Wednesday, March 30, 2016

Sometimes techy details matter

How terrorists use encryption is going to become central to the Cryptowars 2.0 debate. Both sides are going to cite the case of Reda Hame described in this NYTimes article. On one hand, it shows that terrorists do indeed use encryption. On the other hand, the terrorists used TrueCrypt, which can't be stopped, no matter how many "backdoor" laws the police-state tries to pass.

The problem with the NYTimes article is that the technical details are garbled. (Update: at the bottom, I correct them). Normally, that's not a problem, because we experts can fill in the details using basic assumptions. But the technique ISIS used is bizarre, using TrueCrypt containers uploaded to a file-sharing site. This is a horrible way to pass messages -- assumptions we make trying to fill in the blanks are likely flawed.


Moreover, there is good reason to distrust the NYTimes article. Small details conflict with a similar article in the French newspaper Le Monde from January 6. Both articles are based on the same confession by Reda Hame from last August.

For example, in discussing a training accident with a grenade, the NYTimes article says "Mr. Hame did not throw it far enough and was cut by shrapnel". The Le Monde version says he tossed a stun grenade into a hut, then entered the hut, after which the grenade exploded. Stun grenades don't have "shrapnel". As the Le Monde article provides a direct quote, in the original French, it is more trustworthy:
"J’ai jeté la grenade dans la maisonnette, j’ai entendu une petite explosion, je suis rentré dans la maison, j’ai tiré dans trois cibles, puis la grenade a explosé"
Update: You would not throw a fragmentation grenade at a silhouette drawn on a wall, as the New York Times article describes. Throw it hard enough, and it just bounces back toward you. That's not how it works. How it does work is how Le Monde describes, wait for the a stun grenade to go off before entering the room. The interrogation of Reda Hame lasted over 17 hours over multiple days, so you can imagine that at some point, he might have retold the story in a different way that might be closer to how the NYTimes describe it, thus accounting for the discrepancy. But this is doubtful, since this is not things work.

This is just one example, there are several other discrepancies with Le Monde. If the reporter gets these types of details wrong, how can we trust her on getting details of TrueCrypt correct?

For example, the reporter describes "a piece of paper showing his login credentials for TrueCrypt", though a picture of TrueCrypt in the article shows the use of "keyfiles". However, there's no such thing as "login credentials for TrueCrypt". It's not a website or a computer, you don't "login" to it. There's no username. Instead, you have the passphrase to encrypt or decrypt the file. This is a perfectly fine detail to mess up in normal circumstances, because the average reader neither knows nor cares about the difference. But, since we techies are confused, and the reporter isn't trustworthy about getting small details correct, the difference suddenly looms large. Maybe the reporter is confused about the difference between "login credentials" for TrueCrypt and login credentials for the file upload site.

She then goes on to describe "he was to upload the encrypted message folder onto a Turkish commercial data storage site". Again, the terminology "encrypted message folder" in confusing. We assume it means the encrypted volume file, or the encrypted container file.

Also, what the heck is a "commercial data storage site"?? She goes on to tweet:
What does this mean "like dosya.co"? Is it that site, or another one?

Also, that site is a "file sharing" site, not a "data storage" site. File sharing services are designed to share files, usually copyrighted materials like movies, music, porn, games, and ebooks. Data storage services like DropBox are designed for data storage. It's an important detail, especially when you consider how intelligence services might be monitoring them for metadata.


I've written up a brief post on how intelligence services can track down terrorists using this technique, from either already collected metadata, or monitoring with their "XKeyScore" system. But I have little faith I've understood the details correctly from the NYTimes article, so there's a good chance my post is just nonsense.

This isn't an issue of being unnecessarily pedantic. I fully support the idea that reporters can use inelegant or "wrong" terminology in order to get the point across. The problem here is that I don't think the reporter is getting the point across. I'm confused. Moreover, we know that the reporter has gotten other details wrong, when comparing similar passages with the Le Monde article, which directly quotes the subject.

Update: And now I've read one of the original French documents where the subject describes what was on that slip of paper recovered from his apartment, and confirmed my suspicion that the NYTimes article got details wrong.

The document I saw says the slip of paper had login details for the file sharing site, not a TrueCrypt password. Thus, when the NYTimes article says "TrueCrypt login credentials", we should correct it to "file sharing site login credentials", not "TrueCrypt passphrase".

The original French uses the word "boîte", which matches the TrueCrypt term "container". The original French didn't use the words "fichier" (file), "dossier" (folder), or "répertoire" (directory). This makes so much more sense, and gives us more confidence we know what they were doing.

The original French uses the term "site de partage", meaning a "sharing site", which makes more sense than a "storage" site.

MOST importantly, according the subject, the login details didn't even work. It appears he never actually used this method -- he was just taught how to use it. He no longer remembers the site's name, other than it might have the word "share" in its name. We see this a lot: ISIS talks a lot about encryption, but the evidence of them actually using it is scant.

Update to this update: Runa Sandvik insists there are more than one pieces of paper in the story. Therefore, I could be talking about one piece of paper with "website login", while the NYTimes article could be talking about another with "TrueCrypt password":
But the original article references only a single piece of paper, "in his bag a piece of paper showing his login credentials for TrueCrypt". It's very strange that they are now claiming there existed separate pieces of paper that contained the website login credentials not mentioned in the original story.

She insists the reason for the bad technical terms was to make it more understandable to non-technical readers:
This, of course, is bogus. Nobody thinks that non-technical readers will understand "TrueCrypt login credentials" easier than "TrueCrypt password". Non-technical users understand "password" much better than "credentials".

Update: Somebody (@thegrugq) pointed out yet another discrepancy with a CNN story, describing the process of uploading to a file sharing site:
NYTimes: “basically a dead inbox”
CNN: "it operated like a dead letter drop"
The original phrase in French was "une boîte aux lettres morte" (a box of dead letters). The correct translation is "dead drop" (or "dead letter drop"), not "dead inbox". The word "boîte" can also refer to a person's inbox, so it's a reasonable error to make if you don't understand this is a specific spycraft term and are attempting to just translate the words according to French vernacular.

1 comment:

Kirk said...

It's refreshing to see that others notice those nuances, too, and recognize their potential negative ramifications!