Undercover communication

> It should be obvious by now, that the only way to communicate stealthily and securely is to avoid raising suspicion to the level at which the authorities might consider it worthwhile to put you under active surveillance (e.g., park a van with TEMPEST equipment by your apartment).

It has long been my view that, if the authorities have enough information on you to enable them to park a surveillance van outside your home, then you have failed utterly, and the battle is already lost. Notwithstanding that, I still had to laugh at the story posted on Slashdot the other day about the kid who was being investigated who noticed that, when searching for WiFi connections, one of the SSIDs was "FBI SURVEILLANCE VAN".

> Moreover, the medium for such a communication must be the Internet, since it is the only publicly available medium that has seen any serious development of anonymous and/or secure communication.

Agreed.

> Let's go over some specific methods of clandestine information exchange over the net:
>
> Encrypted e-mail
>
> Although apparently secure, this method puts the communicating parties at great risk of detection. E-mail servers are centralized, and accounts are easily associated with message transmission times and locations. Once a single member of the communication network becomes suspect, the whole network is immediately exposed. This holds for all similar server-dependent protocols.

Encrypted email does not prevent traffic analysis; it merely prevents anyone from trivially discovering the message contents. If you can be located, you can be compelled to decrypt your messages, whether through legal threats or the authorities simply beating the passphrase out of you -- so-called "rubberhose cryptography". The only way this can be avoided is to periodically change one's encryption sub-key.
If the old encryption sub-keys are securely destroyed, then the previous message traffic encrypted with those keys is not recoverable. Keys can be changed according to one's level of paranoia -- weekly, bi-monthly, monthly, quarterly, or randomly.

> E-mail accessed exclusively over onion routing
>
> This is a much better approach than just e-mail, but it is still susceptible to traffic analysis, and to control of the communication channel by an external party.

Agreed.

> Usenet posts
>
> This is a good approach to clandestine communication. Since Usenet is a distributed system, traffic analysis is non-trivial, and messages can be steganographically hidden inside innocent-looking posts (e.g., SPAM) in some high-traffic unmoderated group. Many users will read the message, oblivious to its true contents -- thus protecting the message recipient from scrutiny.

While I agree that the distributed nature of Usenet makes traffic analysis non-trivial, I completely disagree with the use of steganography to protect your traffic. For starters, the authorities are not unaware of the existence of steganography -- as such, it is really suitable only for rendering your message traffic oblivious to the greater public. Also, by disguising it as spam, it may be filtered out by some news providers.

If you're going to secure your messages, then the best way to do so is to use strong encryption. The best way to hide strongly-encrypted messages is to post them to a newsgroup where strongly encrypted messages make up virtually all of the traffic in the group. If you're looking for such a secure, high-traffic group, you really need look no further than alt.anonymous.messages (a.a.m.) -- it was designed for this very purpose. Furthermore, as I relate in the example case below, any real volume of PGP-encrypted traffic in newsgroups other than alt.anonymous.messages /will/ be noticed.

One of the most frequent uses for alt.anonymous.messages is as the target of nymserver reply-blocks.
Use of such reply-blocks renders any nymserver email address untraceable, as the encrypted mail can be picked up from any news server that carries alt.anonymous.messages. Furthermore, there are utilities (e.g., aamfetch, available from sourceforge) that can be used to fetch all one's messages from alt.anonymous.messages, making it impossible to determine precisely what messages are being retrieved.

Nymserver accounts are set up/maintained by sending specially-constructed email messages to the nymserver. If these messages are sent via a chain of mixmaster remailers, even the nymserver operator cannot determine who owns a particular nymserver account, even if they were to start keeping logs, perhaps at the insistence of the authorities. If one uses a randomly-chosen chain of mixmaster remailers, then it is not possible for the authorities to compromise the remailers you are using -- in order to trace you, they would have to effectively compromise the entire mixmaster network.

Accordingly, the only way a nymserver account holder can then be traced is through the reply-block associated with the account. If the reply block points to alt.anonymous.messages (a.a.m.), then the authorities will reach a dead-end. They will not be able to trace the nym account owner, nor will they be able to read their message traffic.

Now, you might ask: "Just how secure is this setup?" You'd be surprised at just how effective it is -- it was enough to thwart a combined investigation by the FBI and the Australian Federal Police (AFP), the Queensland Police Service (QPS), Europol, Interpol, the Department of Internal Affairs New Zealand, and the Toronto Police Service. Let me tell you a little story....
In just a few days, it will be exactly 3 1/2 years since the American Federal Bureau of Investigation (FBI), the Australian Federal Police (AFP) and the Australian Queensland Police Service announced the existence of "Operation Achilles", which led to the breakup of what they claimed was one of the largest child pornography rings uncovered up to that time. The individuals comprising this pedophile ring called themselves "the group" and they believed themselves untouchable, beyond the reach of the police. (For many of them -- one-half to two-thirds, depending on which affidavit you believe -- this did, indeed, turn out to be the case. This includes the ringleader, who is known by the handle Yardbird.)

The number of persons reportedly involved varied -- one affidavit stated that there were 61 persons involved, another 45, and yet another 48. All in all, there were 22 persons arrested: 2 in the UK, 4 in Germany, 2 in Australia, and 14 in the U.S. The FBI podcast, "Inside the FBI", states that the number of persons involved was 60, of which 22 were positively identified. You can listen to the podcast and read the transcript at the following URL:

https://www.fbi.gov/news/podcasts/inside/operation-achilles.mp3/view

Another superb source of information is the so-called "Castleman Affidavit" -- this affidavit was used to justify the arrest of group member Daniel Castleman. The Castleman affidavit explains the group's methodology (or modus operandi) in detail. It can be seen at:

http://www.rep-am.com/newsdocuments/affidavit.pdf

Another good source of information is:

http://www.policyb.org/downloads/Operation_Achilles.pdf

Depending on which affidavit you believe, only about 1/3 to 1/2 of the alleged members of this pedophile ring were ever identified and apprehended. As I said earlier, the alleged leader of this ring used the nick "Yardbird".
Yardbird made a re-appearance on Usenet in both 2009 and 2010 on the date corresponding to the first and second anniversaries of the busts in 2008. His intent was to show that he was still free, and to answer people's questions. One of the most important things Yardbird stated was that everyone in the group who used Tor and remailers remained free, while those who relied on services such as Privacy.LI were arrested and convicted. Yardbird further commented that several members of the group, including his second-in-command Christopher Stubbings (Helen) and Gary Lakey (Eggplant), were Privacy.LI users -- in fact he stated that they used it for everything. (Helen is currently serving a 25-year sentence in the UK, while Eggplant is serving life in an Arizona prison.)

Eggplant literally became notorious because of his constant promotion of Privacy.LI -- he continually boasted that he could not be caught because Privacy.LI did not keep logs, and they were located outside of U.S. jurisdiction. I pointed out to anyone who would listen that services such as Privacy.LI were for /privacy/ -- not for anonymity. In an ideal situation, one needs both to be private as well as anonymous. Essentially, what Privacy.LI supplied was a type of VPN service, providing an encrypted tunnel for data to travel between two endpoints -- the customer's computer being one endpoint, while the Privacy.LI servers provided the other. While there was a degree of privacy, there was NO anonymity at all -- so it really didn't come as a surprise that Privacy.LI's customers were among those arrested.

It is also worthy of note that Privacy.LI earned a 2005 entry in cryptographer Bruce Schneier's "doghouse", as I pointed out more than once. See:

http://www.schneier.com/blog/archives/2005/07/the_doghouse_pr.html

As I pointed out repeatedly, NO service operator is going to go to prison to protect the identity of his customers -- every last one of them will roll over on you, if given the opportunity.
You might ask, "How was the existence of 'the group' discovered?" Simple. Through one of the oldest investigative techniques of all -- the informer. The Australian police arrested a man on totally unrelated child pornography charges -- presumably as part of a plea deal, he revealed the existence of 'the group' and handed over a PGP public/private keypair and password.

Now, it is worthy of note that the Department of Internal Affairs of New Zealand had earlier informed the Australian police of the existence of PGP-encrypted traffic in a number of Usenet newsgroups. These messages, from users with handles like "Big Block" and Subject: lines like "New Car Contracts", were rather odd, to say the least. I also noticed some of these -- it was quite clear that there was a group of people communicating in private, but obviously there was no way to determine /who/ was communicating, or /what/ they were communicating about. If the Australian police had not had a lucky break, by arresting one of the members of the group on totally unrelated child pornography charges, they would, in all likelihood, /still/ be in the dark about what was going on.

Having acquired from the informer the current group PGP public/private keypair, and its passphrase, meant that the police could assume this group member's identity, and furthermore, read all the encrypted traffic posted by members of the group. So it was that Constable Brenden Power of the Queensland Police Service used this assumed identity from August 31, 2006 through December 15, 2007. Constable Power spent almost 18 months working out of FBI HQ in Washington, DC while working on this case.

In many ways, this case was unprecedented. No similar pedophile ring had ever previously employed the types of security measures that this group did; also unprecedented was the information provided by the informant, who gave the police the tools needed to infiltrate the group -- without the informant's help, they could _never_ have succeeded.
Once the group was penetrated, the police were able to take advantage of a few factors:

1) They had the informant's computer, with all its email, PGP keys and the like. This provided a history, which made it easier to continue the impersonation.

2) By the time it was penetrated, the group had been operating for about 5 years. By this time, the group had jelled into a community -- people were familiar with each other, they often let their guards down, and would sometimes reveal tidbits of personal information. This is especially the case when they thought their messages were secure, and beyond the ability of the police to intercept -- they would say things that they would *never* say in the open.

So, as you can see, the group was pretty much an open book to the police; they were completely and thoroughly penetrated. Despite that, however, the majority of the group were _still_ able to remain at large, and were neither positively identified nor arrested. This is due to the privacy tools (i.e. tor, nymservers, remailers) that were employed. Even with everything else being an open book, those using these tools still managed to elude capture.

By now, you're probably thinking, "Why is he going on about pedophiles?" "Pedophiles are disgusting! They should all be shot!" Leaving aside my personal feelings about pedophiles, I brought up this case as an example for several reasons:

1) Child pornography is a serious crime in virtually every jurisdiction. As this example demonstrates, police will work together, even across national boundaries, to investigate these crimes. They are willing to invest considerable time, manpower and money in pursuit of these suspects. The only other crimes which usually merit this type of approach are drug/gun-running or terrorism. The level of effort expended in pursuing this group can be seen in that even FBI executive assistant director J. Stephen Tidwell was involved.
Normally one would not expect FBI personnel that highly placed to be involved -- this shows the level of importance placed on this particular investigation. (A year or so after the busts, Yardbird himself expressed astonishment that the FBI would consider his group such a priority.)

2) This case is the only one that I'm aware of where suspects were using sophisticated tools like PGP, Tor, anonymous remailers and nymservers.

3) This case underscores the effectiveness of these tools even against well-funded, powerful opponents like the FBI, Europol, and Interpol. (N.B.: FWIW, those who were caught used either inappropriate and/or ineffective tools and techniques to protect themselves.)

4) I fully understand most people's disgust at the types of crimes/criminals being discussed here. That said, it is important to remember that one simply cannot design a system that provides protection for one class of people, but denies it for another. You can't, for example, deploy a system that provides privacy/anonymity for political dissidents, or whistle blowers, and yet denies it to pedophiles -- either *everyone* is safe, or NO ONE is safe. This may not be palatable, but these are the facts.

Final Thoughts
==============

While this case shows the strengths of the current technologies, it nevertheless underscores that the human element cannot be disregarded. It must continually be borne in mind that the weakest element in /any/ security system is the human element. This has been true since before Sun Tzu wrote his immortal treatise, The Art of War, about 2500 years ago. It is, in fact, for this reason that Sun Tzu is still studied in military academies to this very day. It is not for nothing that Sun Tzu devoted an entire chapter in his seminal work to the use of spies.

As we have seen, infiltration is still a highly effective tactic. The group was particularly susceptible to this, as the members were unknown to each other, by deliberate design.
If someone were to be apprehended, they could be forced to turn over PGP private keys, passphrases, etc. These can then be used by the authorities to PGP-sign messages, which normally would be taken as proof that the messages in question are genuine and untampered-with. This is likely what happened in the case of the group.

Traditionally, espionage cells have been made up of only a handful of persons, each known to the other -- the idea behind this was to limit the damage in the case of the cell being either penetrated or exposed. The only types of organizations that cannot be penetrated by the authorities are those close-knit, bound by blood or other kinship ties. The only possible recourse for the authorities in these cases is to try to turn someone on the inside against his fellows.

Baal <Baal@nym.mixmin.net>
PGP Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x1E92C0E8
PGP Key Fingerprint: 40E4 E9BB D084 22D5 3DE9 66B8 08E3 638C 1E92 C0E8
Retired Lecturer, Encryption and Data Security, Pedo U, Usenet Campus

-- 
"Sed quis custodiet ipsos Custodes?" -- "Who will watch the Watchmen?" -- Juvenal, Satires, VI, 347. circa 128 AD

If you accept that freedom of speech is important, then you are going to have to defend the indefensible. -- Neil Gaiman

He that would make his own liberty secure must guard even his enemy from oppression. -- Thomas Paine