How ISIS Recruits Jihadi Brides From Within The U.S.



The enemy is here and it is us.

I’m not sure if many people caught the news blip this week (our sources are: Fox News and Colorado Newsday) that clearly identified the primary recruiting communication method used by ISIS/ISIL terrorists. Having learned from the Navy Seal-induced demise of their Satanic idol, OSL, that cell phones (when used for speaking) and couriers are ultimately trackable, this new terror blight on the planet channels contact through an open source app – SureSpot.

Potential jihadi recruits and brides are being groomed online using a phone app run by privacy and drug legislation campaigners in Boulder, Colorado by environmentalist, Cherie Berdovich and alleged hacker, Adam Patacchia. SureSpot is designed so messages are totally encrypted and cannot be intercepted by authorities.

When messages are deleted by the IS member, they are also automatically erased from the phones used by the new recruitee so no trace of the incriminating conversation is left. (SureSpot was used by jihadi recruiters and the recent three ISIS-bound British teen-aged schoolgirls.)

We tried SureSpot here at BNI (Julia and Ed) and it works as well as, if not better than, advertised. We downloaded the app from Apple’s App Store and Google Play (to test ease of OS [operating system] cross-platform use) and easily employed untraceable communication in under a minute. Scarily fast and vapor-like. It was just as easy to permanently delete our messages (which were in print, voice and via graphics) as they are not collected and maintained on any server.

The app is available for free on internet stores run by Apple and Google and known jihadists direct teenagers to download the software using public profiles on Twitter.

Yet none of the technology giants appear to have acted to crack down on people using the app to speak to jihadists.

Let’s begin by breaking down how their encryption works: (We’re using SureSpot’s explanation.)

Traditional IM, SMS, etc. communications send messages in “plain text”. This means that the information is sent without anything done to protect the information from being read by anyone else. It is akin to sending a postcard.

Imagine you are on vacation in Italy, Florence to be precise, and you send a postcard to your sister in London. As the postcard travels anyone that touches it can read it. Typically you do not send information like a credit card number or your pin number or an intimate thought using the postcard format. Today this is what sending an email or a text message or an instant message or a picture is like. The message is the postcard which travels along many hops until it reaches its destination. At every one of these “hops” the message could potentially be read.

For example, you are reading an email at Starbucks. To read this email the information travels from the server (gmail) through their (Google’s) ISP, to Starbucks’ ISP, to the Starbucks location you are at. At any one of these points the email can be read. To illustrate this we can run the traceroute command which shows the hops your data is taking to reach its destination.

For example, the traceroute from my house to mail.google.com looks like this:

    [adam@monkey ~]$ traceroute mail.google.com
    traceroute to mail.google.com (74.125.225.213), 30 hops max, 60 byte packets
     1 DD-WRT.mugello (192.168.10.1) 0.506 ms 0.598 ms 0.794 ms
     2 24.9.100.1 (24.9.100.1) 16.723 ms 17.837 ms 32.677 ms
     3 ge-1-39-sr01.summit.co.denver.comcast.net (68.85.220.81) 17.710 ms 17.711 ms 17.828 ms
     4 te-0-3-0-5-ar02.denver.co.denver.comcast.net (68.86.179.13) 21.140 ms 22.087 ms 22.145 ms
     5 pos-0-7-0-0-ar02.aurora.co.denver.comcast.net (68.86.128.246) 25.333 ms 25.334 ms 25.448 ms
     6 he-3-4-0-0-cr01.denver.co.ibone.comcast.net (68.86.90.149) 24.116 ms 20.657 ms 20.689 ms
     7 * * *
     8 173.167.57.206 (173.167.57.206) 17.512 ms 18.328 ms 18.402 ms
     9 72.14.234.57 (72.14.234.57) 16.190 ms 16.218 ms 16.160 ms
    10 209.85.251.111 (209.85.251.111) 16.674 ms 20.817 ms 21.715 ms
    11 den03s06-in-f21.1e100.net (74.125.225.213) 17.238 ms 18.200 ms 18.152 ms

We can see that to get to Google’s server at mail.google.com, the data is being routed through at least 11 hops, any one of which could have a chance to intercept the information. Now if you controlled the routing and could make the data on your network always pass through a certain one of these hops, you could monitor all of the “plain text” data being sent on your network. Not exactly “secure”.

enter surespot…

Surespot solves these problems by using end to end encryption so that only the end users can decipher it. No one along the network route the message takes from one client to another, not any of the hops, not even the surespot server, can view the contents of the data. (Only Julia and Ed can see their messages.) 

how does this work?

Encryption is an electronic lock and key system. You take a plain text message and encrypt it using a key (secret). You can then decrypt the message using the same key. Pretty simple. You encrypt data at one end using the key, send it over all the network’s hops and servers, and at the other end it can be read because the key is known. None of the hops and servers in-between can read it because they don’t know the key.

So Julia encrypts a message for Ed with a key, then Ed decrypts it using the same key. Simple right, except for the fact that Ed needs to know the key! Somehow we need to get the key to Ed but how can we send it over the network? We can’t encrypt it because we need a key to encrypt so we have a catch 22. Or a chicken and egg situation. The answer is we don’t send the key over the network.

public key encryption

When a user is created in surespot an associated key pair is generated. A key pair consists of a public key and a private key. These keys allow us to do magical things. So now Julia has a key pair and Ed has a key pair. The private key is stored on the device; the surespot server does not need and never will have access to it. The public key is given to the user that you wish to exchange messages with. So surespot ensures that Julia gives Ed her public key and vice versa.

Now the brilliance of shared key derivation can shine. The key pair algorithm that surespot is using allows the following mathematics to happen: Julia can now take Ed’s public key and with her private key can derive a secret. Ed takes Julia’s public key and with his private key derives the same secret! Re-read that part a few times. This shared secret is unique to Julia and Ed, only they know, and assuming their private keys remain private, only they will ever know. This shared secret has never been and never will be exposed to the surespot server or any other hops along the network route that the message takes. This shared secret can now be used to exchange information securely. This is the crux of what makes surespot work.

 

In that SureSpot does not maintain information on a server anywhere, there are no records.

So, why haven’t our federal intelligence and law enforcement agencies shut down SureSpot?? Surespot’s owners insist that they are protecting an ‘essential liberty’ and have no responsibility to block IS. Is this app not directly providing material aid to the enemy? While I am a strong supporter of capitalism, today, technological advances need to also be balanced with security needs. Someone is dropping the ball in a very dangerous way by not addressing this perverted use of an otherwise great communication technology.

BNI Operatives: Street smart; info savvy.

As always, stay safe.

Tactical Trainer, Christian Swann, on NSA-resistant Communication Encryption.

(This week, we bring you an informative article on protecting sensitive client data from our friend and one-woman whirlwind of accomplishments, Christian Swann (featured below): Christian is a writer, mom, edged and blunt tool instructor for law enforcement and the military, and a risk mitigation security and vulnerability assessment specialist.)

Be vigilant about protecting sensitive client data with these tools.

I wrote an article not long ago about protecting our personal and sensitive important information. As some of you are well aware, once your data is out there, it’s out there. From the first click of the “check out now” button, you are being traced, watched and analyzed. From how much you spend, where you shop, to your favorite products to your prime shopping time – you’re being tracked. But that’s just one aspect of this passive monitoring. Big Brother (e.g., and in fact, as we now all know, the NSA) has the capability and may be not only watching but also listening, recording and even transcribing your confidential client conversations.

What about when it’s not only your information that is being tracked, but your clients’ confidential information is at risk of also being recorded? As a risk and security director of a multi-million dollar company, it is one of the toughest questions and concerns I have. I’m in constant contact with high-profile clients and sensitive data.

The good news for lawyers, corporations and medical professionals concerned about maintaining their duty of confidentiality is that there are tools and safeguards now to help them.

Legal and risk management specialists, such as myself, need to be very aware of the possibility (or now, probability) of their communications being intercepted by empowered governmental agencies. Given the ever-changing, nebulous status of agency data collection laws, legal professionals have to deal with the ambiguity of this usage of collected data – while contending with the secretive nature of intelligence agency operations, as well as the U.S. Foreign Intelligence Surveillance Court that oversees surveillance warrants.

Lawyers – and anyone for that matter – should assume all of their conversations are subject to covert surveillance and should take steps to protect confidential information.

I can’t stress enough that all pertinent emails, electronic messages and communications should be encrypted. There is no shortage of available encryption hardware and software, and I highly recommend using an encryption service such as ZixCorp or the open-sourced TrueCrypt. (Warning: this is an open source method and may not be as stable as desired.) Platform-specific devices are also available, such as Apple’s FileVault.

“One can also purchase self-encrypting hard drives such as the Seagate Secure and already-encrypted flash drives – e.g., IronKey from Imation Corp. – and encryption software such as Symantec Whole Disk Encryption and Sophos Ltd.’s Safeguard,” says Lina Maini of Beacon Network Investigations, LLC.

As for passwords, I recommend a more secure method of authentication, such as security tokens or USB tokens.

Perhaps apparently, I’m a big fan of firewalls, and encrypting everything networked – from email to any and all telecomm technology apps. I’ve also become a huge fan of the company Silent Circle. One of my favorite features of Silent Circle’s service is the ability to program burn settings. I.e., once I’ve sent any type of message (email, text, audio), it is then encrypted and will burn itself at the pre-set time I’ve chosen.

Many people forget that once a voice message, text or email has been sent, that data has to go through a provider, e.g., Apple, and is then transferred back to the end-user, therefore leaving data footprints that can be copied.

For professionals that mainly communicate via phone, relief from eavesdropping is on its way. This month: Spanish smartphone company GeeksPhone and software company Silent Circle launch Blackphone, an encrypted smartphone that protects phone calls, text messages, emails and Internet browsing. Using VPN technology, Blackphone promises to be an NSA-resistant phone. I’m looking forward to ours arriving soon.