
How Police Secretly Took over a Global Phone Network for Organized Crime - jmsflknr
https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
======
motohagiography
When I read this I see a niche, super premium hardware company that managed
to acquire tens of thousands of customers by word of mouth. Not only that,
their customers are all in-effect self employed or small businesses with huge
average revenue per employee. They manage global supply chains, intense
competition, all while taking on and managing huge legal/compliance risk.

How is it that supposedly "dumb," criminals can do this, and yet many of us
are stretching our intellectual capacities to learn new technologies and
maths, developing our nth stupid app, trying to achieve a fraction of the
customer traction and revenue that street thugs manage to do every day. Are
these people much smarter than average, or does it mean that if you sell
something people actually want, literally nothing else matters about your
intelligence, education, character, background, or anything at all. When I
read these drug stories, it just reinforces for me that growth solves
everything. You can succeed with a crew of violent, drug addicted idiots whose
only reliable characteristic is short term thinking, and who spend half their
time in prison if you have product market fit. What I'm beginning to think is
that the "smarter," people are in a company, the less anyone will want their
product. It's like the success of a venture is inversely proportional to the
number of ostensible geniuses it employs.

~~~
kyboren
> does it mean that if you sell something people actually want, literally
> nothing else matters about your intelligence, education, character,
> background, or anything at all.

Yes, although I think more specifically s/want/are addicted to/. See also:
Saudi Aramco and Facebook.

> What I'm beginning to think is that the "smarter," people are in a company,
> the less anyone will want their product.

Do you not think Apple and Google are composed of very smart people? Tesla and
SpaceX don't make the cut?

~~~
hamandcheese
Google still seems to be riding on their ad business. Their other products are
very hit and miss. So yes, I think Google is a great example here.

------
rxsel
So everyone moves to a new platform/vendor... what exactly is significant
about this particular bust aside from “we did it” signaling of law
enforcement? Things like this happen all the time... Silk Road and many other
examples come to mind.

I just hope this doesn’t become yet another incident used as an example to
slowly erode the freedom and idea of privacy. The current anti-encryption
sentiment and reactionary nature of legislation doesn’t inspire much
confidence.

On a side note for anyone wanting a truly secure device, you’d have to source
the raw materials, create the hardware, software, distribution and oversee the
entire process. The old school Ford assembly line for the brave new world. And
this assumes you didn’t leave any security holes in the process. Which humans
tend to do.

~~~
paulmatthijs
It has huge implications. What is “exactly significant about this” bust is the
prevention of multiple assassinations, kidnappings with planned torture, and
multiple large coke smuggling operations being intercepted. Plus it’s all
evidence. Previous encryption breaking busts like this by the Dutch national
police have led to lifelong convictions of multiple murder squads.

~~~
rxsel
I didn’t mean to be or come off as insensitive. I get that many would-be
horrible things were prevented. Which is very much appreciated.

------
vianneychevalie
I'm very curious as to which legal basis French authorities have had for this
coordinated state-level hack. It's mentioned that they had one, but nothing
more specific, even in French media I've looked up.

~~~
speedgoose
It's explained in this French PDF:
[http://www.eurojust.europa.eu/press/Documents/2020-07-02_Enc...](http://www.eurojust.europa.eu/press/Documents/2020-07-02_EncroChat-investigation-in-France_FR.pdf)

~~~
ciarannolan
Can a French speaker please give us a tldr?

~~~
vianneychevalie
A judge was heading the investigation and provided the legal go-ahead for the
actions. The legal justification is twofold: evidence of organized crime
uncovered in a preliminary investigation and (!) lack of declaration of
cryptographic solution deployment, which is apparently a thing [0] when it’s
not used for authentication or data integrity control!

I’m extremely surprised by the latter, it seems that one has to declare any
operational use of cryptography when it’s not for those two uses.

[0]
[https://www.ssi.gouv.fr/uploads/2015/03/ANNEXE-I.pdf](https://www.ssi.gouv.fr/uploads/2015/03/ANNEXE-I.pdf)

~~~
speedgoose
The latter is indeed very surprising. I'm considering submitting a few for fun.

------
black_puppydog
So did I miss anything here, or is this a story of how law enforcement took
over an entire fleet of devices, put a rootkit on all of them, and the only
reason we know about it is that the company seems to have had a solid reason
(wouldn't call it backbone in this specific case) to publish the whole thing?

It reads to me like, had Encrophone not opted to inform all their customers,
this would have simply gone on?

I have a hard time condemning the specific case here, but if you substitute
any other phone manufacturer here, this becomes quite obviously scary.

~~~
rusk
My understanding is that the police intervened because multiple violent crimes
were in the offing. Otherwise yeah I guess they would have gone on using it to
spy on criminals

------
opwieurposiu
If the police can plant malware on a device, then they can also plant evidence
on a device. What percentage of these people are being framed? 10%? 50%? No
way of knowing.

~~~
ciarannolan
Well, presumably not the ones with "77 firearms, including an AK47 assault
rifle, sub machine guns, handguns, four grenades, and over 1,800 rounds of
ammunition" or "More than two tonnes of Class A and B drugs have also been
seized by police, as well as 55 sports cars, 73 luxury watches and over 28
million street Valium pills – a drug that has caused a number of deaths in
Scotland."

------
zhte415
Got a 2-year heads up
[https://hn.algolia.com/?q=encrochat](https://hn.algolia.com/?q=encrochat)

~~~
rusk
[https://news.ycombinator.com/item?id=16229863](https://news.ycombinator.com/item?id=16229863)

------
twic
> The messages "have given insight in an unprecedented large number of serious
> crimes, including [...] murders, thrashing robberies, extortions, robberies
> [...]" Dutch law enforcement said.

What are "thrashing robberies"? Is this an odd translation of some Dutch term?

~~~
Shikiju
Translates to "vernieling", which probably means vandalism in this context. But
most likely it's just aggravated robbery. It's a bad translation for sure.

~~~
the-dude
"Kapot maken" (breaking something) is what the Dutch police calls this.

If they get a hunch of a crime in preparation (killing/liquidation or
robberies), they might contact future victim and suspect to tell them they
are aware.

This usually is enough to stop the crime.

edit: my explanation does not seem to fit the context, will look into it.

------
Pick-A-Hill2019
Ouch. This is gonna hurt. For those that comment before/without rtfa a few
select quotes - " ... monitored and investigated "more than a hundred million
encrypted messages" sent between Encrochat users in real time"; "They're just
lifting people," another source close to criminal users of Encrochat told
Motherboard and (please excuse the NSFW direct quote) "People are fucked," one
of the sources who provided the documents to Motherboard said. Viewing this
from a purely technical stance, Wow & Ouch.

------
johnflan
If the GPS module and Cameras were removed from the devices - how were there
so many photos in the article?

------
sweeneyrod
Why would criminals use these kinds of apps rather than e.g. Signal?

~~~
save_ferris
It wasn’t just an app, Encrochat sold a modified android phone that had its
camera and GPS physically removed and its custom app pre-installed.

Based on the article, Encrochat didn’t sound like a fully legitimate company
and may have been run by criminals as well. The part I found interesting is
how these vendors often block competitor apps and services from working on
their phones, essentially requiring everyone to use the same type of modified
phone. This made life a lot easier for investigators once the network was
penetrated.

~~~
gruez
> It wasn’t just an app, Encrochat sold a modified android phone that had its
> camera and GPS physically removed

I doubt that provides significant value. Cameras aren't too hard to disable
yourself, just use black tape. They probably didn't disable the microphones,
which arguably provide at least more valuable information than a camera. They
removed the GPS module, but you can probably get the same info with better
accuracy by using wifi + cell phone signals. All in all, I think those
"features" are just there to make criminals feel better.

~~~
ponker
But it’s verifiable for your counterparty. If you’re on Encrochat you know
that your counterparty has no GPS in their phone.

~~~
gruez
But what's the threat model here? That your counterparty's phone has been
compromised? In that case they can be leaking location through wifi/cell
signals as mentioned earlier. There's also nothing preventing the counterparty
from carrying a gps-enabled phone with him, which would be trivially linked to
his Encrochat phone if he takes them both to the same locations.

------
k33n
Sounds like poor OpSec to me

------
kwhitefoot
The title makes it sound as though it was the police who were taking over a
global phone network _in order to facilitate_ organized crime.

Perhaps they meant to say: "How Police Secretly Took over a Global Phone
Network that was used for Organized Crime"

------
JackPoach
Yeah, the title could be better

------
randompwd
Fantastic. Maybe read the article before commenting:

"bUt EncRypTion is My rIGht/bIg sTATe/ITs jUST maths"

Encryption between groups without decryption available (on request) to outside
3rd parties is a poison chalice.

I'm in the EU, not in the US. I don't want any companies (esp. US companies)
deciding how EU daily lives unfold.

Delighted so many scumbags will be off the streets.

If they had access earlier, more crimes could have been prevented.

~~~
hamandcheese
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.

