New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong
from the multiple-missed-opportunities dept
As Techdirt has reported, politicians (and some journalists) haven't waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had "gone dark," but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on:
For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory.
Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens that had been trained in Syria, and had returned to carry out terrorist attacks -- usually unsuccessfully. And yet:
in each instance, officials failed to catch -- or at least to flag to colleagues -- the men’s ties to the nascent Islamic State.
Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014:
Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words "Islamic State of Iraq and Syria," Belgium’s deputy prosecutor, Ine Van Wymersch, dismissed any connection.
Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate "at least 8 suspects" with links to those attacks:
"He probably acted alone," she told reporters at the time.All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.
The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.
The security bulletin gives a sense of ISIS' geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively.
That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following:
This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down.
Using crypto is hard, and easy to get wrong -- which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don't take my word for it, just ask the person who was using the TrueCrypt system described above. Here's what the French police discovered when they arrested him last August:
Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt.
Whoops.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, isis, terrorism
Reader Comments
Subscribe: RSS
View by: Time | Thread
Criticism of NYT article
“Sometimes techy details matter”, by Robert Graham, Errata Security (blog), Mar 30, 2016
[ link to this | view in chronology ]
Re: Criticism of NYT article
The next day's criticism is dated March 30, 2016.
I regret the error.
[ link to this | view in chronology ]
Re: Criticism of NYT article
Just incidentally there.
[ link to this | view in chronology ]
It's All in the History Books
[ link to this | view in chronology ]
What you should be asking is if it ever could reasonably be a problem.
[ link to this | view in chronology ]
Re:
Secure encryption can absolutely prevent some crimes from being solved or even discovered, I don't think anyone's arguing otherwise, but I'm guessing that the number of problems caused by secure encryption are and likely always will be vastly smaller than the problems you'd get with ineffective encryption.
[ link to this | view in chronology ]
Re: Re: -- Why encryption doesn't matter
If the government agencies were doing their actual jobs instead of spying on the mostly harmless banal existence of the citizens they've sworn to protect then encryption or not wouldn't matter from the perspective of terrorism.
[ link to this | view in chronology ]
Belgian Authorities ignored evidence...
[ link to this | view in chronology ]
I am probably giving them more credit than I should, but it seems reasonable that they may also simply be trying to avoid a panic.
"He probably acted alone" sounds a bit better than "We found some things that strongly suggest a tie to a giant network of terrorists that could attack at any time but we are still investigating".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
So once again, how will passing laws deter terrorists?
So politicians are either clueless or lying about the reasons for the laws against encryption.
In either case, they don't belong in office.
[ link to this | view in chronology ]
Or... as Techdirt and others have noted, politicians and some journalists claim repeatedly that encryption is to blame when it is already well-established that it is not.
[ link to this | view in chronology ]
Congressional Ignorance.
Watched an interview of Rep. Adam Schiff, a member of the House Intelligence Committee, where he gives the impression that encryption prevents them from collecting info using court approved wire taps!
The only thing affected by the encryption used by Apple on the iphone, is locally stored personal information, But calls, texts, emails that are transmitted over the cell network are certainly open to collection, unless additional efforts are taken to prevent that collection.
And honestly i don't imagine someone willing to commit a terrorist attack will care about breaking any law against encryption.
[ link to this | view in chronology ]
Re: Congressional Ignorance.
[ link to this | view in chronology ]
Context & Misquoting... (but yes, encryption has nothing to do with this)
Ok, so the Belgian police found an incriminating video & a flag, but so what? And ok, he made a longish phone call to Abdelhamid Abaaoud, but again, so what? Mehdi Nemmouche could have been his interior decorator for all anyone knew. At that time.
For the sake of accuracy, the full quote was "From the images we have seen, we can deduce that the perpetrator probably acted alone and was well prepared," said Ine Van Wymersch, a spokeswoman for the Brussels prosecutor's office."
Which is a fair viewpoint when you see the images. Nemmouche had up till that point a criminal record. It's my belief here that regular law enforcement isn't sufficiently tied into anti-terror, at least for most parts of Europe. They have separate systems, distinct jurisdictions, often under different ministries. The UK & France especially so. Until they get their act together, more fish will slip through their nets. But when they do, my fear is that we will all be the poorer because of it.
[ link to this | view in chronology ]
Method
I think the most salient point we can make is that there is no end to methods of encryption. If we legislate or weaken one type, people will use another. That is true now and it will be true long after your corrupt government has fallen.
[ link to this | view in chronology ]
What's the endgame?
To start with, take backdoored encryption. How does this help? Say you could implement a perfect backdoor with a golden key that is physically and inextricably tied to a warrant. We've waved our magic wand and made all the problems and side effects vanish. What would that actually do?
Scenario A., criminals communicate over the backdoored channel, and their communications are available to law-enforcement. At first blush, that sounds great, but then you realize that any criminal who communicates over an effectively open channel knows shit about OpSec, and their communications would likely have been able to be intercepted even without the backdoor. So, what does this really gain for us?
Scenario B., criminals use a different, non-backdoored, encryption scheme to communicate. This will always be a possibility; you can't legislate the math from working. But, say you went a step further and flagged, or even outlawed, non-backdoored encryption. Then the bad guys will have to either communicate in the clear or risk being identified as bad guys, right? Of course not. Let's ignore for the moment simple codes (code phrases, book codes, etc.) which can be used to communicate securely over a compromised channel. You can implement full blown public key cryptography using steganograpgic encoding. The message would look like any other message in the channel, blending in with the noise, but could contain any amount of concealed information. So, what was the point, again?
Weakening encryption will only hurt normal citizens. The "bad guys" either can be caught already without weakening encryption, or weakening encryption won't seriously impact them.
[ link to this | view in chronology ]