Why don't terrorists use strong encryption?
August 11, 2006 4:00 PM

Why don't terrorists use strong encryption?
posted by Sirius to Technology (24 answers total)
 
Response by poster: Talking about the recent terror attempt, MSNBC said:
after the first two arrests were made in Pakistan, a message was sent to Britain telling the plotters: “Do your attacks now.” That message was intercepted and decoded earlier this week
Why aren't they encrypting all communications with gpg (for instance) using a strong passphrase, and sending the encrypted communications through a chain of anonymous remailers to a mail to news gateway to be read on some newsgroup? Are they just stupid?
posted by Sirius at 4:01 PM on August 11, 2006


I don't know if you could say they are "stupid," so much as you could say that the mindset and educational background from which terrorists self-select may not be that of even a moderately technological person, and that what technical education and training they do receive will be directed more towards weapons, transportation, and operations than it will be to communications technology.

Small cell organization typically mitigates against sophistication in communication requirements, too. Most "secret" communication is done in venues or over systems (POTS) where personal identification is readily done.
posted by paulsc at 4:06 PM on August 11, 2006


Because they're bumbling idiots. Read chapter 7 of the 9/11 report and this Atlantic article to get an idea of what kind of people we're dealing with.
posted by cillit bang at 4:09 PM on August 11, 2006


I don't know anything about how terrorists work, but I do understand gpg and other strong encryption products very well.

They're a major pain in the ass to use correctly. And even if you do use the software itself correctly, all you need to do is slip up some other way to be compromised. Say, let someone TEMPEST your computer from 100 feet away, or have a keystroke logger installed, or have a spy in your organization, or...

Encryption math is cool and all, but the math is usually the strongest part of the system. The real tools people use are weak. I think current consumer crypto is most effective at protecting yourself from someone hoovering up all traffic looking for suspicious material. But a specific intercept with a specific target in mind? Much harder to defend yourself from that.
posted by Nelson at 4:10 PM on August 11, 2006


There's no guarantee they aren't. We in the private sector realistically have no idea how advanced the government's cryptography systems really are.

I'm reminded of the first US standard algorithm, DES. Back in '75 during the evaluation phase the NSA modified seemingly inconsequential portions of DES before accepting it as a standard. It took researchers working in the private sector until 1990 to figure out that the tweaks greatly improved DES's resistance to attack.

It took top non-government researchers 15 years just to understand the NSA's motives.

In short, I don't think you can make assumptions about the government's inability to break a cipher.
posted by crunchyk9 at 4:14 PM on August 11, 2006 [1 favorite]


I don't understand their motives.

Pointer?
posted by baylink at 4:25 PM on August 11, 2006


"When terrorist groups learned that the National Security Agency could track electronic communication only when it was in transit -- not when it was sitting in an inbox -- users started drafting messages in free e-mail accounts, then allowing others to log in to the accounts and read the drafts." (source)

That was pretty clever, especially if they used SSL, and yet easy for the non-technical to use.
posted by smackfu at 4:27 PM on August 11, 2006


Have fun being tried for espionage when your name is demanded by the government and mathowie is forced to give it up or be tortured. You gave them the idea to use strong encryption, traitor.

/only mostly kidding...


Actually though, some of them do use strong encryption and are very tech savvy. Most of them, however, don't because they're just operatives and talking in code, getting disposable cell phones etc seems sufficient to them.
posted by twiggy at 4:43 PM on August 11, 2006


Are they just stupid?

At the low levels, yes. And at these low levels, it really doesn't matter if 20 guys get picked up. You can always find 20 more.

So, what you have, then, is tiered operational security. As long as you keep both a real and a virtual distance between tiers of the organization, these 20 pawns are just that -- pawns to be sacrificed while the smart guys stay out of harm's way. Consider that al-Qaida keeps releasing audio and videotapes. Those have to come from somewhere, right? But we haven't caught them or really know much about them (or maybe we do and we're not admitting it).

In other words, we catch who we can because they fuck up and break security. We don't catch the ones that don't fuck up, because they rarely do.
posted by frogan at 5:16 PM on August 11, 2006 [1 favorite]


Terrorists: One time pad.
posted by beerbajay at 5:50 PM on August 11, 2006


I think that they are thinking in terms of "small fish, big ocean". How much internet traffic is there in a day? How much of that traffic is related to planning and commission of terrorism?

Their best defense is to be unsuspected. Using strong encryption to send and receive email between western cities and Pakistan is like painting a big "HEY, LOOK AT ME!" sign on their traffic.

Maybe it makes the traffic unreadable. But it also makes the authorities pay attention and maybe look for other kinds of information about the sender and receiver.

Yes, those encryption tools are commonly available and there are people using them for innocuous purposes (or cultural jamming purposes) but the vast majority of people don't know how to use them and don't care to try. As long as encrypted traffic is very unusual (and it is) then terrorists using it would do themselves more harm than good. Arguably.

They'd be much better off using some form of steganography.
posted by Steven C. Den Beste at 5:50 PM on August 11, 2006


A one-time pad has the same drawback. "HEY! LOOK AT ME! I'M DOING SOMETHING SUSPICIOUS ON TRAFFIC BETWEEN LONDON AND KARACHI!"
posted by Steven C. Den Beste at 5:51 PM on August 11, 2006


Is there not another form of selection going on though? ie we've heard about this weakly encrypted* message, because it was intercepted and decoded. We have no idea about other messages which are sent in a more sensible manner.

*Subject to the concerns raised above about the possible decryption abilities of the NSA etc.
posted by pompomtom at 6:05 PM on August 11, 2006


That line in that article really stuck out for me as well. If we're really "at war" here, shouldn't we avoid letting the terrists know our interception and decryption capabilities as much as possible? Don't the smarter higher-up terrists that we didn't catch yet now know that they can't send messages like the order to "Do your attacks now." without it being intercepted? What if that message had been encrypted? Now they know that the level of encryption they used and the mode of communication they used is useless. Could you imagine a line like that in some paper during World War II? "Due to the Allies' ability to decrypt all Enigma messages..."
posted by donkeymon at 6:21 PM on August 11, 2006


baylink: NSA's Involvement in the design of DES
posted by jepler at 6:26 PM on August 11, 2006


I'm pretty sure a message like "do your attacks now" would not be encrypted (because that raises flags) but encoded and sent in the clear. The MSNBC quote says:
That message was intercepted and decoded earlier this week
A cell might agree that "good apricot crop" means attack now while "bad apricot crop" means delay attack. If you are monitoring the communications of suspects, and all of a sudden you find them all trying to work apricots into seemingly casual conversation then there is a good chance they are speaking in code.
posted by MonkeySaltedNuts at 6:40 PM on August 11, 2006
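The "apricot crop" idea above, turned into detection logic as an added example (not code from any post in this thread): the code word is innocuous on its own; what stands out is several monitored senders suddenly working the same unusual word into casual messages. The traffic below is constructed sample data, and the thresholds (two-day window, three senders, five-fold rate increase) are assumptions chosen for the sample.

```python
"""Spotting an agreed code word by its sudden spread across senders."""
import re
from collections import Counter, defaultdict

# Constructed sample traffic: (day, sender, text). Days 1-5 are routine
# chatter; on days 6-7 three senders all mention the "apricot crop".
MESSAGES = [
    (1, "alice", "did you see the match last night, the weather was terrible"),
    (1, "bob", "the weather here is fine, we went to the market for fruit and bread"),
    (2, "carol", "my cousin is visiting next week, hope the weather holds"),
    (2, "dave", "the market was busy, bought bread and some fruit"),
    (3, "alice", "the weather finally cleared, going to the match on sunday"),
    (3, "bob", "my cousin says the match is sold out"),
    (4, "carol", "the market had good fruit today, bread was stale though"),
    (4, "dave", "weather is bad again, staying home to watch the match"),
    (5, "alice", "went to the market, the fruit was fine"),
    (6, "alice", "the apricot crop looks fine this year, tell your cousin"),
    (6, "bob", "heard the apricot crop is fine, the market should have plenty"),
    (7, "carol", "my cousin says the apricot crop is fine too, weather permitting"),
    (7, "dave", "going to the match on sunday, weather looks fine"),
]

WORD = re.compile(r"[a-z']+")


def tokens(text):
    """Lower-case word tokens; punctuation is dropped."""
    return WORD.findall(text.lower())


def word_bursts(messages, window_days=2, min_senders=3, min_ratio=5.0):
    """Return words whose usage rate in the most recent window_days is at
    least min_ratio times their rate in all earlier traffic, and which were
    used by at least min_senders distinct senders inside the window.
    Requiring several senders is what separates a shared code word from
    one person's pet phrase."""
    last_day = max(day for day, _, _ in messages)
    cutoff = last_day - window_days          # window = days strictly after cutoff
    base_counts, win_counts = Counter(), Counter()
    win_senders = defaultdict(set)
    base_total = win_total = 0
    for day, sender, text in messages:
        toks = tokens(text)
        if day > cutoff:
            win_counts.update(toks)
            win_total += len(toks)
            for tok in toks:
                win_senders[tok].add(sender)
        else:
            base_counts.update(toks)
            base_total += len(toks)
    if not base_total or not win_total:
        return []                            # nothing to compare against
    flagged = []
    for word, count in win_counts.items():
        if len(win_senders[word]) < min_senders:
            continue
        win_rate = count / win_total
        # +0.5 smoothing: a word never seen before gets a finite, large ratio
        base_rate = (base_counts[word] + 0.5) / base_total
        ratio = win_rate / base_rate
        if ratio >= min_ratio:
            flagged.append({"word": word, "ratio": round(ratio, 1),
                            "senders": sorted(win_senders[word])})
    flagged.sort(key=lambda hit: -hit["ratio"])
    return flagged


if __name__ == "__main__":
    for hit in word_bursts(MESSAGES):
        print(f"{hit['word']:10s} x{hit['ratio']:>5}  senders={','.join(hit['senders'])}")
```

On the sample data only "apricot" and "crop" are reported; "fine", which the same three senders also use, has enough history in the baseline that its rate rises by a factor of about 3.5 and stays under the threshold. The rate comparison, rather than a raw count, is what keeps everyday words like "the" quiet.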


It's the terrorists who get caught who aren't using strong encryption. The government will, in general, catch the stupidest terrorists first.

But the whole terrorist threat is overblown anyway. Scared citizens = more money for the departments in the government who handle that kind of threat. Bigger budget = more people = higher pay and more status in the government, because your pay and relative status is based on how many people you supervise.

So they have powerful motivations to try to scare you... it means a raise next year.
posted by Malor at 6:50 PM on August 11, 2006


The perfect way to communicate with operatives in the field (regardless of who you are) would be to use steganographic programs to hide (one-time pad encrypted) data in the least significant bits of pictures which you then post to flickr.
posted by phrontist at 7:44 PM on August 11, 2006


But surely the government can fetch all the pictures on flickr and look for messages--better to send them via email, no?
posted by equalpants at 8:18 PM on August 11, 2006


Afraid not. Information theory has been applied to cryptography; that's one of the reasons there was a complete revolution in cryptography starting in the 1960's. It turns out that a well handled cipher produces output which is indistinguishable from noise. Which is to say that it has nearly zero entropy, which is a different way of saying that it has no discernible pattern.

The text being sent obviously is meaningful, but the encryption bitstream is some sort of pseudonoise, and when they're XOR'ed together the resulting cipher also looks like noise. If you then use that to modify image files, which are then posted using a lossless format (i.e. PNG) then as long as you don't try to put very much text in each picture it's impossible to detect. (It isn't very easy to do this with JPG, by the way, because JPG is lossy and your text can be trashed.)

If you include too much text per image, it's possible to determine statistically that it is an outlier. When it comes to something like a PNG file, the easy way to determine that is to determine how much a large population of PNG files compress, to get some idea of range and deviation, and then to look for image files which compress a whole lot less than that. But if you use an image which compresses better than average and don't include a lot of text (i.e. you don't add very much noise to the image) then the resulting image+steganographic-text will still land within the normal range and it won't stand out.

There's no direct algorithm or heuristic which can pick out an image with minimal steganographic text included. The government can fetch all the pictures on flickr, but cannot easily look for messages. What, exactly, would you look for?
posted by Steven C. Den Beste at 12:07 AM on August 12, 2006
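The compression heuristic described in the previous post, implemented as an added example (not code from any poster): measure how well a population of clean images compresses, then flag an image that compresses much worse than that population. Cipher output hidden in least-significant bits behaves like noise and costs compressibility, so a heavy payload stands out; whether a light payload crosses the threshold depends on how much spread the clean population has. Everything here is constructed: the "images" are 8-bit grayscale gradients held as raw bytes, random bits stand in for ciphertext, and zlib's DEFLATE stands in for PNG's internal compression. No image library or real photos are involved.

```python
"""Compression-ratio steganalysis on constructed images."""
import random
import statistics
import zlib

WIDTH, HEIGHT = 64, 64   # small synthetic images keep the run fast


def make_clean_image(rng):
    """Constructed stand-in for a photo: a smooth diagonal gradient whose
    slope and offset differ per image, so the clean population has spread."""
    period = rng.randint(40, 160)      # how quickly the gradient ramps
    offset = rng.randint(0, 255)
    pixels = bytearray(WIDTH * HEIGHT)
    for y in range(HEIGHT):
        for x in range(WIDTH):
            pixels[y * WIDTH + x] = (offset + (x + y) * 255 // period) & 0xFF
    return bytes(pixels)


def randomise_lsb(image, fraction, rng):
    """Simulate an embedded payload. As the post above notes, well-handled
    cipher output is indistinguishable from noise, so random bits stand in
    for it. Only `fraction` of the pixels, chosen at random, have their
    least-significant bit replaced."""
    pixels = bytearray(image)
    count = int(len(pixels) * fraction)
    for idx in rng.sample(range(len(pixels)), count):
        pixels[idx] = (pixels[idx] & 0xFE) | rng.getrandbits(1)
    return bytes(pixels)


def compression_ratio(image):
    """Compressed size over raw size; lower means more compressible."""
    return len(zlib.compress(image, 9)) / len(image)


def clean_baseline(n_images=200, seed=1):
    """Mean and standard deviation of the ratio over a clean population."""
    rng = random.Random(seed)
    ratios = [compression_ratio(make_clean_image(rng)) for _ in range(n_images)]
    return statistics.mean(ratios), statistics.pstdev(ratios)


def is_outlier(image, mean, stdev, z=3.0):
    """Flag an image that compresses worse than mean + z standard deviations."""
    return compression_ratio(image) > mean + z * stdev


def demo(seed=7):
    """Run the heuristic on one clean image, a light payload (1% of pixels)
    and a heavy payload (every pixel); returns the measurements."""
    mean, stdev = clean_baseline()
    rng = random.Random(seed)
    clean = make_clean_image(rng)
    light = randomise_lsb(clean, 0.01, rng)
    heavy = randomise_lsb(clean, 1.0, rng)
    return {
        "threshold": mean + 3 * stdev,
        "clean": compression_ratio(clean),
        "light": compression_ratio(light),
        "heavy": compression_ratio(heavy),
        "light_flagged": is_outlier(light, mean, stdev),
        "heavy_flagged": is_outlier(heavy, mean, stdev),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```

The heavy payload destroys the row-to-row repetition that DEFLATE relies on, so its ratio lands near 1.0 against a clean baseline of well under 0.2. The light payload only breaks a few dozen match runs; on real photographs, whose clean population varies far more than these gradients, that is the case the post says stays inside the normal range, and it is why this heuristic is a coarse filter rather than a detector.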


It isn't necessary to use a "one time pad"; there's really no point. Using a common pseudo-noise generator with an agreed upon seed is more than good enough, and a "one time pad" has the substantial drawback of not being long enough.
posted by Steven C. Den Beste at 12:10 AM on August 12, 2006


It would seem to me, based on the available evidence that the IDF and Mossad don't seem to know nearly enough about Hizbollah and Iran, that the more professional sorts know all about strong encryption.
posted by wilful at 12:42 AM on August 12, 2006


The 'message' didn't exist. Nothing was 'intercepted & decoded'.

Notwithstanding the good and valid points made above, do you really think that the media reports are filled with anything that they haven't been given by the press releases? Of course not, right?

Those press releases are hardly likely to say that, for example, an inside contact reported the 'Go' command being issued are they?

I think sometimes we over-complicate what is really more likely to be a simple solution...
posted by DrtyBlvd at 12:56 AM on August 12, 2006


The government can fetch all the pictures on flickr, but cannot easily look for messages. What, exactly, would you look for?

I was just saying that you'd be better off not posting your message-picture permanently on a public website. Perhaps they can't identify your message now, but they might be able to in the future; why take the risk? At least make them intercept your email if they want to see it!

If they're already monitoring you, then using flickr doesn't get you anything--they can see you posting to flickr, and check out your image.

If they aren't already monitoring you, then you worry about what they're going to be able to learn once they find you. If you sent your picture over email, then they may or may not have intercepted it; if you posted it to flickr, then it's definitely available.
posted by equalpants at 7:40 AM on August 12, 2006

