Some Enigmatic Points About IT Security

By Peter Coffee  |  Posted 2006-09-18 Print this article Print

World War II cryptography offers many modern-day tech lessons.

The cracking of the German Enigma cryptosystem has inspired a host of books, including and sometimes combining both history and fiction. Its a compelling tale for technical professionals because that World War II effort required a combination of both brilliant people and breakthroughs in computational hardware.

After seeing this past summer the Michael Apted movie "Enigma"—made in 2001 from Robert Harris 1995 book of the same name—I wondered how careful the moviemakers had been in depicting the Allies massive and complex bombe machines. These were room-filling electromechanical systems that automated much of the brute-force attack against the space of possible Enigma settings.

I found, as part of an entry in the often-controversial Wikipedia, a picture of a bombe that looked astonishingly like the ones Id seen in the movie. The photo even had the same bright colors—rather remarkable, given that color photographs were uncommon in the 1940s. On further digging, I discovered that this was actually a photo of a cardboard mock-up of a bombe—and not just any mock-up, but a piece of the scenery built for "Enigma" that had been donated to the Bletchley Park museum. No wonder it looked like the one in the movie. It was the one in the movie.

From this point in my story, I could go in almost as many directions as an Enigma machine has settings. The first voyage that comes to my mind is to sail the Internets seas of unchecked data, where a chain of not-quite-rightness can seem to anchor a badly flawed conclusion. The next time I see a story about employers using Google searches for cheap background checks on prospective new hires, Ill think of the time that I almost used a photo of a fake to confirm that fakes own correctness.

This is not to say that Wikipedia, as a whole, is inaccurate or sloppy. It took only one additional click, after noting the crucial phrase "mock-up" in that Wikipedia photo caption, to get me to the photos fully annotated provenance. Yes, I had to look for it, but at least it was there. Providers of all sorts of critical data, even within a single enterprise, could learn from this example—and be equally forthcoming about the sources and the quality of the data that they offer to users.

Enterprises aspiring to that standard of care can evaluate products like Designate, from Mathsoft Engineering & Education, for tracking provenance through the math parts of their decisions. CommandAware, a decision support product from PortBlue, offers similar capability for after-the-fact understanding of who took which actions based on what information.

Code on the Internet battlefield needs protection against reverse engineering. Click here to read more. Another quite-different path that I could take, also inspired by my Enigma research, is to tour the crucial errors that were made by Enigmas users—without which even the bombe breakthrough would have been inadequate. What the bombe required, in addition to time, was a likely guess as to what some portion of an encrypted message might be saying. Careless patterns of repetition, including the German navys standardized message formats, would not have made Enigma vulnerable to unaided humans—but were fatal in the face of powerful hardware.

Any modern IT security apparatus has the same potential to be brought down, not by any intrinsic flaw in how it works, but by predictable behaviors of users.

The third and perhaps most interesting path that Id like to point out is the one that led to the final success, early this month, of a 10-year effort to rebuild a working bombe—not a cardboard piece of movie scenery—by a team of more than 60 volunteers. They spent more than two years merely finding and sorting the needed blueprints.

For IT security people, the message is this: Never underestimate how hard people will work to figure out something that they really want to know.

For IT operations people, the rather different message is this: Dont put yourself into a position where dozens of people will need 10 years to reconstruct how you did something—especially if youd like to do it again.

Peter Coffee can be reached at Check out eWEEK.coms for the latest news, reviews and analysis on IT management from
Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel