Jihobbiest Security Advice

By Nicholas Weaver
Friday, October 30, 2015, 8:00 AM

The second issue of al-Risālah, the purported English-language magazine of Jabhat al-Nuṣrah, was released a few days ago, complete with soldier-of-fortune-esque cover showing a masked (stock?) photo horribly mishandling a couple of Glocks. In addition to all the other fodder designed to incite jihobbiests into action and what appears to be a shockingly conventional advertisement for Glock, there is some spectacularly bad computer security advice provided by the "Global Islamic Media Front". Although Joseph Cox in Vice covered the bad security advice, he underplayed the awfulness. But delving into the awfulness is important, because it clearly shows the difficulties faced by those attempting to evade the full attention of the modern surveillance state.

The mantra of paranoia is right on. "If the head of the Crusader West, America, uses these tools to spy on their own citizens and allies, then just imagine what it has deployed for the Mujahideen who fight for Allah." But the good advice ends there, with the rest seemingly written not by a wise cyber-Jihadi, but someone working for the British JTRIG designed to trip up potential jihobbiests with bad practices. (If this really was written by someone at the NSA or GCHQ, they really deserve their annual bonus.)

The first set of advice is on the choice of message encryption, advocating home-brew tools written for jihobbiests. The software the advocate in this issue is Amn al-Mujahid, a message encryption application. This software is incredibly crude, with the user having to cut and paste messages to encrypt and decrypt, complete with manual key handling. This is quite reminiscent of the old days of PGP, days so bad that there is now a cliché academic paper sequence which started with the famous "Why Johnny Can't Encrypt". Good secure encryption, such as Signal, is practically transparent to the user: if you can communicate you are doing it right. These tools are not.

But let us assume Jihobby Johnny actually manages to encrypt his messages. Well, these crypto apps, in addition to being of questionable security with the possibility of unknown backdoors, practically glow on the wire. Any network eavesdropper, be they NSA, GCHQ, DGSE, Unit 8200, Russian, or Syrian, can instantly pick out these messages. Even if the content is unknown, the metadata is the message. In this case, the message is "I'm a Jihobbiest".

And the bad doesn't end there. To obtain this software, Jihobby Johnny is instructed to go to an unencrypted web page, hosted in Germany, and download it, with his requests passing by an uncountable number of eavesdroppers. There is absolutely nothing preventing any spy from not only seeing the request but surreptitiously replacing it with a malicious version. If anything, the biggest problem might be which spy agency gets to take over Jihobby Johnny's computer?

As a final cherry on the sundae, Jihobby Johnny is limited to using Android or Windows, and specifically advised to only use Jihadi-approved software. Well, given that Apple devices are supposidely forbidden by ISIS for being untrustworthy, and iOS wouldn't allow the user to install Jihadi-branded cryptography, this isn't surprising. But it is unfortunate for Jihobby Johnny: the low-cost Android devices are so insecure that an NSA intern can break in with just a glance. Simply put, this advice seems to ensure that Jihobby Johnny is completely tracked, traced, and pwned by every intelligence agency in the area.

After dispensing advice sure to get Jihobby Johnny caught, the anonymous author then discourages the use of TrueCrypt full disk encryption based on some recent vulnerabilities. Yet these vulnerabilities do not affect the quality of encryption, and they don't actually prevent TrueCrypt from working how its supposed to. Disk encryption doesn't protect a computer from malcode, but protects it from theft.

The particular vulnerabilities are privilege escalation, attacks where some malcode running on the computer in a limited account is able to take over the system completely. Yet once the NSA malcode is running on Johnny's computer, the NSA has an entire suite of such vulnerabilities to exploit. Encouraging Jihobby Johnny to avoid TrueCrypt simply means that when Special Forces captures Johnny's computer, they can read all the information.

Finally, the anonymous authors offer contact information through Twitter, Telegram, and SureSpot. By default, both Twitter and Telegram messages are in the clear to the service providers, including Telegram's group chats, and all three clearly express metadata to the service providers even for encrypted messages. Again, its not a question of which intelligence agency is monitoring for contacts to these accounts, but how many agencies are grabbing the same data.

The biggest problem Jihobby Johnny has is introductions. A public introduction, like the ones presented here, may have large reach but instantly flag contacts as being interesting to those watching. Now Johnny could use a good anonymity system for the initial introduction, like Tor, but if Johnny already has the OPSEC (Operational Security) needed to contact the introduction point he is so far above average. The problem Johnny faces is how to learn OPSEC before he actually contacts anyone. But he only has need of good OPSEC after he starts down the road to becoming a jihadi!

In the end, Jihobby Johnny is at a huge disadvantage when facing off against the intelligence agencies. He can communicate securely, but he needs to know how before he walks down his path to Jihad. Because unless he knows what he's doing beforehand, he's going to be easy to spot. But in particular, we should all thank the Global Islamic Media Front and their great contributions to Jihobby Johnny's future.