The Feds Cracked El Chapo's Encrypted Comms Network by Flipping His System Admin (gizmodo.com)
89 points by lnguyen on Jan 9, 2019 | 36 comments

I'm curious about this encrypted VoIP network. I've never heard of an off-the-shelf product like that, so was it custom-written? What was the interface like?

The source NYT article has some more details, but not enough to answer these questions:

  One of Mr. Guzmán’s Colombian suppliers, Jorge Cifuentes, 
  who introduced the kingpin to the I.T. expert, testified 
  last month that Mr. Rodriguez had promised to arrange 
  secure communications for what amounted to the entire 
  cartel’s leadership. His system operated on VoiP, or voice 
  over internet protocol, Mr. Marston said on Tuesday, and 
  was accessible only to those within the network. According 
  to Mr. Cifuentes, Mr. Guzmán was able to sign in through 
  Wi-Fi even from his hide-outs in the Sierra Madre 

According to this [1] Dutch article, they used a private BlackBerry server.

[1] https://www.volkskrant.nl/nieuws-achtergrond/nederlandse-pol...

Asterisk has had SIP/TLS for 5 years now. I've tried it a few times, and it's not too bad with ECDSA or smaller RSA keys.


Why can't it be a common off-the-shelf VoIP server with a custom deployment? e.g. a Mumble server behind TLS with client authorization?

I have a tinc + asterisk setup to my cell phone (for my personal/home line) and openvpn + asterisk to desk Yealink phones (They have built-in openvpn clients) (for business)

Fairly easy to maintain + grow once you get some basics out of the way. The net result is that all the signaling + transport is encrypted as far as non-VPN nodes are concerned.

I’d love to know about this setup! What hardware you run it on and where you get the #’s from for the home line. Trying to set up something like this for myself at home and business. Thank you!!

The business line has a T1, and a Sangoma Vega 100 T1/SIP gateway, with SIP trunking service from https://voip.ms as a backup if there's trouble w/ the T1. (My personal phone service is just voip.ms at this point)

Yealink T23P phones have an OpenVPN client built in (some newer Grandstream phones do too); these are relatively inexpensive VoIP desk phones. Once you configure them and an OpenVPN server, you can plug them in anywhere you have internet (NAT'ed or otherwise) and not have to worry about NAT traversal or other issues.

Asterisk is just running on a stock PC. I'm running on a Supermicro board with an Atom processor, and for our call volume (50 extension phones, 23 inbound lines, 30 on an inbound call queue, 3 simultaneous calls average, 15 @ our known peak, no transcoding (all uLaw)). The OpenVPN server is a separate machine; for lighter usage the VPN + Asterisk could probably be the same machine.

For the cell phone, I have CSipSimple running there, with an OpenVPN client to connect to the network.

In my configuration, the phones + Asterisk are not using SSL/TLS directly, but the VPN secures the traffic over untrusted LANs.

Calls within the system are on the protected LAN, but once they reach out to the PSTN, all bets are off.

I've set up a smaller office with a Raspberry Pi 3 and a Grandstream SIP/Analog Gateway (7 Grandstream phones, 3 lines, no transcoding, not very heavy use), and they haven't had any complaints. (see http://www.raspberry-asterisk.org/) If they used SIP trunking over their internet connection, they wouldn't need the SIP/Analog gateway, which was the single most expensive piece of equipment in this setup (@ US$399-ish).
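The setup described above protects SIP and RTP by running them over a VPN rather than enabling SIP/TLS and SRTP in Asterisk itself, which is exactly the kind of design decision that tends to drift over time (a transport bound to the wrong interface, an endpoint added without media encryption). As an added example, not code from the thread or from the Asterisk project, here is a small auditor for pjsip.conf that flags cleartext signaling and unencrypted media, and that accepts a plaintext transport only when it is bound inside a trusted VPN range. The three sample configs, the 10.8.0.0/24 tunnel range and the certificate paths are constructed for the demo; the keys checked (`protocol`, `bind`, `method`, `cert_file`, `priv_key_file`, `media_encryption`, `media_encryption_optimistic`) are real pjsip.conf options, but templates and section inheritance are not resolved by this parser.

```python
import ipaddress
import re

# TLS "method" values that do not pin a modern minimum protocol version.
WEAK_TLS_METHODS = {"default", "sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1_1"}

# Constructed sample: cleartext SIP over UDP and no SRTP (the weak setting).
WEAK_CONF = """[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[6001]
type=endpoint
context=internal
transport=transport-udp
media_encryption=no
"""

# Constructed sample: SIP/TLS transport plus SRTP (the corrected setting).
HARDENED_CONF = """[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt   ; placeholder paths
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2

[6001]
type=endpoint
context=internal
transport=transport-tls
media_encryption=sdes
"""

# Constructed sample of the VPN design: plain SIP/RTP bound to a tunnel address.
VPN_CONF = """[transport-vpn]
type=transport
protocol=udp
bind=10.8.0.1:5060

[6001]
type=endpoint
context=internal
transport=transport-vpn
media_encryption=no
"""


def parse_pjsip(text):
    """Return [(section_name, {key: value})], keeping duplicate section names
    because pjsip.conf reuses one name for endpoint/auth/aor blocks.
    Templates '(!)' and inheritance '(tpl)' are not resolved here."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment
        if not line:
            continue
        match = re.match(r"^\[([^\]]+)\]", line)
        if match:
            current = (match.group(1), {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return sections


def _bind_is_trusted(bind, trusted_nets):
    """True if a bind of the form 'ip:port' or '[ip6]:port' sits inside a VPN range."""
    host = bind.rsplit(":", 1)[0].strip("[]") if bind else ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def audit(conf_text, trusted_nets=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, transports = [], {}
    sections = parse_pjsip(conf_text)
    for name, kv in sections:
        if kv.get("type") != "transport":
            continue
        proto = kv.get("protocol", "udp").lower()
        trusted = _bind_is_trusted(kv.get("bind", ""), trusted_nets)
        transports[name] = (proto, trusted)
        if proto in ("tls", "wss"):
            method = kv.get("method", "default").lower()
            if method in WEAK_TLS_METHODS:
                findings.append(f"[{name}] method={method} does not pin a minimum TLS version; use tlsv1_2")
            for required in ("cert_file", "priv_key_file"):
                if required not in kv:
                    findings.append(f"[{name}] TLS transport is missing {required}")
        elif not trusted:
            findings.append(f"[{name}] protocol={proto} carries SIP signaling in cleartext outside the VPN")
    for name, kv in sections:
        if kv.get("type") != "endpoint":
            continue
        proto, trusted = transports.get(kv.get("transport"), ("udp", False))
        if trusted:
            continue  # signaling and RTP both ride the tunnel, as in the setup above
        enc = kv.get("media_encryption", "no").lower()
        if enc not in ("sdes", "dtls"):
            findings.append(f"[{name}] media_encryption={enc}: RTP audio is not protected by SRTP")
        elif enc == "sdes" and proto not in ("tls", "wss"):
            findings.append(f"[{name}] SDES keys travel in cleartext SDP because the transport is not TLS")
        if kv.get("media_encryption_optimistic", "no").lower() == "yes":
            findings.append(f"[{name}] media_encryption_optimistic=yes allows silent fallback to plain RTP")
    return findings


if __name__ == "__main__":
    for label, conf, nets in (("weak", WEAK_CONF, ()), ("hardened", HARDENED_CONF, ()),
                              ("vpn", VPN_CONF, ("10.8.0.0/24",))):
        print(label, audit(conf, nets) or "no findings")
```

The SDES check is the one worth remembering: `media_encryption=sdes` puts the SRTP keys into the SDP body, so it only helps when the SIP leg itself is TLS or tunnelled; otherwise the media is encrypted with keys that went over the wire in the clear.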

I'd like to follow your steps and set up something similar, but I'm completely a noob. Where is the best place to start?

I would imagine this is just a standard open source SIP server or something plus VPN, with encryption turned on.

IMO, the article was a little breathless in its reporting.

I wonder if the encryption here is just SRTP/ZRTP.

I remember an article on HN about disappearing techs who were kidnapped by cartels to build them a custom telecoms network or something. Wondering how related this could be to that.

Edit - found the article:


> Amid the accounts of corruption, murder, and drug smuggling, Vice News’ Keegan Hamilton wrote on Twitter, there was a brief moment of levity when lights in the courtroom went out. When the electricity returned, someone shouted “He’s gone!”, referring to Guzmán’s habit of escaping from prison. “Everybody laughed, except maybe the U.S. Marshals,” Hamilton wrote.

It's interesting how even such a serious situation as this can have these moments of laughter.

The article mentions that the server was moved to the Netherlands, but not the reason. According to the Dutch press, it was because the FBI asked for it, since we're not so difficult about installing wiretaps on the internet [1].

[1]: https://www.volkskrant.nl/nieuws-achtergrond/nederlandse-pol...

Asking for a ... friend. What is the mitigation against attacks like this? Seriously, it would appear that every organization is at risk of having a trusted insider hand over keys to a competitor, criminals, etc. There must be a way to detect or protect against this, right?

Dual control (aka the two-man rule), separation of duties (the person who requests a change isn't allowed to approve/implement it), mandatory vacation, etc. These policies have existed in fields like finance for a while.

Don't do the crime if you can't do the time.

The battleground in crypto is so often around crypto key management. With the Snowden revelations, it was obvious that the NSA strategy is going after keys in targets' key management systems first.

Then cryptanalysis becomes O(n).
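The dual-control answer above and this comment's point about keys being the real target describe the same control from two sides: if the server's master key is never held whole by one person, a single flipped admin has nothing complete to hand over, and the cost of the attack rises from recruiting one insider to recruiting a quorum. As an added example, not code from the thread or from any product it mentions, here is a threshold custody scheme using Shamir secret sharing over GF(2^521 - 1), with a hash commitment so that a reconstruction from wrong or too few shares fails loudly instead of silently producing garbage. The 2-of-3 split, the admin/escrow roles and the demo key are constructed; a production deployment would normally get this from an HSM's quorum feature rather than hand-rolled code.

```python
"""Dual control for key material with Shamir secret sharing (added example)."""
import hashlib
import secrets

# GF(p) with the Mersenne prime 2^521 - 1: large enough to hold a 256-bit key
# as a single field element, so no chunking is needed.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(P) by Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split `secret` (bytes) into n shares, any k of which reconstruct it.
    Returns (shares, commitment); the commitment lets a reconstruction be
    verified without exposing the secret to the share holders."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret;
    # k-1 shares reveal nothing because every constant term is equally likely.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]
    return shares, hashlib.sha256(secret).hexdigest()


def recover_secret(shares, length, commitment):
    """Lagrange-interpolate the polynomial at x=0 from the given shares and
    return the secret as `length` bytes. Too few shares yield a random field
    element, which the commitment check turns into an explicit error."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    try:
        secret = s.to_bytes(length, "big")
    except OverflowError:  # random 521-bit value from a short share set
        secret = None
    if secret is None or hashlib.sha256(secret).hexdigest() != commitment:
        raise ValueError("reconstruction failed: wrong or too few shares")
    return secret


def demo():
    """Two-of-three custody for a constructed 256-bit key: two holders must
    each present their share before the key exists anywhere in memory."""
    key = secrets.token_bytes(32)  # constructed demo key, not a real one
    shares, commitment = split_secret(key, 2, 3)
    admin_a, admin_b, escrow = shares
    return recover_secret([admin_a, escrow], 32, commitment) == key


if __name__ == "__main__":
    print("2-of-3 reconstruction ok:", demo())
```

The shares themselves still need protecting (an admin's share in a password manager, the escrow share offline), and the reconstructed key should live only in the process that needs it, but the threshold makes the "one trusted person walks out with everything" failure mode in the article structurally impossible rather than merely against policy.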

Actually there are a few providers that do encrypted VoIP, or more specifically encrypted SIP. Telnyx offers a private infrastructure deployed around the world with low latency and really good call quality.


Well, we know at least one guy who is going to be dead shortly.

Oh they turned him to their side. I was wondering how he could give away anything while they showed him the finger(s) :D

DEA/FBI offers/can offer millions to cooperating witnesses and a new identity. Or life in prison. Or death at the hands of the cartel if they find out about the chat. They kinda make it very easy to choose.

Jorge Salcedo that took down Cali cartel got million$ for his cooperation.

>>"Jorge Salcedo that took down Cali cartel got million$ for his cooperation."

Do you have any source for that? Because I recently read an interview [1] with the guy, and I didn't get the impression he was doing so well financially.

[1] - https://ew.com/tv/2017/09/03/narcos-jorge-salcedo-interview/

"Fortunately I had the means to start a company." In your link, towards the end.

"Thanks to Salcedo, the entire Cali cartel hierarchy was extradited. For his service, the relocated Colombian received rewards of about $1.7 million." https://www.seattletimes.com/nation-world/a-daring-betrayal-...

Not sure if he gets any ongoing salary...but paying makes sense for the Feds in every way. They save resources since the boss will be jailed and collect cash in fines.

The question is, how do these people avoid vengeful followers of the former cartel bosses?

Presumably, the same way Mafia informants do - witness protection. The government spirits them away and sets them up with an entirely new identity. There have been some leaks, but generally these people just disappear and become someone else.


That is a good question. And I'm sure it's because the reality isn't much like what we perceive from TV and movies. And cartels and crime organizations are far from omnipotent.

They don't have infinite resources. And if they can't get at a person easily, trivially even, maybe it's just not worth the effort a lot of the time. Especially once the damage has been done.

It's not just TV and movies. Go Wiki browsing on organized crime some time. Here's [1] a fun starting point. These organizations go through extensive efforts, which at times have included things such as flipping decorated law enforcement officers, to 'get revenge'. I put that in quotes because I'd imagine it's not really about revenge, at least not entirely. It's the criminal analog of law enforcement. If you don't enforce your laws, there will be an increasingly large number of people that break them. And similar to a law, it's not just the penalty people factor into consideration, but also the probability of getting caught.

[1] - https://en.wikipedia.org/wiki/List_of_criminal_enterprises,_...

You're dead anyway. Or jailed and possibly killed there. With the USA on your side you have a better chance of living a life close to normal, relatively speaking.

I guess that Sinaloa will put this guy #1 or close to it (maybe the Flores twins beat them to #1) on their revenge list. 20-50 kilos of cocaine to the sicarios...a drop in the bucket since they buy for $2k a kilo or so.

I assume getting paid is combined with witness protection, or you'd be right, they're screwed.

I hope this guy is in witness protection!

The feds didn't crack it; I recall from the NYT article that the encryption keys were handed over by someone who flipped.

Servers were in Canada?? Interesting.

Reminds me of https://xkcd.com/538/

No matter the technological sophistication, humans will always be the weakest link in any secure system.

God, I recognise that specific comic just from the number in the url...
