Some Enigmatic Points About IT Security
The cracking of the German Enigma cryptosystem has inspired a host of books, including and sometimes combining both history and fiction. Its a compelling tale for technical professionals because that World War II effort required a combination of both brilliant people and breakthroughs in computational hardware.
After seeing this past summer the Michael Apted movie "Enigma"made in 2001 from Robert Harris 1995 book of the same nameI wondered how careful the moviemakers had been in depicting the Allies massive and complex bombe machines. These were room-filling electromechanical systems that automated much of the brute-force attack against the space of possible Enigma settings.
I found, as part of an entry in the often-controversial Wikipedia, a picture of a bombe that looked astonishingly like the ones Id seen in the movie. The photo even had the same bright colorsrather remarkable, given that color photographs were uncommon in the 1940s. On further digging, I discovered that this was actually a photo of a cardboard mock-up of a bombeand not just any mock-up, but a piece of the scenery built for "Enigma" that had been donated to the Bletchley Park museum. No wonder it looked like the one in the movie. It was the one in the movie.
From this point in my story, I could go in almost as many directions as an Enigma machine has settings. The first voyage that comes to my mind is to sail the Internets seas of unchecked data, where a chain of not-quite-rightness can seem to anchor a badly flawed conclusion. The next time I see a story about employers using Google searches for cheap background checks on prospective new hires, Ill think of the time that I almost used a photo of a fake to confirm that fakes own correctness.
This is not to say that Wikipedia, as a whole, is inaccurate or sloppy. It took only one additional click, after noting the crucial phrase "mock-up" in that Wikipedia photo caption, to get me to the photos fully annotated provenance. Yes, I had to look for it, but at least it was there.
Providers of all sorts of critical data, even within a single enterprise, could learn from this exampleand be equally forthcoming about the sources and the quality of the data that they offer to users.
Enterprises aspiring to that standard of care can evaluate products like Designate, from Mathsoft Engineering & Education, for tracking provenance through the math parts of their decisions. CommandAware, a decision support product from PortBlue, offers similar capability for after-the-fact understanding of who took which actions based on what information.
Another quite-different path that I could take, also inspired by my Enigma research, is to tour the crucial errors that were made by Enigmas userswithout which even the bombe breakthrough would have been inadequate. What the bombe required, in addition to time, was a likely guess as to what some portion of an encrypted message might be saying. Careless patterns of repetition, including the German navys standardized message formats, would not have made Enigma vulnerable to unaided humansbut were fatal in the face of powerful hardware.
Any modern IT security apparatus has the same potential to be brought down, not by any intrinsic flaw in how it works, but by predictable behaviors of users.
The third and perhaps most interesting path that Id like to point out is the one that led to the final success, early this month, of a 10-year effort to rebuild a working bombenot a cardboard piece of movie sceneryby a team of more than 60 volunteers. They spent more than two years merely finding and sorting the needed blueprints.
For IT security people, the message is this: Never underestimate how hard people will work to figure out something that they really want to know.
For IT operations people, the rather different message is this: Dont put yourself into a position where dozens of people will need 10 years to reconstruct how you did somethingespecially if youd like to do it again.
Peter Coffee can be reached at email@example.com.
Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.