[HN Gopher] Sky Global CEO indicted over encrypted chat drug tra...
___________________________________________________________________
Sky Global CEO indicted over encrypted chat drug trafficking
Author : StuntPope
Score : 74 points
Date : 2021-03-15 10:43 UTC (12 hours ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| _fat_santa wrote:
| Something doesn't square up. knowingly and
| intentionally participated" in a criminal ring that distributed
| narcotics by facilitating the "sale and service of encrypted
| communications devices."
|
| followed by Canada-based Sky Global is a provider
| of custom handsets and the developer of Sky ECC, a subscription-
| based end-to-end encrypted messaging application.
|
| Someone please correct me If I'm wrong but I thought If your
| systems are all E2E encrypted, then you as the service provider
| have no way of seeing what your users are discussing on your
| platform. At least from a technical aspect, the state's case
| doesn't really hold up.
|
| However on the other side of the equation I have to ask. There
| has to be away they knew, and I think that is what the government
| is getting at, even if you can't read the exact messages, surely
| you aren't oblivious to what your users are discussing.
|
| I think this will come down to the makeup of the user base. If
| say only 10% of your customers are using it for illicit purposes,
| you can claim you didn't know, of couldn't have know because the
| messages are E2E encrypted, however if that number is 50+%, then
| I think the case could be made that yes even though you couldn't
| read the exact messages, you can still be held liable.
|
| I'm not an expert in this field and this is my Monday morning
| quarterback, so if someone has any better insights please correct
| me.
| throwaway0a5e wrote:
| >Someone please correct me If I'm wrong but I thought If your
| systems are all E2E encrypted, then you as the service provider
| have no way of seeing what your users are discussing on your
| platform. At least from a technical aspect, the state's case
| doesn't really hold up.
|
| When has a prosecutor ever let reality stop them from throwing
| shit at the wall to see what sticks?
|
| It is highly unlikely that anyone developing an app that
| facilitates crime will leave themselves access to user data.
| It's a pointless risk from a business and criminal liability
| perspective. Pretty much everything illegal runs on the "don't
| ask don't tell" principal. The less you know the less of a
| target you are.
| EthanHeilman wrote:
| >Someone please correct me If I'm wrong but I thought If your
| systems are all E2E encrypted, then you as the service provider
| have no way of seeing what your users are discussing on your
| platform.
|
| In the past the issue has been did the company intentionally
| develop and market the product for drug trafficking. For
| instance did they send sales reps to contact criminal
| organizations and offer their products as a way to do crimes.
|
| One company produced electronic devices for the purposes of
| evading wiretaps and then visited various mafia owned bars to
| meet criminals and sold those devices to members of those
| syndicates [citation needed] specifically for the purposes of
| evading wiretaps. You might have heard of that company, it
| later became Apple Computer.
|
| >"Somehow, despite the fact that many of their blue boxes had
| been seized by law enforcement, and there were definitely
| indicators that they were all made by the same outfit, the
| boxes were never linked back to Woz and Jobs." - [0]
|
| Edit: I can't find anything to back up my memories that Woz
| talks about selling blue boxes at a bar. I may have
| misremembered. I have added a [citation need]
|
| [0]: Concerning Steve Wozniak's Blue Boxes
| https://512pixels.net/2018/03/woz-blue-box/
| jsjohnst wrote:
| > One company produced electronic devices for the purposes of
| evading wiretaps and then visited various mafia owned bars to
| meet criminals and sold those devices to members of those
| syndicates specifically for the purposes of evading wiretaps.
| You might have heard of that company, it later became Apple
| Computer.
|
| While Steve and Woz definitely made and sold Blue Boxes, this
| conjecture is entirely false otherwise. Blue boxes had
| nothing to do with evading wiretaps, but rather making free
| phone calls. Further, your farcical story of them visiting
| mafia owned bars is utterly fantasy.
| EthanHeilman wrote:
| >While Steve and Woz definitely made and sold Blue Boxes,
| this conjecture is entirely false otherwise. Blue boxes had
| nothing to do with evading wiretaps, but rather making free
| phone calls.
|
| You are incorrect, blue boxes were and can be used to evade
| wiretaps.
|
| "in wiretapping systems: common phone-tapping equipment was
| designed to be backwards compatible with in-band
| signalling, with the result that you can evade surveillance
| by using a blue box to convince the police equipment that
| you've hung up. The telephone exchange ignores this signal,
| so you remain on the phone but with the police recording
| stopped" - [0]
|
| >Further, your farcical story of them visiting mafia owned
| bars is utterly fantasy.
|
| I can't find the exact quote where I think Woz talks about
| this in an interview. It is that not absurd at face value
| since one of the main purchaser of blue boxes was bookies.
| If you're selling blue boxes at that time, a bunch of the
| buyers are going to be bookies. Both for their ability make
| free calls, but also for advantages like evading wiretaps
| that blue boxes provide. See quote below:
|
| "Since the early 1950s [mafia] bookies had been using every
| trick they could think of to make free and, more important,
| unrecorded long-distance telephone calls. One method was as
| simple as bribing telephone company operators and
| technicians to place calls for them so that the calls never
| appeared on their own telephone bills. [..] Blue boxes were
| active devices: they allowed you to call people -- anybody
| -- without leaving a record that the call was ever made.
| It's not clear exactly when the bookies learned about blue
| boxes, or from whom, but the best guess appears to be about
| 1 963 or 1 964. One source was Louis MacKenzie, the
| electronics engineer who offered to fix AT&T's network, for
| a price, in the early 1960s. MacKenzie, who later became a
| witness for the government in several blue box
| prosecutions, sold blue boxes to bookies in 1965 or perhaps
| earlier." - [1]
|
| Edit: Really having trouble finding that quote from Woz. I
| could have misremembered this. The article that inspired
| Woz to build blue boxes was about people selling blue boxes
| to bookies, perhaps I conflated those two stories.
|
| [0]: Telecom System Security: Chapter 20,
| https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c20.pdf
|
| [1]: The Untold Story of the Teenagers and Outlaws Who
| Hacked Ma Bell by Phil Lapsley, https://archive.org/stream/
| ExplodingThePhoneTheUntoldStoryOf...
| joelkevinjones wrote:
| From my understanding, a Blue Box doesn't evade wiretaps, but
| allows one to make long distance calls for free.
| EthanHeilman wrote:
| A blue box gives you administrative access to the switching
| equipment by tricking the switching equipment into thinking
| it is receiving control plane information from another
| switch. It's like being able to send BGP messages to
| routers.
|
| This means you can make long distance calls for free, but
| it also means you can route your call through whatever
| switches you want and lying about both the source and
| destination at each hop. Because wiretapping systems often
| rely on the switching infrastructure and with a blue box
| you control the infrastructure, you can make yourself
| invisible. It was God-mode for the phone network.
| Aerroon wrote:
| > _I think this will come down to the makeup of the user base.
| If say only 10% of your customers are using it for illicit
| purposes, you can claim you didn 't know, of couldn't have know
| because the messages are E2E encrypted, however if that number
| is 50+%, then I think the case could be made that yes even
| though you couldn't read the exact messages, you can still be
| held liable._
|
| But what are you _supposed_ to do in this situation? You get an
| inkling that the service you 're providing is used by drug
| traffickers. If you start taking actions against that then it
| means you know, therefore more likely to be guilty in the eyes
| of the law. If you tell law enforcement then you're also taking
| a risk, because it's still happening in your backyard. On top
| of that, anything you do has a good chance of destroying the
| business as well.
| salawat wrote:
| You let law enforcement do their job, and forward what little
| you can. If you implemented e-2-e encryption properly it
| isn't your problem you have no access to anything but
| metadata.
|
| If you didn't, and you really have access to keys that enable
| law enforcement to intercept or crack the encryption, then
| you weren't really end-to-end encrypted were you?
|
| Law enforcement interaction, and adherence to the law is not
| that much different than following and implementing a
| protocol. They can ask. You are expected to make a best
| effort attempt at accomodating what they ask for, given they
| have probable cost and a warrant. If they say that isn't good
| enough, you fight it in Court until either a judge modifies
| the protocol, or stipulates it's a legislative question.
| Queue lobbying.
|
| At all times, law enforcement are bound by probable cause. If
| they have it, you have to assist to the best of your ability,
| which for an e-2-e encrypted data stream is pretty much just
| metadata submission, or production of ciphertext if you're
| really going full centralized comm-stream tapping CALEA.
| Design your comm system like WebRTC, where your infra is only
| there to help two endpoints meet, and you have not even that.
|
| That's all there is to it really. Awful people doing awful
| things is a certainty. LE just have their knickers getting in
| a twist because their prey are starting to play the game with
| the blinders of technical ignorance off.
|
| What Law Enforcement wants is everyone to agree that they get
| privileged access to any message propagating through societal
| infrastructure... I sure hope everyone here understands why
| it is essential that they don't have it.
| sschueller wrote:
| If they didn't specially target only illegal actives as their
| customer base then you might as well indict every gun maker and
| whatsapp, apple, google etc.
| Bancakes wrote:
| Don't underestimate how corrupt a cabal of old men can be.
| qertoip wrote:
| Please help me understand.
|
| Say Monica runs a clothing shop and sells clothes (including face
| masks and sun glasses) to people she suspects are drug dealers.
|
| And we are not talking a single pair of sun glasses - she is
| running the clothing shop 8 hours a day, every day, for many
| years.
|
| Well, she facilitated criminal activity and must go to jail,
| right?
| 34679 wrote:
| Go to any small hardware store in Northern California and
| you'll find a display of turkey bags near the front for bagging
| pounds of weed.
|
| I've wondered what the manufacturer must have thought when they
| first realized why demand is so much higher in that region. I
| guess the FBI would have them and all the owners of those mom
| and pop stores hauled off to prison.
| throwaway0a5e wrote:
| >Go to any small hardware store in Northern California and
| you'll find a display of turkey bags near the front for
| bagging pounds of weed.
|
| And the pawn shop will have sawzalls for stealing cats.
| dboreham wrote:
| Do you need tools to steal a cat? Just offer it a pile of
| food and a warm soft place to sleep.
| zht wrote:
| catalytic converter
| Ariez wrote:
| I wonder if the DOJ will try to indict the man behind Signal for
| similar reasons.
| coolspot wrote:
| After the PIN drama and decision to protect data using SGX, I
| am 80% convinced Signal and NSA are on the same team.
| TheAdamAndChe wrote:
| I know it sounds paranoid, but it's why I don't trust Signal
| for information that I want to defend against nation-states. In
| the US, if the govt couldn't circumvent their messages then
| they would find a way to take it down. Any warrant canaries
| could be required to be left untouched by secret FISA courts.
| sodality2 wrote:
| What do you use?
| TheAdamAndChe wrote:
| If needed, I'd prioritize good OPSEC and prevent
| association of the communication device with me. Purchase a
| laptop from Craigslist with cash, disconnect its power when
| close to an area I frequent. Use macchanger to change the
| mac address of my device when in use, use a yagi antenna so
| I don't have to get too close to the open WiFi access
| point. A host of other activities meant to make association
| more difficult.
|
| Defense in depth is important. It's also unnecessary for
| most people most of the time, which is why I generally
| don't do it and just use Signal for interpersonal
| communication. But it's still good for people to know that
| depending on one system like Signal for security has risks
| so they can make their own determination on if it's worth
| it to harden their communication systems.
| sodality2 wrote:
| That sounds very secure, yeah. But what messaging
| platform would you use? XMPP+OMEMO, matrix, etc? Or PGP?
| TheAdamAndChe wrote:
| That depends entirely on the need. I would bet that any
| sort of decentralized chat system communicating to
| nonstandard servers would be closely scrutinized.
|
| For one-to-one communication, ideally I'd set up either
| some sort of special code with the receiving end and just
| use http. If more information relaying is needed, a one-
| time pad would be good. I'd try to keep the messages
| short in case there's a hole in the system somewhere.
| Again, depending on your needs, relying on one protocol
| like matrix or pgp could be risky. Good OPSEC can make up
| for a leaky security system.
|
| For one-to-many communication, proxies and device
| disassociation are priority above all else. You can
| assume interception of those messages generally.
| yawaworht1978 wrote:
| Not saying I do not believe this , but do you have a citation
| or an example?
| inetknght wrote:
| Edward Snowden provides proof and documentation.
|
| Lavabit provides a direct example.
| TheAdamAndChe wrote:
| When lives are on the line, it's dangerous to wait for
| peer-reviewed papers or solid evidence to come out. Think
| of how many years the NSA spied on everything before
| Snowden leaked it. There were rumors for years, but no
| solid proof. It's better to be more paranoid and have good
| OPSEC.
|
| I'm not saying I don't use Signal, because I do. It would
| work fine against cops or the federal government as a
| citizen. But if lives depended on it, it would merely be
| part of my communications toolbelt.
| StuntPope wrote:
| This is my take on it reading between the lines:
|
| That former high-level distributor was selling boatloads of these
| things into the criminal underworld, and the DoJ is alleging that
| the CEO knew about it and didn't stop it.
| FDSGSG wrote:
| Many commenters here seem to believe that these charges are
| solely based on the fact that the guy sold cryptophones. That's
| very unlikely.
|
| The feds almost certainly have records of the CEO discussing drug
| trafficking.
| yorwba wrote:
| Especially considering this part of the indictment:
|
| > ... on March 10, 2021, Europol announced that judicial and
| law enforcement authorities in Belgium, France and the
| Netherlands had wiretapped Sky Global's servers and monitored
| hundreds of millions of messages by Sky Global's users. The
| European investigation resulted in hundreds of arrests, the
| seizure of thousands of kilograms of cocaine and
| methamphetamine, hundreds of firearms, and millions of Euros.
| sbarre wrote:
| That refers to the activities of the customers though, not
| the company itself.
|
| If it's end-to-end encrypted, then in theory the company is
| unaware of the content of the messages.
|
| That said, this feels like governments basically saying that
| even if you sell a service that is _technically_ legal, if
| the majority of your customers are using it for criminal
| activity, you're also going down.
| uxp100 wrote:
| It seems to me that if it is possible to "wiretap the
| server" it was not really E2E encrypted. I don't know,
| maybe some messages were, some weren't. Certain users,
| certain types of messages, certain platforms.
| sbarre wrote:
| If this is the case, then that's of course quite damning..
|
| However, if you run a business that is making (according to the
| article) "hundreds of millions" selling handsets and
| subscriptions, why would you need to be involved in other very
| obviously illicit business?
|
| I think it's more likely that this guy is really a "freedom and
| privacy at all costs" guy who probably knows what his product
| is being used for, and doesn't care because for him that comes
| with the territory, and also because he's raking in the money.
|
| Even the whole "skyecc.eu is a fake version made by a
| disgruntled reseller" feels like a deniability smokescreen..
|
| If you're smart enough to able to set up a service like SkyECC
| in the first place, you're smart enough to know that one day
| the cops/feds/govt are going to take a shot at you, so you'd
| have some kind of plan in place for that I would think.
|
| Whether it works or not, remains to be seen I guess.
| FDSGSG wrote:
| >However, if you run a business that is making (according to
| the article) "hundreds of millions" selling handsets and
| subscriptions, why would you need to be involved in other
| very obviously illicit business?
|
| This wasn't always a huge business. I'm sure they became more
| careful after the incident with phantom secure.
|
| >I think it's more likely that this guy is really a "freedom
| and privacy at all costs" guy who probably knows what his
| product is being used for, and doesn't care because for him
| that comes with the territory, and also because he's raking
| in the money.
|
| Full disclosure: I work in this space, SkyECC was a
| competitor and I'm deeply familiar with their product.
|
| This guy is an opportunist and a liar promoting a very
| insecure product, constantly making false promises of
| security. He's made his money by exploiting the technical
| ineptitude of drug dealers.
|
| A "freedom and privacy at all costs" guy he is not.
|
| >If you're smart enough to able to set up a service like
| SkyECC in the first place, you're smart enough to know that
| one day the cops/feds/govt are going to take a shot at you,
| so you'd have some kind of plan in place for that I would
| think.
|
| You're clearly not very familiar with this space. It's rife
| with absolutely terrible products built by drug dealers who
| just hired a couple of developers from freelancer.com.
|
| SkyECCs sole focus was providing a polished user experience,
| not security.
|
| These clowns had their corporate active directory server
| (adsql.skyecc.com) exposed to the internet with RDP, SMB,
| LDAP all publicly accessible until it was seized a few days
| ago. They did nothing to harden their infrastructure after
| the Encrochat hack. I assure you they weren't prepared for
| the cops to come knocking.
| thecopy wrote:
| I suppose one of the most effective ways to reduce state
| hostility towards privacy issues is to legalize all drugs.
| tweetle_beetle wrote:
| Assuming that wasn't intended sarcastically, I'm a bit more
| pessimistic. I think that the narrative would just move on to
| the next bogeyman to maintain the hostile stance. Between
| terrorists, paedophiles, organised crime and occasionally
| illegal immigrants, you always have an excuse for your
| political dilemma.
| standardUser wrote:
| None of those other things are nearly as profitable as drug
| markets, or nearly as widespread. Drugs are a uniquely
| effective excuse for _massive_ government interference into
| people 's personal lives, and that interference also happens
| to be self-funding.
| cat199 wrote:
| does anyone else see this title as a bit clickbaity?
|
| I initially read this as if the CEO was _actually_ drug
| trafficking, rather than the selling of encrypted chat being used
| to claim 'facilitation' of trafficking, which appears to be the
| actual charge..
| ianhawes wrote:
| If you think thats clickbaity, wait until you read the DoJ
| press release:
|
| https://www.justice.gov/usao-sdca/pr/sky-global-executive-an...
| jmkni wrote:
| Am I the only one who thought the CEO of Sky TV had been caught
| using an encrypted messaging app for drugs?
| afrcnc wrote:
| that's ZDNet for you
|
| shit headlines and a deluge of ads, screw the user or accuracy
| jtbayly wrote:
| It's not clickbait, but it is inaccurate in what it implies.
| The truth is much more clickbaity:
|
| "Sky Global CEO indicted for providing encryption on devices
| sold"
| pmarreck wrote:
| "Consensual crimes" are a contradiction in terms
___________________________________________________________________
(page generated 2021-03-15 23:02 UTC)