leader, on the other hand, is pretty much a combination of the best parts of being a cult leader and being an extreme sports enthusiast: Groupies, adulation, adrenaline, explosions, sponsors, probably more burqa-babes than you admit to in public...

Re:More spreadsheet abuse

[StormShaman]

Wait, huh? Wikipedia says the Vigenère cipher was created in the 16th century.

Re:More spreadsheet abuse

[zkp]

http://webcache.googleusercontent.com/search?q=cache:gv3zaiLbCzMJ:www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/+BA+jihadist+relied+on+Jesus-era+encryption&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a&source=www.google.com

Re:More spreadsheet abuse

[budgenator]

You say that like El Reg has too much journalistic integrity to backdate an April fool's day story; reading too much BOFH tends to warp you a bit.

Re:More spreadsheet abuse

[Darinbob]

Ya, they probably should have encrypted messages using PowerPoint instead. I can never understand what any of those slides are about.

Re:More spreadsheet abuse

[u38cg]

Nope, the first known rant by a Muslim against America was recorded by a Persian religious scholar in about 1798 or thereabouts. Citation omitted as I would have to walk to the next room.

Re:More spreadsheet abuse

[PopeRatzo]

Citation omitted as I would have to walk to the next room.

You mean you're not already sitting in the bat-cave?

Why would you ever leave?

Thanks for reminding me

I have been meaning to get around to watching Four Lions for a while.

Re:Thanks for reminding me

[stealth_finger]

Rubber dingy rapids

which proves once again

[brezel]

that extremists are usually complete idiots.

Re:which proves once again

[jamesh]

Nearly. It proves once again that the extremists who are complete idiots usually make the news more often for things such as using cesar ciphers and not accounting for DST when setting the detonation time on their bombs.

Re:which proves once again

[Dr.Syshalt]

Or just proves that Slashdot readers still don't check calendars :)

Re:which proves once again

[TheP4st]

Or proves that /. readers don't read the article which were published on 22nd March. ;-)

Re:which proves once again

[EdZ]

The ones holding the pointy end of the stick, yes. They're generally a bit lacking in cognitive faculties. Unfortunately, the ones handing out the sticks are often pretty clever, and rather ruthless in keeping their scam going.

Re:which proves once again

[matrim99]

cum hoc ergo propter hoc

Just because some of the terrorist-minded extremists who got caught were idiots doesn't mean that the ones who haven't been caught are idiots as well.

Having said that, I really wish that you were correct.

He was considerate to the tax payer

[nzac]

I would say that once his emails are being read he's screwed. Either he has AES encrypted files which take a lot of expensive equipment to decrypt (and fail to do so in a reasonable time) resulting in lots of surveillance to catch most of the people involved or he forces some poor graduate to use excel and give away the rest of the 'cell'.
I don’t think once your emails are being intercepted you have much hope of carrying out a terrorist attack anyway.

TFA headline is epic troll

"BA jihadist relied on Jesus-era encryption"

hahahahahahaha "Jesus-era" hahahahahaha

Two types of cryptography

[Karellen]

According to Bruce Schneier, there are two types of cryptography - that which will keep secrets safe from your little sister, and that which will keep secrets safe from your government.

I don't think this counts as either.

Fail.

Re:Two types of cryptography

[fuzzyfuzzyfungus]

The problem, of course, is that even people who are quite good(and this guy obviously wasn't) have the nasty habit of coming up with ciphers that they cannot attack and mistaking them for secure ones...

Re:Two types of cryptography

[mlush]

The problem, of course, is that even people who are quite good(and this guy obviously wasn't) have the nasty habit of coming up with ciphers that they cannot attack and mistaking them for secure ones...

And Boys and Girls this is why you don't use a crypto system that has not published the full details as to how it works!-)

Re:Two types of cryptography

[L4t3r4lu5]

Crypto is only as secure as the guy with the key.

Re:Two types of cryptography

[meerling]

We played with the alphabet shift 'secret' messages in second grade, the teachers taught it to us.

By the time I was in high school I'd invented an ugly bit manipulation that had almost certainly been created and thrown away by real cryptologists and cypherpunks decades ago. But it was fun for messing with my friends, none of whom were the previously mentioned cypherpunks or cryptologists.

These days I'd use one made by an expert rather than my weak attempts. Anything that'll take a server farm more than a week to decode is strong enough. I don't have anything to hide, I just don't like people sneaking peeks at my undies, so I want it to be a lot more inconvenient for them than for me.

I can imagine some spook having spent a week or more decoding an encrypted file I was carrying around, then suddenly pounding his head on the keyboard in frustration as he reads the results of decryption, some poorly written short story I'm too disappointed in to show to anyone, but too invested to just throw it away. Or maybe it just contains the password for the encryption and a reminder to not forget it...

Re:Two types of cryptography

[zippthorne]

in this case, it wasn't even that secure...

He chose a cipher that millions of people crack every day on their way to work, before moving on the the more difficult crossword puzzle....

Re:Two types of cryptography

[namgge]

There are two types of cyptography: one that allows the Government to use brute force to break the code, and one that requires the Government to use brute force to break you.

Re:Two types of cryptography

[anakha]

Obligatory XKCD reference - http://xkcd.com/538/

Re:Two types of cryptography

[AvitarX]

Hmm, I read it as a shifting of the letters, not a complete scramble.

This would make it simpler.

Re:Two types of cryptography

[elucido]

Crypto is only as secure as the guy with the key.

Which means crypto is never completely secure unless the key is located between two top secret underground bunkers and only the President and his counterpart have access to it.

And even then it might not be completely secure.

Re:Two types of cryptography

[pete_norm]

In this case, the full details of how it works have been known and published for a long time. Still not a good scheme though...

Re:Two types of cryptography

[osu-neko]

According to Bruce Schneier, there are two types of cryptography - that which will keep secrets safe from your little sister, and that which will keep secrets safe from your government.

What if your little sister works for the government?

Re:Two types of cryptography

[anyGould]

My, these Americans have a most devious encryption... so secure that they send their messages in public! Flunky! Create me one of these... Cryptograms... mua ha ha...

Re:Two types of cryptography

[anyGould]

What if your little sister works for the government?

Then you, my friend, are very screwed.

Re:Two types of cryptography

[Alex+Belits]

In this case, substitution table is the key, it can exist completely outside the code. Substitution cipher is bad because it can be easily broken by analysis of the message, not because of any peculiarity of implementation.

mpm

[neokushan]

ib ib, zpv dbo'u sfbe uijt!

Re:mpm

[hldn]

uibu't xibu zpv uijol gsjfoe.

mpwf zb,
v.t. hpwfsonfou

Re:mpm

[troon]

Xibu jt nptu tvsqsjtjoh jt uibu J dbo, boe xsjuf b sfqmz jo nz ifbe!

Re:mpm

[neokushan]

pi opft!

Re:mpm

[Hazel+Bergeron]

Frobnitz! Frobnosia! Prob Fset Cond! Zmemqb Intbl Foo!

Re:mpm

[AffidavitDonda]

erad ot kaerb siht ythgim rehpyc ytrid tsilairepmi

Re:mpm

[osu-neko]

erad ot kaerb siht ythgim rehpyc ytrid tsilairepmi

I actually had a spot of trouble with that one, since I used to make a game out of reading and writing "mirror-text", so I instinctively started by reading the entire sentence from right to left. Then I thought you were using a jumbled word order to make it more difficult, started reordering the words, and finally realized I'd just read it backwards.

Rubber dinghy rapids!

[SteeldrivingJon]

No lines!

Silly terrorists...

[the_raptor]

... everyone knows you don't roll your own crypto.

I guess this is further support for the theory that the ignorant have too much confidence in what they think they know.

Re:Silly terrorists...

[trifish]

Shhh. Terrorists should actually keep rolling their own crypto. Many innocent lives will be saved. ;-)

Re:Silly terrorists...

[the_raptor]

Well just go out and start killing Bothans.

I'll tell you when to stop.

Finally a good one!

[PingXao]

I dread coming to slashdot every year on this date. For several years it was cringe-worthy so the last couple I made it a point to not even bother. Glad I decided to have a look this morning! Always good to start the day with a LOL.

Re:Finally a good one!

[iDuck]

The biggest lol is that it's true.. (see date of original article)

Actual text of encrypted message - try to crack it

[paiute]

Etsay emthay upway ethay ombbay, Abdulway. Ethay amelcay iesflay atway idnightmay.

IT?

[moco]

TFA says he was an IT employee at British Airways. He was a dumb terrorist but also, a lousy IT professional, thinking that his substitution cypher was better than AES.

As they say: even worse than an idiot, is an idiot with initiative.

Re:IT?

[osu-neko]

Most IT professionals are worse than ignorant. If they were merely ignorant, they'd spend some time to learn what they don't know. The problem is not what they don't know, but what they think they do know that's just plain wrong.

Re:IT?

[budgenator]

TFA says he was an IT employee at British Airways. He was a dumb terrorist but also, a lousy IT professional, thinking that his substitution cypher was better than AES.

As they say: even worse than an idiot, is an idiot with initiative.

Call Karim an idiot is fitting for other reasons

Woolwich Crown Court was told that Bangladeshi Islamic activists who were in touch with Karim had rejected the use of common modern systems such as PGP or TrueCrypt in favour of a system which used Excel transposition tables, which they had invented themselves.

than his choice of security tools.

Is this a bot test?

[Adayse]

Imagine that a significant percentage of ./ is sock-puppets and bots. It's possible.. Posting an otherwise reasonable comment today, or yesterday is a fair indication of your true nature and a bug in your code.

Re:Is this a bot test?

[osu-neko]

Imagine that a significant percentage of ./ is sock-puppets and bots. It's possible.. Posting an otherwise reasonable comment today, or yesterday is a fair indication of your true nature and a bug in your code.

I was replaced by a small shell script years ago...

Kaffirs know about AES so it must be less secure.

[rhook]

I wonder if anyone informed him that 256-bit AES has about the same number of possible combinations as there are atoms in the universe? Although he probably would have used a password that you could crack with a dictionary attack. These people truly are stuck in ancient times.

Re:ROT 13 - Rotational 13

[rhook]

You are off your rocker. For one thing the Red Crescent is the Islamic version of the Red Cross.

Idiots

[Poorcku]

How about using a one-time pad. It is unbreakable (in a theoretical setting, of course). But better than 40BC tech.

Re:Idiots

[ShadowRangerRIT]

Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.

Re:Idiots

[mlush]

Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.

Could a book code be used?

Re:Idiots

[LordNacho]

Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.

Could a book code be used?

Gee, I wonder which book they'd use...

Re:Idiots

[jecblackpepper]

Of course then it isn't really a one time pad, it is a book code.

If someone else can get access to your OTP then it loses it's security. For OTP there should be precisely two instances. One used to encrypt and one used to decrypt.

Re:Idiots

[mlush]

Could a book code be used?

Gee, I wonder which book they'd use...

Speaking off the cuff (and joking apart), I'd go for Harry Potter, the big problem with a bookcode is getting the same edition in different parts of the world. HP is ubiquitous enough to make this possible and sad enough to make it a plausible part of a terrorist possessions.

Re:Idiots

[elucido]

Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.

Could a book code be used?

Which is why the governments want to know what books everyone reads. The book code would not work.
Generally speaking no encryption is 100% secure from the US government and the world has to accept that encryption is limited, just like guns are limited. They might protect you against civilians but they wont protect you against the military.

Re:Idiots

[Vegemeister]

Harry Potter is published in localized versions. You'd have to use something that would be the same no matter where you bought it.

Re:Idiots

[mlush]

I was in Japan a few years back and in need of some English language books to keep my boy happy... About the only books I could get were Harry Potter and His Dark Materials. Both were the UK editions

Re:Idiots

[pclminion]

I've never understood what the problem is with OTP distribution. It's expensive, but doable. A 3 TB drive of random bits is enough for a hell of a lot of communication, so long as you aren't using gobs of video or audio. In reality you need two such drives with the same random bits, one for each end of the communication channel. The expense isn't in buying the drives, but exchanging them securely. Pretty much, one guy has to fly over and physically bring one of the drives back with him. So for the price of a round-trip plane ticket and two 3 TB drives, you can do OTP for quite a long while.

It isn't hard to imagine how to organize a star topology network based on OTP. The hubs of the network will go through pad data at a faster rate than the leaves, but hey... it's all doable.

Re:Idiots

[_0xd0ad]

How about using a one-time pad. It is unbreakable (in a theoretical setting, of course).

A one-time pad is only as strong as the total number of possible "times" in your pad. You could make a pretty big one-time pad of nothing but alphabet replacement cyphers, but that wouldn't make the cypher any stronger.

There are 26! (about 4.03x10^26) possible alphabet replacement cyphers, but you can attack any one of them with a dictionary...

Re:Idiots

[Sulphur]

How about using a one-time pad. It is unbreakable (in a theoretical setting, of course). But better than 40BC tech.

Venona was broken because the one time pad was reused.

--

No spin version of ROT13 used here.

Re:Idiots

[compro01]

About the only books I could get were Harry Potter and His Dark Materials. Both were the UK editions

Did anyone else read that sentence and wonder when they came out with an 8th book?

Need more coffee.

I have head of

[dicobalt]

security through obscurity but never security through religion. Or wait, no, nm yea I have.

was it a good idea to publish this?

[hcdejong]

Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.

Re:was it a good idea to publish this?

[ShadowRangerRIT]

The Venn Diagram of terrorists who use crap encryption and those who read Slashdot has no overlap.

Re:was it a good idea to publish this?

[elucido]

Usually, transparency is a good thing. In this case though, wouldn't the smart play have been to let sleeping dogs lie? Karim can't have been the only terrorist to rely on breakable encryption.

It wont make much of a difference. No matter what code they use the code breakers have a way to break it.
AES can be broken if the random number generator isn't random.
The one time pad can be broken by breaking the user.

I had better when I was 16

[no+known+priors]

I read this story a few days ago. What strikes me is that I had invented better a encryption scheme when I was 16. See, I had read somewhere that certain letters (such as 'e') show up more times in English than other letters (such as 'x'). I also read that using frequency analysis is one way you can break single letter cipers. So, I did something that I was (was) rather proud of.

I found out the most frequent letters, and instead instead of having single letter ciper, I replaced each one with more than one other character. So, 'e' might have been '6', 'j' and 'q', while 's' in this scheme might have been '3', 'f' and 'o' (or whatever). I was attempting to foil any frequency analysis that someone (who I don't know) might have done on my secret messages.

Only trouble was, the first version of the program had a bug. I think it was underscore was replaced with the wrong character in the decryption phase. Once I caught that though, it was all good.

Of course, a couple of years latter I learnt about PGP and GPG and RSA and all that good stuff. I no longer rely on home-built faulty encryption that requires both parties to have the code to decrypted the message.

Re:I had better when I was 16

[SEE]

I figured avoiding letter frequency wasn't secure enough; after all, you're still leaving word frequency clues. So I figured on a codebook that assigned each word in the English language a number of 64-bit integers in proportion to its frequency. (If "is" was 10,000 times more frequent than "anteport", then there would be 10,000 64-bit numbers assigned to "is" for every one assigned to "anteport".)

Implemented it with a rather restricted dictionary, then gave it up as a lot more bother than it was worth.

Re:I had better when I was 16

[tool462]

I wrote a single letter cypher when I was about 12 that instead of using a fixed letter swap (like a->x or s->[3,f,o] in your case) it would use a pseudo-random number generator sequence and shift each letter by the next number in the sequence. The decryption key was the seed value to the PRNG. Since it was just a numerical shift, it worked on binary data as well as ascii. It would just shift each 8 bit chunk by the value in the generator. The PRNG I used was a pretty crappy one, but I was pretty pleased with the concept at the time. Still has the major weakness like you mentioned where access to the code or compiled program would pretty much give away the whole thing.

Wow

[prefec2]

Is this the April-fools-day message? If not. It has been proven that terrorists can be as stupid as governments. What a relieve.

Re:Yemen-based al Qaida leader.. is stupid

[SharpFang]

whoops. sorry for troll mod misclick. Posting to undo.

This shows the IQ level of your average radical

[Viol8]

So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.

Re:This shows the IQ level of your average radical

[elucido]

So while they're certainly dangerous they're not the world toppling danger they're made out to be. Far more dangerous are the corrupt governments around the world with proper armies, proper weapons and very smart intelligence people.

Not necessarily. A cipher is not going to last forever. The cipher in the case of the terrorist would just have to be secure long enough to complete the operation. When the operation is complete the cipher could be cracked and it would not make a difference.

So if the message is the day and time of the attack, the message only has to be secure until that day. If it's sent a week in advance then it only has to be secure for a week. There are many ciphers out there which would require more than a week to crack.

Re:This shows the IQ level of your average radical

[Viol8]

Well quite clearly it wasn't just for the day.

Irony

[MikeRT]

They'd rather use a cipher created by ancient pagans than one created by a nominally Christian culture (Christianity being allegedly a protected, semi-respected religion under Sharia).

Ironic given the role of Arabs in history of crypt

[langelgjm]

Yeah, one day in undergrad I decided I wanted to make my own polyalphabetic substitution cipher, so I sat down and basically reinvented the Vignere cipher (actually the Gronsfeld cipher, which is identical except that the key is numeric. Also FWIW I was not in a technical major).

This story is made ironic by the fact that the Arabs were responsible for many historic advances in the history of pre-modern cryptography.

There is no cure for stupidity....

[macson_g]

There is no cure for stupidity....

Re:Maths from Islam

[quarrel]

Doh. Login fail :(

--Q

Re:Maths from Islam

[east+coast]

Zero predates Islam and Christianity.

Re:Invented by Jews.

[rhook]

We should rename encryption "bacon", then they'd never use it.

Re:Invented by Jews.

[omglolbah]

Mmmm, bacon!

Re:Maths from Islam

[MichaelSmith]

Yes, in fact it was right there at the beginning...

Re:Some old ciphers can be pretty secure, but...

[MichaelSmith]

If your message is easily confused with noise then it might be fairly safe.

Infinite regress

[Kupfernigk]

So how do you encrypt your "common source" message. Ooops...

In John Le Carré's A Perfect Spy the Soviet agent gives his British mole recruit a copy of Grimmelshausen's Simplicissimus before he even recruits him. This becomes a limitation because sigint eventually reveals that the communication with the mole has to be based on a single one time cipher. (Le Carré is in a position to know about this stuff.)

Thank God

[ledow]

Thank God most terrorists / criminals are this dumb. Otherwise we'd probably all be dead.

If you *want* to talk secretly, describing messages that will end up with you in jail if they are discovered, use something a bit better than a schoolboy cipher. Seriously, I was doing better than that when I was 11/12 and programming.

When I have idle moments, I try to "counter-think" terrorists in order to see what I would do if I were one. Almost all of the things I come up with are less risk, more impact, cheaper and easier than the things that are reported in the news. Thankfully, it seems that terrorists, on average, consist mainly of dumb people who can't do that.

It's like the criminals who break into banks and don't covre their faces. Catching them is actually less fun than letting them do the crime and seeing how they try to get away with it.

Re:Thank God

[osu-neko]

Thank God most terrorists / criminals are this dumb. Otherwise we'd probably all be dead.

Unlikely. I know it's impolitic to say so, but if all terrorists were 100% successful in all their plans, a lot more people would die, but the odds you would be one of them would be vanishingly small, and it would not make a significant dent in the world population. I tend to worry about things like car accidents, street crime, and slipping on a wet surface in the bathroom: just three of the many things that kill several orders of magnitude more people every year than terrorism.

Just goes to show...

[ZDRuX]

This just goes to show how the whole Patriot Act has nothing to do with catching terrorists. They can barely communicate effectively, most of them just set their underwear on fire, and the rest live in far off lands, yet the nanny state is always local, ever present, and ever watchful... give me a break!

Re:Just goes to show...

[Tokolosh]

It goes to show that an open society, tolerant of diversity and dissent, will always be superior to a closed society (in the long run). Unfortunately, the powers-that-be in the USA are working to move us from the former to the latter.

Excel for Terrorists?

[richie2000]

I always thought the Excel menu option "terrorist cell" was a bit suspect.

Kaffir != non believers.

[140Mandak262Jamuna]

Infidels are the non believers, usually restricted to the Jews and Christians because they are the people of the Book, but they just don't accept Mohammad. Kaffirs are more like pagans, heathens, idolators. Then there are najis, the dirty. Then there are apostates. The ranking is muslim > infidels > kaffirs > najis > apostates.

Re:Kaffir != non believers.

[140Mandak262Jamuna]

First principle in any war is "know thy enemy". One must understand the terminology they use and try to understand their world view. That does not mean we agree with them. Often times most effective counterattacks would come from talking their language and their imagery.

One of my pet peeves, for example. Saudi Arabia does not permit women to drive. Saudi Arabian government has a deficit and it has external debt. Yes it is true. It is so incomprehensible. The oil wealth of Saudi Arabia does not belong to the people of Saudi Arabia. It is considered to be personal wealth of King Saud, and his descendants, about 5000 sheiks and their families. All the rest get some kind of government dole, but pittance compared to what the sheiks are raking in. They have imported some 500,000 drivers from India, Pakistan, Bangladesh and Phillipines (that is in addition to 1.5 million domestic servants).

You can talk till you are hoarse about why women should be allowed to drive their cars, based on principles of equality, or economic implications. You will not make any progress. You cant reach them. They would shut you out.

But, if you knew that Mohammad has ordered all Muslim women to be able to ride horses and camels, you could argue that not allowing women to drive cars contradicts the Hadith, so it is un Islamic. Not that you are going to win. They will come back some argument or another. But they won't be able to shut you out. You will enable a few women there to make similar argument, and who knows, ten years from now, they might relax it a little bit and allow women to drive their sick children to hospitals.

Re:Kaffir != non believers.

[jfengel]

Minor correction: "najis" is a singular term, not a plural, so you should say "is najis". Actually, that's not quite true; you can say "najis are...", since it's really singular and plural. But in particular, it is NOT the plural of "naji", which is a common and honorable name.

Somebody becomes najis by coming into contact with an unclean thing, such as a pig or alcohol, or a person who is najis.

Re:Kaffir != non believers.

[osu-neko]

Somebody becomes najis by coming into contact with an unclean thing, such as a pig or alcohol, or a person who is najis.

Does that only count for the faithful, or do infidels (like Christians) or kafirs (like myself) become najis if we eat bacon and drink alcohol, even though we lack any proscription against it within our own faiths? I've heard that, although muslims don't approve of it per se, they're at least "okay" with knowing we're doing it, even doing it in their own country, as long as we're not blatantly doing it in front of them.

Re:Kaffir != non believers.

[jfengel]

The body of the kafir is itself najis, just because of the state of non-belief, so the kafir is not further defiled by touching najis.

But the kafir can be dealt with, especially the People of the Book (Jews and Christians). It's distasteful, and you may have to purify yourself afterwards. You don't have to destroy it, any more than you have to destroy urine or blood. You just avoid touching it, and purify yourself when you do.

Muslims in a state of najis are expected to know better, and can be shunned or admonished, so that he may go and be purified without further corrupting others.

Chuck Norris had this story

[wiredog]

a couple of days ago.

Re:Invented by Jews.

[SpiralSpirit]

obviously you don't understand jews. We'd still us it, we'd just feel guilty. Our mothers would bring it up everytime we saw them.

Re:Invented by Jews.

[SpiralSpirit]

*use

Why are we laughing at this?

[140Mandak262Jamuna]

If we were really smart we would all agree that the encryption method used by Rajib was super sophisticated and it was due some lucky break and a happenstance it was broken. Publicly proving their cryptography is a joke and thus humiliating them would make the switch to PGP or something. It takes a wise man to let his enemies underestimate his mental powers.

Ha Ha You almost got me

[GoodBuddy]

I didn't think about this being April Fools Day until I browsed to /..

And we are supposed to believe that these...

[John+Hasler]

...bumblers are so dangerous that we must give up our liberty in order to be safe from them?

Re:And we are supposed to believe that these...

[circletimessquare]

the only thing as dangerous as false alarmism is a false sense of complacency. i'm not sure why you believe a bunch of religious nuts determined to kill you isn't a problem, just because they are low iq. that they are morons changes HOW you worry about them, yes, but it doesn't mean you stop worrying about them. a horde of low iq idiots committed to mass murder is still a problem

Re:And we are supposed to believe that these...

[circletimessquare]

this is an interesting example of someone who confuses analogy and reality

Re:Invented by Jews.

[PRMan]

OK, this was funny. But I think he was saying that Muslim terrorists wouldn't use it if it were called Bacon.

They also discarded a voice scrambling system

[Doghouse+Riley]

when it was realized that "Igpay Atinlay" might be incompatible with the Muslim prohibition of pork.

Ob. 3D XKCD

[DarthVain]

http://xkcd.com/538/

One of my favorite ones...

Gitmo and Gnomeland Security you can thank for the drugs and wrenches...

Extreme-missed...

[MaxNomad68]

We've had the Shoe Bomber. The Underwear Bomber. And now the Alphabet Soup Bomber.

If this level of genius keeps surfacing I think they'll crack the mysteries of Invisible Ink any day now!

Re:Maths from Islam

[Tokolosh]

If zero predates christianity, then why isn't there a year zero? We go straight from 1 BC to 1 AD!

not really "encryption"

[v1]

That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?

Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.

I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiveness of say, 5 x rot13? ;)

Re:not really "encryption"

[lgw]

That and you can't really even call it "encryption". This is a "substitution cipher" isn't it? So it's "encipherment", not "encryption"?

Encrypted messages rely on a translation that is relative to character position in the message, such that the substitution of a given letter at one position is usually not the same as the substitution for that same letter at any other position.

Not true: AES will encrypt the same block the same way every time with the same key. AES is typically used in such a way that it produces the results you describe, but the block encyption is still "encryption", whether used sensibly or not.

Re:not really "encryption"

[fuzzyfuzzyfungus]

I read in the article that someone said they employed "five levels of encryption". I wonder how that compares with the effectiveness of say, 5 x rot13?

I strongly suspect that the cops being quoted were judging level of super-double-ultra-security-ness with roughly the same enthusiasm for self-aggrandizement generally shown in such situations. Unless the public would be immediately capable of recognizing the perp as being a candidate for 'America's Funniest Home Videos: The Blooper Reels', they are typically accorded the status of 'terrifying criminal mastermind that yours truly managed to bring to justice; but might need more expansive powers to stop in the future, cough cough'...

Re:not really "encryption"

[v1]

block, yes. character, no. AES in that mode is also referred to as a "block cipher" for that exact reason.

Stream mode is a much better idea for security, but can fail to be decoded if part of the transmission is lost or corrupted. Block ciphers usually only lose the damaged blocks and a block on each end of the damage.

Re:not really "encryption"

[JTsyo]

Hmm I wonder how much longer it takes to break five layers of Caesar cipher than just one. Guessing a ratio of 1.

Re:not really "encryption"

[Vintermann]

Any serious user of AES, or any block cipher, is going to use cipher block chaining or a similar technique. Just encrypting each block separately is called "electronic code book" mode and is vulnerable to replay attacks.

Re:not really "encryption"

[budgenator]

I've used some pretty sophisticated cyphers in my career, and they always boil down to how badly you want to keep your information private compared to how badly the other guys want your information, and that is moderated by how long your private information needs to be private. Having said that a single character substitution cypher is fine for a word or two,but for much more frequency analysis is going to bite your ass. Using double characters allows you to add multiple code groups per character based on frequency and even for word spaces, so now that would be good for sentences or even paragraphs. Triple character code groups allow you to add common words as well as characters so you can increase traffic quite a bit before frequency analysis bites you.
Now here's one thing to keep in mind, using cyphers and encryption only draws attention to your communications, and sometimes who you are talking to is as important or more so than what your saying.

Re:not really "encryption"

[lgw]

You're not using these words in the way that everyone else is. "Block Cipher" is not a "mode",: to quote the Wikipedia article you were too lazy to click on: "In cryptography, modes of operation enable the repeated and secure use of a block cipher under a single key".

A character-by-character substitution cyphyer is just a block cipher with a block size of one character. A playfair cipher has a block size of two characters, etc.

Re:not really "encryption"

[lgw]

But regardles of mode, use of AES is still called "encryption", was my point. The person I was replying to was confused about the terms. ECB and other modes are described in the link I provided.

Re:Actual text of encrypted message - try to crack

[TheGratefulNet]

or if you're french, "pffft!"

additionally, you define apostate

[circletimessquare]

as another muslim who believes in a slightly modified version of islam. and that same muslim believes you to be an apostate as well. add some "my religion makes it praiseworthy to kill apostates" and you have a nice recipe for centuries of genocide. isn't religion grand?

Re:additionally, you define apostate

[osu-neko]

as another muslim who believes in a slightly modified version of islam. and that same muslim believes you to be an apostate as well. add some "my religion makes it praiseworthy to kill apostates" and you have a nice recipe for centuries of genocide. isn't religion grand?

Yeah, makes you really appreciate non-religious types like Stalin who understood how much better it is to kill millions for other reasons.

Humanity is "grand". Religion is guilty of nothing more than being around to be used an excuse for doing what you wanted to do anyway. Take religion away, and human history would be just as bloody, we'd just cite different reasons for our genocidal ways. Indeed, given the number of religiously motivated pacifists, conscientious objectors, and so on in the world, it's a hard case to make that history would be less bloody without religion rather than more.

Re:additionally, you define apostate

[circletimessquare]

awesome: "there's no need to stand against the things that make people justify their atrocities because people suck"

thanks for not believing in progress, asshole

Neither are safe from your gov

[elucido]

If you have a secret and they can't break the code, they'll torture you until you break.

Definition

[Meneguzzi]

What gives me solace regarding the danger posed by extremists (religious or otherwise) is that almost by definition these people are not terribly smart. If you induce yourself to believe some fairy tale about the afterlife, to the point that you are willing to kill people, you cannot be that rational. Of course the government needs to be watching out for these people (since they are dangerous), but I do not believe it takes all the powers that have been given to the government to keep track and arrest these loonies.

Re:Definition

[stdarg]

If you induce yourself to believe some fairy tale about the afterlife, to the point that you are willing to kill people, you cannot be that rational.

The dangers are organizations like al Qaida, the Taliban, al Shabaab, etc. They have to be fairly rational to remain organized. You may see their motivations and ultimate goals as irrational but that has nothing to do with their plans and methods. I mean the summary says an al Qaida leader was urging him to use AES, but he's probably still a religious extremist.

Of course the government needs to be watching out for these people (since they are dangerous), but I do not believe it takes all the powers that have been given to the government to keep track and arrest these loonies.

When you start tracking certain groups of people then you get accused of profiling.

Re:Definition

[Meneguzzi]

Profiling is only wrong (or at very least politically incorrect) if you do it on the basis of attributes over which the profiled people have no obvious control, like ethnicity and nationality. Law enforcement agencies have a long history of psychological profiling (which is, arguably, also not under somebody's control) that has been accepted by most people as effective, though I myself have no knowledge to ascertain that indeed is effective.

The problem isn't how secure the cipher is

[elucido]

I think in most case any cipher which prevents the adversary from cracking it within the same day is secure enough.
It's a matter of time, not a matter of how secure the cipher is.

If your cipher is uncrackable, or too secure, then the adversary will be guaranteed to torture you when you get captured.
If the cipher is crackable, but takes weeks, months, or years, this might actually be better for your physical security than the unbreakable code.

Basically the more secure the cipher, the greater the probability that you'll be tortured.

Re:The problem isn't how secure the cipher is

[AvitarX]

Only if it is innocent information stored. I suspect anything incriminating found is used as an excuse to torture and find out what was said in person.

Many places allow torture to prevent an immenent attack, emails planning an attack would definitely be the type of thing that could be used as evidence of the pending attack.

Re:The problem isn't how secure the cipher is

[elucido]

Only if it is innocent information stored. I suspect anything incriminating found is used as an excuse to torture and find out what was said in person.

Many places allow torture to prevent an immenent attack, emails planning an attack would definitely be the type of thing that could be used as evidence of the pending attack.

Many places? Every place, including the USA. Torture is commonly used on suspected terrorists.

Encryption wont protect you from the fucking torture, but it will protect your message to be delivered along with your dead tortured body to your grave.

But this is also why the US government tortures

[elucido]

The excuse being that they have to break the terrorists because they can't break the code in time to stop the attacks.

Their decrypted message:

[lullabud]

"Be sure to drink your Ovaltine"

symmetric encryption is secure

[elucido]

generally if it's symmetric it's going to be much harder to crack and there are many different ciphers that are very hard or very time consuming to crack. AES is just one of many.

The problem isn't the cipher. If you use AES then you'll be taken to Gitmo or some blacksite and tortured for the rest of your life until you give up the code. Or they'll take you to a psych ward, drug you, torture you, until you go insane and give up every secret.

This could take weeks, months, years or decades, they have trained psychologists, doctors, and professional torturers who enjoy testing new drugs and techniques.

So it's entirely pointless to try to keep secrets from the feds. The point is to keep secrets from Mallory.

Re:symmetric encryption is secure

[JTsyo]

Seems your message should be easy to decrypt for a false message with a second layer for the true message.

Re:symmetric encryption is secure

[elucido]

Which would result in you getting tortured for the rest of your life until you tell them what they want to hear, which is that you are a terrorist and that the more scary message is the real one.

Only if they are prepared to commit suicide

[elucido]

Because if they use a one time pad, and get captured, they will be tortured.

Torture is how the one time pad is broken. You drug them, psychologically destroy them, eventually they'll want the pain to stop and they'll give up the key if they have it.

Precisely

[elucido]

Because if terrorists had a reliable key distribution network, they'd already be an army, not a loosely organized criminal band with minimal transportation infrastructure? One time pads are only as good as your distribution system. And the moment you run out of key bits and reuse them, your system is broken.

But even if they had a key distribution, they'd have no way to protect the keys and no way to protect the brains that know the keys.

Basically the weakness of the one time pad is the physical security of the brains that remember them, and the physical security of the keys. Because physical security is something the US government has a monopoly on, no terrorist group, gang, or mafia is going to be safe using any encryption cipher and that includes one time pads. The terrorists will be tortured brutally, psychologically and physically, one by one, until they break and give up the keys. The base which stores all the keys will be raided, the computer which generates the keys will be stolen, the fact that it's very difficult to create massive numbers of truly random numbers means that more than likely it will be pseudo-random and if the number generator is stolen so are all the keys.

The one time pad is the most secure cipher on paper, in an academic setting, where there are laws, and rules. In war the one time pad does not work unless one has an army of sophistication and skill as the adversary, which means the one time pad is only useful for governments. It's not a cipher which would be useful for terrorists, gang members, etc.

Re:Precisely

[Pence128]

It's absolutely trivial to generate lots of random numbers:
Tune a radio between stations.
Plug it into your sound card.
Hit record.
Wait a few hours.
????
Gigabytes of randomness.

Even more evidence...

[golgotha007]

..that these people are still living in the stone age.

Re:Religious Extremist.......

[anyGould]

If you are a decent person you are on the good path to salvation. And being an asshole.... What did you guys expect? There, fixed that for ya.

(Really, never understood the logic behind "you're a wonderful person, but because you don't believe in $DIETY I must assume your afterlife will be unpleasant". Makes me wonder if "Hell" is really a beach-front resort, filled with all the nice non-Christians...)

Re:Maths from Islam

[osu-neko]

If zero predates christianity, then why isn't there a year zero? We go straight from 1 BC to 1 AD!

Bizarrely, when people number things they're counting, they usually number the first item "one", the second item "two", etc. Take five apples and put them in a box, remembering the order you put them in. Now, point to the first apple. Point to the fifth apple. And now, point to apple zero. What do you mean there's no apple zero? Uh huh...

Re:Kaffirs know about AES so it must be less secur

[matrim99]

Cubits.

Modern crypto was designed by imperialists

[Nicolas+MONNET]

... that's why he chose a Cæsar cipher instead.

Re:Modern crypto was designed by imperialists

[Dr.+Gamera]

Exactly, since Julius Caesar was never crowned emperor.

Job Freedom

[__aanhjr1420]

> Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program[...]

I don't think a guy with a job description of "blow yourself up" cares what HQ thinks.

Re:ROT 13 - Rotational 13

[Sulphur]

Regarding the ROT 13 story, this was not an active subvert developed by MIA to "confuse, dismay and throw into disarray,” the Islamic Militia who were subjected to food supply control based forced Christian conversion last year by the Red Cross. Please treat this story as true as of this moment. Thank you for your time ...

Missing In Action?

--

No Spin version of ROT13 used.

Re:Einstein? You want to know about EINSTEIN?? Ok!

[Kagura]

Take a step back and realize you're stalking some dude on the internet. Ignore his posts from now on, he won't even KNOW if you read them or not!

Re:Religious Extremist.......

[Alex+Belits]

No, it's the other way around. Believing that the only goal of your life is to please and praise some guy called "The Lord" at any cost, means that you are a horrible person regardless of who "The Lord" is, and if he exists in the first place.

Re:Religious Extremist.......

[anyGould]

No, it's the other way around. Believing that the only goal of your life is to please and praise some guy called "The Lord" at any cost, means that you are a horrible person regardless of who "The Lord" is, and if he exists in the first place.

Let's be fair - there are plenty of very nice people who just happen to believe in $DIETY. I don't think there's a correlation at all between belief and "goodness". The difference (if there is one) is that some people need that belief that someone is watching them, and some don't.

Re:Invented by Jews.

[sorak]

obviously you don't understand jews. We'd still us it

You'd try to haggle with it?

Re:Religious Extremist.......

[Alex+Belits]

That does not make either of them less dangerous.

Just imagine that someone involved with nuclear weapons had a hallucination of "The Lord" asking him to play Abraham/Isaac shit on few millions of people.

Old Truism

[Nom+du+Keyboard]

The old truism is that anybody can make a code that they can't break themselves.

One is also left to wonder if the old equipment that terrorists use had left him subjected to the dreaded Pentium FDIV bug? Or did he use it as a feature?

Re:Invented by Jews.

[rhook]

Woosh!