For the third time, the wily Mexican drug kingpin Joaquín Guzmán Loera has been apprehended by government authorities. The story bears all the hallmarks of any good cybersecurity thriller: evasion, deception, espionage, hamartia.
Investigators began tracking the infamous narcotics tycoon, also known as El Chapo (or “Shorty”), after his daring escape from a maximum-security federal prison last year. His accomplices had burrowed for a mile to a spot underneath his cell’s shower, allowing him to flee underground on a rail-guided motorcycle. The drug trafficker had made another legendary escape more than a decade prior, carted out of a holding facility while hiding inside a laundry basket. (Yes, a laundry basket.)
Following the latest improbable breakout, law enforcement agents appear to have monitored the cartel boss’ communications with Mexican actress and sympathizer Kate del Castillo. The Mexican news outlet Milenio this week published the contents of intercepted Blackberry Messenger chats between the two here. (Take a gander at a translated version on CNN.) Aside from the obviously piquant thrill that accompanies peeking into the private lives of the celebrity pair, one must wonder: How did this breach bring about El Chapo’s third and most recent downfall?
Del Castillo isn’t the only star implicated in the drug trafficker’s arrest either. After the actor-activist Sen Penn’s riveting, if fawning, Rolling Stone feature appeared last week, people speculated that his operational security procedures might be to blame for the cocaine chief’s re-capture. Cybersecurity experts questioned Penn’s protocols, calling some of his magazine descriptions “incomprehensible…gibberish,” as Kashmir Hill at Fusion reported. (Penn self-identified in his story’s first paragraph as “the single most technologically illiterate man left standing,” so there’s that.) In the end, Penn declared that his “article has failed”; but more importantly, did his attempts at operational security fail, too?
For those with the time, I recommend sifting through theories and analyses contained in the comments section of this post by the computer security blogger Bruce Schneier. In any case, it’s unlikely that all of the hunt’s details will fully surface. If the reports are to be believed, then Penn and del Castillo’s visit to the drug lord’s mountain hideout provided necessary intel to pinpoint the suspect’s location. That incident didn’t immediately lead to his arrest; however, a few months later, after an initially unsuccessful raid, Mexican marines finally nabbed him.
All this goes to show just how utterly important it is for people in precarious situations to practice excellence in operational security. (El Chapo’s case is exceptional, of course.) After all, Mexico’s most wanted man’s own son reportedly leaked his location earlier through a careless photo upload.
The best tactics are easier spoken than obeyed: Don’t reveal information. Compartmentalize. Avoid letting the details of your personal life bleed into your professional one. Opsec, as the pros call it, too often is a losing game. It only takes one slip-up—one tragic flaw—to give oneself up.
Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.
THREATS
New York proposes encryption ban. State Assemblyman Matthew Titone has introduced a bill that seeks to ban the sale of devices that use end-to-end encryption. If it passes, the legislation could smack companies like Apple and Google with thousand-dollar fines for selling their products there. (New York State Senate, ZDNet)
Meanwhile, France votes against "backdoors." Following the Netherlands lead, the French Parliament has shot down an amendment to a piece of proposed legislation that would have mandated "backdoors"—built-in vulnerabilities exploitable by law enforcement, as well as hackers and spies—in encrypted products. The government deliberated this tech policy in the wake of a horrific terror attack in its capital city. (Register)
Raytheon renames its cyber business. The defense giant has rebranded its cybersecurity division as "Forcepoint." The new unit consists of former Internet traffic-scrubbing firm Websense, acquired by the military contractor for $1.9 billion last year, as well the Stonesoft computer firewall suite, which it recently picked up from Intel. (Fortune)
Obama omits "cyber" in State address. For the first time since 2011, President Obama excluded the word "cyber" during his State of the Union address, though he did touch on a variety of Internet and technology related topics. The 2015 address featured the term prominently in the wake of a cyberattack on Sony Pictures Entertainment. (The Hill)
Another Bitcoin exchange implodes. Almost two years after Mt. Gox, formerly one of the world's most popular cryptocurrency trading services, declared bankruptcy, another one is poised to bite the dust. Florida-based Crypsty reported its insolvency in a blog post this week after claiming that it had been digitally ransacked to the tune of $5 million. (Coindesk)
GM invites white hat hackers. The automaker wants cybersecurity pros to pick apart its connected cars to find security flaws. The company has put in place a web portal in partnership with the bug disclosure startup Hackerone in order for hackers to report their findings. (Fortune)
Firewall firms find security flaws. Following Juniper Network's disclosure of a gaping "backdoor" in its Netscreen computer firewall products, researchers have discovered suspicious code in competitor Fortinet's software. The company claims its a "management authentication issue," and that it was not introduced maliciously. (Ars Technica)
Hot cybersecurity startup hire. The billion-dollar data center security startup has brought Nathaniel Gleicher, former cybersecurity policy director at the National Security Council, aboard to head its strategy. He has moved from the White House to Silicon Valley. (Fortune)
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
What everybody misunderstands about privacy pioneer David Chaum's controversial crypto plan.
David Chaum, a pioneer behind technologies that anonymize Internet users, unveiled a contentious plan recently. He outlined a proposed social media system—PrivaTegrity, he’s branded it—capable of supporting a host of features, including status update feeds, private chats, payments, pseudonymous interactions. But that’s not all. Chaum also claimed that his system may overcome a seemingly insurmountable impasse. The technology, he told Wired‘s Andy Greenberg, could “break…this standoff called the encryption wars.”
Cryptography and privacy enthusiasts reacted to Chaum’s statements with shock, disbelief, and—in some cases—outrage, for reasons detailed below.
Fortune spoke to Chaum amid the ensuing fracas in order to gather additional information about his proposal. He said he believes his plan was misconstrued. Asked whether he stands by his claim that PrivaTegrity may “break” or “end” the crypto wars, he responded: “I don’t want to retract it, but the sense that I meant it was misunderstood.” He continued: “Because to me, it’s more the privacy war—not the end-to-end encryption war.”
This is an attempt to better convey his purpose... Read the rest on Fortune.com.
TREATS
Meet the CryptoKids. NSA's coloring book. (Vice Motherboard)
In a jam—use this DARPA electro-war gadget. (Washington Post)
Paper, or plastic? Oh Canada. (Fortune)
Big Brother. Enters the workplace. (BBC News)
Sabermetrics? More like cybermetrics. (ESPN)
FORTUNE RECON
Exclusive: Roger Ailes Taking a Backseat Is 'Bullshit,' Rupert Murdoch Says by Andrew Nusca
No, Wearing a Pantsuit Does Not Mean You Dress Like a Lesbian by Valentina Zarya
Wikipedia Turns 15. Will it Manage to Make it to 30? Mathew Ingram
Did $1 iPhones Drag Down Best Buy? by Jen Wieczner
Why So Many Lottery Winners Go Broke by Ric Edelman
ONE MORE THING
Terrorists are using Twitter to spread propaganda, enlist recruits, and raise funds. Should the micro-blogging service be held responsible for the death of a man caught in the crossfire? (Fortune)
EXFIL
"There is this myth about the visit that we made, my colleagues and I with El Chapo, that it was—as the Attorney General of Mexico is quoted—'essential' to his capture. We had met with him many weeks earlier...on October 2nd, in a place nowhere near where he was captured."
Actor and activist Sean Penn dismissing an allegation that he somehow played a role in the capture of Mexican drug kingpin Joaquín Guzmán when he visited him during a reporting trip for Rolling Stone magazine. Penn broke his silence on the matter in an interview with CBS's Charlie Rose. When Penn's article first appeared, cybersecurity experts questioned his operational security procedures. (CBS News, Fusion)
