An IT worker from British Airways jailed for 30 years for terrorism offences used encryption techniques that pre-date the birth of Jesus. Rajib Karim, 31, from Newcastle, was found guilty of attempting to use his job at BA to plot a terrorist attack at the behest of Yemen-based radical cleric Anwar al-Awlaki, a leader of al- …
Rule #1 of encryption, randomness, steganography, copy-protection or a million and one other related areas:
Just because you *think* it's better than a published algorithm reviewed by thousands of experts, doesn't mean it *IS* better.
Rule #2: Never "make up" your own encryption, random number generator, steganographic technique, copy protection etc. - it'll never work and if you *ARE* an expert, you'll know that you'll need to have people attacking it for decades before you declare it "secure enough". Even using the published ones "with a twist" or a new from-scratch implementation will compromise your encryption most of the time.
Rule #3: Don't trust in God when 2048-bit, peer-reviewed, PKE exists and has *never* been "cracked", even when terrorists used it and we needed access to the information contained within for anti-terrorist purposes. Seriously. There's never been a case where "real" encryption that wasn't hideously out-of-date was used and some random three-letter agency managed to decrypt it. There's a reason for that - that's what it was DESIGNED for.
Thank you so much for being so enthusiastic about helping terrorists to hide their secrets. If only they had YOU as their IT guy, all those infidels would have been dead by now. :)
Oh, they tried
"Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim also rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it must be less secure"."
If they had had employed methods that the infidels are used to they might well have gotten away with it. But, with the typical 'wisdom' shown by hard-core beleivers they came up with a huge fail.
There is a highly technical solution but the twats though they were better.
What are you talking about? All encryption methods can be broken within 60 seconds. I have seen it on TV: the movie Swordfish, the show "24", so it must be true. :P
"This is Jack Bauer. I had to shoot the suspect. I am at his terminal of doom, but it requires a password."
"Ok, let's see what we can do." Clickety-clickety-click ... (60 seconds of ADVERTISING) "Jack, we got the password."
"Give it to me."
Although I would point out that, just because a particular type/strength of encryption hasn't been anounced to be cracked, doesn't mean that it's not crackable by GCHQ/NSA. It may be a routine crack, it may be very non-trivial but doable. They are very unlikely to announce they can crack particular cyphers.
Bear in mind that we now know that GCHQ operated PKE for years before it was "invented" by messers Rivest, shamir and Adleman.
History is full of cases where three-letter agencies or their equivalents have worked out how to crack what were believed to be state of the art encryption schemes. There's a reason for that too - that's their job. If they're doing it properly the first we'll know about it is when the documents are eventually declassified.
My money would be on it still taking them months to do, so for your average porn hiding requirements (which 99% of El Reg readers will be needing it for I bet) they probably wouldn't bother :D
Don't sweat it
They would never read The Register aways, it's run by infidels.
Normally it suffices to just brute force the password encrypting the real cypher, rather than actually crack the encryption.
GCHQ / NSA etc
I think it's reasonable to assume that these big orgs have the resources to invest in a distributed system that cracks files, large databases that host reverse hash lookups of every password of some arbitrary length, song lyrics, every book passages, religious verse, movie quotes, phrases, sayings and idioms and numerous other languages with appropriate transliteration. It's even likely they know of weaknesses in crypto that reduce the effort to brute force attack encryption reducing the number of rounds it takes.
What isn't likely is that there is some magic backdoor in the crypto. AES and its ilk has been analysed for years. The user's choice of passphrase is likely to be far more vulnerable than the algorithm. Therefore anticipate what the attackers are likely to be capable of and make the passphrase stronger than that.
Of course GCHQ / NSA aren't brute forcing random messages. They're probably eavesdropping on particular sites, and email providers, and cell phones and so forth. They probably have a fair idea that something is up and who the perps are simply from monitoring messages passing between certain people even if the content of said message is unknown. I bet this maroon was a suspect way before they got around to cracking his messages. Therefore it would be as important to communicate in a way which didn't arouse suspicion as much as it would the manner in which it was done.
Sure, here's title.
That's why I wouldn't touch Rijndael for anything I would ever want to hide from NSA et al. They've chosen it for AES ergo they might have some hidden reasons for it (like availability of cracking method).
Re Rule #1
Simply XOR the data with a secret key as long as the data and it's uncrackable, very old technology, the only weak point is keeping the secret key secret (and transporting it), don't reuse the key and there's no technical weakness in this encryption.
Re Re Rule #1
A secret, *perfectly random* key as long as the data.
The title is required, and must contain letters and/or digits.
I thought it was run by Lesbians...
@Re Re Rule #1
Yes; it's called a one-time pad, and it's the only form of encryption believed to be truly unbreakable, as long as the key is truly random and isn't left around somewhere where it can be found, and is never reused.
Now I have to change my password.
That most of the basic maths used in modern encryption were discovered in the Arab world.
Please clarify which Campbell
"Lunchbox" Campbell or
"Beneath the City Streets" Campbell?
The latter would be an excellent addition to Register correspondents!
(rot13 to reveal the message:)
Silly terrorist is silly
Hello Mr Terrorist,
We kaffirs all know about encryption so if you want my advice you should use lemon juice as invisible ink.
When your mate warms the paper in an oven it will show up your secret message. You should definitely do this because no one else uses it so it's more secure.
P.S. We also know about explosives so next time, use water bombs because we won't be expecting that and we'll be very afraid.
That is all.
allah be praised...
...they didn't have an cracker jack secret decoder ring or we'd have been completely screwed
i suppose its one step up from ROT13 though...
If the terrorists are using Microsoft products they're just making things harder on themselves.
Can we trick them into using Word and PowerPoint?
Word and Powerpoint - there's no way I could stumble upon any hidden code in them - they don't exist on my machine.
and why do you think they're so angry at the west?
No better denial of bomb planning tools exist today...
They should have used double ROT13 encryption
As 5 layers of substitution cypher is as strong as one layer...
Re: Wrong algorithm
No, they need to be even MORE secure and use ROT26! Thus, NObody will be able to figure out their secret messages!
@Re: Wrong algorithm
As long as they don't speak Arabic.
Maybe Bletchley Park
should sell them an app that simulates the Enigma machine. Then we can put a remade Colossus or Turing bomb to good use again. ;-)
You really have to laugh at their stupidity. I new how to decrypt single letter replacement schemes as a kid (10 or 12 y/o).
If you REALLY want to be secure, use a (sufficiently random) one time pad. This is provably uncrackable. Truly random bits can be obtained can be obtained in many ways (including the use of various quantum devices, and radioactivity (no bad Fukushima jokes please)).
It's bombe, not bomb
A balm? What are you giving him a balm for? It might bite him.
A bomb, for you...
Who told you to put the balm on?
I wouldn't be too sure that 2048 <whatever> hasn't been cracked, either. Most of the secret agencies in the world might crack it routinely, but they wold never let on, lest their enemies stop using it.
It's actually sad.
I wonder whether that kind of research can be found in the Qaeda fanzine. I remember something about mounting swords on 4x4 trucks, Persian-style, so it wouldn't be surprising.
Ppfmfp ppmffm mfmmmmfppmpm fmpmfpmppffm'fpmmpp pmpmffpmfpmfmppmpm FmpMppMfp fmmmppmmfpffmppfmp mmfppfmpmmpp fmpmfpmpp mmpmmmfmmfmpmmmpffmpmfmm
They'll know better.
Yup, expect "blank" wax tablets being posted around the world.
Or, if they're really crafty, they'll draw pictures of dancing men.
Pictures of dancing men
It was good enough for Captain Nancy
@Yup, expect "blank" wax tablets being posted around the world. →
My dear Holmes!
There's an encryption package called Mujhaddin Secrets?
How does it compare to PGP or whatevers used on Wikileaks insurance file?
Well I'm not googling that one. I don't fancy any more involvement with Cheltenham than my E/W on Denman.
There's an encryption package called Mujhaddin Secrets?
That's just to fool you. It's actually a Halal perfume.
Welcome to the idiot machine
Honestly, this is how I like my jihadist terrorists. I'd rather do without them entirely, mind, but if, then IT bods that insist on rot-N fit the bill nicely. This is NOT how I like the prosecution. Not even if they were prosecuting me*. Why do they insist on matching both sides on equal stupidity? Is this what's supposed to protect us? Hello?
More proof that the security circus is a waste of time and money and a fertile source of injustice. And no, not strictly because most "holy warriors" turn out to be, shall we say, a bit warped.
* I admit to no more untoward thing than general commentarding and occasional calling for firing and blackballing of egregiously incompetent shmucks from jobs that involve the public trust, guv.
Surely a substitution cipher is just obfuscation rather than encryption ?
2048 bit PKE isn't 'real' encryption, it is only a 'good' cypher. Real encryption is OTP.
BA should be ashamed of themselves
Imagine hiring this idiot as an IT specialist.
- Breaking news: Google exec in terrifying SKY PLUNGE DRAMA
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Google chief Larry Page gives Sundar Pichai keys to the kingdom
- Adobe spies on readers: EVERY DRM page turn leaked to base over SSL