Tag Archives: Encryption

The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies, VPN and that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under each of the above headings have been compromised. Rather it means that the OS level hack capability of the CIA – as seen on iOS and Android – means that they can gain full control of the device and render any point solution counter measures moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.

ENDS

Is Moxie Still An Anarchist, Are Farcebook Deliberately Hobbling WhatsApp & Does SIGNAL Leak?

Recently I wrote in a blog post “When The Privacy Advocate Becomes An Apologist For The Opponent” about the main stream media sponsored spat that had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

1. Is Moxie Still An Anarchist?

I said of Moxie Marlinspike that:

“When the advocates become apologists for the mainstream then they longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not. In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.”

The blog post drew some comment on Peerlyst and elsewhere that took the debate in a number of different directions that I think are worthy of note. My personal belief is that WhatsApp is a more inferior app than most people will accept and that Moxie’s stance also leads me to doubt the once unassailable position of Signal as a trustworthy option.

Peter Stone on Peerlyst commented that:

“Your assertion that Moxie‍ fundamentally is no longer an anarchist when he sides with Zuck holds. And you’re right it matters that they made this design choice, and yes it can be a threat if you have Governments in your threat model. I cannot argue with you at all. My only point, and thanks for the mention, was that it wasn’t, as such, a backdoor.”

Conclusion: Moxie is not an anarchist

2. Are Farcebook Deliberately Hobbling WhatsApp?

This comment led me to ask:

“I agree with you Peter and my post is only expressing my view from the lens of being one of those “crypto geeks” that you and Dave Howe were discussing on the original thread. I accept all of the points that you both make about barriers to entry / usage and cost factors for “average” users in adopting escalating levels of security. But would you agree with the statement that:

“WhatsApp have made a design choice that can be exploited as a backdoor – the rest is semantics”?

Any takers?”

Boelter in his articles laments the fact that Farcebook, after being notified of the weakness in the “design-choices” that they had made for WhatsApp, still refused to take action.

This to me betrays an unwillingness to properly secure the platform for whatever reason and while I accept that a legitimate interim position between releases of a product is to state “it is good enough – for now – but lets see if we can make it even better” that does not seem to be what the Farcebook approach is to ongoing WhatsApp app hardening.

I really liked what Dave Howe had to say in reply to my original comment:

“I can agree totally on the first part of that. WhatsApp have made a design choice that can be exploited as a backdoor.

In fact, I would go further; WhatsApp have made a series of poor design choices which impact severely the security of the solution.

The first is that mail will be retransmitted without an option to block if a new device is added.

The second is that a new device can be added and, by default, this will be silently accepted by the system, and

The third is that the account holder has no reliable way to know a new device was added unless WhatsApp notify them – which of course for a TLA “listening tap” will not happen.

However, “the rest is semantics” I disagree with.

The impact of these poor choices is severe, but the solution is still better than it was before the protocol was added, and more importantly, now WhatsApp is aware of the mistake, it is in a position to fix it.

The detail is therefore important, and while a lot of crypto purists would class anything not a provable success as an abject failure, a more pragmatic security enthusiast will take any improvement as an improvement, and work to build on that platform.

Similarly, to a purist, a system is broken if, given a compute cube the size of the moon, you could break a message on average every thousand years or so – while a pragmatist would say “it’s good enough – for now – but lets see if we can make it even better”

We need to push them to get better. If nothing else, this “backdoor” publicity put this in the public eye (only for Brexit and Trump to push it back under cover of course).

I have to wonder if there is some sort of instruction preventing them from doing so – I know they can insist on that in the UK now, but I wasn’t aware this was true in the US yet (See my blog post Silencing the Canary & The Key Powers & Reach of The IPA)

Solution is obvious though – increase user choice, and make it so they can turn that *off* if they want to, not off by default.

New device added? Have confirmation of new devices as an option.

Until confirmed, new messages will *not* be encoded to the new key, so you can email the old keyset asking if they really have added a new device.

Options can have “auto accept” “ask” and “deny” with the default set to “ask”.

Unacknowledged messages? Have that only resend if the new device is confirmed, and not until; that takes care of that problem too.

If users then choose to disable the “annoying popup” then that’s their choice, not something imposed on them by Farcebook.”

Aside from the poor “design choices” that are covered in “When The Privacy Advocate Becomes An Apologist For The Opponent” and above by Dave here are a few more “design choices” WhatsApp chose not to include from the SIGNAL protocol:

Ability To Password Protect The WhatsApp App

WhatsApp does not have any password system built into the app. WhatsApp say there are many apps in the Google Play store that provide that functionality so just tag on a third party app to make it even weaker

screen-shot-2017-02-01-at-20-41-45

“Disappearing Messages” Option in WhatsApp 

There is no “disappearing messages” option in WhatsApp.

Conclusion: Yes Farcebook are deliberately hobbling WhatsApp IMHO. Their reasons? I do not know but I do not accept “user experience” as a justification.

3. Does SIGNAL Leak? 

Would anyone care to comment on this statement regarding the signal app and “leakage”:

“Note that Open Whisper Systems, the makers of Signal, use other companies’ infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.”

Found at on a post on ELECTRONIC FRONTIER FOUNDATION Surveillance Self-Defense.

Conclusion: I don’t know

ENDS

When The Privacy Advocate Becomes An Apologist For The Opponent

It does not matter to me whether the “The Guardian Falsely Slammed WhatsApp For a “Security Backdoor” – It’s Actually Not” according to a Peter Stone thread on Peerlyst.

Bruce Schneier also weighed into the debate saying “This is not a backdoor. This really isn’t even a flaw. It’s a design decision that put usability ahead of security in this particular instance.”

Tellingly though he went to say that “How serious this is depends on your threat model. If you are worried about the US government — or any other government that can pressure Facebook — snooping on your messages, then this is a small vulnerability. If not, then it’s nothing to worry about.”

The main stream media sponsored spat had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

If you take Schneier’s statement about who should worry about the WhatsApp “design choice” in handling “blocking” / “non-blocking” then irony drips from Moxie’s apologist defence of the WhatsApp handling of key changes when one notes that in a Jun 12, 2013 blog post he wrote “We Should All Have Something To Hide” .

Moxie at Open Whisper Systems, the designers of the well respected SIGNAL encrypted voice and messaging app, responded to the “backdoor” allegations in WhatsApp’s implementation of the SIGNAL protocol in a blog post on their site.

It was in response to Mr. Boelter’s piece in the Guardian newspaper “WhatsApp vulnerability explained: by the man who discovered it” which they say was in response to the Facebook denial that the vulnerability was a deliberate loophole.

The debate is complicated for people not involved in the security industry there are pro’s and con’s in the arguments that both sides make. Some of it is pure semantics, some of it represents shades of opinion other aspects are “interpretations”.

It all essentially stems from WhatsApp approach to handling encryption key changes in certain scenarios and their attitude to “non-blocking”. SIGNAL handles all key changes with “blocking” but WhatsApp chooses to go with “non-blocking”. There is therefore a fundamental difference between the WhatsApp app’s implementation of the Open Whisper System protocol and the implementation that underpins the SIGNAL app.

The integrity of the SIGNAL app is not being questioned. The Wall Street Journal stated about the latter in a Jan. 24, 2017 11:16 a.m. ET article that “Messaging App Has Bipartisan Support Amid Hacking Concerns” describing SIGNAL “as a smartphone app that allows users to send encrypted messages, is gaining popularity in the political world amid rising fears about hacking and surveillance in the wake of a tumultuous election year.”

My worry is not about WhatsApp’s Open Whisper Systems implementation because frankly I would not use it. I would not use it because I do not trust Facebook (the owners of WhatsApp or Zuckerberg). Zuckerberg because he tried to cover up the Facebook facilitation of the NSA PRISM program before the Snowden revelations embarrassed him into trying to apply a retrofit fix to his betrayal of Facebook users. And WhatsApp because frankly they are sharing their users data with Facebook despite denials.

When the advocates become apologists for the mainstream then they longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not.

In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.

ENDS

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most peoples personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point though that the comment misses and which is the point that Dean makes in his comments about the average John Q. Citizen’s awareness of the threats and the countermeasures available is that the public in general has moved their private communications on to a platform where they do not understand the implications of the ability of externals to eavesdrop or to store and reference data at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most peoples personal information is / will be inconsequential” or the storage of most peoples browsing history or contacts with other parties is / will be inconsequential or not – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS

The Irish PM, Cabinet Ministers & Head of Police Force use Gmail for Official Business

The leader of the country whose government presides over the data protection compliance of a host of global social media sites uses Gmail for government business.

Let’s just think about that for a second. The guy uses a service who in a 2013 filing, while defending a data-mining lawsuit, said that people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

Ireland sits next door to the most surveilled society on the planet who last week passed into law the most intrusive surveillance laws ever enacted in a democracy. This is what the British have publicly declared they are willing to do to their own citizens and foreign residents and they even had the audacity to spin “that the protection of privacy is at the heart of this legislation“.

What do you think they might have in their more covert bag of tricks for use on foreign governments?

One wonders why the Irish so close to the British geographically are as so far removed from realising the national security implications of having a kindergarten knowledge level with respect to mass surveillance, industrial espionage and cyber security.

The whole sorry mess and the puerile responses from the PM’s spokespersons made to queries regarding the Irish prime minister’s use of the service were widely covered in the last two weeks by The Irish Daily Mail and The Irish Mail on Sunday in articles by  Senior Reporter Seán Dunne.

How much of Ireland’s bargaining strategy with respect to the Brexit negotiations will the British authorities possess foreknowledge of when a teeny-bopper hacker who took a few hacking 101 classes at the local tech could access the comms of the Irish politicians centrally involved in the discussion.

This blog has made it’s view of Ireland as a Privacy Advocate and the abilities of the Office of the Data Protection Commission in Ireland well known.

The office of the Data Protection Commissioner in Ireland was established under the 1988 Data Protection Act. The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46.

The Acts set out the general principle that individuals should be in a position to control how data relating to them is used. The Data Protection Commissioner is allegedly responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers.

The Commissioner is appointed by Government and is allegedly “independent” in the exercise of his or her functions but has fallen foul several times to allegations that they are inherently political in their motives and policy.

The DPC have been censured by The High Court in Ireland regarding their a decision to refuse to investigate a data privacy complaint by Austrian law student Max Schrems against Facebook and his attempt to expose the cosy attitude to abuses of Safe Harbour.

Digital Rights Ireland have also claimed in a 2016 lawsuit that the Irish State has not properly implemented EU legislation on data protection. They claim “Ireland’s data protection authority doesn’t meet the criteria set down by the EU case law for true independence,” it added “As the Irish government has refused to acknowledge this to date, we are turning to the courts to uphold Irish and EU citizens’ fundamental rights.”

The group also claims Ireland has not properly implemented EU legislation that requires data protection authorities to be genuinely independent from the government.

DRI had previously taken a case to the Court of Justice of the European Union that led to an EU data-retention directive, then the basis for Irish law, being thrown out in 2014.

Facebook love the Irish Data Protection Commission as do all the other social media giants who not only get a free run enjoying multi-billion dollar tax breaks while the people of Ireland pay for their free ride with swingeing austerity.

Last week I received an email from Twitter and when I clicked the link I read:

“Twitter’s global operations and data transfer – Our services are a window to the world. They are primarily designed to help people share information around the world instantly. To bring you these services, we operate globally. Twitter, Inc., based in the United States, and Twitter International Company, based in Ireland, (collectively, “we”) provide the services, as explained in the Twitter Terms of Service and Privacy Policy. We have offices, partners, and service providers around the world that help to deliver the services. Your information, which we receive when you use the services, may be transferred to and stored in the United States, Ireland, and other countries where we operate, including through our offices, partners, and service providers. In some of these countries, the privacy and data protection laws and rules on when data may be accessed may differ from those in the country where you live. For a list of the locations where we have offices, please see our company information here.”

The section above that I have highlighted and italicised prompted me to tweet:

I followed this tweet up with an emailed request for clarification – which much like my many failed attempts to acquire the elusive “Blue Tick” was met with a stony silence. Which is code I think for “Please go away Mr. Penrose you are a massive pain in the neck”.

I also sent an email to the lovely Ms. Dixon, Irish Data Protection Commissioner requesting a comment. Do I need to tell you what I received? Well – just in case you own an irony bypass – I received nothing.

When regulation is in the hands of amateurs and when policy is set on subjects by people with no qualifications in the matter and when both of them are in the pay of those they are inspecting then what hope do we have really? Again recognising that some do not recognise rhetorical questions, the answer is that we have none.

END

State Surveillance in Ireland Part 4: Creeping Extra-Judicial Law Enforcement Powers

The resources of the Irish police force and military intelligence were traditionally focussed squarely oncounter terrorism ops against militant republicans and loyalists. In that respect their expertise in terms of surveillance, intelligence gathering, the use of informants, infiltration methods and technical expertise was sought out by international colleagues during the 80’s and 90’s.

Terrorism, Gangland Violence & Islamic Extremism

During those years specialised law enforcement in ireland were one of very few Western alphabet agencies who possessed hands on domestic counter-terror threat experience.

In the late 80’s and early 90’s momentum gathered for a peace deal to end the “Troubles” which culminated in the Good Friday Agreement signed on 10 April 1998. This led to a massive reduction in direct hostilities and the associated criminal activities used to fund same.

Thereafter, the degree to which these counter terror resources and general counter-extremist expertise were required in Ireland diminished greatly. The main counter-terror focus was now in dealing with small, isolated dissident republican groups involved in internecine feuds. During this time some “dissident” groups branched out into general criminality.

Dublin and Limerick became the focus of a new threat in the form of gangland and drug cartel violence and in the late 90’s the resources previously deployed against terrorist outfits were partly re-deployed against this emerging threat.

Over the course of the next few years specialised law enforcement evolved in response to changes in the nature of offences being tackled in the courts.

A unique set of legal challenges began to appear when investigating especially in terms of covertsurveillance and technical surveillance methods and the ease (or not) with which they could be sanctioned and deployed – especially in time sensitive scenarios.

It also became clear that gangs and gang members were proving difficult to tackle and gatheringevidence to support trials met with barriers which previous Privacy and security legislation in the Irish statute books made difficult if not downright illegal. (see 2011 Communications (Retention of Data) Act).

The Criminal Justice Act 2006

The Criminal Justice Act 2006, legislated for during the tenure of Michael McDowell as the Irish Minister for Justice, created a new offence of membership of an organised crime gang, or “criminal organisation”, and made it an offence to assist the activities of an organised crime gang.

Evolving this legislation the Criminal Justice (Surveillance) Act 2009 provided for the use in criminal trials of material obtained during covert surveillance. The Criminal Justice (Amendment) Bill further defined membership of a criminal organisation and made it an offence to direct the activities of one.

There were also a host of newly created scheduled offences contained in the legislation which allowed gang members to be tried in the non-jury Special Criminal Court.

The Criminal Justice (Surveillance) Act 2009

In Section 8 of the Bill a declaration was made that the ordinary courts were inadequate and were not in a position to effectively administer justice as there was a pervasive threat of jury tampering and intimidation.

Despite this there was no evidence that the ordinary courts had previously failed repeatedly to justify such a sweeping alteration of the normal rules of habeas corpus, the right to silence (removed by the introduction of “inferences”), the right to trial by jury and the fundamental right of the presumption of innocence.

To support this general view that the legislation was ill-conceived and introduced to reduce the workload / evidence required in securing convictions in these cases Central Criminal Court Judge Mr. Justice Paul Carney came on record and stated that when gang members were brought before a jury in his court there were no difficulties in securing convictions.

The Radical Islamist Blindspot

Despite the extensive arsenal of covert surveillance (traditional and technical) powers and the reduction in the “body of proof” requirements to secure convictions under these various new powers, little has been done in Ireland to turn this formidable and questionably legal set of instruments toward tackling Radical Islamism.

Ireland is not overrun with Radical Islamists. Salafi Jihadist preachers are not spouting hate and intolerance in the majority of Ireland’s mosques. Apart from some small pockets in Dublin there is not the same level of Islamic ghettoisation in Ireland as opposed to say sweden where so called no-go areas are widespread and the city of Malmö is infamous for radicalisation and general anti-Western sentiment.

G2 Military Intelligence & the Garda Special Detective Unit’s Middle Eastern Desk

These bodies are tasked with monitoring potential jihadists in Ireland and Irish citizens who fight abroad in war zones – specifically Syria and Iraq – for Muslim extremist organisations such as the self-proclaimed “Islamic State”.

Their activities are obviously covert and their objectives and methods are clearly not publicly available or discussed – and rightly so. However, despite numerous attempts by associates it seems that there is no specific publicly available over-arching and non-compromising strategy document (heavily redacted or otherwise) that is available via the FoI Act.

It would be helpful and indeed, in the public interest, to see such a document to determine what level of significance is given to certain potential threats or what the attitude of these units is to the ramshackle approach to some key issues that the public sees via the Irish Court system.

Recent Developments

Islamic State is suspected to have been using Ireland as easy access to the U.K. The Islamic State militant group (ISIS) suspects will now it seem be prevented from using Irish ports as an easy access to get to Britain after the Irish police decided to crack down on the threat after concerns were expressed by their UK colleagues.

GCHQ has been monitoring Irish Jihadists and the ISIS support structure in Ireland including radicalisation threats, money laundering activities, fund raising and funnelling efforts and the use of Irishdocuments to assist jihadis with international travel.

“Sovereign” Ireland & GCHQ

All Irish internet comms cables and internet traffic is monitored by GCHQ in Cheltenham – without the knowledge of the Irish authorities.

Today in a statement it was reported that ‘Operation Mutiny’ began a number of weeks ago after doubts arose that there might be suspects using Irish ports – due to their weak security and surveillance systems– to penetrate the UK to facilitate attacks there.

Security at Irish ports was considered so porous by U.K. authorities that they intervened to reduce therisk that IS terrorists would use Ireland as a staging point for attacks – as the Battle for Mosul escalated – rather than their preferred previous use of Ireland as a soft backdoor for access to Europe.

Ireland has long been seen by Islamic extremists as a country where their support activities for foreignterrorism were largely ignored by the law enforcement community in Ireland in favour of the more highprofile gangland feuds.

An under-resourced Irish police force and domestic intelligence community with a set of IT systems that were woefully out of date did not present a serious threat to compromising extremist comms over emerging encryption and secure communications tools such as Telegram, Hushmail and Tor – despite the sweeping powers introduced to the Irish statute books in 2006, 2009 and 2011.

END

Hijacked Jihadi Forum “Asrar Al­Ghurabaa’“ – Offense & Exploitation

In late 2013, following on from the general panic surrounding the reliability of previously trusted technologies – as a direct result of the revelations made by snowden‍ and greenwald‍ – ISIS‍ “declared” that they had launched a new encryption‍ service called Asrar Al­ Ghurabaa’.

It was described as being the first website for secure communications. A forum used by jihadists calledShabakat Al Iraq Wal Sham announced the launch. The announcement declared that the new resourcefor jihadis would be a rival to Asrar AlMujahideen (Mujahedeensecrets which was launched circa 2007).

The new service was an NSA‍ front and was to be found at asrar006.com. It allowed the input of text which was then encrypted‍ or decrypted‍ , as required. Simply put, rather like the google translate service it applied the required encryption keys to inputted text strings resulting in a “translation”.

It did not allow for message transmission but was more “accurate, secure, and user friendly than Asrar Al­Mujahideen” according to the statement. The service required no software downloads or installations and therefore removed several points of potential risk associated with the Asrar Al­Mujahideen alternative. No code could be injected, files infected and so on.

Within a couple of days the Global Islamic Media Front (GIMF‍ ) denounced the new encryption platform in a statement “Warning About the Use of the Program ‘Asrār al-Ghurabā” stating:

“We warn all the brothers using the new encryption program called “Asrar al-Ghurabaa” – the program is suspicious and its source is not trusted. Likewise, we confirm that there wasn’t any relationship between the program “Asrar al-Ghurabaa” and the Front’s encryption program “Asrar al-Mujahdeen”, and therefore, we advise and warn the brothers not to use the program “Asrar al-Ghurabaa” entirely!

We also warn of using any encryption program which hasn’t been published through the Global Islamic Media Front or Al-Fajr Center for Media. And lastly, we remind that the sole source to download all of the technical programs for the Media Front: Mobile Encryption Program Asrar al-Dardashah Plugin Asrar al-Mujahideen Program”

END