helicon | 10 years ago

The IRA were known to recruit top STEM students from universities in Ireland during their campaign to make bombs. Surely an entity as large and as well financed as ISIS would have little trouble finding bright young engineers & technologists sympathetic to their cause to simply build their own encrypted services? And then so much for the spooks' 'backdoors'.

mike_hearn|10 years ago

Because PGP has been so successful?

The tactic you're suggesting has been tried before (the software was called Asrar, I think). It doesn't work well for them, for a couple of reasons:

1) Custom terrorist software is no easier to use than something more mainstream like PGP, but is a lot more incriminating if you're found to be using it.

2) Is it really made by fellow jihadis? Or is it a backdoored plant by western intelligence? How can you know?

The latter question is a bigger issue than you'd expect. Terrorists don't like to helpfully announce their real names and backgrounds on their websites, so the provenance of jihadi software is frequently unknown. It just sort of floats around on the internet. So it can be much harder to trust than just a plain old copy of PGP.

You might think that IS can solve these problems because it's bigger and more organised than a group like al-Qaeda. But it's not like IS has an official website with a nice SSL certificate and a big download button (CAs will generally not sell to sanctioned entities). They use networks of ad hoc and quickly suspended Twitter accounts to communicate, and apparently, Telegram. So for them to distribute custom crypto software wouldn't be easy.

helicon|10 years ago

Ah... But let's say you and I have already met up in a training camp in Afghanistan or Syria and installed an apk on our smartphones!

But those are interesting points.

BinaryIdiot|10 years ago

> Surely an entity as large and as well financed as ISIS would have little trouble finding bright young engineers & technologists sympathetic to their cause to simply build their own encrypted services?

You wouldn't even need the brightest engineers. In fact so many encryption algorithms have been open sourced and/or in library form for so long that it's easy for practically any developer to do.

drdaeman|10 years ago

Just having a library that does something doesn't magically bring security. The issue is, the engineer still needs to know a lot of stuff (or strictly conform to the instructions) to use the thing correctly. There are too many ways to screw the thing up without even knowing it.

So, if the thing's to slap some nice GUI upon an existing library that implements the security bits, then almost no knowledge's required. But if one has a library full of primitives but still has to combine them in a meaningful way - it's a damned minefield.

nickpsecurity|10 years ago

That statement shows you haven't spent any time researching the security of secure messaging solutions. Or security software in general. Virtually all of them had protocol or implementation flaws with most having flaws so severe that cryptographers and top programmers saw fit to write books detailing how to do it right.

Books most people making "private" apps still haven't read. ;)

fucking_tragedy|10 years ago

Having traffic encrypted with illegal algorithms pass through the Internet would make you a target.

arpa|10 years ago

How would one determine whether a legal algorithm was used or an illegal one? Even without steganography?

kbart|10 years ago

"illegal algorithms"

Wow, how do you define that? So, start banning math now?