New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong

from the multiple-missed-opportunities dept

As Techdirt has reported, politicians (and some journalists) haven't waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had "gone dark," but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on: For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory. Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens that had been trained in Syria, and had returned to carry out terrorist attacks -- usually unsuccessfully. And yet: in each instance, officials failed to catch -- or at least to flag to colleagues -- the men’s ties to the nascent Islamic State. Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014: Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words "Islamic State of Iraq and Syria," Belgium’s deputy prosecutor, Ine Van Wymersch, dismissed any connection.



"He probably acted alone," she told reporters at the time. Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate "at least 8 suspects" with links to those attacks: All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.



The security bulletin gives a sense of ISIS' geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively. The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.

@thegrugq has written a good piece on Medium analyzing the system . It seems the discontinued encryption program TrueCrypt was provided by ISIS on a USB drive. The program was used to place one or more messages inside an encrypted volume, which was then uploaded to an inconspicuous online site. By employing a shared password to encrypt the volume, more than one person could read the messages in a relatively secure and anonymous way. The system creates a kind of digital dead letter drop that can't be addressed simply by mandating crypto backdoors.

That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following: This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down. Using crypto is hard, and easy to get wrong -- which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don't take my word for it, just ask the person who was using the TrueCrypt system described above. Here's what the French police discovered when they arrested him last August: Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt. Whoops.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, isis, terrorism