Yes, ISIS Is Using Encryption -- But Not Very Well

from the a-comedy-of-errors dept

I've been seeing a few anti-encryption supporters pointing to a new ProPublica report on terrorists using encrypted communications as sort of proof of their position that we need to backdoor encryption and weaken security for everyone. The article is very detailed and thorough and does show that some ISIS folks make use of encrypted chat apps like Telegram and WhatsApp. But that's hardly a surprise. It was well known that those apps were being used, just like it's been well known that groups like Al Qaida were well aware of the usefulness of encryption going back many years, even predating 9/11. It's not like they've suddenly learned something new.

So, the fact that they're now using tools like WhatsApp and Telegram is hardly a surprise. It also kinda highlights the idiocy of trying to backdoor American encryption. Telegram is not a US company and WhatsApp's encryption is based on the open source Signal protocol, meaning that any American backdoor encryption law isn't going to be very effective.

But, really, what strikes me, from reading the whole article beyond the headline notion of "ISIS uses encryption," is that it lists example after example of the fact that folks in ISIS use encryption badly and often seem prone to revealing their information. This is not unique to ISIS. Lots of people are not very good about protecting themselves. Hell, I'm probably not very good about my own use of encryption. But, of course, I'm also not trying to blow things up or kill people. Either way, story after story after story in the article highlights the rather bumbling aspects of teaching ISIS supporters how and why to use encrypted communications and to avoid surveillance. My favorite example:

    On Jan. 4, 2015, an exasperated coordinator repeatedly explained to a befuddled caller with a Lebanese accent that he could only bring a basic cell phone to Syria, according to a transcript.

    “The important thing is that when you arrive in Turkey you have a small cell phone to contact me,” the coordinator said. “Don’t bring smart phones or tablets. OK, brother?”

    For the fourth time, the recruit asked: “So we can’t have cell phones?”

    “Brother, I said smart phones: iPhone, Galaxy, laptop, tablet, etcetera.”

    Sounding a bit like a frustrated gate agent at a crowded airport, the coordinator added: “Each of you can only bring one suitcase. If you come alone, just bring one suitcase. That is, a carry-on and one suitcase.”

    “I didn’t understand the last thing, could you explain?”

    “Brother, call me when you get to Turkey.”

Then there was the case where someone planned a plot using an encrypted WhatsApp conversation, but police were already bugging the guy so they heard what he was saying anyway:

    In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.

    In the message, the unidentified “sheik” declared: “Detonate your belt in the crowds declaring Allah Akbar! Strike! (Explode!) Like a volcano, shake the infidels, confront the throng of the enemy, roaring like lightning, declare Allah Akbar and blow yourself up, O lion!”

    The suspects exchanged recorded messages over WhatsApp, an encrypted telephone application that is widely used in Europe, the Arab world and Latin America.

All of these examples keep making the same point that many people have been making for a long time. Yes, encryption hides some aspect of communications. That's part of the point. But the idea that it creates a "going dark" situation is massively exaggerated. There are many other ways to get the necessary information, through traditional surveillance and detective work. And the report suggests that's working. And the fact that many ISIS recruits are particularly unsophisticated in understanding how and when to use encryption only makes that kind of thing easier for people tracking them. In discussing the Paris attacks, for example, the article notes that while some of the attackers were told to use encryption, they didn't.

    Abaaoud’s operatives did not always follow security procedures, however. In June of last year, Turkish immigration authorities detained Tyler Vilus, a French plotter en route to Paris with someone else’s Swedish passport. Allowed to keep his cellular phone in a low-security detention center, Vilus brazenly sent an unencrypted text message to Abaaoud in Syria, according to a senior French counterterror official.

    “I have been detained but it doesn’t seem too bad,” the message said, according to the senior official. “I will probably be released and will be able to continue the mission.”

    Instead, U.S. spy agencies helped retrieve that text and French prosecutors charged Vilus with terrorist conspiracy.

Anyway, it's no surprise that terrorists are going to use encryption. Of course they have been for over a decade and will continue to do so. The issue is that it's not as horrible as law enforcement is making it out to be. Just as plotters have always been able to plan in ways that law enforcement has been unable to track (such as discussing in person, in other languages, or through simple ciphers or codes). That's always happened and somehow we managed to get by. Yes, sometimes law enforcement doesn't get to know absolutely everything about everyone. And that's a good thing. And sometimes, yes, that means that terrorists will be able to plan bad things without law enforcement knowing it. But that's part of the trade-off for living in a free society.

Reader Comments


  • icon
    John Fenderson (profile), 14 Jul 2016 @ 9:50am

    Security is hard

    The easy availability of strong crypto does make security a bit easier, but it has always been true -- and will always be true -- that security is hard.

    That's because security is not a matter of deploying a tool, no matter how powerful. To be secure against serious threats requires careful attention to every aspect of procedures and behavior, both electronic and not. Weakness in any aspect of the overall effort weakens all aspects.

    As a common example of the truth of this, look at the excellent and common advice given regarding everyday passwords: never use a given password for more than one thing. That way if the password is exposed, only one thing is compromised.

    Behavior is at least as important to security as technology is.

    reply to this | link to this | view in chronology ]

  • icon
    hij (profile), 14 Jul 2016 @ 9:52am

    odd phrasings

    I had to re-read that phrase "anti-encryption supporters" 3 or 4 times. It seems like a double regressive statement to be a supporter of going backwards.

    As far as the effort itself, these folks are going to be quite shocked to find out that it is possible to create and install android apps on your own. When they find out it is possible to employ encryption without being blessed by the google they are likely going to blow a hemorrhoid. By their reasoning, that is going to mean it is time to make android illegal because terrorists use it.

    Then again terrorists use toilets. We should get rid of those things too. Nothing good ever came out of a toilet.

    reply to this | link to this | view in chronology ]

  • identicon
    I.T. Guy, 14 Jul 2016 @ 10:04am

    viva l'italia!!!

    Seems like good ole fashioned Police Work was the Italians' answer to going "dark."

    The whole exchange:
    "The important thing is that when you arrive in Turkey"
    Reminds me of 15 years ago when I started out as a level 1 tech helping clueless users use fairly simple technology.

    There has to be something said about the person that's willing to blow themselves up for a "God." The law and media acts like these are sophisticated individuals when in reality they are borderline retarded.

    I read that somewhere else yesterday and just laughed at the Abbott and Costello-esque nature of the conversation.

    Even the "sheik's" rant was South Parkish in nature.

    reply to this | link to this | view in chronology ]

  • icon
    TasMot (profile), 14 Jul 2016 @ 10:04am

    One if by Land and Two if by Sea

    Those colonial terrorists used encryption too. Let's get me out of the history books. Oops, they used lanterns, so they were actually going light instead of going dark......

    reply to this | link to this | view in chronology ]

  • identicon
    I.T. Guy, 14 Jul 2016 @ 10:17am

    I missed this the first time from the 2001 article:
    "Hidden in the x-rated pictures on several pornographic web sites"

    Um... are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites? (And visit strip clubs)
    Sound farfetched? It may because:
    "US officials and experts say it's the latest method of communication"
    Oh. Whew. As long as it's US officials and unnamed "experts" I'm ok. /s

    I thought the method was flash drives and couriers? Oops, there I go thinking again.

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 14 Jul 2016 @ 10:41am

    Not seeing the Forrest for the Terrorists

    Terrorists may use encryption, they may use it poorly, or not at all. Or they may then reveal an encrypted communication after the fact, not thinking.

    But you are missing the real issue about Going Dark.

    American Citizens are increasingly Going Dark by using encryption. For everyone's protection, decryption must be very easy, or even unnecessary for even the dumbest of cops. This makes it easier to access everything about your private life when looking for something to charge you with.

    reply to this | link to this | view in chronology ]

    • icon
      hij (profile), 14 Jul 2016 @ 11:37am

      Re: Not seeing the Forrest for the Terrorists

      The leader of the biggest, terrorist state in history, Julius Caesar, used encryption. In fact, the encryption technique he used is named for him. Although, if you disagree that Rome was a terror state and one of the good guys then you might want to argue that statistics should be outlawed because from that point of view the terrorists use basic frequency statistics as a way to defeat the Caesar Cypher.

      reply to this | link to this | view in chronology ]

      • identicon
        Ukdah, 14 Jul 2016 @ 12:31pm

        Re: Re: Not seeing the Forrest for the Terrorists

        you might want to argue that statistics should be outlawed because from that point of view the terrorists use basic frequency statistics as a way to defeat the Caesar Cypher.

        Yep. Sounds like a violation of the DMCA's ban on circumvention tools to me. Ban statistics!

        reply to this | link to this | view in chronology ]

  • identicon
    Capt ICE Enforcer, 14 Jul 2016 @ 10:58am

    Hidden messages

    Hiding messages in porn is how most women break up with their man overseas... You think it will be great until you see your friend with your woman then divorce papers come shortly after..

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 14 Jul 2016 @ 11:38am

    I am sure even as we speak the FBI are creating a false terrorism plot that heavily relies on encryption for the attack to work.

    When you fail to achieve your despot desires legally, just do it illegally.

    reply to this | link to this | view in chronology ]

  • identicon
    Skeeter, 14 Jul 2016 @ 11:56am

    Released into the Wild

    There are, without doubt, several 'truly unbreakable' encryption algorithms already in use worldwide. Like nuclear weapons, to this point, it is predominantly a case of the rich, powerful and corrupt (aka: governments) which have them. We act like we don't fear the government, but they are most-assuredly wanting us to fear 'unbreakable encryption', so to that point, you have to ask, 'if you have it, and we aren't supposed to fear you, then why and who should we actually fear having it?'

    If a 'real, unbreakable encryption' was released onto the internet, with any time at all before it was noticed, especially in code-form (where any programmer could download it and compile it at his will), the whole fantasy of 'encryption control' would be forever gone. What then, once the government worked on a leveled playing field with the 'average Joe'? Governments seem to think they can print money, to finance any 'overcoming' of the little guy they might deem needed. What if that wasn't 'really' the case? It's only a matter of time...and a good C-programmer.

    reply to this | link to this | view in chronology ]

    • icon
      Groaker (profile), 14 Jul 2016 @ 2:49pm

      Re: Released into the Wild

      Unbreakable algorithms have been known for many years. With the advent of the PC one time pads have been trivial to create. A simple XOR, or possibly a more complex mutation, based on two numbers is unbreakable.

      One specifying a particular CD, the other the starting bit. This trivializes the bane of pre-PC one time pads -- the complexity of passing on the pad definition.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 14 Jul 2016 @ 3:01pm

        Re: Re: Released into the Wild

        Yep. Unbreakable crypto is well known and technically easy to do without the need for computers at all.

        The hard part is the key exchange. After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?

        PKE is an engineering tradeoff -- the crypto is strong but not mathematically unbreakable, but the win is that the key exchange problem is rather dramatically improved (and, if you do it right, is solved).

        reply to this | link to this | view in chronology ]

        • identicon
          Tyl, 14 Jul 2016 @ 6:45pm

          Re: Re: Re: Released into the Wild

          After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?

          Because of temporal and spatial differences. Keys can be exchanged at a time and place that secure channels are available, and then used later to communicate when secure channels are not available.

          reply to this | link to this | view in chronology ]

          • icon
            John Fenderson (profile), 14 Jul 2016 @ 9:05pm

            Re: Re: Re: Re: Released into the Wild

            Yes, of course. I should have been more precise -- I was referring more specifically to (the more common) cases where such coordination is not possible, such as people who are never physically in the same space at the same time.

            reply to this | link to this | view in chronology ]
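The pad scheme discussed in this thread (a shared pad, a starting offset, and XOR), as an added example that is not part of any commenter's post. `PadBook`, `reuse_leak` and the sample messages are constructed for illustration, and random bytes stand in for the shared medium; the guarantee depends on pad bytes that are random and never used twice, which the bookkeeping enforces and `reuse_leak` shows the cost of ignoring.

```python
import secrets

# Constructed sample messages (both 22 bytes long).
P1 = b"meet at the north gate"
P2 = b"bring the blue folder!"


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """A shared pad plus a record of which byte ranges are already spent."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.used = []  # (start, end) ranges that have been consumed

    def take(self, offset: int, length: int) -> bytes:
        end = offset + length
        if offset < 0 or end > len(self.pad):
            raise ValueError("message runs past the end of the pad")
        for start, stop in self.used:
            if offset < stop and start < end:  # ranges overlap
                raise ValueError("pad bytes in this range were already used")
        self.used.append((offset, end))
        return self.pad[offset:end]


def encrypt(book: PadBook, offset: int, plaintext: bytes) -> bytes:
    """Sender side: the offset travels with the ciphertext, the pad never does."""
    return xor(plaintext, book.take(offset, len(plaintext)))


def decrypt(book: PadBook, offset: int, ciphertext: bytes) -> bytes:
    """Receiver side: same pad bytes, same XOR."""
    return xor(ciphertext, book.take(offset, len(ciphertext)))


def reuse_leak(pad: bytes, offset: int, p1: bytes, p2: bytes) -> bytes:
    """With no bookkeeping, two messages on the same pad bytes cancel the pad:
    c1 XOR c2 == p1 XOR p2, computable from the ciphertexts alone."""
    c1 = xor(p1, pad[offset:offset + len(p1)])
    c2 = xor(p2, pad[offset:offset + len(p2)])
    return xor(c1, c2)


def recover_with_known_text(leak: bytes, known: bytes) -> bytes:
    """Knowing (or guessing) one plaintext then yields the other."""
    return xor(leak, known)


if __name__ == "__main__":
    pad = secrets.token_bytes(4096)  # stand-in for the pre-shared medium
    sender, receiver = PadBook(pad), PadBook(pad)
    ct = encrypt(sender, 100, P1)
    print(decrypt(receiver, 100, ct))
    print(recover_with_known_text(reuse_leak(pad, 100, P1, P2), P1))
```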

  • identicon
    Anonymous Coward, 14 Jul 2016 @ 2:25pm

    Turns out ISIS weren't using encryption at all, everything they post is just made-up randomized crap.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jul 2016 @ 2:26pm

    OMG, it's encryption we just can't crack.......**panic**

    Knowing Daesh, their alcoholic, drug-taking paedophilic leader probably just fell into a drunken stupor, rolled their heads on the keyboard and accidentally pressed POST.

    reply to this | link to this | view in chronology ]

  • icon
    Groaker (profile), 14 Jul 2016 @ 2:41pm

    Terrorists

    Terrorists do lots of things. Generally wear shoes, eat, breathe and possibly use encryption. Are we willing to ban shoes, food, and air to Americans because terrorists may use those things?

    Terrorists win by inducing the leaders to exert more and more restrictions on the citizenry, and creating irrational fears in the population. I have reason to be more afraid of police and other LEOs than I do of terrorists. Police will kill far more people in the US this year than terrorists will. Indeed, including the deaths from 2001, police have killed more people, many innocents, in five years than terrorists have killed in the last 15.

    Who is more to be feared?

    reply to this | link to this | view in chronology ]

    • icon
      John85851 (profile), 15 Jul 2016 @ 10:50am

      Re: Terrorists

      No, just ban all encryption.

      But don't complain when your credit card information gets stolen because Amazon can't encrypt their site. And don't complain when your bank account is drained because banks aren't allowed to encrypt their sites either.

      reply to this | link to this | view in chronology ]

    • identicon
      Pissed as Hell, 15 Jul 2016 @ 1:53pm

      Re: Terrorists

      There are a lot of FUCKNUTS in the world. It's not just a US problem. Most of the people cops shoot deserve it. Don't forget that.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 15 Jul 2016 @ 8:40pm

        Re: Re: Terrorists

        Most of the people cops shoot deserve it. Don't forget that.

        How have they managed to miss you so far?

        reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 15 Jul 2016 @ 9:08pm

        Re: Re: Terrorists

        "Most of the people cops shoot deserve it."

        Cops don't get to decide who "deserves" it.

        And that "most" there in your sentence doesn't bother you any?

        reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 15 Jul 2016 @ 5:09am

    But, of course, I'm also not trying to blow things up or kill people.

    Do you keep your writers well restrained in cages? If not you could be contributing to the cause, even if unknowingly. /derp

    reply to this | link to this | view in chronology ]

  • identicon
    Pissed As Hell, 15 Jul 2016 @ 1:28pm

    Morbid Fascination

    Some asshole most likely a muslim just said that the west has a morbid fascination for the bloodshed in Nice, France. I have no doubt he is attempting to push his brotherhood islamists agenda on FRNC24.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2016 @ 9:22am

    "Um... are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites?"


    I read somewhere that 'terrorists' use online forums to communicate on a regular basis. Some of these can be erotic sites. Who's gonna think that is even possible for bearded asexual anarchists? Perfect.

    reply to this | link to this | view in chronology ]

