Yes, ISIS Is Using Encryption — But Not Very Well
from the a-comedy-of-errors dept
I’ve been seeing a few anti-encryption supporters pointing to a new ProPublica report on terrorists using encrypted communications as sort of proof of their position that we need to backdoor encryption and weaken security for everyone. The article is very detailed and thorough and does show that some ISIS folks make use of encrypted chat apps like Telegram and WhatsApp. But that’s hardly a surprise. It was well known that those apps were being used, just like it’s been well known that groups like Al Qaida were well aware of the usefulness of encryption going back many years, even predating 9/11. It’s not like they’ve suddenly learned something new.
So, the fact that they’re now using tools like WhatsApp and Telegram is hardly a surprise. It also kinda highlights the idiocy of trying to backdoor American encryption. Telegram is not a US company and WhatsApp’s encryption is based on the open source Signal protocol, meaning that any American backdoor encryption law isn’t going to be very effective.
But, really, what strikes me, from reading the whole article beyond the headline notion of “ISIS uses encryption,” is that it lists example after example of the fact that folks in ISIS use encryption badly and often seem prone to revealing their information. This is not unique to ISIS. Lots of people are not very good about protecting themselves. Hell, I’m probably not very good about my own use of encryption. But, of course, I’m also not trying to blow things up or kill people. Either way, story after story after story in the article highlights the rather bumbling aspects of teaching ISIS supporters how and why to use encrypted communications and to avoid surveillance. My favorite example:
On Jan. 4, 2015, an exasperated coordinator repeatedly explained to a befuddled caller with a Lebanese accent that he could only bring a basic cell phone to Syria, according to a transcript.
“The important thing is that when you arrive in Turkey you have a small cell phone to contact me,” the coordinator said. “Don’t bring smart phones or tablets. OK, brother?”
For the fourth time, the recruit asked: “So we can’t have cell phones?”
“Brother, I said smart phones: iPhone, Galaxy, laptop, tablet, etcetera.”
Sounding a bit like a frustrated gate agent at a crowded airport, the coordinator added: “Each of you can only bring one suitcase. If you come alone, just bring one suitcase. That is, a carry-on and one suitcase.”
“I didn’t understand the last thing, could you explain?”
“Brother, call me when you get to Turkey.”
Then there was the case where someone planned a plot using an encrypted WhatsApp conversation, but police were already bugging the guy so they heard what he was saying anyway:
In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.
In the message, the unidentified “sheik” declared: “Detonate your belt in the crowds declaring Allah Akbar! Strike! (Explode!) Like a volcano, shake the infidels, confront the throng of the enemy, roaring like lightning, declare Allah Akbar and blow yourself up, O lion!”
The suspects exchanged recorded messages over WhatsApp, an encrypted telephone application that is widely used in Europe, the Arab world and Latin America
All of these examples keep making the same point that many people have been making for a long time. Yes, encryption hides some aspect of communications. That’s part of the point. But the idea that it creates a “going dark” situation is massively exaggerated. There are many other ways to get the necessary information, through traditional surveillance and detective work. And the report suggests that’s working. And the fact that many ISIS recruits are particularly unsophisticated in understanding how and when to use encryption only makes that kind of thing easier for people tracking them. In discussing the Paris attacks, for example, the article notes that while some of the attackers were told to use encryption, they didn’t.
Abaaoud’s operatives did not always follow security procedures, however. In June of last year, Turkish immigration authorities detained Tyler Vilus, a French plotter en route to Paris with someone else’s Swedish passport. Allowed to keep his cellular phone in a low-security detention center, Vilus brazenly sent an unencrypted text message to Abaaoud in Syria, according to a senior French counterterror official.
“I have been detained but it doesn’t seem too bad,” the message said, according to the senior official. “I will probably be released and will be able to continue the mission.”
Instead, U.S. spy agencies helped retrieve that text and French prosecutors charged Vilus with terrorist conspiracy.
Anyway, it’s no surprise that terrorists are going to use encryption. Of course they have been for over a decade and will continue to do so. The issue is that it’s not as horrible as law enforcement is making it out to be. Plotters have always been able to plan in ways that law enforcement has been unable to track (such as discussing in person, in other languages, or through simple ciphers or codes). That’s always happened and somehow we managed to get by. Yes, sometimes law enforcement doesn’t get to know absolutely everything about everyone. And that’s a good thing. And sometimes, yes, that means that terrorists will be able to plan bad things without law enforcement knowing it. But that’s part of the trade-off for living in a free society.
Comments on “Yes, ISIS Is Using Encryption — But Not Very Well”
Security is hard
The easy availability of strong crypto does make security a bit easier, but it has always been true — and will always be true — that security is hard.
That’s because security is not a matter of deploying a tool, no matter how powerful. To be secure against serious threats requires careful attention to every aspect of procedures and behavior, both electronic and not. Weakness in any aspect of the overall effort weakens all aspects.
As a common example of the truth of this, look at the excellent and common advice given regarding everyday passwords: never use a given password for more than one thing. That way if the password is exposed, only one thing is compromised.
Behavior is at least as important to security as technology is.
I had to re-read that phrase “anti-encryption supporters” 3 or 4 times. It seems like a double regressive statement to be a supporter of going backwards.
As far as the effort itself, these folks are going to be quite shocked to find out that it is possible to create and install android apps on your own. When they find out it is possible to employ encryption without being blessed by the google they are likely going to blow a hemorrhoid. By their reasoning, that is going to mean it is time to make android illegal because terrorists use it.
Then again terrorists use toilets. We should get rid of those things too. Nothing good ever came out of a toilet.
Seems like good ole fashioned Police Work was the Italians’ answer to going “dark.”
The whole exchange:
“The important thing is that when you arrive in Turkey”
Reminds me of 15 years ago when I started out as a level 1 tech helping clueless users use fairly simple technology.
There has to be something said about the person that’s willing to blow themselves up for a “God.” The law and media acts like these are sophisticated individuals when in reality they are borderline retarded.
I read that somewhere else yesterday and just laughed at the Abbott and Costello-esque nature of the conversation.
Even the “sheik’s” rant was South Parkish in nature.
One if by Land and Two if by Sea
Those colonial terrorists used encryption too. Let’s get me out of the history books. Oops, they used lanterns, so they were actually going light instead of going dark……
Re: One if by Land and Two if by Sea
Tristate digital. The founders were digital terrorists! Who’d a thunk?
I missed this the first time from the 2001 article:
“Hidden in the x-rated pictures on several pornographic web sites”
Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites? (And visit strip clubs)
Sound farfetched? It may because:
“US officials and experts say it’s the latest method of communication”
Oh. Whew. As long as it’s US officials and unnamed “experts” I’m ok. /s
I thought the method was flash drives and couriers? Oops, there I go thinking again.
“Hey, boss, we’ve found that the terrorists are communicating by hiding messages in porn pics. We’ve put together a team to monitor this channel 24/7….”
Re: Re: Re:
I’d volunteer. 🙂
Re: Re: Re:
Yep, that’s why we are looking at porn at work all day long.
Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites?
ABC News reported on this yesterday. Retired Lt. Gen. Michael Flynn, a former head of the Defense Intelligence Agency is quoted as saying:
Not seeing the Forrest for the Terrorists
Terrorists may use encryption, they may use it poorly, or not at all. Or they may then reveal an encrypted communication after the fact, not thinking.
But you are missing the real issue about Going Dark.
American Citizens are increasingly Going Dark by using encryption. For everyone’s protection, decryption must be very easy, or even unnecessary for even the dumbest of cops. This makes it easier to access everything about your private life when looking for something to charge you with.
Re: Not seeing the Forrest for the Terrorists
The leader of the biggest, terrorist state in history, Julius Caesar, used encryption. In fact, the encryption technique he used is named for him. Although, if you disagree that Rome was a terror state and one of the good guys then you might want to argue that statistics should be outlawed because from that point of view the terrorists use basic frequency statistics as a way to defeat the Caesar Cypher.
Re: Re: Not seeing the Forrest for the Terrorists
you might want to argue that statistics should be outlawed because from that point of view the terrorists use basic frequency statistics as a way to defeat the Caesar Cypher.
Yep. Sounds like a violation of the DMCA’s ban on circumvention tools to me. Ban statistics!
Hiding messages in porn is how most women break up with their man overseas… You think it will be great until you see your friend with your woman then divorce papers come shortly after..
I am sure even as we speak the FBI are creating a false terrorism plot that heavily relies on encryption for the attack to work.
When you fail to achieve your despot desires legally, just do it illegally.
Released into the Wild
There are, without doubt, several ‘truly unbreakable’ encryption algorithms already in use worldwide. Like nuclear weapons, to this point, it is predominantly a case of the rich, powerful and corrupt (aka: governments) which have them. We act like we don’t fear the government, but they are most-assuredly wanting us to fear ‘unbreakable encryption’, so to that point, you have to ask, ‘if you have it, and we aren’t supposed to fear you, then why and who should we actually fear having it?’
If a ‘real, unbreakable encryption’ was released onto the internet, with any time at all before it was noticed, especially in code-form (where any programmer could download it and compile it at his will), the whole fantasy of ‘encryption control’ would be forever gone. What then, once the government worked on a leveled playing field with the ‘average Joe’? Governments seem to think they can print money, to finance any ‘overcoming’ of the little guy they might deem needed. What if that wasn’t ‘really’ the case? It’s only a matter of time…and a good C-programmer.
Re: Released into the Wild
Unbreakable algorithms have been known for many years. With the advent of the PC one time pads have been trivial to create. A simple XOR, or possibly a more complex mutation, based on two numbers is unbreakable.
One specifying a particular CD, the other the starting bit. This trivializes the bane of prePC one time pads — the complexity of passing on the pad definition.
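An added example, not part of the comment thread or of any commenter's code: the scheme described in the comment above, with pad bytes taken from a shared source at an agreed offset and XORed with the message. The one-time-pad guarantee holds only while the pad is random, secret and never reused, so the hypothetical `PadBook` helper refuses overlapping ranges, and `reuse_leak` shows that two ciphertexts made from the same range XOR to the XOR of the plaintexts. Assumptions: `os.urandom` stands in for the shared pad source, and offsets are in bytes rather than bits.

```python
import os

# Constructed stand-in for the shared pad source (the comment suggests a CD).
# Assumption: offsets are counted in bytes here, not bits, to keep it short.
PAD_SOURCE = os.urandom(4096)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """Hypothetical helper: hands out pad bytes and refuses to reuse any."""

    def __init__(self, source: bytes):
        self.source = source
        self.used = []  # (start, end) ranges already consumed

    def take(self, start: int, length: int) -> bytes:
        end = start + length
        if start < 0 or end > len(self.source):
            raise ValueError("pad exhausted: message does not fit in the pad")
        if any(start < e and s < end for s, e in self.used):
            raise ValueError("pad range overlaps one already used")
        self.used.append((start, end))
        return self.source[start:end]


def encrypt(book: PadBook, start: int, message: bytes) -> bytes:
    return xor_bytes(message, book.take(start, len(message)))


def decrypt(source: bytes, start: int, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, source[start:start + len(ciphertext)])


def reuse_leak(source: bytes, start: int, m1: bytes, m2: bytes) -> bytes:
    """Encrypt both messages with the same pad range; return c1 XOR c2."""
    pad = source[start:start + max(len(m1), len(m2))]
    return xor_bytes(xor_bytes(m1, pad), xor_bytes(m2, pad))


if __name__ == "__main__":
    m1, m2 = b"constructed message one", b"constructed message two"
    book = PadBook(PAD_SOURCE)
    c1 = encrypt(book, 0, m1)
    print(decrypt(PAD_SOURCE, 0, c1) == m1)  # round trip with the shared pad
    print(reuse_leak(PAD_SOURCE, 64, m1, m2) == xor_bytes(m1, m2))  # pad cancels
```

The zero bytes in the `reuse_leak` result mark every position where the two constructed messages agree, which is why the bookkeeping in `PadBook` matters as much as the XOR itself.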
Re: Re: Released into the Wild
Yep. Unbreakable crypto is well known and technically easy to do without the need for computers at all.
The hard part is the key exchange. After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?
PKE is an engineering tradeoff — the crypto is strong but not mathematically unbreakable, but the win is that the key exchange problem is rather dramatically improved (and, if you do it right, is solved).
Re: Re: Re: Released into the Wild
After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?
Because of temporal and spatial differences. Keys can be exchanged at a time and place that secure channels are available, and then used later to communicate when secure channels are not available.
Re: Re: Re:2 Released into the Wild
Yes, of course. I should have been more precise — I was referring more specifically to (the more common) cases where such coordination is not possible, such as people who are never physically in the same space at the same time.
Turns out ISIS weren’t using encryption at all, everything they post is just made-up randomized crap.
OMG, it’s encryption we just can’t crack…….**panic**
Knowing Daesh, their alcoholic, drug-taking paedophilic leader probably just fell into a drunken stupor, rolled their heads on the keyboard and accidentally pressed POST.
Terrorists do lots of things. Generally wear shoes, eat, breathe and possibly use encryption. Are we willing to ban shoes, food, and air to Americans because terrorists may use those things?
Terrorists win by inducing the leaders to exert more and more restrictions on the citizenry, and creating irrational fears in the population. I have reason to be more afraid of police and other LEOs than I do of terrorists. Police will kill far more people in the US this year than terrorists will. Indeed, including the deaths from 2001, police have killed more people, many innocents, in five years than terrorists have killed in the last 15.
Who is more to be feared?
No, just ban all encryption.
But don’t complain when your credit card information gets stolen because Amazon can’t encrypt their site. And don’t complain when your bank account is drained because banks aren’t allowed to encrypt their sites either.
There are a lot of FUCKNUTS in the world. It’s not just a US problem. Most of the people cops shoot deserve it. Don’t forget that.
Re: Re: Terrorists
Most of the people cops shoot deserve it. Don’t forget that.
How have they managed to miss you so far?
Re: Re: Terrorists
“Most of the people cops shoot deserve it.”
Cops don’t get to decide who “deserves” it.
And that “most” there in your sentence doesn’t bother you any?
But, of course, I’m also not trying to blow things up or kill people.
Do you keep your writers well restrained in cages? If not you could be contributing to the cause, even if unknowingly. /derp
Some asshole most likely a muslim just said that the west has a morbid fascination for the bloodshed in Nice, France. I have no doubt he is attempting to push his brotherhood islamists agenda on FRNC24.
“Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites?”
I read somewhere that ‘terrorists’ use online forums to communicate on a regular basis. Some of these can be erotic sites. Who’s gonna think that is even possible for bearded asexual anarchists? Perfect.