Dazed and confused by opsec

Was Sean Penn really responsible for El Chapo’s arrest?


On Friday, government officials announced that they’d captured notorious drug kingpin Joaquín “El Chapo” Guzmán, who has twice escaped prison. The following day, Rolling Stone published a bombshell report from Sean Penn, in which the actor revealed that he had met with Guzmán secretly in Mexico in October 2015 and interviewed him. Shortly after that article dropped, Mexican officials indicated that El Chapo’s interest in a Hollywood portrayal of his life led to his capture, with some media directly blaming Sean Penn for his arrest.

So did Sean Penn’s October interview lead to El Chapo’s arrest three months later? It wouldn’t be the first time that reporters outed the location of their fugitive interview; Vice infamously included location metadata in a photo it published of John McAfee on the run in 2012. Hell, Guzmán’s own son may have leaked his father’s location in a tweet the month before Penn met him.

Based on the information available now, it’s hard to know for sure that Penn’s responsible. It’s entirely possible that the Mexican government is pointing to the very public Rolling Stone article to protect another source. A DEA official told the LA Times, for example, that a neighbor’s tip about suspicious activity next door led to the raid this weekend.

Rolling Stone did not respond to a request asking them to elaborate on the security measures the magazine took, but editor Jann Wenner told the New York Times that they “were very conscientious on our end and on Sean’s end, keeping it quiet, using a separate protected part of our server for emails.” By “separate and protected,” he perhaps means encrypted.

Penn, meanwhile, briefly described the steps he took to protect his source at the very beginning of his article.

My head is swimming, labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy, balancing levels of encryption, mirroring through Blackphones, anonymous e-mail addresses, unsent messages accessed in draft form. It’s a clandestine horror show for the single most technologically illiterate man left standing. At 55 years old, I’ve never learned to use a laptop.

Security experts say there aren’t enough public details to fully analyze Penn’s operational security (opsec). But they described the paragraph above as “incomprehensible” and “gibberish.” Let’s try to break it down:

Labeling TracPhones

Penn describes using “TracPhones,” by which he likely means TracFones, which are cheap phones that take calling cards so they’re not linked to a credit card or account. (The company is owned by Mexican billionaire Carlos Slim.) They’re often called burners, but you don’t actually throw one in the trash after a call; instead you might swap out the SIM card or use different calling cards for different people.

Hollywood loves these! Katie Holmes reportedly used one to plan her divorce from Tom Cruise. They’re a reasonable security measure, but they still create phone records that live with, and can be requested from, cell phone carriers.

Mirroring through Blackphones

A Blackphone, on the other hand, is a relatively expensive phone sold by Silent Circle that comes with secure apps installed. It runs Internet through a VPN (to shield the user’s IP address and encrypt their Web traffic) and end-to-end encrypts calls and messages sent to other Blackphones or through Silent Circle’s app. Unlike with the TracFone, Penn would have a credit card tied to the account on this phone.

It’s unclear what Penn means when he says he “mirrored” through the phone; the phrase “mirrored” typically means to duplicate something. As he wrote it, it sounds like he duplicated messages on the secure Blackphone that were being sent some other, potentially less secure, way, which would be dumb, if true.

“I’m not sure what he means,” said Silent Circle CEO Mike Janke via email. “It’s a strange term and most likely he doesn’t know what he is saying.”

Anonymous email addresses

Penn says he used “anonymous” email addresses and that he and his companions accessed messages left as drafts in a shared email account. That likely means the emails were stored unencrypted, a bad security practice. If he were sharing the account with a person using an IP address that was the target of an investigation, i.e. any IP address associated with El Chapo’s crew, then all messages shared this way would likely be monitored by law enforcement.

For the record, that did not work out very well for former CIA director David Petraeus, who used draft messages to communicate with his mistress and got busted when her IP address was targeted in an online harassment investigation.

BBMs

Elsewhere in the article, Penn says Guzmán corresponded with Mexican actress Kate del Castillo via BBMs (Blackberry messages). Those only have unique end-to-end encryption if a user has opted for BBM Protected. Law enforcement has been able to intercept BBMs in the past.

Moreover, Mexican officials have told the media that they were monitoring del Castillo for months, following a meeting she had last summer with El Chapo’s lawyers, before she had reached out to Penn. Law enforcement even reportedly got photos of her and Penn’s arrival at the airport in Mexico, so it’s possible her BBMs were being monitored as well. I’m looking forward to what we find out when court documents about this investigation make it into public light (if ever).

Going phone-less

In the most impressive operational, if not personal, security on display, Sean Penn says that when he traveled to Mexico, he left all of his electronics in Los Angeles, knowing that El Chapo’s crew would force him to leave them behind. If you’re not carrying a phone, it can’t be used to monitor and track you.

📞📞📞

“Penn, to his credit, clearly understood that he didn’t understand this, and was following some kind of instructions,” said encryption expert Matt Blaze of the University of Pennsylvania, via Twitter. “[But] it sounds like he was following instructions he didn’t quite understand, which is a bad start.”

Operational security isn’t easy but it can be made simpler than this. For one, don’t use smartphones at all, which come with all kinds of potential information leakage—the camera, the microphone, and your GPS location to name a few.

ACLU technologist Chris Soghoian offered a simpler approach to opsec. He tweeted:

  • “Use Signal,” which is a free app for unique end-to-end encrypted calls and texts. Only users hold the keys to decrypt the content, so Open Whisper Systems, which designed the app, can only hand over metadata about who was contacting who.
  • “On an iPod Touch.” Because it’s not on a cellular network, it gives up less data.
  • “Connect via Tor.” This disguises your IP address and is a more private way to access websites, though still not perfect security.

Regardless of the measures taken, it’s going to be hard to communicate secretly with the high-profile target of two governments. The real security failure here was Guzmán’s: any contact with another human being was a risk for him, whether it was a famous Hollywood actor or his neighbor.