ISIS Fanboys, Good French, Bad Advice

Plagiarised from other sources, as usual.

French ISIS fanboys have put out another issue of their IT Security guide and it is full of content and advice copied from privacy manuals. It is a well-accepted practice to build a reputation within the ISIS fanboy community by creating these cobbled-together security guides. The hallmark of ISIS work is basically: slick PR covering mediocre content. This issue is true to form.

Good artists copy; great artists steal.

It seems the ISIS fanboy crowd has taken this to heart and believes that stealing alone will make them great artists. Maybe it works for graphic design, but it is a terrible idea for creating a clandestine operations manual from privacy guide books.

The Recommendations for Secure Mobile Devices

The guide has a detailed set of instructions for installing various software and enabling features that have been turned on by default on Android since 2015.

Enable FDE

A step-by-step guide on how to turn on Android full disk encryption (on by default since 2015).

Use Tor

There is a guide to install Orbot (the mobile version of Tor), and Orfox (the mobile version of Tor Browser Bundle, but dead.) There is also a mini guide on how to get Tor bridges (non-advertised entry points into the Tor network.) True to form, the author is confused about the terminology and what the software does, calling Orbot a VPN and saying that Orfox is Tor.

Use ZRTP

Next, the guide covers how to install CSipSimple and configure it to use the OSTEL network (probably because this is the only “easy configuration” option that works on CSipSimple.) Although OSTEL is free and encrypted (and therefore absolutely fine for people concerned about their privacy), it is not an ideal network for a jihadi. Privacy is not sufficient protection for a jihadi, even if they are just a fanboy.

Use OTR (via ChatSecure)

There’s a pretty detailed set of directions on how to find and install ChatSecure (officially deprecated), as well as a list of desktop software that also supports OTR (Adium, Pidgin.) These guys love their dead EOL software. They don’t mention which chat servers to use, which is a bit of a glaring oversight. Not all XMPP servers are created equal.

Use PGP

There’s a wonderful page on how to install OpenKeychain and use it to create a PGP key pair. The author seems to have neglected to mention that there are no decent email clients on Android that support PGP (via OpenKeychain). There’s an alpha of K-9 which is starting to get PGP/MIME support (from the 90’s) although it can’t even quote reply to a message. There is no reason to use PGP email on mobile except to support legacy devices (e.g. PCs.)

Not only do they fail to discuss which email clients to use, they didn’t suggest any email service providers. As anyone who has spent time creating free email accounts knows, there are very few that are usable without linking a phone number. Rather than getting excited about PGP, these guys should stick with smartphone apps that have their own encryption.

Use A Bunch Of Words

The IT security section is closed out with a long list of vocabulary words. Given the author’s confusion about their actual meaning and the capabilities of the apps they recommend, I wouldn’t put too much stock in this. However, even if they were accurate, I am not clear on what sort of operational value there is in knowing that PGP is a protocol (that you can’t easily use on a phone.)

Clandestine Operation and Privacy

Typical for an ISIS “IT security guide,” this one is a jumble of content from various privacy guides. Assembled by a crack team of graphic designers who have, apparently, no idea about how to operate securely online. More to the point, the ISIS fanboys continue to confuse “privacy” with “clandestine operation.” As long as the fanboys continue to confuse the two, they will remain vulnerable to security forces. Good.