Friday, April 01, 2016

ISIS infosec seems to be rubbish

How ISIS does information security

CNN reports:
"Last summer, a French student was arrested in Paris on suspicion of a plot to take hostages at a concert hall. His name was Reda Hame. According to a transcript of his interrogation obtained by CNN, Hame claimed he had been provided weapons training, including in the use of Kalashnikovs, by Abaaoud in a park in Raqqa in early June. But he'd backed out of the plot when he arrived in France."
According to security researcher the grugq, CNN further reported:
"Hame also revealed to interrogators that ISIS had set up an elaborate encrypted communication system so that it could keep in touch with its European operatives.

"While with ISIS in Raqqa, he said he was instructed to encrypt communications with a software tool called “Truecrypt,” which authorities found on a thumb drive he had been given by Abaaoud. Hame said he had been taught to copy a message into the software, select an encryption option and then paste the message into a password-protected sharing site."
The grugq asks: "How Crap Is This System?"

It's pretty bad - Errata Security has a post suggesting how any half-decent intelligence agency might hack into this ISIS protocol.

ISIS won't have any autonomous cryptographic capabilities - you have to be a first-world state to do that kind of thing right. It's forced to use third-party tools and systems. But it's very, very difficult for amateurs to design a system that the NSA, GCHQ or half a dozen other competent organisations can't address.

If the ISIS operatives are not using a VPN, then a 'listener on the wire' will get the IP addresses of dead-drop users. As Errata Security explained, TrueCrypt volumes are not hard to detect in transit. Metadata like IP addresses lead straight to identities. But I doubt that most VPNs are safe either, not when their logs and traffic can also be monitored.

Perhaps the bad guys should just send a courier, clunky as that sounds. But last I heard, couriers speak in plain, not ciphertext; they say that bugging with microphones is pretty good these days.

I like a one-time pad, but distributing it is the trick. If you send those very long random bit sequences on a USB drive, how do you know the intelligence services haven't covertly grabbed and copied them in transit? And then you're toast.

I begin to see why ISIS has been so singularly unsuccessful in the UK this last decade.

---

Note: from one of the comments: "Counterterror experts who reviewed this protocol tell me it reminds them of what al-Qaeda did for yrs: saving "drafts" in Yahoo inboxes" - (these were apparently in plaintext).

*Head-in-hands*.

---

Our transition to a Planetary Hospital

Interesting and reasonably accessible article via Jess Riedel, "Mutation and Human Exceptionalism: Our Future Genetic Load" by Michael Lynch, GENETICS March 1, 2016. From the abstract:
"What is exceptional about humans is the recent detachment from the challenges of the natural environment and the ability to modify phenotypic traits in ways that mitigate the fitness effects of mutations, e.g., precision and personalized medicine.

"This results in a relaxation of selection against mildly deleterious mutations, including those magnifying the mutation rate itself. The long-term consequence of such effects is an expected genetic deterioration in the baseline human condition, potentially measurable on the timescale of a few generations in westernized societies, and because the brain is a particularly large mutational target, this is of particular concern.

"Ultimately, the price will have to be covered by further investment in various forms of medical intervention."
The famous population geneticist W. D. Hamilton coined the phrase "Planetary Hospital", explained by Bruce Charlton like this:
"It is becoming hard to avoid the conclusion that we have been, for several generations, living in what WD Hamilton (in Narrow Roads of Gene Land, Volume 2) called the Planetary Hospital - in other words, a world in which almost everyone is suffering from significant genetic damage, and an increasing proportion of the population are suffering from genetic disease."
The dystopian effects of relaxed selection and the removal of purifying selection are well documented in the population genetics literature. The effects in just a few generations are, however, slight (c. 1% per generation).

Despite Dr Charlton's vividly expressed concerns, I like to think we may still avoid Idiocracy.
