Skip to content


Easy BlueTooth Car Hack: “Press OK to Continue”

Looking at a brand new vehicle console interface for BlueTooth connections we found it prompted the user to select a device name, yet used a limited visual space. The prompt, right in front of the driver on the center console, asks (changed slightly to mask offending vehicle manufacturer):

Would you like to connect…

Then the device name gets inserted immediately after. This led to the natural question whether we could dictate behavior instead of asking the user to make a decision.

We changed a phone name to “Press OK to Continue” put phone into discovery/connect mode and waited in a parking lot. Soon after we had a rogue connection to a car, as a driver thought “Press OK to Continue” was a prompt, not the device name.

Posted in Security.


American Pro-Slavery History Markers

Charlotte, North Carolina, has a history marker that I noticed while walking on the street.

It is in need of major revision. Let me start at the end of the story first. A search online found a “NC Markers” program with an entry for L-56 CONFEDERATE NAVY YARD.

Closer to the end of the war…tools and machinery from the yard were moved from Charlotte to Lincolnton. Before the yard could be reassembled and activated in Lincolnton, the war ended. After the war the yard’s previous landowner, Colonel John Wilkes, repossessed the property, for which the Confederate government had never paid him. Where the Confederate Navy Yard once operated, he established Mecklenburg Iron Works. It operated from 1865 until 1875 when it burned.

Note the vague “the war ended” sentence. This supposedly historic account obscures the simple context of the Confederates losing the war. I find that extremely annoying.

To make the problem more clear, compare the above L-56 official account with the UNC Charlotte Special Collections version of the same history:

The exact date of the formation of the Mecklenburg Iron Works is unknown, as is ownership of the firm until its purchase in 1859 by Captain John Wilkes. There is evidence, though, that the firm existed as early as 1846. The son of Admiral Charles Wilkes, John was graduated first in his class at the U.S. Naval Academy in 1847. Following a stint in the U.S. Navy, Wilkes married and moved to Charlotte in 1854. Two years after he purchased the iron works, the Confederate government took it over and used it as a naval ordnance depot. After the Civil War, Wilkes regained possession of the Iron Works, which he operated until his death in 1908. His sons, J. Renwick and Frank, continued the business until 1950, when they sold it to C. M. Cox and his associates.

So many things to notice here:

  1. There was a Captain John Wilkes, not Colonel, although neither story says for which side he fought. An obituary lists him as U.S. Navy and says he was active during Civil War
  2. Captain John Wilkes was the son of infamous Union Navy Admiral Charles Wilkes, who was given a court-martial in 1864. Was John, son, fighting for the North with father, or South against him?
  3. There is evidence these Iron Works were established long before the Civil War. NC Markers says “as early as 1846″. The Charlotte library says Vesuvius Furnace, Tizrah Forge and Rehoboth Furnace were operating 35 years earlier, with a picture of the Mecklenburg Iron Works to illustrate 1810.(1)
  4. Wilkes was not just “yard’s previous landowner”, he ran an iron works two years before the Confederate government took possession of it. Did he lose it as he went to fight for the North, or did he give it to help fight for the South? Seems important to specify yet no one does. In any case the iron works was pre-established, used during Civil War and continued on afterwards

The bigger question of course is who cares that there is a Confederate Navy yard in Charlotte, North Carolina? Why was a sign created in 1954 to commemorate the pro-slavery military?

Taking a picture of the sign meant I could show it to an executive business woman I met in Charlotte, and I asked her why it was there. She told me “Democrats put up that sign for their national convention”. She gave this very strangely political answer about the Democrats in her very authoritative voice while being completely wrong. She ended with an explanation that there was no mention of slavery because (yelling at me and walking away) “CIVIL WAR WAS ABOUT TAXES, NOT SLAVERY. I KNOW MY HISTORY”.

I found this also very annoying. Apparently white educated elites in North Carolina somehow have come to believe Civil War was not about slavery. She was not the only one to say this.

What actually happened, I found with a little research, was the North Carolina Highway Historical Marker Program started in 1935. They put up the signs, with no mention of Democrats of political conventions, as you can tell from the link I gave at the start of this post.

Here is how the NC Markers program explains the official purpose of a CONFEDERATE NAVY YARD sign on the street:

For residents the presence of a state marker in their community can be a source of pride

Source of pride.

Honestly I do not see what they are talking about. What are people reading this sign meant to be proud of exactly? Is a failed attempt by pro-slavery military to create a Navy a proud moment? Confederate yards failed apparently because of huge shortages in raw materials and labor, which ultimately were because of failures in leadership. That is pride material?

What am I missing here?

The sign is dated as 1954. Why this date? It was the year the U.S. Supreme Court struck down “separate but equal” doctrine, opening the door for the civil rights movement. It was the year after Wilkes oldest surviving child died. Does a pro-slavery military commemoration sign somehow make more sense in 1954 (city thumbing nose at Supreme Court or maybe left in will of Wilkes last remaining child) than it does in 2016?

A petition at the University of Mississippi to change one of their campus monuments explains the problem with claiming this as a pride sign:

Students and faculty immediately objected to this language, which 1) failed to acknowledge slavery as the central cause of the Civil War, 2) ignored the role white supremacy played in shaping the Lost Cause ideology that gave rise to such memorials, and 3) reimagined the continued existence of the memorial on our campus as a symbol of hope.

[…]

From the 1870s through the 1920s, memorial associations erected more than 1,000 Confederate monuments throughout the South. These monuments reaffirmed white southerners’ commitment to a “Lost Cause” ideology that they created to justify Confederate defeat as a moral victory and secession as a defense of constitutional liberties. The Lost Cause insisted that slavery was not a cruel institution and – most importantly – that slavery was not a cause of the Civil War.

Kudos to the Mississippi campaign to fix bad history and remove Lost Cause propaganda. The North Carolina sign’s 1950s date suggests there might be a longer period of monuments being erected. When I travel to the South I am always surprised to run into these “proud” commemorations of slavery and a white-supremacy military. I am even more surprised that the residents I show them to usually have no idea where exactly they are, why they still are standing or who put them up.

At the very least North Carolina should re-write the sign to be more accurate. Here is my suggestion:

MECKLENBURG IRON WORKS: Established here 1810. Seized by pro-slavery forces 1862 after defeat in Portsmouth, Va to supply Navy. Freed in 1865.

That seems fair. The official “essay” of the NC Markers really also should be rewritten.

For example NC Markers wrote:

in time it began to encounter difficulty obtaining and retraining trained workers

Too vague. I would revise that to “Southerners depended heavily on immigrants and Northerners for shipyard labor. As soon as first shots were fired upon the Union by the South, starting a Civil War, many of the skilled laborers left and could not be replaced. Over-mobilization of troops further contributed to huge labor shortages.

NC Markers also wrote:

given its location along the North Carolina Railroad and the South Carolina Railroad, it was connected to several seaboard cities, enabling it to transport necessary products to the Confederate Navy

Weak analysis. I would revise that to “despite creating infrastructure to make use of the Confederate Navy Yard it had no worth without raw materials. Unable to provide enough essential and basic goods, gross miscalculation by Confederate leaders greatly contributed to collapse of plans for a Navy”

But most of all, when they wrote “the war ended” I would revise to say “the Confederates surrendered to the Union, and with their defeat came the end of slavery”.

Let residents be proud of ending the pro-slavery nation, or more specifically returning the Iron Works to something other than fighting for perpetuation of slavery.

So here is the beginning of the story, at its end. Look at this sign on the street in Charlotte, next to Bank of America headquarters:

charlotte-pro-slavery-militia-memorial-sign


(1) 1810 – Iron Industry screenshot from Charlotte – Mecklenburg Library
1810-IronIndustry-Mecklenburg

Posted in History, Sailing, Security.


Elevator Social Engineering

I’ve spent years fiddling with social engineering at a bank of elevators. At first it was just part of the job (getting past security) and now it’s become something more of an analytic game.

Let’s say you have six doors, where you have to push the button and wait for one to open. A crowd forms, three, five, maybe even seven people. Should you try to jump in first when the door opens?

No.

Time and again I find it better to step towards the door and hold it open until it’s completely full. Everyone else will move sheepishly towards the first door they see, or at least the closest open one. Encourage this behavior and help as many people as possible quickly squeeze into a tiny box together. Maybe even push all the floor buttons for them. Then jump out and let the doors close without you inside. The more you pushed in the better.

Pat yourself on the back, push the elevator button again and step alone into the next elevator that opens its doors. Of course the congratulations really depends on how well you estimated flow of arriving passengers and where they’re going (could be a group together choosing a single floor).

It’s a great game of allocation logistics that soon will be replaced by computers assigning people to elevators using basic math. Enjoy it while you can.

Posted in Security.


Encryption is a good thing. It prevents crime.

Does encryption prevent crime?

Recently I wrote of how the ANC used encryption to help defeat apartheid rule in South Africa. Looking back at that example being on the right side of history meant being on the wrong side of a law, which ultimately meant committing a crime to prevent a crime. Privacy from surveillance was essential to creating change (e.g. ending the crime of apartheid) because a lack of privacy could mean arrest, imprisonment or even death. So yes, we can point to an example where encryption prevented crime, by enabling crime.

Confused?

When we hear encryption prevents crime we probably need to ask for hard evidence to give us perspective or context. Rather than look at a rather complex issue case by case by case, I wonder if a larger body of work already is available. Has anyone written studies of how encryption prevents crime across the board, over time? Although I have searched far and wide, nothing has appeared so far. Please comment below or contact me if you know of such a study.

A good example of where I have searched is the Workshop on the Economics of Information Security (WEIS). It has many great resources and links, with well-known cryptographers studying social issues. I thought for sure it would have at least several titles on this topic. Yet so far I have not uncovered any vetted research on the economics of preventing crime with encryption.

We may be left for now pulling from examples, specific qualitative cases, such as the ANC. Here is a contemporary one to contemplate: TJX used encryption for wireless communication, and yet ended up having their encryption cited as a major reason for breach, as explained by the Privacy Commissioner of Canada.

TJXonWEP

The point here is that, despite a fair number of qualitative technical assessments, we seem to lack quantitative study of benefits to crime fighting from encryption. We also lack nuance in how we talk about the use of encryption, which is why you might hear people claim “encryption is either on or off”. That binary thinking obviously does us no favors. Saying the lock is either open or closed doesn’t get at the true issue of whether a lock is capable of stopping crime. Encryption at TJX was on, and yet it was not strong enough to stop crime.

Another good example of where I have searched is the Verizon Breach report, arguably the best breach analysis in our industry. Unfortunately even those thorough researchers have not yet looked into the data to reveal encryption’s effect on crime.

What I am getting at is we probably should not passively accept people making claims about crime being solved, as if true and a foregone conclusion without supporting evidence. Let us see data and analysis of encryption solving crime.

While searching for studies I did find a 2015 Slate article that told readers encryption prevents “millions of crimes”. Bold claim.

…default encryption on smartphones will prevent millions of crimes, including one of the most prevalent crimes in modern society: smartphone theft. In the long run, widespread smartphone encryption will ultimately preserve law and order far more than it will undermine it.

Here is why I think it could be better to challenge these statements instead of letting them slip through. The author arrived at this conclusion through sleight of hand, blurring encryption with data from studies that say a “kill switch” option has been linked to lower rates of physical theft. These studies do not have data on encryption. Protip: encryption and kill switch are very different things. Not the same thing at all and data from one is not transferable to the other. Then, as if we simply swallowed without protest two very different things being served as equivalent, the author brings up ways that a kill switch can fail and therefore is inferior to encryption.

In logic terms it would be A solves for C, therefore use B to solve for C. And on top of that B is better than A because D. This is roughly like:

A: pizza solves C: hunger
B: therefore use water to solve for C: hunger
A: pizza gets soggy when wet, therefore B: water best to solve C: hunger because D: doesn’t get soggy

A careful reader should wonder why something designed to preserve and protect data from theft (encryption) is substituted directly for something designed to make a physical device “unattractive” to re-sellers (kill switch), which may not be related at all to data theft.

…kill switches—even if turned on by default—have serious shortcomings that default encryption doesn’t. First, the consumer has to actually choose to flip the switch and brick the phone after it’s been stolen. Second, the signal instructing the smartphone to lock itself actually has to reach the phone. That can’t happen if the crooks just turn the phone off and then take some trivial steps to block the signal, or ship the phone out of the country, before turning the phone back on to reformat it for resale. (Smartphone theft is increasingly an international affair for which kill switches are not a silver bullet.) And finally, enterprising hackers are always working to provide black market software solutions to bypass the locks, which is one of the reasons why there is a thriving market for even locked smartphones, as demonstrated by a quick search on eBay. Those same hackers, however, would be decisively blocked by a strong default encryption solution.

That last line is nonsense. If nothing else this should kill the article’s credibility on encryption’s role in solving crime. Hard to believe someone would say enterprising hackers always work to bypass locks in one sentence and then next say that “strong default encryption” is immune to these same enterprising hackers. Who believes hackers would be “decisively blocked” because someone said the word “strong” for either locks or encryption? Last year’s strong default encryption could be next year’s equivalent to easily bypassed.

What really is being described in the article is a kill switch becomes more effective using encryption, because the switch is less easily bypassed (encryption helps protects the switch from tampering). That is a good theory. No one should assume we can replace a kill switch with encryption and expect a straight risk equivalency. While encryption helps the kill switch, the reverse also is true. A switch actually can make encryption far safer by erasing the key remotely or on failed logins, for example. Encryption can be far stronger if access to it can be “killed”.

Does installing encryption by itself on a device make hardware unattractive to re-sellers? Only if data is what the attackers are after. Most studies of cell phone theft are looking at the type of crime where grab-and-run is profitable because of a device resale market, not data theft. Otherwise encryption could actually translate to higher rate of thefts because a device could be sold without risk of exposing privacy information. It actually reduces risk to thieves if they aren’t able to get at the data and can just sell the device as clean, potentially making theft more lucrative. Would that increase crime because of encryption? Just a thought. Here’s another one: what if attackers use encryption to lock victims out of their own devices, and then demand a ransom to unlock? Does encryption then get blamed for increasing crime?

Slate pivots and twists in their analysis, blurring physical theft (selling iPhones on eBay) with data theft (selling identity or personal information), without really thinking about the weirdness of real-world economics. More importantly, they bring up several tangential concepts and theories, yet do not offer a single study focused on how encryption has reduced crime. Here’s a perfect example of what I mean by tangential.

As one fascinating study by the security company Symantec demonstrated, phone thieves will almost certainly go after the data on your stolen phone in addition to or instead of just trying to profit from sale of the hardware itself. In that study, Symantec deliberately “lost” 50 identical cellphones stocked with a variety of personal and business apps and data, then studied how the people who found the unsecured phones interacted with them. The upshot of the study: Almost everyone who got hold of one of the phones went straight for the personal information stored on that phone. Ninety-five percent of the people who picked up a phone tried to access personal or sensitive information, or online services like banking or email. Yet only half of those people made any attempt to return the phone—even though the owner’s phone number and email address were clearly marked in the contacts app.

What is fascinating to me is the number of times encryption or crypto appears in that study: zero. Not even once.

Symantec did not turn on encryption to see if any of the results changed. That study definitely is not about encryption helping or hurting crime. Can we try to extrapolate? Would people try harder to access data once they realize it is encrypted, being the curious types, looking for a key or guessing a PIN? Would attempts to return phones go down from half to zero when contact information is encrypted and can’t be read, causing overall phone loss numbers to go up?

And yet clearly the Slate author would have us believe Symantec’s study, which does not include encryption, proves encryption will help. The author gets even bolder from there, jumping to conclusions like this one, a perfect example of what I mean by jumping.

There wouldn’t have been a breach at all if that information had been encrypted.

If encryption, then no more breach…Hey, I think I get it!

  1. Collect Encrypted Underpants
  2. ?
  3. Profit!

No. This is all so wrong. Look again at the TJX breach I mentioned earlier. Look especially at the part where encryption was “in place” when the breach happened.

TJX was using encryption technology for wireless networking, known generally as WEP, that used the RC4 stream cipher for confidentiality and CRC-32 checksum for integrity. There’s the encryption, right there, in the middle of a report discussing a huge, industry changing breach. Despite encryption, or arguably even because of misuse/overconfidence in weak encryption, we saw one of the largest breaches in history. Again, the crux of the issue is we aren’t using nuance in our discussion of encryption “solving” crimes. Far more detail and research of real-world applied encryption is greatly preferred to people saying “encryption is good, prevents crime” dropping the mike and walking off stage.

Studies of encryption effects on crime beg details of how we would define levels of “strong”, what is “proper” key management, “gaps” between architecture and operation…but my point again is we don’t seem to have any studies that tell us where, when or how exactly encryption prevented crimes generally, let alone a prediction for our future. Say for example we treat encryption as a tax on threats, an additional cost for them to be successful. Can we model a decline in attacks over time? I would love to see evidence that higher taxes lower likelihood of threats across time compared to lower taxes (e.g. as has been illustrated with US cigarette policies):

Smoking_Tax_Cancer_Plot

We know encryption can prevent types of crime. We no longer have an apartheid government in South Africa, proving a particular control has utility for a specific issue. I just find it interesting how easily people want to use a carte blanche argument for general crime being solved, greater good, when we talk about encryption. People call on us to sign a big encryption check, despite offering no real study or analysis of impact at a macro or quantitative level. That probably should change before we get into policy-level debates about the right or wrong thing to do with regulation of encryption.


Updated to add reference:

European Axis Signal Intelligence in WWII as revealed by TICOM Investigations and other prisoner of war interrogations and captured material, principally German, 1 May 1946

“Target Intelligence Committee.” The project, which was originally conceived by Colonel George A. Bicher, Director of the Signal Intelligence Division, ETOUSA, in the summer of 1944, aimed at the investigation and possible exploitation of German cryptologic organizations, operations, installations, and personnel, as soon as possible after the
impending collapse of the German forces.

Posted in History, Security.


How the ANC used encryption to help defeat apartheid

The following paragraph is from an opinion piece last year by CNN National Security Commentator Mike Rogers, called “Encryption a growing threat to security“:

Back in the 1970s and ’80s, Americans asked private companies to divest from business dealings with the apartheid government of South Africa. In more recent years, federal and state law enforcement officials have asked — and required — Internet service providers to crack down on the production and distribution of child pornography. And banks and financial institutions are compelled to prevent money laundering by organized crime and terrorists finance networks.

All of this is against companies’ bottom-line business interests, but it has been in the public interest. These actions were taken to protect the public and for the greater good. And all of it was done to mitigate a moral or physical hazard.

Don’t know about you but that “apartheid” line jumped right out at me. African history doesn’t come up enough on its own let alone in the crypto debates. So my attention was grabbed.

Let me just say I agree in principle with a “greater good” plea. That’s easy to swallow at face value. However, a reference to fighting wrongs of a South African government while talking about encryption as a threat to security…Rogers makes a huge error here.

My first reaction was tweeting in frustration how Biko might have survived (he was taken captive by police and beaten to death in prison) if he had better privacy. I mean history could have turned out completely different, far better I would argue, had activist privacy in South Africa not been treated as a threat to national security. Encryption could have preserved the greater good. I’ll admit that is some speculation on my part, which deserves proper research.

More to the point against Rogers, South Africa severely underestimated encryption use by anti-apartheid activists. That’s the fundamental story here that kills the CNN opinion piece. Use of encryption for good, to defeat apartheid, is not a secret (see “Revolutionary Secrets: Technology’s Role in the South African Anti-Apartheid Movement,” Social Science Computer Review, 2007) yet obviously it needs to be told more widely in America:

…development of the encrypted communication system was key to Operation Vula’s success

Basically (no pun intended) hobbyists had taught themselves computer programming and encryption using a British computer called the Oric 1 and some books.

CWpJ8WBUYAEYatt

An Oric 1 only cost £100 and was quite popular in the 1980s. You could say it had a following comparable to the Raspberry Pi today and therefore provides an extremely relevant story. With only a little investment, study and careful planning by ordinary people “Operation Vula” used encryption to fight against the apartheid regime.

When the operation was finally uncovered by the police in 1990 they knew too little and too late to disrupt Vula. Nonetheless to the very end the government accused people of terrorism when caught using encrypted communication; buildings using encryption were called “havens for terror“.

CLYPC_SUcAETi-u

So my second reaction was to tweet “please watch ‘Vula Connection’ how a South African man used encryption to turn against his gov and end apartheid” to try and generate more awareness. It had 247 total views on that day; now, nine months later, it still has only 7,766. Not bad, yet not exactly a huge number.

I also tweeted “The Story of the Secret Underground Encryption Network of Operation Vula, 1995” for those who would rather read Tim Jenkin’s first-person account of crypto taking down apartheid.

His prison-break (please read Escape from Pretoria – a video also is available) and secure communication skills are critical to study thoroughly for anyone who wants to argue whether encryption is a “threat to security” in the context of apartheid and the 1980s.

Here is Tim Jenkin explaining what he did and why. Note there are only 185 views…

My third reaction was to contact the organizers of the RSA Conference, since it has a captive crowd in the tens of thousands. I know my tweets have limited reach (hat-tip to @thegrugq for immediate sub-tweets when I raise this topic, extending it to far wider audiences). A big conference seemed like another way for this story to go more mainstream.

So I suggested to conference organizers we create a “humanitarian” award, setup a nomination system/group and then I would submit Tim Jenkin. While Tim might not get the formal nod from the group, we at least would be on the right road to bringing this type of important historic detail forward into the light.

All that…because an op-ed incorrectly tried to invoke apartheid history as some kind of argument against encryption. Nothing bothers a historian more than seeing horrible analysis rooted in a lack of attention to available evidence.

So here we are today. RSA Conference just ended. Instead of Tim Jenkin on stage we were offered television and movie staff. CSI, Mr Robot, blah. I get that organizers want to appeal to the wider audience and bring in popular or familiar faces. I get that a lot of people care about fictionalized and dramatized versions of security, or whatever is most current in their media and news feeds.

Not me.

It was painful to sit through the American-centric entertainment-centric vapidity on stage when I knew I had failed to convince the organizers to bring lesser-known yet important and real history to light. Even if Tim Cook had spoken it still would pale for me in comparison to hearing from Tim Jenkin. The big tech companies already have a huge platform and every journalist hanging on every word or press release. Big tech and entertainers dominate the news, so where does one really go for an important history lesson ready to be told?

What giant conference is willing to support telling of true war stories from seasoned experts in encryption, learning new insights from live interviews on stage, if not RSAC?

And beyond learning from history, Tim Jenkin also has become known for recent work on a free open source system helping people trade without money. Past or future, his life’s work seems rather important and worth putting out to a wider audience, no?

It would have been so good to have recognized the work of Tim, and moreover to have our debates more accurately informed by the real-world anti-apartheid encryption. If only RSAC had courage to bring the deeper message to the main stage outside of the cryptographer’s panel. I will try harder to encourage this direction next year.

Disappointed.

Posted in History, Security.


Why Were 150 Somali Militants Killed in a US-led Air Strike?

The US used aircraft to drop explosives in Somalia, killing a large number of people. This abruptly has reminded many people of the existence of ongoing US military operations there, under the aegis of Africa Command (AFRICOM), and I see confusion in my social networks. Perhaps I can help explain what is going on.

Allow me to back up a few years to give some context.

US military European Command (EUCOM) leaders realized ten years ago they needed a more focused and local approach if expected to run “stability operations” in Africa. Do you remember in 2006 when the Islamic Courts Union (ICU) defeated CIA-backed warlords in Mogadishu? In response, the US backed a 2007 Ethiopian invasion of Somalia to retake control and remove the ICU, as I wrote in posts here called “Ethiopia rolls 1950s tanks into Somalia” and in “Ethiopian invasion of Somalia“.

This EUCOM “stabilization” effort, to use Ethiopia as a proxy military power after the CIA lost direct control, effectively created a huge sucking sound; a vacuum of leadership and instability (free market) resulted from a neighboring state military operation. Although it might seem an obscure fact, most people actually have heard of sudden piracy issues in this region that became a major headache for global shipping. Al Shabaab was essentially what the ICU transitioned into at that time. A simple SIPRI graph illustrates the disastrous effect of President Bush’s foreign policy on this region:

Dunne_figure1

The question for US politicians in 2007, almost exactly like Britain’s in 1940, became how to turn a large-scale military operation to take control of the Horn of Africa into a light-touch state-building or at least state-support operation. (Setting aside the global piracy issues it created).

EUCOM knew even before 2006 that the US needed a more focused regional approach in Africa to achieve policy aims being set in front of it. More focused resources made a lot of sense not least of all because Africa really isn’t part of Europe. And so there is a quick overview for why in 2008 AFRICOM was created under President Bush:

This new command will strengthen our security cooperation with Africa and create new opportunities to bolster the capabilities of our partners in Africa. Africa Command will enhance our efforts to bring peace and security to the people of Africa and promote our common goals of development, health, education, democracy, and economic growth in Africa.

This presidential declaration of bringing peace might seem a long stretch from recent news of US warplanes bombing Somalia. Bear with me for another minute.

The mission of AFRICOM originally was described as cooperation and augmentation of African governments against destabilization; a mission of dealing with “failing states” rather than taking on war-fighting or “conquering state” objectives. This is of course a bit ironic, given how it rose from the ashes of Somalia invaded by Ethiopia. To be fair though AFRICOM being established under Bush offered the chance for a different future and more locally relevant options than under EUCOM.

Although I’ve studied military operations on the Horn of Africa all the way back to the 1930s, when someone asks why American forces today are in Somalia, this is why I would say the major policy shift in 2008 is a good place to start the story.

Creation of AFRICOM was not without controversy at the time, as explained by FOX news.

Most Africans don’t trust their own militaries, which in places like Congo have turned weapons on their own people.

So “they don’t trust Africom, either, because it’s a military force,” Okumu [Kenyan analyst at South Africa’s Institute for Security Studies] said. There is also “a suspicion America wants to use us, perhaps make us proxies” in the war on terror.

AFRICOM initially was to take control and run an existing base in Africa, as well as support the increasingly wider regional military objectives. Aside from pushing a 2007 Ethiopian invasion of Somalia to bring down the ICU, US policy was following at least two prior initiatives: One, in 2002 a US military Combined Joint Task Force base was established in the Horn of Africa (CJTF-HOA), staffed with thousands of military personnel. Two, by 2005 a “Flintlock exercise” among many African security forces was being led by the US across the Sahel region (from Djibouti to Senegal). Thus it makes sense why some worried US operational bases with proxy combat missions could be the result.

We may never know how AFRICOM was intended to roll out because, after Bush’s grand political hand waving about humanitarian missions and economic stabilization, Obama came into ownership in 2009. It seems to me the worries about intentions were well-founded because obviously Bush already had been caught lying in order to invade Iraq. His use of Ethiopia in 2007 appeared to similarly be a thinly-veiled destruction of Somalia’s sovereignty to maintain US access for renditions and executions on foreign soil without declaring war. It raised concerns about, for lack of a better phrase, dumb imperialist thinking.

However, the new president soon gave speeches that started a slightly different spin on US partnerships with African states:

When there’s a genocide in Darfur or terrorists in Somalia, these are not simply African problems — they are global security challenges, and they demand a global response.

A good indicator of where AFRICOM headed under new US leadership came with operation Celestial Balance, as I wrote in 2010. Tactics changed under an Obama doctrine through more intelligent and less heavy-handed methods of “direct action”, a euphemism for unmarked black helicopters appearing suddenly and killing people identified as threats to America…ahem, I mean global security.

Obama would say privately that the first task of an American president in the post-Bush international arena was “Don’t do stupid shit.”

The difference was significant between the president who believed evidence was an inconvenience and the one who wanted measured outcomes. Less fanfare, less flowery, clear and surgical operations, based on strong evidence, led to highly targeted missions, albeit without much outside review or transparency. And then, rather than condemn the new doctrine of AFRICOM and US “actions” in Africa, Somalia’s new government warmed to the program and called for even more collaboration against threats.

 In a series of interviews in Mogadishu, several of the country’s recognized leaders, including President Sharif, called on the US government to quickly and dramatically increase its assistance to the Somali military in the form of training, equipment and weapons. Moreover, they argue that without viable civilian institutions, Somalia will remain ripe for terrorist groups that can further destabilize not only Somalia but the region. “I believe that the US should help the Somalis to establish a government that protects civilians and its people,” Sharif said.

It appears, from my reading of the Somali perspective over time, we can not easily write-off AFRICOM as the proxy war engine it could have become. There have been no new American bases. We instead have seen state-building, or at least assistance in state self-defense, pointing in the direction of augmentation and support. We don’t have a lot of ground to call Obama’s “direct actions” policy a purely self-serving war using African states as proxies.

The Bush administration was right to heed EUCOM establishing new focus, creating AFRICOM; it appears only to have been wrong in its intelligence operations and economic policy. Hard to say whether Obama has been right, but we at least know it is not worse than prior.

Somalia, let alone the African Union Mission in Somalia (AMISOM), has continued talking about being a partner on global security efforts. This is an evolution from 2007 where US objectives seemed front and center with other nations being prodded into going along. Obviously new risks easily can emerge, yet the US is currently feted as a partner in regional stabilizing missions rather than owner or operator. Local stability and growth policy using global partnerships isn’t an entirely awful thing, especially when we see China talking about and doing much of the same in its foreign relations for this region and throughout Africa.

Ok, so enough background. Back to the present tense, what’s with bombing hundreds of people?

According to a tweet by the BBC Africa Security Correspondent, Tomi Oladipo:

both Al Shabab & residents confirmed militants hit. Dispute is over death toll.

Everyone on the ground seems to agree casualties were militants and not any civilians. I have not seen anything contradicting this: militants massed in a training camp were preparing to graduate and execute a mission to undermine regional stability. The only major caveat to the reporting and news is Al Shabaab has been known to infiltrate news organizations to murder journalists it disagrees with; local reporting can be hard to gather.

I asked Paul Williams, Associate Professor at GWU and author of “War & Conflict in Africa“, if this strike could be seen as a prevention measure, given recent Al Shabaab attacks. He quickly confirmed that as true:

#AMISOM reconfiguring after Leego, Janaale & ElAdde to avoid a repeat.

If you’re familiar with those three references to Al Shabaab attacking security camps you easily can see why this strike to their camp fits regional conflict patterns, with the US serving to help local government forces maintain control and protect civilians.

With this in mind I would like to address four questions raised by Glenn Greenwald about the attack:

One.

Were these really all al Shabaab fighters and terrorists who were killed? Were they really about to carry out some sort of imminent, dangerous attack on U.S. personnel?

Yes, we see credible accounts of imminent danger, in the pattern of recent attacks, from an Al Shabaab militant camp. It almost could be argued that this attack was in response to those earlier militant attacks; a better self-defense plan was called for by local authorities (Somalia and Kenya) after those disasters. US personnel were in danger of attack by nature of working with the authorities targeted by Al Shabaab. We also don’t have details on the attack planned but it very well could have been similar to Westgate or Garissa University.

Two.

There are numerous compelling reasons demanding skepticism of U.S. government claims about who it kills in airstrikes.

Yes, big fan of skepticism here. At the same time, by all accounts and recent events, this appears to be a clear case of a military camp being destroyed to prevent terrorist attack later. BBC made the casualty type clear. Recent Al Shabaab operations, attacking Kenyans while in camp, should further erode skepticism around motive and opportunity of attacking militants while in their camps. I have not yet seen evidence civilians were in these camps. South Sudan, just for comparison, has been a completely different story.

Three.

We need U.S. troops in Africa to launch drone strikes at groups that are trying to attack U.S. troops in Africa. It’s the ultimate self-perpetuating circle of imperialism

This is lazy and shallow reasoning. If US troops left Somalia there would still be attacks by Al Shabaab on the authorities there. Whether you agree or not with supporting the local regime, it is not fair to say the only purpose of US troops is to act like a target for the premise of self-defense to attack US enemies. We have credible evidence that it goes beyond a proxy conflict, and the US is in fact assisting local authorities who are under attack. We can debate the integrity of a US-backed authority and their role in calling for assistance, yet it is clear Al Shabaab is a threat to far more than just Americans.

Four.

Within literally hours, virtually everyone was ready to forget about the whole thing and move on, content in the knowledge — even without a shred of evidence or information about the people killed — that their government and president did the right thing.

Surely I will be called an exception, since I’ve studied conflict on the Horn for over two decades and have undergrad and graduate degrees focused on it, yet I do not find lack of interest to be true of the general population. In all the years I have studied there never has been more interest in this region than today.

This blog post is written because people are talking about the killings. The fact that the story initially was told as a drone attack meant it was given even more attention. Conversations went on for hours just about the technical feasibility of drones to carry out such a large attack.

Granted we should be paying more attention. That seems like a great general principle. I am seeing more people pay more attention than ever before to issues and a part of the world that used to be obscure. Within literally hours everyone was asking questions about what happened, who really was killed, and why. It is actually quite a shock to see Somalia so much in the news and Americans digging immediately into the details, asking what just happened in Africa.


Updated to add a “mapping militants” project chart of Somalia, which better illustrates why power fractures and allegiances are complicated.

mappingmilitants.somalia

Posted in History, Security.


RSAC 2016: Thoughts and Memories

Three things stood out to me at RSAC this year:

  1. Diversity
  2. Business and Innovation
  3. Collaboration

Diversity

Usually I have some general unease or complaint in this category. Not this year. While I did tweet there was an annoying lack of diversity in keynote speakers, overall the conference felt more diverse than ever before.

Walking the expo and the conference talks felt like being in a major international city. Waves of experienced and new, young and old, male and female were noticed, with many cultures clothing type and styles easily found. It felt like security community was being represented across an extremely wide spectrum, wider than I had ever seen before. I talked briefly with a woman wearing a Niqab attending sessions (might have to do this myself next year). And while it was easy to hear the big delegations of Israelis, Chinese, Russians, Germans wandering around I also was happy to run into a Palestinian cryptographer who wanted to talk Cloud.

Business and Innovation

Every year I do an extensive tour of the Expo and interviews to find useful products. Some tend to argue “security 1%-ers” are the only people who really would benefit from the expo and everything is positioned to be a silver bullet. That’s obviously untrue.

Adi Shamir walked with me to a booth, for example, so I could show him what I thought to be an interesting development in hardware authentication. The conversation went something like this:

  • Me: it’s interesting to see a stereo jack token form-factor. resilient, easy…
  • Adi: one form, another form, who cares. use the USB port instead. they’re all just form factors. energy harvesting? AHA! now THAT is interesting
  • Me: form factor is a problem space that needs better solutions. energy harvest wouldn’t get users excited but the security issues are something to review
  • Adi: yes, the things we can do with energy
  • Me: given low capacity we can blast with energy to cause to fail, break, overheat
  • Adi: this is not that interesting, but there are other things…

He and I were approaching things from completely different objectives. I was thinking about how to solve for user requirements; can we get these in hands immediately to improve multi-factor usage rates. He was thinking about how to solve for engineering requirements; can we break this thing.

Tools we were looking at and discussing with the vendors were not for the 1%. They were not silver bullets. They were meant for mainstream use and very focused in their application. Many such tools could be found. The problem really is not that this kind of every-person stuff does not exist. The problem is marketing is actually extremely hard in security. If you think the buzzwords, costumes and flashing plastic garbage are annoying, you’re probably right. It just verifies how hard it is to do marketing well, to reach a wide audience with a tight message.

And that’s one of the coolest things about RSAC. So many different approaches and ideas are launched just to see if they work; we might actually find something good. It is an opportunity to find or develop mainstream tools from a diverse field of ideas. This is where people are talking about all kinds of solutions and partnerships.

On the other hand, it’s also important to look carefully for 1%-er solutions.

About five years ago at RSAC I spoke with a flash memory vendor promoting their new devices, and quickly I figured out we were going to have problems with data destruction. It was a 1%-er issue then, an early look into what was coming. In the following years I saw papers being published, almost exactly like the conversation at RSAC, about ease of extracting data from flash. And now this year I found this 1%-er issue has gone mainstream: vendors push specialized products (an extreme opposite of silver bullet) towards commodity prices to close a gap. If you have flash devices and need to destroy data, there were some small engineering-oriented vendors you should have been talking with.

Intelligence and knowledge systems are the 1%-er space of today, which actually parallels a trend in general IT. Stock up on “threat” feeds, run analysis on it with visualization, and maybe even apply learning algorithms or think about how to leverage artificial intelligence. While I could beat up our industry for going all 1%-er on this area, the wider context of overall IT puts it in context and we’d be fools if our industry didn’t jump in now. The people adopting today, or at very least discussing, are at RSAC setting the stage for what will become 99% tools five years ahead.

A customer asked me a few weeks ago to build a specific threat feed solution. So at RSAC I set about the expo floor asking every single vendor I could to give me their proposed solution. It was actually comical and fun because it challenges the marketing folks to deliver on the spot.

Symantec came across as an utter disaster. They literally could not find anyone, over two days, to speak about their products. Sophos was all ears as I ended up telling them how good their data could be if they packaged it again for the right consumers. They apparently weren’t aware of the demand types and seemed curious. Kaspersky kept shaking my hand, saying the right people need to be found, and telling me we can do business together while not actually answering technical questions. Fireeye sent me to their head of a new group focused on the exact problem. Very impressed with the response and quick, competent handlers. Clownstrike said they have what we need and then just walked away. LOL. Recorded Future gave me a long and detailed hands-on demonstration that was very helpful…all of which ends up in a report that goes to a customer.

To put it bluntly, this year felt like the rise of private intelligence and I expect to see this field of “knowledge” tools for analysts grow significantly over the next 2-3 years.

The inverse of this type of prediction exercise is noticing the buzzwords most likely to have disappeared: GRC, DLP, APT. Apparently vendors are realizing that the great analyst hype for some of these “tool” markets did not pan out. Do we blame the analysts who predicted these markets would boom, and created the product race, or blame the vendors who jumped in to run it?

Regulations and compliance seemed to be showing up everywhere, being discussed all the time, without being pushed obnoxiously as some kind of new thing to buy. HIPAA! PCI! No, we didn’t see that at all. There was no yelling about regulators, and at the same time it was mentioned in talks and product marketing. Compliance was pleasantly subtle, perhaps indicating an industry maturity level achieved.

Last but not least I was sad to see a lack of drone research. Despite having talk tracks on the subject, and a huge boom in drone-related security concerns, we really didn’t find much evidence of a market for security in this space yet. An investor literally told me he’d find us a billion dollars to solve some very specific drone security issues, yet walking the expo there were no offerings and no evidence of products or strong technical skills in this area.

Collaboration

With new levels of diversity, and innovation, it probably goes without saying there was an air of collaboration. While there are plenty of private parties and VIP events (literally 1,000s of side-conferences) for business to be done by old friends behind closed doors, what fascinated me was the interactions out in the open. Bumping into strangers all day and night is where things get interesting, especially as you hear “let me introduce you to…” all around.

A big concern is that there are solutions lurking around and missing their target audience. I’m speaking with some ex-Cisco guys one day who have developed a healthcare IoT fingerprinting tool. Don’t ask me why they chose healthcare, yet that’s their very narrow approach right now. The next day I’m watching my twitter feed light up about the lack of security tools designed for healthcare IoT. How do I get these two groups collaborating? RSAC is a place where I can try to make it happen.

The keynotes emphasized collaboration in a fairly formal way. Government should talk with private sector, yada yada, as we always hear. More practical is the fact that you could walk into a booth and overhear the Norwegian military discussing some use case specific to their plans for invading Finland, and then jump in and start a broader discussion about different tools and procedures for protecting doctor privacy in Africa.

Walking up and talking to strangers led to some excellent follow-on meetings and conversations around how we could work together. I dragged three friends with me into a session on hacking oil and gas, which turned out to be great fodder for conversation with a guy from NIST and an invitation to present on supply chain security to the US government.

Cloudera had a booth where I spent the better part of an hour discussing how different Big Data platforms can work together better to create a common standard for security assessors, as different staff came and went and suggested ideas. It felt like we were compressing three weeks of scheduled meetings into one impromptu intense planning session.

There are so many collaboration channels it can be overwhelming at some point because you simply can not pursue all the opportunities to be found at RSAC. If you want to meet with some of the best minds in the world trying to solve some of the hardest security problems, or you want to expose your ideas to a wide set of minds and collaborate in a short time, this conference can’t be beat. It’s massively massive, not a quiet walk in the park with known friends, and that’s not such a bad thing as our industry has to learn how to welcome in more and more people.

Posted in Security.


Cyber Insecurity: The Cost of Monopoly

“How the Dominance of Microsoft’s Products Poses a Risk to Security”

27 September 2003

A paper authored by: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, Bruce Schneier

cyberinsecurity.pdf

Posted in History, Security.


Our Digital Right to Die

With so many, so many, blog posts about Apple and FBI I have yet to see one get to the core issue.

Do we have a digital right to die? After we are dead, in other words, who controls the destiny of our data and what authority do we have over them?

Having been in the security industry for more than two decades I have worked extensively on this problem, not only because of digital forensics. Over the past five years we’ve developed some of the best technical solutions yet to help kill your data, forever, at massive scale.

The market has not seemed ready. Knowledge in this area has been for specialists.

Although I could bring up many cases and examples, most people do not run into them because discussion is usually around how to preserve things. The digital death is seen as edge or outlying situations (regulatory/legal compliance, dead soldier’s email, hiker’s cell phone, famous literary artist’s archives).

It feels like this is about to change, finally.

Everyone seems now to be talking about whether the FBI should be allowed to compel a manufacturer to disable a cell phone’s dead-man switch, for lack of a better term. A dead-man switch (or dead man’s, or kill switch) is able to operate automatically if the person who set it becomes incapacitated.

Dead-man switches can have sophisticated logic. Some are very simple. In the current news the cell phone uses a simple count. After several failed attempts to guess a PIN for a phone, the key needed to access data on that phone is erased.

Philosophically this situation presents a very difficult ethical question: Under what circumstances should law enforcement be able to disarm a dead-man switch to save data from deletion?

In this particular case we have a simple, known trigger in the dead-man switch. Bypassing it in principle is easy because you turn off the counter. Without a count the owner can try forever until they guess the PIN.

Complicating the case is that the vendor in question sells proprietary devices. They, by design, want to be the only shop with capability to modify their devices. They do not allow anyone to modify a device without their approval.

If there is any burden or effort here, arguably it is from such a business model to lock away knowledge needed to make the simple configuration change (stop the counter) to a complex device. Some see the change as a massive engineering effort, others say it is a trivial bit flip on existing code, yet no one is actually testing these theories because by design no one but the manufacturer is allowed to.

Further complicating the case is that the person using the device is dead, and technically the device is owned by someone else. Are we right to honor the intentions, unknown, of a dead person who set the dead-man switch over the living owner of the device who wants the switch disabled?

Let me put it this way. Your daughter dies suddenly. You forget the PIN to unlock the phone you gave her to communicate with you. You ask the vendor to please help disable the control that will kill your daughter’s data. Is it your data, because your device, or your daughter’s data?

If the vendor refuses to assist and you go to court, proving that you own the phone and the data is yours, do you have a case to compel the vendor to disable the control so that your data will not die?

What if the vendor says a change to the phone is a burden too great? What if they claim it would take an entirely new version of the iPhone operating system for them to make one trusted yet simple change to disable the dead-man counter? How would you respond to self-serving arguments that your need undermines their model?

It is not an easy problem to solve. This is not about two simple sides to chose from. Really it is about building better solutions for our digital right to die, which can be hard to do right, if you believe such a thing exists at all.


Updated to add reference to “kill switch” regulation:

Apple introduced Activation Lock in iOS 7. The feature “locks” iOS devices with the owner’s iCloud account credentials, and requires that they be authenticated with Apple before the device can be erased and set up again.

Activation Lock was the first commercially available “kill switch” for mobile operating systems, and similar features have since been implemented by Google and Samsung. California passed a law last August requiring that all smartphones sold in the state implement kill switches by July 2015, and an FCC panel in December recommended that the commission establish a similar nationwide framework, citing Activation Lock as model deterrent.

Posted in Poetry, Security.


Polish Mathematicians Broke Nazi Enigma

Sadly this topic has remained a simmering controversy for far too long, mostly because of lack of effort on all our part. It isn’t hard to get it right, yet for some reason Poland isn’t getting credit due. The BBC in 2014 described a hugely important and historic event as simply a “quiet gathering”.

The debt owed by British wartime codebreakers to their Polish colleagues was acknowledged this week at a quiet gathering of spy chiefs. […] On the outskirts of Warsaw, some of the most senior spy bosses from Poland, France and Britain gathered this week in a nondescript but well-guarded building used by the Polish secret services. Their coming together was a way of marking the anniversary of a moment three-quarters of a century earlier when their predecessors held a meeting in Warsaw that played a crucial role in the victory over Hitler in World War Two.

I feel guilty. What have I done, as a historian of sorts, to help elevate this from quiet obscure ceremony to normalcy?

Mostly, for at least five years, I have bored friends with stories and tweeted about Poland’s contributions, which doesn’t feel like enough. So here’s my blog post to move the ball forward.

This is inspired by a new story in The Telegraph that the Polish government says more needs to be done.

Polish codebreakers ‘cracked Enigma before Alan Turing’
Diplomats say Poland’s key part in the deciphering the German system of codes in WWII has largely been overlooked

Time to stop overlooking. Let’s do this. Say it loud and proud, Poland broke the Nazi Enigma.

The Telegraph in 2012 versus 2016

News from The Telegraph in 2012 was: “Honour for overlooked Poles who were first to crack Enigma code”

…decades after Nazi Germany’s Enigma code was cracked, Poland has gone on the offensive to reclaim the glory of a cryptological success it feels has been unjustly claimed by Britain.

Frustrated at watching the achievements of the British wartime code-breakers at Bletchley Park lauded while those of Poles go overlooked, Poland’s parliament has launched a campaign to “restore justice” to the Polish men and women who first broke the Enigma codes.

[…]

The 2001 film Enigma, in particular, ruffled Polish feathers. The British production starring Kate Winslet and set in Bletchley Park made little mention of the Polish contribution to cracking the codes, and rubbed salt into the wounds by depicting the only Pole in the film as a traitor.

Some really good background in this 2012 article in The Telegraph. It is well written and accurate. Curious then how different it is from the story told to us in 2016.

Instead of pulling forward the earlier work, The Telegraph wrote a whole new version in 2016 filled with poorly researched ideas, pointing more towards the recent Turing movie, “The Imitation Game”.

Here are some questionable statements that jumped out at me.

Telegraph 2016: Poland Passed the Baton

…few people realise that early Enigma codes had already been broken by the Poles who then passed on the knowledge to Britain shortly before the outbreak of war.

It was not so simple. The Poles did not just pass along knowledge “shortly before” war. More to the point, given the escalation path of 1938, why was Britain waiting to the last moment before fall of Poland and declaration of war on Germany to receive crucial intelligence on German Enigma? Why were Brits far more focused on the Soviets as a threat instead of Germany, and why so interested in Spanish and Italian Enigmas instead of German?

Perhaps another way of asking this is what did the 1938 Munich Agreement, British appeasement of Nazi Germany, tell the Poles about trust in potential allies and giving away secrets?

Codebreakers from Britain early in 1939 had a kind of stalemate with Poland via talks setup by France. The three sides weren’t aligned exactly. Simply put it was British arrogance that led them to believe that their ability to break Enigma was best. When they met with the Polish the first time the British left thinking there was nothing they could gain.

Once war with Germany seemed unavoidable by summer of 1939, Poland simply ran out of time waiting for better terms of collaboration or warmer relations with British intelligence. Just before Germany rolled over Poland, codebreaking basically shifted to France, where negotiations continued with real alignment on German Enigma as the most pressing concern.

Months were basically wasted before the British were caught out as laggards and had to realize they had mistaken French and Polish cautions about Germany for incompetence. England realized their error fortunately before it was too late and rushed to learn from Poland, as war with Germany was announced.

Telegraph 2016: Poles Needed Help

By the time war broke out the Germans had increased the sophistication of the machine and the Poles were struggling to make more headway.

I hate the way this sounds. Hope it goes without saying Poles were struggling because…betrayal by Soviet defenses and invasion by Nazis while the world stood by and didn’t help. A highly secretive code-breaking team wasn’t going to just carry on effortlessly while their entire country was carved up and dismantled.

Sure the Germans had made a change, but that wasn’t the first time they altered Enigma (see Rajewski’s leading work on the Enigma Eintrittwalze – “entry wheel” – before the British figured it out, or transfer of Zygalski sheets to Bletchley, where they were known as Netz, short for Netz verfahren – “lattice method”). Difference by the time war broke out? The Polish had to destroy all their secret decoding systems and escape to France. I’ve read at first they tried to go to Britain and were denied due to confusion and secrecy (British embassy could not verify their roles). I’ve also read they went straight to France, where politics prevented them from moving to Bletchley. The bottom line is from the end of 1939 through early 1940 Turing and other Brits visited and studied Polish methods, learning of plans for new machines and preparing to build up operations in Bletchley Park.

“Struggling to make headway” is not a fair characterization relative to the many earlier mathematical struggles, which Poles obviously overcame on their own. The Poles had reconstructed Enigma and solved for daily keys. What made it hard to continue making headway? Staying under difficult conditions in Vichy France.

One of the original three who cracked Enigma, Rozycki, was killed in 1942 (lost at sea). The remaining Poles tried to escape to Spain that year. Langer, Ciezki and Palluth were captured by Germans. Rajewski and Zygalski escaped and landed in a Spanish prison. Only in 1943 these two finally enter England, where they were pushed aside into the Polish army in exile.

Struggling to make headway shouldn’t be blithely blamed on sophistication of the Enigma. Poles already had made plans to step up their game, which were handed over to England, as they tried to fight in Vichy France and stay alive.

Telegraph 2016: Blame Hollywood

…despite their help, history and Hollywood has largely ignored their role. The most recent film The Imitation Game, starring Benedict Cumberbatch, barely mentioned the Poles.

That’s right. And it’s a damn shame. Given that The Telegraph wrote in 2012 that a 2001 movie gave an unfair portrayal of the Poles, how did Imitation Game repeat the error? I found the movie highly disappointing.

Even more to the point there was in 2001 a book called “Stealing Secrets” that should have given Imitation Game producers all the background they needed on the true Turing story. Stealing Secrets doesn’t mince words here:

With the tide of the war having changed for the better, Bletchley’s leaders must have concluded in the cold calculus of realpolitik that is no longer had anything to gain from the Poles. […] Even now that the facts of the Poles’ Enigma breakthrough are out in the open, they must still compete in the marketplace of knowledge with earlier fictions. […] For a decade before the truth emerged about the Polish achievement, however, most of the English-speaking public was fed a steady diet of fiction masquerading as fact. […] Therefore, anyone who believes that Bletchley Park paved the road to victory in World War II must give credit to Poland for designing the road and mixing the pavement.

“Must give credit to Poland” as sage advice in 2001 and yet Imitation Game does none of that.

While visiting Bletchley Park I talked with the keepers about how Turing was portrayed relative to the Poles. They told me the film was rubbish and unfair. Their frankness surprised me and I found it refreshing. They basically had nothing good to say about the movie’s portrayal of events.

Telegraph 2016: Blame the Soviets

“We were trapped on the wrong side of the Iron Curtain during the Cold War which meant we did not get the credit that we should have received and nobody wanted to admit that anyone in Eastern Europe had anything to do with Enigma.

The Americans and English weren’t trapped by Soviets yet they too chose not to give credit. Does the world really need the Poles to repeatedly convince us of these facts as if the West doesn’t get it? And were the Poles blocked by Soviets? Sort of.

First, put this in terms of the 1940 Katyn massacre.

The Soviets in 1940 rounded up and assassinated 22,000 Polish military and intellectual elites (doctors, lawyers, professors), taking them into the woods and shooting them all in the back of the head. This massacre aimed to destroy any Polish resistance to Soviet control. America learned these details in 1943 from American POW forced by Germans to look at mass graves left behind by Soviets. Instead of bringing the news to light, the US kept it all a secret under the pretense of avoiding friction with Stalin.

That context makes it highly plausible the West was not about to credit Polish intellectuals for breaking Enigma when Stalin was around. But here’s the problem, nobody before the 1970s (20 years after Stalin) got public credit for cracking Enigma. There was literally no risk.

Second, put this in terms of the 1980 Solidarność.

Being on the wrong side of the Iron Curtain at that time is more relevant to our topic because that’s when Bletchley Park started leaking the stories. Now we’re talking about a prime time for strong characters and thaw stories, a time of Polish greatness and the Solidarity movement.

Remember the hardships the Polish cryptographers faced in 1940s France? None of them, even during German capture, leaked details of their work to anyone. Secrecy was crucial to success even after the end of the war. It was a top secret operation that only started to be verified more than 20 years after Stalin was out of the picture.

So really it isn’t about the Iron Curtain. It is about lazy historians in the West not doing a proper job with the facts. Blame is global and can’t be put on the Soviets repressing Poland’s voice, especially since we’re actually talking about the 1990s when these secret stories reached public sources; started to appeal to wider audiences. Still, Poland has to tell the world again and again until we accept it.

Telegraph 2016: Enigma is From End of WWI

The Enigma machine was invented by German engineer Arthur Sherbius at the end of the First World Wat [sic] and were used by the military and government of several countries.

Sherbius was applying for a patent for the Enigma in February 1918. WWI ended in November. Given events between those months I wouldn’t say Enigma came at the end. To me that would imply December or the start of 1919. There may even be some significance in timing relative to 1917; that was the year American scientist Vernam was given a task to invent a communication channel the Germans could not break, as patented in 1918. So “developed during the war” would be most appropriate in my mind.

In terms of several countries use…in 1927 the British government gave Enigma plans to Foss and Knox, code breakers, for review. A book about Knox’s role in breaking Enigma explains how Foss reported in theory it “could be broken given certain conditions” knowing as little as fifteen letters to figure out the machine settings. This effort led to the British and French working together on deciphering Spanish (Civil War) and Italian (invasion of Ethiopia) military communications in 1936.

Here’s the key issue. Britain was not as keen to monitor German Enigma traffic, despite it being the most advanced, until long after the French and Polish had warned of its importance. France was able to extract German documentation and gave it to Poland, who then cracked this most advanced Enigma by 1933. That should put in perspective Britain listening to “several countries” signals in 1936. That was the year Germany was pushing into Rhineland and getting no push-back from Britain.

Telegraph 2016: Poland Involvement Well Known in WWII

…Polish involvement was well known during World War Two but during the communist time it was not so convenient to admit that there had been so much cooperation between Britain and Poland. It was a very special and very secret alliance.

This just makes no sense to me. It was top secret work, as mentioned above. No one knew about involvement, except those working in secrecy who couldn’t tell anyone outside. The secrecy extended well into the 1970s. During the communist time is when the story was not actually known, rather than being a convenience issue.

Also, rather than “admit…so much cooperation” I’d call it acknowledge the lack of working relationship once the British realized the Polish were ahead and captured all their secrets, as forced by German invasion of France.

Revisting Bletchley Park

What really would be nice to see is Bletchley Park incorporate French and Polish exhibits, perhaps even curated by representatives from those countries, to give factual explanations of their roles. After all it is meant to be a place to read about the “allied” effort. The Park could benefit from the help for upkeep and maintaining records. Meanwhile, visitors would get a more robust and fair portrayal of a “world” war.

At some point maybe I’ll post my photos here from my trip there, which show some of the odd statements made by British historians, minimizing the efforts of the Polish.

Reasons Against Remembering

Some want to erase history to make others look good; ignoring the Polish role as Allies lets the British or Americans stand out more.

Some want to erase history to make themselves look less bad; ignoring Polish role as Axis lets the Germans stand out more.

Either way overlooking real Polish history is bad for WWII history as well as our understanding of security. Bringing facts forward today should have no risk.

If we give credit to Polish code-breakers we are not diminishing the still monumental contributions of Alan Turing during WWII. We can be more correct in the presentation of historic facts without much impact or edits to Bletchley Park.

When we give credit to those in Poland who fought against Nazis and did so much right, it does not mean we can forget wrongs done by others, such as Erich von Zelewski the Polish Nazi who proposed creation of Auschwitz (just one out more than 10,000 prisoner camps under Nazi control, let alone nearly 1,000 forced labor camps for Jews inside Poland). By 1946 Nuremburg trials this Polish Nazi testified while he had no issue with Jews sent to die in camps he had “tried to prevent the destruction of Warsaw” and his work “saved hundreds of thousands of civilians and tens of thousands of soldiers of Polish nationality”.

As more sunlight comes for the Poles who fought against Nazis, it may clear the air for us to also discuss and better understand their opposite, the Poles who collaborated. So far we have the book “Hunt for the Jews: Betrayal and Murder in German-Occupied Poland“, which discusses “how the Germans were able to mobilize segments of the Polish society to take part in their plan to hunt down the Jews”. And we have dramatization films like Ida and Poklosie (Aftermath)

The 1946 Kielce Pogrom provides a sad study of how some Poles continued to kill even after the war had ended to try and finish what Germans could not – elimination of Jews from Poland. With that in mind please note a bill has been introduced in Poland making it illegal to mention any Nazi collusion. Such a bill of denial would be a tragedy for those of us who try to bring out examples of bad as well as good and learn from the past.

Right now we should remember a Polish team of mathematicians working with human intelligence for what they were: the first to crack the Nazi Enigma.

As I said at the start, this is no quiet affair. Time to stop overlooking. Let’s do this. Say it loud and proud, Poland broke the Nazi Enigma.

Posted in History, Security.