[HN Gopher] Crooks' mistaken bet on encrypted phones
___________________________________________________________________
Crooks' mistaken bet on encrypted phones

Author : jbegley
Score  : 64 points
Date   : 2023-04-17 19:09 UTC (3 hours ago)

(HTM) web link (www.newyorker.com)
(TXT) w3m dump (www.newyorker.com)

| mschuster91 wrote:
| > He told me that, although there were measures a government could take to combat organized crime--better scanners, more customs officers, improved collaboration between national police forces--the flow of drugs would stop only if there was a change in attitude among Europeans. "Drugs are being normalized in our society," he said. "Users need to look themselves in the mirror. They are putting our security in danger. I hope they are wise enough to understand that, without demand, there is no supply."
|
| Just how long will it take politicians to finally recognize that prohibition is the problem? It didn't work for alcohol in the US (and created Al Capone in the process), it didn't work for cannabis, it didn't work for sex work, it didn't work for porn, it didn't work for any other kind of drug. All it ever created was senseless suffering on all levels, from governments whose budgets were and are drained by the cost of prosecuting all the drug crime, over the users who literally die like flies from contaminated products or accidental overdoses, to society which can't rely on not being shot in a drive-by gang fight or walking home without stepping over feces and heroin needles.
|
| The only place where prohibition somehow works halfway is CSAM and pedophilia, but only because everyone but the pedos hates the pedos and agrees it's unacceptable - and even there, with this worldwide unity, there's still more than enough pedos that corrupt local officials in poor countries where pedos from all over the world exploit the utter poverty that leads people to send their children into human trafficking.
|
| ViVr wrote:
| > "The network, owned by a Dutchman named Danny Manupassa, had made a spectacular bungle: it had stored the private keys for the system on the same server as the network's messages. Analysts in the Netherlands obtained the private keys and then used them to decrypt Ennetcom texts."
|
| Not your keys not your comms. But even then, apply defense in depth.
|
| > "Sky's messages ran on a different system than EncroChat's, and it was more difficult to infect the network with bulk malware. Instead, someone with knowledge of the investigation told me, analysts seem to have launched a "protocol attack" that deceived handsets into revealing their private keys."
|
| joebiden2 wrote:
| If "crooks" as a category would be so stupid, we wouldn't have crime at all.
|
| While good, this is fishing the ocean with a fishing rod to me. The comfiest, surface-nearest and most trusting fish get arrested, which ironically could well be strengthening the real underground.
|
| c7DJTLrn wrote:
| The smart crooks use Signal on iOS with backups off. Maybe a VPN for good measure.
|
| joebiden2 wrote:
| I think the real crooks do the old-fashioned stuff. Like, not use a smartphone at all for criminal things. Just use expendable workers over two or three layers of hierarchy :)
|
| account-5 wrote:
| Is Signal on iOS safer than Signal on Android?
|
| wmf wrote:
| Yes, just because iOS itself is harder to hack. For example there are trivial evil maid style attacks against Android: https://www.tiktok.com/@android_infosecurity/video/718590789...
|
| CommitSyn wrote:
| Security 101: Physical compromise is full compromise. If someone with the means has access to your unlocked iPhone, it's game over as quickly as Android. Remember JailbreakMe? That was the NiceGuy(tm) version of iPhone hacking. Now companies bill governments millions of dollars for iPhone jailbreaks and you can't even sideload apps after.
|
| JCharante wrote:
| Why don't criminals just meet in person to swap public keys and use email to mail each other encrypted messages?
|
| notRobot wrote:
| Because that requires technical skills most laypeople don't have.
|
| antibasilisk wrote:
| Because depending on your threat model, meeting in person may be undesirable.
|
| chefandy wrote:
| The convenience and knowledge barriers are too high for most people. It's pretty straightforward for folks with tech subject matter expertise, but for most others, it's just not worth figuring out what they need to know, then getting all of the prerequisite knowledge that lets them learn that, then worrying about screwing it up, or maybe relying on someone else for basic operations, etc.
|
| It's often tough for developers to see this for the same reason it's tough to write documentation-- reasoning about a beginner's perspective is a specific skill that takes study and practice. That's why software companies that need financially stable products hire technical writers and interface designers, and it's a place where FOSS really struggles.
|
| For example, Mastodon's active userbase has dropped 50% since its peak during the beginning of the Musk/Twitter debacle... even for the ones brave enough to plunge in head-first, it was too much technical resistance compared to the more straightforward alternatives that they had already abandoned. I think it was a missed opportunity.
|
| Gigachad wrote:
| Because no one will ever do that. Even if they risk being arrested.
|
| skatanski wrote:
| If anyone is interested, there's a pretty good Darknet Diaries episode that covers some of this and other cases: https://darknetdiaries.com/transcript/105/
|
| ipaddr wrote:
| Isn't the guy speaking part of the hacker quality radio crew?
|
| davely wrote:
| Nice! I just love this podcast so much. I think I discovered it from an older Hacker News thread a year ago or so.
|
| LoganDark wrote:
| Might be worth adding some indicator that this is a podcast and not a video series
|
| from wrote:
| Really interesting article. I get the impression the Sky ECC bust was bigger than all of the previous ones but maybe that's just cause there was more reporting on it. It's kind of confusing to me why the CEO is wanted in the US because it doesn't seem like there's any evidence he facilitated drug trafficking or at least facilitated it any more than, say, Signal does.
|
| BlueTemplar wrote:
| Murder, torture, drug trafficking... but by far the worst is abbreviating Lord of the Rings as Lor rather than LotR!
|
| the_jeremy wrote:
| "Crooks' mistaken bet on false marketing claiming end-to-end encryption and offshore hosting by 2 different European communication networks that ended up shutting down due to police raids in 2020-2021" is a better title (or I guess just summary at that point).
|
| MuffinFlavored wrote:
| This is a dumb slightly unrelated question by me. Say I was a "crook"/bad guy. Why doesn't "well done" AES/RSA/ECC encryption stop law enforcement from being able to "snoop" on what one crook says to another crook?
|
| bawolff wrote:
| You know the saying don't roll your own crypto, well that is because almost everyone does it wrong. AES/RSA/ECC can't protect you from using it incorrectly.
|
| wmf wrote:
| The real problem is that most people cannot tell whether they're buying proper encryption or snake oil.
|
| e12e wrote:
| The missing part is often the "well done" part. Other than that - traditional bugs/listening devices, malware (recording the sound before encryption/after decryption)?
|
| Then there's traffic analysis (a talk to b, b kill c, b talk to a). See also: "well done".
|
| forgotmypw17 wrote:
| I think the main reason is that LE basically has root on the entire stack up to the encryption.
|
| onion2k wrote:
| It does.
| The problem is that crooks aren't generally trustworthy, and selling you out is leverage they're very willing to use should the cops ever catch them. The same applies to every part of the illicit communications network you rely on - if any part of the trusted chain breaks down in a way that enables the cops to subvert your encryption you're screwed, right down to installing an OS update on your device.
|
| Good opsec is exceptionally hard. If you aren't building it from scratch it probably isn't secure. And even if you are, if you're a big enough target for nation states to be looking you're still going to have a hard time.
|
| bsder wrote:
| It does. But how do you _prove_ you have a "well done" crypto _system_?
|
| Very few "crypto" exploits are ever the issue. It's almost always easier to break some other part of the _system_ than the crypto.
|
| To be honest, if someone were trying to sell me a cryptosystem for a criminal enterprise and I were in the market for one, I'd happily start tracing _everybody_ in that company as they are almost certainly part of the Feds.
|
| If you are the target of a nation state actor, you're pretty much fucked. Once a nation decides to put down that much resource to get _you_, you're getting gotten.
|
| Crypto is only valuable in the sense of "I don't have to outrun the hungry tiger. I just have to outrun _you_ so the tiger stops chasing me to eat." If you, specifically, are a target, crypto won't help you much.
|
| newZWhoDis wrote:
| Sounds to me like the best criminals become nations.
|
| er4hn wrote:
| If crooks were proficient at using FOSS to write their own encryption apps that obey best practices... working as an SWE would probably pay better and have less downsides.
|
| sbierwagen wrote:
| It does.
|
| The standard playbook for rolling up criminal conspiracies is to arrest a low level member, offer him a reduced sentence in return for testimony, arrest the next guy higher up based on that testimony, etc. (The only way to prevent that would be a fully trustless "cell" structure where none of the conspirators know each other, which has never been done in real life.)
|
| You will notice none of this requires communications intercepts. This is because the feds are simply lying when they say encryption prevents law enforcement operations.
|
| jstarfish wrote:
| There was a Chinese drug lord operating out of Canada who did successfully pull off the cell structure. Amazon of Drugs or something.
|
| Somehow they managed perfect forward secrecy.
|
| For a while.
|
| spitfire wrote:
| Here he is.
|
| https://torontolife.com/city/this-man-is-the-jeff-bezos-of-t...
|
| more_corn wrote:
| It has never been discovered to exist. If it's actually good it'll defeat attempts to uncover it. An even better cell structure would be one where the cells don't even know that other cells exist.
|
| upofadown wrote:
| None of these busts involved breaking encryption. They all involved trusting a third party which later became known to be untrustworthy.
|
| ed_elliott_asc wrote:
| Also when they arrested people the phones were often unlocked (I watched a documentary and saw the police capture phones and state they were unlocked)
|
| Also they didn't use disappearing messages or delete them so the full history was available without breaking any encryption
|
| pffft8888 wrote:
| The propaganda against encryption is in full swing.
|
| My expectation is that all NSA CNSA[1] encryption standards are backdoored at the implementation level (by the NSA who uses Suite A for its own communication and I suspect military communications outside of that in weapons systems that can fall into enemy hands)
|
| I guess the propaganda is driven by FBI and law enforcement agencies.
|
| 1. https://en.wikipedia.org/wiki/Commercial_National_Security_A...
| 2. https://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
|
| aziaziazi wrote:
| Can someone explain to me why this is downvoted? In my understanding his proposition about NSA is quite close to a popular one and hn seems to allow discussion of hypotheses - if they are more probable than imaginary?
|
| Is it the word _propaganda_ that patriots dislike? Not sure if some soviet connotation is involved in US but for me it's just a synonym of "public lobbying" or "ideology gov marketing".
|
| I know those subjects can become polemic and I don't want to throw oil on the fire, but an "out of debate" clarification would be nice and helpful.
|
| jmclnx wrote:
| It was an interesting read, moral to me is not to use Cell Phones for anything illegal. If you do not control the keys, you might as well not bother with encryption.
|
| mschuster91 wrote:
| Even if you control the keys, it does not protect you from vulnerabilities somewhere in the stack. Stuff like thumbnail generation provided by the OS has been used by cyber-criminals in the past to compromise phones by sending MMSes or even third-party messenger apps, and I'd take a guess and bet that at least the Five Eyes government agencies all have a sizeable cache of baseband vulnerabilities.
|
| Technology simply has become far too complex to be reasonably secure, even if you have the financial firepower of being Apple, Sony, Microsoft, Nintendo or Amazon.
|
| wmf wrote:
| This article isn't spreading any propaganda against encryption.
| If anything, it makes the case that new backdoors are not needed.
|
| abigail95 wrote:
| It's so dumb - think about the signals you are sending out just by having such a device. Let alone trusting someone else to harden it for you.
|
| Think about Monero - it's a lot more suspicious to be dealing with that than regular bitcoin.
|
| For privacy advocates it's fine, you aren't doing anything wrong by using e2e and monero, any govt looking at you won't be able to get past reasonable suspicion.
|
| But if you're a criminal you're basically glowing in the dark by doing this stuff. Regular phones are also encrypted! Facetime is e2e? What was the point of the "AN0M" phones? What did they give you except a supply chain risk and a 100x SIGINT interest factor than a normal person?
|
| boomboomsubban wrote:
| One warrant let the Gendarmerie copy all data on EncroChat phones indefinitely, and seemingly let them then use that data for any number of charges. That is kind of messed up. Burying it in "but we have to stop the drugs" doesn't change anything.
|
| tantalor wrote:
| What are you complaining about? Are you implying that there should have been additional warrants required? Because the article doesn't say there weren't. All it says is,
|
| > Gendarmerie executed a warrant to secretly copy EncroChat's servers
|
| Yes, there was initially one warrant. But there could have been many others. And even if there weren't, why is that a bad thing? What is your actual complaint?
|
| from wrote:
| That the message contents of every user of a service were indiscriminately read without doing any investigation to see which were criminals first? Imagine if the FBI just seized the Yahoo! mail database and started reading messages because some of the users were criminals.
|
| masfuerte wrote:
| The FBI did do this with safety deposit boxes. And a judge ruled they did nothing wrong! https://www.latimes.com/california/story/2022-09-30/judge-ba...
|
| wmf wrote:
| General warrants are supposed to be illegal under US law but it doesn't stop law enforcement from trying. https://www.eff.org/files/filenode/att/generalwarrantsmemo.p... Most of the cases discussed in this article are outside the US so I don't know if similar precedents exist.
|
| upofadown wrote:
| > At Europol, Lecouffe has explained that, although he was of course unsurprised to find that criminals used violence, he was shocked at "the level of violence" in Europe.
|
| It isn't like they can settle their differences in drug court. Black markets and the associated attempts to shut them down naturally generate violence. The people involved literally have no other choice.
|
| vasco wrote:
| They have plenty of choices, like not doing crime or participating in black markets, what are you talking about.
|
| DogTweezers wrote:
| [flagged]
|
| pton_xd wrote:
| Doesn't reflect poorly on the crooks as much as the government.
|
| You have no right to privacy. The government can and will spy on everything you do.
|
| tantalor wrote:
| You do have a right to privacy by default, but the government can spy if it has a good enough reason.
|
| If you thought being spied on was bad, wait til you hear what the government does when it thinks you're guilty of a crime.
|
| remram wrote:
| It seems that "suspecting it might have a good reason later" or "you're using the same service as other people it has a good reason to spy on" are sufficient reasons now.
|
| yieldcrv wrote:
| anybody that's tried to do a commodities trade over whatsapp can tell you there are just a lot of dumb crooks out there
|
| but especially in Europe
|
| harvey9 wrote:
| If the adversary had been another gang of crooks it's still bad security.
|
| adventured wrote:
| https://archive.ph/DOA8y
___________________________________________________________________
(page generated 2023-04-17 23:00 UTC)