The enemy is here and it is us.
I’m not sure if many people caught the news blip this week (our sources are: Fox News and Colorado Newsday) that clearly identified the primary recruiting communication method used by ISIS/ISIL terrorists. Having learned from the Navy SEAL-induced demise of their Satanic idol, OSL, that cell phones (when used for speaking) and couriers are ultimately trackable, this new terror blight on the planet channels contact through an open source app – SureSpot.
Potential jihadi recruits and brides are being groomed online using a phone app run by privacy and drug legislation campaigners in Boulder, Colorado: environmentalist Cherie Berdovich and alleged hacker Adam Patacchia. SureSpot is designed so messages are totally encrypted and cannot be intercepted by authorities.
When messages are deleted by the IS member, they are also automatically erased from the phones used by the new recruit, so no trace of the incriminating conversation is left. (SureSpot was used by jihadi recruiters and the recent three ISIS-bound British teen-aged schoolgirls.)
We tried SureSpot here at BNI (Julia and Ed) and it works as well as, if not better than, advertised. We downloaded the app from Apple’s App Store and Google Play (to test ease of OS [operating system] cross-platform use) and easily employed untraceable communication in under a minute. Scarily fast and vapor-like. It was just as easy to permanently delete our messages (which were in print, voice and via graphics) as they are not collected and maintained on any server.
The app is available for free on internet stores run by Apple and Google and known jihadists direct teenagers to download the software using public profiles on Twitter.
Yet none of the technology giants appear to have acted to crack down on people using the app to speak to jihadists.
Let’s begin by breaking down how their encryption works: (We’re using SureSpot’s explanation.)
Traditional IM, SMS, etc. communications send messages in “plain text”. This means that the information is sent without anything done to protect the information from being read by anyone else. It is akin to sending a postcard.
Imagine you are on vacation in Italy, Florence to be precise, and you send a postcard to your sister in London. As the postcard travels, anyone that touches it can read it. Typically you do not send information like a credit card number or your PIN or an intimate thought using the postcard format. Today this is what sending an email or a text message or an instant message or a picture is like. The message is the postcard which travels along many hops until it reaches its destination. At every one of these “hops” the message could potentially be read.
For example, you are reading an email at Starbucks. To read this email, the information travels from the server (gmail) through their (Google’s) ISP, to Starbucks’ ISP, to the Starbucks location you are at. At any one of these points the email can be read. To illustrate this we can run the traceroute command, which shows the hops your data is taking to reach its destination.
For example, the traceroute from my house to mail.google.com looks like this:
```
[adam@monkey ~]$ traceroute mail.google.com
traceroute to mail.google.com (188.8.131.52), 30 hops max, 60 byte packets
 1 DD-WRT.mugello (192.168.10.1) 0.506 ms 0.598 ms 0.794 ms
 2 184.108.40.206 (220.127.116.11) 16.723 ms 17.837 ms 32.677 ms
 3 ge-1-39-sr01.summit.co.denver.comcast.net (18.104.22.168) 17.710 ms 17.711 ms 17.828 ms
 4 te-0-3-0-5-ar02.denver.co.denver.comcast.net (22.214.171.124) 21.140 ms 22.087 ms 22.145 ms
 5 pos-0-7-0-0-ar02.aurora.co.denver.comcast.net (126.96.36.199) 25.333 ms 25.334 ms 25.448 ms
 6 he-3-4-0-0-cr01.denver.co.ibone.comcast.net (188.8.131.52) 24.116 ms 20.657 ms 20.689 ms
 7 * * *
 8 184.108.40.206 (220.127.116.11) 17.512 ms 18.328 ms 18.402 ms
 9 18.104.22.168 (22.214.171.124) 16.190 ms 16.218 ms 16.160 ms
10 126.96.36.199 (188.8.131.52) 16.674 ms 20.817 ms 21.715 ms
11 den03s06-in-f21.1e100.net (184.108.40.206) 17.238 ms 18.200 ms 18.152 ms
```
We can see that to get to Google’s server at mail.google.com, the data is being routed through at least 11 hops, any one of which could have a chance to intercept the information. Now if you controlled the routing and could make the data on your network always pass through a certain one of these hops, you could monitor all of the “plain text” data being sent on your network. Not exactly “secure”.
Surespot solves these problems by using end-to-end encryption so that only the end users can decipher it. No one along the network route the message takes from one client to another, not any of the hops, not even the surespot server, can view the contents of the data. (Only Julia and Ed can see their messages.)
How does this work?
Encryption is an electronic lock and key system. You take a plain text message and encrypt it using a key (secret). You can then decrypt the message using the same key. Pretty simple. You encrypt data at one end using the key, send it over all the network’s hops and servers, and at the other end it can be read because the key is known. None of the hops and servers in-between can read it because they don’t know the key.
So Julia encrypts a message for Ed with a key, then Ed decrypts it using the same key. Simple, right? Except for the fact that Ed needs to know the key! Somehow we need to get the key to Ed, but how can we send it over the network? We can’t encrypt it because we need a key to encrypt, so we have a catch-22. Or a chicken-and-egg situation. The answer is we don’t send the key over the network.
Public key encryption
When a user is created in surespot an associated key pair is generated. A key pair consists of a public key and a private key. These keys allow us to do magical things. So now Julia has a key pair and Ed has a key pair. The private key is stored on the device; the surespot server does not need and never will have access to it. The public key is given to the user that you wish to exchange messages with. So surespot ensures that Julia gives Ed her public key and vice versa. Now the brilliance of shared key derivation can shine. The key pair algorithm that surespot is using allows the following mathematics to happen: Julia can now take Ed’s public key and with her private key can derive a secret. Ed takes Julia’s public key and with his private key derives the same secret! Re-read that part a few times. This shared secret is unique to Julia and Ed; only they know it, and assuming their private keys remain private, only they will ever know. This shared secret has never been and never will be exposed to the surespot server or any other hops along the network route that the message takes. This shared secret can now be used to exchange information securely. This is the crux of what makes surespot work.
Because SureSpot does not maintain information on a server anywhere, there are no records.
So, why haven’t our federal intelligence and law enforcement agencies shut down SureSpot? Surespot’s owners insist that they are protecting an ‘essential liberty’ and have no responsibility to block IS. Is this app not directly providing material aid to the enemy? While I am a strong supporter of capitalism, today, technological advances need to also be balanced with security needs. Someone is dropping the ball in a very dangerous way by not addressing this perverted use of an otherwise great communication technology.
BNI Operatives: Street smart; info savvy.
As always, stay safe.