Steel City Cowboy

Tuesday, October 18, 2005

IT in Iraq

According to Sachi at Big Lizards (who in turn cites this MSNBC article):
The US military captured Abu Dijana, a top propaganda agent for Al-Qaeda in Iraq. Abu Dijana was the Webmaster of a "members-only" website called Al-Qaeda in Iraq. He was responsible for blogging the day-to-day operations of al-Qaeda, such as bombing American convoys, Iraqi police, or citizens exiting from a mosque.

The headline for the MSNBC article reads "U.S. nabs al-Qaida Web site producer". Doesn't sound like too big of a catch, eh? Maybe not. The write-up on Big Lizards mainly talks about the propaganda content and the popularity of the website that was taken down. I'd like to point out a few of the IT aspects of this case.

The original article mentions that in addition to the website U.S. forces shut down, there are "unsecured" websites (what we think of as open forums) that are currently under scrutiny for intelligence data. In my opinion, that's going to be mostly fruitless. With secure alternatives available, only the most naive and stupid jihadis are going to pass actionable intelligence via open forums. So anyone we're going to catch or any intelligence we'll gather from these forums and websites is going to be of negligible value.

Also, registration for these forums can be done virtually anonymously. All you need is a screen name and an email address, which can be untraceable. The user database of any of these forums, even if fully compromised, would not yield anything interesting.

The main case in the article, though, is a different story. The website was being used as a communications medium between people who were actually carrying out jihadi assaults. That means that the users were bad, dangerous people. We also know that their real identities were known, at least to some of the people administering the site, because they would have had to know real information about them in order to validate their membership in the group. From the article: "For reasons of security, each new member of the site must be approved by a committee of existing members." If the guy they captured is any kind of decent IT manager, he would have the database of user information encrypted well enough that the NSA would have a tough time breaking it. Actually, if he had a good head for security protocols, he would have had real information fully encrypted, and at a separate, unrelated, secure location, used only to verify identities from time to time if the need arose.

But not everyone has a good head for security. If he didn't, then he may have had all of the user data that had been used to authenticate jihadi forum membership right there with him. Maybe even on the same computer. People get lazy. Sometimes we get lucky. If that's the case, this is a major coup.

Absolutely zero information is given about how they found him or when. This is one of those captures where not releasing the news of it could have enormous benefits. You can listen in to the terrorists as they make their plans. But then, you run into the WWII problem of trying to disrupt the enemy's plans without tipping them off to the fact that you have fully compromised their communication lines, sending them looking for alternatives and leaving you with a dead phone line. As we shut the site down just prior to the Constitutional Referendum, it would seem that either we couldn't maintain silence that we had captured the guy, or that we felt acting on intelligence we had already gathered from the site, even if it disclosed the site's compromise, was more important than not doing so. You make the call.

As to how we tracked him down, often (but not always), we see the phrase "local residents/tipsters phoned the terrorists' location to U.S. forces." We don't see that here. Did we zero in on him via digital means? If so, that's a good reason not to disclose even the notion that you did it that way. It's certainly possible. You identify the hosting company (or Internet provider if it's a private, local server) of the website, lean on them to let you log the administrative traffic. You trace the traffic down the pipe to its source, identify the local service provider, who in this case is probably a nasty person too, since they have to know what they're hosting. Then, you just grab their customer address list and start matching up IPs.
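To make the "start matching up IPs" step concrete, here is an added example (mine, not from the post or from anything the article describes) that correlates hits on a site's administrative path with an access provider's address-assignment records. Both the web-server log lines and the provider's lease table are constructed for illustration, as are the `/admin/` path and the subscriber names. The part the post glosses over is that on a consumer network an IP address is reassigned over time, so a match is only meaningful when the request timestamp falls inside that subscriber's lease window; the sample data has the same address change hands between two days to show why.

```python
"""Added example: attribute administrative-path requests to subscribers
using time-bounded IP lease records. All data below is constructed."""
import re
from datetime import datetime

# Constructed "combined" format access log lines for the site under watch.
ACCESS_LOG = """\
203.0.113.7 - - [12/Oct/2005:02:14:09 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2005:02:15:40 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2005:02:16:02 +0000] "POST /admin/upload.php HTTP/1.1" 200 84 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Oct/2005:02:20:11 +0000] "GET /forum/viewtopic.php?t=9 HTTP/1.1" 200 7711 "-" "Mozilla/4.0"
198.51.100.23 - - [13/Oct/2005:21:03:55 +0000] "POST /admin/upload.php HTTP/1.1" 200 84 "-" "Mozilla/4.0"
"""

# Constructed provider lease table: (ip, subscriber, lease_start, lease_end).
# 198.51.100.23 is reassigned from subscriber-A to subscriber-B on the 12th.
LEASES = [
    ("198.51.100.23", "subscriber-A", "2005-10-11T18:00:00+00:00", "2005-10-12T18:00:00+00:00"),
    ("198.51.100.23", "subscriber-B", "2005-10-12T18:00:00+00:00", "2005-10-14T18:00:00+00:00"),
    ("203.0.113.7",   "subscriber-C", "2005-10-10T00:00:00+00:00", "2005-10-20T00:00:00+00:00"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts with aware datetimes."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return rows


def admin_hits(rows, admin_prefix="/admin/"):
    """Keep only requests to the (assumed) administrative path."""
    return [r for r in rows if r["path"].startswith(admin_prefix)]


def attribute(hits, leases):
    """Map each hit to the subscriber holding that IP at that instant.

    A lease matches only if lease_start <= request time < lease_end;
    an IP with no covering lease yields None rather than a guess.
    """
    parsed = [(ip, who, datetime.fromisoformat(a), datetime.fromisoformat(b))
              for ip, who, a, b in leases]
    out = []
    for h in hits:
        who = [s for ip, s, a, b in parsed if ip == h["ip"] and a <= h["ts"] < b]
        out.append((h["ts"].isoformat(), h["ip"], h["path"], who[0] if who else None))
    return out


def subscribers_of_interest(attributed):
    """Count administrative requests per attributed subscriber."""
    counts = {}
    for _, _, _, who in attributed:
        if who is not None:
            counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    hits = admin_hits(parse_log(ACCESS_LOG))
    for row in attribute(hits, LEASES):
        print(row)
    print(subscribers_of_interest(attribute(hits, LEASES)))
```

Run as-is it attributes the two 12 October admin requests to subscriber-A and the 13 October one to subscriber-B, even though all three came from the same address. Matching on the address alone would have lumped them together, which is exactly the kind of error that sends a raid to the wrong door.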

Of course, it need not have been that simple, and it probably wasn't. If I were setting this up, I would have had the site available for administration via secure login from any internet connection. I'd have an ever-changing list of people with high speed Internet connections who were willing to do uploads at a moment's notice. I'd do all propaganda/media editing on a non-networked laptop. When I had something to post, I'd dump it on an iPod (if it was big) or a USB memory stick if it was small, then give it to a courier with one of the addresses from the list. Set up a one-time login for that file and bingo. Change locations. Repeat. Recipient gets to keep the portable device as "payment."

I don't know how you catch me under that scenario, other than getting phenomenally lucky. But, as we're not given any real information, we have no idea as to the terrorists' security precautions or lack thereof.

So kudos again to our wonderful forces in Iraq. Maybe this was just a nice moral victory - a way to make them shut their yaps for a while. Or maybe we now have the goods on a whole lot of bad people.
