Sean Penn's Opsec

This article talks about the opsec used by Sean Penn surrounding his meeting with El Chapo.

Security experts say there aren't enough public details to fully analyze Penn's operational security (opsec). But they described the paragraph above as "incomprehensible" and "gibberish." Let's try to break it down:

  • Penn describes using "TracPhones," by which he likely means TracFones, which are cheap phones that take calling cards so they're not linked to a credit card or account. They're often called burners, but you don't actually throw it in the trash after a call; instead you might swap out the SIM card or use different calling cards for different people. Hollywood loves these! Katie Holmes reportedly used one to plan her divorce from Tom Cruise. They're a reasonable security measure, but it still creates phone records that live with, and can be requested from, cell phone carriers.

  • Penn says he "mirror[ed] through Blackphones," which are relatively expensive phones sold by Silent Circle that offer a more secure operating system than a typical off-the-shelf phone. It runs Internet through a VPN (to shield the user's IP address and encrypt their Web traffic) and end-to-end encrypts calls and messages sent to other Blackphones. Unlike with the TracFone, Penn would have a credit card tied to the account on this phone. It's unclear what Penn means when he says he "mirrored" through the phone; the phrase "mirrored" typically means to duplicate something. As he wrote it, it sounds like he duplicated messages on the secure Blackphone that were being sent some other, potentially less secure, way, which would be dumb, if true. "I'm not sure what he means." said Silent Circle CEO Mike Janke via email. "It's a strange term and most likely he doesn't know what he is saying."

  • Penn says he used "anonymous" email addresses and that he and his companions accessed messages left as drafts in a shared email account. That likely means the emails were stored unencrypted, a bad security practice. If he were sharing the account with a person using an IP address that was the target of an investigation, i.e. any IP address associated with El Chapo's crew, then all messages shared this way would be monitored. For the record, that did not work out very well for former CIA director David Petraeus, who used draft messages to communicate with his mistress and got busted when her IP address was targeted in an online harassment investigation.

  • Elsewhere in the article, Penn says Guzman corresponded with Mexican actress Kate del Castillo via BBMs (Blackberry messages). Those only have unique end-to-end encryption if a user has opted for BBM Protected. Law enforcement has been able to intercept BBMs in the past. And Mexican officials have told the media that they were monitoring del Castillo for months, following a meeting she had last summer with El Chapo's lawyers, before she had reached out to Penn. Law enforcement even reportedly got photos of Penn's arrival at the airport in Mexico.

  • In the most impressive operational, if not personal, security on display, Sean Penn says that when he traveled to Mexico, he left all of his electronics in Los Angeles, knowing that El Chapo's crew would force him to leave them behind.

There has been lots of speculation about whether this was enough, or whether Mexican officials tracked El Chapo down because of his meeting with Penn.

Posted on January 14, 2016 at 6:32 AM • 55 Comments

Comments

WinterJanuary 14, 2016 6:43 AM

About the term mirrored.

If I want to make sense of it it might be an arrangement where one person calls a certain number where the call is somehow (acoustically?) passed through a Blackphone to the recipient.

I have no idea whether that could be organized in a way that would increase security.

.January 14, 2016 6:47 AM

They were already tracking him before the meeting. They had one a phone tapped for one of his guys.

RamriotJanuary 14, 2016 7:26 AM

They are right that much of the articles Opsec does not make immediate sense. But the Sean is a self admitted tech Luddite.

Parsing what was written in the best light there are some reasonable Opsec actions there.

1/ Tracfones: purchased for cash and topped up the same way can work for anonymity, provided all communicators use same practice and never call or recieve calls from targeted devices. Because unless all a nations metadata is processed for small world rings there is no way to sift out those in the ring from normal traffic. Though swapping SIM's does not substantially improve things as phones have codes too.

2/ Email drafts, are actually a reasonable precaution for anonymity provided they are accessed over HTTPS and both parties can ensure no MITM or third party that knows the email address. It would still be better for security to also only put pre-encrypted messages up but that may be asking a lot from Sean.

3/ Black phone mirroring I think is where Sean and Kate discuss with only each other what happens using the other two methods, which are used to communicate to the Mexicans. That way even though their metadata indicates they are communicating the subject is unknown due to strong encryption. But is the top two modes were identified the combined metadata can be used to make inferences.

4/ BBN messaging: do we know they were not opting for E2E security? Seems reasonable from everything else that they would be.

All that said, it may not have helped if LEO were following Kate and then Sean as good police work often makes useless the best Opsec. Though in this case I think the leak that resulted in capture was not Sean or Kate.

Although primed by the interest in following them it was perhaps a single Opsec mistake on the other side of turning on a phone to take the handshake photo and then forgetting to either turn it off or put it in Airline mode, resulting in a momentary long range fix being obtained.

Bob PaddockJanuary 14, 2016 7:37 AM

"Penn would have a credit card tied to the account"

Go to AAA or someplace else that sells them that doesn't care about ID and get a prepaid card. I use those any time I have to deal with sites with questionable security and/or ethics like Facebook or Amazon Fire Online Store (that card was compromised within a week there even tho it was only used to set up the account and never to buy anything).

Tip learned from experience: NEVER BUY ONE OF THESE CARDS WITH AN OTHER REAL CREDIT CARD.
Security issues aside, that is treated as a cash advance and the interest starts to compound by the minute. :-( ALWAYS use check or cash (obviously if security is the issue) to buy prepaid cards.


Burner phone failJanuary 14, 2016 7:46 AM

In addition to OPSEC problems outlined, Bad Boy Bruce has already pointed out that burner phones are easily traced to persons of interest.

Burner phones, for both CDMA (US Sprint, US Verizon Wireless) and GSM (Ever other carrier network in the world), are easy to trace. Carriers specifically segregate burner/prepaid traffic from normal subscriber traffic. Yes, this is primarily used to control which type of traffic should receive priority, but it’s used by LEOs to easily identify network traffic used by targets.


Bruce Schneier recently commented on what the NSA is actively doing in regards to burner phones. In a recent lawsuit between the NSA and the EFF, the court documents show that one of the ways the US keeps track of burner traffic, is by fingerprinting the number of unique contacts, and the times of the calls. With this information, it’s much easier to keep track of whose phone is whose.

Therefore, we can assume the NSA wanted to prove they were better at tracking cartel leaders who have fallen out of favor with the CIA (in the 'War on Some Drugs'), than the spaced-out Hollywood glitterati. They simply must justify the huge expenditure for the military welfare state from time to time.

ianfJanuary 14, 2016 8:00 AM


@ B, as, unlike the amateur Sean Penn, you OBVIOUSLY must be a seasoned professional OPSEC practitioner, so tell us ?‍how‍? you would have gone about arranging a guaranteed "LEO-impervious," undetectable meeting with a high-profile fugitive (that doesn't involve telepathy or magic). Don't bogart that joint my'friend…

[If no response, then you could be a windbag].

willmoreJanuary 14, 2016 9:09 AM

WRT moving SIMs from phone to phone as some security measure, that doesn't make sense.

When a GSM phone access the network, both the IMSI (the ID in the SIM) and the IMEI (the ID in the phone) are transmitted. They are also recorded in the CDR (Call Data Records) of the network equipment.

If you move a SIM from one phone to another, all you are doing is changing the IMEI of any network interaction you have. The IMSI from the SIM will be the same and provide an easy means of persistant tracking.

If you want security from burners, you have to:
1) use a burner on both sides of the call
2) only use them in pairs (only A can call B and vise-a-versa, no calling C or taking calls from C allowed)
3) Burn the IMSI/IMEI as a pair--throw them both away as reuse of either will ease tracking
4) limit the time frame during which the burner pair is used
5) turn the device off (take out the battery) when you are not communicating

There are other things you can do with directional antennas to make triangulation harder, but, for the phone to work, you have to talk to a cell tower and the location of that tower is part of the call record.

Bruce, would you be interested in a blog post about what all data gets logged in CDRs? When people talk about 'call metadata', they don't seem to be aware of the wealth of data that's actualy in CDRs.

A definite windbagJanuary 14, 2016 9:13 AM

I know this doesn't strictly relate to security issues, but I think it is worth putting this whole cartel drama / stage-play into a broader context. Particularly since numerous sources point out the involvement of US intelligence / DEA / Delta Force in this particular raid.

1. We know the feds constantly link the War on Drugs with the War on Terrorism. However, it is well-documented that US agencies and interventions (CIA in particular) have a long history in this area e.g. US connection with French mafia re: heroin smuggling (the French Connection in the 60s), Golden Triangle & opium during the Vietnam War (apparently going through US bases), Afghanistan & poppies during the war with the Russians etc.

So, they can't have it both ways. If they want to use drug profits for black ops, a pretext for US military interventions, and to allow funding support for their chosen rebels in each decade, then they need to own it.

2. If drugs were legalised and controlled, research suggests harm to society would be greatly diminished in terms of usage, health outcomes, imprisonment of millions on possession charges etc. You only need to look to the outcomes of Portugal, the US after prohibition of alcohol was removed, the abstract of various RAND reports and so on.

Clearly the demonisation of drugs is about social control of the lower classes, who are deemed to be superfluous in the failing economy. Plus, it gives a large boost in the arm to the privatised prisons and general Police/Surveillance State policies.

Coming back to our friend El Chapo, if coke is such a problem, then just like tobacco we should tackle it effectively via education, prevention and rehabilitation instead of terrorising the nation and empowering scumbags.

Three ex-presidents in Mexico have stated that criminalization of drugs is the problem, with legalization and regulation being the obvious answer.

3. A very large portion of drug profits are laundered (necessarily) through the transnational banking system - think back to HSBC and the billions they assisted the Mexican cartels with over the years.

Nobody claimed HSBC suits were 'terrorists'. Not a single indictment. Funny that. God only knows what untold billions flows through the system every year enriching the financial elite and end up in tax havens.

The US govt might consider taking on the captured financial institutions that regularly have terrorists from friendly nations as clients. Otherwise the hoi polloi might get the mistaken idea that there is a different set of rules for the 1%...

4. The vast majority of arms for the Mexican cartels come from the US, which is the world's largest arms exporter by far. Consider also that the Feds have been busted before for military-grade arms making their way into the hands of the cartels (see "The Fast and Furious" scandal with the ATF for instance).

If they really care about violent cartels, they might consider cutting off arms exports as part of the solution.

5. Police actions, out of state actions, and a bloated military / DEA / Homeland apparatus gets even more obese in the never-ending War on Drugs. Since this is very costly economically and socially, while poor people starve in major cities, it is hardly justified.

Drugs have never been cheaper, more accessible or this pure. Clearly the war has failed on any objective measure and will never achieve its stated goal. Indeed, El Chapo was probably replaced by the time he poked his little rat-face out of the sewers in his short-lived getaway.

In summary, the technical details of how El Chapo was captured are interesting to ponder. But, the capture of cartel leaders are small fry when juxtaposed with obvious pretexts for counter-insurgency operations, drug policy impacts for power centers & the financial elite, a never-ending erosion of civil liberties, US trade in deadly weapons, and the obvious nexus between the funding source of terrorists (friend or foe) and the 'War on Some Drugs'.

You may now return to your standard security programming... we apologize for the interruption.

BestOPSEC?January 14, 2016 9:22 AM

It's really interesting to hear what Penn might have done wrong. And the article he wrote about it was hilariously bad.

However, it may be a great blog post to go through this scenario and outline, step-by-step, the most secure way of doing what Penn did.

If a "security expert" were to do this, how would it be done with the tech and situations we have in January 2016? From start to finish?

(I would also hope the security expert can write a magazine article better than Penn did, leaving out the sophomoric prose. Bruce certainly could.)

ianfJanuary 14, 2016 9:26 AM


@ Winter […] mirrored… might be an arrangement where one person calls a certain number where the call is somehow (acoustically?) passed through a Blackphone to the recipient.

Mirroring alludes to duplication, so I'd call your description "tunneled." In some spy/ kidnapping thrillers of the past there were such scenes, where a call placed to a landline ended up in an empty room with one telephone feeding audio OTA to another handset. It wasn't v. realistic because the receiving unit would have had to "lift the receiver" first, and because open but silent landlines usually went offline after some minutes.

Far more realistic was a scene in one of 3rd season episodes of the BBC "Coupling" sitcom, where two handsets were manually placed in a "69" position, so the callers could flirt with one another.


Re: Sean Penn's use of TracFones… I bet he got the idea from “The Wire,” where a drug gang handyman drives around Baltimore buying up such burner phones 2 at a time (but then his GF bitches about getting some Chinese chow, so BF buys 8 of them in one place, and that's how the police later latch onto the gang's comms method). Wonder if Sean Penn also went for a drive around Baltimore for greater authenticity? (the Method Actor method)

willmoreJanuary 14, 2016 9:34 AM

@Ianf. The phone line to phone line device you're thinking of is called a 'cheese box'.

ianfJanuary 14, 2016 10:26 AM


@ willmore

I told of a movie device (=a narrative method), not of some physical phreaking boxes that would not have worked out on the silver screen without at least a flux capacitor doodah (since everybody now intuitively knows what these are good for).

[lowercase] ianf

Robert WallaceJanuary 14, 2016 10:27 AM

Here's one treatment on basic OPSEC that seems to have slipped through the cracks:

"Don't Believe the Hype: Encryption Isn't Enough to Protect Our Privacy," AlterNet, February 26, 2015.

Repeats several points made above by Willmore.

milkshakeJanuary 14, 2016 10:47 AM

IMHO the Sean's Penn bumbling approach was used to mask the actual source of information - there was just too much heat after El Chapo second escape, and his two flamboyant sons are reportedly useless at running things - so this would make a perfect time for cartel leadership change. Someone able who keeps low profile, not pursuing a biopic with a telenovela starlet...

rJanuary 14, 2016 11:38 AM

what i think is funny about this: if there are/were identifiable security blunders people may be signing mr. penn's death warrant.

BearJanuary 14, 2016 1:12 PM


Even if you can do good opsec, most of the time it's not something you should be doing. I use a very consistent routine and set of channels for all my routine communications. When and as the guys with the expensive sunglasses and cheap shoes want to know what I'm saying and doing, they know exactly where to look. What IP address, what MAC, what ISP, all my mail metadata, etc. That's just plain open, and aside from the occasional encrypted email and ordinary https connections, it's all plaintext.

Of course, that's when I'm *NOT* arranging meetings with heavily monitored foreigners who are on the wrong side of lots of law-enforcement and intelligence activity.

The objective is that my behavior online for routine operations gives absolutely no clue how I handle things that require genuine security.

That said, thrift stores are your friend. Old second-hand film cameras can take that handshake image and don't have GPS locators or transceivers in them. Shaving mirrors, sunlight, and Morse code are a much more secure channel for low-bandwidth communication over a couple of miles than anything with a SIM card. If you can do something in a way that doesn't involve electronics, do it in a way that doesn't involve electronics. Sneakernet (as extended by dead drops or couriers) has acceptably high bandwidth for most purposes given a little patience with the logistics. Instead of trying to find a way to use the Internet without being tracked, it's more fruitful in terms of OpSec to find a way to NOT USE THE INTERNET.

milkshakeJanuary 14, 2016 1:41 PM

@r : The strange fawning tone of the interview with regard to El Chapo sons and the strenuous attempts to explain how he took precautions (while their cartel escort seemed much more relaxed about the op security) suggests that Sean Penn is pretty nervous.

Anonymous CowJanuary 14, 2016 1:51 PM

1) TracPhones can be reloaded by credit/debit card. Better opsec is to buy a gift card and use that for reload, assuming the gift card does not require it's own registration/activation whereby you have to provide PII (I've encountered that).

2) Many stores in my area will not accept credit cards for buying any airtime card, not just TracPhone.

3) A TracPhone phone does not work out of the box until you either call or go online and register, including providing name and address info. And said phone activation is not instant, it can take several hours (I have personal experience).

wumpusJanuary 14, 2016 2:18 PM

Quick question: could Hollywood stars have better opsec than armchair security types? Could they have better opsec than real pros?

Consider the paparazzi, while the word on Hollywood may well be "the only worse than being talked about is not being talked about", I'm sure many stars are sick to death of paparazzi (didn't Sean Penn punch one out? It may be the only thing I remember about him until this interview). The thing about paparazzi is that they provide instant feedback the moment you make a mistake (well nearly instant, unless twitter is paying for tweets). Of course "D-list" and lower (and Sean must have been in this group for decades) may well think that their methods are finally working. I wouldn't be surprised if there is real understanding of opsec in the Hollywood elite.

Tony SchwatyzJanuary 14, 2016 2:49 PM

I am not a conspiracy theorist though I see nothing wrong with it. When two or more people gather and believe the same thing - IT is a conspiracy. I am talking more in the popularized sense though. I believe in what facts & common sense tell me. Sean Penn had little or nothing to do with this. Who gives a sh*t about some irrelevant actor? Well every American does and some security experts it seems? If you can add Hollywood names, games or DRAMA to an event the public and planet seem to love it. Look "EL CHAP" worked for and with the CIA. Give me and yourselves a break. OPsec my ***

AnonJanuary 14, 2016 3:19 PM

We're assuming Penn practised good OpSec, and wasn't followed, but what if he actually was, and they waited until after the meet to apprehend El Chapo to hide who led them there (unknowingly or otherwise)?

Basic fact: some guy from Hollywood gets a 7-hour face-to-face with a guy the US can't find, but has been looking extremely hard (as far as we know).

Either: Penn and whoever else are awesome at OpSec, or they really aren't, and everyone has been duped.

Maybe Penn stumbling over his explanations of how he did it is to hide how competent he really is?

Not everything is as it seems.

BoppingAroundJanuary 14, 2016 3:27 PM

wumpus,
> could Hollywood stars have better opsec than armchair security types?

They could. I suppose it is easier to arrange if one has loads of money to blow on mailboxes, ghost addresses, the so-called privacy consultants etc. Theoretically they could. Practically it would probably boil down to personal discipline first and foremost.

DanielJanuary 14, 2016 4:41 PM

The biggest problem with a burner phone is not the means of payment. The biggest problem with a burner phone is the fact that all purchases of phones and gift cards are going to be recorded by the video camera at the store in which they are purchased. It's true enough that that this alone does not reveal all one's PII but in the case of Penn, whose visage is well-known, it would be easy enough to tell he was up to something even if one didn't know precisely what and then put a tail on him or intercept his other communications to find out what was going on.

So in my view the dumb thing was not the fact that Penn was a "tecno luddite". The problem was that they went with a celebrity whose actions by definition were going to be closely monitored. I can easily see a scenario where a member of the paparazzi tipped off the local LEA who tipped off the FBI who tipped off their Mexican counterparts. They didn't even have to know that Penn would lead them to Guzman. All they had to do was figure out that something was going down and tail him to find out what it was. That's probably why Guzman got away the first time...the LEA could have been as unprepared to find him as he was to find them.


L. W. SmileyJanuary 14, 2016 5:57 PM

@Bob Paddock

As for cash purchases of Tracfones etc recall the California "hoax" kidnapping, see

https://www.schneier.com/blog/archives/2015/07/bizarre_high-te.html

"The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe."

POS is generally under video surveillance with time, and s/n and p/n of electronic items. It's evidence, even if your name is not attached, and if they catch a straw purchaser/cut out instead, how long before they give you up?

Add facial recognition to video surveillance for marketing / law enforcement purposes...
Licence plate readers roaming about and at every traffic light...

Just how do you guarantee an untraceable purchase?

SpartanusJanuary 14, 2016 5:59 PM

Well, so then is Sean Penn going to get the 5 million dollar reward "for infromation leading to the arrest and conviction of" El Chapo? :)

Tony H.January 14, 2016 6:20 PM

@Bear
"That said, thrift stores are your friend. Old second-hand film cameras can take that handshake image and don't have GPS locators or transceivers in them."

But just as using encryption makes you stand out of the crowd, surely in 2016 buying film and having it developed will make you stick out even more. Hey, maybe you can develop it yourself. Of course arty photography as a hobby has been used as a cover for buying drug precursors for years, so the DEA et al are already all over that. Maybe cardboard pinhole cameras and homemade gelatin plates... And how much will that stuff make you stand out?

GodelJanuary 14, 2016 6:57 PM

I suspect that the Mexican Feds were told of El Chapo's infatuation with the TV Soap star by someone within his organization, and were surveiling her and tapping her comms from early in the piece.

If you've been positively identified then it doesn't really matter how good your Opsec is from then on, they've already got you.

Dirk PraetJanuary 14, 2016 8:04 PM

@ Godel

I suspect that the Mexican Feds were told of El Chapo's infatuation with the TV Soap star by someone within his organization, and were surveiling her and tapping her comms from early in the piece.

I wouldn't be surprised that he was ratted out by someone from within the organisation and that the entire Sean Penn story is nothing more than a very elaborate but highly convenient case of parallel reconstruction.

gkJanuary 14, 2016 9:36 PM

I wonder if the Blackphone mirroring could involve buying a TracFone and mirroring the IMEI to a Blackphone so you could get Blackphone security with anonymous TracFone service. Most Android devices make it rather easy to modify radio/baseband firmware and change IMEI.

Nick PJanuary 14, 2016 10:58 PM

@ AnonymousCow

"A TracPhone phone does not work out of the box until you either call or go online and register, including providing name and address info. "

I recall Net10 allowed anonymous signup back when I looked into this. Not sure if it still does.

@ Robert Wallace

Thanks for the link mainly for the article on Sarah Harrison. So weird that I haven't heard of her before in any detail. Amazing lady. Article itself is good referencing carriers and private radio networks already used to dodge law enforcement. Such things can't be referenced enough given the backdoor debate: they nullify the claim those will stop any group that's a serious threat. We know from experience they'll work around it with their own tech or just people.

@ Daniel

" The biggest problem with a burner phone is the fact that all purchases of phones and gift cards are going to be recorded by the video camera at the store in which they are purchased"

Good catch. That's exactly why you get the hood or high school kids to buy them. ;)

@ All

The other thing to remember is that burner phones won't secure you against an NSA style threat entirely. They work with phone companies on call logs. Phone companies themselves have enough visibility to spot burners and cell OPSEC. Hint: they're the ones turning on and off regularly in certain areas for certain conversations. It's like a red flag of its own.

Probably easier to hide in messaging or Internet services these days that aren't what they seem. I always advocated hiding them behind HTTPS or something common. Covert channels in the packets either send the real message or activate special handling of the data. Can have a secure device sitting on the line in front of the main clients and servers doing this without advertising its presence.

65535January 14, 2016 11:47 PM

For an uninformed perspective the first major OpSec blunder was talking with Sean Penn:

“I tell him, up front, that I had a family member who worked with the Drug Enforcement Agency…” -Penn

http://www.rollingstone.com/culture/features/el-chapo-speaks-20160109

I cannot image the DEA not being interested in one of their employees kin who is a high profile star and possibly a “partier” …cough Hollywood coke parties. Penn could have been a courier if he was not so wealthly. Why not put him under surveillance?

Speaking of couriers, Kate del Castillo supposedly got a video of Guzman via a courier. It would appear she know the courier business or has no qualms about it.

@ Anon

Either: Penn and whoever else are awesome at OpSec, or they really aren't, and everyone has been duped.

I agree.

@ Spartanus

“Well, so then is Sean Penn going to get the 5 million dollar reward "for infromation leading to the arrest and conviction of" El Chapo?”

That is an interesting question. The “DEA relative” of Mr. Penn could probably use the big bust to polish his career.

Next, to the Blackberry.

@ Rory Byrne

Your post is well though out. Contrary to what Silent Circle says it is clear that the DEA had the Blackberries sets under surveillance.

See article with transcripts of conversation [it is in Spanish. I am sure this crowd can translate it]:

http://www.milenio.com/policia/chapor_armas-captura_chapo-cartas_kate_chapo_sean_penn_0_663534049.html

So much for BlackBerry security in the USA.

Now, to the TacFone issue.

@ Anonymous Cow

“A TracPhone phone does not work out of the box until you either call or go online and register, including providing name and address info. And said phone activation is not instant, it can take several hours (I have personal experience).”

How true it is.

@ Daniel

“the fact that all purchases of phones and gift cards are going to be recorded by the video camera at the store in which they are purchased.”

Yes. Almost every major retailer has a camera on the till and who uses it. The purchase is recorded.

@ L. W. Smiley

"The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer…”

On target so to speak.

See:
https://www.schneier.com/blog/archives/2015/07/bizarre_high-te.html

@ willmore

“When a GSM phone access the network, both the IMSI (the ID in the SIM) and the IMEI (the ID in the phone) are transmitted. They are also recorded in the CDR (Call Data Records) of the network equipment.”

Spot on. These and other numbers have to be recorded for billing or reduction in “minutes” on a Mobile phone with only a card balance. Further, some countries cannot be reached by using a TracFone without a real debit/credit card attached to it [The calls may exceed the balance on the handset].

There is probably a way to use a pre-paid land line setup to call those countries that cannot be reached by TracFone. But, that would probably blow your Opsec via an address or billing statement [which is eventually be paid by bank account].

@ A definite windbag

“We know the feds constantly link the War on Drugs with the War on Terrorism.”

How true. Worse, the Feds then hid arrest evidence under the guise of “National Security.”

As for the legalization of drugs issue that is difficult because of the large numbers of people who are in the game. Those in the drug game are not only the Drug cartels, the users, the DEA, the police, but lawyers, judges, corporate prisons and so on.

The biggest leap in the War on drugs is the 1970 Controlled Substance Act signed by Nixon.

In that Act is a schedule list. It ranges from One to Six or I to VI. With Schedule I drugs being the most dangerous and Schedule 6 being least. Yet, many people would say that the least hazardous drug is pot. It is still mixed in with Heroin and LSD. That seems to give the Feds a foot hold into a minor vice crime. If I were an advocate of deescalating the War on Drugs I would move pot down into the Schedule 2 or 3 range [Ethical drug range]. It should really be an individual state issue.

“Marijuana and its cannabinoids. Pure (–)-trans-Δ9-tetrahydrocannabinol is also listed in Schedule III for limited uses, under the trademark Marinol. Ballot measures in several states such as Colorado, Washington, Oregon and others have made allowances for recreational and medical use of marijuana and/or have decriminalized possession of small amounts of marijuana – such measures operate only on state laws, and have no effect on Federal law. Despite such ballot measures, and multiple studies showing medicinal benefits, marijuana nevertheless remains on Schedule I, effective across all U.S. states and territories.” Wikipedia

[and]

“Moreover, it is illegal, and indeed a Class 1 federal felony, even to conduct any otherwise legitimate scientific research of any kind on Schedule I substances.”- Wikipedia

https://en.wikipedia.org/wiki/Controlled_Substances_Act

If I were interested in deescalating the War on Drugs I would first start with the Controlled Substance Act its schedules and adjust them downwards. Next, I would work on the actual criminal penalties that apply to said lists.

I doubt that will happen anytime soon because of the number of actors involved in the Drug War Game.

Wanting a Kneading DictionaryJanuary 15, 2016 2:48 AM

@ A definite windbag

So, they can't have it both ways. If they want to use drug profits for black ops, a pretext for US military interventions, and to allow funding support for their chosen rebels in each decade, then they need to own it.

It's very cute that you think you understand what they need.

Clive RobinsonJanuary 15, 2016 6:19 AM

@ Wumpus,

After various celebs got their "personal" iPhones etc hacked, I suspect that those who could think or had publicity agents that could think, got a better class of OpSec fairly quickly.

@ ALL,

Which brings me to that "paragraph" that is apparently causing security experts so much difficulty... Perhaps they should read it point by point in reverse order, it kind of makes more sense if you do [1],

>My head is swimming, labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy, balancing levels of encryption, mirroring through Blackphones, anonymous e-mail addresses, unsent messages accessed in draft form. It’s a clandestine horror show for the single most technologically illiterate man left standing. At 55 years old, I’ve never learned to use a laptop.

What do,

1, I've never learned to use a laptop.
2, [I'm] the single most technologicalky illiterate man left standing.

Tell you?

Simple he is not in the driving seat on this and that he almost certainly is not going to use terms in a domain specific way.

But also he is probably not "touching the tech" he's got the equivalent of a personal secretary etc to do that. This is afterall the way it has been done since ancient times untill the early 1990's. The boss would dictate, the scribe/secretary would make it look nice etc etc.

So backwards and upwards,

3, unsent messages accessed in draft form.

There is nothing particularly wrong with this provided you know what you are doing.

Firstly and importantly "don't use plain text". Secondly don't use widely geographicaly seperated IP addresses for sender and recipient, unless you are both using a "known" VPN / Tor / mixnet node to stop the email service supplier detecting you appear to be in two or more widely different places. Google for instance has been known to cause problems if they see widely dispersed connect points. Thirdly the account needs real or real appearing traffic going through it in both send and receive for some months befor an operation and afterwards so it does not stand out like the proverbial "boil on a pigs bum" (one way to do this is to become a user of "mail lists"). There are several other things to do but you should have the general idea. But if as I suspect this is being done for him by a scribe/secretary then he would not be hence the way it reads.

As for,

4, anonymous e-mail addresses

If he is a inexperienced with the ways of the likes of major web based e-mail services, then the addresses would look nonsensical, anonymous or not. So there is not much percentage arguing over a meaning for this.

5, mirroring through blackphones

Don't think of "mirroring" in a technical way think in a much more ordibary way which would be akin to "reflecting" or "bouncing". Or in more technical terms "relaying through a switching point".

So you would use a pair of "burner" phones as the first step in the link. At the first node the "opperator" reads the message off the burner and types it into the Blackphone to send it out of country to the second Blackphone who's operator reads the message off and then forwards to the appropriate recipient. This importantly means that no international or long distance charges get put on the first burner phone thus avoiding attention and payment issues. Also the first and second nodes have a high degree of mobility making tracking difficult and expensive for an agency.

Back in the day the likes of Mossad used switching centers and the like to bounce messages around the globe. It's a technique that works, pluss if done correctly gives issolation as "getting a node" will not alow you to go any further.

6, balancing levels of encryption

Now this is where it gets interesting, and defiantly indicates he had a team working for him.

As most readers are aware there are "types" of encryption and "modes" of encryption, but "levels" indicates a less common approach these days.

There are "codes" and "ciphers", in times past a message would be coded with the addition of message identifiers. Then it would have routing information added before it was "super enciphered" then key and other identifiers would be added before it was sent, where it might additionaly be enciphered by link encryption. This was often explained as "levels of encrption".

Most people not involved with traffic level activities where the use of computers and their applications is either not allowed or not possible don't tend to think about this "old school" behaviour and it's pros and cons.

A "code book" serves two purposes one is "message compression" another is as a form of "substitution cipher" which uses unknown length plaintext as input and fixed length --often numeric-- codes. The down side of code books is what do you do with words, names, phrases and other data not in the code book. The usuall solution is to spell them out in some way, which has disadvantages. A better way is to have an "adaptive code book" these work in a similar way to some compression algorithms where the new data gets sent once and has a "spare code" appended to it, which is then entered into both code books at either end of the link.

An adaptive code book can get very high compretion ratios if used properly and thus an SMS when suitably coded could contain the equivalent of a sentance for every 2 or three char code.

This can be done by a well trained scribe / secretary who puts what the boss said into a standard form before coding (almost the same as "short hand" of days gone by). If you are used to using such systems when super enciphered correctly they will be a match if not beat many modern systems.

It's certainly a "low tech" "pencil and paper" way of communicating various people are still taught to use even these days.

7, labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy

Asside from the possible "lost in translation" on "TracPhones" which could have been due to dictation, word pro spell checker or even the magazines sub-Ed etc the rest is correct.

When it comes to "burner phones" you do have "one per person per time interval" and when that interval is up, if you are wise you do indeed "destroy and burn" with a hammer and a use once picnic barbeque and it you can get hold of it "coal or coke" where the burn tenprature can be up in the 1200C range.

As for "buy" yes you buy them one at a time, preferably second hand in the area you are to use it. Then you move to an entirely different area for the next one.

As I've indicated befor those in certain types of crime in London own or have good relations with "second hand phone" stalls. The crook borrows a phone uses it for just a couple of messages and then it's back on that or another stall somewhere else 24hours later to be sold on to some unsuspecting person.

8, My head is swimming

Yup clear indicator he's very new to the game, and thus probably had a support team doing it for him.

If I was a betting man it was not the communications side of things that gave the location away, but something else.

The question you should ask is "why did they meet where they did", almost rule number one is "don't mess on your own doorstep" it's not wise for anything even mildly illicit like a one night stand, and realy ill advised when you are a big time fugitive...

And if not the comms "who gave the location away" that is the Five Million Dollar question, and if you were the smart person picking that money up or getting rid of the boss man, then you would have prepared several different "scape goats" after all it's not just your life on the line, it's also the rather unplesant way you would probably lose it...

[1] The same is true for quite a few posts on this blog over the years. That is non experianced narrators tend to put what they think is important first, when in fact they should be putting what they see as the least important first as it leads an unknown reader in, in a way they can best understand.

JonJanuary 15, 2016 7:17 AM

As an aside in. re. the CIA, it's not that espionage is indistinguishable from organized crime - Espionage IS organized crime.

J.

ianfJanuary 15, 2016 7:48 AM


Tsk, tsk Jon, you know full well that the espionage that we get to hear about is closer to disorganized than organized crime. Or perhaps activity, since it is sanctioned by at least the initiating state-party.

Nick PJanuary 15, 2016 12:19 PM

@ Clive Robinson

"3, unsent messages accessed in draft form.

There is nothing particularly wrong with this provided you know what you are doing."

I thought NSA specifically looks for this since some terrorists did it once. It's also been in at least one movie. I wouldn't trust it. Better off logging into a website whose address and publicly-visible functionality *looked* like email, normally sent email, and had covert pub-sub mechanism.

JonJanuary 15, 2016 5:20 PM

Indeed, @ianf, the operative phrase there being "that we get to hear about". Akin to the stereotype of all criminals being stupid, there's just a little selection bias in there - Smart thugs don't get caught.

And whether any activity is sponsored or authorized by some authority is entirely irrelevant if that authority has no authority over where the activity was taking place. Jurisdiction matters.

Did that sentence make any sense to anyone else? Annnyhow... It should surprise nobody that the CIA and the Mafia are more alike than different.

J.

big alJanuary 15, 2016 7:31 PM

I have grown to respect Sean Penn.

I sense he is trying to actually do something good.

JonJanuary 15, 2016 8:26 PM

I will grant Mr. Penn points for trying. But he sucks at it.

I sit here in my armchair and criticize him while he actually goes out, finds people, writes about them, while I just occasionally lift my thigh enough to fart, but he's not very good at what he is trying to do.

His opsec is atrocious. His understanding of the technology involved is, by his own admission, nil. His writing is abyssmal. There must be nice people propping him up or he would fall down the first flight of stairs.

What he needs is a ruthless editor. Someone who can tell him, "No" and make it stick. That is what he does not have - nobody's really told him 'no' since he acquired fame, and as a result he's not learned a darn thing, despite moving into careers beyond acting, and until someone does, he never will.

I criticize not because I can do better, but because I know there are people out there who can, and do, do better on a regular basis. I am not a journalist - I am a couch potato. But I have seen things written by journalists, and I have seen things written by Sean Penn, and with all due respect to him for effort, he is not (yet) a journalist. Perhaps with time he could be.

Jon

65535January 15, 2016 8:36 PM

@ Nick P

"3, unsent messages accessed in draft form…” –Clive

“I thought NSA specifically looks for this since some terrorists did it once. It's also been in at least one movie.” – Nick P

I think Nick P is correct. As I understand it, when using “Web email” you are essentially going to corporate website and logging on to their server somewhat a thin client setup would do. Hence, when type a draft or unsent email or sms into end point device the corporate server records it – but doesn’t send it to the web emailbox or different email provider [this unlike POP3 or IMAP4]. Thus, if the corporate email server is in the 5eyes jurisdiction your mail will probably be read.

Granted I could be wrong since I only work with Exchange, but both Gmail and Exchange allow for the use of POP3 and IMAP4 but most setups use the standard webmail.

@ Clive


“So you would use a pair of "burner" phones as the first step in the link. At the first node the "opperator" reads the message off the burner and types it into the Blackphone to send it out of country to the second Blackphone who's operator reads the message off and then forwards to the appropriate recipient.”

This sounds good in theory, but the last time I looked into Blackberry Business services one had to “signup with Blackberry” giving away billing information.

And, it appeared that Blackberry wanted to have access to your Kerberos service or similar authentication services [this is just from memory – don’t hold me to it]. In short your are still blowing your OpSec by giving out billing information or a trial that leads to said server [then the Feds would just NSL you and get the information]

**********

[Medium article]

“Update 19:28 GMT - Now confirmed in this case. It appears the BBM communications between Kate del Castillo and “El Chapo” were intercepted for many months.” –medium.com

[Poor translation from the URL below]


“KATE DIRECTLY

PM.- 11:00:36 Dad: Pretty Hi, friend, how are you? What a pleasure to greet you, even for this medium.

11:06:11 PM.- M: Guapa: Finally. I could not connect. Please send me sooo modern appliance! How are you?

PM.- 11:08:46 Dad: Guapa: Good friend, thank you. How good that you liked. I say you graduate you fired them, you'll be on Friday with friends. What good, I am happy to greet you personally. I finally will. Thanks friend.

PM.- 11:10:11 Dad: Give preference to Guapa.

11:23:44 PM.- M: Guapa: Thanks to you I will meet you, and do not know the emotion I feel. Thanks for your confidence. I've been trying to make an important team with real people, respected in Hollywood. I want you to listen ... But regardless of our project, I get very excited to see you in the eye, in person. THANKS. For me the most important is that you feel comfortable without any compromise at all, and I tell me what you think after our meeting. I suppose that I will receive instructions about where to go and all the details.

PM.- 11:28:57 Dad: Guapa: Amiga, go to Sinaloa. Have confidence that all is well, if not, do not invite. I'll take care, that you'll see when you come, I will touch you take your tequila. As I mentioned, I am not the policyholder, but you take for the sake of be living with you. Thank you very much for being such a fine person. How beautiful you are, friend, in all aspects.

11:46:52 PM.- M: Guapa: I confess that I feel protected first. Already you know my story when we have time to talk, but for some reason I feel safe and I know you know who I am, not as an actress or public person but as a woman, as a person. I take my tequila to share with you, because it is a dream that I was playing comply. And thank you. See you soon, buddy. Blessings.

PM.- 11:51:38 Dad: Guapa: Thank you, friend. One question: please tell me at what time I can send you message to not distract from your busy schedule you have. Please you tell me, I do not feel bad, I know of commitments, so you tell me what time do not interrupt.

27 SEPTEMBER 2015

12:13:23 AM: M: Guapa: I leave tomorrow to Los Angeles at 9:00 am and I will be alone all day at home. You can write me anytime after 11 am ET LA, which is two hours behind Mexico. At that time I'll be landing, but as quiet and lonely. In the week I'm very quiet too. Except on 1 October, I'll be filming all day. If you write me and did not answer soon, it's safe because I'm in something, but will answer as soon as possible.

12:18:23 AM.-Dad: Guapa: Thanks friend, it will. I'll mark it on the schedule that you tell me, friend. Thank you for being such a good person. I wish you a good trip. You're well today and always. See you soon friend.

12:38:13 AM: M: Guapa: soon;)

10 OCTOBER 2015

10:25:59 AM: 1: Hello, friend, sorry, was asleep. Good trip, I wish with all my heart. We are waiting. I love you.

3:54:07 PM.- Ermoza: very tired, but already here, working :)

3:54:34 PM.- Ermoza: What about you, how are you?

4:15:44 PM.- 1: Okay, friend, then came to rest, relax, friend.

4:18:37 PM.- Ermoza: lol, I love it, but have to eat = '(.

4:22:00 PM.- Ermoza: and do not sleep much since I saw you, I'm excited about our history ... is the truth. It's the only thing I think ...

4:29:42 PM.- 1: I tell you I'm more excited about you that in history, friend.

4:35:07 PM.- Ermoza: lol, I love to know.

Ermoza PM.- 4:54:19: I chiveaste, friend;).

5:10:18 PM.- 1: It's the truth, friend. What you tell me your partner? What are those men doing?

5:27:51 PM.- Ermoza: !, are excited waiting for what follows, just like me!

5:40:25 PM.- Ermoza: and ended Makeover me, now I'm going to open a film festival here ... I do not want to take me because it seems risky, since my other devices I have to take on. .. For if you see me disappear.

Ermoza PM.- 5:40:53: I hope not finish so late today ...

5:41:10 PM.- 1: Here hope when you like. You told me that the first week of November, here will be on the lookout for them and will have the tequila ready to take it, friend, I will give much pleasure to serve them, friend.

5:45:28 PM.- Ermoza: yes, we want, but first my companion wants to go to Washington and New York with what you're going to send news to bring.

Ermoza PM.- 5:54:38: I write if not late at night when you return = - *

6:03:26 PM.- 1: We'll see how to make them arrive this week. You go to work, you abandon it as we chat, friend. Be fine.

23 OCTOBER 2015

11:41:27 AM: 1: V good morning. Happy Birthday wishes you who appreciates you and loves you: your friend. I hope you're having a great time in company of your own. I wish you well today and always.

3:46:20 PM.-Ermoza: what good birthday !!! Thank you! We embrace and soon.

24 OCTOBER 2015

1:58:45 PM.- 1: Good afternoon, how is the good of this world and the most intelligent woman, I admire a lot? I handed the phone to the lawyer you talk to him you tell him who gives memory of the photos, friend. This is the phone 5565173626.

2:03:10 PM.- Ermoza: lol, thanks !!! Hello, beautiful friend, I call him, will be a number of USA, I call today! Take care! And thanks = - *

2:10:32 PM.- 1: Thank you, friend, for your good wishes. Be fine. Your friend wants you. Bye.

Ermoza PM.- 2:13:59: I love my friend, bye.

29 OCTOBER 2015

10:15:23 PM.- 1: Dude, you have to see us. Everything will be quiet if he was not sure would not invite you. I want you to interview lords and ladies of my ranch. I tell my mom wants to meet you. I told you. Do not be discouraged, nothing happens. All I have to 100.

31 OCTOBER 2015

3:44:16 PM.- Ermoza: a lawyer who would favor a large signing bonus if what you proposed my companion can be done, that's him and I think back on Wednesday.

4:04:30 PM.- 1: I hear you, and if you tell me that this is better, go ahead, I have every confidence in you and what you counsel me know what is right.

4:13:20 PM.- Ermoza: thanks for the confidence, I hope that this second proposal can be done! I'm warning you.

4:19:26 PM.- 1: It's fine. Then on Wednesday already you know something about your friend, both of the firm as it was to do with the memory that made you get. That you tell me how it went, by fa.

4:23:31 PM.- Ermoza: Of course! If I know something before I'll let you know, okay?”

https://medium.com/@roryireland/sean-penn-and-el-chapo-operational-security-errors-314a1847e3a0#.kxs226daj

*************

From the above it looks like the Feds were listening in for a length of time [and probably had all the metadata].

@ Clive

Your idea of a one phone per contact and dispose afterward each conversation sounds somewhat safe. But, as I understand it, every new mobile ID or phone number that comes on the grid gets monitored for a certain period of time. So, using a “seasoned phone” and giving it to some unsuspecting person makes sense.

Clive RobinsonJanuary 16, 2016 1:33 AM

@ 65535,

Thus, if the corporate email server is in the 5eyes jurisdiction your mail will probably be read.

They will also see it on the network just upstream of the webmail service as well. Which is why the devil as always in the details.

What you and @Nick P, did not read were the conditions of using a webmail drafts box as a "communications system". I will repeate them again,

    Firstly and importantly "don't use plain text". Secondly don't use widely geographicaly seperated IP addresses for sender and recipient, unless you are both using a "known" VPN / Tor / mixnet node to stop the email service supplier detecting you appear to be in two or more widely different places.

Let me put it another way, you are using it "as encrypted communications" the content is no more or less vulnerable than an equivalent encrypted communication. That is it is you are using it for "store and forward" or the electronic equivalent of a dead letter drop in a public space.

The point of using a VPN / Tor / Mixnet is to hide the recipient and sender locations. Which is the electronic equivalent of making sure you are "not tailed" to or from the drop point.

It's important to not have a "knee jerk reaction" to something because somebody else broke the rules and lost their job because of it. Because I suspect that the releasing of "Petraous Sacked for Using Drafts Folder on WebMail" was done by LEO/IC "to send a message" or three one of which was precisely to scare people out of using what is an otherwise well proven fieldcraft method.

The important thing about OpSec is "details matter", it's getting them wrong that causes you pain as the General found out.

But if you want a slightly more secure method than webmail go find my past posts on this blog about how to set up Command and Control for Botnets without using a server that can be got at by the authorities or amatures.

With regards,

This sounds good in theory, but the last time I looked into Blackberry Business services one had to “signup with Blackberry” giving away billing information.

Blackphone is from "Silent Circle" not Blackberry...

Anyway it's not very difficult to set up anonymous "shell companies" and "disconect" the shell company via the likes of a "Limited Liability Partnership" (LLP) a nice little "financial vehicle" the auditors insisted the UK government set up to protect their proffits. It just so happens that money launders, tax avoiders, those bribing officials to get business contracts in the likes of Saudi etc just love to use LLP's for a whole variety of reasons.

As for NSL's they only work on US based entities, you can set up servers in various parts of the world with shell companies to suit.

Interestingly I'm not sure if NSLs travel down a corporate tree. That is a US firm that has a business relationship with a company in another country can act as a legal "fire break" if setup correctly, that is as an "investor / shareholder" not "owner" of the company (it's yet another use of LLP's that major US Corps use for various mortgages and IP protection).

ianfJanuary 16, 2016 3:18 AM


irrelevant if the sponsoring authority has no jurisdiction over where the activity was taking place.

Let's get real, Jon. Even friendly states spy on one another because everybody knows that everybody else says one thing while doing another. Alliances waver. Cross-border coöperation is an euphemism for regulated damage limitation of frenemyship. Etc. Spying alleged to be the second oldest profession of the world, or is it prostitution? Nice if one can combine the two, be a Mata Hari, get played on the silver screen by Greta Garbo. Worth the neck.

BTW. ever wondered how come current President of EU Council, the Pole Donald Tusk, got his 100% Scottish-sounding name? Easy… his forebears were Scots fur- and timber traders/ commerce spies who settled in once-Hanseatic Danzig, now Gdansk, by the Vistula river in the Baltic in XVIIth(?) century. And today nobody holds this against him!

So, intelligence gathering services of BOF-nations may have secret agreements of "not fishing in the ponds of each other," but when one side's interests really are at stake, such accords are of little value, and any non-lethal transgressions that they may cause are usually overlooked and filed away as leeway for the affected party's own future transgressions.

CIA is not like Mafia. Mafia kills other mafiosi. CIA dresses designated enemies up in VERY UNFASHIONABLE orange jump suits, put them away in Gitmo for decades, withholds deodorant. I know which I'd prefer, but CIA wouldn't give me any choice in the matter.

Copshave BestdrugzJanuary 16, 2016 8:23 PM

Sean Penn don't know shit about security. Don't use phones, don't use computers and don't use the internet.A hammer makes a smart phone secure.

A simple letter would have been 1000 times more secure than his approach. Dumb arse El Chapo deserved to get caught, why the hell not earn a legitimate income. Yes it's not as much as billions from coke and murder, but it's honest, and when the government faRks you, at least you still have some knowledge you did the right thing.

I realise Mexico is a tough place, but first world countries are more corrupt, just much more sophisticated at it. Australia has been robbing it's neighbours of 100s of Billions for a long time and let's Indonesia invade and murder Timor and West Paupa in return for keeping their mouths shut.
The West is just really good at keeping it's dirt mostly out of the headlines, hey, and journalists disappear all the time.

I've watched the Minister of Police snort cocaine in front of 6 year old children while sitting next to the top cop and the Premier in front of 30 customers in a restaurant.That was before smart phones though.

65535January 16, 2016 9:45 PM

@ Clive

“What you and @Nick P, did not read were the conditions of using a webmail drafts box as a "communications system". I will repeate them again,
“Firstly and importantly "don't use plain text". Secondly don't use widely geographicaly seperated IP addresses for sender and recipient, unless you are both using a "known" VPN / Tor / mixnet node to stop the email service supplier detecting you appear to be in two or more widely different places.
“Let me put it another way, you are using it "as encrypted communications" the content is no more or less vulnerable than an equivalent encrypted communication. That is it is you are using it for "store and forward" or the electronic equivalent of a dead letter drop in a public space.” – Clive

As I understand it, you are saying to encrypt the email then some how use Webmail as a dead drop. That sounds good in theory. What set of programs or browsers would you use to encrypt a Gmail draft?

‘…I suspect that the releasing of "Petraous Sacked for Using Drafts Folder on WebMail" was done by LEO/IC "to send a message" or three one of which was precisely to scare people out of using what is an otherwise well proven fieldcraft method.’ – Clive

Maybe that is the case. But, the fact remains that the draft was readable and sendable by said LEO/IC operative. Thus, all the big email providers such as Gmail, Yahoo, hotmail and so on have that problem. I you know of another secure email provider that can do what you suggest let me know.

Take a look at the new changes to so called USA Freedom Act and you will see the vast methods of tracking a person via searching a “Facility” in a bulk fashion and chaining the data/metadata.

See the links to emptywheel in this post [they are fairly explanatory]:
https://www.schneier.com/blog/archives/2016/01/should_we_allow.html#c6715365

I think you will see how wide a net the NSA is casting when searching Facilities.

I don’t think the dead drop will work much longer in major communications providers – unless the encryption is done before it hits said providers servers [and the keys are securely transferred]. Again, if you know of a Webmail provider who you think is secure let me know – I’ll give them a go.

As for Silent Circle’s encryption, it was reportedly successfully monitored according to Medium dot Com’s article in the above post of mine. How it was done is unknown at this time.

https://medium.com/@roryireland/sean-penn-and-el-chapo-operational-security-errors-314a1847e3a0#.kxs226daj

Clive RobinsonJanuary 17, 2016 4:45 AM

@ 65535,

As for Silent Circle’s encryption, it was reportedly successfully monitored according to Medium dot Com’s article in the above post of mine.

Err, the article you provide a link to mentions the BlackBerry Messenger (BBM),

    ... this should immediately have suggested avoiding a tool like BlackBerry Messenger (BBM), as it it widely suspected that a number of states, including the US government, have the ability to intercept these communications.

Which was used between the fugitive and the actress for many months pior to the visit. But the article does not mention Silent Circle or the BlackPhone at all currently.

BBM has been known to have been broken for some years now, with various countries demanding and getting access to the RIM managed servers Pakistan being the most recent in the news.

It's an open question as to if the other "business oriented" BlackBerry service where the "business" runs the server can be got at or not.

With regards,

As I understand it, you are saying to encrypt the email then some how use Webmail as a dead drop. That sounds good in theory. What set of programs or browsers would you use to encrypt a Gmail draft?

What I am saying is you first transform the secret plaintext content of your message into a non secret form, and you do this outside of the communications link / letter drop.

For arguments sake transform with pencil and paper and OTP by hand, you encrypt the secret plaintext into ciphertext. Just as very many spies have over the years. Then type the cipher text into the webmail.

Rule number one of all spycraft / fieldcraft / OpSec is - You never ever communicate secret plaintext over a communications link.

You can encipher or code or use another transformation method but the secret plaintext does not go outside of your direct "physical control" or that of the recipient.

So unless you are using "energy gapped" computers to transform the plain text, then computer programs are out of the question. Which is why I talked about adaptive code books and,

    There are "codes" and "ciphers", in times past a message would be coded with the addition of message identifiers. Then it would have routing information added before it was "super enciphered" then key and other identifiers would be added before it was sent...

With regards the USA Freedom nonsense you mention,

Take a look at the new changes to so called USA Freedom Act and you will see the vast methods of tracking a person via searching a “Facility” in a bulk fashion and chaining the data/metadata.

It's just a way of putting lipstick on a pig. That is the pig is already doing it's thing and won't change, the lipstick is just for the onlookers to make the pig look more human and thus garner a bit of sympathy from those who can not see through it. Terry Pratchett drew attention to this human failing with cats, he observed that because they look cute and fluffy and playfull, that this prevents many from seeing "what nasty buggers they are underneath".

When you apply this to the IC you will see the FISC etc being used as "lipstick" with the LEO's you will see NSL's and ambiguously worded wiretap requests likewise being used as "lipstick", all to preserve the vener of legal niceties whilst in fact they are rapping the citizens back front and sideways.

So if the IC/LEOs can not get a legal stamp on what they do it does not stop them, they simply change the meaning of words to either make things fit or cover them up. They have been doing this since befor the ink was dry on the Church Report. The only change for the pigs is technology is making them fat and lazy, which actually means they are becoming grossly inefficient and torpid porkers. Thus like a couch potato quater back they can talk a good game to get their food, but the practical asspects of the game are quickly becoming out of their reach.

The real players are thus fit and fleet of foot and can run circles around the porkers if they have the knowledge of the best paths to take to keep out of the porkers sight / way.

When it comes to privacy then knowing "good OpSec" and what "Methods and sources" the porkers are using can keep you ahead of the game, all you have to do is stay "fit, knowledgeable and fleet of foot", but also take care not to hamstring yourself by practicing poor or bad OpSec.

The problem is that with OpSec the "Devil is in the details" and the policy of "Collect it all" catches errors and ommisions, and saves them away untill some one sees them. But to do that they have to "join the dots", which as Marcie Wheeler points out is what the algorithms they use --and are not covered by legislation-- are all about.

For algorithms to work they have to be able to distinguish signals from noise in a way that humans can understand otherwise false positives go up and up. Thus there are two approaches you can take "become noise" or more subtly "become a false negative".

The art to "become noise" is to appear in a random way where your covert actions appear to have no visable relations to each other or your overt actions. The art to "become a false negative" is in part the issue of "Ceaser's Wife" in that you become "above suspicion". Combining both is what "moles" and "infiltrators" do over and above the more general spycraft activities.

Whilst this is getting harder in the electronic data communications realm, the fact that this is where the IC/LEOs are expending their effort makes non electronic communications fieldcraft easier. The trick is to subsume a limited set of electronic communications into what are traditionaly non elrctronic communications fieldcraft skills.

An example of this --that went wrong hence we know about it-- was what has been dubbed the "Moscow Spy Rock" ( https://www.theguardian.com/world/2012/jan/19/fake-rock-spy-russia-britain ).

As I've said the devil is in the details, I suspect the Moscow Spy Rock was found by months of very close traditional counter espionage on a known target and a process of elimination not other high tech methods that people tend to fixate on these days.

It's known that such fixations are flawed. After various incidents the US pulled out of HumInt and became heavily reliant on SigInt and Imagery. This has been found to be a mistake for a number of reasons and we now see the IC/LEOs falling into the same for mass citizen surveillance of "collect it all". Thus aquainting yourself with the various reasons why SigInt failed is a worthwhile activity if you want to protect your privacy.

65535January 18, 2016 12:02 AM

@ Clive

“For arguments sake transform with pencil and paper and OTP by hand, you encrypt the secret plaintext into ciphertext. Just as very many spies have over the years. Then type the cipher text into the webmail.”

That's an idea. How do you get the One Time Pad to Gutzam under today’s boarder search environment [this include the “Boarder exception rule” where any type of search is possible]. The key has to be transferred by some method.

“…You never ever communicate secret plaintext over a communications link. You can encipher or code or use another transformation method but the secret plaintext does not go outside of your direct "physical control" or that of the recipient. So unless you are using "energy gapped" computers to transform the plain text, then computer programs are out of the question…”
That is sound advice – but is it viable? Consider the Guzman case where electronic endpoint devices were use extensively. This would include the phone that took the photograph of Penn and Guzman. How is a modern reporter to keep his sources private without some sort of electronic endpoint device?

“With regards the USA Freedom nonsense you mention… It's just a way of putting lipstick on a pig. That is the pig is already doing it's thing and won't change…So if the IC/LEOs can not get a legal stamp on what they do it does not stop them, they simply change the meaning of words to either make things fit or cover them up… The problem is that with OpSec the "Devil is in the details" and the policy of "Collect it all" catches errors and ommisions, and saves them away untill some one sees them. But to do that they have to "join the dots", which as Marcie Wheeler points out is what the algorithms they use --and are not covered by legislation…”

I understand your basic thrust. It’s translates into, “The public has been duped by the Intelligence Community and Law Enforcement. They just change the words to fit their needs.” Sure, the NSA's logarithms to parse terrorists data is not public but using military level weapons on civilian crimes doesn't seem to comply with the Fourth Amendment [or what is left of the Fourth Amendment].

I don’t disagree but I think Marcie Wheeler’s emphasis is the huge capabilities of the NSA/FBI/DEA and her suspicion that the USAF Act as actually Expanded the legal capabilities of the IC’s surveillance capabilities [and possibly covers illegal aspect of past surveillance]. I don’t think “USA Freedom [Act] is 'nonsense' to this discussion. It appears to be a very real threat and will probably be emulated by other countries.

‘It's an open question as to if the other "business oriented" BlackBerry service where the "business" runs the server can be got at or not.’- Clive

“Law enforcement has been able to intercept BBMs in the past. And Mexican officials have told the media that they were monitoring del Castillo for months, following a meeting she had last summer with El Chapo's lawyers, before she had reached out to Penn. Law enforcement even reportedly got photos of Penn's arrival at the airport in Mexico.” – Bruce S [See above post]

That sentence suggests to me that the Government can intercept BBM’s transmission or NSL the provider for them. Granted, I don’t know the complete details.

‘Penn says he "mirror[ed] through Blackphones," which are relatively expensive phones sold by Silent Circle that offer a more secure operating system than a typical off-the-shelf phone. It runs Internet through a VPN (to shield the user's IP address and encrypt their Web traffic) and end-to-end encrypts calls and messages sent to other Blackphones… As he wrote it, it sounds like he duplicated messages on the secure Blackphone that were being sent some other, potentially less secure, way, which would be dumb, if true. "I'm not sure what he means." said Silent Circle CEO Mike Janke via email. "It's a strange term and most likely he doesn't know what he is saying."’ – Bruce S [See the above post]

As for the 'Blackphones mirrored' [possibly through BBM or even in the clear] statement I cannot ascertain the facts are at this time. I will have to have more information.

Due to the expanse of topic mention in your post I will have to think about them for a while before responding. I have to get back to work.

swadeJanuary 18, 2016 2:19 PM

I don't understand why everyone seems to think it's Penn's responsibility for the OpSec. He's not the one running from the law. I would expect that whatever he did he was just following directions from the cartel. If the capture was the result of Penn's visit, it's the cartel that FU'd. I agree with whomever above said Penn is a parallel reconstruction to cover for how the guy was really captured. Penn kind of alluded to this on 60 mins last night - they asked if he was fearing his life, and he said "no" and among other things, something about the cartel being experienced with misinformation.

Clive RobinsonJanuary 18, 2016 4:30 PM

@ swade,

I don't understand why everyone seems to think it's Penn's responsibility for the OpSec.

Not everyone does, however as the old saying goes "It takes two to Tango". Thus each party should be responsible for maintaining OpSec to the level needed by either the other part(ies) or which every party is in efect most vulnerable, that is the accepted baseline you work from.

The problem with this meeting was that atleast four parties were involved, all with marginally differing agendas. You had the boss, the bosses team, the actress and the old actor trying to be a journalist/producer.

As it is being portrayed the boss set up communications with the actress and this was known to the authorities. Who had put her under surveillance. How they came to know this is unknown but appears to predate the old actor getting involved.

Thus the meeting was blown irrespective of the old actor's actions. That is even if he had practiced exemplary OpSec the Boss-Actress comms were revealing most if not all the authorities needed.

Personaly, I think the Boss made mistakes because of the actress being present. Put simply he wanted to impress her in nice/opulant suroundings, that was in effect the Bosses primary base at the time. If the boss had just been meeting the old actor then the meeting could have been held in an old shack in the middle of nowhere, that could have been tourched into oblivion immediately after the meeting.

Thus the Boss was not being as cautious as he should have been and now people are dead because of his boldness.

If you are playing high stakes poker as a general rule you concentrate on the other players the cards and the deal, and you don't fool around with some woman untill after the game is over...

DragonJanuary 23, 2016 2:12 PM

What's this "OpSec" you're babbling about, dipshit?

Sean Penn is an *actor* not a spook - his "OpSec" was exactly what a thinking being would expect from an actor not a spook.

Remember - ACTOR not SPOOK.

Chant it like a mantra. . . Actor not Spook. . .

Keep repeating it til you get a fucking clue.

Clive RobinsonJanuary 23, 2016 4:41 PM

@ Dragon,

What's this "OpSec" you're babbling about

Operational Security (OpSec) is just a way of behaving. Surprisingly for some, we know that a number of actors can be quite good at it, as was seen during WWI, WWII and later. Likewise Journalists get quite good at OpSec it goes with the job if your are an investigative journalist of just about any type.

One aspect of OpSec is what we call "social engineering" these days, which is the "age old art of the con" or "gulling" which is to get people to be more helpfull than they should. More refined versions are known as "Honey Pots" and various forms of blackmail. Gulling is something many actors do naturaly, it's what makes them believable in their roles, especialy character actors.

Another aspect of OpSec is "field craft" this generaly has to be taught to people, but an agile mind can work out much of it. At the lower levels it is taught to agents very easily in a couple or three half hour meetings. Such as how to avoid being followed, how to setup escape routes, how to setup and use dead letter drops and arange pickup flags etc. It's known that drug dealers can teach their street customers the last of these fairly easily even the badly strung out types on the edge of rationality.

Another aspect of OpSec is "Situational Awareness" some people have a natural tallent for it others have to learn it. The "Trick Cyclists" have a term for the state many people have to be in for good situational awareness and that's "Hyper-vigilante", people who are not naturaly vigilant sometimes say it feels like they are running on their nerves or with nerves stretched. It can be a natural high or "buzz" when it's use is short term. However long term it can come at a significant cost in terms of mental fatigue which with out Rest and Respite can lead to initial cognative impairment, depression, panic attacks, paranoia and in some cases trigger other mental health issues that can quickly become self reinforcing. In some ways it can be like "shell shock".

There is also another aspect to Situational Awareness what Bruce refers to as "Thinking Hinky" not everybody can do it and even in those who can it takes time to do it well. Put simply it's a feeling often physical not mental for subtle "tells" that indicate something is not normal. Thus you hear about "a prickly feeling at the back of the neck" or a shiver "like somebody's walked across their grave" or just "a gut feeling". As has been said before "it's the monkey brain setting you up for flight not fight" and it's purpose is to get you up in a tree before you can think. If you take the cautious aproach and over react to the tells as an agent then normaly no real harm is done, it just slows things down. As a police officer etc this has a significant down side in that people make official complaints about "over zealous policing" / discrimination / thuggery etc. If an agent is not cautious and under reacts then they could end up in a world of hurt or dead. However if a policeman or similar under reacts then it's likely not just them but other people can end up in a whole world of hurt or worse.

Then there are the "technical asspects" of OpSec that often arise as new technology gets absorbed into fieldcraft. Early examples were methods of covert entry and egress much the the same as burglary, poisons, kinetic weapons, disposing of corpses including making murder look like an accident, through the likes of invisable inks to more modern times with cameras, radios, listening devices and these days computer hardware and software.

These technical asspects usually need domain experts to teach them at the lowest levels to field opratives up through field specialists such as radio operators right through "the backroom boys" to what today would be called nerds / geeks / gurus or the James Bond stories legandry quatermaster "Q" (actually based on a real person). At the upper end the domain experts are of graduate or higher level training but due to the novelty of what they do have a very large chunk of "self taught" inovation. Some who are employed by the agency are field support officers, others such as "Secret Squirrels" technical telecom's etc specialists loaned out by their employers, others contractors some tied others freelancers. Occasionaly with very new tech that has not had the bugs knocked out a domain expert such as the inventor / designer / inovator will go out into the field, but it happens less these days than it used to due to amongst other things trust issues and that the targets these days are "us" not "them".

The important thing to note is that "principles" and "field officers" are not expected to get to deeply into the technical asspect side of OpSec, it's not their job. It's what the "field support specialist" officers are there to do.

So now you know a little more about OpSec you might want to re-think your opinions.

BoppingAroundJanuary 24, 2016 9:15 AM

Clive,
Perhaps a daft question [A], whilst I'm familiar with some aspects of what
you have described, are there any books about this stuff (i.e. opsec,
particularly situational awareness and 'thinking hinky')? Sadly my cursory
searches haven't yielded much besides a few pop-science books with
disproportionate emphasis on 'pop'.

-------------------------------------

[A] I sense that it might be one of those arts that don't get featured in
books too much.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.