I'm curious about this encrypted VoIP network. I've never heard of an off-the-shelf product like that, so was it custom-written? What was the interface like?
The source NYT article has some more details, but not enough to answer these questions:
> One of Mr. Guzmán’s Colombian suppliers, Jorge Cifuentes, who introduced the kingpin to the I.T. expert, testified last month that Mr. Rodriguez had promised to arrange secure communications for what amounted to the entire cartel’s leadership. His system operated on VoiP, or voice over internet protocol, Mr. Marston said on Tuesday, and was accessible only to those within the network. According to Mr. Cifuentes, Mr. Guzmán was able to sign in through Wi-Fi even from his hide-outs in the Sierra Madre mountains.
I have a tinc + asterisk setup to my cell phone (for my personal/home line) and openvpn + asterisk to desk Yealink phones (they have built-in openvpn clients) (for business).
Fairly easy to maintain + grow once you get some basics out of the way. The net result is that all the signaling + transport is encrypted as far as non-VPN nodes are concerned.
I’d love to know about this setup! What hardware you run it on and where you get the #’s from for the home line. Trying to set up something like this for myself at home and business. Thank you!!
The business line has a T1, and a Sangoma Vega 100 T1/SIP gateway, with SIP trunking service from https://voip.ms as a backup if there's trouble w/ the T1. (My personal phone service is just voip.ms at this point)
Yealink T23P Phones have an OpenVPN client built in (some newer Grandstream phones do too), these are relatively inexpensive VoIP desk phones. Once you configure them, and an OpenVPN server you can plug them anywhere you have internet (NAT'ed or otherwise), and not have to worry about NAT Traversal, or other issues.
Asterisk is just running on a stock PC. I'm running on a Supermicro Board with an Atom processor, and for our call volume (50 extension phones, 23 inbound lines, 30 on an inbound call queue, 3 simultaneous calls average, 15 @ our known peak, no transcoding (all uLaw)). The OpenVPN server is a separate machine, for lighter usage the VPN + Asterisk could probably be the same machine.
For the cell phone, I have CSipSimple running there, with an OpenVPN client to connect to the network.
In my configuration, the phones + Asterisk are not using SSL/TLS directly, but the VPN secures the traffic over untrusted LANs.
Calls within the system are on the protected LAN, but once they reach out to the PSTN, all bets are off.
I've set up a smaller office with a Raspberry Pi 3, and a Grandstream SIP/Analog Gateway (7 Grandstream phones, 3 lines, no transcoding, not very heavy use), and they haven't had any complaints. (see http://www.raspberry-asterisk.org/) If they used SIP trunking over their internet connection, they wouldn't need the SIP/Analog gateway, which was the single most expensive piece of equipment in this setup (@ US$399-ish)
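An added example, not part of any post in this thread: because the setup described above carries SIP and RTP without TLS and relies on the VPN for confidentiality, a listener bound outside the VPN would carry cleartext signaling and audio. The sketch below flags such listeners in `ss -H -lntu` style output; the VPN subnet `10.8.0.0/24`, the port sets, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example (not from the thread): the OpenVPN subnet,
# and Asterisk's stock ports (SIP 5060/5061, RTP 10000-20000 from rtp.conf).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
SIP_PORTS = {5060, 5061}
RTP_PORTS = range(10000, 20001)

# Constructed sample in the column layout of `ss -H -lntu`.
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:*
udp UNCONN 0 0 10.8.0.1:5060 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 192.168.1.10:12000 0.0.0.0:*
udp UNCONN 0 0 [::]:5060 [::]:*
udp UNCONN 0 0 127.0.0.1:5060 0.0.0.0:*
"""

def exposed_voip_listeners(ss_output, vpn_net=VPN_NET):
    """Return (proto, local, reason) for SIP/RTP sockets not confined to the VPN."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if int(port) not in SIP_PORTS and int(port) not in RTP_PORTS:
            continue  # not a VoIP port, out of scope for this check
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host in ("*", "0.0.0.0", "::"):
            findings.append((proto, local, "wildcard bind"))
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append((proto, local, "unparsed address"))
            continue
        if addr.is_loopback or addr in vpn_net:
            continue  # reachable only locally or through the tunnel
        findings.append((proto, local, "non-VPN address"))
    return findings

if __name__ == "__main__":
    for proto, local, reason in exposed_voip_listeners(SAMPLE_SS):
        print(f"{proto:4} {local:22} {reason}")
```

A wildcard bind is a finding to review rather than proof of exposure, since a host firewall may still restrict the port to the tunnel interface.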
I remember an article on HN about disappearing techs who were kidnapped by cartels to build them a custom telecoms network or something. Wondering how related this could be to that.
> Amid the accounts of corruption, murder, and drug smuggling, Vice News’ Keegan Hamilton wrote on Twitter, there was a brief moment of levity when lights in the courtroom went out. When the electricity returned, someone shouted “He’s gone!”, referring to Guzmán’s habit of escaping from prison. “Everybody laughed, except maybe the U.S. Marshals,” Hamilton wrote.
It's interesting how even such a serious situation as this can have these moments of laughter.
The article mentions that the server was moved to the Netherlands, but not the reason. According to the Dutch press, it was because the FBI asked so, because we're not so difficult installing wire taps on the internet [1].
Asking for a ... friend. What is the mitigation against attacks like this? Seriously, it would appear that every organization is at risk of having a trusted insider hand over keys to a competitor, criminals, etc. There must be a way to detect or protect against this, right?
Dual control (aka the two-man rule), separation of duties (person who requests a change isn't allowed to approve/implement it), mandatory vacation, etc. These policies have existed in fields like finance for a while.
The battleground in crypto is so often around crypto key management. With the Snowden revelations, it was obvious that the NSA strategy is going after keys in targets' key management systems first.
Actually there are a few providers that do encrypted VoIP, or more specifically encrypted SIP. Telnyx offers a private infrastructure deployed around the world with low latency and really good call quality.
DEA/FBI offers/can offer millions to cooperating witnesses and a new identity. Or life in prison. Or death in the hands of the cartel if they find out about the chat. They kinda make it very easy to choose.
Jorge Salcedo that took down Cali cartel got million$ for his cooperation.
Not sure if he gets any ongoing salary...but paying makes sense for the Feds in every way. They save resources since the boss will be jailed and collect cash in fines.
Presumably, the same way Mafia informants do - witness protection. The government spirits them away and sets them up with an entirely new identity. There have been some leaks, but generally these people just disappear and become someone else.
That is a good question. And I'm sure it's because the reality isn't much like what we perceive from TV and movies. And cartels and crime organizations are far from omnipotent.
They don't have infinite resources. And if they can't get at a person easily, trivially even, maybe it's just not worth the effort a lot of the time. Especially once the damage has been done.
It's not just TV and movies. Go Wiki browsing on organized crime some time. Here's [1] a fun starting point. These organizations go through extensive efforts, which at times have included things such as flipping decorated law enforcement officers, to 'get revenge'. I put that in quotes because I'd imagine it's not really about revenge, at least not entirely. It's the criminal analog of law enforcement. If you don't enforce your laws, there will be an increasingly large number of people that break them. And similar to a law it's not just the penalty people factor into consideration, but also the probability of getting caught.
You're dead anyway. Or jailed and possibly be killed there. With USA on your side you have a better chance of living a life close to normal, relatively speaking.
I guess that Sinaloa will put this guy #1 or close to it (maybe the Flores twins beat them to #1) on their revenge list. 20-50 kilos of cocaine to the sicarios...a drop in the bucket since they buy for $2k a kilo or so.
The source NYT article has some more details, but not enough to answer these questions:
https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.h...