Enigma - The Battle for the Code
by Hugh Sebag-Montefiore


Every schoolboy knows the story - how the legendary maths wiz Alan Turing and his eccentric team of Times crossword experts cracked the German Enigma code and won the Second World War.


Actually it wasn't like that at all.

That's not to belittle the amazing work done by the cryptanalysts at Britain's Bletchley Park, but the full story as it unfolds under the expert pen of Hugh Sebag-Montefiore is even more incredible than the myth.

And it holds serious lessons for all involved in system administration and computer security. For the real story is about how a very secure system of encoding was broken not by mathematical genius, but by much more subtle methods.

The problem for the analysts was not to break the code - enough messages in a given code can eventually be broken. The problem was to break them fast enough for the contents of the messages to be acted on, and it was how this was achieved that was the -real- genius of the Enigma code breakers.

In order to speed up the breaking of the code they needed what they called a 'crib'. A crib was a guessed piece of plain text message which matched up to a stretch of cipher text. How did they guess the plain text message? Therein lies the genius. The cipher was produced by a machine, but the message itself, and the decisions about how the message was to be enciphered, were made by people. And people, even the most conscientious of them, make mistakes and drop into routines.

So to crack the code, they looked at what -people- were doing, and seized on all the mistakes that those people made.

In many ways the story told in this book is the story of how the users of the code screwed up their security by making mistakes. Sounds like a familiar story of everyday computer hackers, doesn't it?

The mistakes made by the Germans included such gross errors as allowing submarines bound to lay mines in British inshore waters to go to sea with an Enigma machine and a full set of code books. Then there were the occasions when they re-transmitted messages already sent in a previously broken, less secure code. They also sent messages (for instance weather reports) in the same plain text format over a long period of time. And sometimes they started the messages with the same piece of plain text - for example 'To: Admiral Commanding XYZ'.

At one stage there was extra randomness inserted by having the operator pick a random set of letters from a table. Once the cryptanalysts had obtained a copy of the tables used (and that's another story), they did a statistical analysis of the picked groups and discovered that operators tended to use a fairly small sub-set of the table. Basically the operators tended to pick groups of letters from near the top of the middle columns of the middle pages of the tables!

But the parallels with modern day hacking go even further - the British Admiralty was so careless in its use of the information that on a number of occasions the Germans - especially Admiral Karl Doenitz, head of the German U-boat force - suspected that the codes had been compromised. Unfortunately for Doenitz, German security experts were totally convinced that the code was uncrackable. So every time he raised the issue they produced technical explanations of how it was impossible to crack the code, rather than analysing whether the code had, in fact, been compromised! Now where have I heard that one before?

This book is not just a thundering good yarn by someone who knows how to research and write a good story, but it is also a salutary object lesson in how bad operating procedures and the failure to take account of real people's ways of working are more than enough to compromise even the best security systems.

A must read for sysadmins and computer security buffs!

'Enigma - The Battle for the Code' by Hugh Sebag-Montefiore, published by Phoenix, ISBN 0 75381 130 8.

Alan Lenton
2 June 2002

