Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker. - Kevin Mitnick
If it’s too good to be true, then it probably is. – Ancient adage
The #1206 “fiction” series continues …….
“Do you mean to tell me that terrorists can communicate as much as they want right now and their communications are untraceable and uncrackable? Is that what you are telling me?”
The man at the head of the table sat back, fully consumed by anger and frustration that the billions of dollars being spent on national security seemed to be at best, filled with gaps in providing valuable intel and at worst, totally useless.
Cries of protest suddenly erupted, with people representing different agencies all clamouring to refute the question from their Commander-in-Chief.
One person was silent, waiting for the din of people in cover-their-ass mode to settle down.
When the noise had subsided, he leaned forward and spoke quietly. His soft voice was almost impossible to hear and the other members of the meeting leaned forward to hear him.
“Mr. President”, he said, “despite assurances from the smartest people in the country that this is not possible, I believe it is not only possible but highly probable. I would go on to suggest that overconfidence in our capabilities is a primary reason why this is being dismissed.”
“How can this be?”, came the instant denial of the head of one of the agencies. “We’ve tapped every phone and every Internet connection. We have the best decryption algorithms and the most powerful computers in the world. Information does not move without our knowledge of content, origin and destination.”
“Perhaps”, came the reply as the quiet man sat back thoughtfully, his fingertips pressed together.
“Explain”, demanded the President.
“Very well”, said the quiet man. “Everyone here is familiar with numbers stations, stations that have been broadcasting codes over ham radio frequencies for decades. Even the US Government makes use of such techniques to send coded messages in numeric format to agents around the world. The point of origin can usually not be traced if the broadcast is insufficient in time duration and we have no idea who is hearing the message. It is totally untraceable.”
“That may well be”, piped up another member of the group, “but there is no code that we haven’t cracked so even if we don’t know who the sender and receiver are, we still know what is in the message.”
“That is not true”, replied the quiet man. “One-time pads, often shrugged off by experts like the people in this room as being too unwieldy or with inherent implementation weaknesses are resurfacing with newly-discovered value.”
“You are absolutely correct about their weaknesses”, came a response from across the table. “One-time pads are only theoretically perfect. In practice, they require a true randomness that does not exist within the computational power available to organizations not represented here. As long as there is the slightest hint of non-randomness, the coded message is exposed to possible or probable decryption.”
“And so you admit that if the randomness that creates the one-time pad were perfect, we would have a problem?”, asked the quiet man.
“Possibly”, came a tentative reply.
“And so what if I told you that some people were taking truly random things, say, cosmic background radiation levels and using that value as a seed number in a permutation generator that ultimately creates the one-time pad. Totally random – totally uncrackable. In fact, the only thing protecting you then is the competence of the person using the one-time pad. I for one prefer to create my own luck and not rely on someone else’s.”
There was silence in the room for a moment and then a quiet “Oh my God” was heard by the attendees.
“There is”, continued the quiet man as he leaned forward over the conference room table, “a solution if you are interested.”
In a hot, sweltering room in an obscure village somewhere in the Middle East, a teacher prepared to lecture his students. This wasn’t the typical classroom offering things like English-as-a-second-language, rudimentary math skills or anything common in such a location.
He was preparing to give an introductory class in ham radio communications and a crash course in how to obtain cosmic background radiation values.
In a quiet room, a group of men silently watched monitors showing the proceedings of the Presidential national security advisors as well as the class being taught to the sweating students in the small village in the Middle East.
“Clever”, said one quietly. “Provide one side with a perceived unstoppable tool of war while preparing the other side with a means of how to deal with such an unstoppable tool.”
“I thought so too”, one of his colleague replied. “The best part is that both groups of recipients don’t see the alternate intention, that the information being provided actually puts them at risk instead of enabling them.”
“That is often the case when something looks too good to be true”, commented another colleague, “but despite their belief in rejecting that which is too good to be true, they often don’t realize it until examining it in retrospect.”
“Very true”, said the first speaker. “Fortunately for us it won’t matter by then.”
They turned their attention back to the monitors and resumed their observations.
To be continued.
© 2013 – Harry Tucker – All Rights Reserved
Background: While this is “fiction”, the existence of one-time pads and their strengths and weaknesses have long been researched by crypto experts. Numbers stations are also real and have been used by government agencies, including our own, for decades. Some details of both have been omitted here for brevity and other reasons.
The other difficulty we have is that we assume that a perceived “large” or “complex” problem requires a “large” or “complex” solution which is not always true. The more complex our solution, the greater the opportunity that we will miss something in our implementation of that solution, creating gaps in that solution. We must be careful that we don’t get so full of ourselves when it comes to the solutions that we create that we don’t assume that no one else is as smart as we are. Suffering from the overconfidence effect opens the door to someone else who may surprise us with simple counters to our complex measures.
Addendum – Current Surveillance Methods Ineffective
A report that came out on January 13, 2014, revealed that for all the data mining that is currently in progress by the NSA, very little if any can be proven to be effective in anti-terrorist activity. The news item is here.
If the massive data collection does not serve to deter or prevent terrorist attacks and acknowledging that the people who collect the data are very smart people, what other purpose does such data collection serve?
Addendum 2 – January 13, 2015 – Banning Encryption Doesn’t Solve Anything
There is an interesting item in the news that has been circulating around since the Charlie Hebdo attack in Paris last week and that is the notion that some government and intelligence service leaders are looking to ban the use of encryption tools because they undermine surveillance agencies.
Such a ban will only affect law abiding citizens while those who are not law abiding will continue to use encryption as they please.
It is also disconcerting to realize that billions of dollars in surveillance technology can be undermined by the scenario I described in this post. In addition, confusion can be created by leaving false communication in the clear to be intercepted by our surveillance industry while the really important, factual communication takes place via the scenario I described.
It makes me wonder if we can be made secure at all.
What do you think?
This series, a departure from my usual musings, is inspired as a result of conversations with former senior advisors to multiple Presidents of the United States, senior officers in the US Military and other interesting folks.
While this musing is just “fiction” and a departure from my musings on technology, strategy, politics and society, as a strategy guy, I do everything for a reason and with a measurable outcome in mind. :-)
This “fictional” musing is continued from ……
Be Careful What You Wish For – October 27, 2013
When Avoidance Produces The Unavoidable – September 26, 2013
By Way of Deception, Thou Shalt Do War – August 30, 2013
Serving Two Masters – August 22, 2013
Growing the Rot From Within – August 6, 2013
The Coming Storm – June 8, 2013
The Master of Distraction – May 15, 2013
Living on the Edge – How Close Do You Dare? - March 29, 2013
Preventing A Disaster – Or Preparing To Survive One - November 29, 2012)
Divide and Conquer - August 5, 2012
Financial Crisis – March 11, 2008
There is benefit to reading those first (oldest to newest) but it is not required.