New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong
from the multiple-missed-opportunities dept
As Techdirt has reported, politicians (and some journalists) haven’t waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had “gone dark,” but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on:
For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory.
Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens that had been trained in Syria, and had returned to carry out terrorist attacks — usually unsuccessfully. And yet:
in each instance, officials failed to catch — or at least to flag to colleagues — the men?s ties to the nascent Islamic State.
Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014:
Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words “Islamic State of Iraq and Syria,” Belgium?s deputy prosecutor, Ine Van Wymersch, dismissed any connection.
“He probably acted alone,” she told reporters at the time.
Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate “at least 8 suspects” with links to those attacks:
All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.
The security bulletin gives a sense of ISIS’ geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively.
The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.
@thegrugq has written a good piece on Medium analyzing the system. It seems the discontinued encryption program TrueCrypt was provided by ISIS on a USB drive. The program was used to place one or more messages inside an encrypted volume, which was then uploaded to an inconspicuous online site. By employing a shared password to encrypt the volume, more than one person could read the messages in a relatively secure and anonymous way. The system creates a kind of digital dead letter drop that can’t be addressed simply by mandating crypto backdoors.
That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following:
This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down.
Using crypto is hard, and easy to get wrong — which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don’t take my word for it, just ask the person who was using the TrueCrypt system described above. Here’s what the French police discovered when they arrested him last August:
Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt.
Whoops.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: encryption, isis, terrorism
Comments on “New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong”
Criticism of NYT article
Shortly after this Mar 30, 2016 New York Times story was published, the story received some criticism for its reporting of the technical facts.
“Sometimes techy details matter”, by Robert Graham, Errata Security (blog), Mar 30, 2016
Re: Criticism of NYT article
March 30, 2016 is inaccurate. The New York Times story is dated March 29th, 2016.
The next day’s criticism is dated March 30, 2016.
I regret the error.
Re: Criticism of NYT article
Just incidentally, if you follow that link, read down to the botom and jump through—
—Then scan that next article down to the bottom again, and jump through—
—Well, then, as they say in Fargo, “There you are. You betcha!”
Just incidentally there.
It's All in the History Books
Haven’t you read about the U.S. and U.K. repeatedly complaining before World War II about the Germans and Japanese “going dark” through the use of Enigma and Purple? Congress passed two declarations banning encryption, the Germans and the Japanese dutifully complied, and the war ended as abruptly as it had started. Problem solved.
The question that you should be arguing isn’t if Crypto isn’t currently a serious problem – that’s simply an implementation challenge to be solved.
What you should be asking is if it ever could reasonably be a problem.
Re: Re:
Better question: Would the problems caused by lack of encryption, or lack of secure encryption be larger than the problems that truly secure encryption might cause or allow down the road?
Secure encryption can absolutely prevent some crimes from being solved or even discovered, I don’t think anyone’s arguing otherwise, but I’m guessing that the number of problems caused by secure encryption are and likely always will be vastly smaller than the problems you’d get with ineffective encryption.
Re: Re: -- Why encryption doesn't matter
Encryption wouldn’t matter nearly as much if the money, physical resources, and social networks of those involved in actions of terror were traced; you know, /actual/ investigative work which has been so painstakingly designed in to modern law and civil operation.
If the government agencies were doing their actual jobs instead of spying on the mostly harmless banal existence of the citizens they’ve sworn to protect then encryption or not wouldn’t matter from the perspective of terrorism.
Belgian Authorities ignored evidence...
Good thing we have the FBI, where a group of 20 coming over to learn flying would be caught; where when someone was arrested who had a totally arrogant attitude and told his flight instructor he didn’t care about learning to land large aircraft – the FBI hierarchy would not be actively discouraging pursuit of warrants and deeper investigation, would they?
“He probably acted alone,” she told reporters at the time.
I am probably giving them more credit than I should, but it seems reasonable that they may also simply be trying to avoid a panic.
“He probably acted alone” sounds a bit better than “We found some things that strongly suggest a tie to a giant network of terrorists that could attack at any time but we are still investigating”.
Re: Re:
They always try to avoid a panic until they need to manufacture one. Don’t maybe have a brief panic over something real, have this sustained panic until we get what we want, over something we made up for some reason. And oh yeah, it allowed that thing to happen that we didn’t want you to panic about before. Feel free to panic about it now. But only with respect to this other thing we want to do.
So once again, how will passing laws deter terrorists?
Passing laws against encryption makes the rest of us unsafe, but does nothing to stop terrorists from using encryption.
So politicians are either clueless or lying about the reasons for the laws against encryption.
In either case, they don’t belong in office.
Or… as Techdirt and others have noted, politicians and some journalists claim repeatedly that encryption is to blame when it is already well-established that it is not.
Congressional Ignorance.
The ignorance of many in congress is unbelievable.
Watched an interview of Rep. Adam Schiff, a member of the House Intelligence Committee, where he gives the impression that encryption prevents them from collecting info using court approved wire taps!
The only thing affected by the encryption used by Apple on the iphone, is locally stored personal information, But calls, texts, emails that are transmitted over the cell network are certainly open to collection, unless additional efforts are taken to prevent that collection.
And honestly i don’t imagine someone willing to commit a terrorist attack will care about breaking any law against encryption.
Re: Congressional Ignorance.
And honestly i don’t imagine someone willing to commit a terrorist attack will care about breaking any law against encryption. Correct meaning the law will not have any affect on what the claim they are going after, only law abiding peoples 4th Amrndment rights
Context & Misquoting... (but yes, encryption has nothing to do with this)
“”He probably acted alone,” she told reporters at the time.”
Ok, so the Belgian police found an incriminating video & a flag, but so what? And ok, he made a longish phone call to Abdelhamid Abaaoud, but again, so what? Mehdi Nemmouche could have been his interior decorator for all anyone knew. At that time.
For the sake of accuracy, the full quote was “From the images we have seen, we can deduce that the perpetrator probably acted alone and was well prepared,” said Ine Van Wymersch, a spokeswoman for the Brussels prosecutor’s office.”
Which is a fair viewpoint when you see the images. Nemmouche had up till that point a criminal record. It’s my belief here that regular law enforcement isn’t sufficiently tied into anti-terror, at least for most parts of Europe. They have separate systems, distinct jurisdictions, often under different ministries. The UK & France especially so. Until they get their act together, more fish will slip through their nets. But when they do, my fear is that we will all be the poorer because of it.
Method
While I agree with th sentiment here I don’t think it serves us to focus on details such as ease of use or lack thereof. While that definitely impacts the number of people using strong encryption today that certainly won’t always be the case.
I think the most salient point we can make is that there is no end to methods of encryption. If we legislate or weaken one type, people will use another. That is true now and it will be true long after your corrupt government has fallen.
What's the endgame?
Sometimes I wonder what the point of all this anti-encryption rhetoric is. Even if we take at face value the claimed motivation of preventing, or at least better investigating, criminal activity, how does this get us there?
To start with, take backdoored encryption. How does this help? Say you could implement a perfect backdoor with a golden key that is physically and inextricably tied to a warrant. We’ve waved our magic wand and made all the problems and side effects vanish. What would that actually do?
Scenario A., criminals communicate over the backdoored channel, and their communications are available to law-enforcement. At first blush, that sounds great, but then you realize that any criminal who communicates over an effectively open channel knows shit about OpSec, and their communications would likely have been able to be intercepted even without the backdoor. So, what does this really gain for us?
Scenario B., criminals use a different, non-backdoored, encryption scheme to communicate. This will always be a possibility; you can’t legislate the math from working. But, say you went a step further and flagged, or even outlawed, non-backdoored encryption. Then the bad guys will have to either communicate in the clear or risk being identified as bad guys, right? Of course not. Let’s ignore for the moment simple codes (code phrases, book codes, etc.) which can be used to communicate securely over a compromised channel. You can implement full blown public key cryptography using steganograpgic encoding. The message would look like any other message in the channel, blending in with the noise, but could contain any amount of concealed information. So, what was the point, again?
Weakening encryption will only hurt normal citizens. The “bad guys” either can be caught already without weakening encryption, or weakening encryption won’t seriously impact them.