Some questions about espionage and cryptography today

So I’ve been reading a bit about espionage recently (fiction and non-fiction), and got to wondering how the old cloak-and-dagger stuff would work today, both in terms of reality and fiction. It might be hard to get factual answers on this, but let’s see what we can get:

-How does espionage work these days? I’ve read a bit about private intelligence companies (eg Control Risks Group, Hakluyt & Co) – how do they do their recruiting, and how do they do their work? (Is it mainly just investigative journalism that doesn’t get published?)

-How might someone break into the espionage/intelligence-for-sale/not-quite-legal arms dealing business today, and how might they find business? I’m thinking of the curious case of a pair of stoners that ended up selling ammunition to Afghanistan for the US government, and wondering how else it could work. Case studies would be great. (yes, I’ve read about Viktor Bout too)

-Let’s imagine I’m writing some fiction about a group of non-government spies in a private worldwide network. How might they communicate amongst themselves online without being “listened in on” by government agencies? What, if any, are some of the options for completely secure (say, almost certain to remain secure for 10 years even if the NSA wants to try to crack it) communication that John Q. Public can get hold of for less than US$150 (hardware or software)?

-What’s a good place online to learn about cryptography methods and systems today, for a guy whose only knowledge of cryptography comes from reading Neal Stephenson’s Cryptonomicon?

Disclaimer: none of this is to promote anything illegal, it’s some research distantly related to a thesis I’m writing and for an idea I have of maybe writing some fiction in the future.

Assume the standard jokes (“if you have to ask, then you’re not qualified”, “I could tell you, but then I’d have to kill you”, etc) have all been told already, unless you have a particularly amusing variant. :stuck_out_tongue:

I don’t know about ten years, but Rijndael and a decent password should last a good while. There’s probably lots of free software that you could use.

I don’t know about espionage, but there are ways to embed information into the “noisy” bands of images. (Embedding and detecting such info is a research topic in image processing.) The images could be stored on public parts of the Internet (Usenet? Facebook?) and should preferably get high hits (nude women? :wink: ) so the clandestine downloading wouldn’t attract attention.

Detecting and decrypting clandestine messages is (was?) a huge multi-billion dollar part of U.S.A. security. With advances in clandestine messaging, I really wonder what the state of NSA’s efforts now is. (My guess is that they’re happily in business “picking the easy fruit” since 99% of bad guys won’t use sophisticated encryption.)

As it was mentioned, the technique is to hide the information inside other information. That process is called steganography.

It wouldn’t take much CPU horsepower for the average citizen to hide information in a way that NSA’s billion dollar super computers could not crack. Yes, their computers and forensic cryptographers could detect that there was some kind of hidden information but they wouldn’t be able to decrypt it. In those cases, it would be easier to employ rubber-hose cryptanalysis.

A good intro to crypto is The Code Book by Simon Singh.
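The two halves of the claim above (hiding bits in an image is cheap; an analyst can still tell that something was hidden) can be shown with a small worked example. This code is added here and is not from any poster; it uses a constructed list of grayscale pixel values as the "image" so no imaging library is needed, and the detector is the textbook pairs-of-values chi-square test, which works because an encrypted payload has random-looking bits.

```python
import random

def make_cover(n_pixels: int, seed: int = 1) -> list:
    """Constructed stand-in for a grayscale image (a flat list of 0..255 values).
    Within each value pair (2k, 2k+1) the even value is about four times more
    common than the odd one; real images show similar per-pair imbalances."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0)
            for _ in range(n_pixels)]

def random_payload(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed payload that looks like ciphertext (uniform random bits)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))

def embed_lsb(pixels: list, message: bytes) -> list:
    """Hide message bits (MSB first) in the least-significant bit of the
    first 8*len(message) pixels; the visible image barely changes."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message longer than the cover can hold")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out

def extract_lsb(pixels: list, n_bytes: int) -> bytes:
    """Read the LSB plane back into bytes."""
    bits = [p & 1 for p in pixels[:8 * n_bytes]]
    return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def chi_square_per_dof(pixels: list) -> float:
    """Pairs-of-values chi-square (Westfeld/Pfitzmann) divided by degrees of
    freedom. Random-looking payload bits make n(2k) and n(2k+1) nearly equal,
    so the statistic collapses; an untouched cover keeps its imbalance."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2
        if expected > 0:
            stat += (counts[2 * k] - expected) ** 2 / expected
            dof += 1
    return stat / max(dof - 1, 1)

def looks_embedded(pixels: list, threshold: float = 2.0) -> bool:
    """Detector decision: a per-dof statistic this low means the LSB plane
    has been statistically flattened, which natural images are not."""
    return chi_square_per_dof(pixels) < threshold

if __name__ == "__main__":
    cover = make_cover(16000)
    stego = embed_lsb(cover, random_payload(2000))
    print("cover:", round(chi_square_per_dof(cover), 1), looks_embedded(cover))
    print("stego:", round(chi_square_per_dof(stego), 1), looks_embedded(stego))
```

The detector says only that the LSB plane was overwritten with random-looking data; it recovers nothing about the payload, which is exactly the situation the post describes.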

Most readily available encryption algorithms (3DES, AES, RSA) are pretty strong. It’s far easier for the CIA to torture the password/secret key out of you than for the NSA to crack the cipher. The only provably uncrackable cipher is a one time pad, but it still suffers the same key distribution and key security issues as the other ciphers.
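The one-time pad caveat in the post above, worked through in code. This is an added example, not from any poster: the messages are constructed, the pad comes from os.urandom, and the second half shows what "key security issues" means concretely, namely that using one pad twice lets anyone holding both ciphertexts cancel the pad out.

```python
import os

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the corresponding pad byte. With a pad
    that is uniformly random, at least as long as the message, kept secret
    and used exactly once, the ciphertext reveals nothing about the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt

def reused_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts made with the same pad: XORing them cancels the pad
    and leaves plaintext1 XOR plaintext2. The key is gone, but the messages
    are no longer independent of each other."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))

def recover_other_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If one of the two messages is known (or guessable), the other falls
    out directly; this is why 'never reuse the pad' is a hard rule."""
    return bytes(x ^ p for x, p in zip(reused_pad_leak(ct1, ct2), known_pt1))

if __name__ == "__main__":
    # Constructed sample messages; the pad is fresh randomness from the OS.
    msg1 = b"the package arrives on tuesday"
    msg2 = b"meet at the usual cafe at noon"
    pad = os.urandom(max(len(msg1), len(msg2)))
    ct1, ct2 = otp_encrypt(msg1, pad), otp_encrypt(msg2, pad)
    assert otp_decrypt(ct1, pad) == msg1
    # Pad reuse: with both ciphertexts and a correct guess of msg1, msg2 is exposed.
    print(recover_other_plaintext(ct1, ct2, msg1))
```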

State of the art encryption technology is available free of charge for everybody and, for all practical purposes, unbreakable, even for the government.

Thanks everybody, that was all fascinating and very helpful! That gives all sorts of ideas about passing messages and occasional images. What about covertly sharing large files online, like video, audio, and big databases? From what I understood they’re too big to practically hide through steganography. Programs like Dropbox or Sugarsync aren’t entirely secure, and a members-only area behind an innocuous site would presumably still be entrusted to the ISP, and given reason to investigate, authorities should quite easily be able to trace who has accessed an account through either system – or can that be effectively hidden through proxies?

For gigantic files, you’d have to try something such as masquerading the file as another file of equal size instead of embedding it in a larger file.

For example, you have a terabyte (one thousand gigabytes) of secret oil exploration and geological data that you want to send to someone else. You could run an algorithm to scramble all the bytes to make it “look like” a terabyte of noisy microwave data collected from outer space (because you’re an astronomy hobbyist searching for alien life forms.) The problem there is that you have to convince the FBI or whoever that there’s a plausible chain of circumstances for you to have 1 terabyte’s worth of microwave data. The FBI then says, “ok, where’s your microwave dish? I don’t see one in your backyard.” And then you stumble for words and then say, “oh… I don’t have the dish myself – my SETI friends in various countries have the dish hardware and send me the data to analyze, etc, etc.” And the FBI continues with more questions… until you eventually get to the rubber-hose cryptanalysis.

If you want to use a service like Dropbox for your clandestine communication, just encrypt your file before uploading it (for instance using GPG, GNU Privacy Guard).

This wouldn’t even be really suspicious because encrypting files you put online is a reasonable thing to do anyway (at least I do it all the time).

I read somewhere that Al Qaeda operators in the past used Yahoo email accounts for sharing files. They didn’t even bother to actually mail these files. Instead, they shared user names and passwords in advance and then just uploaded the data.

But can’t Dropbox, an ISP, or any authority with a warrant trace who (and when and where) has accessed a Dropbox or email account? Or are proxy servers really enough to get around that?

The only “who” that Dropbox or an ISP can give you is the IP address and the name on the account, and possibly some information about the browser or other client that accessed the service. If you do your downloading from a coffee shop, then they can maybe get the MAC address of the network interface you connected with and might be able to get some security camera footage from around there at the time.

If you (a) don’t reuse coffee shops, (b) spoof your network card’s MAC address, and (c) do your Dropbox access from a fresh virtual machine running a stock browser install that you’ve used for nothing else, they’re not really going to have anything to identify you with. The proxy server helps too, since it might keep them from finding the coffee shop at all.

Also: pay for the coffee with cash :wink:

Thanks, all of you; I really appreciate this info. I’ll pick up the Singh book too.

Anyone have any responses to my first two questions in the OP? :slight_smile:

For transmitting large files, you could establish a direct connection, use standard cryptographic techniques to verify that the person you’re talking to is who it’s supposed to be, and then transmit it over that direct connection, without the files ever needing to be stored on any computer you don’t control. As for your cover story if the feds notice large amounts of data moving this way, the simplest would probably be to (eventually) admit it was some other, lesser, crime, like copyright infringement (which is common enough to be unremarkable, but still gives a plausible reason for you to be covering your tracks).

Yes and no.

Absent a proxy or other measures, the destination service (Dropbox, say) doesn’t really know who or where you are. They know the email address and whatever else you provided at signup. Your IP address provides them with some information about your location, but they never really know how reliable that is, and often it’s quite misleading. Tying a file on Dropbox to a specific person or physical address would require information from both Dropbox and the source ISP. Law enforcement can and will request that info if they want it; whether or not they get it depends on Dropbox’s policies and the location of the source ISP. (I’m using Dropbox as an example; the same deal applies to any other web service.)

In other words: under normal circumstances your ISP could tell that you’re accessing Dropbox, if they want, but generally¹ not which account or files you’re using. Dropbox knows your apparent IP, which tells them which network you’re on, and gives some indication of where you are, but they can never be sure how accurate that is. Only someone with the resources to extract information from both Dropbox and the ISP can tie one account to the other.

Using a regular proxy will sometimes hide your true IP address from Dropbox. If it’s an SSL-encrypted proxy, it will certainly make it harder for your ISP to know that you are accessing Dropbox (but may not make it impossible). And, encrypted or not, it will at least decrease the certainty Dropbox has about the location of your computer, and may obscure it to them entirely. But as far as law enforcement is concerned, all you’ve done is increase the number of places they need to extract information from two to three: first Dropbox, then the proxy, then the source ISP.

It might be that Dropbox, or the proxy, or the ISP refuses to hand over that information, or doesn’t log it in the first place. Maybe they’re in a different jurisdiction and the warrant isn’t valid. But you can never really know who is logging what. And each of those services is required to comply with the law in their respective locations - when the law says to hand over the logs, it’s not optional. If your life depends on it, you don’t want to have to rely on unknown and untrusted third parties to maintain your security. That’s especially true of free proxies, open wi-fi and the like: in fact some of them are run with the express purpose of compromising the security of those who use them.

You can chain proxies of course. But again, all you’re doing is increasing the number of sources from which your adversary must extract information, from three to four or five. Each added proxy decreases reliability, and increases the chance you’ve picked one that is compromised. If your adversary is incompetent or doesn’t have the resources to extract information from an overseas proxy, then one secure offshore proxy may well be enough, assuming you trust them.

Your next step would be to use TOR. In a nutshell, this automates the process of chaining your traffic through multiple proxies. It uses cryptographic techniques to ensure that each proxy in the chain knows nothing more than where to route the traffic for its next hop. It’s specifically designed so that even if most of those proxies are hostile or compromised, they still can’t determine the source and destination of the traffic. And, while there are no doubt some TOR nodes run specifically to help compromise traffic, the genuine operators are careful not to log any details of the traffic they carry, as a matter of self-preservation. Given no other means of investigation, tracing traffic through TOR is essentially impossible².

So really it comes down to your threat model, and how well resourced your adversary is. If they only know the name of a Dropbox account or file, and they have no idea at all who is accessing it, their chances of passively tracing activity back to one of several billion potential suspects is relatively low to begin with, and essentially zero if you correctly use TOR. Note that this doesn’t mean you’re untouchable; it only means that you can’t be traced by passive monitoring. It doesn’t make you immune to plain old investigation.

  1. If you’re not using SSL/HTTPS to use Dropbox, your ISP could log your HTTP traffic, and by examining that may be able to identify the account or files you’re accessing. But that’s too resource-intensive to do as a matter of routine; if it happens at all, it would only be done in response to a request by law enforcement to monitor a specific account’s traffic. And if you’re using SSL/HTTPS, the ISP can’t do that at all; the best they could do is confirm that you’re using Dropbox, and report the times and sizes of requests up and down. The contents of SSL encrypted activity are unreadable to them.

  2. If a resourceful adversary wanted to check if a specific known person was accessing a specific Dropbox account, they may be able to correlate traffic from Dropbox and that person’s ISP, regardless of whatever proxies might be in the middle, including TOR. Note that I’m not talking about tracing from Dropbox back to an arbitrary source ISP; I mean when both the Dropbox account and the ISP account are already known, and they are merely trying to confirm if the two are connected. But if you’re using TOR, at best that will give them a correlation. Not enough to stand up in court. If you’re the world’s most wanted terrorist, on the other hand, and the MIB are at the point where they just need to confirm which of 5 known safe houses you’re using to upload your grocery list, then even TOR is probably not going to help you.

People use web sites set up as Tor hidden services to sell illegal drugs and weapons covertly, like some kind of sketchy eBay…

This may be slightly tangential, for it is more about other parts of espionage rather than just cryptography, but the entire espionage game is becoming more difficult.

This article talks about the problems that biometric scanners at ports-of-entry are causing for the espionage community.

In the “old days”, spies were able to move around freely because their respective services were so good at producing fake documents (visas, passports, etc.). However, biometrics (such as iris scanning) are so accurate that spies simply do not have the freedom of movement they once had.

I don’t think the article I linked to is the one that I had first read. Sorry, my google-fu is not up to the challenge, but I read an article about a month ago on this very subject. In that original article, it talks about how in many places, a country’s intelligence services can tap into the computer systems of the hotels (or, at least the 4- and 5-star hotels) to extract data regarding hotel guests. The smaller, less-reputable hotels may not have the sophisticated computer systems, but the spies run the risk of having their covers blown. For example, a person masquerading as a successful businessman would be out of place staying in a fleabag dump of a hotel.

Many intelligence services saw the seeds of this being sown prior to 9/11/2001, but the anti-terrorism measures implemented after that date have truly changed the espionage game.

Since the technical aspects of cryptography and steganography have already been covered fairly expansively, I’ll address the questions regarding human intelligence and physical surveillance.

In theory, surveillance should be much better, and the old trade methods of passing messages and conducting meets should be obsolete. Indeed, when a target is known and surveillance is in place, it is relatively easy to track and listen to a target in ways that are nearly impossible for a single person to defeat. This doesn’t even require esoteric technology; commercial single chip GPS, multi-gigabyte videocameras the size of a camera battery, fiber optic cameras with pinhead lenses, et cetera put such technology easily within the reach of the average person.

The problem is knowing who to watch, and for untargeted mass surveillance (crowds, transit points, et cetera) sifting the data to find something of significance. The sheer amount of data and the frequency of false positives (which, for methods such as automatic facial recognition, may be vastly more than true positives) tend to overwhelm even the most expert analysis.

Human intelligence, or HUMINT, is undoubtedly the most valuable source of information in terms of signal-to-noise ratio. However, developing usable HUMINT sources requires not only effort but talent, and there is always the question about the very human motives of such sources polluting the intelligence or even giving deliberately false intelligence. There are also the physical and immediate legal risks of recruiting spies, especially in foreign territory, versus electronic methods and signal interceptions.

Although much of the focus for defense against espionage today is on cybersecurity, the real weakness is always people, and both the Russian and Chinese intelligence services have focused on the use of social networking (both in-person and using Internet sites) to find, recruit, and blackmail suitable sources. Private intelligence companies no doubt do the same thing.

As for arms dealing and munition smuggling, while this was a free-for-all through the mid-'Nineties, it has now become a serious industry for several national interests, and small players are likely to find themselves outbid, or equally likely, gutted and left in a ditch in some African country that changes hands more often than a hot Glock in Baltimore. The people who used to be free-lancers for the East or West are now representing arms manufacturers and distributors directly. Getting a foot in the door probably means apprenticing with someone in the industry.

Stranger

Cite please.

Drugs and guns.

Thanks again for great information, all! Special thanks to tellyworth for the detailed security explanation.

BobArrgh, I read something similar in the Economist last year - a short piece saying that Facebook and other social media are undermining the spy business, as it’s becoming hard to create a credible cover ID with an online identity. With Facebook displaying all activity with dates that now typically go years back for most users, a newly-created page for a cover ID (such as your example of a successful businessman) will generally be suspicious - and apparently, creating a fake online identity on something like Facebook is surprisingly difficult.

Thanks for the analysis. Do you have any sources for the above? It gels with my experience and research, but I’d love to see an in-depth look at what brought about the change.