Hiding in plain sight has a lot of different meanings. Cryptography stands out a lot more than bickering among old men. Besides, which tools to trust? The PRC clearly distrusts many western crypto systems, why would AQ feel any differently?
Who cares if the CIA has a backdoor? It's still better to encrypt his archives than using plaintext. The chance the CIA might have a backdoor is lower than the chance the CIA might decipher plaintext.
Of course, you'd have to use a non-networked computer for this, in case Truecrypt phones home...
Well, the article didn't say that they were archived in plain text. For what we know, it may have been encrypted with TrueCrypt, and it may be readable by CIA.
If I remember correctly, there was at least one homemade cryptographic system they used in the past, but the US got a hold of it(and probably found a hole in it).
well they probably were using a code (not a cipher). "when will the next batch of loaves be ready?" etc.
[i am disappointed the article doesn't even mention that kind of detail; never mind describing how they avoid traffic patterns (presumably they have protocols for changing email addresses, times and subjects)]
The idea for a criminal is to mix in with the world not enter in a technological arm wrestling match with a superpower. Their strength is obscurity, not tech muscle - and if they try to fight from that angle then it’s just a matter of time till they lose. The US army cannot hide itself (the pentagon has an address) but it can apply a lot of money in cracking their encryption. Al-Qida cannot invest heavily in R&D but can keep the US army confused by mixing in and out with the general public.
This is why a criminal tries to act and behave just like you, a non-criminal, so they mix in with the crowd and get attention off them so they can engage in what they do best, jumping jacks and monkey bars. ;)
Unless the US government has secretly made revolutionary advances in the field of cryptography, modern encryption algorithms cannot be cracked, no matter how much money or hardware you throw at the problem.
In my experience, people seem to think that the government can break any encryption, just because they're the government. I don't understand why people have this impression.
I've encountered this too. I attribute it to a lack of critical thinking skills. I think there's a fuzz between surveillance and codebreaking plus a simple lack of knowledge of how codes and codebreaking has changed so much due to use of computers. I think a lot of flawed understanding of codebreaking comes from fiction, where it's dealt with in a dramatic fashion as opposed to realistic.
I once worked with a computer programmer who did not "believe" that a one-way hash is theoretically possible. His reasoning was "if you transform something into something else with a computer program (a predetermined set of steps) it is also always possible, by reversing the steps, to get back to the original".
I dramatically adjusted down the amount of reasoning I thought the 'average' person is capable of over the months that I tried to explain / convince him. It's very well possible that I wasn't able to explain because I don't fundamentally understand myself; but even all the 'circumstantial' evidence couldn't convince him. And that was from a person who, statistically and objectively speaking, is at least above the median in intelligence and thinking power.
I've found that the easiest way to explain one-way hashes is to start with the simplest example possible, a function isEven which takes and Int and returns 1 is the argument is even and 0 otherwise. Most people have no trouble accepting that, given only the output, it is impossible to work out what the original input was. Once they've accepted that, building up from there is relatively painless
No, but it can throw more money at a problem. The point I was making is deeper pockets win, and no one can compete with the defense budgets. They can enlist the help of brighter minds than any criminal orginization (access to better talent pool).
India and China, who don't care about personal privacy as much as the US, gloat about doing this all the time, often to US companies' data. The US gov't does have the right to wiretap and snoop under the Patriot Act, but it does not have to have the luxury to share with the American public because Americans value privacy highly.
Historically speaking, your statement is not well supported. Essentially all cryptosystems proposed before 1970 have been cracked. Most cryptosystems proposed since then have been, too. Any particular cryptosystem might turn out to have a hard and usefully high lower bound on the difficulty of cracking it, but we can't even prove P ≠ NP yet, so we aren't even close to proving such lower bounds on cryptosystems.
Large amounts of money can and do buy the time of legions of sharp mathematicians who devote their lives to devising and cracking new cryptosystems. There are good reasons to suspect that this no longer gives the US government the kind of advantage that it used to enjoy, but hard evidence of that is also hard to come by.
There's also the possibility of using large amounts of money to trick someone into using weak encryption, a policy which was very successful with Crypto AG.
If you only need to crack one key, a weakness is found in the system that helps eliminate a huge chunk of the possible key space, and it's for a very high-value target like Bin Laden, putting the entire computing power of the TLAs onto the problem seems like it could yield results.
No. Exhaustive key search is vanishingly unlikely to yield results.
The universe contains about 2²⁶⁵ elementary particles and has existed for about 2¹⁰⁸ femtoseconds. So it probably cannot have done more than about 2³⁷³ classical computations. You can easily use triple-AES-256 to get an effective 512-bit key, dwarfing the possible computations the universe can have carried out for the foreseeable future.
The world GDP is about US$58 trillion per year, which is about 2³⁶ dollars per year. A computer that can test keys currently costs at least 2⁻⁸ dollars, although probably more, and cannot test more than about 2³⁵ keys per second, although probably less. There are about 2²⁵ seconds in a year, so that's 2⁵⁰ keys per year per processor, or 2⁹⁴ keys per year per previous year's worth of production.
So, suppose the entire world economy were devoted to producing computrons to crack a single crypto key. In N years, you can have tried ½N² · 2⁹⁴ = N² · 2⁹³ keys.
To try 2¹²⁸ keys, you need N² ≈ 2³⁵, so N ≈ 2¹⁷, a bit over a hundred millennia. (If you are willing to accept some chance of failure, say a 99.9% chance of failure, then you can skimp a bit and only try 2¹¹⁸ keys, N² ≈ 2²⁵, N ≈ 2¹², only four millennia.)
If bin Laden used AES-256 instead, you need to try 2²⁵⁶ keys to be sure of succeeding, so you need N² = 2²⁵⁶ / 2⁹³ = 2¹⁶³, so N ≈ 2⁸⁰ ≈ 10²⁴ years, which is 10¹⁴ times the current age of the universe. By comparison, the galaxies of the Local Group are expected to merge into a single supergalaxy in only 10¹² years while other galaxies are too far away to be detectable, star formation is expected to end in only 10¹⁴ years, all planetary systems are expected to have decayed in only 10¹⁵ years, and the supergalaxy is expected to have fallen apart in only 10²⁰ years. We're talking about a timescale ten thousand times longer than that. (http://en.wikipedia.org/wiki/Future_of_an_expanding_universe)
So the mere computing power of the TLAs is unlikely to yield results by brute force. Their ingenuity, however, could find a better way than brute force.
Thanks for the very informative demonstration of the scale of these numbers. I suppose I should have emphasized this part of my post: "a weakness is found in the system that helps eliminate a huge chunk of the possible key space". I was supposing that the combined intellectual effort of the NSA and CIA could find a vulnerability in Bin Laden's crypto implementation that would reduce the size of the key space to something that could be meaningfully attacked by their combined computational capacity.
"People"? Like the typical net surfer in a semi-rural Pakistani internet cafe? Or people like you? There is a minor difference of "what you make in a day, they make in a year: with varying consequences like starkly differing internet usage habits, levels of education, general interests, privacy precautions etc. You're obviously having a hard time wrapping your head around the context here.
The person sitting next to you in these cafes can barely read, the PCs are what was mainstream here in 1999. They are connected with 56k modems. I am not sure why you're struggling with getting out of your shoes.
"city like Abbottabad" <-- again, you’re deviating from the facts. The courier would take it many miles away to another small semi-rural setting, not Abbottabad.
“Do you have any basis for this belief?" Want me do YOUR research for you? You claimed the solution is HTTPS (or encryption in general), I said no, and you want me to prove the objection?
Anyway, aside from the fact that I was born and raised in Pak and lived there till I finished high school at the age of 17, I know what they do online and know the culture intimately, and understand how vast the tastes and interests are when income and education levels are so varied. The ISPs there are regulated, sites often blocked, and govt openly and proudly snoops (like I have said many times before).
Now before you tell me to look this up for you, do your own research, please amigo! You might be a great "mechanic" but you’re trying to drive a Ferrari in a rally, and arguing "Why not, its the greatest car!" Context is everything. This is getting tiring, boring and old, you take yours, I take mine, and off we go. :-)
Also, get a passport and travel a bit, you'll notice how invisible some things are to you in your environment, and how much you take them for granted. How many facts of life are not facts but assumptions.
I'm sure you more knowledge of Pakistan than I do, but I find it hard to believe that encryption is so rarely used that the Pakistani government can afford to monitor and investigate anyone who sends an encrypted communication.
It's also a little grating to have you lecture me on my assumptions, whilst simultaneously making unfounded assumptions about me.
Sorry you feel lectured buddy, was not my intention. And you're right, I did make unfounded assumptions about you.
Anyway, they did not overlook the oldest security technique in computer history (encryption/cryptography) without reason - and you gotta give those fuckers credit, those mountain goats gave the most powerful military in the world a run for its money for a decade.
I'm sure they had a reason, but I suspect a lot of it is that they lacked sufficient technical expertise, rather than it being a deliberate decision of an informed individuals. That they didn't encrypt all the information at their hideout indicates a lack of technical knowledge.
That said, you're right that they're extremely good at hiding via more conventional means.
This addresses the wrong question. As soon as you start using encryption, you also start using passwords and secret keys. The US government can detect encrypted messages and find those passwords and keys pretty easily.
Better to send scattered, seemingly innocuous plaintext messages, if the insidious information is coded well enough to look like normal conversation.
If you encrypt all your email, they just have to log every piece of encrypted mail they see and wait until they find the key to open all of them. If you do it the smart way, they have to hunt for each individual message, and you win the "security arms race".
No, but it's rather unlikely that the US government would use algorithms like AES if it suspected them to be insecure. There's also enough encrypted traffic on the net to not be particularly unusual.
Uncle Al once said: The best way to get caught is to send an encrypted email from a dusty little Pakistani town's internet cafe once a month (from where no one ever sends encrypted emails). It is like shooting a flare on a dark night.
But why travel miles to a remote rural village to send emails, when you could travel to a larger town that likely has more varied surfing habits, and many more people online?
Not as clear cut as rural/urban. The definition of urban there is not more developed, its more dense in population. The semi urban areas have huge populations, plus the population sympathizes with them - city folk hate these guys.
I think the basic argument is "use a one-time pad" but it assumes that an unencrypted but unique email account meets the same requirements as a cryptographic one-time pad, which I don't think I agree with.
That being said, I probably wouldn't use encryption anyway. I wouldn't do anything that might cause my correspondence to receive any further scrutiny whatsoever.
You use encryption every day already, you just don't think about it.
For all of HTTPS's faults, it's so transparent that you don't even think of it as encrypted communication. If PKI apps and MUAs didn't suck so much, we'd probably all treat email the same way.
I would definitely use HTTPS, but that's not really what I had in mind. When I said I wouldn't use encryption I was thinking specifically about PKI stuff like PGP, precisely because like you say, it sucks to use it. Badly enough that I think it would make you stick out and receive additional scrutiny if you did.
>It is absolutely amazing to me that terrorist organizations would not use encrypted email.
This is excellent observation, especially as so much of the justification for limiting, restricting, or circumventing encryption on the part of intelligence agencies has been that "terrorists" would employ it to communicate.
