Disk Encryption: Bin Laden Didn’t Use It. Did He Need To?.

You’ve probably heard by now that US authorities released a number of Osama Bin Laden’s documents that were captured last year during the Abbottabad compound raid.  One of the surprising revelations?  Osama Bin Laden didn’t use proper security when it came to his electronic files.  For example, USB sticks, memory cards, and other storage devices were not protected with disk encryption software like AlertBoot (not that AlertBoot would sell services to terrorist leaders and their henchmen.  But, the same encryption found in AlertBoot — AES-256 — is available in free encryption software, so terrorists do use it).

There are two camps of thought when it comes to this revelation: those who think that Bin Laden was being cavalier with his files and those who think that there was no point to encrypting files.

He Doesn’t Need To: What’s the Point?

I first ran across the Osama story on slashdot.org.  The reactions about the state of security were mixed, but there were plenty of commentators who pointed out that Osama was being pretty logical in not using encryption.

  • He only communicated via courier — and we’re not talking about FedEx — so the threat of an unknown interception — or any type of interception — was low.

  • The released documents are, for the most part, not something that would require encryption.  I mean, Osama calls for death to America?  That’s not an encryption-worthy secret.

  • If Osama was ever captured, they’d probably get the password to access the files from him: xkcd.com.

  • Even if Osama is not captured, the US would put its considerable intelligence resources on cracking encryption.

  • Etc.

Well, that sounds pretty reasonable.  I mean, the only reason why anyone would use encryption software to safeguard data would be because the revelation of said data to undesirable people would be “bad”: it would put people in danger (bin Laden and his cronies are already in danger); it would have legal repercussions (bin Laden already in legal trouble); it would alert others about their plans (we already know those plans: kill people.  Plus, we also know independent cells operate quite autonomously)… in other words, there’s very little to protect there.

Painting a Mosaic

I’d argue, however, that the viewpoints above are pretty shortsighted.  It’s the same type of argument you’d find in justifying not encrypting a massive database of email addresses, for example.  Since email addresses are not really personal data (think about it: you can have multiple ones, and conceivably someone else can sign up with your old email handle if you opt to kill an account), they don’t have to be protected under most (all?) US state and federal laws.

But, as we know, those email address can be used as a lever to real criminal activity.  Likewise, any details, however mundane they may be, could be the lever to crack down on significant aspects of a criminal organization.  Even if you can’t paint a detailed picture, a mosaic is more than enough in many cases.

But, hey, I’m not losing any sleep over this latest “non-encryption snafu.”

Incidentally, The Daily Show with Jon Stewart has an interview Peter Bergen on the Abbottabad raid where Bergen sheds a little light on how the CIA found Osama…and proves that even the smallest detail can be of high value.

Related Articles and Sites:

Comments (0)

Let us know what you think