53 comments

[ 6.2 ms ] story [ 151 ms ] thread
Lol they probably would have been caught sooner if they used PGP
PGP is known to have worked for at least a handful of people and it's easy (comparatively) for normal people to understand the dangers of using.

These smartphone apps have spent orders of magnitude less time under attack, are often closed source, often integrate OS vendor and carrier value add in ways that make them weak, and their centralized and closed nature makes forcing both en mass and targeted key exfiltration updates on users trivial.

There are zero secure messaging smartphone apps and there never will be unless smartphones substantially change.

Wire + GrapheneOS isn't secure? Security experts seem to be above justifying their claims 99% of the time these days.
> There are zero secure messaging smartphone apps and there never will be unless smartphones substantially change.

Agreed - if you really wanted to make a (more) secure messaging device then you wouldn't base it on a phone to start with.

This article is so full of vague information and flat-out wrong information, I recommend reading another one.

It reads like it's written by someone who skimmed three other news articles without really comprehending what's going on, then wrote whatever.

Police never "shut down" Sky ECC, especially not prior to the raid.

This article is quite interesting

https://www.politico.eu/article/cryptophone-firm-dismisses-b...

Sky ECC denies the breach (see also [0]):

> "a fake phishing application falsely branded as Sky ECC was illegally created, modified and side-loaded onto unsecure devices"

The belgian police claims:

> Sky ECC's claims were "bullshit."

> So confident were the police that they broke Sky ECC's code, they said they sent the firm their bank account details to claim a $5 million (€4.2 million) bug bounty Sky ECC promised to pay out to security researchers that had managed it.

Quite ballsy.

> “The work is only starting,” a spokesperson for the Belgian judicial police had said Tuesday, adding that many more investigations were likely to follow as the decrypted messages yielded more leads.

I don't see why they'd give those criminals this notice to prepare. I'd assume a bunch of surprise house-visits would be more effective, if they have all this info.

The story smells somewhat fishy from both ends. Good drama though. If they really breached Sky ECC's security, they should be able to prove this by solving a cryptographic challenge by them.

[0] https://www.skyecc.com/sky-ecc-platform-remains-secure-and-n...

In a cop show, they'd bust everyone they could with the info they have. Then they'd say something publicly like, "the work is only starting", to make the folks they can't bust nervous enough to do something stupid.

The Galaxy brain move is maybe to realize that this news will cause the crims to move to a new network, and to have one waiting for them.

E:sp

In the levels of government of which the bureaucrats and appointees in charge of this operation are a part creating grandiose publicity for career purposes with no intention of following through and every intention of leaving it for the next guy to mop up is far more common than "galaxy brain" moves.
This is actually a very big thing in Belgium at the moment ([0]).

> I don't see why they'd give those criminals this notice to prepare. I'd assume a bunch of surprise house-visits would be more effective, if they have all this info.

This actually happened ([1]). In 1 huge operation, 1600 agents performed 200 house searches. This resulted in 48 arrests.

[0] https://www.vrt.be/vrtnws/nl/dossiers/2021/03/politieoperati... [1] https://www.vrt.be/vrtnws/nl/2021/03/09/huiszoekingen-200-15...

My guess is that some of those people could have worked with governments (e.g. having "permission" to deal drugs and do other stuff in exchange for a cut) so they got time to cover their tracks.
Reading about this, I wonder if there is a market for legitimate secure phones, i.e. not marketed towards criminals. Businesses are afraid of industrial espionage. Political activists are afraid of persecution (and yes, it can also happen in the west, even if you are doing "good" things and are non-violent).

The defenses in both cases can be quite different. For some people, a cheap Chromebook that you can wipe quickly plus 2FA gives great security, or using a modern (encrypted) phone with Signal. But what if you are, say, protesting against the construction of a new Google campus on top of your neighborhood? Then you'd don't want all your secret stuff on their infrastructure. Normally you assume everybody is playing fair, but it would be so easy for them to push out a malicious update to your phone to gather dirt on you.

If one has experience with AOSP and security, there seems to be a market for an open, secure phone. But I wonder how you'd keep the organized crime out, or at least keep plausible deniability to not get into trouble...

I dont even need a legitimate secure phone. All i want is a phone where i can install debian or any linux flavour, just like on a regular pc or a raspberry pi. There are too few options that allow for it and are quite low spec. Once we gain such freedom then we can get the security we want the way we want - not security as defined and controlled by a third party.
That'd definitely be an improvement, but you still have backdoors on your CPU brought to you by Intel(tm).
The only closed (and staying closed) part of the PinePhone is the FCC regulated part of the modem.

If someone wanted to make a modem with no binary blobs we could have fully Open hardware in toto.

There's the opportunity to make Linux programs scalable to small screens right now; that's a big part of the dev time currently.

The pinephone looks very promising though softwarewise is not there yet, it keeps on inproving quickly.
Any truly secure phone will attract criminals which in turn will attract law enforcement scrutiny.

It's like building a private house with barbed wire, armed guards, ... people will wonder what's going on inside.

Today, the only way to make it as a criminal in the West is to fly under the radar.

Stuff like "the Amazon of drugs", or "the WhatsApp for criminals" will always be taken down.

Again ?

After Encrochat[1], Criminals in Netherland/France/Belgium are really the dumbest around. I mean, good for us ? Fool me once, shame on me, fool me twice...

[1] https://en.wikipedia.org/wiki/EncroChat

I don't see how the latest iPhone with Signal installed and a text-based diceware passphrase for locking it would be inferior to EncroChat. You can even turn on a feature that resets the phone to factory settings once ten wrong tries have occurred.
(comment deleted)
Or perhaps the dutch/french/belgium cops are smarter than the average one ?

or maybe the reason is because there is a large platform of drug traffic in those areas compared to others..

This may be a dumb question, but is there any reason why these crime groups don't just use Signal? I understand a phone number is required upon registration but a burner sim could be used and discarded for that purpose.
It's not a dumb question at all. I bet you that 99% of criminals already use Signal. These ones were dumb enough not to use it and got caught

If you want a Signal-like app that doesn't need a phone number you can use www.groupsapp.online

You should have disclosed that groupsapp is your app. How's it better than signal in terms of security other than not requiring phone number? How is the E2EE implemented? Is it open source?
Indeed, I disclose here that I am the developer. It's not better or worse, it's different. You can see a list of features in the link, that should be better than me writing them here (main security pluses are: doesn't read from phone book, email can be masked, sent messages can be deleted even after having been read, and there is a self-destruct mechanism)

E2EE is implemented with RSA+AES. iOS uses keychain and CommonCrypto. Android uses a modified BouncyCastles. I'll probably open source the code once I've figured out the licensing details

(comment deleted)
Or even better, why don't they have their own synapse network with proper PKI and key rotation?

Because anyone who can do that wouldn't waste their lives workin for criminals when they can make safe money legally.

Thats exactly what the Mexican cartels had until the guy that ran it flipped on them. They even had their own cell towers in remote areas of Mexico.
> anyone who can do that wouldn't waste their lives workin for criminals when they can make safe money legally

The skills required to set up a secure communications network aren't that valued (as in it won't make you a millionaire) in the legal world, and even less so in Europe where IT salaries are absolutely terrible.

It will allow you to live comfortably at least.

Look I know because I've been between those two worlds. When I was around criminals I had the option of working for them for money and would probably make more than I do today because it would be tax free. But it wouldn't be millions because I'd be in the background helping out with IT infra and policy. So if you're smart you take less money to be left as far outside as possible.

The problem is that it's not possible to be outside of that world. You will be taken advantage of. You will be a golden goose that everyone wants a part of just because you can manage their IT securely.

So I was smart and got a safe IT job where I make enough to live very comfortably, work where I want, practically when I want and with people who are not openly sociopaths.

What I meant is that if someone doesn't have a moral problem with breaking the law, US tech wages are more likely to sway them towards the right path (just because of the risk aversity) than EU wages where IT isn't well-compensated.

I know as well because when starting my career I had to make a choice - if it wasn't for a stroke of luck I may have had to pick the wrong path out of desperation (whether I would've made it anywhere is another question - sounds like you looked into it farther than I did).

Thankfully everything worked out and I haven't needed to be on the wrong side of the law, but this was down to luck - you can very well have the skills that would pay well in the criminal world while being stuck in a situation where you can't get much out of those skills in the legal world, so I disagree with the idea that having those skills automatically gives you the option to make a good living legally.

I try not to identify myself too much with this account but I'm talking from an EU perspective, not US. Just FYI.

Not only EU perspective but Swedish one too where it's very difficult to launder cash.

So it's just not a smart decision to get in bed with crazy criminals. It was a decision I pondered as a young and short sighted 20 year old.

In retrospect it's much easier to make a comfortable living as a simple SRE, Sysadmin or Devops consultant. What ever basic knowledge you must have to setup a proper PKI is enough skill to become at least one of those professions.

I have the same "dumb" question every time I read this type of news.
You only hear about dumb crooks because those are the ones that get caught.
Signal keeps chat history on the device, meaning all the incriminating evidence (of yourself and others) is on your person when you get arrested.

Sky ECC wipes messages after 30 seconds, meaning a seized phone is of limited value to investigators.

Is this still the case even if you set it messages to self-delete after a set period?
Signal has a function to delete messages after a set interval (after having read it.)

I don't know about Sky ECC, but Signal requires a Phone # to register, as far as I remember. It's increasingly hard to get anonymous Phone # in the EU. That might be an argument against using it.

Open the Desktop Signal app, connect it to your phone, and watch it download all the supposedly "expired" messages.

They will not always be shown, but they are downloaded.

They're selling a device too, it's not just an app. If you're a high level criminal it's not irrational to worry about zero days getting used on you. The attack surface isn't limited to any one app [0]. I can see how this may be compelling, if done right it makes a lot of sense. Yes, a tiny no-name company is pretty likely to totally mess up. But the "error" in thinking here is being bad with probabilities rather than strictly not understanding something technical.

I'd also wonder if there's an element of buying access. If all the top people in some criminal industry use it, it may be a way to signal membership.

[0] not that there haven't been numerous whatsapp zerodays and expecting the Signal honeymoon to last makes about as much sense as "there's no Linux/Mac malware"

If you where a really high level criminal you wouldn't use a phone at all, you'd pass all your instructions in person to lieutenants who'd pass them on down the chain.

This was largely how the Mob operated for decades and why RICO was created.

Communications security against national state level organisations in the current environment is a no-win situation for the defending side, you can make their life more difficult but for you to go truly dark means using nothing that shuffles electrons around.

I feel like you may have a different definition of who a high level criminal is. I would consider anybody who derives significant revenue (say above $1M) from a criminal activity to count.

I'd also question how many highly hierarchical criminal organizations exist today and how many have in the recent past. Media and governments love to overemphasize the organized element for simplicity. Likewise many "terrorist organizations" aren't organized either. In practice you mostly see very lose networks that operate a lot like the rest of the economy. There may be some emergent structure but it's usually not deliberate.

> If you where a really high level criminal you wouldn't use a phone at all, you'd pass all your instructions in person to lieutenants who'd pass them on down the chain.

> This was largely how the Mob operated for decades and why RICO was created.

That would be a legal strategy not a communications security one. It may have been more feasible to proxy away legal responsibility before RICO and such.

> it may be a way to signal membership.

Yeah, because they want the world to know they are successful criminals. Just wondering: do they also wear a Beagle Boys mask?

No, they want other criminals to know they're trustworthy. The risk of doing business is very high in criminal endeavors. People may have (or want to access) great deals to offer but no easy way to safely broker a transaction. This also creates the very conditions for these great deals to exist.
Convenience. Why bother with stuff like, say, validating your Signal "safety numbers" to ensure that you are actually talking to your contact and not the police? Why bother with insuring you are quickly deleting your old messages? Why bother with finding a burner SIM? Instead, just farm out all the boring detail to someone else and buy a "secure" phone for $1-$2k. Unfortunately, at that point you are trusting a third party which becomes a single point of failure.

There was a case where a company was selling a "PGP phone" where it turned out that, to save having to bother the customer with key generation on the phone, they were doing it on the servers[1]. So the police grabbed the servers with all the private keys and there were a lot of sad customers.

To do end to end encryption in a way that works, there is a minimum level of understanding required. These "secure" phones are really a type of scam that preys on the not sufficiently informed.

Note that Signal on a smart phone is not anywhere near the most secure way to communicate over the internet. Smart phones themselves are not particularly secure and are vulnerable any time they are unlocked. Instant messaging is inherently insecure because it is always on and thus makes it impossible to keep the secret key information locked up securely when the user is not in a safe environment.

[1] https://securityaffairs.co/wordpress/57036/cyber-crime/black...

I think in large parts of Europe you need to identify/register when buying a sim. No idea how hard it is to get one without.

Also I was just wondering, albeit maybe ridiculous, if criminals have the same issues with messenger apps as the rest of us, in so far that you are kinda forced to use whichever app is the most popular. I reckon there is not much criming to be done, if everyone in your gangster-circle is using a different app.

I don't think criminals lower down the hierarchies have or have access to much security knowledge, so they might just pick the currently most popular or use multiple apps depending who they talk to.

You can buy them on UK Ebay with no ID and they can work throughout the EU.
Ignoring the rest of the stack for a minute, any crime group should be hesitant to us software connected to the US.

National security letters are still very much a thing there. Signal has fought at least one and won (https://signal.org/bigbrother/) we can only know about ones they've won against.

Plus say you use Signal, how are you connecting? If that's through an app store then your binary has been replaced. A similar thing happened with Hushmail and their 'client side pgp' jar file: https://archive.is/IRYoh.

Then you have to consider the sealed-sender stuff, and other metadata. If your crime group isn't specializing in tech crime in general then outsourcing to a third-party (that could use the Signal code internally) probably makes more sense then trying to figure this stuff out yourself.

With the option of using a burner sim, I thought about the fact that at least in the US, most places you would buy a prepaid sim will also have you on video surveillance when you purchase it.

Maybe I've been watching too much TV, but would it be better to pay some random person to go into a store and buy my sim/chromebook/phone in cash and then bring it to me at a location I know does not have video surveillance?