Security: Yesterday, Today & Tomorrow: ACCU Conference at Bletchley Park, November 7th 2009

ACCU (http://accu.org/) is "an organisation of programmers who care about professionalism in programming and are dedicated to raising the standard of programming". Bletchley Park (http://www.bletchleypark.org.uk/) was the wartime home of the British Code and Cipher school, where the Axis' Enigma military codes were broken.

The conference was organised by ACCU as a benefit for Bletchley Park, which, despite being one of the most important sites both in the history of computing and the Second World War, is continually starved of funds and struggles to remain open and intact.

Bletchley Park is well worth a visit even when there's no special event on, but this conference was exceptional. I've been to three conferences in the last few weeks (they all came at once this year), and they were fairly different from each other - FOWA (http://phase.org/blog/31336) was a big conference that mixed business and tech, Stack Overflow a slightly smaller one that was purely programming with tasters of various languages and systems, and this one was, for me, a bit of a wildcard. The focus was on security and cryptography, neither of which is a particular area of expertise for me, although they're definitely interests. I'm also somewhat fascinated by the history of the Second World War, and of Bletchley Park and Enigma in particular.

So, I didn't particularly know what to expect, except that some big names would be speaking on topics that should be interesting; and that it would benefit Bletchley. Oh, and that it meant getting up early on a Saturday to get to Bletchley by 9:30.

When I got there, it was a distinctly chilly autumn morning, but bright sun meant that the park and Mansion looked stunning. The mansion, if you've never seen it, is a unique building; it's not even the same as itself, in that no two parts of it seem to share the same architectural style:



I managed to grab a quick coffee and Danish before Tony Sale started his talk. Tony is, quite deservedly, something of a legend at Bletchley; not only did he help start the National Museum of Computing and the Bletchley Park Trust, he's also an authority on Enigma and led the rebuilding of Colossus (the world's first electronic computer) from absurdly little evidence.

He's also, I discovered, an excellent presenter. His energy and passion while explaining 'How the Germans gave away their "unbreakable" codes' by human error was incredible, and not only is he an expert on the Enigma machines and Lorenz SZ encrypted teletype system, but he can also present that material in a way that's simultaneously easy to understand, technically complete and entertaining. His resounding cry of "DURRRRRR" when describing a particularly foolish operator error is something I'll remember fondly for a long time. The talk was obviously widely enjoyed and led to one of the most heartfelt rounds of applause I've heard at a technical presentation.

Video of Tony talking on some of these subjects, and a mass of information on Colossus, Enigma and the Lorenz system can be found on Tony's site at http://www.codesandciphers.org.uk/

After Q&A from Tony, and coffees, we were given a guided tour of the National Museum of Computing, featuring the Lorenz intercept and decoding station, the replica Colossus 2, and some (marginally) more modern exhibits such as the WITCH computer, early mainframes and desktops. It was great to see the Colossus actually running and explained by Tony. We also got an explanation of the replica Bombe - all elements visible on the standard public tours at Bletchley Park, but given today at a more involved and technical level for a much more technical audience.

Colossus:



The Bombe:




After that, lunch (a mass of buffet sandwiches, hardly Cordon Bleu but pretty edible) and then Phil Zimmermann.

Phil, of course, is the creator of Pretty Good Privacy, a project based on public key cryptography that sought (as Phil put it) to give political groups such as the American peace movement, and similar groups worldwide, the privacy to operate without government surveillance and interference.

For his pains, and his attempts to export this cryptographic system (classified as a munition) worldwide, he spent years under federal investigation. While he still seems to feel he did the right thing, his new project takes a very different angle.

PGP, as Phil puts it, was "a reaction to government attitudes to cryptography that were born, in part, at Bletchley Park"; that is that cryptographic security and research had to be the preserve of governments and military, tightly controlled and under the utmost security.

Phil's new project is ZRTP, a secure but open-source telephony protocol which he classifies not as a political project to protect citizens from overzealous governments, but as a necessary technological project to protect all of us - including governments and the military - from global organised crime. He cites the increasing risk of interception of voice communications as they move off relatively secure PSTN networks onto inherently public IP networks, populated by packet sniffers and zombie desktops, and thereby open to interception by crime syndicates which may use the information for blackmail, insider trading or aggression. This technology is used, for example, by police in the south-west of the USA working against Mexican drug smugglers, who would otherwise have the capability to intercept these communications.

As well as ensuring an encrypted channel for voice communications, the ZRTP protocol has an impressive range of measures to prevent interception by man-in-the-middle attacks, which I didn't quite understand well enough to explain here...

Phil also had a very long Q&A session and a lot of technical detail, which I won't cover in much depth, but I'll drop in a few quotes (which I hope are accurate if slightly paraphrased - none of this was recorded, sadly) which give the tone:

"You can make a case that ... the harm from governments losing the ability to wiretap their citizens ... is much less than the harm that would result from criminals wiretapping us".

"Our protocol ... will affect organised crime more than governments ... as criminals tend to be more interested in the content of messages (for blackmail, interception etc) whereas governments tend to have to rely on traffic analysis against criminals using codes and codephrases".

In a response to a question on how his product differed from Skype: "Skype... won't release source code, or even say how their security works. How can I trust that?"

"The UK and China - the two greatest observation infrastructures in the world... How do you guys put up with it?"

After a fairly involved - but fascinating - discussion of key exchange, entropy and crime with Phil, we changed tone again with a talk from Simon Singh, starting with Stairway to Heaven - played backwards.

The first time you hear this extract, even if you're told there's a voice in it, you won't hear much. Then, when you're told what the message is (Simon ran this through a karaoke-style word highlighter), it's so clear you can't believe it's the same recording.

However, all this proves is just how far the human mind will go to find patterns and messages where none exist.

Then, an example of the importance of code security, in Mary Queen of Scots' intercepted plot to overthrow Elizabeth the First, easily decrypted even back in the 16th century, which led to her execution.

Simon's main talk was about the Cipher Challenge which featured in his book The Code Book, and how it was solved. This featured substitution ciphers and frequency analysis, book ciphers - and the importance of finding the right book, Enigma machines, and how to accidentally turn a triple-DES challenge into a single-DES one. The talk included a demo of Simon's very own original Enigma machine - which of course obeyed the universal law of demonstrations by refusing to encipher symmetrically. However, Phil Zimmermann was almost entranced by it, a reaction I can thoroughly relate to!
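Since the Cipher Challenge write-up above only names frequency analysis without showing it, here is an added example (my own, not Simon's code or anything from the challenge) of the technique on the simplest substitution cipher, a Caesar shift: count the ciphertext letters, compare the distribution against standard English letter frequencies with a chi-squared score, and pick the key that makes the result look most like English. The sample plaintext, the key of 7, and the `ENGLISH_FREQ` table are constructed for the demo; the ranked-letter helper shows the first step a solver would take against a general monoalphabetic substitution, where the key is a whole alphabet rather than one number.

```python
from collections import Counter
import string

# Approximate relative frequencies (percent) of letters in English prose;
# the standard figures used in frequency-analysis tutorials.
ENGLISH_FREQ = {
    'A': 8.17, 'B': 1.49, 'C': 2.78, 'D': 4.25, 'E': 12.70, 'F': 2.23,
    'G': 2.02, 'H': 6.09, 'I': 6.97, 'J': 0.15, 'K': 0.77, 'L': 4.03,
    'M': 2.41, 'N': 6.75, 'O': 7.51, 'P': 1.93, 'Q': 0.10, 'R': 5.99,
    'S': 6.33, 'T': 9.06, 'U': 2.76, 'V': 0.98, 'W': 2.36, 'X': 0.15,
    'Y': 1.97, 'Z': 0.07,
}

ALPHABET = string.ascii_uppercase


def only_letters(text):
    """Keep A-Z only, upper-cased; spaces and punctuation carry no key information."""
    return ''.join(c for c in text.upper() if c in ALPHABET)


def letter_counts(text):
    """Raw count of each letter in the text: the first step of frequency analysis."""
    return Counter(only_letters(text))


def ranked_letters(text):
    """Ciphertext letters ordered from most to least common. Against a general
    substitution cipher the solver's first guess pairs these with E T A O I N ..."""
    counts = letter_counts(text)
    return ''.join(c for c, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def chi_squared(text):
    """Distance between the text's letter distribution and English; lower is more
    English-like. Lets a program score candidate keys without a human reading them."""
    counts = letter_counts(text)
    total = sum(counts.values())
    score = 0.0
    for c in ALPHABET:
        expected = total * ENGLISH_FREQ[c] / 100.0
        score += (counts[c] - expected) ** 2 / expected
    return score


def shift(text, k):
    """Caesar shift by k positions (a substitution cipher whose key is one number).
    Negative k shifts back, so decryption is shift(ciphertext, -key)."""
    out = []
    for c in text.upper():
        if c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + k) % 26])
        else:
            out.append(c)
    return ''.join(out)


def break_caesar(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the most English-like result."""
    best = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best, shift(ciphertext, -best)


# Constructed sample plaintext and key for the demo (not from the page or the challenge).
SAMPLE_PLAINTEXT = (
    "BLETCHLEY PARK WAS THE WARTIME HOME OF THE CODE AND CIPHER SCHOOL WHERE "
    "THE ENIGMA TRAFFIC WAS READ EVERY DAY BY PEOPLE WHO LOOKED FOR OPERATOR "
    "ERRORS AND REPEATED SETTINGS IN THE MESSAGES THEY INTERCEPTED"
)
SAMPLE_KEY = 7
SAMPLE_CIPHERTEXT = shift(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("most common ciphertext letters:", ranked_letters(SAMPLE_CIPHERTEXT)[:6])
    key, plain = break_caesar(SAMPLE_CIPHERTEXT)
    print("recovered key:", key)
    print("plaintext:", plain)
```

With around 170 letters of ordinary English the correct key wins by a wide margin; the score only becomes ambiguous on very short messages, which is why the historical challenges also leaned on guessed words and the "right book" rather than statistics alone.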



Finally, back to the human ability to treat coincidence as revelation, courtesy of "The Bible Code", which claims that hundreds of prophecies are hidden within the Bible. But the Bible is a vast corpus of text, and once you give yourself loose enough rules, you can "find" messages all over it - and you can find remarkably similar messages in Moby Dick using the same rules.
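To make the "loose enough rules" point concrete, here is an added example (mine, not anything from Simon's talk) of the search the Bible Code uses, known as equidistant letter sequences: strip the text to letters, then look for a word whose letters sit at a fixed spacing. The sample paragraph is constructed, `plant` hides a word at a chosen spacing to show what a real hit looks like, and `expected_random_hits` gives the number of hits you would expect from pure chance in random letters, which is the check that separates a genuine message from the pattern-hunting the post describes.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def letters_only(text):
    """Strip everything but A-Z, as Bible-code searches do before looking for sequences."""
    return ''.join(c for c in text.upper() if c in ALPHABET)


def els_matches(text, word, max_skip):
    """Return every (start, skip) at which `word` appears as an equidistant letter
    sequence: letters at start, start+skip, start+2*skip, ... A skip of 1 is the
    word written plainly. Reverse-direction hits, which the published searches also
    allow, are the same search run on the reversed text."""
    letters = letters_only(text)
    target = word.upper()
    n, m = len(letters), len(target)
    hits = []
    for skip in range(1, max_skip + 1):
        span = (m - 1) * skip
        for start in range(max(0, n - span)):
            if all(letters[start + i * skip] == target[i] for i in range(m)):
                hits.append((start, skip))
    return hits


def expected_random_hits(n, m, max_skip):
    """Expected number of ELS hits for an m-letter word in n uniformly random letters,
    summed over skips 1..max_skip: each placement matches with probability 26**-m."""
    placements = sum(max(0, n - (m - 1) * skip) for skip in range(1, max_skip + 1))
    return placements / (26 ** m)


def plant(letters, word, start, skip):
    """Overwrite letters so that `word` appears as an ELS at (start, skip)."""
    chars = list(letters)
    for i, c in enumerate(word.upper()):
        chars[start + i * skip] = c
    return ''.join(chars)


# Constructed sample text (not a quotation from any source).
SAMPLE_TEXT = (
    "Bletchley Park was the wartime home of the code breakers. The park is now a "
    "museum and needs money to keep its huts standing. Visitors can see the rebuilt "
    "Colossus and the Bombe running on most open days."
)

if __name__ == "__main__":
    letters = letters_only(SAMPLE_TEXT)
    # Random letters of the same length, seeded so the run is repeatable.
    rng = random.Random(2009)
    noise = ''.join(rng.choice(ALPHABET) for _ in range(len(letters)))
    max_skip = 20
    for word in ["WAR", "SPY", "KEY", "BOMB"]:
        print(f"{word}: {len(els_matches(letters, word, max_skip))} hits in the text, "
              f"{len(els_matches(noise, word, max_skip))} in random letters, "
              f"{expected_random_hits(len(letters), len(word), max_skip):.2f} expected by chance")
    hidden = plant(letters, "ENIGMA", 5, 11)
    print("planted ENIGMA found at:", els_matches(hidden, "ENIGMA", max_skip))
```

Short words at generous skips turn up in any text at roughly the chance rate, which is the whole of the Moby Dick argument: a "prophecy" only means something if it appears far more often than `expected_random_hits` predicts, and the Bible Code never clears that bar once the freedom to choose the word, the spelling, the skip and the reading direction is counted.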

Simon's summary of a range of historical ciphers and code-breaking rounded the day off well, and was followed by a few words from Simon Greenish, Director of Bletchley Park. He recounted that, while Bletchley Park is one of the most important historical sites in the UK, at least in terms of technological and military history, it has existed on a shoestring. "It has often bumped along the bottom financially... and very nearly didn't make it on more than one occasion". Fortunately it's now in slightly less dire straits, but still needs more funds to do more than just survive - there are now vast amounts of repair and restoration to do, before fulfilling the plans that will make the site a truly outstanding museum.

Fortunately, the day raised around £7000 towards these efforts. It was an excellent day, and I'll be delighted to return if, as planned, it's repeated next year.
Posted by parsingphase, 2009-11-07 22:33
