Password complexity in the 1940s

Over the last couple of weeks I’ve been fortunate enough to have two demonstrations of Enigma machines. For those who are not familiar with these marvelous mechanical computers, they were used to encrypt communications, most notably by German forces during World War 2.

The first of the demonstrations was at Milton Keynes Geek Night, where PJ Evans (@MrPJEvans) gave an entertaining talk on the original Milton Keynes Geeks.

Then, earlier this week, I was at Bletchley Park for Node4’s Policing First event, which wrapped up with an Enigma demonstration from Phil Simons.

The two sessions were very different in their delivery. PJ’s used Raspberry Pi and web-based emulators, along with slides and a demonstration with a ball of wool. Phil was able to show us an actual Enigma machine. What struck me, though, was the weakness that ultimately led to Bletchley Park cracking wartime German encryption codes: it wasn’t the encryption itself, but the way human operators used it.

Downfall

The Enigma machine was originally invented for encrypted communications in the financial services sector. By the time the German military was using it in World War 2, the encryption was very strong.

Despite having just 26 characters, each one was encoded as an electrical signal which passed through three rotors from a set of five, changed daily, with different start positions and incrementing on each use, plus a plug board of ten electrical circuits that further increased the complexity.

There’s a good description of how the Enigma machine works on Brilliant. To cut a long story short, an Enigma machine can be set up in 158,962,555,217,826,360,000 ways. Brute force attacks are just not credible, especially when the setup changes every day and each military network has a different encryption setup.

But there were humans involved:

  • Code books were needed so that the sending and receiving stations set their machines up identically each day.
  • Young soldiers on the front line took short-cuts, like re-using rotor start positions. They would spell out things like BER, PAR (for their home city, where they were stationed, girlfriend’s name, etc.).
  • Some networks issued guidance that all 26 letters needed to be used for a rotor start position each 26 days. This had the unintended consequence that the desire for perceived variety made the letter being used predictable. It actually reduced the combinations, as it couldn’t be one of the ones used in the previous 26 days.
  • Then there was the flaw that an Enigma machine’s algorithm was designed to take one letter and output another. Input of A would never result in output of A, for example.
  • And there were common phrases to look for in the messages to test possible encryption combinations – like WETTERBERICHT (weather report).

All of these clues helped the code-breakers at Bletchley Park narrow down the combinations. That gave them the head start they needed to try to brute force the encryption on a message.
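The narrowing-down described above, as an added example that is not part of the original post: it reproduces the setup count, uses the "no letter encrypts to itself" flaw to rule out positions for the WETTERBERICHT crib, then checks a short list of guessable start positions. It assumes the historical Enigma I wirings for rotors I to III and reflector B, ring settings fixed at A, and a known daily key (rotor order and plugboard); the message, plugboard pairs and guess list are constructed for illustration.

```python
import string
from math import factorial

A = string.ascii_uppercase
# Historical Enigma I rotor wirings with their turnover letters, and reflector B.
ROTORS = {"I": ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
          "II": ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
          "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V")}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def keyspace():
    """Settings for 3 of 5 rotors, 26^3 start positions and 10 plugboard cables."""
    rotor_orders = 5 * 4 * 3
    plugboard = factorial(26) // (factorial(6) * factorial(10) * 2 ** 10)
    return rotor_orders * 26 ** 3 * plugboard


def encrypt(text, start, order=("I", "II", "III"), plugs=()):
    """Encrypt (or decrypt: the machine is reciprocal) with ring settings at A."""
    plug = {c: c for c in A}
    for a, b in plugs:
        plug[a], plug[b] = b, a
    wiring = [ROTORS[r][0] for r in order]            # left, middle, right
    notch = [A.index(ROTORS[r][1]) for r in order]
    pos = [A.index(c) for c in start]
    out = []
    for ch in text:
        if pos[1] == notch[1]:                        # middle rotor double-step
            pos[0], pos[1] = (pos[0] + 1) % 26, (pos[1] + 1) % 26
        elif pos[2] == notch[2]:
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26                    # right rotor steps on every key
        c = A.index(plug[ch])
        for i in (2, 1, 0):                           # through the rotors, right to left
            c = (A.index(wiring[i][(c + pos[i]) % 26]) - pos[i]) % 26
        c = A.index(REFLECTOR_B[c])                   # reflector pairs letters, no fixed point
        for i in (0, 1, 2):                           # back through the rotors, inverted
            c = (wiring[i].index(A[(c + pos[i]) % 26]) - pos[i]) % 26
        out.append(plug[A[c]])
    return "".join(out)


def crib_offsets(ciphertext, crib):
    """Offsets where the crib can sit: a letter never encrypts to itself."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(c != p for c, p in zip(ciphertext[i:], crib))]


def matching_starts(ciphertext, crib, offset, candidates, **daily_key):
    """Start positions from `candidates` that decrypt to the crib at `offset`."""
    return [s for s in candidates
            if encrypt(ciphertext, s, **daily_key)[offset:offset + len(crib)] == crib]


# Constructed sample: message, plugboard pairs and guess list are made up.
CRIB = "WETTERBERICHT"
PLUGS = ("AV", "BS", "CG", "DL", "FU", "HZ", "IN", "KM", "OW", "RX")
MESSAGE = "ANXALLEXWETTERBERICHTXFUERXDIEXNACHT"
CIPHERTEXT = encrypt(MESSAGE, "BER", plugs=PLUGS)    # operator picked a lazy start
GUESSES = ["AAA", "PAR", "BER", "HAM"]               # guessable three-letter starts

if __name__ == "__main__":
    print(f"{keyspace():,} possible settings")
    offsets = crib_offsets(CIPHERTEXT, CRIB)
    print("crib fits at", offsets, "of", len(CIPHERTEXT) - len(CRIB) + 1, "offsets")
    for off in offsets:
        print(off, matching_starts(CIPHERTEXT, CRIB, off, GUESSES, plugs=PLUGS))
```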

Why is this relevant today?

By now, you’re probably thinking “that’s a great history lesson Mark, but why is it relevant today?”

Well, we have the same issues in modern IT security. We rely on people following policies and processes. And people look for shortcuts.

Take password complexity as an example. The UK National Cyber Security Centre (NCSC) specifically advises against enforcing password complexity requirements. Users will work around the requirements with predictable outcomes, and that actually reduces security. Just like with the “use all 26 letters in 26 days” guidance I cited in my Enigma history lesson above.

And yet, only last month, I was advising a client whose CIO peers maintain that password complexity should be part of the approach.

One more thing… the Germans tried to crack Allied encryption too. They gave up after a while because it was difficult – they assumed if they couldn’t crack ours then we couldn’t crack theirs. But, whilst German command was distributed, the Allies set up what we would now call a “centre of excellence” in Bletchley Park. And that helped to bring together some of our greatest minds, along with several thousand support staff!

Postscript

After I started to write this post, I was multitasking on a Teams call. I should have concentrated on just one thing. Instead, I went to open a DocuSign link from the company HR department and fell foul of a phishing simulation exercise. I’m normally pretty good at spotting these things but this time I was distracted. As a result, I clicked the (potentially credible) link without checking it. If you want an illustration of how fallible humans are, that’s one right there!

Featured image: author’s own.

Weeknote 20/2020: back to work

This content is 4 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Looking back on another week of tech exploits during the COVID-19 coronavirus chaos…

The end of my furlough

The week started off with exam study, working towards Microsoft exam AZ-300 (as mentioned last week). That was somewhat derailed when I was asked to return to work from Wednesday, ending my Furlough Leave at very short notice. With 2.5 days lost from my study plan, it shouldn’t have been a surprise that I ended my working week with a late-night exam failure (though it was still a disappointment).

Returning to work is positive though – whilst being paid to stay at home may seem ideal to some, it didn’t work so well for me. I wanted to make sure I made good use of my time, catching up on personal development activities that I’d normally struggle to fit in. But I was also acutely aware that there were things I could be doing to support colleagues but which I wasn’t allowed to. And, ultimately, I’m really glad to be employed during this period of economic uncertainty.

Smart cities

It looks like one of my main activities for the next few weeks will be working on a Data Strategy for a combined authority, so I spent Tuesday afternoon trying to think about some of the challenges that an organisation with responsibility for transportation and economic growth across a region might face. That led me to some great resources on smart cities including these:

  • There are some inspirational initiatives featured in this video from The Economist:
  • Finally (and if you only have a few minutes to spare), this short video from Vinci Energies provides an overview of what smart cities are really about:

Remote workshop delivery

I also had my first experience of taking part in a series of workshops delivered using Microsoft Teams. Teams is a tool that I use extensively, but normally for internal meetings and ad-hoc calls with clients, not for delivering consulting engagements.

Whilst they would undoubtedly have been easier performed face-to-face, that’s just not possible in the current climate, so the adaptation was necessary.

The rules are the same, whatever the format – preparation is key. Understand what you’re looking to get out of the session and be ready with content to drive the conversation if it’s not quite headed where you need it to.

Editing/deleting posts in Microsoft Teams private channels

On the subject of Microsoft Teams, I was confused earlier this week when I couldn’t edit one of my own posts in a private channel. Thanks to some advice from Steve Goodman (@SteveGoodman), I found that the ability to delete and/or edit messages is set separately on a private channel (normal channels inherit from the team).

The Microsoft Office app

Thanks to Alun Rogers (@AlunRogers), I discovered the Microsoft Office app this week. It’s a great companion to Office 365 (or , searching across all apps, similar to Delve but in an app rather than in-browser. The Microsoft Office app is available for download from the Microsoft Store.

Azure Network Watcher

And, whilst on the subject of nuggets of usefulness in the Microsoft stable…

A little piece of history

I found an old map book on my shelf this week: a Halford’s Pocket Touring Atlas of Great Britain and Ireland, priced at sixpence. I love poring over maps – they provide a fascinating insight into the development of the landscape and the built environment.

That’s all for now

Those are just a few highlights (and a lowlight) from the week – there’s much more on my Twitter feed.

Bill Gates’ last day at Microsoft

This content is 16 years old.

So, after a 2 year transition, today is the day that Bill Gates steps down from his full-time job at Microsoft (although he will remain Microsoft’s chairman and will be involved in select projects based on direction from CEO Steve Ballmer and the rest of Microsoft’s leadership team).

[Image: The original founders of Microsoft]

I commented on Gates’ departure a couple of years back and more recently wrote about Mary-Jo Foley’s concept of Microsoft 2.0.

It’s 33 years since Microsoft was formed and 30 years since the famous photo with most of the founding employees was taken in Albuquerque. 30 years is a long time in IT.

[Image: The remaining Microsoft founders, shortly before Bill Gates' retirement]

Come to think of it, 30 years is most of my life (I’m 36) and I was interested to read about how the famous photo had been recreated for 2008.

Meanwhile, Stephen Levy has written an article for Newsweek entitled “Microsoft After Gates. (And Bill After Microsoft.)”.

There’s a Microsoft video looking back at Gates’ life – and forward to the future but I prefer the version from the 2008 CES keynote:

Some people love to hate Microsoft. Some people can’t stand other people being successful – and it’s difficult to deny that Gates has been successful. For 14 years now, I’ve followed a career in IT, during which I’ve worked largely with Microsoft products, so I’d like to say “thank you and good luck” to the world’s most famous geek as he does what all of the world’s richest people should do at some stage in their life and changes his focus to work with helping those who are less fortunate.

Belated birthday wishes to Microsoft Windows

This content is 17 years old.

It’s my first day back at work after the Christmas holidays and I’m catching up on my administration. Whilst working through a pile of unread IT news I realised that late last year, in amongst all of the Windows Vista launch news and comment, I missed Windows’ 21st birthday. Whilst I don’t intend to turn this blog into a history of personal computing, I’ve previously noted significant anniversaries (35 years of the Internet, 30 years of Microsoft, 30 years of Apple, 15 years of the world wide web and 25 years of the IBM PC) and as Microsoft Windows has had such a huge impact on my computing life it seems that this is another birthday that should not pass un-announced. For those who are interested to read why this is so significant, Martin Veitch wrote an interesting article about Windows’ 21 eventful years in IT Week recently.

The IBM PC – 25 years old today

This content is 18 years old.

After reporting on the 15th anniversary of the world wide web earlier this week, there’s another important milestone in computing history to highlight today – the 25th birthday of the original IBM PC – the 5150.

IBM PC

Whilst the 5150 was not the first personal computer, the use of components that were available to other manufacturers led to the development of IBM-compatible PCs and today’s PCs and PC servers are direct descendants of the original IBM PC, albeit much more powerful than the 4.77MHz Intel 8088 with between 16 and 640KB of RAM.

Amstrad PPC640

I didn’t get my first IBM-compatible PC until 1988 when my parents bought me an Amstrad PPC640 portable computer (it’s still in my loft at home) with an NEC V30 8MHz processor, 640KB of RAM, a full-size 102-key keyboard, two 720KB 3.5″ floppy disk drives and a 2400 baud modem (which my secondary school let some of my friends and me use for short periods of time to access bulletin boards). It was best described as “luggable” but, paired with the Citizen 120D dot matrix printer (that I also still have at home), it was more than adequate for word processing and saw me through my first year at Uni’ until I used all my childhood savings to buy an Intel 80386-based PC clone with a 1MB graphics card, MS-DOS 5.0, and Windows 3.0.

Fast forward 15 years and you can pick up a PC for just a couple of hundred pounds – or, if you’ve got a few thousand to spend then it’s possible to specify some very high specification PC servers! Earlier this week I was specifying some servers for a virtualisation solution that I’m working on. Each of these servers is an HP DL585 with 4 dual-core 2.6GHz AMD Opteron 64-bit CPUs, 32GB of RAM and has a fibre-channel connection to an HP Modular Storage Array with many terabytes of data storage. How mighty oaks from little acorns grow.

Happy birthday to the world wide web

This content is 18 years old.

A couple of years ago, I wrote a post highlighting the 35th anniversary of the Internet. Today it’s the turn of the world wide web – for which Tim Berners-Lee (now Sir Tim Berners-Lee) posted a message on the alt.hypertext newsgroup encouraging people to try out the concept on 6th August 1991.

At that time, I was studying for my BSc in Computer Studies and this is just one example of how irrelevant that degree was (I’m still struggling to think of anything learned in my studies that has been useful in the subsequent 12 years that I’ve been working in IT). Although there was some object oriented programming in Modula-2 (along with some C/C++) we were still learning COBOL. Up and coming operating systems (e.g. OS/2 and Windows NT) were ignored in favour of Unix and the low level language I used was 68000 assembler (not 8086). In my final year of studies (1993-1994) I did at least have the opportunity to study distributed computing but there was no mention of such concepts as hypertext in my classes. Perhaps all of this is a little harsh as it would have been difficult back then to foresee the effect that the world wide web has had on our lives.

It was not until 1995 that I first used a graphical web browser and was introduced to the delights of Yahoo! and Altavista. My first online service was a CompuServe account and later I migrated to dial-up Internet access before finally getting a broadband connection in 2002. Today, in common with many others, I rely on the world wide web for an increasing number of services – at home and at work.

Read more about the creation of the web.

Happy birthday Apple

This content is 18 years old.

Last year, I wrote about Microsoft’s 30th anniversary – this time round it’s Apple.

Until recently just a niche player in the personal computer marketplace, the company founded in 1976 by Steve Jobs and Steve Wozniak (Woz) is doing better now than ever – and that’s nothing to do with the Macintosh PC line but with the company’s allegedly monopolistic online music sales tactics. According to Associated Press, Jobs is the “marketing whiz” behind the company (his return to the CEO spot a few years back certainly marked a turning point in the company’s fortunes) and Wozniak the “engineering genius” (I’ve heard Woz on TWiT – he sure loves his technology). Time will tell where Apple’s business model goes as a result of current court action but if Microsoft’s anything to go by, it won’t make too much difference.

Apple products are different – different because they look good. Why can’t all PCs look as good as a Mac Mini or a Power Mac? I’m one of the people who would pay a premium for a Macintosh – I really fancy a Mac Mini (if I can hook it up to a standard TV as my 32″ Sony Trinitron will probably outlive any affordable flat panel that I could buy today) and I reckon it might pass the wife approval factor (WAF) test for a position in the living room (my “black loud crap” has long since been confined to my den). I’m also a heathen because I would (at least try to) run Windows XP Media Center Edition and SUSE Linux on it… let’s just hope the current rumours of Windows running on a Mac turn out to be true!

Apple might not have achieved mass market domination in the PC world, but they sure have things sorted (at least for now) with digital media. Happy birthday Apple.

Happy Birthday Microsoft

This content is 18 years old.

Microsoft turns 30 today. We tend to associate Information Technology (IT) with a rapidly expanding market of young start-up companies but whilst it is nothing compared to the global giants IBM, Hewlett-Packard (HP) and Fujitsu, 30 years is significant.

Microsoft has become ubiquitous – largely through its Windows operating system and Office productivity suite, but recently (and somewhat worryingly for someone who makes a living architecting solutions based on Microsoft technology), Microsoft has been drifting and MSFT stock prices (which were once rising at astronomical levels, splitting nine times between the company’s IPO in 1986 and 2003) have been virtually static in recent years leading to a number of reports suggesting that the company has lost its way. Maybe it was because Bill Gates stepped down as CEO, maybe it was just the sheer size of the giant, which employs almost 60,000 staff in 100 countries and had annual revenues of $39.75bn in 2004/5 (up 8% on 2003/4), generating profits of $12.25bn (up 50%).

On the surface, these figures look great – 8% growth and 50% increase in profits. But a look at the figures for the last 10 years shows that growth has slowed from 49% in 1995/6.

The trouble is that Microsoft has been losing ground to young upstarts like Google (mission: “to organize the world’s information and make it universally accessible and useful”). Let’s face it, it was Microsoft that was the young upstart when Bill Gates and Paul Allen persuaded IBM to make MS-DOS the operating system for the first PC in 1981 (ousting CP/M). After being slow to embrace the Internet and a series of legal wrangles (some justified, others not), Microsoft was also late to embrace search technologies, whereas the current industry darling dominates with 36.5% of the web search market.

It didn’t help that for a period between 1995 and 2001, the flagship product (Windows) was split between the (unreliable and insecure) Windows 95, 98 and ME product line and the expensive business version, Windows NT (later Windows 2000). Since Microsoft finally converged the two product lines with the launch of Windows XP (which is still based on the Windows NT kernel) there has been a push towards delivery of a trustworthy computing platform, and despite its critics, I think Microsoft generally does pretty well there. If you have the largest market share you will get attacked by malware writers – that means Microsoft for PC operating systems and Nokia for mobile handsets!

The trouble is that since Windows 2000 and XP sorted out the security issues, operating system upgrades have been a little dull, with limited innovation. It doesn’t help that any bundling of middleware seems to result in a lengthy courtroom battle but without innovation, there is no reason for consumers to upgrade, and in the business market, where IT is a business tool (not the business itself), IT Managers are under pressure to reduce costs through standardisation. That often means standing still for as long as possible.

I really hope that Windows Vista/Longhorn and Office 12 are not the death of Microsoft. Microsoft’s mission is “enabling people and businesses to realize their full potential” and this week, in an attempt to realise its own potential, a massive re-organisation was announced, with the aim of making the giant more dynamic (and hence able to respond to the industry – let’s face it, Microsoft has never been the innovator but it is very good at marketing other people’s ideas and making them work – even MS-DOS was licensed from Seattle Computer Products). Maybe the new organisation will help the timely delivery of products but it’s amazing how the rising fortunes of the Mozilla Foundation’s Firefox browser have focused Microsoft on delivering a new version of Internet Explorer (after years of poor standards compliance) with very few new features and how the desktop search functionality provided by Google (and others) has focused Microsoft’s attention in this space (even if the current MSN Search strategy appears to be failing). Maybe increased competition in the operating system market (come on Apple, give us OS X for the PC – not just Intel-based Macs, which are really just Apple PCs and could also run Windows…) in the shape of the major Linux distributions (Red Hat and Novell SuSE) or free UNIX distributions like the x86 version of Sun Solaris will focus the giant on delivering great new features for Windows.

Microsoft was built on a dream of “a computer on every desk and in every home”. Despite all of the negative publicity that Microsoft tends to attract, it seems to me that (at least in the “developed” world) this dream has largely been realised. Let’s see what the next 30 years brings.

Find out what the moon is made of using Google maps

This content is 19 years old.

Today is the 36th anniversary of the Apollo 11 moon landings (thought by some to be a hoax, and by others to be a fantastic scientific achievement on the part of mankind). To celebrate this, Google has added some NASA imaging to Google Maps and if you zoom in really close, you can really see what the moon is made of! The Google Moon FAQ has more details of Google’s plans for expanding Internet search features beyond the boundaries of planet earth!

Reminiscing about my first computers

This content is 19 years old.

Alex’s post about his first home computer got me reminiscing about mine – a Sinclair ZX Spectrum+. Then I remembered having an emulator for one a few years ago but couldn’t find it anywhere until I stumbled across World of Spectrum, which features Spectrum emulators for a variety of platforms along with a stack of games and other resources. I downloaded SPIN, which seems great, and a few games that I haven’t seen for years like Manic Miner, Horace Goes Skiing and Jet Set Willy (unfortunately the copyright owners have denied distribution for my old favourite – JetPac). There are other emulators around on the ‘net (e.g. Speculator), but SPIN was free and seems pretty good to me.

I know exactly what Alex meant when he talked about playing on his Texas Instruments TI99/4A emulator “Whilst grinning like an idiot. And chuckling. Out loud. On my own”.

There are also emulators for the Spectrum which run on Windows CE and Symbian Series 60, so I could soon be having 1980s fun on my mobile devices too!

The Spectrum+ wasn’t my first computer though. We had Acorn/BBC Bs, a Commodore PET, Sinclair ZX81s and ZX Spectrums at my middle school and then I did most of my GCSE/A Level stuff (and early hacking) on Research Machines Nimbus PCs (the only PCs I’ve ever come across that used the Intel 80186 CPU rather than the 8086 or 80286 of the time).

As for my first laptop – I still have an Amstrad PPC 640 in the attic!

Oh, those were the days…