This isn’t new but but it was news to me.
As Bruce Schneier pointed out back in 2007, most of the aspiring terrorists arrested in the West have been, to put it bluntly, complete idiots, a trend that has been replicated in the Australian terror cases that have resulted in convictions. Here’s another example, from the United Kingdom.
In 2011, Rajid Karim, a British “IT specialist”, was sentenced to 30 years jail for planning terrorist attacks against his employer.
To communicate with his co-plotters in Bangladesh, Karim used a secret coding method devised by the group. As explained better by Duncan Campbell here, while the group had access to encryption tools that were state of the art – at least, they implemented the standard state-of-the-art encryption mehods from the open literature. The head of “Al-Queda in the Arabian Peninsula”, the now deceased Anwar Al-Awlaki, urged the group to use these tools. If he’d used them, the messages he sent would have been extremely difficult to descramble in transit.
However, because these methods had been invented by the “kuffs” (that is, people other than Islamist extremist wannabe terrorists), Karim preferred to use “Tadpole”, the group’s own custom encryption method.
Tadpole turns out to be a “monoalphabetic substitution cypher”. That is, they defined a table of substitutions
something like this one:
Original -> Coded
A -> W
B -> J
C -> K
Z -> L
Yep, that’s right. Each “A” gets replaced with a “W”, “B” with “J”, and so on.
This isn’t quite as easy to break as the classical Caesar cypher (the “shift X positions in the alphabet” method). But it’s still extremely easy. All you need is to count the frequency of letters in the coded message, and map it to a letter frequency table for the language the message is written in to narrow down the possibilities.
These cyphers have been known to be insecure for at least 1200 years, apparently; and, ironically enough, according to Campbell it was an Arabic mathematician who figured out how to decode them!
The details of this are of course available in any number of easily accessible books on cryptography, or indeed in Wikipedia, and the attack is simple enough that any half-competent programmer would have been able to verify it themselves. Heck, you don’t even need a computer – a simple letter frequency table and pencil and paper would do.
But these guys’ combination of paranoia about the “kuffs”, incompetence, and hubris led them to continue to attempt to secure their communications with the rough equivalent of Pig Latin.