The Futile Fugitive

Gambler’s Ruin, but for Hide and Seek

thaddeus t. grugq
Jan 17, 2016 · 5 min read

The inevitable capture of el Chapo came sooner than some were expecting, but the outcome was never in doubt. On the wrong end of a nation wide manhunt of over 2500 personnel, including the assistance of the US intelligence community, el Chapo was living on borrowed time.

Several narratives are emerging around the capture, all of them wrong, including:

  • Too many tacos and it all goes wrong (usually true, and important)

These are all interesting, so lets examine them.

Travelers Flatulence and Tequila

The subtle brume of failure

Sean Penn’s ill advised “interview” with el Chapo seems to have been some sort of protection for Kate del Castillo when she went to meet Guzman. Reading the messages between them is like reading a chat between an important customer and a female employee feigning interest just long enough to close the deal. She agrees to go to his house, but insists on bringing a male friend.

For his part, Sean Penn is completely useless at practicing (or describing) effective COMSEC procedures.

labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy, balancing levels of encryption, mirroring through Blackphones, anonymous e-mail addresses, unsent messages accessed in draft form

It seems he is using daily burner phones, along with the hopelessly outdated “shared email drafts” folder trick you may recognise from such failures as: the Petraeus scandal, al Qaeda (2005!), and even Danish undercover operations.

All of this was a complete waste of time as the security forces were monitoring the communications of Guzman with his lawyers and the phone (a Blackberry) he bought for Kate del Castillo. What happens when people are under surveillance because they are on the way to meet with a drug kingpin in hiding? Their electronic footprint becomes less relevant.

I wasted hundreds on burner phones and all I got was a blurry surveillance shot

Sean Penn is indeed a complete and total operational security disaster. His writing is not… well, it is not an “owl among falcons.” He also farts after drinking tequila. If you are on the lam, don’t invite him to your hide out, even if a really hot girl insists.

Sean Penn was not the reason for Guzman’s capture. Kate del Castillo was under surveillance.

BlackBerry, Not Even Once

Almost as secure as Twitter Direct Messages, but with geolocation.

Since December 2015 it has been public knowledge that Western security forces are able to crack encrypted BlackBerry devices. It is known that Guzman used BlackBerry devices to communicate with his organisation. He had a complicated setup involving two BlackBerry Enterprise Servers (BES) and a pair of iPads.

If you needed to communicate with the boss, you could reach him via B.B.M., BlackBerry’s instant-messaging application…Your message would go not directly to Guzmán, however, but to a trusted lieutenant, who spent his days in Starbucks coffee shops and other locations with public wireless networks. Upon receiving the message, the lieutenant would transcribe it onto an iPad, so that he could forward the text using WiFi — avoiding the cellular networks that the cartel knew the authorities were trolling. The transcribed message would be sent not to Guzmán but to a second intermediary, who, also using a tablet and public WiFi, would transcribe the words onto his BlackBerry and relay them to Guzmán.

This setup broke the connection between people who were monitored by the authorities and the device that Guzman himself was using. The use of a human proxy to transcribe the messages was a clever innovation. It isn’t very useful against a nation state, however. For example, the Royal Canadian Mounted Police are able to crack PIN to PIN messages. BBM messages are not end to end encrypted, so a compromise of the BES would allows them to be intercepted.

It does not appear that Guzman was using the PGP BB devices that were recently cracked by the Canadians and the Dutch. That would have assured end to end encryption, although the protection against seizure appears to be flawed.

Guzman had other problems with his COMSEC setup. He gave a phone purchased from a retail store to an actress and communicated directly with her. How this was supposed to be secure is beyond me. Security is as strong as the weakest link, and generally speaking civilians are not associated with high security.

The BlackBerry based COMSEC setup used by el Chapo, and apparently everyone that happened to strike his fancy, was not very secure. It contributed to his capture by allowing security forces to intercept his communications and derive actionable intelligence about his location at specific times. However, this did not lead directly to his capture.

Technology is not the solution

Although much has been made about the poor security of BlackBerry, the bizarre abortive seduction of Kate del Castillo, and the oblivious security practices of Sean Penn, none of these is directly to blame for Guzman’s capture. As a man on the run from the combined might of his native nation and the US, he had no chance at all in the long run.

Technology did not make or break Guzman’s bid for freedom. He was doomed from the day he ducked down the tunnel in his cell in July 8, 2015.

Next post will look at exactly what led directly to the capture of el Chapo (spoiler alert: COMSEC plays almost no role).

Read Part Two: The Tunnel Rat King

thaddeus t. grugq

Written by

Information Security Researcher :: keybase.io/grugq :: https://www.patreon.com/grugq

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade