64 comments

[ 3.0 ms ] story [ 137 ms ] thread
One interesting thing I read in a Dutch paper today was that a cyber security expert that was involved in the hack was surprised they kept using these specialized services. It’s very easy for authorities to get approval to hack and read _all_ the messages of a service that has a user base that is nearly 100% criminal. If criminals were smart (his words), they’d use Signal or Whatsapp where they’d be a small percentage of the user base and authorities would have a much harder time to get court-allowed blanket access like they had with Sky or Encro.
From what I can tell, encryption services like this function more like an affinity scam. People believe any claim to make them feel safe.

(Not saying this service was a fraud, just that the users are not objective)

I think it's an issue with estimating probabilities.

They probably saw a few failures a year of people using Signal or WhatsApp slopily on old Android phones that were easy to sideload onto with a warrant, had microphones with no hard switch, etc, etc.

They probably saw no failures of Sky ECC (as it sounds like a vendor hardened the phone for them and any convenience over security features are non-existent) right up until the claim that the protocol is broken and everyone is affected.

Based on this story, for all we know most criminals are smart. It's just the dumb ones use Sky and get caught.
And yet, the police all claim that criminals are dumb, and wait for them to do something that gets them caught. That's one of the basic investigation tactics--wait for the criminal to screw up.
Because all the ones they catch are dumb. There’s no information on how many are smart
It’s not an issue of smart vs. dumb. It’s that the cops can screw up infinitely without consequence (yesterday US cops shot a 1 year old baby in the head... nothing will happen to any of them) while the criminals have to be perfect and get busted on the first mistake. That asymmetry is why idiot cops who could barely graduate high school routinely bust even skilled criminals.
> the police all claim that [...]

Yes, because if this wasn't true they would look bad.

> If criminals were smart (his words), they’d use Signal or Whatsapp where they’d be a small percentage of the user base and authorities would have a much harder time to get court-allowed blanket access like they had with Sky or Encro.

How could I get a court order to get blanket access to Signal?

Ineffective, or using side-channels
> Ineffective, or using side-channels

Yeah, I worry more about the device running Signal.

Is it up to date? | Any other apps with flaws?

And then any time the browser is used there's risk, especially since mobile devices are worse about supporting ad blocking - that's one reason I like Algo - block malicious stuff at the DNS level rather than worry your combination of privacy extensions is giving you security but also making you more fingerprintable (reducing privacy).

BUT I like Signal as a way to reduce ambiguity. (Eg: If I text you on Signal, it's unlikely someone snarfed that out of the air, and over time I can see where information is leaking, same goes for a voice chat)

Then it's down to trust, which is sadly an unsolved problem. (At least for this poster)

You can’t, that was his point.
> You can’t, that was his point.

Oh, ok. I'd prefer he say things directly. For example, if someone insinuates criminals are stupid I tend to discount what they say, not try to infer the speaker's true meaning.

(Many criminals are extremely intelligent, but feel stymied from legitimate employment despite having smarts and skills, this is a well documented phenomenon.)

> a service that has a user base that is nearly 100% criminal

The article says this service is widely used among criminals. That doesn't mean the user base of this service is largely criminals. In fact I would be surprised there would be 170k criminals around the world using a single service I had never heard about, seems very high to me.

> In fact I would be surprised there would be 170k criminals around the world using a single service I had never heard about, seems very high to me.

Do you not think that, perhaps, criminals will know other criminals (I mean we're talking organize crime here), and will have whisper-networks in place? Or are you saying that you're plugged-in to what smugglers, etc. do and you had never heard of it?

He's saying he thinks that there would be 170k criminals forming a singular network seems like a high number.

To me, it sounds low. There are very niche interest websites with 750k accounts[1]. Further, 170k isn't the number of criminals, but the number of people who had interaction with Sky - Which may be basically anyone who had a shady friend.

The problem with our modern understanding of "innocent until proven guilty" is that unsubstantiated rumor can spark fire very quickly, while real damage can fly under the radar for a very long time. People who have been actually damaged often try to extricate themselves from the situation as quickly as possible, or end up trapped and pushing further into it. Without real numbers to back this up: If you marry an abusive spouse, Either you get a quick if painful divorce, or you normalize it and become embedded deeply in the relationship and cut off from your friends who tell you to get away, because their advice for setting boundaries only gets you hurt further.

I have no doubt that the niche interest of shady behavior can attract a few hundred thousand users, while staying unknown to anyone outside the niche.

[1] Furaffinity claims this number, as a standard internet oddity, but fimfiction.net boasts nearly 300k; Many other "weird" websites probably have numbers in the 50-500k range.

Assuming A) you are not a criminal, and B) the service is only used by criminals - why would you have heard of it?
I presume most users of such service are professionals in anything but cyber security and can be as misguided as an average Joe on the street.
Full headline: "Belgian Police Say They Decrypted Half a Billion ‘Sky’ Messages, Arrested 48 People"

From the article: "Around the world, there are approximately 171,000 SKY ECC telephones in service [...] Each month, around 70,000 of these phones actively communicate on the SKY ECC network [...] More than 1.2 million euros, 15 prohibited weapons, including six firearms, eight luxury vehicles, three machines used to count money, police uniforms and GPS beacons were also seized today"

Doesn't sound like a great hit rate to me!

What do you reckon the 9 non-firearm prohibited weapons are, trebuchets? Medieval flails? Clubs with nails in them?

Keep in mind this is not the American continent and there are considerably less firearms to begin with.
What about Switzerland?
One of the few places with high firearms ownership, raising the average higher above the median.
Knives have many restrictions such as opening and locking one handed or being too long. Certain kinds of flashlights and clubs are illegal for civilians in Germany so I imagine something along those lines might be applicable in Belgium as well.
There are some pretty silly weapon prohibitions out there. In Canada, the list includes some familiar ones like brass knuckles and butterfly knives... and yes, it appears that flails are on the list. Trebuchets, ballistas and catapults appear to be legal here.

https://laws-lois.justice.gc.ca/eng/regulations/sor-98-462/f...

>Any instrument or device commonly known as “shuriken”

I can now walk confidently at night knowing I'm safe from Ninjas

(comment deleted)
Law abiding ninjas.

You're probably safe from most law abiding people, tautologically.

If anything, the most dangerous people, statistically, are those closest to you, rather than, say, random street ninjas.

What's silly about prohibiting knuckledusters?

They have one and only one use, are easily consealed, and very effective.

I operate a laser cutter and am not infrequently asked to cut knuckles and always politely refuse with a brief explanation why.

It's butterfly knives, nunchucks and other medieval weapons that I find to be extremely silly. They're usually more of a risk to the user than their intended, and generally limit history buffs and martial artists more than prevent crime.

I was born and raised in a place where getting a gun was as simple as putting together $100 or so and walking down to the corner. Not the corner store, mind you. In that context, any ban on melee weapons feels silly to me. But yeah, knuckledusters can really ruin your evening/face.

The flail I can understand, due to the disproportionate risk of hitting yourself in the face with it.

However, having grown up in an environment where carrying weapons is generally banned, it seems equally silly to me that people with short fuses might have them at hand.

It's one of those things I chalk up to personal values. I can understand the opposite rationale, but prefer the Canadian way.

> What do you reckon the 9 non-firearm prohibited weapons are

I wonder if a hand grenade would be counted as a firearm or not?

The other thing that springs to mind would be switchblades.

I'd guess grenades are more likely to be categorized as explosive devices.
There's a bullet list halfway here:

https://advo-recht.be/kennisbank/strafrecht/misdrijven/welke...

Some non-firearms on the list:

* Lots of types of knives, like Stilettos

* shurikens

* Blank weapons which look like other objects, like a knife hidden in an umbrella

* Clubs and batons

* Electric shockers

* Aerosol cans and sprays for self defence

* Nunchuks

Technically, anti personnel mines, flamethrowers and laser weapons might also be considered non-firearms, but I assume even the USA forbids these.

Interesting point is your medieval flail, which is probably legal as a historical ornamental weapon. Good luck explaining that one to the cops, though

Nunchuks are banned in a lot of places in the US, too (CA and VA at least). I think it's easy for people outside the US to miss what a patchwork of regulation we have here.
(comment deleted)
I believe landmines would be illegal in the US as destructive devices, although you might be able to get a stamp to buy one, not sure.

But flamethrowers and any power laser are legal without any special paperwork in almost all states.

In US you can sieze that many firearms raiding a random nightclub. :)
Knives, swords, and crossbows are pretty popular in drugs gangs -- due, I understand, to a perception that forensic analysis is harder (it isn't), the sentences may be lighter (they aren't), and that the weapons are stealthier (uncertain) or "cool" (not outside of video games!)
Nah its not for any of those reasons. Its because their quiet, drawing less attention when used and are easier to acquire. Guns are expensive, harder to get and attract a shit ton of attention when used. Its more of an economics and availability thing.
(comment deleted)
There was a much publicised terrorist raid in Australia where the police raided a suspected Muslim terrorist and proudly displayed an evidence bag containing a sword which turned out to be a common Shiite plastic decoration that wasn't sharp enough to cut a cucumber. Their suspect was released with no charges but it didn't give me a lot of confidence in their capability to protect the public from real dangers.

I still find it amusing when I go into a store here and use self-checkouts and there are messages aimed at people in neighboring states advising them that plastic picnic cutlery can't be purchased by people under the age of 16. I am sure the intention is good but legislators and law enforcement often seem to do things with no obvious benefit.

You have to take a kid's gell blaster down to the cop shop and register it as a class A firearm which puts it in the same category as a rifle or shotgun that isn't self loading. Now I get that you don't want people waving replica firearms at the police and getting shot for their stupidity but this isn't a lethal device. It is toy that is intended to be shot at people for fun. You would think adding a visual indication distinguishing it as a toy would be sufficient. I fully support gun control but this is crazy even to me.

Any more details on the type of phones they use? iPhones, stock Android, feature phones?

Would be neat to get a tech breakdown of the phones.

Seems like Google pixels. Just do an image search for the product name and you’ll see it for sale from “spy stores” that sell things like hidden cameras.
Which tells you a little about how price insensitive the users are.

Who chooses a $800 phone as the basis for a service only offering text chat when a $50 phone would work just fine?

That business model worked for blackberry until it didn’t.
An interesting aspect is the guilty until proven innocent aspect:

Rough translation of parts of the header of https://www.vrt.be/vrtnws/nl/2021/03/11/oproep-sky/ :

  The federal police sent out a special 'wanted' message: All users of the encrypted Sky ECC phone have to report [...]If the phone was used for legitimate purposes, the collected data will after verification be [veiliggesteld]
I don't know how to translate [veiliggesteld] as it is pretty vague. The word might be approximated as 'made safe' or 'put in a secure location', but it surely does not mean destroyed.

As expected, the whole thing raises some eyebrows in privacy circles.

Veiliggesteld would translate somewhere close to safeguarded or stored securely.

Which is a strange thing to do with an innocent person's data but that is what's reported.

(comment deleted)
> An interesting aspect is the guilty until proven innocent aspect

A few years back people considered "H.R.4681 - Intelligence Authorization Act" to be a victory in terms of limiting how long government can keep information of U.S. citizens "not wittingly"[1] captured by intelligence agencies in their hoovering activities. I thought the coincidence of the specific provisions in that law with the drive towards making sure all communications on the web is encrypted was "interesting".[2]

[1]: https://fas.org/blogs/secrecy/2014/01/clapper-ssci/

[2]: https://www.nu42.com/2014/12/https-everywhere-and-hr4681.htm...

As far as I understand, they were logging the encrypted messages for a long time, but only had live access for a few weeks. My guess is they used this to intercept a large shipment (17+ ton of cocaine captured), and watch the communications after that to rapidly identify the players involved.

Sky phones were set up with dedicated sims, everything else but their app blocked. There's no telephone number, email adress or other id to identify users. The app also featured self-deleting messages and post-seizure remote wiping. Besides the phone, they required an expensive subscription.

If these phones keep showing up on suspects, only available via no questions asked dealers, and you can't get anything from the phones themselves, it's easier to get a court order to go after the service itself. If you can then log all encrypted messages on or near the servers, and see they're mostly going to Belgium/Netherlands, then you can try to read all messages. Either via decryption, or compromising update servers, or ...

Because there's no way to identify users besides reading the messages, they asked legitimate users to come forward so their data can be excluded from the investigation.

> Because there's no way to identify users besides reading the messages, they asked legitimate users to come forward so their data can be excluded from the investigation.

Excluded from the investigation but still kept and also recorded in the first place because of dragnet surveillance. If I'm not comfortable with them seeing anything because I'm not guilty of anything what do I do then?

(comment deleted)
This will be used as support when they come for signal by pressuring Apple and Google to ban it from the store. Facebrick will just remove whatsapp end to end encryption.

How should we react when it starts?

Me waves to the security state "dudes" on this sight! Good to see you here!

A PR battle to change the law is a PR battle so you can sell a change in the law taking away people's rights.

Officer Sicknick didn't have his head smashed by a fire-extinguisher in the riot, so apparently that was also false. Many haven't heard that yet and bristle that it was a lie, but it was. The corrections are now there but just whispered. Disinformation that is great support a war on domestic terror to get the security state more unchecked power. Power wants more power no matter what ideology wields it, it would seem. I guess I should have pointed out more explicitly just how much of the law-enforcement claims reported in the article was also totally unsupported by evidence. I will believe it when there is evidence and not before because I've been had by law-enforcement press-release stenography enough now that my default position has gone from "probably true" to "probably false" absent evidence. I doubt I'm alone in that change.

"Given that the services provided by the organization seem to be almost exclusively criminal in nature, the federal prosecutor's office decided at the end of 2018 to open an investigation against SKY ECC and against the people who make these phones available to the criminal community,"

See that? Providing encrypted messaging is "almost exclusively criminal in nature". This the the PR battle that exists and is escalating. This one is the latest shot.

FBI, CIA, NSA, they hate the idea you can talk to someone in private without leaving a permanent record. They just hate it. "If you have nothing to hide why do you wear pants?!?"

So what else will come in the PR war on encryption other than "Domestic terrorists" and "Organised crime."

Will nobody think of the children!?!

It is building and will come, no matter how much you dislike the orange idiot, love your country and believe in law-abiding truth, justice and all that good stuff.

Is end to end encryption worth anything? I strongly suspect it has negative worth to facebook.

Surely this is not a smart move from authorities? The whole point of having these capabilities is to not advertise them until extremely necessary. The seizures reported don’t seem particularly significant. Would’ve smarter to keep mum and look for some “parallel construction” when doing these busts, surely...?
It's possible that they knew they were either losing access (perhaps a vendor update or action was going to break access) or that news was going to spread due to some upcoming legal case. In that case they might try to get as much impact as possible, especially if they were in position to monitor what spooked users tried to switch to or whether they started communicating to previously unseen partners.
Only true if they were confident they could keep mum about the hack. Someone in law enforcement could leak it to the criminals, SKY could find out, etc...
The users aren't that stupid. If the police have been quiet for months and suddenly start busting many different gangs by doing raids that would have required information only a few gang members had, it doesn't take a genius to figure out that the common thread is the use of Sky phones.

Once they start exploiting intel like that, it won't take long until the jig is up, so coordination and mass action becomes essential.

(comment deleted)
They should go after knife makers next, 99.8% of all stabbings are made with knives
(comment deleted)
Shouldn't the Policemen in question then be charged with breaching the secrecy of correspondance for each of those of the messages that did not pertain to illegal activities?

Het briefgeheim is onschendbaar.

In Serbia government officials displayed some gruesome photos on TV couple weeks ago which were allegedly obtained from SkyECC phones with equipment borrowed from EU.