British investigative journalist Duncan Campbell speaks at DeepSec Conference about the use of cryptography by terrorists and outlines the related threatscape.
Thanks very much and good morning. I’m gonna talk, or try and talk, about what real terrorists do with modern encryption tools in the 21st century, do they succeed in communicating securely, do they know how to, how they build their own effective methods. I’ll try to respond to these questions using evidence, including a strain of real terrorism cases in which specialists, including myself, have examined computers and Internet records. But first, throw out everything you’ve read in the press (that, by the way, is my other profession). In the real world the evidence is never going to be complete or perfect, we’ll look at some of that in a minute.First, I’m going to look at the myths, the constant drum-beat of loud and fearful claims that we have endured for 2 decades about the risks of letting cryptography into the hands of Joe and Jane public. I’m going to review the terrorists’ teaching on cryptography and come up to a program invented recently by a group linked to al-Qaeda. That system code-named “Tadpole” is being used in the Indian subcontinent and was involved in an alleged plot to bring down transatlantic flights, so we’ll take the lid off Tadpole. According to the London Counter Terrorism Command, breaking Tadpole (see screenshot) was the most sophisticated decryption task of its kind ever undertaken (we’ll see).
Techno-fear rules – alongside techno-fear, the advocates of more Internet control have for 20 years invoked the spectres of Four Horsemen that would use the Internet and crypto to harm us: paedophiles, narcotics distributors, organized crime, and, of course, the big one, international terrorists.Those of us who are a little bit older will remember that 20 years ago Phil Zimmermann invented PGP and was threatened with jail for distributing it and making it available, and in 1993 President Clinton announced the counter-measure, the so-called Clipper and Capstone chips (see image) that included backdoor entry for the U.S. National Security Agency.
So the spectre of terrorism networks hiding behind unbreakable encryption has been a war cry for security agencies, supporting their claim for key registration for 20 years. If you were around then you’ll remember ‘key escrow’ that had required us to entrust governments with a database of registered backdoors to all crypto systems. What’s not to like about that? International campaigning groups challenged the Clipper plan as illegal and by 2001 they’d lost, the key escrow program proposals went right into the trash. Who now remembers the EES, the Escrowed Encryption Standard?In the run up to 9/11 there was a new scare story out there in the media. On the 5th of February, 2001, ‘USA Today’ published an exclusive report “Terror groups hiding behind Web encryption” (see screenshot), and it says that “Hidden in X-rated pictures on pornographic websites and sports chats are the plans for the next terrorist attack on the United States”. Well, I only hope these chaps spent a lot of time looking at porn over the 9 months, but it didn’t do them a lot of good. “Computer software is allowing secret plans to go back and forth in the Internet undetected”. That’s the porn again. Farfetched they suggested it might have been, farfetched it was. But it gained currency again, just after 9/11. The ABC programme ‘Primetime’ in the United Stated claimed there was new evidence of Bin Laden using Internet steganography that has absolutely astounded American law enforcement intelligence agencies. Wow! The ABC programme featured an interview with the president of WetStone Security Company, and it showed him entering a secret code on screen to unlock pictures and plans from a rather large familiar graphic (see image).
Was any of this true? These images were downloaded from WetStone’s website by a couple of researchers from the University of Michigan, they broke the steganography pretty quickly, about one minute, they found that the password to extract the secret content was “ABC” – the name of the network, and that was the so-called terrorist file, but the viewers of ABC television were never told.The next improbable allegation was published on another website by the Pentagon reporting that al-Qaeda was planning a major biological attack, with evidence from a former National Security Agency instructor. He claimed to have discovered plans of a much larger attack being arranged on the Internet and using coded instructions to direct sleeper agents. Scary stuff!
This novel was just published in Britain (see cover), it’s about a British Islamist terrorists cell who are about to mount a suicide attack on London. They gather secretly in a safe house. “Have you heard of steganography?”, says Salim. “There’s a kafir site (kafir that’s the rest of us, the unthinkables, the upper states, the infidels), called “babesdelight”, with naked girls. You choose lots of pictures and you need to type on one called ‘Olya’. Embedded in that, in a particularly intimate place, is your hourly last-minute instructions.” There it is, and just touching the intimate place for your instructions.The hijackers who attacked New York and Washington did not use encryption at all. On the 18th of September 2001, FBI Assistant Director Ronald L. Dick, who was head of the U.S. National Infrastructure Protection Center, told reporters at an FBI briefing that records of the Internet messages between the 19 hijackers had not involved any encryption or concealment. He said it was simple e-mails back and forth. That was it: no encryption. A decade of fear, the biggest plot ever, the biggest loss of life – no encryption. And exactly the same conclusion was reached in the large official 9/11 report (see image). The hijackers had used regular e-mail services like Hotmail, they’d been taught to use simple codebook substitutions, such as calling the White House “The Faculty of Politics”, or the World Trade Center “The Faculty of Commerce”. They did not encrypt. No stag porn. Nothing, zilch.