Wednesday, August 24, 2016

One small error on the Internet ...

This interesting Guardian article, "The takeover: how police ended up running a paedophile site", is discussed by Bruce Schneier.

Two high-profile, security-savvy paedophiles were taken down based on the smallest of errors.

The paedophile site
“... ran as a company or business,” Rouse says. Senior administrators took charge of individual boards, grouped around categories such as boys or girls, hardcore or non-nude. Users had to upload material at least every 30 days or risk exile. Each of its 45,000 accounts were ranked according to the quality of their output, with a “producer’s area” walled off to all but the most feted.

At the top was one man, “effectively the CEO”. He regularly started his messages with the cheery greeting “hiyas”.
The article explains how that one idiosyncrasy was enough to identify him.

The second paedophile took exhaustive steps to cleanse his uploaded material of any identifying information.
"Access to the full suite of Huckle’s material provided the breakthrough. It was not what he photographed, but what he photographed with. Embedded in some of his images, overlooked when he swept the files of metadata, was the brand and model of his Olympus camera. A tiny clue – but enough.

"Officers exhaustively swept photography sites such as Flickr and TrekEarth for photos taken in south-east Asia using the make and model."
Following that flimsy thread was, it turned out, enough.

I've long been convinced that it's essentially impossible to stay secret on the Internet if a major intelligence agency is on your case.

The article describes a fair amount of labour-intensive Internet searching by Australian police, but it's not hard to see how that could be mostly automated. And if the intelligence agency is allowed AI-based filtering of generic Internet streams, then security through obscurity doesn't really work either.

It would be interesting to know how agencies such as the NSA and GCHQ assess the Internet tradecraft of Islamic fundamentalists. Based on the levels of smartness and training we've heard about to date, I would guess that to any efficient agency with legal access to the right tools the wannabe terrorist is effectively saying, "Here's where I live. Come on in, rummage freely and stay as long as you want."

I think this explains the lack of successful attacks (touch wood) that we've seen in the UK the last few years. It's certainly not for want of attempts.

Of course, if your communications security agency is not up to speed - Hello, Belgium? - even incompetent jihadis can still make it happen.

No comments:

Post a Comment

Comments are moderated. Keep it polite and no gratuitous links to your business website - we're not a billboard here.