Code Making and Breaking

Two years ago the Naked Scientists were joined by Sani Aliyu, an infectious disease consultant from Addenbrooke’s Hospital, who was about to embark on a secondment to Nigeria - a country with one of the world’s highest populations and also one of the world’s highest burdens of HIV infection. In his role as Director General of the National Agency for the Control of AIDS in Nigeria, Sani set up and ran their largest HIV survey ever conducted. He’s now returned and has come in to report to Chris Smith and Adam Murphy on what his survey showed...

Sani - Well it's important because HIV, as we know, is an epidemic. You need to know the numbers in order to know how much resources you need to put in. You also need to know the numbers in order to define where the location is, what the population risks are, et cetera. In other words, for you to have impact - both in terms of testing, and putting people on treatment - you need to have an idea of the data. Data is what drives programming. And that's why it's so critical to have a survey that's accurate, that's good, and that can allow us to invest money properly.

Adam - Now surely this study didn't cost nothing, so wouldn't it have been better to buy, say, anti-HIV medication with that instead of this?

Sani - Well in the first instance, you need to identify people living with HIV first before you buy the HIV drugs and put them on treatment. And the only way you can do that is knowing where to target. In other words, hotspots. And what surveys do is they allow us to identify the main risk factors within a population - what we call a population-location approach - so the population that's most likely to have HIV; and then allows us to know exactly where to put our resources in. So in other words you'll be throwing good money after bad money if you don't know what you're targeting. In fact the Nigeria programme was a typical example. The US government have spent more than 4.5 billion US dollars on HIV in Nigeria over the last 15 years, global fund more than 1.5 billion. But despite that we're still pretty far off from identifying people living with HIV.

Chris - Sani, it’s soon going to be 40 years since we first discovered the virus that causes HIV/AIDS. Why is it only now you're collecting this sort of data in Nigeria? And why just focus on Nigeria? Why not the whole world?

Sani - So as you said earlier on, Nigeria has a very large population: about 200 million people. And before we did our survey, the estimates in terms of HIV burden was about 3... we estimated about 3.2 to 3.4 million people were living with HIV, which made Nigeria have the second largest HIV burden in the world.

Chris - I mean that's 1 in 10 of the world's HIV patients, isn’t it.

Sani - Exactly. So if you're really talking about epidemic control, you cannot have epidemic control without getting on top of the HIV problem in Nigeria. This is the first time that money has been invested properly in a survey to define the problem, because I think our own partners realise that they can continue chasing cases, testing thousands, hundreds of thousands of people to get a few positives. We need to be able to test a few hundreds in order to get positives so that we can put money, we can have the greatest impact when it comes to our investment.

Adam - So what did this study actually find then out the other end?

Sani - In summary we had three or four findings. First of all the burden of HIV, the prevalence of HIV turned out to be half of what was initially expected. So we estimate about 1.9 million people are living with HIV in Nigeria now instead of the 3.2-3.4 million initially. So the prevalence went down from 2.8% to 1.4% for ages 15 to 49. So that's huge. Secondly we realised that there were a lot more women having HIV than men - although globally that's the case. But what was even more significant was that young women were at least three times more likely to have HIV than young men of the same age group.

Chris - Does this mean you can strategically target better? If you know that now, you can go in and target certain demographics, certain groups, certain geographies much more specifically than we could before. So before it's just a blanket bomb approach, we've got a problem with HIV in Nigeria and countries like it. Now you've got this data you can be much more strategic.

Sani - Absolutely. So I'll give you an example: in the North West of Nigeria, the HIV prevalence was 0.6%. In the South South it was 3.1%. Fivefold. So really where we should be investing, where we should be putting money, is where we have the problem. So in the past we've been putting money mostly in the North Central and we've saturated the North Central, as was seen by the population-level biological suppression rates, which were pretty good, they were more than 60% in the North Central. But in other parts of the country, particularly the South South, the numbers were so low in terms of the number of people on treatment and biologically suppressed. And if you're biologically suppressed you do not transmit the virus. That's the best way to cut the epidemic really. So in a way this has allowed us to identify the areas, the location identified, the people that are most at risk, and put more resources in. In fact the US government in March, we had a meeting in Johannesburg, and they have put forward the money to put half a million Nigerians on treatment between now and the end of December 2020. So if that trend continues, as a public health threat, HIV will cease to be a public health threat in Nigeria. And it's simply because of the value of the survey we've had.

Chris - But just very briefly, 30 seconds: why should someone who doesn't live in Nigeria care about what you found? Why is this important?

Sani - From a human angle, it's important that we make sure that those that do not have the money to be able to have treatment are provided with that opportunity. The only reason why we still have, we have about 1.1 million Nigerians on treatment, is because they have been on treatment for a while. If today that treatment is taken away most of them will be dead within five years. In fact we looked at the burden of the HIV epidemic in Nigeria: without an HIV program in Nigeria we would have had at least 1.5 million more people dead, and we would have had at least 5 million Nigerians infected with the virus by now.

Recently we were advised that to stop a seagull stealing our chips and ice-creams at the seaside, we should stare at them... but a recent study also revealed that gulls are making off with something else much more serious, and this is something staring can’t prevent: they’re picking up our superbugs. In Australia, one in five seagulls studied was harbouring antibiotic-resistant human bacteria. Chris Smith went to see Sam Abraham, the scientist behind the discovery…

Sam - I’m Sam Abraham, I’m a microbiologist from Murdoch University. Seagulls across Australia are carriers of bacteria that are resistant to drugs of last resort, the ones that we really need the doctors to have to save our lives. So we went across Australia to pretty much most states. We took the seagull droppings and then placed them onto agar plates which are infused with certain drugs. Then we took the bacteria out to confirm that they are absolutely a resistant bacteria.

Chris - Are they resistant in the same way that those sorts of bacteria that cause infections in humans are resistant?

Sam - Absolutely, they are identical. So if you have an infection with this bacteria from these gulls you cannot treat it with the drugs available.

Chris - Where did the gulls get it then?

Sam - It's a very interesting question. In Australia we have a lot of gulls all around in beaches, parks, everywhere. They are typically marine feeders, but they've also picked up a habit of foraging on food waste. So if you come to Australia you will get your chips attacked by our gulls.

Chris - My Sat Nav counselled me to do the windows up and don't let the seagulls steal my chips. And you think that's how they catch, how they get these bugs?

Sam - That's one of the ways they interact with us, but they interact with human waste from landfill. They also hang around in our sewage and there is a lot of contact with drug resistant bacteria, for example bread in hospitals or nursing homes, where there's a lot of antibiotics used. And if the gulls are foraging for food in that area, they get exposed to it.

Chris - Would gulls normally have E. coli living in their intestines?

Sam - Normally we wouldn't expect these bacteria to be part of gull gut. These are human pathogens. So it is actually not the gull bacterium picking up the resistance, it's actually resistant bacteria from humans going into the gulls. There are no genetic differences between the bacteria we got out of the gulls and the bacteria causing disease in humans.

Chris - Do you think it's just here in Australia? Something inside me says absolutely not because gulls are everywhere and human practises about how we handle our rubbish, our waste and our sewage, they're going on everywhere as well.

Sam - Absolutely. If you have similar foraging habits, similar waste treatment, and the birds had the same behaviour, it will be a global phenomenon and it’s just that in Australia we did a very comprehensive study to prove that this is there, and I'm sure it'll be the same in the UK or in New Zealand or even the US.

Chris - And just gulls? Are you going to extend this to other birds, because there are lots of other foragers, crows, the crow family, magpies for example, they're really good at picking through rubbish and they hang around in the same sorts of places that gulls do. Do you think that the same phenomenon may well emerge there?

Sam - That is an area that we are studying. So gulls are what we call “colonial breeders.” They live in large colonies with a limit of predation. Any birds that are scavengers and have similar lifestyle to gulls we expect to see that. So we are looking at ibises, ducks, we have a study running in penguins and pigeons as well.

Chris - So would you anticipate that, because they are these colonial breeders, they’re hanging around these big groups, that as soon as one picks this up, is going to poop it out into the environment where the others are all hanging around. So even if only one picks it up initially, it can quite quickly establish in the rest of the colony? Is that why you've got this dramatic prevalence?

Sam - That's the hypothesis that we're working on at the moment, because the colonial breeding habitat also provides for the accelerated dissemination.

Chris - Closing the loop, it's gone from a human into a gull, and quite possibly other bird species as well. Evidence that it could come back, or feed back into and cause human infection again?

Sam - It goes back to your Sat Nav that’s giving you information about what to do with gulls. So it's to do with… if we interact with the same areas where the gulls interact and live, beaches, parks. So for example, my child going and playing in the play equipment that had fresh seagull dropping, and if he goes and plays and puts his hand on some fresh dropping, and accidentally put his hand in the mouth, he's going to immediately get inoculated. That is where our public health concern for this finding lies actually.

This is the part of the show where we read out your correspondence. First up, Mark Jacobsen is pondering how a tank moves forward on its continuous track...

Chris - Right well, this is very similar to the way that a digger on tracks actually moves. Inside those tracks, there's a cog on each end of the digger, and that cog engages with a groove on the underside of the track, and as the cog moves around, and the same way as a bicycle crank moves the bicycle chain, it actually advances the track and because the track is basically being picked up at one end and laid down at the opposite end, the digger rolls forward inside the track it's leaning forward, and the enormous surface area that you've got with those tracks against the ground means you get an enormous amount of traction, which is why things like big heavy earth moving machinery and tanks use them.

Adam - Brilliant. And meanwhile Nev asks: Why does the time on my digital wristwatch always end up being five minutes ahead within three months? I always turn it back but it still jumps ahead. Every digital wristwatch I have ever had did this.

Chris - Yeah I'm with you Nev, happens to me as well. The reason is that lots of these watches use crystals, they actually use a piezoelectric crystal. Basically what you do is you apply a small electric current to the crystal. The crystal is very finely shaped so that it vibrates when you put the electricity in, and it vibrates a bit like a miniature tuning fork and it does it, usually in those crystals 32,768 times a second, which means you can use that to work out roughly how fast the watch is ticking, but it does that at a certain speed which is determined by the temperature, and if you warm the watch up it will vibrate a bit faster. If you cool it down it will vibrate a bit slower, and because most people's watches are not very well insulated and they’re not a constant temperature, there is a wandering of that vibrational frequency of the crystal. So the watch timekeeping wanders. Really high quality watches and timepieces do two things; one, they insulate the crystal to stop the temperature variations happening so much, and also they incorporate machinery to correct for temperature variation but cheap watches like you’re £2.50 one you get from a Christmas cracker don't do that. So you just have to put up with the fact you're gonna be either very early or very late for you’re meeting pretty quickly.

It's time look at the maths side of codes. In the studio with Chris Smith and Adam Murphy is mathematician James Grime. They're discussing the World War II Enigma machine and the fact that the Poles cracked Enigma, and even built a replica machine to decode it, without ever having seen the real thing...

James - I know and people don't know that. And people should know this.

Chris - Have you seen one, because you know you work on this?

James - Yes. Yeah. So the Polish Double, which is where they reconstructed what an enigma machine must be. They had one at the Polish Institute and I did do some work with the Polish Institute a few years ago, where I did a talk at the Polish embassy about the Polish mathematicians.

Chris - How did they do what they did at Bletchley Park, then? How did that Bombe technique that she mentions work in order to crack that code? And what was the nature of the code that made it so hard to actually grapple with?

James - Okay so there's two things that make enigma difficult. First of all, there are lots of combinations. So I think we talked about, there's lots of combinations; too many to check. But the other thing that makes it very difficult is the moving wheels.

Chris - Because the simplest level is just substituting one letter for another isn't it?

James - It is.

Chris - But you're saying is moving wheels, is that because the substitution isn't the same every time. It's not - today A is E and tomorrow A is Z, it’s actually, right now A is Z but next turn of the wheel it's going to be D or something.

James - You’ve got it exactly right. So when the wheels turn, each letter of the message, it's been sent with a different code essentially, which makes traditional code breaking techniques impossible.

Chris - So how did the Bletchley Park team attack that?

James - Yeah. So what they were doing when they built these large BOMBE machines, what it was doing it was a process of elimination. So actually was trying to work out the plugboard, if I can tell you the truth. That’s the little wiring at the front and it was trying to work that out, if it found it was impossible, it would move on to another position and if it's impossible, it would reject, and it would reject, and it would reject. And this process of elimination was actually faster. So whatever you can't reject must therefore be the correct answer.

Chris - So in other words what they're doing is basically, a brute force attack on this thing, you take what you've stolen as the encrypted message, try what you think might be the solution, and see if you can decode it.

James - Just one step cleverer than brute force, because once you reject one answer, there's a whole family of answers you can reject at a stroke.

Chris - Oh, so you narrow down the opportunities and so that speeds it up. So how long was it taking them to do the average, to get the code for that day.

James - So on a good day you could check all your positions and find the correct setting in 20 minutes.

Chris - Right. But then obviously the work began, because then you got to feed all of the messages you have intercepted in, using that code and break them for that day.

James - Yeah. And what the codebreakers at Bletchley could do is, they could be reading these messages, these secret messages from the German army before the Germans had a chance to decode what they said. It’s amazing you can do that.

Chris - And how does everyone know what the settings will be for each day? Was that published somewhere so the German army knew what settings to use for what date?

James - Yes, so the Germans were given a key sheet, a large sheet of paper, and for each day of the month it told you how to set the machine for that day. Nice little story: The Navy would write those on blotting paper. So if your ship gets torpedoed and wet, that would wash away. That's how you keep the secrets of those codebooks.

Chris - Now people thought this was unbreakable. Obviously, it wasn't because the clever people in Poland, and also at Bletchley Park did suss it out and they got to the bottom of it. Is it possible mathematically though James, to make codes that are not breakable?

James - Yeah. There is such a thing as an unbreakable code. So that is called a one time pad cipher. And it's not that difficult to explain. I could explain it now. So you might have tried as a child, a shift code where you shift the alphabet across. You might shift it three across, or four across.

Chris - Do you mean that every time I should write A, I write C or D or something?

James - Exactly. Yeah. So if we shift it one, A would become B and a B would become a C. Now there are 26 possible ways we could shift the alphabet. Now a one time pad, does the same idea but it uses a different shift for each letter of the message.

Chris - That's what an enigma does, isn’t it?

James - Exactly that's what it has in common with enigma. Now if you do that, me and my friend, we have to share that sequence of shifts. Then my friend can just reverse it and get the message back.

Chris - But the vulnerability is that I could find out what that series of shifts is because someone else knows it?

James - Yeah. If you can steal that key. Absolutely. That's one of the problems. But if you steal the code and don't know the key, you'd have to try every possible shift on each letter of the message. What you get is every possible decryption. What you're doing is taking each letter for the message and you're allowed to shift it as many places as you want. Now if you don't know and you just try every possibility, you could make it say any possible message

Chris - Oh. Oh that would be nasty wouldn't it? Is anyone actually using that? Is that in industrial use.

James - I have heard that it is something that is used between the president of Russia and the president of America. I can't believe Trump and Putin are sat there doing their one time pad ciphers. But that is something I've heard, but it is slightly impractical as a code. The closer we can get to that idea in principle, though, the closer we are to an unbreakable code.

Chris - And did you have a code as a kid? Because I mean people like Samuel Pepys wrote his diary in code. Julius Caesar wrote in code, did you have a secret James Grime code as a kid.

James - I did. I used to write my words backwards and put a Z at the end.  And I thought, Ah, no one will ever be able to break my secret code.

Chris - And?

James - Of course no one did. No one cared!

To consider how we keep modern technologies secure today, Chris Smith and Adam Murphy are joined by Cambridge University computer scientist Markus Kuhn... Do they really use a lava lamp to generate random numbers like that?

Markus - Not really! The lava lamp it's a bit of a PR gag. But it does illustrate that there is a problem that computers have. Computers are very deterministic devices: they do each time you ask them something to do exactly the same thing. So it's actually a problem: how do you cause a computer to generate a random number. For example you have devices that come off the end of a production line, there have been problems with things like Internet routers, Internet of Things devices, that had actually quite a lot of similar keys...

Chris - I'm with you. So when you build a security camera that's on a production line, the flaws in whatever the system are that makes it choose its secret number, that flaw is going to make all of them make a similar mistake make choosing similar numbers that make them more crackable?

Markus - There have been studies where people scanned the secret keys used by millions of Internet cameras, and they did find thousands that actually used the same key for that reason: because the manufacturer didn't have a lava lamp, or some other secure mechanism to create the random numbers!

Chris - So how do they then get round this?  What are they using?

Markus - So mouse movements are pretty good...

Chris - ...you're telling me, on a production line, there's a bunch of people wiggling a mouse like that! Surely not!

Markus - If it's a microprocessor that goes into one of these routers, Internet of Things things, the most modern ones actually have a special hardware random number generator on the chip, and what they normally use is a noisy amplifier. So they build a deliberately bad amplifier and a microphone input, and then they just sample the noise that comes out of that analog electronic amplifier for a second or so...

Chris - ...and that makes the random noise?

Markus - That's the randomness. Yes.

Chris - In recent years there's been a really big shift towards encrypted connections on the Internet. So when you go onto Facebook, or you go onto your email, nowadays we're looking for "HTTPS" and that little padlock icon. What does that actually mean?

Markus - So there's three things going on that the HTTPS protocol does: it encrypts your connection; it provides you with confidentiality, so if someone taps your phone line they can't actually see what you're doing on the network; it protects the integrity of the connection, so it prevents someone to modify the data, and it protects the authenticity of the connection. So, for example, if you go to the website of your bank you can be assured that this is actually the genuine bank's website and it's not the mafia having copied the bank website and redirected your traffic to it in order to steal your password.

Chris - How would you know, though, or how would you defend against, let's say I set up a Wi-Fi hotspot and Adam comes along and he connects to it, and he connects to his bank and does some online banking. But let's say I actually I take the data he's sending and I fool him into thinking he's got a secure connection - because I make one to him - and, meanwhile, I take what he sends to me and I send this to you the bank. And you both think you're talking to the right person, but actually I'm copying all the information that's flowing between the two of you. How is that defended against?

Markus - This can be done. This is known as a "grand master chess attack" because it's a very similar trick you could play to pretend to beat a grand master in chess where you just have two chess games with two different chess masters and you just pass their moves on to each other. And both of them think they are actually playing with you, whereas you are actually causing them to play against each other. And in cryptography, this is also known as a "middle person attack". So it's quite important that there is some confirmation of the authenticity that both of these communications are actually using the same keys. And this is done using something called a "digital certificate" to digitally sign the host name - the name of the computer - with the key that's being used by your bank for example. And there exists organizations call certification authorities that publish a kind of phone book of which organization is using which keys. Web browser does is it makes essentially this kind of telephone book look up: does the key that's being offered by your bank actually match the official key of that bank?

Chris - But if my web browser can do that, a criminal can do that can't they? What's to stop a criminal just looking up these keys and then emulating or copying them?

Markus -  They can look up the public key, but the public key is only useful to verify the authenticity: the public key cannot be used to actually signed the data packets that come across. For that you need the corresponding secret key, but that is being kept by the bank. So there's a piece of information in the bank computer that the criminal does not have access to.

Chris - What are the criminal masterminds doing to try to outwit this?

Markus - So most attacks against these systems on the on the Internet today are not actually breaking the cryptography, because the methods have been become extremely secure, extremely sophisticated. They mostly trick the users into not paying particular attention. They for example will change the name of the computer to sound similar to your bank. But, actually, some of the letters are from a different alphabet. So there have been cases where the name of a well-known bank has been spelled in the Cyrillic alphabet, where some letters look identical and people didn't realise they're actually talking to a slightly misspelled version of your bank. So it's quite important that you are very carefully look at the name of your bank in this bar above the web page.

Chris - And just in finishing, Markus, are there three top tips you could offer our listeners for the best way not to fall prey?

Markus - Using a password manager - using separate password on every website - is probably the top one. The second one is whenever you enter a password, make sure you first check the address that this is exactly the address that you are expecting. The third most important tip is, whenever you receive unsolicited e-mail, be extremely suspicious of any links in that e-mail, because very likely this is a fraudulent e-mail and it's just designed to lure you into a fake version of the company's Web site...