And the winner of the World War Two steganography competition is...

Filed Under: Cryptography, Featured

Last week, we wrote about a steganographic code that was used by the British during the Second Word War.

The idea was to provide a mechanism for captured officers to be able to send useful military intelligence home, hidden in plain sight in letters to their families.

You can't use a full-on cipher (where the entire text is scrambled unrecognisably) or a code (where each word is replaced by another from a giant codebook), because the enemy would be onto you immediately:

Dearest Mother. The Germans have granted me an extra letter home each month. APRFR BRSEF WEEVR MWEKR PAAWS TZJGA AQYIV RGEJF WSSUV NWKLP EESEM HGIJI. Please go to the Church on the Hill and say ambidextrous tractor wanderlust lumbago underground abundant xylophone.

It's not going to pass the censor, is it?

Also, of course, by the time you've been lost at sea, rescued, interrogated, shipped to a prison camp and fed for years on meagre rations, you might struggle to remember the minutiae of the cipher or the code, since it all has to be done in your head.

MI9 (no, I'd not heard of anything other than MI5 and MI6 before now, either) settled on a system of burying the raw words of one message inside another: steganography.

You mixed up the order of the words in your secret message using an easy-to-remember system, then you slotted them into your letter home.

Don't forget that your prose still had to look like a letter home, both to the Nazi censors and to your family, since for obvious operational reasons, even your nearest and dearest couldn't know about the subterfuge.

It's actually a lot harder than it sounds, and, outside a prison camp at least, quite fun to give it a try, so we ran a competition.

Take this fifteen-word bulletin:

Mix up the message and drop the words in a 4-5-4-5 pattern in your letter, like this:

. . . DAILY . . . . SEARCHED . . . DOUBLED . . . . AIR . . . HOUR . . . . BUNGALOWS . . . GUARD . . . . AND . . . 24 . . . . MOVEMENTS . . . COVER . . . . ARTILLERY . . . WITH . . . . RAILWAY . . . INCREASED . . . .

During the war, of course, there was a convoluted system for spelling out dodgy words like ARTILLERY, and artistic licence would have let you write words like BUNG instead of BUNGALOW, but we didn't allow shortcuts or longcuts.

We promised a Naked Security T-shirt to person who hid the military missive in the most believable cover letter describing something they'd done in the past week. (You can see the full list of solvers as comments to the original article.)

So here are our favourite entries.

An honourable mention goes to my friend and Naked Security colleague Graham Cluley, whom I challenged to turn the secret message into a rant about Facebook:

Impressive. But there were even better submissions, and anyway Graham can't win. He did it just for fun.

Another honourable mention goes to Randy Tayler, who submitted the first valid answer, and who created a most believable "keep the faith" letter home that a newly-incarcerated prisoner might have written:

Randy nearly won, but he cheated slightly by adapting ARTILLERY and RAILWAY to ART and RAIL, so we had to be strict spymasters and disqualify his entry.

Also deserving special mention is Joe, who wrote about the hassles he had at the tropical hotel where he just took a vacation:

The reason we liked Joe's answer is that it passed the realism test because we nearly deleted it as a genuine but unsolicited sales email. (For some reason Naked Security gets a fair amount of "aircon maintenance" spam.)

And top marks for trickery go to Blake, who managed to turn the message into an IT security story about passwords, though he was forced to admit it was "a bit of a copout":

And the winner is Neil Hunter, who used a story about house hunting as a cunning way to disguise BUNGALOW, ARTILLERY and RAILWAY:

Well done to everyone who had a go, especially to Emiliano, who not only isn't a native speaker of English, but also managed to turn what started as military information into a complaint about spam.

(I haven't repeated his entry here, for reasons that will be obvious if you look for yourself, but in his own words, "only sexual metaphors can make ARTILLERY and RAILWAY look a bit less suspicious.")

By the way, Neil, I can't seem to contact you via the information you posted with your winning entry.

So if you want to receive your prize, you'll have to email tips@sophos.com to tell us where to send it.

, , , , , , ,

You might like

3 Responses to And the winner of the World War Two steganography competition is...

  1. Awesome challenge.

  2. Clayton Olson · 439 days ago

    I was on board with your choice for winner until the last phrase, "RAILWAY use is now INCREASED." The use of the two words in the same phrase so closely match
    the original phrase that it would have been suspect.

    • Paul Ducklin · 436 days ago

      True, which is why in WW2 they'd no doubt have chosen better in the original message.

      But for a real estate deal in any English town in which the railway station survived Dr Beeching's axework, increased railway use on houses near the line is the sort of thing you might well write about.

      I so nearly overlooked Randy's "RAIL" and "ART", but...decided to be strict :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog