Hundreds arrested as crime chat network cracked (bbc.com)
334 points by bogle on July 2, 2020 | 365 comments


Claims of said encrochat:

* Each message session with each contact is encrypted with a different set of keys. If any given key is ever compromised, it will never result in the compromise of previously transmitted messages – or even passive observation of future messages.

* Anyone can forge messages after a conversation is complete to make them look like they came from you. However, during a conversation the recipient is assured all messages received are authentic and unmodified. This assures non-reputability of messages.

* The algorithms employed are many times stronger than that of PGP (RSA+AES). We employ algorithms from different families of mathematics, which protects message content in the event that one encryption algorithm is ever solved.

* Messages do not employ digital signatures that provide third party proofs. However, you are still assured you are messaging with whom you think you are.

source: https://encrochat.us/


Saying "many times stronger than RSA/AES" but not providing details on the algorithms is a huge red flag.

If they have built some home-grown algorithm, then it's possible the NCA actually cracked the encryption (with a bit of help from GCHQ) rather than using the baseband processor to snoop on the keys or something like that.


It could also be implementation-based.

A few years ago they rounded up a ring of crime phones in the Netherlands. They were using PGP encryption, however instead of each phone generating its own private key, they generated them centrally and kept them in a database. Obviously this introduced a huge vulnerability.

The police compromised the server and were listening in (through cooperation with Canadian police as they were using Blackberries) for quite a while before they started kicking doors down :D They basically got all the evidence on a silver platter.

I'm surprised someone with the skill to develop such an app and service platform doesn't have the skill for avoiding such common mistakes. Or maybe they weren't able to explain to their users that the fact that they couldn't retrieve their messages after forgetting their PIN code is a feature, not a bug. Either way, the police were really happy.

https://nationalpost.com/news/canada/canadian-judge-releases...

Not saying the same would have happened here, but crypto is hard to implement correctly and the algorithms are only part of the problem. And this kind of network is a massive target for law enforcement because the ratio of criminal users is huge.


I'm surprised someone with the skill to develop such an app and service platform doesn't have the skill for avoiding such common mistakes

My impression is that the way things go is:

* Sure, a smart person can implement a "homebrew" security protocol that seems safe.

* But smarter people never implement a "homebrew" security protocol and instead use existing protocols, 'cause they know how easy it is to fuck-up.

* The smartest people implement real, secure protocols, working in academic or three letter agencies and have those protocols vetted and peer reviewed. And even these fail on a regular basis.


So much this! My learning curve on crypto took me through a few self-evaluations:

- Crypto isn't that hard! I can do this!

- Crypto is a lot harder than I thought. I shouldn't do this.

- I've read about a lot of crypto! I can do this!

- People way more experienced than me are making the tiniest mistakes that end up crashing the entire house of cards. I definitely shouldn't do this.


Implementing a protocol correctly is easy. Implementing the primitives is harder (and tons of work), but you can easily grab them from a low-level crypto library like Libsodium or Monocypher.

Designing a protocol correctly is not that hard, as long as you understand exactly what you are doing. By which I mean you are at least able to write an informal (yet rigorous) proof that it has the security properties you seek. Also, verification tools like Verifpal are a godsend. The tricky part here is avoiding the Dunning-Kruger effect. It's easy to have the illusion of perfect understanding while being unable to write the most basic mathematical proof.

The hardest part is convincing others that your protocol is any good. People who don't understand what you are doing cannot (perhaps even must not) trust your work. They need the vetting of someone reputable, and getting those reputable people to take a look is pretty hard if you don't have the right connections (an uphill struggle without a relevant PhD).


Another famous case was a crime lord whose BlackBerry PIN was written on a sticky note, so police got everything.

https://www.chch.com/niagara-drug-kingpin-goes-trial-murder/


Actually, according to Dutch press (nrc.nl), it was the same detectives who performed that hack who were flown into France to do this hack as well.

Good for them, but I hope for their sake their names do not leak.



No, the exploit was by the Dutch supporting the French because the actual physical servers were located in France, under their jurisdiction. Just like the previous time they did this, we aren't getting a lot of information on how. But it seems physical access is part of the exploit.


Sure but the "crack" that occurred here was essentially MITM, so regardless of their encryption scheme they would have been caught.


It isn't necessary for a central server to be able to intercept messages. In an end-to-end encrypted system any boxes in the middle can infer stuff from traffic but they can't read message contents.


The article says: "Europol said that French police had discovered some of EncroChat's servers were located in the country, and that it was possible to put a 'technical device' in place to access the messages." Even if it was end-to-end, they at least could intercept the initial key exchange perhaps.


Intercepting a DH key exchange doesn't help you. The whole point of DH is that an eavesdropper doesn't learn the secret even though both of the other participants do.

They probably just didn't use end-to-end because it's easier to offer a nice customer experience without.


Closed source is a huge red flag.

Ideally, nobody should use any form of closed-source crypto any more.


> Anyone can forge messages after a conversation is complete to make them look like they came from you.

"I didn't send those messages your honour. Someone forged them. I am a victim of a conspiracy!"

"Do you have any evidence that this actually happened?"

"No."

"...moving right along..."

It will be fun if someone from this actually tries a cryptogeek argument in real life...


Ross Ulbricht tried essentially that defense.


Exactly. The tricky part of plausible deniability is that it needs to actually be plausible. People very often screw this part up. EG they'll make a TrueCrypt/VeraCrypt hidden volume, but then won't modify the outer volume with the same access patterns to hide their usage of the hidden volume.


Doesn't this put the burden of proof on the accused?


People have been claiming they have been framed since forever. If claiming you were framed with zero proof actually helped in any way then every one would do it and much time would be wasted.

In the case of a crypto forgeability argument there will never be any proof. It will always be a false claim. It is a silly idea.


> People have been claiming they have been framed since forever.

Yes they have, but they have been doing so in the face of circumstantial evidence: DNA, fingerprints, blood, whatever. Or eyewitness evidence: someone saw you go in the building at such and such time (perhaps there is a surveillance video).

If someone has nothing of the sort on you and their entire claim is that you wrote some digital message, I'd think the onus would be on them to prove their extraordinary claim somehow.


Just like with any other evidence. My point is that the possibility of forgery makes no difference at all to that.


A piece of digital text isn't a forgery; there is no concept of authenticity in it in the first place to serve as a backdrop legitimizing the use of the word "forgery". It's not like planting someone's hair, or imitating their signature. You need absolutely nothing from the victim, and to expend no effort.


The concept seems to have come from the original off the record (OTR) messaging proposal. The concern was that, say, a PGP signature could create a situation where there was objective proof that someone had created a particular message. By making forgery possible the theory was that someone could disclaim the message. I have been writing some PGP fandom articles lately which is why I am up on the subject. The relevant articles:

* https://articles.59.ca/doku.php?id=pgpfan:off_the_record

* https://articles.59.ca/doku.php?id=pgpfan:repudiability

So I am not disagreeing with what you said; it supports my contention that forgeability is a silly cryptographic feature if there is no proof in the first place.


algorithms don't matter for shit to the person that controls the (mandatory) updates.

It's the same issue with all modern e2e apps like WhatsApp or Signal: if there is a single client implementation, it's not secure at all against these kinds of attacks.


> signal [...] > if there is a single client implementation its not secure at all to these kind of attacks.

There are (where?) actually multiple "distributions" of signal, like textSecure on f-droid. Last I checked it worked with signal, but that was a few years ago.


No, Moxie killed the alternatives with really shitty arguments and by banning them from using Signal's official servers.


Exactly! All it takes is a "demand letter" from any government with jurisdiction. See: https://en.wikipedia.org/wiki/Lavabit


> Each message session with each contact is encrypted with a different set of keys"

Is this not a bad thing? Since transferring key pairs is the weakest link in these apps, to be really secure wouldn't you want to do this as infrequently as possible, and ideally in person, outside the app?


Sounds like they are trying to achieve perfect forward secrecy per message. Typically you might do this with Diffie-Hellman using ephemeral derivation pairs per session. This is good practice as if any one session key is broken, that has no effect on the privacy of past or future messages encrypted under different session keys. They seem to be claiming to use their own crypto based on the parent comment (red flag) and no signature scheme over the top of it to prove a consistent identity, so I'm not sure what they would be doing. Establishing encrypted pipes over an observable medium is very doable, but providing a way to trust that the party on the other end of the pipe is who you think it is is the hard part as you pointed out.


Session keys are fine, and they're usually not the top level identity or key. So long as this is what they're doing, i.e. using an asymmetric KEx (e.g. Diffie-Hellman) to exchange public keys, from which a shared secret would be derived, and then from that a KDF would be used to generate a key using a salt, you can keep generating new keys for each session from that shared secret (shared in the sense that it's symmetric, not that you send it over the wire).

You can still be more secure, but that's a decent start.


It would be fine if they meant "forward-secure ratchet construction", like Signal does.

You can rotate message/session keys easily enough if you have a shared long(er) term key.


No, this is actually normal. For instance, each time you make an SSH connection, it will use a different key for the bulk encryption. A key exchange has to happen to negotiate this randomly generated session key.


> We employ algorithms from different families of mathematics

Did they roll their own?


It's unclear, but that statement alone makes me shudder.

Anyone doing secure comms at this level, and is talking about families of mathematics always gives me the impression they don't really know what they're doing.


> Anyone doing secure comms at this level, and is talking about families of mathematics always gives me the impression they don't really know what they're doing.

Why is that? Do you assume that making competent choices for encryption algorithms (for which you try to understand the math problems involved) and trying to market the systems security means that they also try to implement it themselves? Or is the "family of mathematics" a sign for incompetence that I just don't recognize?


As someone who's worked in the sector (the crypto sector, not the crime one):

"Families of Mathematics" is a marketing statement, or "hot air" as I prefer to call it. The information content of that statement is zero, what it's doing is trying to project warm "you can trust us" feelings.

A statement aimed at technical people would read more like "we use AES-256-OFB with Axolotl on Curve25519 and scrypt(2^14, 8, 1)" or something like that.

To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.


The US created a fake bank to catch drug runners and cartel bosses. What's to say this isn't an state intelligence backed company created not to sell a product but to be sold to criminals then listened to until warrants were signed?

I haven't looked into the service at all so could be totally off.


Wow. Do you happen to have more details about that fake bank honeypot?


There's an excellent episode of the npr podcast Planet Money that covers this story: https://www.npr.org/transcripts/694548245


That's where I heard it, yeah.


> To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.

IMHO if your solution isn't open source, or least completely documented so it can be verified, then the whole point is moot anyway.


Thanks for clarifying. You convinced me.


I just interpreted that as "we use RSA and ECC".


So it's based on my experience. I'm an Engineer in secure comms. I absolutely see the "family of mathematics" card as a sign of incompetence. In the space, nobody talks about the mathematics. The people implementing algos might, but they're in a different space.

A savvy customer wants to know which algos you're using, and how you're using them, where you're using them. EC? RSA? Other? Which implementation are you using, is it audited? Standard based? Working with government, is it FIPS or similar? What does your KEx and KDF look like? Data at rest security? WHAT are you storing, and sending? Transport security? Metadata? Development practices?

There are a LOT of things a customer wants to know, and which or how many "family(/ies) of mathematics" has never been one of them, in my experience.


Waving about "families of mathematics" when selling a product is just an attempt to bamboozle the gullible.

The number of branches of mathematics that you involve in the product doesn't mean anything.

Encrypting a message twice with different keys using exactly the same algorithm (thus the same branch of mathematics) is prima facie as effective a security increase as using some different algorithms involving different mathematics.

Most everyday crypto products rely on the results from several different areas of cryptography with different mathematics.


Could also simply mean that they are chaining different encryption algos from libraries (à la TrueCrypt) which would indeed add to the security level or even at worst not harm it. (This assumes that each step is not broken...)


I have to agree that point 2 is very clever.

"It was not me, your Honour, as anyone can send a message under my (old) name."


It (deniable authentication) has been provided previously by OTR.

https://en.wikipedia.org/wiki/Deniable_authentication

TLS provides a weaker version (instead of everyone in the world being able to forge a message, just your peer is able to forge the message).
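As an added, constructed example (not code from EncroChat, OTR, Signal or any project named in the thread), here is the pattern the comments above describe: an ephemeral X25519 exchange per session, an HKDF step deriving that session's encryption and MAC keys, and symmetric authentication that the peer can check during the conversation but that proves nothing to a third party, because the peer holds the same MAC key and can produce the same tags. The curve arithmetic is a pure-Python transcription of RFC 7748 so the file runs with only the standard library; the PRF-in-counter-mode keystream, the `Session` class and the function names are my own illustration choices, not a standard construction.

```python
import hashlib
import hmac
import secrets

# X25519 (RFC 7748 section 5) in pure Python so the file needs only the standard
# library; it is not constant-time, so real code should use libsodium instead.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap, a, b):
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519."""
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64   # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf(shared: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK with the salt, then expand with info."""
    prk = hmac.new(salt, shared, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


class Session:
    """One conversation with a fresh ephemeral key pair, hence fresh keys, per
    session. No long-term signing key is involved, so a message proves nothing
    to a third party: that is the deniability property discussed above."""

    def __init__(self):
        self._priv = secrets.token_bytes(32)       # ephemeral, one session only
        self.pub = x25519(self._priv, BASEPOINT)
        self.enc_key = self.mac_key = None

    def establish(self, peer_pub: bytes) -> None:
        shared = x25519(self._priv, peer_pub)
        self._priv = None            # discarded: a later seizure cannot recover it
        salt = b"".join(sorted((self.pub, peer_pub)))   # identical on both ends
        keys = hkdf(shared, salt, b"constructed example: session keys", 64)
        self.enc_key, self.mac_key = keys[:32], keys[32:]

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # PRF in counter mode: an illustration stand-in for a real stream cipher.
        blocks = (hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(0, n, 32))
        return b"".join(blocks)[:n]

    def seal(self, plaintext: bytes) -> bytes:
        """nonce || ciphertext || HMAC tag; either peer can produce this."""
        nonce = secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, msg: bytes):
        """Plaintext if the tag verifies under this session's MAC key, else None."""
        nonce, ct, tag = msg[:12], msg[12:-32], msg[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def run_conversation(text: bytes):
    """Alice and Bob swap ephemeral public keys; Alice then sends one message."""
    alice, bob = Session(), Session()
    alice.establish(bob.pub)
    bob.establish(alice.pub)
    return alice, bob, alice.seal(text)


def peer_can_forge(bob: Session, text: bytes) -> bytes:
    """Bob holds the same MAC key, so his message verifies exactly like Alice's."""
    return bob.seal(text)
```

A second `run_conversation` call yields unrelated keys, so a message captured from the first session does not open under the second; that is the per-session property the thread calls forward secrecy, and the forged message shows why the tag is no proof of authorship.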


> This assures non-reputability of messages.

No, they're assuring reputability, not non-reputability.


I disagree; I believe they're trying to say they provide "non-reputability" (the opposite of non-repudiation) so you can deny messages actually came from you because they could have been "forged".

It's hard to tell though; the statements are a bit of a mess in general.


Hmm, you're right that non-reputability likely means something different than non-repudiation. The problem is I can't find anyone actually using non-reputability in that other meaning.

What I do find is various places using non-reputability erroneously as a synonym for non-repudiation.[1][2][3] So in fact I now think that EncroChat actually made 2 errors: said non-reputability instead of non-repudiation, and also misunderstood non-repudiation as meaning repudiation.

[1] https://books.google.com/books?id=qk_hDwAAQBAJ&pg=PT682&lpg=...

[2] https://books.google.com/books?id=_d7RUNF-2tcC&pg=PR21&lpg=P...

[3] https://books.google.com/books?id=PHBTDwAAQBAJ&pg=PA61&lpg=P...


I've never heard "reputability" used in crypto, but confusingly, it might be the opposite of "repudiability"?


I read it as saying you could deny writing any specific message as it could have been forged after the session ended. Non-reputability.


Perhaps they were going for non-repudiation?


Damn why didn't they use a messenger not made by idiots

> The algorithms employed are many times stronger than that of PGP (RSA+AES).

If they just used PGP over email, they wouldn't have gotten caught.

From what I have heard most criminals since the 90s use PGP over email (middle management and higher criminals not street thugs who probably just use WhatsApp or worse). They should go back to that.


If you read the Vice article, it explains that they were compromised by on-device "malware" that was pushed in an update via the company provider (whose software update process had been taken over by the authorities).

So it doesn't matter what software they would have used since the device itself was capturing data before encryption and after decryption.


They could have been using regular iPhones/Galaxies/Pixels etc. Then it wouldn't rely on this bespoke operating system and its updates. It seems unlikely Play Store or Apple Store would get compromised. But you could always compile the PGP app yourself.


Could law enforcement require access to play and appstores? Has this happened?

Law enforcement could replace an app with their own, even for one specific user, if they have access to the system, granted by Google or Apple. I presume the signing can be compromised this way, but am not familiar enough to know this for sure.


Using those stores means using those centralized services by Apple and Google, which includes device updates, carrier updates and more than just app store downloads.

And those companies would absolutely comply with a legal request to push intercept updates to phones.


Well, it tells you a lot about the ease of use of PGP when people prefer to go to jail rather than use PGP ;P


If you wanted to get into the criminal drug trade, how would you start? Is there a guide somewhere I can follow?

$13M in cash is an impressive amount. It makes me wonder: There must be all kinds of operations happening around us daily, yet nobody knows about them. And those operations need members. Where do they come from?

The inner workings of this stuff is fascinating. To be honest, I wish it were possible to go observe the system in action as a spectator. I'd love to see how the packaging is done, the supply lines, the transport logistics...

(I balance this with a deep hatred for cartels. If you trace these questions far enough, it seems to often lead to "the cartels are at the center of it all." And they're responsible for unspeakable miseries.)

To be clear, my question is: how is the knowledge necessary for such operations preserved? I'm a programmer. I learned it from the internet. Where do they learn? And these aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?


> (I balance this with a deep hatred for cartels. If you trace these questions far enough, it seems to often lead to "the cartels are at the center of it all." And they're responsible for unspeakable miseries.)

This is why all drugs should be legalized (not just decriminalized, decriminalization still leaves a black market). Cartels are meeting a demand, but cartels make up their own rules and will do anything they want to stay ahead.

Just legalize them, it solves so many problems.

1. Quality and proper labeling (no more mystery drugs/dosages). Buyers know exactly what they are getting, which would decrease the number of ODs.

2. Vast reduction in violent crimes (legitimate, licensed distributors are very unlikely to have violent turf wars as this would jeopardize their license). Black market would suddenly have no market (provided the taxes on legal drugs aren't stupid), which means no money, which means there is nothing to kill/fight over.

3. Increased tax revenue

It is a win/win/win for everyone, I just don't get it....and please just don't with the tear-jerking "What about the children!" The kids will be fine. No, legalizing doesn't send a message that "drugs are OK". No, it won't make them more accessible to kids. Please stop fearmongering, you don't know what you are talking about.


That can work for drugs with low abuse potentials, like psychedelics. But why do you think drugs like heroin will benefit the society or the people who are taking them?


There is a different course of action for high-abuse drugs. Apparently in Switzerland you can get an "addict" prescription from your doctor, and with that prescription you can go to an injection clinic and get a free professional injection of heroin and a bed to lie on.

The result of this is all drug dealers going bust, and no drug dealers means no one to market the drug, so no new users. All addicts in Switzerland are now old people, and as they die of related diseases and old age the Swiss are having a hard time keeping the clinics open because there are not enough takers for free heroin.

I think all opiates can and should be taken care of this way. Not sure about stimulants though - one doesn't just lie down on a clinic bed after a dose of meth or crack. Maybe if regular coke is legalized people will give up meth and crack?


You've never been to Switzerland if you think there are no drug dealers there.

I don't know about heroin, but there are something like 3 or 4 Swiss cities in the top 20 for cocaine consumption based on wastewater sampling.


There are, in fact, even heroin dealers in Switzerland, and of course all sorts of other drugs are still being sold illegally, but compared to the early 1990s, before the heroin prescription policy, there is practically no visible drug addict scene anymore.


The problem is that people who want drugs (either because of addiction or desire to try them) will always find a way; this war has been lost already. However making these drugs legal will still remove the negative impact of the illegal drug trade such as cartels and their inherent violence (which also enables other crimes as cartels might be willing to supply their weapons - which they source already because they need them - to other criminals who are willing to pay good money for them).


People already take those drugs. Drugs are everywhere and have been for a long, long time. When I was a teenager, it was easier for me to get marijuana than alcohol. Why? Because one was regulated.

Why do you think the world will flock to drugs if they were simply made legal?

Drug addicts (people who need to get high) will find an alternate high if they can't get illegal drugs.


I agree with this. I don't think legality dissuades but a tiny number of people. I think most people who aren't going to do it don't take drugs because they've seen the results of the harder drugs and don't want anything to do with it.


Heroin will not benefit society, the hypothesis is that it will cause less harm if users receive it from a boring, official, controlled source instead of letting violent criminals earn millions with it. The idea that prohibition can somehow end drug use was proven wrong a long time ago.


I would not necessarily credit Heroin for it (and would definitely not advocate its use), but a sizable proportion of Rock and Jazz performers have composed and performed music under its influence.


Drugs with very high abuse potential like opioids are very dangerous and a big problem - but looking at the epidemic of opioid abuse in the US, it's evident that criminalization isn't helping.


Do you have evidence to support the idea that more people would become heroin users if it were available through legal means?


I don't, and that's a good point - if the number of users remains the same (or even increases slightly) then I do see how legalizing can be beneficial. However, in my mind legalizing drugs also means easier access, and that can lead to an increasing number of people using drugs.


> However, in my mind legalizing drugs also means easier access, and that can lead to an increasing number of people using drugs.

How many adults do you know that have never done, or tried, heroin and would suddenly do so if it was legal? I think the number of people that would try heroin because it became legal would be staggeringly low. I don't think there are many people out there going "Man, if heroin was just legal then I would totally try it!". People that want to do heroin are already doing so; it being illegal isn't stopping anyone.


So the counterargument is hydrocodone. It is legal, and people that would never in their lives think of shooting smack now had doctors, many of whom knew better, prescribing them a highly addictive narcotic in order to get compensated by the manufacturer. Purdue Pharma was a wholly legal cartel with thousands of dealers worldwide moving their product for them.

"Heroin" has a bad name, so your legalized version would have some innocuous made-up marketing name, backed by tens of millions of dollars of advertising and it would sell like hotcakes.


My response to that is to assert that most of the negative impact of the opiate crisis is due to the fact that people become addicted to them and are then unable to obtain them through legal means, which effectively forces them into criminal activity.

I'm certainly not saying opiate addiction is a neutral/good thing, but I don't think it would cause the societal harm that we see today with them being tightly regulated.

Potential case in point: illegal methamphetamine usage/addiction is a huge issue today in the US. I qualify that as "illegal", because meth is available by prescription under the trade name Desoxyn. Many drugs with similar effects are likewise available and much more commonly prescribed - but I'm not aware of anyone calling for them to be banned. If anything, I suspect in that case the overall societal impact is positive: I know I would be much less effective as a developer if I were to lose access to ADHD medication.


Not to mention the way the opiates were marketed to doctors with claims they were less addictive.

Meaning doctors were more likely to prescribe them. That whole episode was one of multiple fuck-ups at every level, backed by some unscrupulous fuckers.


> So the counterargument is hydrocodone. It is legal, and people that would never in their lives think of shooting smack now had doctors, many of whom knew better, prescribing them a highly addictive narcotic in order to get compensated by the manufacturer.

How is that a counter argument? This is a breakdown/fault of the medical community and has no relation to making drugs legal. To be clear, I am arguing that all drugs should be legal for recreational use (not require a prescription).

No question, doctors need to vet information on drugs better (they should not be taking literature/studies that come from the drug manufacturers as a reputable sources of truth). No question doctors should be extremely hesitant prescribing any opioid at all. No doubt that a lot of the current opioid epidemic stems from doctors (either unwittingly or not) prescribing things that they shouldn't be. Those are all medical industry issues that need to be solved (regardless if things like heroin are legal).

I don't suppose, and don't recommend, doing a self diagnosis and getting whatever drugs you feel will help. The medical community is supposed to be the experts on that subject matter.

That said, people need to be free to determine their own risk tolerance level regarding what to put in, or use on their bodies.

Me personally? I am not going to stop going to the doctors to get medicines when I am sick, even if I could buy any and all drugs over-the-counter. Also I am sure prescriptions aren't going away even if all drugs could be bought over the counter, there is no way insurance would pay for drugs that weren't prescribed by a medical professional.


You are using "legal" in a way that implies unregulated. Regulations have a large value, at least to some people. For instance, I would like to try CBD, but I don't trust that some random product will be safe and effective and have the right amount of the active ingredient. Unless it's an approved drug.

If you have regulations on drugs, then you have all the problems, to some extent, that people attribute to their illegality.

I am afraid of opioids, and I don't trust even doctors, so I never took the ones I was offered and didn't get addicted. But there must be millions of people who wouldn't trust a heroin dealer and would trust their doctor, so legality makes a big difference.


Why would a doctor promote heroin? If they did, especially for recreational purposes, it would be very much at odds with any medical ethics. What is clear via the Oxy example is that medical ethics really need to be upheld and profit taken out of the equation.

Do you see doctors promoting cigarettes? Alcohol?

I would say that your reasoning why you aren't doing CBD is highly rational. Do you really think that even if you wanted to try heroin and if you did it, it would automatically addict you? Like you're instantly gone in to the abyss?

People try heroin and nothing happens to them. Some even hate the experience. People use heroin for prolonged periods and then simply stop (not unusual in the late teens, with some kind of a trigger in the mid 20s).

If there was not so much stigma involved and so much risk taking the stuff, we might see people coming out of this juvenile experimenting phase in a much much better state.

Also, do you really think that people that are lifelong addicts don't have some kind of deeper psychological reasons to go down that path?


> if you wanted to try heroin and if you did it, it would automatically addict you

I have no idea. Lots of people experiment with things and it's no big deal and they insist that must be a universal experience. There's a selection effect. If you try something at 20 and don't survive, you're not around at 40 or 80 to tell people it's no big deal.

When I was young, I enjoyed alcohol a lot, but didn't really struggle giving it up when I had to. Nor did I ever drink until blackout or vomiting, which you know, whether or not it's pathological/alcoholism, is common. I am certain that the level of compulsion is very different for some people.

I have a sibling, who I believe smoked cigarettes off and on but it never became a permanent habit. But a lot of people find them extremely addictive. I never smoked my first one, just because there was never an anticipated reward that seemed worth it. I might have been wrong, or right. Some people seem to get substantial cognitive benefits from nicotine.

Occasionally having a negative reaction to a prescription drug makes me wary of recreational or unregulated stuff, too. Seeing homeopathic stuff in the drug store makes me fearful that a CBD product might be fake too. So when I had wisdom teeth pulled and I was given a bottle of big pink pills (I think it must have been oxycodone/paracetamol based on a quick google) I didn't use a single one.


For what it's worth, I think you're at least mostly correct - I would also expect legalization to lead to increased usage, at least in the short term. I'm just the type of person who challenges those sorts of expectations, including when I'm the one holding them.

Along with wondering if "legalization leads to increased rate of usage" holds true, I also wonder if the following is true:

> legalizing drugs also means easier access

Criminality is a "barrier to entry", surely, but I'm not at all sure that ease of access changes because of it. In Arkansas, where I live, cannabis is illegal. Even though I don't consume it (the risk isn't worth the benefit to me), I'm extremely confident I could make a couple of phone calls and have some delivered to me if I wanted to. That's really no different from my experience in the LA area.

In fact, it might actually be more difficult to obtain it in LA through legal means. Generally you have to seek out a dispensary (physically, or via phone/app) and provide identification. I wouldn't need ID to get it illegally in Arkansas. If an ID requirement has a negative participation impact on other things (like voting) then I would expect that to hold true for this as well.


I don't believe that drug addicts face any real difficulty obtaining their drugs; they do face hazards to their safety and economic security.

The risk of legalization isn't so much ease of access as it is the normalization of drug abuse. We have shown with cigarette usage that education, propaganda and marketing laws can de-normalize drug use.

If anything, by making high risk drugs safely available through official venues, you can provide social services better access to those who need help.

I would say that you would likely see an initial increase in users but that a well run program would lead to both an overall decrease in users and more importantly a reduction of average harm per user.


I think that is a common misunderstanding. Access is there and not much more difficult than deciding you are curious and going to a specialty shop. Look at marijuana legalization, not a big uptick in consumption by most approximations.


Currently legal opioids: oxycodone, fentanyl, buprenorphine, methadone, oxymorphone, hydrocodone, codeine, and morphine.


The question is whether banning drugs causes more harm than good, not whether drugs are beneficial to society.


Correct, heroin addiction is problematic. In fact, I'd go so far as to simply say "addiction is problematic". If we say that instead of "drugs are problematic" perhaps a different approach seems reasonable. Portugal decriminalized drugs and focused on addiction treatment. The model isn't perfect, but it might be worth a look.


Of course not; but neither does the war on drugs. Or legal drugs like alcohol. And it's quite obvious at this point that the negative consequences of the war on drugs far outweigh the negative consequences of drug use, especially if such use was regulated and supervised, and had compassionate treatment options.


It is hard to see how financing a global network of violent and terroristic criminal organizations could ever be a better state of affairs than having more drug addicts. If you then include the massive loss of freedoms imposed on us to fight these organizations, it boggles my mind that anyone can support the war on drugs.

Edit: The answer I guess is that those who have supported the war on drugs had other goals than "reducing the number of addicts". If you look at the history of how the war on drugs has been used by western intelligence agencies to grow their surveillance powers and finance the fight against left-wing/communist organizations, the real reasons become more clear.


3: tax revenue

Governments can and do tax illegal drugs. Just issue tax stamps. If drugs are found without them, you also get them for tax evasion.

All drugs used to be legal in the US. There is a reason that they became controlled a hundred years ago or so, and it does not involve conspiracies by big pharma. Go research the history - it's fascinating.

Alcohol is one of the leading causes of death in the US. A large share of car accidents, suicides, crime, heart disease, and many other things is caused by it.


>This is why all drugs should be legalized

This libertarian trope has gotten more annoying as I get older. No matter what you want legalized/deregulated, there is something that even you can't stomach. And organized crime can focus their business on that something. They probably already have.

You say legalize everything and then you say there will be "quality and proper labeling". Well duh, you have to enforce that; that means drugs that don't meet the standards are illegal. And your organized criminals will deal in them. There's no way out.

Current drug laws can be framed as a matter of "quality and proper labeling", we're just quibbling about the details.


Even legalizing some drugs would reduce organized crime. Would it completely destroy it? Probably not, but it would mean that there's less money to be made in it, and that means fewer people involved, less violence, less corruption.


> how would you start?

At the bottom usually. Either that, or you'll need some specific smarts or connections that are sought after. That's how it survives the loss of members. Many are low level and are replaceable, they have no actual knowledge about the high level trade. The high level bosses hide really well and try to stay untouchable by letting others do the dirty work.

From what I understand about Dutch organized crime, if you'd start for yourself, you'd have to fight a turf war and will always be at the top of multiple hit lists.

The safest bet is probably shipping drugs by mail through dark markets. A Dutch guy (SuperTrips) got arrested in Miami a couple of years ago. He sold drugs from his bedroom in his parental home. Was estimated to have earned 385k BTC through this.

If you want to see it at work, you could go to some of the Caribbean Islands. Drug trafficking runs through many of them and you can actually see the impact it has on some communities. In Haiti, I was warned to stay away from packages on the beach (though I didn't spot any). Apparently they throw them overboard near the coast, locals find them and sell them back to drug traffickers for about €50 a kg. This way the traffickers don't need to be directly involved with bringing them to shore.

Hopefully this gives you some info. There's lots of books and documentaries about this stuff too, by ex-criminals, insiders and researchers.


> I was warned to stay away from packages on the beach

Ah, the infamous square grouper.


Yeah, even parts of Panama and Costa Rica have so much cocaine running through them that people basically just have gobs of the stuff on them and 75% of the ex-pats there are somewhere between drunk and coke-addled most days :P Mind trying to buy it as a tourist though, "Just follow me down this alley" - ah, you'll prob just get a confusing fast run-around about needing to make change in a currency not your own and end up with a little bit of what you thought you were buying for a whole lot more than it should have cost...


>and Costa Rica have so much cocaine running through them that people basically just have gobs of the stuff on them and 75% of the ex-pats there are somewhere between drunk and coke-addled most days

Not my experience at all. The expats I met are usually doing some combination of bar work, yoga classes, and other such things. Among the entire cohort of the hostel inhabitants (mostly tourists I imagine?) I haven't seen one drunk or drugged person.

I did see plenty of drug dealers though - some shady dealers on the street and some very presentable resident dealers inside various venues. So there has to be a lot of drug use going on, just none that I have noticed.


385k BTC is $3.6 billion USD.

I doubt he made _that_ much out of his parent's house.


At that time BTC peaked at $1k. So that would've been $380 million max. Also, this was apparently revenue, not profit.


BTC was not always worth that much...385k btc can also be around 80 pizzas. https://www.cbsnews.com/news/meet-the-man-who-spent-millions...


In case you aren't being sarcastic he likely means $385k in BTC.

Edit: I was wrong holy shit that's a lot of money.


That's not what I meant, I meant 385k BTC. At that time BTC peaked at around $1k.


I mean, why would you even continue risking it after $1m? $10m? $100m??


I was once approached to develop a darknet market. I spent a few weeks scoping out the work, unpaid, before I turned down the opportunity due to the legal and ethical problems.

I did spend that time pondering and scoping out the work because I found it a fascinating challenge to design an ecommerce platform with very heavy requirements for user privacy and anonymity.

The source code for an existing platform that I was granted access to view showed me that a lot of encryption techniques were just smoke and mirrors. Mostly, everything was stored unencrypted or using symmetric encryption with the encryption key stored on the same filesystem as the server generating the pages.

It was fun designing an asymmetric multi-key encryption system, where a user's "second password" with a hash (stored with a microservice API on another server in another data center) generated one of the multiple keys required. Even server seizure wouldn't result in anything usable.

Another challenge was how to prevent servers from being overwhelmed with DDoS attacks. That would have been achieved by using the Tor API to generate custom onion addresses for each user and vendor that they could bookmark. The only site that could be DDoS'd would be the landing page. It also allowed for an easy route to horizontal scaling.

The old system also didn't properly delete stuff, it just flipped a boolean "deleted" field to prevent it from being visible anymore... Not very smart for data hygiene.

I've been wanting to use what I planned out to build a product for the last few years, but I can't think of anything legal & legitimate that would have such strict security requirements that also has potential for profitability.


> Another challenge was how to prevent servers from being overwhelmed with DDoS attacks. That would have been achieved by using the Tor API to generate custom onion addresses for each user and vendor that they could bookmark. The only site that could be DDoS'd would be the landing page. It also allowed for an easy route to horizontal scaling.

If the market were compromised and the URLs exposed, this would make it easier for a bad actor to connect a user to the URL, right?


A friend told me the story of his friend here in Mexico, who was just finishing school (uni) and needed some money. A friend of his offered that if he stayed at some random house for a weekend (to "guard" the house just staying there to sleep) he would be paid several thousand pesos. Not bad for a weekend of doing nothing.

That weekend there was a police raid to that house. The poor guy ended up being arrested along with others and got 20 years jail time because there were drugs and guns in the house.

Not worth it.


Assuming your story is true (and based on ones I've seen on 'Locked Up Abroad'), I think what happens here is that higher ups are giving the police a win. Everyone in some of these areas is on the take, but the police still need to show arrests once in a while. So throw some guns and drugs in a house (cost of doing business), put some randoms in there, and call the raid.


>A friend of his offered that if he stayed at some random house ...arrested along with others

with friends like that, who needs enemies!


Well yeah, that particular idea is not worth it. It's ridiculous. On the other hand in the UK I know people who make huge amounts of tax free money and when they get caught (usually after 5-10 years) they go to prison for a year or two. Not so bad.


> These aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?

Narconomics[1] has a pretty good discussion of the economics (including recruiting) of cartels.

[1]: https://www.amazon.com/Narconomics-How-Run-Drug-Cartel/dp/16...


The real barrier to entry here is the stress. Always feeling those butterflies when the phone rings - getting nervous when you see a police car - freaking out a little when the doorbell rings.

It's no way to live - and don't even think about having a family/kids after you get involved. You'll die early of the stress.

If you think you're a master 1337 hacker or online drug dealer - just get a job in IT security. It pays better, comes with zero stress.


> It pays better, comes with zero stress.

Spoken like someone who has never done either.

15+ years ago when I was hacking and doing credit card fraud, I could make $1000 cash a day without a lot of effort or time. Because I was careful about protecting myself and didn't work a lot I didn't have much stress. I have far more stress with a full time job.

That said, the drug game would be a lot more stressful.


As a curiosity: what made you stop?


I wanted to go legit and get into real estate. About 3 before I would have been out I got caught.


*3 months


Might be dated at this point, but a chapter in Freakonomics was about the economics of being a gang affiliated drug dealer in the US. The analysis there was that outside the top couple guys, the actual pay wasn't much better than just working as a fry cook or whatever, while the risk of being arrested or shot was much, much higher.

So even in criminal enterprises, I think you have to move up the distribution chain a ways to see the big $


> get a job in IT security. It pays better, comes with zero stress.

I beg to differ. All IT jobs have stress, but security by definition stresses you about things that haven't happened yet. If you have zero stress doing IT security, you're doing it wrong. Still immensely better than crime, though.


Second this recommendation. Fascinating read.


That is a fantastic title. I decided to buy it, thanks for the recommendation.


You could benefit from reading this sociologist's account: "Gang Leader for a Day":

<< Sudhir Venkatesh never imagined that as a result of this assignment he would befriend a gang leader named JT and spend the better part of a decade embedded inside the projects under JT’s protection. From a privileged position of unprecedented access, Venkatesh observed JT and the rest of his gang as they operated their crack-selling business, made peace with their neighbors, evaded the law, and rose up or fell within the ranks of the gang’s complex hierarchical structure. >>


But that was in the 90's. All the tech must've changed the trade by 2020.


The line between being willing to take enough risk to get involved in drugs and being risk averse not to get in trouble from being involved with drugs is a very thin line.

You can get rich from drugs very easily but getting rich from drugs while minimising your risk enough to live out your days comfortably is hard.

The smart way for a nerd to get rich from drugs is to formulate a short-term high risk plan that utilises the dark net to acquire and sell drugs before moving on very quickly. The problem is, if you’re making a lot of money very quickly... can you give it up? What’s one more day? What’s another week? You’ve been going 6 months — what’s 7?

Drug dealing groups are not a carefully designed and well oiled machine, there’s no knowledge passed down from generation to generation: there’s a group of people who haven’t yet been caught out by their mistakes. The people mentioned in this article made a mistake by using this app, and that mistake finally caught up to them.

The whole drug industry is predatory, the smartest people involved in drugs are the most predatory because minimising risk for yourself means offloading that risk onto others using violence and coercion.

There’s no romantic art to drug dealing: if you’re smart and willing to hurt others, you can be a millionaire before the year is out.


You may be interested in the book “Wiseguy”, a very interesting, informative, and often hilarious book about Henry Hill, a member of the mafia in New York.

https://www.amazon.com/Wiseguy-Nicholas-Pileggi/dp/143918421...

It explains in great detail how he got into the mob and how the mob works. I would assume many organized crime groups follow similar paths. Essentially young kids with problems with authority meet hoodlums who can vouch for them, they get into the lifestyle, and start learning how to hustle. No one rats because doing so means death.

This book is also what the superb movie Goodfellas is based on, which is a fairly close portrayal of the book.


>>And those operations need members. Where do they come from?

Friends and friends of friends. If you hang out with "dodgy" people you will eventually see those opportunities pop up.


However those are exactly the sort of people that a well run criminal organization would keep at a distance. The opportunities one gets from dodgy people are dodgy opportunities.

The recruiting of violent, power seeking, poor impulse control people was one of the major factors in the decline of the five families. When better opportunities existed for 2nd and 3rd generation Italian-Americans, many took those better non-criminal opportunities. An organized crime life is a pretty hard life. This dramatically hurt the number of good candidates that organized crime could recruit from. The candidates they did recruit often placed their individual desires over the needs of the organization. This destroyed the internal trust which was a major enabler of their success.


Have you heard of the podcast Darknet Diaries? Jack Rhysider (the host) does a pretty remarkable job of documenting the answers to your questions by interviewing guests (in story format) who often come from the more murky areas of the internet.

In particular I recommend the episode freakyclown or OxyMonster as that seems to fit what you're looking for.


> I'm a programmer. I learned it from the internet. Where do they learn?

Crack Overflow?


Also HitHub. Heaps of free coke repositories.


>> I'm a programmer. I learned it from the internet.

Same is true of Paul Le Roux [1]. I think if you're criminally inclined you'll find a way.

[1] https://en.wikipedia.org/wiki/Paul_Le_Roux


>Le Roux was sentenced to 25 years in prison in June 2020 after agreeing to cooperate with authorities in exchange for a lesser sentence and immunity to his most serious crimes.

Surely he will have to serve his sentence in solitary because I would imagine cooperating with the authorities makes you rather unpopular in prison.


It wouldn't stop there - imagine _leaving_ prison when those who weren't caught know your name and the fact that you cooperated with law enforcement.


That depends on the prison. If it's minimum security it's unlikely anyone would do anything. Medium or higher? Maybe.


Some people are exceedingly good at working out ways around the law to make a lot of money. Here is how I think their story works in many cases (I have no formal expertise):

I expect these days in developed countries most of them start with credit card fraud in their teens and usually go to prison. At that point they either reform (I know of two such individuals by name, one is a friend sysadmin/CTO now and the other is Stephen Fry) or they get recruited in prison into an existing criminal org. From then on they acquire knowledge on how to crime from people who have the experience.


This is an interesting aspect of the criminal system I don’t often see discussed - for a lot of kids who are dabbling in crime and get caught sending them to prison is how their criminal network grows. It doesn’t help “reform” the edge cases so much as it allows the edge cases to be easily recruited by existing criminal operations.


Pah, these guys are petty thieves compared to Wirecard...


The difference between blue collar crime and white collar crime is one uses guns, while the other uses pens.


The pen is mightier than the sword.

It's great news that these crims have had their just deserts. It's even better the quantity of drugs taken out of circulation, and hopefully the decimation of the network.

I'm well grasped of the difference between the two, and for the most part I think white collar crime is worse. It's pure greed and the same kind of exceptionalism that's been growing and growing for the last 50-60 years. Blue collar crime is as old as civilisation, white collar crime is as old as deregulation.


> white collar crime is as old as deregulation.

White collar crime is as old as civilization - how do you think kings and nobles got their positions back then?


I don't think we can compare feudalism with financial crime.

One was the system of governance for millennia, the other was enabled by the naivety of a failed ruling class who handed the power of states to the fraudsters of global finance.

Everyone understood (at a local level) how feudalism worked, I doubt many people could tell you what Wirecard were doing.


Feudalism only had about a 600 year run.


So right. Add Enron, or 2008 bank crash.


The important stuff they got off the street was the people and the machine guns.


Not to mention the drugs. One has to feel some sympathy for the street level thugs. They're body-men for the elite organisers, of whom we seem to only catch one every 10 years, and they often get off lightly and/or escape.


> To be clear, my question is: how is the knowledge necessary for such operations preserved? I'm a programmer. I learned it from the internet. Where do they learn? And these aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?

This is what anthropologists call an "oral culture". You have to be told it verbally, because those involved are strongly deterred from writing it down. For the deeper secrets you probably have to be part of the right family.

In the rougher neighborhoods you'll find plenty of people who know how the system works, if only so they know what and who to avoid getting caught up in it.

(The interesting thing about the internet is how we've developed an "oral" culture that actually does get written down, because we do so much socializing through text! IRC channels and the like.)


£13m is only what the Met (London police) seized. It was over £50m in the whole UK.


I can recommend a book called Whiz Mob.[1]

It's ostensibly a study of the specialized language of pickpockets, but actually goes into great detail on how pickpocket gangs work.

Before reading this book, and knowing nothing about the subject matter, I had somehow assumed pickpockets worked alone and were just bottom-of-the-barrel amateur opportunists. I couldn't have been more wrong, as it turned out they work in highly organized units.

Fortunately, probably through the ubiquity of video surveillance, such gangs don't seem to be as widespread as they used to be.

[1] - https://www.amazon.com/Whiz-Mob-Correlation-Technical-Pickpo...


At least in the States, pickpocketing has almost disappeared. Part of this is probably part of the general trend of falling crime rates, but also because people carry much less cash around and cell phones etc. are difficult to fence.


You're either born a hustler or born into it. In the last few decades the hustlers do need IT help, especially online gambling, money laundering, etc. But it does come with risks, you don't want to be the IT guy who recommended this cracked app.


Get arrested and go to jail... that's where there's a large concentration of criminals from which you can learn.


Such is the plot of "A Stainless Steel Rat Is Born", by Harry Harrison.


Although selection bias tells you that they are the ones who got caught, so maybe they are not the best ones to learn from.

That is also a plot-point in ASSRIB.


You could likely learn what not to do, from them :)


> I wish it were possible to go observe the system in action as a spectator.

Barring a time machine or wonder viewer that would make this possible, I highly recommend this documentary from 2006 [1], "Cocaine Cowboys". It's a tell-all of the inner workings of the largest drug importers and follows the rise and subsequent fall of the cocaine trade in Florida, which ultimately culminated in the major construction and modernization of Miami, Florida.

[1] https://imdb.com/title/tt0380268/


I know in Mexico/other parts of South America they'd kidnap/abduct radio infrastructure workers for setting up/managing comms. Give them a fairly nice life too, except for the whole you're stuck in this position and we'll kill you and your family if you try to leave.

So, basically, go down there with a sign stating what you can do and hope to get kidnapped...


This. For organized crime in a country where 9 out of 10 crimes go unpunished, the fastest way to start up infrastructure is kidnapping experts.

You want to steal from oil pipes? Kidnap a few field workers. You want a solar-powered, encrypted, nation-wide radio network? Kidnap telecom workers.


I can’t speak to the British case, but the book Gomorrah goes some way to answering these questions for organized crime in Naples.


If my local neighbourhood drug dealers are any indicator they recruit by word of mouth. A friend knows a friend who knows a friend who has a few attractive job offers so if there's somebody to vouch for you, a meeting is arranged.

They usually have some front business. "My guys" had a small logistics operation (obviously) - a single tractor trailer. Apparently the local liquor store was involved as well because it was run by the same people.

How do I know all this? Some of their trades, meetings and even disagreements happened out in the open. Nobody dared to be too curious about this. Also my friend's ex boyfriend was a drug dealer so she had a few stories to share.

I still vividly remember this one time when I saw one man handing out brick-shaped packages which were inside a car trunk to another man. At first I didn't know what I was looking at, but seeing how my eye contact made them uncomfortable I stopped staring and went on my way.


>>If you wanted to get into the criminal drug trade, how would you start? Is there a guide somewhere I can follow?

You would start from the bottom. Going around saying you want to be part of the business is a sure way to end up dead as a snitch.

Yeah there's a LOT of money: cocaine costs as little as $2k a kilo in Colombia and can be sold in the EU for close to $100K when accounting for cutting. I guess a lot of it is segmented. For example: one group brings 800kg from Ecuador and sells it to local gangs and so on. If they get caught, other groups fill the void.


There's a ton of "inside look" type videos on Vice on YouTube if you're interested. Try a "{any drug name} vice" query.


You would join an existing organisation, as you'd have no chance setting yourself up as a "startup" - existing gangs would not take kindly to someone trying to disrupt their business.


The criminal world offers a fascinating glimpse into what pure, unrestrained capitalism would look like.

If we look at what trading corporations do in times and places where they can get away with it, we see:

-Aggressive acquisition of natural resources to protect the supply chain

-Use of armed force to gather and protect said natural resources and the geographic territory wherein they're contained.

-Use of armed force to protect and expand market capitalization (markets, trade routes etc)

This is pretty much identical to what a drug cartel does on a day-to-day basis.


I don't know if it's insightful to think of this as "pure, unrestrained capitalism".

Imperialistic nation states of the 1700s and 1800s followed this playbook, in a time where the biggest enterprises were state-owned (in Empire of Cotton, Beckert refers to it as "War Capitalism").

But those systems fell apart because they were too volatile. Eventually, an inability to control that volatility compelled the same imperialistic nation states to divorce themselves from private enterprise, and took the monopoly on violence in the settlement; so far, it's been a more stable equilibrium.

Both systems are "capitalist", in that they permit the private accumulation and investment of wealth. I would argue that the main difference is the state-owned monopoly on violence, eminent domain, and regulation of the financial sector.

Regions with strong criminal underworlds tend not to be governed by institutions with such monopolies.


> state-owned monopoly on violence

There's an interesting 2012 TED Talks presentation by Peter van Uhm, the then chief of defense for the Netherlands. He discusses the state monopoly on violence as a central point of how and why the military exists.

"Peter van Uhm: Why I chose a gun"

Ted: https://www.ted.com/talks/peter_van_uhm_why_i_chose_a_gun?la...

Youtube: https://www.youtube.com/watch?v=LjAsM1vAhW0


It's only partially unrestrained capitalism. Don't forget the role of the cartels is to both provide finance/guarantee and control price/supply.


By definition trade in capitalism is done willingly.

That is not capitalism.


> By definition trade in capitalism is done willingly.

Not by the definition used by the people who named and defined capitalism.

It's true that after that, the conceit that capitalism involved only voluntary, uncoerced trade was adopted by its defenders as a rationalization of the system, but that was not true of either the specific real world systems for which the name “capitalism” was coined to refer or subsequent real world examples, and certainly has nothing to do with the definition of capitalism.

If you want to distinguish the proposed scenario from capitalism, it would be in that it does not involve private property rights in the means of production, but instead on their forcible seizure and defense, but that's a slippery distinction because commonly such systems evolve into a degree of legitimization and trade with recognized rights between the parties, and the roots of capitalist property also start in forcible seizure which is later legitimized.


If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?


> If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?

Given the diversification most capitalists have and looking at what major corporations do globally, yes, though I'd also expect them not to think of themselves that way.

Drug cartel leaders, I'm sure, often have similar self-serving rationalizations of their role.


Ok, thanks :)

We can't go any further on here, too much ground to cover.


>If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?

Do you consider executives of, oh let's say, the Coca-Cola Company, to be capitalists?


Yes...

Assuming you are probably thinking of linking something like this: https://en.wikipedia.org/wiki/Sinaltrainal_v._Coca-Cola_Co. ?

Illegal activity is illegal. Capitalism has law and a stable society as a prerequisite.


From related portions of the economy: given the growing use of debtor's prisons, predatory loans, and coercive tactics including armed repossession & bounty hunting dependent on an exploitive for-profit bond regime? Yes. These are not companies rejected by modern capitalism. On a higher economic level private equity's leveraged buyouts are very frequently hostile takeovers that use a company's own resources to seize control of it.


> By definition trade in capitalism is done willing.

The definition of capitalism, and the world in which capitalism operates, are different.

The final transaction between buyer and seller is voluntary.

But all of the backend infrastructure may be highly manipulated in unethical, forceful ways.

A person buying some whale meat willingly pays the merchant at the meat market.

But that whale meat was acquired because one group killed the whale before another group. And that group killed the whale first because they set up groups who threatened other would-be whale hunters, and as this group gained a bit of financial traction they paid off local officials to pass some “coastal safety” ordinances that provide them some level of monopoly on killing whales, and worked out another ordinance that lets them dump toxic byproduct in a local river to place some of their cost onto the public that won’t be easily rectified for decades.

So a perfectly ethical capitalist fisherman might well find themselves facing men with guns who forcefully prevent them from competing, when the police show up to enforce the local coastal safety law.


People buying drugs do so willingly.


Rather depends on your definition of willing.


indeed, but that wasn't the bit I was talking about.

I was replying to the comments about use of force.


Create the problem, sell the solution. Consent!


I don't think a product that creates its own demand is against any of the Official Rules Of Capitalism.


That's nowhere in the common definition of capitalism.


The film "Blow" is outdated but probably a good starting point on the history of how things like that develop.


ZeroZeroZero by Roberto Saviano may have information you'd want.

Also looks like ZeroZeroZero is an Amazon Original series now as well.


Netflix has a comedy about a programmer getting into drug trade called How To Sell Drugs Online (Fast)


You should read the story of the silk road. There was a fascinating piece in Wired.


This story is surprising as there were rumours about 18 months ago that EncroChat had been vulnerable. Especially when other similar services had been taken down and targeted.

Random side story: Governments have become much more aware of the purposes of these sorts of phones and sellers.

About 18 months ago I was asked to meet with the sales people from a specialist phone company like this one; they were interested in selling them to the NGO/journalist market. I'm always happy to chat and test the utility of interesting security tech and compare versus more common setups (locked down phones, Signal etc). I've met a load of these sorts of companies at trade shows etc as I'm sure many here have, but they wanted to meet in person as they were in town talking to various potential clients. The product was decent enough but way beyond the price anyone in the sector would be able to afford. Anyways the guys were nice and I genuinely didn't get a sense they were particularly up to anything bad...

However when I left the meeting (in a European capital) I had physical surveillance all over me. Not a particularly good team, hence I detected them. Totally caught me by surprise. Ran a hastily arranged surveillance detection route and managed to confirm a few (no doubt there may have been more). At first I thought it might be the company I had met doing it to me for some weird reason. However as I thought through the tactics, people profile and operational reason for doing it to me I can only assume that whoever the local police were had been watching closely anyone who was meeting with the secure phone providers (they were foreign to the country in question, so probably came under more suspicion). No doubt this was because of the connection between a lot of these sort of companies and the criminal underworld. (Again, I didn't get the sense these particular sellers were up to no good, I just thought it was an interesting perspective)


> Ran a hastily arranged surveillance detection route

What did this entail?


I was so curious about this that I did some googling and read this article about it: https://protectioncircle.org/2016/05/25/surveillance-detecti...


Ami's stuff is excellent. If you ping any of the resources in my bio I can send you more if you are interested.


Well, being trained properly is the best advice as there is nothing more risky than thinking you are clean when you are not. It was on foot in a busy city so it's way too much to write up here, but if you're interested in reading basic stuff from a general security guide follow the link in my bio.


Not OP but could be as simple as travelling in circles or taking nonsensical routes.


That would be considered very suspicious and alert the team immediately, plus they would have been trained to deal with that. I had no reason to feel threatened by them as I haven't done anything wrong. I just used the chance to practice some past training, buy myself time to figure out WTF was happening then broke off at a point where that would seem legitimate to them without them sensing it was what I was doing. It may well have been a genuine criminal investigation I'd somehow walked into by accident so I had no desire to compromise that.


If you are already being followed by someone, surely it doesn't matter if you "act suspiciously" by e.g. walking in circles.

What are they going to do? They are already following you? Follow you more?

For what it is worth, there are enough crazies and phone zombies in any major city that pretty much anything goes anyway...


It's really a sort of long story and depends ultimately on the risk that you potentially face and their possible objectives.

Roughly, the way to think about your options is:

-Covert - Use your detection of one or more to detect more of the team but do nothing. This preserves your ability to detect them in future especially if they reuse tactics and locations, especially any trigger locations that they pick you up on.

-Overt - Use your detection of the team to openly "burn" them by confronting them ("Who the fuck are you and what do you want?"). But that means in some contexts like a human rights defender they may move in to arrest you, kidnap or whatever depending on their objectives. Or they will just step off you and come back next time in a better way that means you won't be able to detect.

-Semi-overt - increase their heat state by approaching them for something innocuous ("Hey do you know where the local church is?"). This means you test their local knowledge and that individual will most definitely lift off you for a while, though they may not entirely suspect what you did was deliberate as they would above. They could of course use that time to threaten you, especially if you are talking criminal or narco threat etc.

-Overt break - You use a very obvious method of breaking away from them like jumping a light, speeding up your normal walking pace, swapping public transport, going into a location that doesn't fit your pattern of life purely as it would be hard to cover and then ditching out fast through an exit etc etc. Again that will alert them and as above they may move to snatch you or come back another time. Remember, they may already know where you live/work etc so they may have that information.

-Covert break - You run an SDR then find a location you can use that fits your pattern of life and use that to lose them. They can still of course come back but they may chalk it down to an accidental loss if you do it right. Plus you are sometimes playing on their cultural biases that means they may be reluctant to report a loss to their bosses etc.

There's obviously a hell of a lot more to think about. Such as, if you use the above to create a break, what is it you are going to do then? This is often what people struggle to think about in advance, especially as it's intimidating as hell to find yourself in that sort of scenario with a real threat. For example people we've worked with have made decisions to essentially go on the run with just what they have in their pockets (from people looking to kill them) once they broke away. That's when the training about the physical and digital stuff (alert help but may need to ditch the phone, get grab bag, change clothes, switch to routes off CCTV etc etc etc) kicks in.

What is useful though is that you as the person being followed usually have control over who, what, where etc happens in your day (unless it's an intimidation scenario like in some countries where surveillance literally waves at the people every morning as they follow them around).

Some better structured answers in Umbrella App or you can try the beta web version: https://umbrella.secfirst.org/lessons/en/work.being-followed


Extremely interesting read. Thanks for sharing.


Never thought I would see someone referring to the use of SDRs - let alone effectively applying one - on HN. Curious as to where you picked up the skillset.


Mostly private courses and experience built up over the years driven by the need to use and train on it for journalists and activists at risk.

On a few, thankfully limited occasions I've had to use it in relation to myself where a real threat existed but rarely enough. Mostly when I've had to use it personally it was to ensure I wasn't risking anyone I was meeting or if I wasn't sure if they might be a deliberate/accidental security threat.

We teach it on some of the source protection training courses we do with journos/NGOs. Also we write some basic stuff about it in our open source app, Umbrella. Some activists are threatened by actors ranging from kidnap to ISIS, from corporate to government intelligence, from crime to stalkers. So it's very useful for helping people identify a wide range of threats early.

Also just generally for getting people's heads up out of their phones and off the ground and taking in more alertness of their surroundings - the sort of Cooper's Colour Code style thinking.


> the sort of Cooper's Colour Code style thinking.

... and now you've got all of us gun nuts paying attention :)


Very cool! Sounds like some really fun training to provide and never even considered how useful those skillsets would be for journalists. Thank you for sharing.


Four left/right turns in a row


difficult way of saying "i drove around in circles for a while"


Maybe a police state keeping tabs on journalists potentially investigating corruption?


No definitely wasn't a police state. I mean I wouldn't rule out that was why but very very unlikely.


Is it just me or does the timing of this story seem a little fishy considering the EARN IT act that US Senators are trying to push through?

https://foundation.mozilla.org/en/campaigns/oppose-earn-it-a...


I'd say the contrary: isn't this a prime example of how law enforcement can work around encryption without weakening encryption in general by law?


It's a shaky argument, because ideally these systems would be so secure that they wouldn't be able to have done what they did. They relied on human error and that seems like a bad excuse to penetrate a system.


Yes, but I'm not sure we should be giving up real rights to imagined threats. In practice, what encryption systems do is make it sufficiently inconvenient to steam open our letters that the authorities only do it with motivation. The only real case for some of these proposed laws is "we don't want to employ specialists in this field" not "these systems are uncrackable".


Or: we want the full firehose of data, and then we want to employ Machine Learning specialists. ML is apparently magic.


The motivation driving these laws is E2E encryption that, if implemented correctly, is uncrackable. Today, pretty much everything is encrypted but since the provider has the keys they can access the messages. E2E encryption shifts the keys to the user which means that the provider has no access to the content of the message. They are theoretically uncrackable without the user's secret and when it's Apple, Google, Facebook, et al. implementing the system and not some 2 bit criminal operation it will be uncrackable in practice.


To quote Monty Python "This isn't an argument, this is just contradiction!"


I don't know what this means.


First off, you definitely should watch this: https://www.youtube.com/watch?v=ohDB5gbtaEQ

But the point is the post just literally contradicted the previous post. There's not a lot of places to go from there.


I'm sure that if a bunch of criminals found a way to make a perfectly secure mobile phone they wouldn't be too bothered with a law that says they're not allowed to do that.


But doesn't that also mean one can plausibly defend strong crypto by saying "look how easily police broke into this system's weak crypto, how would you feel if criminals could break into your bank this easily?"


They had the fact they'd broken the system leak to the criminals before they finished their operation.

Seems like they can't be trusted with proper secrets, doesn't it?


I realize Mozilla has an axe to grind, and perhaps rightly so, but they undermine their argument by not linking to the actual text of the Act.

That page is just saying, "Act bad! Signup here to protest!" If the bill is really so bad, then they shouldn't be afraid to let people see for themselves what's in it.


Why would the Dutch and French police time the release of this information with a US law proposal?


Because that's how global politics and alliances work, sometimes.


Sure. Because Trump hasn't completely messed up any form of allegiance Europe had to the US.


Ultimately Trump is just one (albeit powerful) dude - I imagine intelligence and other agencies have built up relationships over a much longer period


Yes, they probably have, relationships based on trust. Using information for political gain is not the type of stuff that allows that trust to continue existing.

So for US politicians to both know and abuse this, someone in the US intelligence community would have had to be willing to lose a lot of trust on the EU side by both sharing the intelligence and allowing it to be used for political gain and forcing the EU side to become their political puppet.

That doesn't seem reasonable to me, but who knows. If that's what happened though, the US can forget any trust in the near future.


No particular reason I guess, but stranger connections have been made when the US leans on other countries.

Sweden violated its constitution and had dawn raids and confiscation of servers performed to satisfy the RIAA.


That's completely different from asking two different countries to withhold information from multiple criminal investigations for political gain by a specific group of US politicians.

European countries don't even trust US politicians anymore with information about ongoing investigations, due to the blabbermouth president. Why would they even communicate this with them to begin with?


They still hold some clout as long as they are in office.

And don't forget that the administration has installed a lot of affiliated people into agencies. (Ratcliffe for instance.)

I'm not saying the Dutch and the French did some kind of cooperation with the US here, I'm just saying I would not gasp in surprise if it turned out to be so.


GCHQ were involved which means the NSA would have known about it since they're not really separate organizations. I believe they would refrain from briefing the president on something which was important to keep secret.


> And don't forget that the administration has installed a lot of affiliated people into agencies.

I haven't and neither have our agencies.


Do you mean the staff remember to cater to the whims of their newly appointed chief, or do you mean, they remember and try to stall the worst madness from above?


It's probably just a coincidence. The actual French access to the servers was in April - there were more rumors of it back then.


exactly my thoughts too


Given the care with which the software was built, I wonder if the hardware itself was compromised. The open hardware folks always talk about the insecurity of the closed hardware in phones; I wonder if any official narrative discussing a software exploit is simply a parallel construction. [1]

[1] https://en.wikipedia.org/wiki/Parallel_construction


From a different article linked by a comment, the replies from the company itself point towards a compromise between the phone and the update server. The police got access through the SIM service provider and were able to inject their own modified updates to the connected phones.

As a simple guess, I would suspect that the police managed to get a valid certificate for the domain name used by the update server and through that MiTM the connection. One of the comments from the company said "They repurposed our domain to launch an attack", which would fit such a scenario.

Attacking the authentication of update functionality is also in my view the usual suspect in cases like this. When a hardware device gets rooted it very often is some kind of attack which allows people to push a modified update in some way. The developer in this case would need to have designed the update feature assuming that the domain name could be compromised, the SIM service could be compromised, and that the path between their server and the phone could be compromised. If they used cloud services for their servers then they would also need to assume that the cloud provider could be compromised. People can write software very carefully and still forget to account for one of those.
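An added example (not EncroChat's code, nor anything reported about their actual update design) of what "assume the domain, the SIM path and the server are all compromised" looks like for an update channel: the client pins an offline release key and accepts an update only when the manifest is signed by that key, is newer than what is installed, and matches the downloaded package. The `Manifest` format, the version-41 client and the three tampered deliveries are all constructed for this illustration; a seized domain with a freshly issued TLS certificate changes nothing in `Verify`, because transport identity is never consulted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one client update. In this hypothetical design the
// manifest carries the SHA-256 of the package and a monotonically increasing
// version number, and is signed by an offline release key whose public half is
// pinned in the client. The update server, its domain name, its TLS certificate
// and the SIM/APN path are all treated as an untrusted courier.
type Manifest struct {
	Version   uint64 `json:"version"`
	PkgSHA256 string `json:"pkg_sha256"`
}

// SignedManifest is what the update server actually hands out.
type SignedManifest struct {
	Manifest  []byte // canonical JSON bytes that were signed
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned release key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrDigest       = errors.New("package digest does not match the signed manifest")
)

// Sign is the release-side step, meant to run on an offline machine.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Verify is the device-side step. It accepts an update only if the manifest
// was signed by the pinned key, is newer than what is installed, and matches
// the package bytes actually downloaded. It never looks at who served the
// bytes, so a valid certificate for a seized domain buys the attacker nothing.
func Verify(pinned ed25519.PublicKey, installed uint64, sm SignedManifest, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.PkgSHA256 {
		return Manifest{}, ErrDigest
	}
	return m, nil
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// RunScenarios replays four deliveries against a client running version 41 and
// returns the verification outcome for each. The package bodies are constructed
// placeholders, not real firmware.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// An attacker who has seized the domain can obtain any TLS certificate for
	// it, but only holds a signing key of their own, never the vendor's.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const installed = 41
	genuinePkg := []byte("constructed: vendor build 42")
	trojanPkg := []byte("constructed: build 42 with key exfiltration")
	oldPkg := []byte("constructed: vendor build 40 with known bug")

	genuine, _ := Sign(priv, Manifest{Version: 42, PkgSHA256: digest(genuinePkg)})
	trojan, _ := Sign(attackerPriv, Manifest{Version: 43, PkgSHA256: digest(trojanPkg)})
	old, _ := Sign(priv, Manifest{Version: 40, PkgSHA256: digest(oldPkg)})

	out := map[string]error{}
	_, out["genuine"] = Verify(pub, installed, genuine, genuinePkg)
	_, out["trojan_from_seized_domain"] = Verify(pub, installed, trojan, trojanPkg)
	_, out["rollback_to_buggy_build"] = Verify(pub, installed, old, oldPkg)
	// Genuine, correctly signed manifest re-served next to a swapped package body.
	_, out["swapped_package"] = Verify(pub, installed, genuine, trojanPkg)
	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-28s -> %v\n", name, e)
	}
}
```

The rollback check matters as much as the signature: an attacker holding the transport can re-serve an older, legitimately signed build with a known exploitable bug, which is a different failure from forging a manifest. This still leaves the release key itself, and whatever verifies the manifest on the device, as trust anchors; if the signing key or the client binary is compromised by other means, as several comments in this thread suspect for EncroChat, no transport design helps.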


Yeah, I wonder too. I had Cyanogenmod on a very old Android phone, and after a while messaging started to act up in strange ways.

The paranoid side of me started to weigh different explanations against each other, and one would be a compromised base band processor which tried to do something to the Android side, but failing, since it was no longer the vendor image it (hypothetically) was expecting to manipulate.

Security is tricky and must be designed with depth and a mistrust of all layers. If the hardware is designed such that the baseband and the main CPU are not separated by a communications channel, all can be lost if one does not control the baseband firmware too.

(For instance if the baseband processor has shared memory access, that's a problem. If it's just a data interface, treat the baseband processor as a hostile network.)

In my case, the likelier cause was probably something buggy in the Cyanogenmod image, or, while still unlikely but less so than baseband exploit, that the Android side itself had gotten some kind of virus because of some kind of security flaw in that particular Cyanogenmod version.


I think even more likely, is that EncroChat employees and/or the company itself were compromised.


The article makes mention of using their network to deliver an exploit. It could have been software, firmware, or hardware related. I'm guessing one of the existing zero-days that they hadn't patched yet. Once the end device is compromised the encryption used doesn't really matter as keys and plain text can be intercepted by the kernel. How they got access to the network for delivery is likely via the company itself. A knowingly or unknowingly compromised employee as mentioned seems the most likely.


I don't quite understand how this worked and the article is thin on details - was there not E2E encryption between the participants?

> Our servers are node based and located all over the world; all input and output are true end-to-end encrypted. The Servers only initiate the tunnel.

Their own statement suggests a zero-day?

> Today we had our domains seized illegally by government entities. They repurposed our domain to launch an attack to compromise carbon units.

> With control of our domain they managed to launch a malware campaign against the carbon to weaken its security.


Here is a link from another HN post. It explains a little about it from my quick scanning:

https://www.vice.com/en_us/article/3aza95/how-police-took-ov...


> French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users' communications for months.

Sounds like their servers got popped, probably ones distributing updates, and also sounds like hand rolled crypto from their website although that doesn’t mean much if they can access the devices.


Breaking "hand rolled" crypto is a very hypothetical threat, almost a non-existent threat, as in practice software with a centrally controlled distribution model has many much, much bigger weaknesses that advanced threat actors are going to exploit, like updates. Assuming they even can successfully break such crypto at scale, imagine how much effort it would take just to get to the encrypted bytes given all the VPNs, TOR and overlay networks providing extra layers of encryption and privacy/anonymity, hiding who talks to whom by sending packets through other countries.

I guess what people should learn from this is that encryption isn't a protection without solving problems caused by centralization first.


Well, I wouldn't say that's true, hand rolled crypto notoriously is weak when your adversary has cryptographers... like governments.

And this system sounds extremely snake-oily, and likely making typical bad crypto mistakes everywhere.


That's a good summary.


The other article I read about this is that law enforcement compromised the service's servers and pushed an update to the clients, making them send unencrypted messages, which allowed law enforcement to read them as they came through in real time.


Devil's advocate: Is there evidence law enforcement didn't start and run the project from the beginning? If they did, I wouldn't expect them to come out and acknowledge it.

I'm similarly skeptical of popular VPN apps.


Humans are often the weak link here. The most common scenario is that the police had some control over the project due to a compromised person. I'd wager that the police did not start the project, but soon after it was being used for crime, they took over it.

I'm not sure it's possible for me to develop and run something with the assumption that even if I turned police intelligence asset, the product would be untouched. Open source would help, and some kind of distributed, decentralised thing maybe.


I agree. That seems more likely. I doubt we'll be told, but I'd be interested in the specifics. It seems like it might have ethical implications to take over it without the blessing of the owner(s) of the company. After all, I doubt they will be able to get many more customers now that it's widely known that it was compromised by law enforcement. Arguably law enforcement destroyed this company, which the owners might normally not be happy about.

It may be as simple as: the business wasn't making money and the owners wanted out, so law enforcement bought it or paid them off. Then law enforcement isn't really "compromising" the company--they're in control of it (whether the employees know or not). At that point they can have the existing devs modify it however they want, or just hire a few new devs.


Think there may be some legal/ethical issues with law enforcement starting/running a honeypot that is actively being used to plan (and probably carry out) murder, while they just sat back and watched.


Yeah, police are just not that entrepreneurial in enabling crime.

It's like trying to design something to go viral -- harder than it looks. Probably easier just to find informers.


Yeah, any VPN that doesn't mind paying YouTubers to advertise I run far away from.


But in that case why wouldn't the system's owners alert everyone about that fact? It's pretty obvious when your system is sending updates and your domains are getting seized.


According to the Vice article, they did notify users on multiple occasions about the compromise. They even pushed out software updates and worked with a 3rd party SIM provider to try and fix the issue. Apparently, even after they pushed out updates the “hackers” were somehow able to repeatedly regain access.


Do you have a link?


The Dutch news mentions the police managed to snoop on the messages "before they were encrypted", so I assume they managed to hijack the app update process and installed a keylogger or something.


If they had access to the servers then they could have intercepted the key transfer. They would then be able to decrypt any messages sent


If that was the case, it's not really "before they were encrypted" though.


Some government comms, in areas including disaster relief and simple police dispatch, are end to end.

The problem is the key is transmitted in DTMF or by other means in the clear. I am not sure what my local PD uses for encryption but I'm guessing it's outdated.

You can set the tornado sirens off with a small transmitter and a recording of the very consistent tone pattern if you wanted.

The worrisome thing is that cops use their cellphones instead, which is much more secure but also is used accidentally or purposefully to avoid public records.


Police dispatch might be encrypted but not very well.

https://www.mattblaze.org/blog/p25

It's actually worse than clear text radio in many ways.

All cellphone call metadata and all SMSes are recorded, so while it avoids people listening in on scanners and the public record it isn't very confidential. It's police using WhatsApp and Signal that will cause big problems.


The moral of the story is there's no such thing as plug and play opsec. It requires thought, patience and domain knowledge. You can't outsource it because that contractor becomes your immediate and obvious weak link and will be compromised. Whether it's El Chapo's IT guys or fools who thought a cell phone company would keep them out of prison, this story just repeats itself.


Exactly like The Wire plot with burner phones. As soon as compromised phones made it into rotation, they were sunk.


Do I sense some Brexit here? The BBC article mentions "The NCA worked with forces across Europe on the UK's "biggest and most significant" law enforcement operation.", while the Joint Eurojust-Europol press release [1] doesn't mention the Brits at all, but calls it a Dutch / French operation.

[1]: http://www.eurojust.europa.eu/press/PressReleases/Pages/2020...


It was a joint operation led by France/Netherlands but a very large number of the suspects were in the UK. This is a BBC article and focuses on the UK arrests.


For what it’s worth, in an earlier statement to Vice, a company representative claimed the attacks appeared to originate from the UK.

https://www.vice.com/amp/en_us/article/5dz9qx/encrochat-hack...


From Cheltenham perhaps?


The article says the encryption was cracked on April 1st but apparently a whistleblower said that the police used a warrant to get access to the company's infrastructure back in March - which suggests to me that the whole "cracked encryption" story might not be fully legitimate

https://medium.com/@fordnic/evidence-suggests-encrochat-is-w...


The encryption was likely 'cracked' by gaining access to the infrastructure and then putting something in place to view the encrypted traffic. .. changing keys to a known value, pushing out a custom software update, etc.


The amazing thing here is this was a perfect piece of viral marketing - one criminal presumably recommending / refusing to do business without another one buying a new phone.

But it also has huge knock on effects - I mean there are 60,000 people identified on here - and they won't be the bottom level of crime organisations. I don't have a clear number but this must be a large chunk of all established criminal networks in huge numbers of countries.

Seems to me the level of competition has dropped in the criminal industry - VC opportunity perhaps :-)


And the obvious conclusion, if you're a criminal, is: don't rely on others to encrypt your comms. Either go with classic PGP or make your own layers (as Schneier puts it).

But criminals are usually just dumb in regards to this, they are only "street smart". Those who are "intellectually smart" don't do it. Or if they do they don't get caught until they jump over the horse (see the current scandal with 2 billion "siphoned").


> don't rely on others to encrypt your comms. Either go with classic PGP or make your own layers

You're saying "don't rely on others to encrypt your comms" and then the very next sentence says "use something someone else has made". Those two are conflicting. "Making your own" is even worse, because cryptographers don't usually have to resort to crime.


There is making encryption tools and then there is using them. "don't rely on others to encrypt your comms" means don't let others use encryption on your behalf, it means encrypt it yourself. It also does not mean to make your own encryption tool.

So your comment parent meant use a reputable tool yourself. And I would agree with that.


I'm not sure what you mean. They were using a tool that encrypted their communications, it just wasn't good. What's the difference between using Signal and using what they were using, or using GPG and what they were using?


I get the feeling you don't want to understand at this point, but ok, I'll byte:

The difference is the action of encryption and decryption is completely transparent to the user in the case of Signal or this thing they used. You don't encrypt anything, you input plain text and then the system takes over and you have to trust it. If the rumors are true the authorities compromised the servers, pushed an update to the app and the encryption no longer happened.

Just one example on how to do it yourself: using PGP you can use any hardware (not a phone marketed to criminals) and keep it completely offline. And use a phone (worst option but whatever) in which you input the encrypted thing directly. So you don't have to trust the network device. Bonus: neither do you have to use something that makes you stand out to authorities.


Okay, but unless you implement the encryption yourself, PGP can push an update and use weak RNG input so that your message is decryptable, and you'd never know.

"Don't rely on others" makes no sense for encryption, you have to rely on others because it's too hard otherwise. You just have to pick trustworthy others.


PGP can not push an update in the example I offered. And I already explained what was meant with "Don't rely on others" - btw now I see you cut the quote to fit your straw-man argument.


If the attack was that the NCA compromised a server and then pushed an update, then using Signal would buy you that you have people of the calibre, reputation and public platform size of the Signal developers in charge of protecting the servers.

Moxie going on twitter to say the cops have broken into Signal would be headline news, at least in the tech world.


But how do you reconcile that with "don't rely on others"?


You accept that, unless you're the NSA, GRU or whatever the Chinese counterpart is called, you will have to.

Do you really have the talent in your organisation to develop a better cipher than AES or ChaCha? If not, go with something that exists. According to Snowden, even the NSA can't just break PGP if you use it properly.

Do you have better coders than OpenWhisperSystems? You're going to have to trade off relying on someone else's software versus the chance your own coders make a mistake. I'd say the latter risk is usually the bigger one - even the Sony PS developers messed up on the "don't reuse nonces" bit.

Do you have your own chip fab? If not, you're going to have to hope whatever you're using doesn't have too many backdoors.


There is a huge difference between relying on libraries or independent implementations of software in the form of source code that may or may not have bugs, and relying on an organization that sends binary blobs to you, that has to keep their development process secure, infrastructure secure, physical security, developers not compromised, backdoors not forced through laws, state agencies not threatening and forcing them to implement backdoors, etc. OpenWhisperSystems essentially asks you to trust they can do all of that, but of course they can't, while an open source PGP implementation doesn't ask you to trust them and rely on their competence at running highly secure infrastructure. So, don't be fooled by the propaganda organizations put out, there is a huge difference in what you can rely on and Signal here is exactly as weak as EncroChat.


Yeah, agreed. So you just have to pick carefully who you rely on.


They weren't doing the encryption themselves. If you encrypt something yourself, that is different than relying on some app's end-to-end.


>But criminals are usually just dumb in regards to this

I'm reminded of the film Sneakers:

Marty: Organised Crime?

Cosmo: Don't kid yourself, it's not that organised.


Not even street smart in this example. You don't have to work in IT security to understand you should not trust a product based on the vendor description. In this case you don't even know who the vendor is ffs. Could actually be the authorities.


Looks like another episode in the failed war on drugs. While this may look “good” and someone will be able to say “look at those figures” in reality we’re addressing a side effect of a much deeper issue.


Am I happy guns are off the streets? Hell yes. Would I be happier with sane drug laws so as to not necessitate a black market? Double hell yes.


Ok. Guns are off the street. It’s not like it’s not easy for criminals to get more guns.


In the UK specifically, it's definitely possible to get guns with the right connections, but it's not completely easy.


In the UK I can pick from 26k guns available here: https://www.guntrader.uk/


That wouldn't change anything regarding the guns or the amount of crime - career criminals don't do it because they believe in selling drugs, they sell drugs because it's an easy way to make money.

In that regard: keeping a black market for drugs may even be a good thing. Otherwise they'd move on to other ventures that might be more harmful, kidnapping, murder for hire etc.


People don't get physically addicted and spend their every last cent on murder for hire after murder for hire. Think of how stupidly lucrative a substance like crack is, it is water to an addict.


That's a bold claim. Any empirical evidence on your side?


That career criminals are career criminals, not ideological "prohibition is bad, therefore I sell drugs" hippies? Are you serious?


"career criminal" is begging the question. You claim these people exist, and by definition they are going to continue crime rather than find legitimate ways of making money.

Furthermore, you're suggesting that when their way of making money through crime disappears they will migrate towards worse crime. That's a bold claim.


Looks like another episode of how democratic systems try to solve one of the many problems they have. And in fact, in this case and from this prospective, successfully.

I am not positioning myself here, but I would say if this was a "failed war" on drugs things would be different. Just take a look on how things look like in some regions of Central America.


It's all tied together. You can't compare the literal banana republics of Central America (one of which I was birthed in, not that that matters) to the money printing machine that is the US. The point is, that developed countries are failing just as miserably to tackle the root problems at hand. Yes stopping crime is always great, but is playing cops and robbers really the best approach?

For anyone interested, a show recommendation: The Wire by David Simon


I guess what I was trying to say is that within the existing western countries rules (good or bad depending on personal opinions) this does not sound to me as a failure


One figure I have yet to see reported with such news is the change in the street price of drugs caused by the action.

Did they actually throttle the supply? Did it rebound? How quickly? These are the interesting questions yet I don't see them reported.


Prices on the street don't change. Ever. As a result of some hike in price somewhere along the supply chain. What you will see on the street is varying quality but never prices, at least in the way we think of price competition driving prices down.

A good book on this is 'Narconomics: How to Run a Drug Cartel' by Tom Wainwright


How would you even collect this data? Survey local crackheads? Would you find this reliable?


Probably not so hard to do:

- Personal reports from drug users

- since the majority of users are recreational users and not hardcore junkies, and even those are just people with various levels of mental issues, I would actually find this reliable.

- There are surveys that are taken, at least here in the EU, that track drug usage.

- Quality sampling of confiscated drugs

- Analysis of medical data (deaths, overdoses,...)

- Analysis of police data (crimes related to drug usage)

A lot of data out there.


Is there anywhere we can learn more about EncroChat? Google took me to http://encrophone.com/ which is now 403ing


Bing gives correct result

https://encrochat.us/


> Officers are said to have prevented people being murdered after covertly monitoring planned attacks and threats to life on the encrypted service.

Now they can't do that any more. It's a dilemma that British intelligence faced a lot during the world wars: if they acted on information gleaned from a secret channel it would reveal to the enemy that the channel was compromised. Makes me wonder how long they were monitoring and possibly letting crime take place before deciding that now was the time to strike.


Not just during the world wars. British intelligence apparently faced the same dilemma when infiltrating the IRA, and some of the results were quite ugly (look up Stakeknife if you're interested).


Very true. Though Stakeknife was also used in a way to remove hardline individuals seen as problematic to the more pragmatic parts of the Republican movement who were open to negotiate and protect other sources higher up. With obviously terrible consequences for many innocent people.


There's a podcast series called "Hunting Warhead" which documents how the largest child abuse site (sadly had over a million members) was taken over by law enforcement. It turns out they carried on running the site for about a year, even posting child abuse images themselves as the admin to maintain legitimacy. Definitely a moral gray area there. Great podcast series but also made me feel sick and keeps creeping into my head periodically..


EncroChat realised a couple of weeks ago and warned their customers https://www.vice.com/amp/en_us/article/5dz9qx/encrochat-hack...


Same problem as planting an officer into a criminal org. Presumably the agent has to witness and commit crimes until they've infiltrated deeply enough for their mission


I think the take home message is: Police had a way to intercept these communications, but they managed to have that information leaked before they could finish their operation, only managing success because it was already too late for most of the participants.

Sort of illustrates the futility of giving the police keys to access communications, when the number of times they pull this off without a leak is near zero.


Ofc we are going to get no details on how they managed to penetrate the network.

The real question for me is how the criminals trusted the product.


Allegedly they captured the servers and compromised the clients through an update. The trust was probably due to not getting caught for a while.



This contains some really interesting info. Basically someone (i.e. a government, likely the Dutch) managed to install malware on a bunch of the phones.

Each phone only communicates with other phones in the network so once they got one zero-day and put malware on a phone and could spread it, it could spread very quickly.


Might encrochat and its shareholders have a case against various european governments here?

Are they supposed to simply accept that the government will hack into their servers and users devices with no compensation?


Considering they operated in France and the Netherlands and even 'had a shop there' (whatever that means): Yes, but looking at all the articles I'm pretty sure they are also building a case against EncroChat for participating or actively facilitating criminal behavior, in which case the point is mute anyway.

Some requests can be made to ask you participate making you sort-of free of prosecution as you are cooperating, but I doubt they would do that with companies with shady structures and owners.


EncroChat is not an app you get from an app store. It came with the EncroPhone, which are physical Androids you rent for some absurdly high price (like $3000/year-ish). And EncroPhone didn't sell online. You had to get them via a reseller i.e. someone you knew, or they had a few physical stores in the Netherlands.


It's moot


They're lucky if they don't end up being named as enablers / accomplices, or dead if their customers catch up with them.


Ah yes, you caught us supporting a drug network with 60k members, we will sue you for harming our business.


PGP is supporting many more. Should they ban PGP?


Lol, ‘shareholders’


These tactics are as old as international drug smuggling itself. Howard Marks(Mr Nice)[0] says in his book that he stationed one of his associates in Amsterdam to operate as a communications node, he finds out later that the Dutch police had tapped the phone lines within weeks.

[0]https://en.wikipedia.org/wiki/Howard_Marks


If we mentally replace criminals with dissidents and France/Britain with PRC, what could EncroChat have done differently to shield its users?


Compartmentalize into small groups aka cells. It is centralizing around EncroChat which was the mistake here. All the eggs in one basket will always carry this type of risk.

There is also another difference. Drug dealers usually want to get rich, and have no real interest in any larger cause than their own profit.

Dissidents are sometimes willing to sacrifice themselves for the larger cause. What is important for such a dissident is not that nobody gets caught, but that the events are beneficial for the cause and that certain key individuals are protected. Even martyrdom is useful for a dissident, but rarely to a drug dealer.

Dissidents should keep working in cells to minimize the risk of discovery. The drop hollows the stone is the working principle for dissidents. The most influential dissident may have a very small network of contacts but with a large fan-out a few layers down. This tactic is for example how Bin Laden was able to stay in hiding, he was meeting very few people and it was hard to find him because of that even when he was the top target.


In reality the nature of drug dealing would make it tricky to implement a cell structure. If you look at the IRA, implementing it meant in theory it was very hard for one cell to know another and only certain parts would supply arms, intelligence etc. This resulted in a drop in attacks for a long time because of the difficulties in keeping to that. Though it did of course decrease infiltration for a while. Until the UK found the weaknesses and targeted those who had permission to oversee and deal with everything - the internal security section and leadership.

Drugs is a much more dynamic industry where at some points there is a need for a lot of contact, travel, managing big groups of individuals... Not that it couldn't work that way but it would be very hard when people are out making money all day rather than at home in a dissident sense waiting months/years until a short/fast operation.


I think the only way to do so would be to deny themselves the ability to push software to customers (speculating that this is how it was attacked), which itself is an attack vector. It basically seems impossible to do securely if you can't trust the software on the phone, short of providing a separate device that decrypts and encrypts messages and shows them, but any software that device runs would be the attack surface.

That said, it's probably far more likely the crypto was done incorrectly from the off (and probable that other services have the same flaws) but the authorities needed a cheaper vulnerability to burn in public so as not to disrupt other investigations that are no doubt ongoing.


If the adversary controls the phone network and the baseband processor - not much.

If only a small percentage of the population buys encro phones, it might even be worthwhile for the authorities to log and plot all their movements and interactions, all the time. Even without breaking encryption, the traffic analysis alone would give valuable insights.


Screen shot of EncroChat message claiming authorities seized their domain names and compromised their "carbon" units with malware.

https://twitter.com/Borisuithetbos/status/127173017995886592...


Seems like they didn't sign software updates with an offline key and relied on the transport (TLS via the domain) to authenticate them.

If they used an offline key (GPG?) to sign updates, a compromised transport wouldn't have allowed an attacker to deploy malicious updates to the devices. That's exactly how most Linux distributions operate, the mirrors themselves are untrusted and packages are often fetched via unencrypted HTTP, but that doesn't matter because the signatures are checked independently of the transport.
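As an added example (not code from EncroChat, the commenter, or any Linux distribution), this shows the transport-independent update verification described above: the vendor signs a version-bound manifest with an offline Ed25519 key, and the device checks it against a public key pinned in its firmware before installing, so a seized server or domain cannot push a malicious build. The key pair, version numbers and payload bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device receives over any transport (HTTPS, mirror, CDN).
// The transport is treated as hostile; only the offline-key signature is trusted.
type Update struct {
	Version   uint64 // monotonically increasing; lets the device refuse rollbacks
	Payload   []byte // the package bytes (constructed sample in this demo)
	Signature []byte // Ed25519 signature over Version || SHA-256(Payload)
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// signedMessage is the exact byte string the offline key signs. Binding the
// version into it stops an attacker from re-labelling an old signed build.
func signedMessage(version uint64, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate runs on the vendor's offline signing machine, never on the
// update server, so compromising the server yields no signing capability.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate runs on the device. pub is the vendor key pinned in firmware
// and installed is the running version. The signature is checked before
// anything else about the update is believed, including its version field.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo key pair; in practice it lives on an air-gapped signer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	update := SignUpdate(priv, 2, []byte("constructed update payload v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, update))

	// A compromised server swaps the payload; the pinned key still rejects it.
	update.Payload = []byte("payload swapped by a compromised server")
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, update))
}
```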


Too risky to use such services. As soon as they become too big, they have nation state resources thrown at them... and they're without Google or FB resources to defend.

If all else fails, DEA-like agencies can easily offer employees millions of dollars for keys or assistance to plant bugs, offer immunity and so on. Very hard to resist.


It's interesting that law enforcement can hack it but eventually they have to burn the network because they have to make arrests using the information.

They should buy/hack all these companies and then run false flag operations to hide the fact they own the comms.

Like the Germans never realized that Enigma was hacked


They do it but at some point they have to arrest...and warn Johnny that he will be killed this Saturday.


Dumb question....but would they have been better off using Signal? Assuming a burner sim for registration.


Signal is installed from the platform stores, which have the ability to push updates. As far as we can tell, the compromise was done via a pushed update. It's likely that Signal wouldn't have helped.


On Android, I recall that updates to a package must be signed by the same key as the package being updated, otherwise the device itself will reject the update. Doesn't that mean that only the Signal developers (who are the ones who signed the original package) would be able to create a compromised update?


That is likely what happened in this situation (although I don't have details).


Yes, if they could keep shuffling physical phones and sims with high frequency. But that is _serious_ operational drag and discipline. Professionals can't generally manage that at scale. We're talking criminals here..


Why would they have to change sims? IIRC Signal only requires a number for UX purposes, numbers are never stored on their servers.


Confused: OP says the service was taken down. That seems the most significant part of this action, even beyond the criminal arrests. Is an encrypted communications company liable/responsible if criminals use their product? Surely there were many, many legitimate users e.g. lawyers, business negotiators, lovers. Can the 'bad apples' be laid on the communication company's doorstep? If so, why not Facebook, Zoom or even Apple?

Why is HN not addressing this point? Instead of speculating about criminal activities etc.


It’s hard to say. At least in the U.S., there has been some precedent relatively recently where companies knowingly facilitating criminal activity can be subject to prosecution. They could probably argue that they didn’t have access to the the contents of communications so they were unaware of the criminal activities. However, they (it’s unclear if it was resellers or the company doing this) actively marketed to criminals, via ad placements on websites known to be used for criminal activity. Needless to say, it’s a pretty complicated situation in terms of liability.


See? The websites "known to be used for criminal activity" were ok somehow, but not this company. Were the ISP or site hosting organizations shut down? Why not?

And selling communications equipment to a criminal - maybe they wanted to talk to their sweetie without being monitored. They also bought a bagel and took a taxi ride. Is the bagel store shut down too? The taxi company?

There's lots to talk about here.


I think there needs to be a certain level of reasonableness when tracing back liability. I mean, why stop at the ISPs? Why not take it all the way up to RIPE for allocating IPs to the company? Or how about the telecommunication companies that used government allocated RF spectrum to facilitate the communications. In that case, the telecoms and the Government(s) themselves should be liable.

As for people wanting to talk to their sweetie without being monitored, I believe authorities have already said people who were using the services for legitimate purposes may request to have their communications excluded from any legal proceedings and naturally, won't be prosecuted just for using the devices.


Yes, of course, the criminal side is well understood. Except, of course, the massive wiretapping without a warrant part.

Gun sellers have been pretty safe from prosecution for selling a gun that gets used in a crime. Why not encrypted communications companies? That's the distinction I wonder about. (Hopefully using the 'g' word won't further derail the conversation)


Yeah, I get where you’re coming from. So the case I was referring to earlier as a recent example, was Backpage. I think there are some key elements that need to be met, but you can see with that case where lines can be crossed. I’m not arguing encrypted communication companies should be liable for all activities using their service. However, if a company specifically markets to criminals, in my mind, that gets really close to crossing a line.

I think it’s the difference between facilitation and knowingly facilitating. With the gun store example, if the person purchasing the weapon said “I’m going to go kill someone, can you tell me which gun would be best for that?”, the gun store would be absolutely liable if they sold them the gun.


Gun stores have expertise in 'personal protection' weapons. They sell guns to people all the time with the express intention of being easiest to use and the most fatal.

I'd say, marketing to criminals seems pretty close to the line, but depending on the conversation it's no closer than the 'personal protection' sale? As long as they're not advocating "use this to break laws", they're just selling privacy. Like selling a fence for your yard or padlocks for your house. No natural illegal nature to those sales. Even if they ultimately get used to conceal crimes etc.


The company took it down themselves


Yeah that sounds un-coerced. Governments of every European Union nation coming down on them.


It was because they were compromised. How could they stay in business at that point?

Here's the message they sent to all their users telling them to destroy their devices; https://mobile.twitter.com/aglongo/status/127576694551055974...

https://www.vice.com/amp/en_us/article/5dz9qx/encrochat-hack...

> "We have been forced to make the difficult decision to shut down our service and our business permanently," the person wrote in an email to Motherboard. "This [sic] following several attacks carried out by a foreign organization that seems to originate in the UK."

Both of these are from before the authorities went public today


Permanently? Just change the encryption. Something fishy?


Their credibility was shot, though, who would buy from them again? They just told everyone they were completely pwned.


>EncroChat sold encrypted phones with a guarantee of anonymity, with a range of special features to remove identifying information. The phones themselves cost roughly £900 (€1,000) each, with a subscription costing £1,350 (€1,500) for six months.

That's pretty pricey for what's basically a chat app. Is there a reason why they were able to command such a high price even though there are plenty of free/open source solutions on the internet? Marketing? Trust? Criminals thinking more $$$ = better?


When you have a ton of money and you aren't super technically savvy, you don't always make the right decisions.



Some more background: https://alarmeringen.nl/gelderland/well-gelderland/123823-li... Not sure if it was the Dutch or French police that did the actual hack, anyone have details on this?

Apparently the investigation was code named 26Lemont


The Europa article links to this document in French: http://www.eurojust.europa.eu/press/Documents/2020-07-02_Enc...

Some parts:

> "As early as 2017, phones using the EncroChat secure communication solution were detected by the département Informatique Électronique (INL) of the Institut de Recherche Criminelle de la Gendarmerie Nationale (IRCGN)"

The first devices using EncroChat were discovered in 2017.

> "The JIRS of Lille took up the investigation into the EncroChat encrypted communication solution on the basis of the location of the servers ensuring its operation."

Special section JIRS in France was mandated to investigate because the servers used by EncroChat were hosted in the north region of France.

> "a device whose design and operation are covered by national defence secrecy, but which was received and deployed by a service authorised by law to do so, the Service Central de Renseignement Criminel de la Gendarmerie Nationale (SCRC) of the Pôle Judiciaire de la Gendarmerie Nationale (PJGN), pursuant to article D15-1-6 of the Code de procédure pénale."

The "device" (not necessarily a hardware device) used to intercept comms is classified but was "received" and "deployed" by the "Service Central de Renseignement Criminel de la Gendarmerie Nationale".

So it was deployed by French police but it's not clear if they made it.


Anyone got a copy of the APK? Let's decompile it


I wish more HN threads were of this particular flavor!

[insert "can we run DooM on it?" joke]


Now that Encrochat is gone, if anyone fancies playing ethical hacker:

- buy one of these https://omertadigital.com/collections/frontpage/products/the...

- find a zero day

- install malware

- ???

- Profit!


https://www.vice.com/en_us/article/wjwbmm/inside-the-phone-c... this is another crazy story about links between secure phone companies and organised crime including torture and murder


I guess the lesson here is clear: don't overrely on technology.

There are tried and tested methods for running a covert organisation and they all rely on organisational resilience rather than ultra clever tech. Also, don't reuse channels - actual intelligence operations failed because of breaking this rule.


These days messaging security pretty much comes down to end point security ... and end point security is terrible.

If you want to be sure you have to do some sort of air gapping, either with something like a Yubikey, or even better, with a dedicated device with a screen and keyboard.


Predicted a few weeks ago, before any news of this came out:

https://moderncrypto.org/mail-archive/messaging/2020/002586....


A few years ago I decided that all of the encryption in the world isn't going to protect you from state-actors.

Even if your software is perfectly implemented (it won't be), your hardware is mostly a black box.


Complex systems are the core problem. Hardware, firmware, third-parties and black boxes all over, live updates, OS, apps, network, etc. etc. The upside is that it also makes them heterogeneous which is more difficult to roll en masse.


You're only hearing about this now because the cat was out of the bag as of a couple of weeks. If not for that the data gathering would have continued and more people would have been caught.


This sounds like a plot device from the most recent season of West World.


"several dozen guns"


This is going to make arguing against EARN-IT a lot harder just now.


No, it actually weakens it.



