Slashdot Mirror


Bin Laden's Sneakernet Email System

Hugh Pickens writes "Osama bin Laden was a prolific writer who put together a painstaking email system that thwarted the US government's best eavesdroppers despite having no Internet access in his hideout. Holed up in his walled compound in northeast Pakistan with no phone or Internet capabilities, bin Laden would type a message on his computer, save it using a thumb-sized flash drive that he passed to a trusted courier, who would head for a distant Internet cafe. At that location, the courier would plug the drive into a computer, copy bin Laden's message into an email and send it. Intelligence officials are wading through thousands of the email exchanges after around 100 flash drives were seized from the compound by US Navy SEALs."

32 of 240 comments

  1. Why didn't he just use by Shanrak · Score: 5, Funny

    RFC 1149?

    --
    This post may or may not contain cancer causing materials.
  2. Painstaking? by j00r0m4nc3r · Score: 3, Insightful

    How is that painstaking? That's like calling writing a telegram painstaking.

    1. Re:Painstaking? by gstoddart · Score: 3, Interesting

      How is that painstaking? That's like calling writing a telegram painstaking.

      Or, no more complicated than the tradecraft of cold-war era spies.

      This sounds like nothing more than well-established stuff that likely goes back to WWII if not before, and that you can read about in any Tom Clancy novel.

      Who knew ... the easiest way to avoid getting detected by a massive, international signals intelligence network, is to not use methods that give them anything to listen to.

      I'm completely shocked ... next thing they'll tell us about one-time-pads.

      --
      Lost at C:>. Found at C.
  3. Re:The Onion Router by badran · Score: 2

    A tor node in Pakistan would not be suspicious at all.

  4. Didn't prevent anything by mr1911 · Score: 2

    Merely delayed it. A bullet in the head is a bullet in the head.

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
    1. Re:Didn't prevent anything by Skuto · Score: 5, Insightful

      They found him through a courier. So actually, email did get him killed, sortof.

    2. Re:Didn't prevent anything by Anne_Nonymous · Score: 2

      Network lag killed him?

  5. UUCP by Dynamoo · Score: 2

    Kind of like mail over UUCP then. (Yes, I am showing my age)

    --
    Never email donotemail@WeAreSpammers.com
  6. RTFA by Anonymous Coward · Score: 3, Funny

    They called it painstaking because the courier was forced to use hotmail to forward the emails.

  7. More info from New Scientist by wjousts · Score: 5, Interesting

    I was about to submit this from New Scientist:

    If this newly discovered messaging method is a surprise to western intelligence, however, it means they may not have been monitoring the recipients of his USB-facilitated missives - possibly because Al-Qaida is thought to be using short-lived email addresses after an earlier trick of theirs was rumbled.

    That trick? Before 9/11 some of the attackers evaded email surveillance by not sending email. Instead they used webmail services but saved messages as drafts - and then shared their logins with their co-conspirators.

    1. Re:More info from New Scientist by mcmonkey · Score: 5, Interesting

      That trick? Before 9/11 some of the attackers evaded email surveillance by not sending email. Instead they used webmail services but saved messages as drafts - and then shared their logins with their co-conspirators.

      That's pretty clever.

      I've often wondered if some gibberish spam contains covert messages of nefarious intent. If you're a known bad guy and want to send email without identifying your cohorts to anyone watching, why not send the same message to thousands (or millions) of addresses? (Assuming your message is adequately coded/encrypted. You don't want to broadcast your plans in plain text.)

      Even if the good guys know one of the recipients is a bad guy, they don't know which recipient, and burn a lot of resources eliminating the red herring.

      Yes, I know supposedly those gibberish emails are for poisoning spam filters. At least, that's what they want you to believe.

      I've thought the same about those spams that were sections of text from famous literature. Again, supposedly targeted to spam filters. Could be a signal for a terrorist in a sleeper cell to go to the local library, go to a certain book, open to a certain page, where the secret plans have been hidden.

      Yes, I am convinced all spammers are terrorists.

    2. Re:More info from New Scientist by phantomlord · Score: 2

      I'm not sure how "surprising" or novel that is... when I was on Prodigy back around 1991, a bunch of us belonging to an AD&D "group" did something quite similar to avoid the per-message fees for sending to other people. We'd all share a sub-account and deliberately bounce messages so others could log on and read them. If Prodigy closed a sub-account after noticing irregularities (high number of bounces, multiple people trying to log onto the account at the same time, etc.), we'd all move to a different sub-account.

      --
      Don't leave your mind so open that your brain falls out. Don't close it so much that you cut off the blood.
  8. All this... by steevven1 · Score: 2

    Yet he never discovered that flash drives are rewritable...

    1. Re:All this... by datapharmer · Score: 2

      More likely he didn't trust using them again after they were plugged into an internet cafe computer. Virus anyone?

      --
      Get a web developer
    2. Re:All this... by UnknowingFool · Score: 2

      I thought it was interesting that he didn't destroy those drives after using them.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. This explains it then.. by Anonymous Coward · Score: 4, Funny

    Totally explains why he took forever to accept FB friend requests.

  10. Re:The Onion Router by x6060 · Score: 5, Insightful

    Tor does have a few potential vulnerabilities and it would not surprise me in the least if the NSA did have a way of tracking it. The way Osama decided to do it shifted the vulnerability from an electronic one to a personal loyalty one. With his age, experience and knowledge I'm sure he was able to better control and protect the latter rather than the former. It's also very similar to his previous methods. Low tech - High concept.

  11. Re:The Onion Router by darjen · Score: 5, Insightful

    Because everyone knows the FBI/CIA/NSA operate "anonymous" Tor nodes.

  12. Re:The Onion Router by x6060 · Score: 5, Insightful

    I also feel the need to point out that this was probably not so much an attempt to thwart eavesdropping, but to mask his location.

  13. Not the first, won't be the last by amw · Score: 4, Interesting

    Although people seem amazed about this, it's not the first time that this has happened.

    Back in '98, I worked on a network where it was against Government regulations to connect it in any way to the Internet, and an 'air gap' was required between the two. I was one of a very small team that wrote a system (using Zip disks for storage) that pulled data from a mail server on our secure network and pushed it to a mail server on the Internet, and vice versa. It had very high latency - people were assigned to do the mail drop only twice a day - but it worked well.

    1. Re:Not the first, won't be the last by pz · Score: 5, Interesting

      Although people seem amazed about this, it's not the first time that this has happened.

      Back in '98, I worked on a network where it was against Government regulations to connect it in any way to the Internet, and an 'air gap' was required between the two. I was one of a very small team that wrote a system (using Zip disks for storage) that pulled data from a mail server on our secure network and pushed it to a mail server on the Internet, and vice versa. It had very high latency - people were assigned to do the mail drop only twice a day - but it worked well.

      My understanding is that in Victorian England, the Royal Mail made hourly deliveries daily to The City (the central-most part of London), and it was entirely possible to carry on a conversation through the day via post, rather like we do today via email. The point here is that nominally the latency in a conversation is not always dominated by the delivery method, but rather the delays associated with being away from one's desk for meetings, coffee, lunch, events, seminars, errands, flirting with the cute receptionist downstairs, etc., performing work unrelated to reading email, in addition to the time it takes to compose replies to received messages. How often do you manage to get 3 or more back-and-forth cycles on an email thread with someone in one day? Yes, it happens, but probably not that often for most correspondence. It was readily possible in London over 100 years ago!

      --
      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
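    The Zip-disk relay amw describes above (and pz quotes) is an air-gap mail transfer: one side pulls queued mail from the secure network's mail server onto removable media, the other side pushes it to the Internet-facing server, and vice versa. The following is an added example, not amw's 1998 system and not code from the thread; it shows the two halves of such a relay with the checks a practitioner would want on the receiving side: a manifest of per-file SHA-256 hashes, a batch sequence number to detect replayed or skipped batches, rejection of files not listed in the manifest, and a header allow-list before a message is accepted. A temporary directory stands in for the removable disk, the messages are constructed samples, and the function and header names are this example's own.

```python
"""Sneakernet mail relay: batch messages onto removable media with an
integrity manifest, and import them on the far side only after checks.
Hypothetical example; the drop directory stands in for a Zip disk."""
import hashlib
import json
import tempfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as EMAIL_POLICY
from pathlib import Path

MANIFEST = "manifest.json"
# Headers the importing side will accept; anything else is rejected.
ALLOWED_HEADERS = {"from", "to", "subject", "date", "message-id", "content-type",
                   "content-transfer-encoding", "mime-version"}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def export_batch(messages, drop_dir, seq):
    """Secure side: write each message as NNNN.eml plus a manifest of hashes
    and the batch sequence number. Returns the manifest as a dict."""
    drop = Path(drop_dir)
    drop.mkdir(parents=True, exist_ok=True)
    entries = {}
    for i, msg in enumerate(messages):
        raw = msg.as_bytes()
        name = f"{i:04d}.eml"
        (drop / name).write_bytes(raw)
        entries[name] = _sha256(raw)
    manifest = {"seq": seq, "files": entries}
    (drop / MANIFEST).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def import_batch(drop_dir, expected_seq):
    """Internet side: accept the batch only if the sequence number is the one
    expected, every file on the disk is listed, every hash matches and every
    message carries only allow-listed headers. Raises ValueError otherwise."""
    drop = Path(drop_dir)
    manifest = json.loads((drop / MANIFEST).read_text())
    if manifest["seq"] != expected_seq:
        raise ValueError(f"batch {manifest['seq']} != expected {expected_seq} "
                         "(replayed or missing batch)")
    listed = set(manifest["files"])
    present = {p.name for p in drop.iterdir() if p.name != MANIFEST}
    if present != listed:
        raise ValueError(f"manifest/file mismatch: extra={present - listed} "
                         f"missing={listed - present}")
    accepted = []
    for name in sorted(listed):
        raw = (drop / name).read_bytes()
        if _sha256(raw) != manifest["files"][name]:
            raise ValueError(f"{name}: hash mismatch, file altered in transit")
        msg = message_from_bytes(raw, policy=EMAIL_POLICY)
        unexpected = {h.lower() for h in msg.keys()} - ALLOWED_HEADERS
        if unexpected:
            raise ValueError(f"{name}: unexpected headers {sorted(unexpected)}")
        accepted.append(msg)
    return accepted


def make_message(sender, recipient, subject, body):
    """Build a plain-text message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def demo_round_trip():
    """Export two constructed messages and import them: returns (subject, body) pairs."""
    with tempfile.TemporaryDirectory() as vol:
        batch = [make_message("alice@secure.example", "bob@example.net", "Report 1", "Body one"),
                 make_message("alice@secure.example", "carol@example.net", "Report 2", "Body two")]
        export_batch(batch, vol, seq=7)
        got = import_batch(vol, expected_seq=7)
        return [(str(m["Subject"]), m.get_content().strip()) for m in got]


def demo_tamper_detected():
    """A message edited on the disk after export must be rejected."""
    with tempfile.TemporaryDirectory() as vol:
        export_batch([make_message("a@secure.example", "b@example.net", "Status", "all quiet")],
                     vol, seq=1)
        path = Path(vol) / "0000.eml"
        path.write_bytes(path.read_bytes().replace(b"all quiet", b"all noisy"))
        try:
            import_batch(vol, expected_seq=1)
        except ValueError:
            return True
        return False


def demo_replay_rejected():
    """Re-presenting an old batch number must be rejected."""
    with tempfile.TemporaryDirectory() as vol:
        export_batch([make_message("a@secure.example", "b@example.net", "Old", "stale")], vol, seq=3)
        try:
            import_batch(vol, expected_seq=4)
        except ValueError:
            return True
        return False
```

    The receiving side passes `expected_seq` as the last accepted batch number plus one, so a disk that is lost, re-used or presented twice shows up as a gap or a repeat. The hashes only catch alteration by someone who cannot also rewrite the manifest; a signature over the manifest, with the key kept on the exporting side, is the natural next step, and the same checks apply in the reverse direction.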
  14. Re:Sneakernet? by x6060 · Score: 5, Informative

    The term sneakernet harkens back to the early days of computing where the only way to get information was to put it on a disk and walk it over to another computer and load it there. Thus a network using your sneakers (your shoes) as the transportation method. So this would be partially true for this instance.

    http://en.wikipedia.org/wiki/Sneakernet

  15. Such an intricate plan... by pushing-robot · Score: 5, Funny

    "Hey, are you headed to the Internet cafe? Could you send this for me? I'd love to go myself, but you know, the $25000000 bounty..."

    "You ALWAYS use that excuse! 'I'd love to go to the grocery store, but my bounty...I'd love to go to the laundromat, but my bounty...'"

    "Oh, and could you print out the latest Digg articles?"

    "...fuck it, I'm calling the Americans."

    --
    How can I believe you when you tell me what I don't want to hear?
  16. Re:The Onion Router by conspirator57 · Score: 5, Interesting

    10,000 Tor nodes with hundreds going up and down every day in different locations would be as difficult to track through as physically going door-to-door searching the entire populace. That's part of why Tor was built: to enable communication of persecuted minorities. When we built Tor we were thinking post-Tiananmen democracy advocates in China. Our noble intentions in building Tor don't keep the technology from being useful to other persecuted minorities that we don't like.

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  17. Re:The Onion Router by LWATCDR · Score: 2

    Well, Tor has been shown to be vulnerable from time to time http://www.google.com/search?aq=1&oq=Tor+vu&sourceid=chrome&ie=UTF-8&q=tor+vulnerabilities and the US has a lot of resources to throw at the problem. I wouldn't bet on that being as good of a solution.
    Frankly, the lack of wifi, cell, internet, and phone in a big expensive home in a well-to-do town in Pakistan was probably a bit of a red flag. I mean, really, it is like going to a rave in a three-piece suit, sunglasses and sporting a buzz cut.
    If they were smart they would have had a few cell phones that they used to call women on and chat about going out, and an internet connection where they went and played Farmville.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  18. This isn't *that* great by brit74 · Score: 2

    > "thwarted the US government's best eavesdroppers despite having no Internet access in his hideout."

    So, here's my question: by having an intermediary go to the internet cafe, Bin Laden could avoid being seen. However, how does this avoid eavesdropping? It seems to me that if they ever find one of Bin Laden's emails (by sniffing packets or by capturing one of his email targets and tracing back his email to the original IP address), then you could get back to the original internet cafe. Depending on the number of internet cafes in the area, you could start monitoring traffic and figure out which guy was sending them. Then, you could follow the guy to see where he went, which would lead you to Bin Laden. Also, if you infect the computers in the local internet cafes with a keylogger, you could get into Bin Laden's email accounts. By using the intermediary, Bin Laden only added a step or two to the whole procedure and avoided being seen in an internet cafe himself. It wasn't some sort of foolproof method for sending emails.

  19. I don't believe a single word of this by joh · Score: 2

    Why? Let's check possible scenarios:

    1) They have indeed found loads of data, disks, CDs and DVDs, hundreds of thumb drives and so on. They can now do one of two things:
    a) Go through that data and come up with press releases every few days to keep the media interested in this. The news will spread everywhere. Every terrorist who even suspects his name, e-mail address or similar among this data will now immediately try to cover his tracks, abandon accounts, change his location and generally get away. Rather silly to warn them, isn't it?
    b) Keep silent, don't tell anyone about what they've found and try to track down whoever they can find with this silently. That would be clever.

    2) They haven't found anything to speak of. Now they can again do one of two things:
    a) Tell the media and anyone interested they haven't found anything. Terrorists may believe this or not, but they won't be in any hurry to get away. Silly.
    b) Despite finding nothing, come up with a media campaign telling all the world they have found a "mother lode" of data and make sure to refresh this lie again and again with made-up stories. The terrorists will now change names, delete accounts, change location, cut communication channels, build new ones, etc. This not only disrupts their organizations, it may also create a certain buzz which makes it easier to catch them. Again, clever idea.

    So, what do you think: Have they found a "mother lode of data" or not? I don't think so. Because if they did, they wouldn't tell all the world about that. They would silently analyze that data and act on it. What we're seeing here is a carefully orchestrated campaign as a second choice because they didn't find anything useful.

  20. Re:It's strange to use an internet cafe by LunaticTippy · Score: 2

    The population of Pakistan, Afghanistan, and Yemen totals about the same as the USA. There are literally hundreds of thousands of internet cafes. I'm sure the CIA is trying, and they did find Osama, but it is a huge, difficult task.

    --
    Man, you really need that seminar!
  21. Re:The Onion Router by Scooter's_dad · Score: 2

    I've got loads of whimsy. It's moxie I lack.

    --
    The road to hell is paved with Cat 5 cable.
  22. Re:The Onion Router by Shotgun · Score: 2

    What makes you think he, or anyone in his organization, had/have any idea, whatsoever, what Tor is? Why do you assume that your area of expertise is common knowledge throughout the world?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  23. Re:The Onion Router by conspirator57 · Score: 3, Insightful

    https://www.torproject.org/about/torusers.html.en#activists

    * Human rights activists use Tor to anonymously report abuses from danger zones. Internationally, labor rights workers use Tor and other forms of online and offline anonymity to organize workers in accordance with the Universal Declaration of Human Rights. Even though they are within the law, it does not mean they are safe. Tor provides the ability to avoid persecution while still raising a voice.
    * When groups such as the Friends Service Committee and environmental groups are increasingly falling under surveillance in the United States under laws meant to protect against terrorism, many peaceful agents of change rely on Tor for basic privacy during legitimate activities.
    * Human Rights Watch recommends Tor in their report, "Race to the Bottom: Corporate Complicity in Chinese Internet Censorship." The study co-author interviewed Roger Dingledine, Tor project leader, on Tor use. They cover Tor in the section on how to breach the "Great Firewall of China," and recommend that human rights workers throughout the globe use Tor for "secure browsing and communications."
    * Tor has consulted with and volunteered help to Amnesty International's recent corporate responsibility campaign. See also their full report on China Internet issues.
    * Global Voices recommends Tor, especially for anonymous blogging, throughout their web site.
    * In the US, the Supreme Court recently stripped legal protections from government whistleblowers. But whistleblowers working for governmental transparency or corporate accountability can use Tor to seek justice without personal repercussions.
    * A contact of ours who works with a public health nonprofit in Africa reports that his nonprofit must budget 10% to cover various sorts of corruption, mostly bribes and such. When that percentage rises steeply, not only can they not afford the money, but they can not afford to complain; this is the point at which open objection can become dangerous. So his nonprofit has been working to use Tor to safely whistleblow on government corruption in order to continue their work.
    * At a recent conference, a Tor staffer ran into a woman who came from a "company town" in the eastern United States. She was attempting to blog anonymously to rally local residents to urge reform in the company that dominated the town's economic and government affairs. She is fully cognizant that the kind of organizing she was doing could lead to harm or "fatal accidents."
    * In east Asia, some labor organizers use anonymity to reveal information regarding sweatshops that produce goods for western countries and to organize local labor.
    * Tor can help activists avoid government or corporate censorship that hinders organization. In one such case, a Canadian ISP blocked access to a union website used by their own employees to help organize a strike.

    It was funded by both NRL and EFF concurrently. I am not making things up, you are denying reality.

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  24. Re:All this OBL bullshit by brit74 · Score: 2

    To be fair, it's not clear from the picture that the dish was functional. Who knows what kind of condition the system was in. The house was likely inhabited before Bin Laden was there, and maybe they had used it previously.

    Also, the angle of the dish is very low. Satellite dishes point at satellites in geosynchronous orbit, meaning they are organized in a band around the equator. Since Pakistan isn't that far from the equator, it would look at satellites that were more or less overhead. (Yeah, some satellites might appear slightly over the horizon to the east and west.) I just think the fact that the dish is pointed at something like 10 degrees above the horizon might suggest that it's not actually functional.
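    The dish-elevation argument above rests on the geometry of geostationary satellites, which can be checked with the standard look-angle formula. This is an added worked example, not part of the thread: for a site at latitude φ and a satellite whose sub-point lies Δλ degrees of longitude away, the central angle γ satisfies cos γ = cos φ · cos Δλ, and the elevation above the horizon is atan2(cos γ − Re/Rs, sin γ), with Re the Earth's equatorial radius and Rs the geostationary orbit radius. The latitude of 34°N used in the demonstration is a constructed value for a site in northern Pakistan; the function names are this example's own.

```python
"""Look angle from a ground station to a geostationary satellite.
Added worked example; radii are the usual textbook values."""
import math

EARTH_RADIUS_KM = 6378.0   # equatorial radius
GEO_RADIUS_KM = 42164.0    # geostationary orbit radius, measured from Earth's centre
RATIO = EARTH_RADIUS_KM / GEO_RADIUS_KM


def elevation_deg(site_lat_deg, lon_offset_deg):
    """Elevation above the horizon, in degrees, for a site at site_lat_deg whose
    longitude differs from the satellite's sub-point by lon_offset_deg.
    A negative result means the satellite is below the horizon."""
    phi = math.radians(site_lat_deg)
    dlam = math.radians(lon_offset_deg)
    cos_gamma = math.cos(phi) * math.cos(dlam)            # central angle to the sub-satellite point
    sin_gamma = math.sqrt(max(0.0, 1.0 - cos_gamma ** 2))
    # atan2 handles the sub-satellite point directly overhead (sin_gamma == 0 -> 90 degrees)
    return math.degrees(math.atan2(cos_gamma - RATIO, sin_gamma))


def max_lon_offset_deg(site_lat_deg, min_elev_deg, tol=1e-6):
    """Largest longitude offset at which the satellite still sits at least
    min_elev_deg above the horizon, found by bisection (elevation falls
    monotonically as the offset grows). None if even the nearest satellite
    position is too low for this latitude."""
    lo, hi = 0.0, 180.0
    if elevation_deg(site_lat_deg, lo) < min_elev_deg:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if elevation_deg(site_lat_deg, mid) >= min_elev_deg:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed site: 34 degrees north, satellite on the same longitude.
    print(f"elevation at 34N, same longitude: {elevation_deg(34.0, 0.0):.1f} deg")
    print(f"offset giving a 10 deg look angle: {max_lon_offset_deg(34.0, 10.0):.1f} deg of longitude")
```

    For a site at 34°N a satellite on the same longitude sits about 50° up, and a look angle of roughly 10° corresponds to a satellite some 67° of longitude east or west of the site; the same functions give the figures for any other latitude.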