[HN Gopher] The Crime Messenger
___________________________________________________________________
The Crime Messenger
Author : SirLJ
Score : 89 points
Date : 2024-11-26 13:34 UTC (9 hours ago)
(HTM) web link (www.cbc.ca)
(TXT) w3m dump (www.cbc.ca)
| kubb wrote:
| Feels like criminals will eventually get encrypted communication
| right and there won't be anything left for police to do.
| gambiting wrote:
| Vast majority of criminals are actually stupid though. For
| every criminal using quantum guaranteed encryption there will
| be 10 just doing normal unencrypted calls over regular GSM -
| you use the same tactics against criminals that have been used
| forever, before IMs were even invented - you infiltrate these
| groups, arrest lower members, get them to incriminate the
| people higher up until you dismantle the entire structure. Yeah
| I know it sounds simple and in reality there are million other
| steps to do this - but it has been done in the past and is
| still being done now. That's what the police will do. They
| caught criminals before they could read their messages, they
| will catch them again when they can't read their messages.
| Cthulhu_ wrote:
| What makes you believe they don't / didn't already? That's the
| thing, if it's done right you'll never know until it's found
| out and decrypted like what is in this article.
| ActionHank wrote:
| If the marketing is to be believed we are months away from
| having AI assist someone with no dev, technology, devops
| background just asking for an app like this.
| kubb wrote:
| I mean, nobody really believes that, this is just what you
| have to say if you have a stake in an AI company. Or you
| don't know what you're talking about.
| AnimalMuppet wrote:
| I'm not holding my breath for AI enabling someone with no
| tech background to get _encryption_ right.
| paxys wrote:
| Encrypted communication is already a solved problem. The people
| being caught are the ones who don't have the technical skills
| to use them correctly.
| dist-epoch wrote:
| When you have tens of thousands of criminals using a single
| app, the reward of cracking that in some way is gigantic, and
| these apps are created by a team of a few people which can't
| cover every angle like Apple can.
| ruthmarx wrote:
| Then they'll refine stenography and it will be citizens who
| suffer increasingly more.
| Zak wrote:
| > _The Serbian criminals shared photos of their victims on Sky
| without realizing police had installed a probe on the Sky ECC
| servers in France, which allowed authorities to intercept and
| read every user's messages._
|
| I'm surprised criminals keep picking these niche messaging
| services, which keep turning out not to use proper end to end
| encryption, rather than Signal.
| dghlsakjg wrote:
| Presumably you don't hear about the ones that use signal for a
| reason...
| notachatbot123 wrote:
| That's what a Fed would say to discourage Signal use.
| derefr wrote:
| That's the opposite of what the GP poster meant to imply.
| They meant that you don't hear about the ones that use
| Signal because they _don't_ get caught.
| krisoft wrote:
| > That's what a Fed would say to discourage Signal use.
|
| What? No. That is exactly what a Fed (or anyone else) would
| say to encourage Signal use.
|
| "Presumably you don't hear about the ones that use signal
| for a reason..."
|
| The reason being that they don't get caught so you don't
| hear about them.
| RUnconcerned wrote:
| feds literally fund signal
|
| https://www.mintpressnews.com/the-open-technology-fund-
| makes...
| or_am_i wrote:
| I guess the b2b sales work the same irrespective of the
| businesses' legal status.
| jjmarr wrote:
| Criminals aren't immune to pitch decks and overspending on
| bespoke systems??
| ben_w wrote:
| There's people who regard the government as organised
| crime... and some such people are not even in the
| government themselves.
|
| Likewise for corporations, on both counts.
|
| Myself I'm not so cynical as to see that everywhere, but
| I've seen it. Hard to miss when it gets in the news.
| Scoundreller wrote:
| But you, you're special. You need the "Enterprise Edition"
| at 10x the price and half the reliability.
|
| Don't forget our service plan, which you'll need because
| only the manufacturer knows how to fix it.
| Miraltar wrote:
| I guess you didn't really read the article so I'll put it here
| : > They intercepted one billion messages, but they couldn't
| read them at first because they were encrypted. It wasn't until
| late 2020 that they managed to decrypt them.
| kasey_junk wrote:
| The article is extremely vague on how they did this. The one
| big red flag though is that the protocol for the messenger in
| the article was a bespoke secret design by a single person
| who wasn't a cryptographer and not a well vetted public one.
|
| I would love to see a technical analysis of the supposed end-
| to-end encryption methodology used here.
| dorfsmay wrote:
| Same here, and would love to find out if they paid the
| "Million dollar hack" to the Europol people who cracked it!
| RobotToaster wrote:
| You would think they would have their own tech people. I guess
| even crime isn't immune to outsourcing.
| dist-epoch wrote:
| Signal requires a telephone number.
| red_admiral wrote:
| I believe I once read that back in the day, Al-Qaeda decided
| that AES and the like was probably compromised because it was
| made by the infidels, and launched their own "Islamic secure
| messenger" with an encryption algorithm their people had
| designed themselves.
|
| This is not only terrible from a "let's get the list of all
| accounts who downloaded this app and perhaps track their
| phones" perspective, but also the encryption turned out to be
| exactly as good as you might have guessed.
| TravisPeacock wrote:
| Just a fun aside: Islam is responsible for the foundations of
| algebra and the al in algorithm is of the same Arabic root.
|
| I'm not an Imam but I feel like if someone wanted to justify
| using a Western created algorithm they could just say "well
| technically this is just built on our initial work"
| barbazoo wrote:
| > Islam is responsible for the foundations of algebra
|
| I don't think that's true. Algebra has history that goes
| way back to Babylonian times, long before Islam.
|
| From https://en.wikipedia.org/wiki/History_of_algebra
|
| > The origins of algebra can be traced to the ancient
| Babylonians,[6] who developed a positional number system
| that greatly aided them in solving their rhetorical
| algebraic equations. The Babylonians were not interested in
| exact solutions, but rather approximations, and so they
| would commonly use linear interpolation to approximate
| intermediate values.[7] One of the most famous tablets is
| the Plimpton 322 tablet, created around 1900-1600 BC, which
| gives a table of Pythagorean triples and represents some of
| the most advanced mathematics prior to Greek
| mathematics.[8]
|
| Islam is much more recent than that. From
| https://en.wikipedia.org/wiki/Islam#History
|
| > Muhammad and the beginning of Islam (570-632)
| inhumantsar wrote:
| Algebra as we know it today has its roots in the Islamic
| world. They took prior works and formalized them into a
| discipline.
|
| From the History of Algebra Wikipedia link:
|
| > "Al-Khwarizmi's text can be seen to be distinct not
| only from the Babylonian tablets, but also from
| Diophantus' Arithmetica. It no longer concerns a series
| of problems to be resolved, but an exposition which
| starts with primitive terms in which the combinations
| must give all possible prototypes for equations, which
| henceforward explicitly constitute the true object of
| study. On the other hand, the idea of an equation for its
| own sake appears from the beginning and, one could say,
| in a generic manner, insofar as it does not simply emerge
| in the course of solving a problem, but is specifically
| called on to define an infinite class of problems."
| rolph wrote:
| i think these are the criminals that dont know the concept of
| local encyption vs encryption services, multiple serial
| encryptions, subjective "in" euphemisms, or other obfusication
| of clear payload
| bjoli wrote:
| There was a Swedish case recently where a signal group of over
| 1000 people was infiltrated. (I think it was this one:
| https://sverigesradio.se/artikel/uppdrag-i-gruppchatt-morda-...
| - sound only. Sorry)
|
| No e2e is going to help you if you invite the cops to your
| group chat I guess.
| loup-vaillant wrote:
| How _any_ group of one thousand people could be truly safe?
| Of course they would get infiltrated. Groups who want to
| survive being hunted kinda have to either be smaller, or
| divide themselves into cells.
| brudgers wrote:
| My guess is that the law enforcement hackers are professionals
| and use social engineering to encourage adoption of compromised
| apps.
|
| Because social engineering is the foundation of hacking. Not
| technology.
| dghlsakjg wrote:
| > "Privacy is really, really important and we all have the right
| to our privacy," said Catherine De Bolle, executive director of
| Europol, the law enforcement agency of the European Union. "But
| when we see now that encrypted communication is really an enabler
| for crime, then we have to do something."
|
| Can she hear herself when she talks? Apparently we don't have a
| right to our privacy. Interpol intercepting every message going
| across a server just because some of the messages might be
| criminal is explicitly acting in a way that does not imply any
| right to privacy.
| hbn wrote:
| As soon as someone follows "we all have the right to privacy"
| with "but", a springboard should pop up from under their feet
| and launch them into space.
|
| Unsurprising the first time I see a CBC article at the top of
| HN, it's a puff piece about how taking people's privacy is
| supposedly good for us. Real glad I paid for this article, but
| it's not like I'm not constantly paying for these clowns to
| produce slop that I find appalling. They recently spent $2
| million to create a bunch of liberal propaganda podcasts that
| got a few hundred views per episode.
|
| I hate this country.
| ipython wrote:
| When the entire point of the enterprise (sky in this case) is
| to enable criminals, wouldn't the enterprise itself be part
| of the criminal conspiracy?
|
| I am all for privacy, but I'm also for rule of law. If I
| could start an encrypted messaging company that marketed
| exclusively to criminals, then wouldn't I expect to be
| charged as abetting the crimes committed as a result of
| facilitating that communication?
|
| It's a question of intent. Law isn't black and white- and law
| recognizes that tools can be dual use. It's not perfect but
| nothing is.
| Workaccount2 wrote:
| > "But when we see now that unmonitored communication is really
| an enabler for crime, then we have to do something."
|
| Fixed for her.
| AnimalMuppet wrote:
| I think that's the unstated part: Encryption doesn't handicap
| law enforcement if they weren't monitoring the communication
| anyway.
|
| [Edit: Though in fairness, if they weren't monitoring
| everything but then decided they had grounds - or even (gasp)
| a warrant - to monitor a specific set of communications,
| _then_ encryption handicaps law enforcement.]
| loup-vaillant wrote:
| "Nothing someone says before the word 'but' really counts".
| curious_cat_163 wrote:
| I think the inherent contradiction stands. You are right to
| point it out.
|
| However, there _is_ another side to it: the law enforcement
| agencies have a harder job now and it needs to be acknowledged
| as such.
|
| The acknowledgement does not require agreeing to let up on
| fundamental principles of privacy. But, so that resources could
| be invested in ways that do not require hoovering up people's
| personal data en masse.
| dghlsakjg wrote:
| Harder in what sense?
|
| Criminal communications have always existed, and I don't buy
| that a smartphone is a fundamental change from encoded
| letters, whispers, or any more primitive signaling device.
| With an electronic surveillance warrant it is easier than
| ever to compromise communications. If they suspect that a
| crime is being committed they should use the existing legal
| framework that exists for exactly this purpose.
| coretx wrote:
| "Harder" is a blue extremist lie. The information position
| of law enforcement has never been this good before. Yet
| they ask for more - a clear indication for their true
| motive: Power.
| curious_cat_163 wrote:
| Harder in the sense that never before in human history
| could any person communicate with any other person on most
| of the inhabited planet through instant wireless internet.
| They can do all this with end-to-end encryption, if
| sufficiently motivated, via apps like Signal.
|
| Most (I would hazard > 99%) people won't use this
| capability for criminal enterprise.
|
| Some would. Some do.
|
| BTW, This does not mean that we should open illegal
| backdoors to our end-to-end encryption. Private
| communication must remain possible and viable and easy for
| everyone.
|
| It also does not mean that law enforcement should resort to
| unconstitutional means (at least in the US).
|
| But, this is just a different game than what they are used
| to. It is okay to acknowledge it and resource them to do
| without.
| darknavi wrote:
| A good defcon talk that referenced Sky but focused on another
| platform called Anon:
|
| https://youtu.be/uFyk5UOyNqI?si=i-GtpeCR1QEj69cz
| auscad wrote:
| What makes this different from a typical attack on encryption is
| that this company (probably) knowingly distributed to and worked
| with criminal enterprises.
|
| But this article is written in a way that suggests that
| encryption is dangerous - an angle that the CBC has taken before
| - which makes sense considering that it is a government-owned
| news outlet in a Five Eyes member state.
| Cthulhu_ wrote:
| > (probably) knowingly
|
| That's doing a lot of heavy lifting. I'm sure they knew,
| personally, but since everything is encrypted, even for
| themselves, they have plausible deniability. If there is no
| solid proof of e.g. the company selling to someone they knew is
| a criminal, there's nothing to be done, legally speaking.
|
| And even then, criminals _can_ talk using e.g. commercially
| available phones and mobile networks; are those networks /
| manufacturers / anyone but the criminal responsible for what is
| talked about?
|
| Yes the seller could reasonably assume their stuff was used by
| criminals, but so can Signal, Whatsapp, Messenger, anyone
| offering (encrypted) communication. It doesn't make them guilty
| themselves.
| gambiting wrote:
| >>If there is no solid proof of e.g. the company selling to
| someone they knew is a criminal, there's nothing to be done,
| legally speaking.
|
| If you look at the article it has examples found of the
| company employees explicitly saying they are meeting with
| criminals so to play it safe. It doesn't get any more "solid
| proof" than that.
|
| >>are those networks / manufacturers / anyone but the
| criminal responsible for what is talked about?
|
| No, but again - read the article. There are examples of their
| employees saying that a client of theirs was arrested so they
| proactively wiped their phone - that could be interpreted as
| knowingly destroying evidence. They did end up changing this
| policy to _not_ wipe phones of people who have been arrested,
| precisely because of this concern.
|
| >>Yes the seller could reasonably assume their stuff was used
| by criminals, but so can Signal, Whatsapp, Messenger, anyone
| offering (encrypted) communication
|
| The difference is most likely in how it's advertised and
| sold. Whatsapp is a free app that anyone can use, Facebook
| can reasonably claim that they don't advertise to criminals
| or encourage illegal use because the app is free to anyone.
| The owners of this app made it paid and they actively pursued
| clients they knew were members of criminal rings. Whether
| that passes the threshold for holding the company liable -
| that's for courts to decide. But that's generally where I
| think the line is. Anyone can make and sell a knife, but
| start selling knives(knowingly) to gang members and you're
| going to be in trouble even though selling a knife isn't
| illegal in itself.
| or_am_i wrote:
| > there's nothing to be done, legally speaking.
|
| Even if true, this sure feels like a loophole though, like
| the Saul Goodman's burner phone side business, doesn't it?
| Should there perhaps be a stricter KYC requirement/similar
| measures to the same end when it comes to re-/selling
| technology explicitly designed for encrypted communication?
| Note that we are not just talking about an end-to-end
| encrypted messenger app, it's a whole integrated phone with
| an explicit special purpose. This feels more like a
| regulation oversight: the encrypted transmissions in AM/FM
| bands are outright prohibited in most Western jurisdictions
| after all, and so is possession of the respective equipment.
| mistrial9 wrote:
| There are thousands of millions of people who are not
| criminals, who are not trying to be criminals.. yet somehow the
| literate audience is led by media such that a small, dedicated
| bunch of adults half-way around the world is proof positive
| that all encryption is "for me, not for thee"
| petesergeant wrote:
| > which makes sense considering that it is a government-owned
| news outlet in a Five Eyes member state
|
| re the mention of FVEY, I strongly suspect it's law enforcement
| rather than the spooks who have any issue with encryption
| there. I don't think FVEY SIGINT are having any issue reading
| the messages they want to read, it's the City of Spokane Police
| Department, FBI Tampa, and the Manitoba RCMP who are
| struggling, and would like Apple to give them decryption keys.
| SIGINT would love you to believe they can't read your messages
| because of encryption.
| lyu07282 wrote:
| > SIGINT would love you to believe they can't read your
| messages because of encryption.
|
| I think this line of thinking can lead to a sort of defeatist
| ignorance. For example, can anyone break the default cipher
| suite of wireguard or gpg? I really don't think so.
| petesergeant wrote:
| > can anyone break the default cipher suite
|
| I think one would be very lucky to have an adversary who's
| focusing their attacks at the strongest points
| lyu07282 wrote:
| fine just give up then, you already lost? Fuck that,
| let's not pretend like they are omnipotent all the
| fucking time.
| petesergeant wrote:
| You seem to be passionately arguing against a point of
| view I haven't expressed
| MadnessASAP wrote:
| > But this article is written in a way that suggests that
| encryption is dangerous - an angle that the CBC has taken
| before - which makes sense considering that it is a government-
| owned news outlet in a Five Eyes member state.
|
| While neither of these points is completely incorrect, that is
| a heck of a connection to make without evidence.
| devmor wrote:
| >"Privacy is really, really important and we all have the right
| to our privacy," said Catherine De Bolle, executive director of
| Europol, the law enforcement agency of the European Union. "But
| when we see now that encrypted communication is really an
| enabler for crime, then we have to do something."
|
| That was a pretty terrifying line to read - the idea that they
| feel comfortable assuming a great deal of the public will agree
| with or find this reasonable is pretty worrisome.
| try_the_bass wrote:
| I think a great deal of the public does agree with this
| sentiment, though?
|
| In general, "the public" is usually okay with things that
| reduce anti-social behavior.
| dghlsakjg wrote:
| The public would probably say that they agree that things
| that reduce anti-social behavior.
|
| But if you instead phrase it as: "should international law
| enforcement have a perpetual copy of every single written
| message you have ever sent in order to reduce anti social
| behavior?" You will discover that there is a limit to what
| people will tolerate.
| lb1lf wrote:
| There hopefully is, but it never ceases to amaze me how
| many, even highly intelligent, reasonable people, buy
| into the 'I don't do anything illegal, hence I have
| nothing to hide and off to the races we go' mindset.
|
| Heck, even if I try to point out all the fun side effects
| - say, how embarrassing it would be if a copy of your,
| ahem, correspondence with that cute intern was leaked, or
| simple guilt by association, like finding yourself on a
| watchlist after buying a car from a suspected Islamic
| militant or something similar, I am mostly met with a
| shrug and a variation on the theme 'Oh, they'd never do
| that / surely if that was to happen, it would be fixed in
| due course'.
|
| Basically, I more and more feel like the odd man out - as
| my position that 'Seeing as I am not doing anything
| criminal, the authorities have no business snooping on
| me' is seen as the militant one. Won't somebody think of
| the children, etc.
|
| Sigh. Rant over.
| devmor wrote:
| I mean that it is worrisome that the public would agree
| with this, or at least that public sentiment is shifting in
| that direction enough that this statement doesn't cause
| visceral outlash against anyone that would say it.
| jfactorial wrote:
| "Freedom of movement, freedom of speech, freedom to assemble,
| freedom of religion, these are really, really important and
| we all have rights to them..." said a law enforcement
| director who would soon make clear they didn't believe in
| rights at all.
|
| "But," they continued rather than stopping at defending
| rights, "when those rights can be used to enable activity
| which we deem criminal but hasn't yet been tested in court,
| we have to take them away."
| ipython wrote:
| If you enjoy this story, read the book Dark Wire which focuses on
| the FBI's infiltration of Anom, another encrypted message
| service. It also covers sky briefly. Fascinating story
|
| https://www.hachettebookgroup.com/titles/joseph-cox/dark-wir...
| morbicer wrote:
| Or if you prefer podcast, listen to this episode of Darknet
| Diaries
|
| https://darknetdiaries.com/transcript/146/
|
| Truly fascinating story
| paxys wrote:
| Pretty ironic that they got caught after going out of their way
| to buy secure phones and use secure messaging services when an
| off-the-shelf iPhone and Whatsapp/Signal/Telegram would have made
| them 100% untraceable.
| mhitza wrote:
| Probably Signal would have been a safe bet. Telegram doesn't do
| encryption by default (on group messages? Been a year or two
| since I've used it). And Facebook complies with law enforcement
| agencies, and I don't think it's unreasonable for them to have
| a feature flags to selectively and transparently disable
| encryption for some participants if need be.
| joering2 wrote:
| Facebook certainly likes to at least have sense to know what
| you are conversating about. Sometime in 2016 we and my buddy
| abroad got our accounts frozen "due to security reasons" at
| exact same time; what we were doing is having fun with FB
| Messenger and sending each other PGP-encrypted messages. This
| least about 2 months and my buddy is Egyptian, so I am pretty
| sure at some point FB said "we don't know what they chat
| about and enough is enough". I got my account recovered after
| multiple layers of verification including video-call to hold
| up my ID done by third-party ... my friend never gotten his
| reinstated.
| int_19h wrote:
| Facebook definitely has some kind of chat monitoring and
| real-time censorship in place. For example, I once couldn't
| send a message in _private chat_ if it included a link to
| one of the online weed stores. Remove the link, and it goes
| through just fine. Put the link there, and the thing just
| hangs and errors out with no coherent explanation.
| cwmma wrote:
| One of the features the phones had was that they could be
| remotely deleted and were locked down to prevent other apps on
| them. So an off the shelf iphone with signal is going to be
| vulnerable to having the device itself hacked via text message,
| bluetooth, or something else in a way the Sky ECC phones
| theoretically can't be, so it's not necessarily a slam dunk.
| paxys wrote:
| - Buy a cheap android phone from a no-name Chinese OEM.
|
| - Run a basic script to disable app installs, phone calls and
| some other features.
|
| - Never update the OS. Don't do any security patching.
|
| - Write your own encrypted messaging app with your own
| crypto. Don't get any external reviews or audits.
|
| - Resell this as a Sky ECC phone with some marketing dollars
| labeling it as "secure" and "private".
|
| What do you think is more hackable, this or a regular
| iPhone/Samsung Galaxy/Pixel?
| michaelt wrote:
| Consider the following two offers:
|
| A cheap netbook from a no-name Chinese OEM, running weird
| software you've never heard of named 'TAILS' which doesn't
| auto-update or anything, and which the makers say is very
| secure.
|
| A cheap phone from a no-name Chinese OEM, running weird
| software you've never heard of named 'Sky ECC' which
| doesn't auto-update or anything, and which the makers say
| is very secure.
|
| You've got to be fairly knowledgeable to appraise the two
| options correctly.
| Scoundreller wrote:
| Sky ECC over TAILS it is!
| asveikau wrote:
| These are common requirements for a corporate phone.
|
| Remote wipe is provided by both Android and iPhone iirc even
| to end users.
|
| A stock android phone, a knowledgeable user could already
| remove a bunch of stock apps.
| loceng wrote:
| I suppose the hope is that if relatively good people, maybe bad
| actors but with certain limits, if they get exposed to or
| inadvertently the "opportunity" to be involved in higher orders
| of magnitude of bad - that they may then act as a light that
| helps create cracks in the armour to expose such horrific
| behaviour?
| anthk wrote:
| Or just a damn netbook (i386, Atom, pre-IntelME) with Email and
| GPG.
| Scoundreller wrote:
| The average journo would struggle with that
| paxys wrote:
| Hard to carry that around in your pocket when on a job.
| dist-epoch wrote:
| Reminds me of an organization buying pagers since they are more
| "secure".
| lyu07282 wrote:
| > In 2011, Eap started developing an encrypted messaging system
| with the help of his father, who holds a master's degree in
| computer science from Simon Fraser University in Burnaby, B.C.
| The app was initially designed for BlackBerry phones and later
| made available for iPhones.
|
| > His father designed the data encryption algorithm.
|
| > "My dad's a genius," said Eap. "It had the highest level of
| encryption available."
|
| It's hard to imagine that this level of ignorance wasn't
| intentional from the beginning.
| AnimalMuppet wrote:
| Sounds more like weapons-grade arrogance on the part of the
| dad, and the kid believed it.
| dist-epoch wrote:
| Except these kinds of secure apps are never broken by attacking
| the encryption, but by just infiltrating/seizing the servers.
| loup-vaillant wrote:
| For this one however this seems to be the case? The wording
| of the article isn't crystal clear, but it looks like the
| cops took control of the servers, and decrypted messages from
| there. So either the messages weren't truly end-to-end
| encrypted, or the encryption truly was broken.
| loup-vaillant wrote:
| This quote sure was a huge red flag to me.
|
| _" My dad's a genius"_ because you're not supposed to rely on
| genius to make a good crypto system, and also because it makes
| Eap sounds like he has absolutely zero knowledge on the
| subject.
|
| _" highest level of encryption available"_ because there's a
| fairly low floor above which it's all uncrackable anyway
| (ChaCha20 + BLAKE2B authenticated encryption, and Curve448 +
| post quantum winners for the public stuff, should go beyond
| total overkill).
|
| I don't believe it was intentional though. I'm just out of a
| quick job implementing SSCPv2 (encryption over RS485 to secure
| communication between card readers and central computer,
| typically used to secure buildings). Good specs, fairly good
| separation between cryptography and business logic, and as far
| as I could tell the crypto isn't broken... but it is quite old
| school: AES CBC + HMAC SHA256, using _MAC then encrypt_.
| https://moxie.org/2011/12/13/the-cryptographic-doom-principl...
| And while I _think_ my implementation is okay, I did have to
| pay special attention to specific traps raising from this
| design, and to be honest wouldn 't bet my life on having ironed
| out all possible timing attacks.
|
| SSCPv2 was almost certainly designed after 2020, but it took
| books from 2005. Good books for their time, but a bit dated
| unfortunately. I'm pretty sure no actual cryptographer was
| involved. If there were, they would almost certainly have used
| standard authenticated encryption scheme like AES CGM, or
| ChaPoly (RFC 8439), they would have authenticated the
| unencrypted header, and provided an even better separation
| between crypto and business logic.
| avodonosov wrote:
| > Not only did Sky ECC provide end-to-end encryption, like
| Whatsapp or Signal, but unlike those free apps, it also
| redirected the data on its own secure network.
|
| So how the messages were intercepted if e2e encryption is used?
| dist-epoch wrote:
| Backdoor the app itself and add an extra key?
| avodonosov wrote:
| That's one of possibilities. But what actually happened in
| this case?
| avodonosov wrote:
| A friend told me that:
|
| The exact approach used to break the encryption of Sky ECC
| phones is not fully detailed in the sources I found.
| However, there are some insights into the methods used:
|
| 1. One source mentions that law enforcement agencies used
| cloned devices running a fake phishing application designed
| to impersonate the Sky ECC app
| https://www.bleepingcomputer.com/news/security/europol-
| unloc.... This allowed them to intercept messages as they
| were being sent and received.
|
| 2. Another report indicates that unauthorized devices with
| modified security features were sold through unauthorized
| channels, which likely played a role in the interception
| https://www.vice.com/en/article/sky-ecc-decrypted-hacked-
| pol....
|
| These methods suggest that the encryption itself wasn't
| directly broken, but rather the security of the devices and
| the integrity of the app were compromised.
| garrettjoecox wrote:
| I've seen it before--a SaaS claiming to offer end-to-end
| encryption simply because it uses HTTPS/SSL for communication
| between the client and server. It's laughable, but the lack of
| clear regulations or standards defining E2E encryption lets
| them get away with treating the client and server as the
| "ends."
|
| Not sure if that's what happened here but it wouldn't surprise
| me.
| avodonosov wrote:
| I understand that's one of possibilities. But what actually
| happened in this case?
| jpalawaga wrote:
| I have thoughts and feelings about a lot of this, but the part
| that stands out to me is LE folks intentionally working with
| agents out of their jurisdiction to circumvent the laws in their
| own jurisdiction.
|
| You want to talk about unethical behaviour? That sounds
| borderline like a poison tree to me.
| potato3732842 wrote:
| Follow the incentives.
|
| The only practical check acting against the whims of these
| agencies is that if they do things that are too horrible the
| resulting public perception will be bad for the career
| advancement prospects of the top ranks who want to move into
| politics where optics matters.
| morkalork wrote:
| Isn't that like half the raison d'etre for the five eyes?
| worldvoyageur wrote:
| "His father designed the data encryption algorithm.
|
| "My dad's a genius," said Eap. "It had the highest level of
| encryption available."
|
| Not only did Sky ECC provide end-to-end encryption, like Whatsapp
| or Signal, but unlike those free apps, it also redirected the
| data on its own secure network. "
|
| This was the basis for users to think the system was secure?
| Seriously!?!
|
| I'm reminded of the saying 'don't roll your own crypto'.
| Obviously the authorities were able to crack the crypto, probably
| at multiple points.
| Hizonner wrote:
| > They communicated with each other on highly secure phones
|
| You keep using that word...
| janmo wrote:
| The key aspect here is that both Sky ECC and Encrochat got F.
| over by the modern day equivalent of Crypto AG which is the
| french hosting provider OVH.
|
| While intelligence agencies were pumping in real-time all the
| data from Encrochat's and Sky ECC;s dedicated OVH servers, the
| OVH co-founder Octave Klaba and their ex-CEO Michel Paulin were
| selling the company with statements like:
|
| - We don't dig in our customer's data unlike the the "others".
|
| - US secret services have no access to our data.
|
| However there are many interesting anecdotes:
|
| 1) For many years OVH was hiding a "maintenance" backdoor in
| "/etc/ssh/authorized_keys2", authorized_keys2 was used for ssh
| protocol 2 which was depreciated in 2001 yet OVH was using it to
| store a maintenance key until around 2018. This was very poorly
| documented and a user warned of the backdoor on HN back in 2012.
| https://news.ycombinator.com/item?id=4839414
|
| 2) In 2013 the TOR hidden service hosting provider "Freedom
| hosting" was taken down, "they" had rented 400 servers at OVH and
| in June 2013 "they" let all but one expire, likely moving to
| another provider, this is when through an unknown way the FBI
| obtained the IP address of the only remaining server at OVH. The
| server was imaged but it contained an encrypted "container". The
| FBI claims that they were able to break the encryption within a
| week using "cryptanalysis" and to recover the "root" password
| used to encrypt these "containers". This is total BS, they must
| just have used the ssh maintenance key or added "something" to
| the server when they did the imaging.
|
| Source criminal complaint Eric Eoin Marques:
| https://www.justice.gov/d9/press-releases/attachments/2019/0...
|
| 3) Later that same year Silk Road was taken down. It is
| undisputed that law enforcement lied about key parts in their
| investigation.
|
| According to law enforcement Ross Ulbricht was ssh'ing into the
| Silk Road server using a "VPN server". When they got to the "VPN
| server" it had been wiped out BUT, the hosting provider had kept
| "VPN" "logs"??? which led them to the IP address of a cafe where
| Ross Ulbricht had been. Ross Ulbricht kept a list with all the
| servers he was and had been operating. There is no mention of a
| VPN server, however in the "retired" server section there is a
| "VNC Desktop" server with the note "SR related". This appears to
| be a server running a virtual desktop that Ross Ulbricht was
| using to connect to the Silk Road. It was a VPS hosted at ... OVH
| and rented through an intermediary called momentovps. But it gets
| even worse, just bellow he listed another VPS at OVH and it has
| the remark "Will / personal backup / deadman switch"...
|
| Source: Silk Road Exhibit GX-264
|
| 4) The creation story is quite strange. OVH was offering very low
| prices while not having any funding. The secret was that for
| years Xavier Niel who is one of Octave Klaba's competitors and
| has been outed as being a former agent for the french government
| was hosting the OVH servers in his datacenter for FREE. Obviously
| if you do not pay for the electricity, internet and rent life is
| easy. The question is what did Xavier Niel get in return?
| According to him (Interview on BFMTV) he did it out of
| generosity. Of course...
|
| Now we pretty much know that Pavel Durov founder of Telegram got
| his french passport because he agreed to work with the french
| intelligence agencies but failed to deliver. Guess who was the
| first person he called when he got arrested, and then the person
| he met once he was released? Xavier Niel!
| Etheryte wrote:
| You can add What.CD, the de facto Music Library of Alexandria
| at the time, to this list, along with a number of other private
| torrent trackers. When What.CD's servers got raided by the
| French authorities, a number of other trackers that were hosted
| at OVH also got raided "by accident". The authorities went in
| with a warrant for one site, but oh so luckily just happened to
| also stumble on a number of other private trackers hosted by
| OVH at the time, never mind that they're spread across separate
| servers in separate racks etc. You can smell the foul play from
| half a continent away.
|
| What.CD is dead, long live What.CD (and Oink's Pink Palace).
| janmo wrote:
| They don't need a warrant if OVH just hands it out to them
| which they do.
|
| But what really matters is that intelligence agencies are
| sniffing in your data at OVH and that the company wants you
| to think otherwise.
| barbazoo wrote:
| Reminds me of a recent episode of "Search Engine" about the
| "AN0M" phone: https://www.searchengine.show/listen/search-
| engine-1/what-s-...
___________________________________________________________________
(page generated 2024-11-26 23:02 UTC)