New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong
from the multiple-missed-opportunities dept
As Techdirt has reported, politicians (and some journalists) haven’t waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had “gone dark,” but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on:
For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory.
Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens who had been trained in Syria and had returned to carry out terrorist attacks — usually unsuccessfully. And yet:
in each instance, officials failed to catch — or at least to flag to colleagues — the men's ties to the nascent Islamic State.
Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014:
Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words “Islamic State of Iraq and Syria,” Belgium's deputy prosecutor, Ine Van Wymersch, dismissed any connection.
“He probably acted alone,” she told reporters at the time.
Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate “at least 8 suspects” with links to those attacks:
All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.
The security bulletin gives a sense of ISIS’ geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively.
The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.
@thegrugq has written a good piece on Medium analyzing the system. It seems the discontinued encryption program TrueCrypt was provided by ISIS on a USB drive. The program was used to place one or more messages inside an encrypted volume, which was then uploaded to an inconspicuous online site. By employing a shared password to encrypt the volume, more than one person could read the messages in a relatively secure and anonymous way. The system creates a kind of digital dead letter drop that can’t be addressed simply by mandating crypto backdoors.
That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following:
This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down.
Using crypto is hard, and easy to get wrong — which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don’t take my word for it, just ask the person who was using the TrueCrypt system described above. Here’s what the French police discovered when they arrested him last August:
Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt.