[HN Gopher] Crooks' mistaken bet on encrypted phones
___________________________________________________________________
Crooks' mistaken bet on encrypted phones
Author : jbegley
Score : 64 points
Date : 2023-04-17 19:09 UTC (3 hours ago)
(HTM) web link (www.newyorker.com)
| mschuster91 wrote:
| > He told me that, although there were measures a government
| could take to combat organized crime--better scanners, more
| customs officers, improved collaboration between national police
| forces--the flow of drugs would stop only if there was a change
| in attitude among Europeans. "Drugs are being normalized in our
| society," he said. "Users need to look themselves in the mirror.
| They are putting our security in danger. I hope they are wise
| enough to understand that, without demand, there is no supply."
|
| Just how long will it take politicians to finally recognize that
| prohibition is the problem? It didn't work for alcohol in the US
| (and created Al Capone in the process), it didn't work for
| cannabis, it didn't work for sex work, it didn't work for porn,
| it didn't work for any other kind of drug. All it ever created
| was senseless suffering on all levels, from governments whose
| budgets were and are drained by the cost of prosecuting all the
| drug crime, over the users who literally die like flies from
| contaminated products or accidental overdoses, to society which
| can't rely on not being shot in a drive-by gang fight or walking
| home without stepping over feces and heroin needles.
|
| The only place where prohibition somehow works halfway is CSAM
| and pedophilia, but only because everyone but the pedos hates the
| pedos and agrees it's unacceptable - and even there, with this
| worldwide unity, there's still more than enough pedos that
| corrupt local officials in poor countries where pedos from all
| over the world exploit the utter poverty that leads people to
| send their children into human trafficking.
| ViVr wrote:
| > "The network, owned by a Dutchman named Danny Manupassa, had
| made a spectacular bungle: it had stored the private keys for the
| system on the same server as the network's messages. Analysts in
| the Netherlands obtained the private keys and then used them to
| decrypt Ennetcom texts."
|
| Not your keys not your comms. But even then, apply defense
| in depth.
|
| > "Sky's messages ran on a different system than EncroChat's, and
| it was more difficult to infect the network with bulk malware.
| Instead, someone with knowledge of the investigation told me,
| analysts seem to have launched a "protocol attack" that deceived
| handsets into revealing their private keys."
| joebiden2 wrote:
| If "crooks" as a category were so stupid, we wouldn't have
| crime at all.
|
| While good, this is fishing the ocean with a fishing rod to me.
| The comfiest, surface-nearest and most trusting fish get
| arrested, which ironically could well be strengthening the real
| underground.
| c7DJTLrn wrote:
| The smart crooks use Signal on iOS with backups off. Maybe a
| VPN for good measure.
| joebiden2 wrote:
| I think the real crooks do the old-fashioned stuff. Like, not
| use a smartphone at all for criminal things. Just use
| expendable workers over two or three layers of hierarchy :)
| account-5 wrote:
| Is Signal on iOS safer than Signal on Android?
| wmf wrote:
| Yes, just because iOS itself is harder to hack. For example
| there are trivial evil maid style attacks against Android:
| https://www.tiktok.com/@android_infosecurity/video/71859078
| 9...
| CommitSyn wrote:
| Security 101: Physical compromise is full compromise. If
| someone with the means has access to your unlocked
| iPhone, it's game over as quickly as Android. Remember
| JailbreakMe? That was the NiceGuy(tm) version of iPhone
| hacking. Now companies bill governments millions of
| dollars for iPhone jailbreaks and you can't even sideload
| apps after.
| JCharante wrote:
| Why don't criminals just meet in person to swap public keys and
| use email to mail each other encrypted messages?
| notRobot wrote:
| Because that requires technical skills most laypeople don't
| have.
| antibasilisk wrote:
| Because depending on your threat model, meeting in person may
| be undesirable.
| chefandy wrote:
| The convenience and knowledge barriers are too high for most
| people. It's pretty straightforward for folks with tech subject
| matter expertise, but for most others, it's just not worth
| figuring out what they need to know, then getting all of the
| prerequisite knowledge that lets them learn that, then worrying
| about screwing it up, or maybe relying on someone else for
| basic operations, etc.
|
| It's often tough for developers to see this for the same reason
| it's tough to write documentation-- reasoning about a
| beginner's perspective is a specific skill that takes study and
| practice. That's why software companies that need financially
| stable products hire technical writers and interface designers,
| and it's a place where FOSS really struggles.
|
| For example, Mastodon's active userbase has dropped 50% since
| its peak during the beginning of the Musk/Twitter debacle...
| even for the ones brave enough to plunge in head-first, it was
| too much technical resistance compared to the more
| straightforward alternatives that they had already abandoned. I
| think it was a missed opportunity.
| Gigachad wrote:
| Because no one will ever do that. Even if they risk being
| arrested.
| skatanski wrote:
| If anyone is interested. There's a pretty good Darknet Diaries
| episode that covers some of this and other cases:
| https://darknetdiaries.com/transcript/105/
| ipaddr wrote:
| Isn't the guy speaking part of the hacker quality radio crew?
| davely wrote:
| Nice! I just love this podcast so much. I think I discovered it
| from an older Hacker News thread a year ago or so.
| LoganDark wrote:
| Might be worth adding some indicator that this is a podcast and
| not a video series.
| from wrote:
| Really interesting article. I get the impression the Sky ECC bust
| was bigger than all of the previous ones but maybe that's just
| cause there was more reporting on it. It's kind of confusing to
| me why the CEO is wanted in the US because it doesn't seem like
| there's any evidence he facilitated drug trafficking or at least
| facilitated it any more than say Signal does.
| BlueTemplar wrote:
| Murder, torture, drug trafficking... but by far the worst is
| abbreviating Lord of the Rings as Lor rather than LotR!
| the_jeremy wrote:
| "Crooks' mistaken bet on false marketing claiming end-to-end
| encryption and offshore hosting by 2 different European
| communication networks that ended up shutting down due to police
| raids in 2020-2021" is a better title (or I guess just summary at
| that point).
| MuffinFlavored wrote:
| This is a dumb slightly unrelated question by me. Say I was a
| "crook"/bad guy. Why doesn't "well done" AES/RSA/ECC encryption
| stop law enforcement from being able to "snoop" on what one
| crook says to another crook?
| bawolff wrote:
| You know the saying don't roll your own crypto, well that is
| because almost everyone does it wrong. AES/RSA/ECC can't
| protect you from using it incorrectly.
| wmf wrote:
| The real problem is that most people cannot tell whether
| they're buying proper encryption or snake oil.
| [deleted]
| e12e wrote:
| The missing part is often the "well done" part. Other than
| that - traditional bugs/listening devices, malware (recording
| the sound before encryption/after decryption)?
|
| Then there's traffic analysis (a talk to b, b kill c, b talk
| to a). See also: "well done".
| forgotmypw17 wrote:
| I think the main reason is that LE basically has root on the
| entire stack up to the encryption.
| [deleted]
| onion2k wrote:
| It does. The problem is that crooks aren't generally
| trustworthy, and selling you out is leverage they're very
| willing to use should the cops ever catch them. The same
| applies to every part of the illicit communications network
| you rely on - if any part of the trusted chain breaks down in
| a way that enables the cops to subvert your encryption you're
| screwed, right down to installing an OS update on your
| device.
|
| Good opsec is exceptionally hard. If you aren't building it
| from scratch it probably isn't secure. And even if you are,
| if you're a big enough target for nation states to be looking
| you're still going to have a hard time.
| bsder wrote:
| It does. But how do you _prove_ you have a "well done"
| crypto _system_?
|
| Very few "crypto" exploits are ever the issue. It's almost
| always easier to break some other part of the _system_ than
| the crypto.
|
| To be honest, if someone were trying to sell me a
| cryptosystem for a criminal enterprise and I were in the
| market for one, I'd happily start tracing _everybody_ in that
| company as they are almost certainly part of the Feds.
|
| If you are the target of a nation state actor, you're pretty
| much fucked. Once a nation decides to put down that much
| resource to get _you_, you're getting gotten.
|
| Crypto is only valuable in the sense of "I don't have to
| outrun the hungry tiger. I just have to outrun _you_ so the
| tiger stops chasing me to eat." If you, specifically, are a
| target, crypto won't help you much.
| newZWhoDis wrote:
| Sounds to me like the best criminals become nations.
| er4hn wrote:
| If crooks were proficient at using FOSS to write their own
| encryption apps that obey best practices... working as an SWE
| would probably pay better and have fewer downsides.
| sbierwagen wrote:
| It does.
|
| The standard playbook for rolling up criminal conspiracies is
| to arrest a low level member, offer him a reduced sentence in
| return for testimony, arrest the next guy higher up based on
| that testimony, etc. (The only way to prevent that would be a
| fully trustless "cell" structure where none of the conspirators
| know each other, which has never been done in real life.)
|
| You will notice none of this requires communications
| intercepts. This is because the feds are simply lying when
| they say encryption prevents law enforcement operations.
| jstarfish wrote:
| There was a Chinese drug lord operating out of Canada who
| did successfully pull off the cell structure. Amazon of
| Drugs or something.
|
| Somehow they managed perfect forward secrecy.
|
| For a while.
| spitfire wrote:
| Here he is.
|
| https://torontolife.com/city/this-man-is-the-jeff-bezos-
| of-t...
| more_corn wrote:
| It has never been discovered to exist. If it's actually
| good it'll defeat attempts to uncover it. An even better
| cell structure would be one where the cells don't even know
| that other cells exist.
| upofadown wrote:
| None of these busts involved breaking encryption. They all
| involved trusting a third party which later became known to
| be untrustworthy.
| ed_elliott_asc wrote:
| Also when they arrested people the phones were often
| unlocked (I watched a documentary and saw the police
| capture phones and state they were unlocked).
|
| Also they didn't use disappearing messages or delete them
| so the full history was available without breaking any
| encryption.
| pffft8888 wrote:
| The propaganda against encryption is in full swing.
|
| My expectation is that all NSA CNSA[1] encryption standards are
| backdoored at the implementation level (by the NSA who uses Suite
| A for its own communication and I suspect military communications
| outside of that in weapons systems that can fall into enemy
| hands)
|
| I guess the propaganda is driven by FBI and law enforcement
| agencies.
|
| 1. https://en.wikipedia.org/wiki/Commercial_National_Security_A...
| 2. https://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
| aziaziazi wrote:
| Can someone explain to me why this is downvoted? In my
| understanding his proposition about NSA is quite close to a
| popular one and HN seems to allow discussion of hypothesis - if
| they are more probable than imaginary?
|
| Is it the word _propaganda_ that patriots dislike? Not sure if
| some soviet connotation is involved in US but for me it's just
| a synonym of "public lobbying" or "ideology gov marketing".
|
| I know those subjects can become polemic and I don't want to
| throw oil on the fire, but an "out of debate" clarification
| would be nice and helpful.
| jmclnx wrote:
| It was an interesting read, moral to me is not to use Cell
| Phones for anything illegal. If you do not control the keys,
| you might as well not bother with encryption.
| mschuster91 wrote:
| Even if you control the keys, it does not protect you from
| vulnerabilities somewhere in the stack. Stuff like thumbnail
| generation provided by the OS has been used by cyber-
| criminals in the past to compromise phones by sending MMSes
| or even third-party messenger apps, and I'd take a guess and
| bet that at least the Five Eyes government agencies all have
| a sizeable cache of baseband vulnerabilities.
|
| Technology simply has become far too complex to be reasonably
| secure, even if you have the financial firepower of being
| Apple, Sony, Microsoft, Nintendo or Amazon.
| wmf wrote:
| This article isn't spreading any propaganda against encryption.
| If anything, it makes the case that new backdoors are not
| needed.
| abigail95 wrote:
| It's so dumb - think about the signals you are sending out just
| by having such a device. Let alone trusting someone else to
| harden it for you.
|
| Think about Monero - it's a lot more suspicious to be dealing
| with that than regular bitcoin.
|
| For privacy advocates it's fine, you aren't doing anything wrong
| by using e2e and monero, any govt looking at you won't be able to
| get past reasonable suspicion.
|
| But if you're a criminal you're basically glowing in the dark by
| doing this stuff. Regular phones are also encrypted! Facetime is
| e2e? What was the point of the "AN0M" phones? What did they give
| you except a supply chain risk and a 100x SIGINT interest factor
| than a normal person.
| boomboomsubban wrote:
| One warrant let the Gendarmerie copy all data on EncroChat phones
| indefinitely, and seemingly let them then use that data for any
| number of charges. That is kind of messed up. Burying it in "but
| we have to stop the drugs" doesn't change anything.
| tantalor wrote:
| What are you complaining about? Are you implying that there
| should have been additional warrants required? Because the
| article doesn't say there weren't. All it says is,
|
| > Gendarmerie executed a warrant to secretly copy EncroChat's
| servers
|
| Yes, there was initially one warrant. But there could have been
| many others. And even if there weren't, why is that a bad
| thing? What is your actual complaint?
| from wrote:
| That the message contents of every user of a service were
| indiscriminately read without doing any investigation to see
| which were criminals first? Imagine if the FBI just seized
| the Yahoo! mail database and started reading messages because
| some of the users were criminals.
| masfuerte wrote:
| The FBI did do this with safety deposit boxes. And a judge
| ruled they did nothing wrong!
| https://www.latimes.com/california/story/2022-09-30/judge-
| ba...
| wmf wrote:
| General warrants are supposed to be illegal under US law but it
| doesn't stop law enforcement from trying.
| https://www.eff.org/files/filenode/att/generalwarrantsmemo.p...
| Most of the cases discussed in this article are outside the US
| so I don't know if similar precedents exist.
| upofadown wrote:
| >At Europol, Lecouffe has explained that, although he was of
| course unsurprised to find that criminals used violence, he was
| shocked at "the level of violence" in Europe.
|
| It isn't like they can settle their differences in drug court.
| Black markets and the associated attempts to shut them down
| naturally generate violence. The people involved literally have
| no other choice.
| vasco wrote:
| They have plenty of choices, like not doing crime or
| participating in black markets. What are you talking about?
| DogTweezers wrote:
| [flagged]
| pton_xd wrote:
| Doesn't reflect poorly on the crooks as much as the government.
|
| You have no right to privacy. The government can and will spy on
| everything you do.
| tantalor wrote:
| You do have a right to privacy by default, but the government
| can spy if it has a good enough reason.
|
| If you thought being spied on was bad, wait til you hear what
| the government does when it thinks you're guilty of a crime.
| remram wrote:
| It seems that "suspecting it might have a good reason later"
| or "you're using the same service as other people it has a
| good reason to spy on" are sufficient reasons now.
| yieldcrv wrote:
| anybody that's tried to do a commodities trade over whatsapp
| can tell you there are just a lot of dumb crooks out there
|
| but especially in Europe
| harvey9 wrote:
| If the adversary had been another gang of crooks it's still bad
| security.
| adventured wrote:
| https://archive.ph/DOA8y
___________________________________________________________________
(page generated 2023-04-17 23:00 UTC)