The Code Book

Simon Singh’s The Code Book proves, once again, that he is a superlatively skilled writer on technical and scientific subjects. Thanks to his book, I now actually understand how Enigma worked and how it was broken: likewise, the Vigenere Cipher that has been built into this site for so long. This book manages to capture both major reasons for which cryptography is so fascinating: the technical aspects, centred around the ingenuity of the methods themselves, and the historical dramas connected, from the execution of Mary Queen of Scots to the use of ULTRA intelligence during the Second World War.

Anybody who has any interest in code-making or code-breaking should read this book, unless they already know so much about the subject as to make Singh’s clear and comprehensible explanations superfluous. Even then, it may arm them with valuable tools for explaining interesting concepts to the less well initiated.

At the end of the book is a series of ten ciphers for the reader to break. Originally, there was a £15,000 prize for the first person to crack the lot. Now, they exist for the amusement of amateur cryptologists. I doubt very much I will get through all ten, but I am giving it a try. The first ciphertext is on his website and is helpfully labeled ‘Simple Monoalphabetic Substitution Cipher.’ I expect to crack it quickly.

Continue readingThe Code Book

M’s PL, XII

(220), (210), (241), (310), (250)
(350), (380), (317), (271), (346)
(222+1), (212), (302), (258), (280)
(127), (100), (556), (452+1), (599)
(621), (633), (590), (392), (387)
(414), (423), (539), (572), (157)
(142), (128), (189), (529+2), (412)
(361+1), (351), (200), (229), (174)
(409), (440), (594), (532), (539)
(608), (259+1), (310), (271), (100)
(143), (98), (478), (530), (599)
(369+1), (343), (321), (370), (375)
(389), (413), (530), (58), (79)
(33), (87), (211+1), (251), (346)
(556), (608), (631), (640), (546)
(579), (549), (492), (481), (429)
(336), (387), (442+1), (219), (213)
(439), (450), (551), (632), (245)
(396+1), (589), (539), (418), (499)
(422), (460+2)

Hint: second Beale cipher.

Strengthening substitution ciphers

Fountain in Gatineau

The biggest problem with substitution ciphers (those that replace each letter with a particular other letter or symbol) is that they are vulnerable to frequency analysis. In any language, some letters are more common than others. By matching up the most common symbols with what you know the most common letters are, you can begin deciphering the message. Likewise, you can use rules like ‘a rare letter than almost always appears to the left of one specific more common letter is probably a Q.’ What is needed to strengthen such ciphers is a language in which words have no such ‘personality.’ Here is how to do it:

First, take all the short words (less than three letters) and assign them a random three digit code. Lengthening very short words further strengthens this approach because short words are the most vulnerable to frequency analysis; a single letter sitting with spaces on either side is probably ‘a’ or ‘i.’ Using three digit groups and 26 letters, you can assign 17,576 words. Now, take as many words from the whole language as you want to be able to use. For the sake of completeness, let’s use the entire Oxford English Dictionary. The 456,976 possible four letter groups more than suffice to cover every word in it, leaving some space for technical terms that we may want to encrypt but which might not be included. If we need even more possibilities, there are 11,881,376 five letter combinations.

This approach is cryptographically valuable for a number of reasons. Since the codes representing words have a random collection of letters, the letter frequency in a ‘translated’ message is also random. You no longer need to worry that some English letters are more common than others. Just as important, there are none of the ‘Q’ type rules by which to later attack the substitution cipher. The dictionary of equivalencies would not need to be secret; indeed, it should be widely available. Having the dictionary does not make encrypted messages more vulnerable, since they will have passed through a substitution cipher before being distributed and are fundamentally more robust to the cryptoanalysis of substitution ciphers than a message enciphered from standard English would be.

In the era of modern algorithms like AES, I doubt there is any need for the above system. Still, I wonder if there are any historical examples of this approach being used. If you have a computer to do the code-for-word and word-for-code substitutions, it would be quite a low effort mechanism to increase security.

Botnets

The rise of the botnet is an interesting feature of contemporary computing. Essentially, it is a network of compromised computers belonging to individuals and businesses, now in control of some other individual or group without the knowledge or permission of the former group. These networks are used to spread spam, defraud people, and otherwise exploit the internet system.

A combination of factors have contributed to the present situation. The first is how virtually all computers are now networked. Using a laptop on a plane is a disconcerting experience, because you just expect to be able to check the BBC headlines or access some notes you put online. The second is the relative insecurity of operating systems. Some seem to be more secure than others, namely Linux and Mac OS X, but that may be more because fewer people use them than because they are fundamentally more secure. In a population of 95% sheep, sheep diseases will spread a lot faster than diseases that affect the goats who are the other 5%. The last important factor is the degree to which both individuals and businesses are relatively unconcerned (and not particularly liable) when it comes to what their hijacked computers might be up to.

Botnets potentially affect international peace and security, as well. Witness the recent cyberattacks unleashed against Estonia. While some evidence suggests they were undertaken by the Russian government, it is very hard to know with certainty. The difficulty of defending against such attacks also reveals certain worrisome problems with the present internet architecture.

The FBI is apparently on the case now, though the task will be difficult, given the economics of information security.

A fax is not more secure than email

The way complex organizations assess technology and security is often very silly:

A: “Here is the signed document, as a PDF file that I scanned and emailed.”

B: “No good. We need a hard copy.”

A: “Well, I can mail one to you within about a week.”

B: “That’s far too long. Why don’t you just fax it?”

A boots laptop

A opens PDF file

A clicks ‘print,’ plugs laptop into telephone, sends the fax.

Result: a lower quality version of precisely the same thing is transferred, at greater expense.

Document metadata

It remains somewhat amazing to me that governments and major international institutions so frequently forget what it means to distribute documents in Word format. In particular, people are surprisingly ignorant of how Word tracks changes: making documents into a palimpsest of revisions, not all of which you want the outside world to see. You don’t want the comment about how pointless one of the ‘key items’ in your ‘corporate vision’ is making it into the file that gets passed to the New York Times. Even the early copy of the Summary for Policymakers of the 4th Assessment Report of the IPCC that I have includes a few notes about edits that still need to be done.

Hopefully, closed standards like Word documents will fall by the wayside during the next decade or so. It is insane to be distributing so much information in a proprietary format for no good reason (just one more manifestation of monopolistic dominance). Hopefully, whichever open document format eventually comes to be standard will have better means for assessing and controlling what information you are inadvertantly embedding in your press releases, reports, spreadsheets, etc. Until then, lax security is likely to keep offering some interesting glances into the drafting processes of such publicized documents.

PS. One other thing to remember is that the standard jpg images produced by Adobe Photoshop include thumbnail files that are not edited when you change the image. As such, a face blurred out of the large version may still be recognizable in the embedded thumbnail version. The same goes for areas that may have been cropped from the image entirely. I am sure Cat Schwartz isn’t the only person who has suffered public embarassment because of this. No doubt, many other pieces of software include such counter intuitive and potentially problematic behaviours.

A show of force in the Gulf

No matter how much one tries to focus on the non-security bits of international relations, anyone who reads the news and is concerned about the world will get exposed to it pretty regularly. Yesterday, for instance, nine American warships carrying 17,000 military personnel were sent into the Persian Gulf. Some speculate that this was intended as a corollary to an announcement from the International Atomic Energy Agency (IAEA) about Iran’s ongoing nuclear program. The strike group included two Nimitz carrier battle groups and 2,100 marines in landing ships. The ongoing war games will apparently “culminate in an amphibious landing exercise in Kuwait, just a few miles from Iran.”

According to the IAEA, Iran has about 1,300 centrifuges online at Natanz, with another 600 likely to become available over the summer. Having 3,000 operational centrifuges would produce enough weapons-grade uranium for one bomb per year.

The question of how to deal with challenges to the existing non-proliferation regime is an acute one. More and more states will gain the technical capacity to make bombs in the next few decades. Many will be in dangerous parts of the world, with hostile neighbours who can be plausibly expected to be building bombs of their own. Furthermore, the inability of the current regime to prevent the North Korean test raises the question of how much influence the international community really has, especially when some states are willing to become pariahs.

Millennium Development Goal 7

Church Walk sign

Prompted by my international law and developing world revision, I had another look at the eight Millennium Development Goals which were adopted by the 192 UN member states in 2000, and which are meant to be achieved by 2015. All eight are quite ambitious and represent worthy ambitions and intentions.

Some of the goals give themselves over easily to quantitative evaluation. For instance, reducing the maternal mortality ratio by three-quarters. While there are the ever-present concerns about data quality and the danger of people fudging their numbers, at least there is an empirically verifiable objective being targeted.

The environmental category (MDG7) has the general heading “Ensure environmental sustainability” and among the most vague provisions in the whole list:

  1. Integrate the principles of sustainable development into country policies and programmes; reverse loss of environmental resources.
  2. Reduce by half the proportion of people without sustainable access to safe drinking water.
  3. Achieve significant improvement in lives of at least 100 million slum dwellers, by 2020.

To begin with, ‘sustainable development’ is not as objective a concept as it is sometimes considered. If it requires a society that could continue to operate in its present form indefinitely, then no society that exists today meets the standard. Of course, the term ‘development’ contradicts the idea of stasis. So too does the inclusion of the term in the MDGs generally, since all of them would require large-scale changes in both domestic and foreign policies.

When it comes to sheer vagueness, “reverse loss of environmental resources” must take the cake. What are ‘environmental resources?’ And what would ‘reversing their loss’ involve? With a few exceptions, such as the breakdown and slow recovery of stratospheric ozone, it is not terribly clear what this could mean. Even in cases where the general thrust of the idea seems applicable, such as reforestation or the protection of coral reefs from damaging fishing practices and increasingly acidic oceans, it doesn’t provide much in the way of guidance, or much of a standard for achievement.

Access to water

The second goal, about access to water, is much more in keeping with the qualitative targets that the MDGs generally seek to establish. A map of the world showing who has poor access to water and another showing the incidence of deaths from cholera demonstrates just how unequal quality and availability of water around the world is. All the technology required to provide safe drinking water to everyone exists. The degree to which the present situation is the result of a lack of will makes it a very appropriate target for a high-profile initiative like the MDGs.

While I have never believed that water is a likely cause for large-scale wars (countries that can afford to fight large-scale wars can afford desalination plants, which are expensive but cheaper than wars), there is every reason to believe that water will become a more acute problem in coming decades. One minor example is how a sea level rise of about 100cm could essentially eliminate Malta’s major sources of fresh water. Expect bigger problems in places like India or Bangladesh.

The Economist printed a good Survey on Water back in 2003. Accessing it requires a subscription.

Slum dwellers

Slums were mentioned here quite recently. Improving the lives of 100 million slum dwellers is certainly a worthy aim. As many as 1.2 million people may live in just the Kibera slum in Nairobi. In sub-Saharran Africa, where more than 70% of the urban population already lives in slums, the rate is growing at 4.53% per year. Improving their lives probably requires two sets of approaches. One is based around providing basic needs, including water, health care, sanitation, lighting, security, and education. The other is based around reforming legal systems. Providing secure title to land, for instance, would likely reduce opportunities for bribery, provide access to credit, and generally reduce the level of insecurity in people’s lives. Actually implementing either set of approaches is an awfully tricky proposition, not least because of entrenched interests that value slums as a source of bribes from those who live there as well as a source of cheap labour for the city in which they are embedded. That being said, there are potentially huge improvements in human welfare to be achieved from success in this area.

All told, there seem to be a lot of reasons to be hopeful about the MDGs. They demonstrate, at least, that there is universal awareness within the international system about some of the most pressing problems of the present day. There is likewise at least some energy and initiative being committed to their resolution. The extent to which such efforts are successful will probably have a big impact on the kind of world in which we find ourselves in fifty years time: one in which most of humanity has reached a situation in which their basic needs are met and their basic rights are respected, or one that may be even more unequal and conflict-prone than the situation at present.