
Hundreds arrested as crime chat network cracked - bogle
https://www.bbc.com/news/uk-53263310
======
Fiveplus
_Claims of said encrochat_ :

* Each message session with each contact is encrypted with a different set of keys. If any given key is ever compromised, it will never result in the compromise of previously transmitted messages – or even passive observation of future messages.

* Anyone can forge messages after a conversation is complete to make them look like they came from you. However, during a conversation the recipient is assured all messages received are authentic and unmodified. This assures non-reputability of messages.

* The algorithms employed are many times stronger than that of PGP (RSA+AES). We employ algorithms from different families of mathematics, which protects message content in the event that one encryption algorithm is ever solved.

* Messages do not employ digital signatures that provide third party proofs. However, you are still assured you are messaging with whom you think you are.

source: [https://encrochat.us/](https://encrochat.us/)

~~~
dkarp
> Each message session with each contact is encrypted with a different set of
> keys

Is this not a bad thing? Since transferring key-pairs is the weakest link on
these apps. To be really secure, wouldn't you want to do this as infrequently
as possible and ideally outside in person outside the app?

~~~
robmccoll
Sounds like they are trying to achieve perfect forward secrecy per message.
Typically you might do this with Diffie-Hellman using ephemeral derivation
pairs per session. This is good practice as if any one session key is broken,
that has no effect on the privacy of past or future messages encrypted under
different session keys. They seem to be claiming to use their own crypto based
on the parent comment (red flag) and no signature scheme over the top of it to
prove a consistent identity, so I'm not sure what they would be doing.
Establishing encrypted pipes over an observable medium is very doable, but
providing a way to trust that the party on the other end of the pipe is who
you think it is is the hard part as you pointed out.
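Added example, not part of the thread and not EncroChat's code: a Go sketch of the ephemeral Diffie-Hellman exchange described in the comment above, showing that each session gets its own key, that an unauthenticated exchange cannot tell a key-swapping relay from the real peer, and one way a long-term identity signature over the ephemeral key closes that gap. All names are hypothetical, and SHA-256 stands in for a real KDF.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the demo short; real code should return these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newEphemeral creates a throwaway X25519 key pair for exactly one session.
func newEphemeral() *ecdh.PrivateKey {
	return must(ecdh.X25519().GenerateKey(rand.Reader))
}

// sessionKey derives a symmetric key from the DH shared secret. SHA-256 over a
// label plus the secret is an assumption standing in for a KDF such as HKDF.
func sessionKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) [32]byte {
	secret := must(mine.ECDH(peer))
	return sha256.Sum256(append([]byte("demo-session-key"), secret...))
}

// Result records what each part of the demonstration observed.
type Result struct {
	SameWithinSession      bool // both ends derive the same key
	DiffersAcrossSessions  bool // a new session never reuses the old key
	RelaySharesBothKeys    bool // unauthenticated DH: relay holds a key with each end
	SignedKeyAccepted      bool // identity signature over the real ephemeral key
	SubstitutedKeyRejected bool // same signature does not cover a swapped key
}

func Demo() Result {
	var r Result

	// 1. Two sessions, fresh key pairs each time. Once the ephemeral private
	// keys are discarded, one leaked session key says nothing about the other.
	var keys [2][32]byte
	r.SameWithinSession = true
	for i := range keys {
		a, b := newEphemeral(), newEphemeral()
		ka, kb := sessionKey(a, b.PublicKey()), sessionKey(b, a.PublicKey())
		r.SameWithinSession = r.SameWithinSession && ka == kb
		keys[i] = ka
	}
	r.DiffersAcrossSessions = keys[0] != keys[1]

	// 2. The same exchange through a relay that replaces each public key with
	// its own. Each end completes a normal-looking handshake, but with the relay.
	alice, bob := newEphemeral(), newEphemeral()
	relayA, relayB := newEphemeral(), newEphemeral()
	ka := sessionKey(alice, relayA.PublicKey())
	kb := sessionKey(bob, relayB.PublicKey())
	r.RelaySharesBothKeys = ka == sessionKey(relayA, alice.PublicKey()) &&
		kb == sessionKey(relayB, bob.PublicKey()) && ka != kb

	// 3. Bob's long-term identity key (verified out of band by Alice) signs his
	// ephemeral public key, so a substituted key fails verification.
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(idPriv, bob.PublicKey().Bytes())
	r.SignedKeyAccepted = ed25519.Verify(idPub, bob.PublicKey().Bytes(), sig)
	r.SubstitutedKeyRejected = !ed25519.Verify(idPub, relayA.PublicKey().Bytes(), sig)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```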

------
sillysaurusx
If you wanted to get into the criminal drug trade, how would you start? Is
there a guide somewhere I can follow?

$13M in cash is an impressive amount. It makes me wonder: There must be all
kinds of operations happening around us daily, yet nobody knows about them.
And those operations need members. Where do they come from?

The inner workings of this stuff is fascinating. To be honest, I wish it were
possible to go observe the system in action as a spectator. I'd love to see
how the packaging is done, the supply lines, the transport logistics...

(I balance this with a deep hatred for cartels. If you trace these questions
far enough, it seems to often lead to "the cartels are at the center of it
all." And they're responsible for unspeakable miseries.)

To be clear, my question is: how is the knowledge necessary for such
operations preserved? I'm a programmer. I learned it from the internet. Where
do they learn? And these aren't street dealers. It's an organized, carefully
designed, well-oiled machine. How does this machine work? How does it survive
the loss of so many members?

~~~
hitpointdrew
> (I balance this with a deep hatred for cartels. If you trace these questions
> far enough, it seems to often lead to "the cartels are at the center of it
> all." And they're responsible for unspeakable miseries.)

This is why all drugs should be legalized (not just decriminalized,
decriminalization still leaves a black market). Cartels are meeting a demand,
but cartels make up their own rules and will do anything they want to stay
ahead.

Just legalize them, it solves so many problems.

1\. Quality and proper labeling (no more mystery drugs/dosages). Buyers know
exactly what they are getting, which would decrease the amount of OD's.

2\. Vast reduction in violent crimes (legitimate, licensed distributors are
very unlikely to have violent turf wars as this would jeopardize their
license). Black market would suddenly have no market (provided the taxes on
legal drugs aren't stupid), which means no money, which means there is nothing
to kill/fight over.

3\. Increased tax revenue

It is a win/win/win for everyone, I just don't get it....and please just don't
with the tear jerking "What about the children!" The kids will be fine. No
legalizing doesn't send a message that "drugs are OK". No it won't make them
more accessible to kids, please stop fearmongering you don't know what you are
talking about.

~~~
rafi_kamal
That can work for drugs with low abuse potentials, like psychedelics. But why
do you think drugs like heroin will benefit the society or the people who are
taking them?

~~~
DenisM
There is a different course of action for high-abuse drugs. Apparently in
Switzerland you can get an "addict" prescription from your doctor, and with
that prescription you can go to an injection clinic and get a free
professional injection of heroin and a bed to lie on.

The result of this is all drug dealers going bust, and no drug dealers - no
one to market the drug, so no new users. All addicts in Switzerland are now
old people, and as they die of related diseases and old age the Swiss are
having hard time keeping the clinics open because there are not enough takers
for free heroin.

I think all opiates can and should be taken care of this way. Not sure about
stimulants though - one doesn't just lie down on a clinic bed after a dose of
meth or crack. Maybe if regular coke is legalized people will give up meth and
crack?

~~~
Leherenn
You've never been to Switzerland if you think there are no drug dealers there.

I don't know about heroin, but there are something like 3/4 Swiss cities in
the top 20 for cocaine consumption based waste water sampling.

~~~
microtherion
There are, in fact, even heroin dealers in Switzerland, and of course all
sorts of other drugs are still being sold illegally, but compared to the early
1990s, before the heroin prescription policy, there is practically no visible
drug addict scene anymore.

------
secfirstmd
This story is surprising as there were rumours about 18 months ago that
EncroChat had been vulnerable. Esp when other similar services had been taken
down and targeted.

Random side story: Governments have become much more aware of the purposes of
these sorts of phones and seller.

About 18 months ago I was asked to meet with the sales people from a
specialist phone company like this one, they were interested in selling them
to the NGO/journalist market. I'm always happy to chat and test the utility of
interesting security tech and compare versus more common setups (locked down
phones, Signal etc). I've met a load of these sort of companies at trade shows
etc as I'm sure many here have but they wanted to meet in person as they were
in town talking to various potential clients. The product was decent enough
but way beyond the price of anyone in the sector would be able to afford.
Anyways the guys were nice and I genuinely didn't get a sense they
particularly up to anything bad...

However when I left the meeting (in a European capital) I had physical
surveillance all over me. Not a particularly good team, hence I detected them.
Totally caught me by surprise. Ran a hastily arranged surveillance detection
route and managed to confirm a few (no doubt there may have been more). At
first I thought it might be the company I had met doing it to me for some
weird reason. However as I thought through the tactics, people profile and
operational reason for doing it to me I can only assume that whoever the local
police were had been watching closely anyone who was meeting with the secure
phone providers (they were foreign to the country in question, so probably
came under more suspicion). No doubt this was because of the connection
between a lot of these sort of companies and the criminal underworld. (Again,
I didn't get the sense these particular sellers were up to no good, I just
thought it was an interesting perspective)

~~~
have_faith
> Ran a hastily arranged surveillance detection route

What did this entail?

~~~
Benjammer
I was so curious about this that I did some googling and read this article
about it: [https://protectioncircle.org/2016/05/25/surveillance-detecti...](https://protectioncircle.org/2016/05/25/surveillance-detection-on-yourself/)

~~~
secfirstmd
Ami's stuff is excellent. If you ping any of the resources in my bio I can
send you more if you are interested.

------
AHappyCamper
Is it just me or does the timing of this story seem a little fishy considering
the EARN IT act that US Senators are trying to push through?

[https://foundation.mozilla.org/en/campaigns/oppose-earn-it-a...](https://foundation.mozilla.org/en/campaigns/oppose-earn-it-act/)

~~~
donkeyd
Why would the Dutch and French police time the release of this information
with a US law proposal?

~~~
draugadrotten
Because that's how global politics and alliances work, sometimes.

~~~
donkeyd
Sure. Because Trump hasn't completely messed up any form of allegiance
Europe had to the US.

~~~
h0h0h0h0111
Ultimately Trump is just one (albeit powerful) dude - I imagine intelligence
and other agencies have built up relationships over a much longer period

~~~
donkeyd
Yes, they probably have, relationships based on trust. Using information for
political gain is not the type of stuff that allows that trust to continue
existing.

So for US politicians to both know and abuse this, someone in the US
intelligence community would have had to be willing to lose a lot of trust on
the EU side by both sharing the intelligence and allowing it to be used for
political gain and forcing the EU side to become their political puppet.

That doesn't seem reasonable to me, but who knows. If that's what happened
though, the US can forget any trust in the near future.

------
ColanR
Given the care with which the software was built, I wonder if the hardware
itself was compromised. The open hardware folks always talk about the
insecurity of the closed hardware in phones; I wonder if any official
narrative discussing a software exploit is simply a parallel construction. [1]

[1]
[https://en.wikipedia.org/wiki/Parallel_construction](https://en.wikipedia.org/wiki/Parallel_construction)

~~~
belorn
From a different article linked by a comment, the replies from the company
itself point towards a compromise between the phone and the update server.
The police got access through the SIM service provider and were able to inject
their own modified updates to the connected phones.

As a simple guess, I would suspect that the police managed to get a valid
certificate from the domain name used by the update server and through that
MiTM the connection. One of the comments from the company said "They
repurposed our domain to launch an attack", which would fit such a scenario.

Attacking the authentication of update functionality is also in my view the
usual suspect in cases like this. When a hardware device gets rooted it very
often is some kind of attack which allows people to push a modified update in
some way. The developer in this case would need to have designed the update
feature assuming that the domain name could be compromised, the SIM service
could be compromised, and that the path between their server and the phone
could be compromised. If they used cloud services for their servers then they
would also need to assume that the cloud provider could be compromised. People
can write software very carefully and still forget to account for one of
those.

------
lol768
I don't quite understand how this worked and the article is thin on details -
was there not E2E encryption between the participants?

> Our servers are node based and located all over the world; all input and
> output are true end-to-end encrypted. The Servers only initiate the tunnel.

Their own statement suggests a zero-day?

> Today we had our domains seized illegally by government entities. They
> repurposed our domain to launch an attack to compromise carbon units.

> With control of our domain they managed to launch a malware campaign against
> the carbon to weaken its security.

~~~
Cthulhu_
The other article I read about this is that law enforcement compromised the
service's servers and pushed an update to the clients, making them send
unencrypted messages, which allowed law enforcement to read them as they came
through in real time.

~~~
moduspol
Devil's advocate: Is there evidence law enforcement didn't start and run the
project from the beginning? If they did, I wouldn't expect them to come out
and acknowledge it.

I'm similarly skeptical of popular VPN apps.

~~~
chippy
Humans are often the weak link here. The most common scenario is that the
police had some control over the project due to a compromised person. I'd
wager that the police did not start the project, but soon after it was being
used for crime, they took over it.

I'm not sure it's possible for me to develop and run something with the
assumption that even if I turned police intelligence asset, that the product
would be untouched. Open source would help, and some kind of distributed,
decentralised thing maybe.

~~~
moduspol
I agree. That seems more likely. I doubt we'll be told, but I'd be interested
in the specifics. It seems like it might have ethical implications to take
over it without the blessing of the owner(s) of the company. After all, I
doubt they will be able to get many more customers now that it's widely known
that it was compromised by law enforcement. Arguably law enforcement destroyed
this company, which the owners might normally not be happy about.

It may be as simple as: the business wasn't making money and the owners wanted
out, so law enforcement bought it or paid them off. Then law enforcement isn't
really "compromising" the company--they're in control of it (whether the
employees know or not). At that point they can have the existing devs modify
it however they want, or just hire a few new devs.

------
alistproducer2
The moral of the story is there's no such thing as plug and play opsec. It
requires thought, patience and domain knowledge. You can't outsource it
because that contractor becomes your immediate and obvious weak link and will
be compromised. Whether it's El Chapo's IT guys or fools who thought a cell
phone company would keep them out of prison, this story just repeats itself.

~~~
charwalker
Exactly like The Wire plot with burner phones. As soon as compromised phones
made it into rotation, they were sunk.

------
rollulus
Do I sense some Brexit here? The BBC article mentions "The NCA worked with
forces across Europe on the UK's "biggest and most significant" law
enforcement operation.", while the Joint Eurojust-Europol press release [1]
doesn't mention the Brits at all, but calls it a Dutch / French operation.

[1]:
[http://www.eurojust.europa.eu/press/PressReleases/Pages/2020...](http://www.eurojust.europa.eu/press/PressReleases/Pages/2020/2020-07-02b.aspx)

~~~
djmobley
For what it’s worth, in an earlier statement to Vice, a company representative
claimed the attacks appeared to originate from the UK.

[https://www.vice.com/amp/en_us/article/5dz9qx/encrochat-hack...](https://www.vice.com/amp/en_us/article/5dz9qx/encrochat-hacked-shutting-down-encrypted-phone)

~~~
PoachedSausage
From Cheltenham perhaps?

------
vivekd
The article says the encryption was cracked on April 1st but apparently a
whistleblower said that the police used a warrant to get access to the
company's infrastructure back in March - which suggests to me that the whole
"cracked encryption" story might not be fully legitimate

[https://medium.com/@fordnic/evidence-suggests-encrochat-is-w...](https://medium.com/@fordnic/evidence-suggests-encrochat-is-working-with-the-nsa-and-other-authorities-281bfd05ed9e)

~~~
kjaftaedi
The encryption was likely 'cracked' by gaining access to the infrastructure
and then putting something in place to view the encrypted traffic... changing
keys to a known value, pushing out a custom software update, etc.

------
lifeisstillgood
The amazing thing here is this was a perfect piece of viral marketing - one
criminal presumably recommending / refusing to do business without another one
buying a new phone.

But it also has huge knock on effects - I mean there are 60,000 people
identified on here - and they won't be the bottom level of crime
organisations. I don't have a clear number but this must be a large chunk of
all established criminal networks in huge numbers of countries.

Seems to me the level of competition has dropped in the criminal industry - VC
opportunity perhaps :-)

------
unnouinceput
And the obvious conclusion, if you're a criminal, is that don't rely on others
to encrypt your comms. Either go with classic PGP or make your own layers (as
Schneier puts it).

But criminals are usually just dumb in regards to this, they are only "street
smart". Those who are "intellectual smart" don't do it. Or if they do they
don't get caught until they jump over the horse (see the current scandal with
2 billions "siphoned")

~~~
StavrosK
> don't rely on others to encrypt your comms. Either go with classic PGP or
> make your own layers

You're saying "don't rely on others to encrypt your comms" and then the very
next sentence says "use something someone else has made". Those two are
conflicting. "Making your own" is even worse, because cryptographers don't
usually have to resort to crime.

~~~
trabant00
There is making encryption tools and then there is using them. "don't rely on
others to encrypt your comms" means don't let others use encryption on your
behalf, it means encrypt it yourself. It also does not mean to make your own
encryption tool.

So your comment parent meant use a reputable tool yourself. And I would agree
with that.

~~~
StavrosK
I'm not sure what you mean. They were using a tool that encrypted their
communications, it just wasn't good. What's the difference between using
Signal and using what they were using, or using GPG and what they were using?

~~~
trabant00
I get the feeling you don't want to understand at this point, but ok, I'll
byte:

The difference is the action of encryption and decryption is completely
transparent to the user in the case of Signal or this thing they used. You
don't encrypt anything, you input plain text and then the system takes over
and you have to trust it. If the rumors are true the authorities compromised
the servers, pushed an update to the app and the encryption no longer
happened.

Just one example on how to do it yourself: using PGP you can use any hardware
(not a phone marketed to criminals) and keep it completely offline. And use a
phone (worst option but whatever) in which you input the encrypted thing
directly. So you don't have to trust the network device. Bonus: neither do you
have to use something that makes you stand out to authorities.

~~~
StavrosK
Okay, but unless you implement the encryption yourself, PGP can push an update
and use weak RNG input so that your message is decryptable, and you'd never
know.

"Don't rely on others" makes no sense for encryption, you have to rely on
others because it's too hard otherwise. You just have to pick trustworthy
others.

~~~
trabant00
PGP can not push an update in the example I offered. And I already explained
what was meant with "Don't rely on others" \- btw now I see you cut the quote
to fit your straw-man argument.

------
rxsel
Looks like another episode in the failed war on drugs. While this may look
“good” and someone will be able to say “look at those figures” in reality
we’re addressing a side effect of a much deeper issue.

~~~
neilsimp1
Am I happy guns are off the streets? Hell yes. Would I be happier with sane
drug laws so as to not necessitate a black market? Double hell yes.

~~~
luckylion
That wouldn't change anything regarding the guns or the amount of crime -
career criminals don't do it because they believe in selling drugs, they sell
drugs because it's an easy way to make money.

In that regard: keeping a black market for drugs may even be a good thing.
Otherwise they'd move on to other ventures that might be more harmful,
kidnapping, murder for hire etc.

~~~
yboris
That's a bold claim. Any empirical evidence on your side?

~~~
luckylion
That career criminals are career criminals, not ideological "prohibition is
bad, therefore I sell drugs" hippies? Are you serious?

~~~
yboris
"career criminal" is begging the question. You claim these people exist, and
by definition they are going to continue crime rather than find legitimate
ways of making money.

Furthermore, you're suggesting that when their way of making money through
crime disappears they will migrate towards _worse_ crime. That's a bold claim.

------
boffinism
Is there anywhere we can learn more about EncroChat? Google took me to
[http://encrophone.com/](http://encrophone.com/) which is now 403ing

~~~
codegladiator
Bing gives correct result

[https://encrochat.us/](https://encrochat.us/)

------
globular-toast
> Officers are said to have prevented people being murdered after covertly
> monitoring planned attacks and threats to life on the encrypted service.

Now they can't do that any more. It's a dilemma that British intelligence
faced a lot during the world wars: if they acted on information gleaned from
secret channel it would reveal to the enemy that the channel was compromised.
Makes me wonder how long they were monitoring and possibly letting crime take
place before deciding that now was the time to strike.

~~~
makomk
Not just during the world wars. British intelligence apparently faced the same
dilemma when infiltrating the IRA, and some of the results were quite ugly
(look up Stakeknife if you're interested).

~~~
secfirstmd
Very true. Though Stakeknife was also used in a way to remove hardline
individuals seen as problematic to the more pragmatic parts of the Republican
movement who were open to negotiate and protect other sources higher up. With
obviously terrible consequences for many innocent people.

------
bobdole12345
I think the take home message is: Police had a way to intercept these
communications, but they managed to have that information leaked before they
could finish their operation, only managing success because it was already too
late for most of the participants.

Sort of illustrates the futility of giving the police keys to access
communications, when the number of times they pull this off without a leak is
near zero.

------
trabant00
Ofc we are going to get no details on how they managed to penetrate the
network.

The real question for me is how the criminals trusted the product.

~~~
raxxorrax
Allegedly they captured the servers and compromised the clients through an
update. The trust was probably due to not getting caught for a while.

------
mellosouls
More info:

[https://www.vice.com/en_us/article/3aza95/how-police-took-ov...](https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked)

~~~
crispyporkbites
This contains some really interesting info. Basically someone (i.e. a
government, likely the Dutch) managed to install malware on a bunch of the
phones.

Each phone only communicates with other phones in the network so once they got
one zero-day and put malware on a phone and could spread it, it could spread
very quickly.

------
londons_explore
Might encrochat and its shareholders have a case against various european
governments here?

Are they supposed to simply accept that the government will hack into their
servers and users devices with no compensation?

~~~
consp
Considering they operated in France and the Netherlands and even 'had a shop
there' (whatever that means): Yes, but looking at all the articles I'm pretty
sure they are also building a case against EncroChat for participating or
actively facilitating criminal behavior, in which case the point is moot
anyway.

Some requests can be made to ask you participate making you sort-of free of
prosecution as you are cooperating, but I doubt they would do that with
companies with shady structures and owners.

~~~
thu2111
EncroChat is not an app you get from an app store. It came with the
EncroPhone, which are physical Androids you rent for some absurdly high price
(like $3000/year-ish). And EncroPhone didn't sell online. You had to get them
via a reseller i.e. someone you knew, or they had a few physical stores in the
Netherlands.

------
PoachedSausage
These tactics are as old as international drug smuggling itself. Howard
Marks(Mr Nice)[0] says in his book that he stationed one of his associates in
Amsterdam to operate as a communications node, he finds out later that the
Dutch police had tapped the phone lines within weeks.

[0][https://en.wikipedia.org/wiki/Howard_Marks](https://en.wikipedia.org/wiki/Howard_Marks)

------
orthoxerox
If we mentally replace criminals with dissidents and France/Britain with PRC,
what could EncroChat have done differently to shield its users?

~~~
draugadrotten
Compartmentalize into small groups aka cells. It is centralizing around
EncroChat which was the mistake here. All the eggs in one basket will always
carry this type of risk.

There is also another difference. Drug dealers usually want to get rich, and
have no real interest in any larger cause than their own profit.

Dissidents are sometimes willing to sacrifice themselves for the larger cause.
What is important for such a dissident is not that nobody gets caught, but
that the events are beneficial for the cause and that certain key individuals
are protected. Even martyrdom is useful for a dissident, but rarely to a drug
dealer.

Dissidents should keep working in cells to minimize the risk of discovery. The
drop hollows the stone is the working principle for dissidents. The most
influential dissident may have a very small network of contacts but with a
large fan-out a few layers down. This tactic is for example how Bin Ladin was
able to stay in hiding, he was meeting very few people and it was hard to find
him because of that even when he was the top target.

~~~
secfirstmd
In reality the nature of drug dealing would make it tricky to implement a cell
structure. If you look at the IRA, implementing it meant in theory it was very
hard for one cell to know another and only certain parts would supply arms,
intelligence etc. This resulted in a drop in attacks for a long time because
of the difficulties in keeping to that. Though it did of course decrease
infiltration for awhile. Until the UK found the weaknesses and targeted those
who had permission to oversee and deal with everything - the internal security
section and leadership.

Drugs is a much more dynamic industry where at some points there is a need
for a lot of contact, travel, managing big groups of individuals... Not that it
couldn't work that way but it would be very hard when people are out making
money all day rather than at home in a dissident sense waiting months/years
until a short/fast operation.

------
draugadrotten
Screen shot of EncroChat message claiming authorities seized their domain
names and compromised their "carbon" units with malware.

[https://twitter.com/Borisuithetbos/status/127173017995886592...](https://twitter.com/Borisuithetbos/status/1271730179958865920?s=20)

~~~
Nextgrid
Seems like they didn't sign software updates with an offline key and relied on
the transport (TLS via the domain) to authenticate them.

If they used an offline key (GPG?) to sign updates, a compromised transport
wouldn't have allowed an attacker to deploy malicious updates to the devices.
That's exactly how most Linux distributions operate, the mirrors themselves
are untrusted and packages are often fetched via unencrypted HTTP, but that
doesn't matter because the signatures are checked independently of the
transport.
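Added example, not part of the thread and not EncroChat's code: a Go sketch of the update check described in the comment above and in belorn's earlier comment, where a device pins an offline signing key and verifies a signed manifest regardless of which server, domain or mirror delivered the files. The manifest layout, names and fixed-seed keys are constructed for the demo, and the version (rollback) check goes one step beyond what the comments state.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned offline key")
	ErrDigest       = errors.New("payload does not match the signed digest")
	ErrRollback     = errors.New("version is not newer than the installed one")
)

// Manifest is the only thing the offline key signs: a version and a payload hash.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// signedBytes is the canonical encoding covered by the signature.
func (m Manifest) signedBytes() []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	b := append([]byte("update-manifest-v1:"), v[:]...)
	return append(b, m.Digest[:]...)
}

// Update is what the untrusted server or mirror hands to the device.
type Update struct {
	Manifest Manifest
	Sig      []byte
	Payload  []byte
}

// Sign runs on the offline signing machine, never on the update server.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	return Update{Manifest: m, Sig: ed25519.Sign(priv, m.signedBytes()), Payload: payload}
}

// Device pins the vendor public key in its firmware image.
type Device struct {
	Pinned    ed25519.PublicKey
	Installed uint32
}

// Apply accepts an update only if every check passes, whatever channel delivered it.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.Pinned, u.Manifest.signedBytes(), u.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Payload) != u.Manifest.Digest {
		return ErrDigest
	}
	if u.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Manifest.Version
	return nil
}

// Scenario feeds one device a genuine update and three that a party in control
// of the server, domain or network path could deliver. It returns each verdict
// and the version the device ends up running.
func Scenario() (map[string]error, uint32) {
	// Constructed demo keys from fixed seeds; real keys come from a CSPRNG.
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	dev := &Device{Pinned: vendor.Public().(ed25519.PublicKey), Installed: 1}

	out := map[string]error{}
	out["genuine v2"] = dev.Apply(Sign(vendor, 2, []byte("release 2")))

	// Server-side change: valid v3 manifest and signature, different payload.
	swapped := Sign(vendor, 3, []byte("release 3"))
	swapped.Payload = []byte("release 3 with modified code")
	out["swapped payload"] = dev.Apply(swapped)

	// Whoever holds the domain and its TLS certificate signs with their own key.
	out["foreign key"] = dev.Apply(Sign(other, 3, []byte("modified build")))

	// Replay of an old, genuinely signed release.
	out["replayed v1"] = dev.Apply(Sign(vendor, 1, []byte("release 1")))
	return out, dev.Installed
}

func main() {
	results, installed := Scenario()
	for _, name := range []string{"genuine v2", "swapped payload", "foreign key", "replayed v1"} {
		fmt.Printf("%-16s -> %v\n", name, results[name])
	}
	fmt.Println("installed version:", installed)
}
```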

------
onetimemanytime
Too risky to use such services. As soon as they become too big, they have
nation state resources thrown at them...and they're without Google or FB
resources to defend.

If all else fails, DEA-like agencies can easily offer employees millions of
dollars for keys or assistance to plant bugs, offer immunity and so on. Very
hard to resist.

~~~
cynusx
It's interesting that law enforcement can hack it but eventually they have to
burn the network because they have to make arrests using the information.

They should buy/hack all these companies and then run false flag operations to
hide the fact they own the comms.

Like the Germans never realized that Enigma was hacked.

~~~
onetimemanytime
They do it but at some point they have to arrest...and warn Johnny that he
will be killed this Saturday.

------
nujabe
Dumb question....but would they have been better off using Signal? Assuming a
burner sim for registration.

~~~
kybernetikos
Signal is installed from the platform stores, which have the ability to push
updates. As far as we can tell, the compromise was done via a pushed update.
It's likely that Signal wouldn't have helped.

~~~
cesarb
On Android, I recall that updates to a package must be signed by the same key
as the package being updated, otherwise the device itself will reject the
update. Doesn't that mean that only the Signal developers (who are the ones
who signed the original package) would be able to create a compromised update?

~~~
kybernetikos
That is likely what happened in this situation (although I don't have
details).

------
JoeAltmaier
Confused: OP says the service was taken down. That seems the most significant
part of this action, even beyond the criminal arrests. Is an encrypted
communications company liable/responsible if criminals use their product?
Surely there were many, many legitimate users e.g. lawyers, business
negotiators, lovers. Can the 'bad apples' be laid on the communication
company's doorstep? If so, why not Facebook, Zoom or even Apple?

Why is HN not addressing this point? Instead of speculating about criminal
activities etc.

~~~
bladegash
It’s hard to say. At least in the U.S., there has been some precedent
relatively recently where companies knowingly facilitating criminal activity
can be subject to prosecution. They could probably argue that they didn’t have
access to the contents of communications so they were unaware of the
criminal activities. However, they (it’s unclear if it was resellers or the
company doing this) actively marketed to criminals, via ad placements on
websites known to be used for criminal activity. Needless to say, it’s a
pretty complicated situation in terms of liability.

~~~
JoeAltmaier
See? The websites "known to be used for criminal activity" were ok somehow, but
not this company. Were the ISP or site hosting organizations shut down? Why
not?

And selling communications equipment to a criminal - maybe they wanted to talk
to their sweetie without being monitored. They also bought a bagel and took a
taxi ride. Is the bagel store shut down too? The taxi company?

There's lots to talk about here.

~~~
bladegash
I think there needs to be a certain level of reasonableness when tracing back
liability. I mean, why stop at the ISPs? Why not take it all the way up to
RIPE for allocating IPs to the company? Or how about the telecommunication
companies that used government allocated RF spectrum to facilitate the
communications. In that case, the telecoms and the Government(s) themselves
should be liable.

As for people wanting to talk to their sweetie without being monitored, I
believe authorities have already said people who were using the services for
legitimate purposes may request to have their communications excluded from any
legal proceedings and naturally, won't be prosecuted just for using the
devices.

~~~
JoeAltmaier
Yes, of course, the criminal side is well understood. Except, of course, the
massive wiretapping without a warrant part.

Gun sellers have been pretty safe from prosecution for selling a gun that gets
used in a crime. Why not encrypted communications companies? That's the
distinction I wonder about. (Hopefully using the 'g' word won't further derail
the conversation)

~~~
bladegash
Yeah, I get where you’re coming from. So the case I was referring to earlier
as a recent example, was Backpage. I think there are some key elements that
need to be met, but you can see with that case where lines can be crossed. I’m
not arguing encrypted communication companies should be liable for all
activities using their service. However, if a company specifically markets to
criminals, in my mind, that gets really close to crossing a line.

I think it’s the difference between facilitation and knowingly facilitating.
With the gun store example, if the person purchasing the weapon said “I’m
going to go kill someone, can you tell me which gun would be best for that?”,
the gun store would be absolutely liable if they sold them the gun.

~~~
JoeAltmaier
Gun stores have expertise in 'personal protection' weapons. They sell guns to
people _all the time_ with the express intention of being easiest to use and
the most fatal.

I'd say, marketing to criminals seems pretty close to the line, but depending
on the conversation it's no closer than the 'personal protection' sale? As long
as they're not advocating "use this to break laws", they're just selling
privacy. Like selling a fence for your yard or padlocks for your house. No
natural illegal nature to those sales. Even if they ultimately get used to
conceal crimes etc.

------
gruez
> EncroChat sold encrypted phones with a guarantee of anonymity, with a range
> of special features to remove identifying information. The phones themselves
> cost roughly £900 (€1,000) each, with a subscription costing £1,350 (€1,500)
> for six months.

That's pretty pricey for what's basically a chat app. Is there a reason why
they were able to command such a high price even though there are plenty of
free/open source solutions on the internet? Marketing? Trust? Criminals
thinking more $$$ = better?

~~~
Nightshaxx
When you have a ton of money and you aren't super technically savvy, you don't
always make the right decisions.

------
ideals
December 2017 - encrochat hacked

[https://encrochathacked.wordpress.com/2017/12/09/encrochat-h...](https://encrochathacked.wordpress.com/2017/12/09/encrochat-hacked/)

[https://www.vice.com/en_us/article/mbpyea/encrochat-secure-p...](https://www.vice.com/en_us/article/mbpyea/encrochat-secure-phone-hacking-video)

The writing was on the wall and it was ignored

------
tda
Some more background:
[https://alarmeringen.nl/gelderland/well-gelderland/123823-li...](https://alarmeringen.nl/gelderland/well-gelderland/123823-live-acces-to-criminals-in-the-netherlands.html)
Not sure if it was the Dutch or French police that did the actual hack, anyone
have details on this?

Apparently the investigation was code named 26Lemont

~~~
alibert
The Europa article links to this document in French:
[http://www.eurojust.europa.eu/press/Documents/2020-07-02_Enc...](http://www.eurojust.europa.eu/press/Documents/2020-07-02_EncroChat-investigation-in-France_FR.pdf)

Some parts:

> "From 2017 onward, phones using the EncroChat secure communication system
> were detected by the Informatique Électronique (INL) department of the
> Institut de Recherche Criminelle de la Gendarmerie Nationale (IRCGN)"

The first devices using EncroChat were discovered in 2017.

> "The JIRS of Lille took up the investigation into the EncroChat encrypted
> communication solution because of the location of the servers that keep it
> running."

Special section JIRS in France was mandated to investigate because the servers
used by EncroChat were hosted in the north region of France.

> "a device whose design and operation are covered by national defence
> secrecy, but which was received and deployed by a service authorised by law
> to do so, the Service Central de Renseignement Criminel de la Gendarmerie
> Nationale (SCRC) of the Pôle Judiciaire de la Gendarmerie Nationale (PJGN),
> pursuant to article D15-1-6 of the Code de procédure pénale."

The "device" (not necessarily a hardware device) used to intercept comms is
classified but was "received" and "deployed" by "Service Central de
Renseignement Criminel de la Gendarmerie Nationale".

So it was deployed by French police but it's not clear if they made it.

------
zelly
Anyone got a copy of the APK? Let's decompile it

~~~
ccvannorman
I wish more HN threads were of this particular flavor!

[insert "can we run DooM on it?" joke]

------
crispyporkbites
Now that Encrochat is gone, if anyone fancies playing ethical hacker:

- buy one of these
[https://omertadigital.com/collections/frontpage/products/the...](https://omertadigital.com/collections/frontpage/products/the-signature-magnum-opus-ultimate-privacy-package-with-encrypted-smartphone-sim-card-mobile-data?variant=33265453596808)

- find a zero day

- install malware

- ???

- Profit!

------
ximeng
[https://www.vice.com/en_us/article/wjwbmm/inside-the-phone-c...](https://www.vice.com/en_us/article/wjwbmm/inside-the-phone-company-secretly-run-by-drug-traffickers)
this is another crazy story about links between secure phone companies and
organised crime including torture and murder

------
praptak
I guess the lesson here is clear: don't overrely on technology.

There are tried and tested methods for running a covert organisation and they
all rely on organisational resilience rather than ultra clever tech. Also,
don't reuse channels - actual intelligence operations failed because of
breaking this rule.

------
upofadown
These days messaging security pretty much comes down to end point security ...
and end point security is terrible.

If you want to be sure you have to do some sort of air gapping, either with
something like a Yubikey, or even better, with a dedicated device with a
screen and keyboard.

------
thu2111
Predicted a few weeks ago, before any news of this came out:

[https://moderncrypto.org/mail-archive/messaging/2020/002586....](https://moderncrypto.org/mail-archive/messaging/2020/002586.html)

------
reedwolf
A few years ago I decided that all of the encryption in the world isn't going
to protect you from state-actors.

Even if your software is perfectly implemented (it won't be), your hardware is
mostly a black box.

~~~
jrexilius
Complex systems are the core problem. Hardware, firmware, third-parties and
black boxes all over, live updates, OS, apps, network, etc. etc. The upside is
that it also makes them heterogeneous which is more difficult to roll en masse.

------
jacquesm
You're only hearing about this now because the cat was out of the bag as of a
couple of weeks. If not for that the data gathering would have continued and
more people would have been caught.

------
dillonmckay
This sounds like a plot device from the most recent season of _Westworld_.

------
ur-whale
"several dozen guns"

------
pjc50
This is going to make arguing against EARN-IT a lot harder just now.

~~~
jacquesm
No, it actually weakens it.

