I recently read a story in the Associated Press about how Osama bin Laden was able to stay off the digital radar for so long. If he was the leader of a terrorist organization, he had to stay in contact with his underlings. But if he was staying in contact with his underlings, surely there would be some digital trace of it and the NSA would have found it by now (I assume that the NSA reads everyone’s email)?
Because the trail to bin Laden had gone cold, many intelligence officials assumed that he was no longer in charge of the organization or was at the very most marginalized as a figurehead only. Conflicting data has come out from the United States, but after the raid at the beginning of the month where US Navy Seals recovered many digital thumb drives, it appears that bin Laden retained far more control that many people thought (well, more than me, anyhow).
That begs the question – how did this guy stay off the radar for so long? It turns out that he did communicate with other people but he did it using proxies. According to the Associated Press, bin Laden had a few trusted associated and a laptop computer at home. He would type out the messages, put them on a USB drive and then the associate would go out to an Internet cafe. He would log in to a free web account, copy the message over, and any new messages he would copy onto the same USB drive. He would leave the cafe, bring them back to bin Laden where he would read them offline. The various parties in the communications would frequently change email addresses to avoid having them for too long which could potentially reveal their location.
This is a tedious process and very inconvenient, but if you want to be (almost) totally secure, it’s what you have to do. It means you have to have a very small trusted inner circle.
But who can live like that?
The whole reason we have the Internet is to make our lives more convenient. The majority of the population wants to be connected instantly. But we all know that there are risks associated with being online – malware, spam, hacking, and so forth.
Many in the security industry give the advice that if you want to be secure, either severely limit your online access or get rid of all of your Microsoft software and switch to Macs, or some other variant. But who wants to live like that? I want to be connected to the Internet, but I also want to be secure. I’m not greedy or immoral for wanting that because nearly the entire world has embraced the same thing. But why should I have to give up my Microsoft software? I have a lot of stuff that runs on Windows that doesn’t run on the Mac or Linux (for example, my Telechart stock analysis software; my Windows Live Writer blogging software also works well for me). Why does the security industry tell me to do things that is unrealistic (don’t connect to the Internet) or very inconvenient to me (don’t use Windows)? Don’t they realize that users do things for their own convenience, not the security industry’s convenience?
We need to give realistic advice and make our software more secure, and easy to upgrade. Nobody wants to live in a cave where they read everything offline because they’re too scared to go outside. And nobody wants to get rid of all of their existing software when it has worked well for them in the past.
Let’s stop giving people advice they won’t use.