How Bin Laden Sent and Received Email (yahoo.com)
110 points by luigi on May 12, 2011 | 109 comments



Only slightly more roundabout than RMS's system for browsing the web.


tl;dr: Write email. Copy to USB. Give it to a courier who takes it to a distant internet cafe and sends it out. Incoming email is copied onto the same USB and delivered back.


That was so anti-climactic. I was expecting something a bit more sophisticated after all the hype at the beginning of the article. ROT13 at least...


ROT13 is easily reversible. It looks like he used 2ROT13. http://www.mobikom.at/2rot13.pdf


I was kidding about ROT13. I would have expected at least AES-256 hidden via steganography inside photos or sound files..


I knew you were joking; I just get reminded of that paper when I see ROT13 mentioned.


Sorry, I misread your comment. Good one :)


Turns out the most spectacular part of it was how dedicated he was to it, with apparently hundreds of flash drives full of emails.

Even that isn't so spectacular though, considering this is someone dedicated enough to his cause to successfully plan and execute terrorist acts as a career.


thanks teja


This flags up all sorts of wrong. A counter terrorism official demands anonymity to tell us some very mundane facts:

1) Bin Laden sent e-mail.
2) He sent it via a very simple if slow method.
3) The US has these e-mails including the receiving address.

Why would they publish this tipping off their targets? Why does the official require anonymity?

A nasty thought does occur which is that this makes an excellent reason for governments to insist that ISPs and email providers hold all emails indefinitely for future investigations.


I would think the targets got tipped off when news of the Bin Laden raid was announced.


For all the cheering about Bin Laden's demise, it's this trove of information that people really should be cheering about. It sounds like they basically got a full snapshot of the Al Qaeda organization at the time of the raid. Intelligence analysts right now must be having the most thrilling yet most critically intense time of their careers.


The hype-to-content ratio of this article is ridiculous.

    It was a slow, toilsome process. And it was so meticulous that even veteran intelligence officials have marveled at bin Laden's ability to maintain it for so long.

Really? Really? It's still more efficient than traditional post, and I'm guessing there wouldn't be this level of hullabaloo if that had been the mode of communication.


Also, the www became more or less mainstream in the mid 90s, and mainly for college students and young professionals or tech workers in western countries. He went into full hiding in 2001 but had already been hard to find for a couple of years and was living in Afghanistan.

For how long did he really use email? The answer is probably anything from zero years to five. Like you said, it looks to me like the system he was using was a faster and more efficient system than the classic pen and paper he used all his life.


According to my girlfriend who grew up in Africa, this is normal behavior when you have to pay for internet by the minute.


What software is most popular for doing this? I wrote my own when I was in Venezuela, but I imagine there's some popular stuff already out there?


I remember watching the movie "Traitor" a few years back and wondering if Al Qaida used something similar to what the fictional terrorists were using in that movie.

(From what I remember, they were merely writing messages and saving them as drafts. Then others would log on and read the drafts. No emails were sent.)

Interesting though how much he relied on couriers.


Lots of malware actually uses this to communicate with infected hosts nowadays. You see it a lot in the backdoors used for more targeted attacks.

AFAIK, going wayyy back, this strategy was first talked about by Sophsec at an infosec conference in 2006. They made a library called libomg that would log into social networks and webmail to communicate with infected bots and they had various strategies for doing so. The most hilarious was the myspace module which automatically set up networks of teen girls who chatted in uh teen-speak, which were actually hidden commands for the other bots to log in and retrieve. It was awesome.


    The most hilarious was the myspace module which
    automatically set up networks of teen girls 
    who chatted in uh teen-speak
Makes sense - teen-speak barely means anything and it's frustrating as hell to read, so normal people usually turn away before starting to see suspicious patterns.


I recall that this was the strategy that the 9/11 terrorists used to communicate. I suppose that the Richard Stallman approach is the next evolution of it.


What's the Richard Stallman approach to it?


Synchronizing mail (and other online assets) offline via a periodic push/pull process, similar to the USB-stick process.

  For personal reasons, I do not browse the web from my computer.  (I
  also have no net connection much of the time.)  To look at a page I
  send mail to a demon which runs wget and mails the page back to me.
  It is very efficient use of my time, but it is slow in real time.
http://article.gmane.org/gmane.os.openbsd.misc/134979

Also elsewhere he says that he rarely has an active internet connection, so presumably the demon runs and mailserver flushes during the window that his internet is on.


Something involving EMACS.


Surely the lamest thing I read today. I was expecting some elaborate multiple encryption and obfuscation scheme involving proxies and anonymisers in addition to sneaker net in and out of the hideout.


It is absolutely amazing to me that terrorist organizations would not use encrypted email.


Hiding in plain sight has a lot of different meanings. Cryptography stands out a lot more than bickering among old men. Besides, which tools to trust? The PRC clearly distrusts many western crypto systems, why would AQ feel any differently?


Those are good points, but he could still have, at least, used something like TrueCrypt for his archives.


How do you know that the CIA doesn't have a backdoor to TrueCrypt?


Who cares if the CIA has a backdoor? It's still better to encrypt his archives than to use plaintext. The chance the CIA might have a backdoor is lower than the chance the CIA might decipher plaintext.

Of course, you'd have to use a non-networked computer for this, in case Truecrypt phones home...


Well, the article didn't say that they were archived in plain text. For all we know, it may have been encrypted with TrueCrypt, and it may be readable by the CIA.


If I remember correctly, there was at least one homemade cryptographic system they used in the past, but the US got hold of it (and probably found a hole in it).


Well, they probably were using a code (not a cipher). "When will the next batch of loaves be ready?" etc.

[i am disappointed the article doesn't even mention that kind of detail; never mind describing how they avoid traffic patterns (presumably they have protocols for changing email addresses, times and subjects)]


Can't rely on encryption because it's hard to know when and how it is cracked (you only find out after it's too late).

Much easier to just create an account to send just one email and then delete the account (after it is sent), or just never use it again.


What?


The idea for a criminal is to mix in with the world, not enter into a technological arm wrestling match with a superpower. Their strength is obscurity, not tech muscle - and if they try to fight from that angle then it’s just a matter of time till they lose. The US army cannot hide itself (the Pentagon has an address) but it can apply a lot of money to cracking their encryption. Al-Qaeda cannot invest heavily in R&D but can keep the US army confused by mixing in and out with the general public.

This is why a criminal tries to act and behave just like you, a non-criminal, so they mix in with the crowd and get attention off them so they can engage in what they do best, jumping jacks and monkey bars. ;)


Unless the US government has secretly made revolutionary advances in the field of cryptography, modern encryption algorithms cannot be cracked, no matter how much money or hardware you throw at the problem.


In my experience, people seem to think that the government can break any encryption, just because they're the government. I don't understand why people have this impression.


I've encountered this too. I attribute it to a lack of critical thinking skills. I think there's a fuzz between surveillance and codebreaking, plus a simple lack of knowledge of how codes and codebreaking have changed so much due to the use of computers. I think a lot of flawed understanding of codebreaking comes from fiction, where it's dealt with in a dramatic fashion as opposed to a realistic one.


I once worked with a computer programmer who did not "believe" that a one-way hash is theoretically possible. His reasoning was "if you transform something into something else with a computer program (a predetermined set of steps) it is also always possible, by reversing the steps, to get back to the original".

I dramatically adjusted down the amount of reasoning I thought the 'average' person is capable of over the months that I tried to explain / convince him. It's very well possible that I wasn't able to explain because I don't fundamentally understand myself; but even all the 'circumstantial' evidence couldn't convince him. And that was from a person who, statistically and objectively speaking, is at least above the median in intelligence and thinking power.


I've found that the easiest way to explain one-way hashes is to start with the simplest example possible, a function isEven which takes an Int and returns 1 if the argument is even and 0 otherwise. Most people have no trouble accepting that, given only the output, it is impossible to work out what the original input was. Once they've accepted that, building up from there is relatively painless.


No, but it can throw more money at a problem. The point I was making is deeper pockets win, and no one can compete with the defense budgets. They can enlist the help of brighter minds than any criminal organization (access to a better talent pool).

India and China, who don't care about personal privacy as much as the US, gloat about doing this all the time, often to US companies' data. The US gov't does have the right to wiretap and snoop under the Patriot Act, but it does not have the luxury of sharing it with the American public because Americans value privacy highly.


No amount of money in the world is going to make any difference for the problem of cracking strong encryption.


Historically speaking, your statement is not well supported. Essentially all cryptosystems proposed before 1970 have been cracked. Most cryptosystems proposed since then have been, too. Any particular cryptosystem might turn out to have a hard and usefully high lower bound on the difficulty of cracking it, but we can't even prove P ≠ NP yet, so we aren't even close to proving such lower bounds on cryptosystems.

Large amounts of money can and do buy the time of legions of sharp mathematicians who devote their lives to devising and cracking new cryptosystems. There are good reasons to suspect that this no longer gives the US government the kind of advantage that it used to enjoy, but hard evidence of that is also hard to come by.

There's also the possibility of using large amounts of money to trick someone into using weak encryption, a policy which was very successful with Crypto AG.


If you only need to crack one key, a weakness is found in the system that helps eliminate a huge chunk of the possible key space, and it's for a very high-value target like Bin Laden, putting the entire computing power of the TLAs onto the problem seems like it could yield results.


No. Exhaustive key search is vanishingly unlikely to yield results.

The universe contains about 2²⁶⁵ elementary particles and has existed for about 2¹⁰⁸ femtoseconds. So it probably cannot have done more than about 2³⁷³ classical computations. You can easily use triple-AES-256 to get an effective 512-bit key, dwarfing the possible computations the universe can have carried out for the foreseeable future.

The world GDP is about US$58 trillion per year, which is about 2³⁶ dollars per year. A computer that can test keys currently costs at least 2⁻⁸ dollars, although probably more, and cannot test more than about 2³⁵ keys per second, although probably less. There are about 2²⁵ seconds in a year, so that's 2⁵⁰ keys per year per processor, or 2⁹⁴ keys per year per previous year's worth of production.

So, suppose the entire world economy were devoted to producing computrons to crack a single crypto key. In N years, you can have tried ½N² · 2⁹⁴ = N² · 2⁹³ keys.

To try 2¹²⁸ keys, you need N² ≈ 2³⁵, so N ≈ 2¹⁷, a bit over a hundred millennia. (If you are willing to accept some chance of failure, say a 99.9% chance of failure, then you can skimp a bit and only try 2¹¹⁸ keys, N² ≈ 2²⁵, N ≈ 2¹², only four millennia.)

If bin Laden used AES-256 instead, you need to try 2²⁵⁶ keys to be sure of succeeding, so you need N² = 2²⁵⁶ / 2⁹³ = 2¹⁶³, so N ≈ 2⁸⁰ ≈ 10²⁴ years, which is 10¹⁴ times the current age of the universe. By comparison, the galaxies of the Local Group are expected to merge into a single supergalaxy in only 10¹² years while other galaxies are too far away to be detectable, star formation is expected to end in only 10¹⁴ years, all planetary systems are expected to have decayed in only 10¹⁵ years, and the supergalaxy is expected to have fallen apart in only 10²⁰ years. We're talking about a timescale ten thousand times longer than that. (http://en.wikipedia.org/wiki/Future_of_an_expanding_universe)

So the mere computing power of the TLAs is unlikely to yield results by brute force. Their ingenuity, however, could find a better way than brute force.
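The budget model in the comment above, carried through as an added example (not from the original thread). The constants 2⁹⁴ keys per year per year of production and 2³⁷³ total operations are taken from the comment as stated; generalising to an arbitrary key size and success probability is an assumption of this example, as is treating the key as uniformly random.

```python
"""Brute-force budget model from the comment, written out as code.

Constructed model, not a real cryptanalysis estimate: the whole world
economy builds key-testing machines, each year's production tests
R = 2**94 keys per year from then on, so after N years about
N**2 * R / 2 keys have been tried (the comment's 1/2 * N^2 * 2^94).
"""
import math

R_LOG2 = 94              # keys/year per year-of-production (comment's figure)
UNIVERSE_OPS_LOG2 = 373  # comment's bound on classical operations ever done


def keys_needed_log2(key_bits: int, success_prob: float = 1.0) -> float:
    """log2 of the keys that must be tried to hit a uniformly random
    key_bits-bit key with probability success_prob (p=1 means the whole space).
    Generalisation assumed here: a p chance needs a p fraction of the space."""
    if not 0.0 < success_prob <= 1.0:
        raise ValueError("success_prob must be in (0, 1]")
    return key_bits + math.log2(success_prob)


def keys_searched_log2(years: float, r_log2: int = R_LOG2) -> float:
    """log2 of keys tried after `years` of accumulating production,
    i.e. log2(1/2 * years**2 * 2**r_log2)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return 2 * math.log2(years) + r_log2 - 1


def years_to_search_log2(key_bits: int, success_prob: float = 1.0,
                         r_log2: int = R_LOG2) -> float:
    """Solve 1/2 * N**2 * 2**r_log2 = keys_needed for N; returns log2(N).
    For 128 bits and certainty this is 17.5 (the comment rounds to 2^17)."""
    return (keys_needed_log2(key_bits, success_prob) - (r_log2 - 1)) / 2


def years_to_search(key_bits: int, success_prob: float = 1.0,
                    r_log2: int = R_LOG2) -> float:
    """Years of whole-world-economy effort, as a plain number."""
    return 2.0 ** years_to_search_log2(key_bits, success_prob, r_log2)


def exceeds_universe_budget(key_bits: int, success_prob: float = 1.0) -> bool:
    """True when the search needs more operations than the comment's bound
    on everything the universe has computed so far (the triple-AES point)."""
    return keys_needed_log2(key_bits, success_prob) > UNIVERSE_OPS_LOG2


if __name__ == "__main__":
    age_of_universe_years = 1.38e10  # approximate, for the ratio only
    for bits, p in [(128, 1.0), (128, 2 ** -10), (256, 1.0), (512, 1.0)]:
        n = years_to_search(bits, p)
        print(f"{bits:3d}-bit key, success {p:.3g}: "
              f"N = 2^{years_to_search_log2(bits, p):.1f} = {n:.3g} years "
              f"({n / age_of_universe_years:.2g} x age of universe), "
              f"beyond-universe budget: {exceeds_universe_budget(bits, p)}")
```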


Thanks for the very informative demonstration of the scale of these numbers. I suppose I should have emphasized this part of my post: "a weakness is found in the system that helps eliminate a huge chunk of the possible key space". I was supposing that the combined intellectual effort of the NSA and CIA could find a vulnerability in Bin Laden's crypto implementation that would reduce the size of the key space to something that could be meaningfully attacked by their combined computational capacity.


"putting the entire computing power of the TLAs onto the problem seems like it could yield results."

No it doesn't, that's the whole point.


Encryption in itself is a red flag.


Not necessarily. People use encryption every time they access a website over HTTPS. Encryption is also the default for many Bittorrent clients.


"People"? Like the typical net surfer in a semi-rural Pakistani internet cafe? Or people like you? There is a minor difference of "what you make in a day, they make in a year", with varying consequences like starkly differing internet usage habits, levels of education, general interests, privacy precautions etc. You're obviously having a hard time wrapping your head around the context here.

The person sitting next to you in these cafes can barely read, the PCs are what was mainstream here in 1999. They are connected with 56k modems. I am not sure why you're struggling with getting out of your shoes.

Watch this champ: http://www.youtube.com/watch?v=kUEGHdQO7WA


So you're asserting that HTTPS use in a Pakistani city like Abbottabad is so unbelievably rare that any usage would be an instant red flag?

Do you have any basis for this belief?


"city like Abbottabad" <-- again, you’re deviating from the facts. The courier would take it many miles away to another small semi-rural setting, not Abbottabad.

“Do you have any basis for this belief?" Want me to do YOUR research for you? You claimed the solution is HTTPS (or encryption in general), I said no, and you want me to prove the objection?

Anyway, aside from the fact that I was born and raised in Pak and lived there till I finished high school at the age of 17, I know what they do online and know the culture intimately, and understand how vast the tastes and interests are when income and education levels are so varied. The ISPs there are regulated, sites often blocked, and govt openly and proudly snoops (like I have said many times before).

Now before you tell me to look this up for you, do your own research, please amigo! You might be a great "mechanic" but you’re trying to drive a Ferrari in a rally, and arguing "Why not, it's the greatest car!" Context is everything. This is getting tiring, boring and old, you take yours, I take mine, and off we go. :-)

Also, get a passport and travel a bit, you'll notice how invisible some things are to you in your environment, and how much you take them for granted. How many facts of life are not facts but assumptions.


I'm sure you have more knowledge of Pakistan than I do, but I find it hard to believe that encryption is so rarely used that the Pakistani government can afford to monitor and investigate anyone who sends an encrypted communication.

It's also a little grating to have you lecture me on my assumptions, whilst simultaneously making unfounded assumptions about me.


Sorry you feel lectured buddy, was not my intention. And you're right, I did make unfounded assumptions about you.

Anyway, they did not overlook the oldest security technique in computer history (encryption/cryptography) without reason - and you gotta give those fuckers credit, those mountain goats gave the most powerful military in the world a run for its money for a decade.


I'm sure they had a reason, but I suspect a lot of it is that they lacked sufficient technical expertise, rather than it being a deliberate decision by informed individuals. That they didn't encrypt all the information at their hideout indicates a lack of technical knowledge.

That said, you're right that they're extremely good at hiding via more conventional means.


This addresses the wrong question. As soon as you start using encryption, you also start using passwords and secret keys. The US government can detect encrypted messages and find those passwords and keys pretty easily.

Better to send scattered, seemingly innocuous plaintext messages, if the insidious information is coded well enough to look like normal conversation.

If you encrypt all your email, they just have to log every piece of encrypted mail they see and wait until they find the key to open all of them. If you do it the smart way, they have to hunt for each individual message, and you win the "security arms race".


> The US government can detect encrypted messages and find those passwords and keys pretty easily.

I presume using rendition and rubber-hose cryptanalysis?


You're really gonna tell me this is the end of the line for the field of cryptography? Humanity need not revisit because Mission Accomplished?


No, but it's rather unlikely that the US government would use algorithms like AES if it suspected them to be insecure. There's also enough encrypted traffic on the net to not be particularly unusual.



Practically, no: en.m.wikipedia.org/wiki/Steganography


You can do all that they did AND add encryption on top.


Uncle Al once said: The best way to get caught is to send an encrypted email from a dusty little Pakistani town's internet cafe once a month (from where no one ever sends encrypted emails). It is like shooting a flare on a dark night.


And sending a plain-text email discussing terrorist plots is somehow less conspicuous?


Yes. Been to the mall with a ski mask on during the holiday season before? ;)


You seem to assume that encrypted communications are somehow rare or unusual. A large proportion of internet traffic is encrypted.


You seem to be the product of your area code. Realize/appreciate the difference in surfing habits of a rural Pakistani and yourself?


But why travel miles to a remote rural village to send emails, when you could travel to a larger town that likely has more varied surfing habits, and many more people online?


Not as clear cut as rural/urban. The definition of urban there is not more developed, it's more dense in population. The semi-urban areas have huge populations, plus the population sympathizes with them - city folk hate these guys.



I think the basic argument is "use a one-time pad" but it assumes that an unencrypted but unique email account meets the same requirements as a cryptographic one-time pad, which I don't think I agree with.

That being said, I probably wouldn't use encryption anyway. I wouldn't do anything that might cause my correspondence to receive any further scrutiny whatsoever.


You use encryption every day already, you just don't think about it.

For all of HTTPS's faults, it's so transparent that you don't even think of it as encrypted communication. If PKI apps and MUAs didn't suck so much, we'd probably all treat email the same way.


I would definitely use HTTPS, but that's not really what I had in mind. When I said I wouldn't use encryption I was thinking specifically about PKI stuff like PGP, precisely because like you say, it sucks to use it. Badly enough that I think it would make you stick out and receive additional scrutiny if you did.


> It is absolutely amazing to me that terrorist organizations would not use encrypted email.

This is an excellent observation, especially as so much of the justification for limiting, restricting, or circumventing encryption on the part of intelligence agencies has been that "terrorists" would employ it to communicate.


I cannot help but think of the recent story about Knuth and his secretary, reading (and replying to) mail by proxy as well.


This doesn't surprise me; having 100+ USBs lying around with content does.


Same here. That part makes me question if the information from that "counterterrorism official" is reliable.


There doesn't seem to be a mention of encryption anywhere. I'm surprised they didn't avail themselves of a little PGP. If a giant notorious terrorist organization isn't using public key cryptography, who is?


In the past, Al Qaeda operatives have expressed a belief that PGP is tainted/backdoored/etc by the US government, so they generally shun it.

It's probably better for attempting to elude the NSA, as well. Get lost in the mix, as opposed to having big large red flags in your messages.


Why not GPG? It's open source, unless there's some crazy obfuscation in the source code it would be pretty hard to hide a backdoor in plain sight.


It's remarkably easy to hide backdoors in plain sight.

http://cm.bell-labs.com/who/ken/trust.html


The nuances that make an open source tool like GPG attractive to us are unlikely to make much of an impact on terrorists that believe in vast US/West conspiracies.


One would hope terrorist organizations don't have technical expertise to code review PGP.


I think the biggest mistake the first world can make in securing its future is assuming that it has a monopoly on knowledge, intelligence, and expertise.


Yet several had the expertise to fly commercial airliners. A number of top Al Qaeda leaders went to college in the U.S. It wouldn't be implausible for some terrorists to take courses in computer science.


While I don't doubt Al Qaeda has some skilled technical folks, piloting a commercial airliner isn't much of a feat if you don't intend to land the thing.


Landing in good weather is not particularly difficult. What's difficult is handling error conditions: the landing gear won't go down, an engine has failed, some instruments are out or misbehaving. Landing the airliner, safely, under those conditions requires critical thinking, good flying skills, and practice. If you are planning on only taking one flight, you don't need to be good at this stuff, because it's unlikely that you will encounter any problems on that particular flight.

(Lots of people have died because of inadequate training in these areas. Eastern Flight 401 is a good example: http://en.wikipedia.org/wiki/Eastern_Air_Lines_Flight_401. The crew was so busy debugging a faulty light bulb that they forgot to fly the plane. It crashed into a swamp.)


PGP encrypted emails protect the contents of the email. They don't prevent eavesdroppers from knowing an email was sent, or where it came from.


Can any foreign terrorist organization count on having encryption that would defeat the National Security Agency's efforts to break the encryption? Surely the first thing for anyone hiding from the United States government to do is simply practice good tradecraft (as bin Laden and his group have long done) and never let the message be accessible to the United States government in the first place. I wouldn't count on PGP or any other software solution for encryption that is readily available worldwide to be secure against NSA attempts to decrypt it. That's especially what any "high value" terrorism suspect should keep in mind.


I wonder if that would actually work against them. Assuming the government has some system that is reading all emails sent to country x, they may specifically sniff emails that match a certain signature... such as one that was encrypted. It's probably less revealing to set up a code around everyday language and problems.


That's a good argument for sending the actual emails in plaintext, but it doesn't explain why the storage drives weren't heavily encrypted.


That's exactly right. I am dumbfounded that they didn't protect everything.


I think strong crypto + several VPN providers would be as safe and easier to automate.

(This, BTW, is why I am generally against anti-piracy enforcement actions and warrantless wiretapping. When you force normal people to use strong cryptography and VPN providers or mesh networks, the terrorists are much harder to pick out. They just look like kids downloading movies.)


Doesn't this system still lead to a large trail of emails going back to Pakistan (assuming the courier didn't go all the way into Afghanistan to send each email)? Presumably, some of the computers that were on the receiving end of those emails have been seized by US intelligence in various raids. The IP of the sender would be easy to trace for the CIA, and the content of the emails would have at least indicated that the sender was in a key decision-making position within the organization.

Without some other security steps, like VPNs or proxies, the US would have certainly been able to trace the country of origin of these communications.


SMTP over sneakernet


Pretty lo-tech solution, but it worked for many years, so why not. What's surprising is that they left behind so many USB flash drives; with them being so cheap, why not buy hundreds of low-capacity drives and destroy them after each dispatch?


Why should they have destroyed them? I think they wanted to keep them.


Why did they use USB sticks and not something that a courier can chew/swallow, like MicroSD?


Why rely on digesting electronics when cryptography is just as secure?


Deniable.

Cryptography doesn't do you any good if there are guys with a car battery asking you very pointed questions, like "where did you get this encrypted disk"?

With a MicroSD in your mouth, they won't even get the idea to question you.


We didn't exactly give bin Laden a lot of time to answer any questions. We found him and shot him. Encrypted documents would have remained safe after his death, but that MicroSD would be a goldmine of information that will compromise his other operatives.


I was addressing the transportation step of the message, not its long term storage. From OBL to net-cafe, the dude carrying it would be safer with a MicroSD, encrypted or otherwise.


I doubt if the computers in most internet cafes in remote parts of Pakistan would have MicroSD readers.


MicroSD to USB adapter costs $0.75 per unit to produce. I sold them out of China in 2007.


A simple SOCKS proxy would have saved him a lot of trouble.


In effect he was using a proxy, just one that he knew he could trust


or thought he could. Isn't that what ultimately took him down?


Yes, but apparently he had a group of couriers, so we don't know if the couriers who were running the USB disks to internet cafés were the same as the two brothers who owned the house.

Apparently he had a number of trusted couriers, and judging from what I have read on tracking these couriers down[1], it wouldn't surprise me if he had multiple levels of courier for his email.

[1] Apparently the couriers were so good at counter-surveillance that even when the CIA had tracked one of the brothers down to Pakistan, it took them two years to link them to the compound, since they both took exhaustive counter-intelligence measures to make sure they were not tracked. Amazing story.


this article doesn't even mention email!

