How Police Secretly Took over a Global Phone Network for Organized Crime (vice.com)
151 points by jmsflknr on July 2, 2020 | 57 comments



When I read this I see a niche, super premium hardware company that managed to acquire tens of thousands of customers by word of mouth. Not only that, their customers are all in-effect self employed or small businesses with huge average revenue per employee. They manage global supply chains, intense competition, all while taking on and managing huge legal/compliance risk.

How is it that supposedly "dumb," criminals can do this, and yet many of us are stretching our intellectual capacities to learn new technologies and maths, developing our nth stupid app, trying to achieve a fraction of the customer traction and revenue that street thugs manage to do every day. Are these people much smarter than average, or does it mean that if you sell something people actually want, literally nothing else matters about your intelligence, education, character, background, or anything at all. When I read these drug stories, it just reinforces for me that growth solves everything. You can succeed with a crew of violent, drug addicted idiots whose only reliable characteristic is short term thinking, and who spend half their time in prison if you have product market fit. What I'm beginning to think is that the "smarter," people are in a company, the less anyone will want their product. It's like the success of a venture is inversely proportional to the number of ostensible geniuses it employs.


> does it mean that if you sell something people actually want, literally nothing else matters about your intelligence, education, character, background, or anything at all

You got it. As always, it's the gross margins. Cocaine has higher gross margins than most prescription drugs, which in and of themselves are almost pure margin -- never mind that, the market demand for it is broad and deep globally. Cartel operators aren't dumb. On the contrary, they show much of the unsavory, warlord-like aspects of doing many kinds of business where there are zero-sum dynamics like this -- they just don't even try and hide it.


The criminals are smarter than you're giving them credit for. I'm sure having cash flow helps but then you need to be smart enough to be the person who can co-opt that cash flow and put the organisational structure in place to hold onto it. Modern day criminal organisations are basically multi-national conglomerates.


The underground market has one thing legitimate business doesn't have: product that sells itself.


Take a lesson.

Make your product and customer service so good that people can't say no, even if they want to.

See: Google Search and Mail, Facebook, TikTok, other spyware


> does it mean that if you sell something people actually want, literally nothing else matters about your intelligence, education, character, background, or anything at all.

Yes, although I think more specifically s/want/are addicted to/. See also: Saudi Aramco and Facebook.

> What I'm beginning to think is that the "smarter," people are in a company, the less anyone will want their product.

Do you not think Apple and Google are composed of very smart people? Tesla and SpaceX don't make the cut?


Google still seems to be riding on their ad business. Their other products are very hit and miss. So yes, I think Google is a great example here.


I'd posit Apple, Google and Tesla used growth and revenue to hire intellectual people, where we can see everywhere else that the majority of growth and PMF itself is independent of the intellectualism of the employees. It's a loose correlation. It may beg the question in regard to what smart/intelligent/intellectual might mean, but financial success and intellectualism certainly seem inversely correlated, with criminal businesses being the most polarized example.


There's a saying in business, 'sales cure all', meaning that no matter what else is going on, having enough/more sales is an answer to the problem.

Sales is also all about creating emotion in the buyer. For drugs, that emotion is present without a salesman having to do anything.


It's also worth noting that the intersection of "capable enough to build that sort of company" and "willing to go the criminal route" is small enough to limit the potential competition.


[flagged]


Point of order to mods on this, is "check your privilege," within the realm of civil discourse? It seems unnecessarily provocative. However, if it is fair game, my response would be "check your reading comprehension," as the further implication of my comment is that societies are locking up their most entrepreneurial and productive members for creating too much value. Using the privilege dog whistle is just cheap intimidation. I'm upvoting this because sweeping it away with downvotes doesn't do it justice.


> as the further implication of my comment is that societies are locking up their most entrepreneurial and productive members for creating too much value.

Strange, right? People WANT to do these drugs, there are plenty of dangerous LEGAL drugs, yet the state is obsessed with them. How much do we spend a year to arrest and incarcerate these people? How much money could we be making by bringing these products out of the black market and into the light?

There is a strong case to be made that the "war on drugs" is less about "locking up dangerous criminals", and more about targeting anti-war, civil rights, and pro-labor movements. Nixon even outright said so.[0]

It is a potent weapon. Lots and lots of people do drugs. All the police need to do is trump up an excuse about "smelling weed", plant a drug[1], and BOOM. Police man meets his quota for arrests, the prison system gets a new worker they can pay $0.50/hr, and one less potential activist on the street.

0: https://www.cnn.com/2016/03/23/politics/john-ehrlichman-rich...

1: It DOES happen. https://www.youtube.com/watch?v=8z6RVGnoXeI


> the further implication of my comment is that societies are locking up their most entrepreneurial and productive members for creating too much value

This view seems flawed to me: "creating value" for the drug dealer by selling cut and fentanyl laced "heroin" is definitely not creating value for society. That said, there is no denying the entrepreneurial aspects of drug dealing.


One is certainly worse, but adtech isn't exactly creating social value either.


> "You can succeed with a crew of violent, drug addicted idiots whose only reliable characteristic is short term thinking, and who spend half their time in prison if you have product market fit"

My comment stands. And further, drugs don't sell themselves, a lot of good hard work and smarts goes into it. It's unfortunately the only easy avenue for those without an education and steady home life.


So everyone moves to a new platform/vendor... what exactly is significant about this particular bust aside from “we did it” signaling of law enforcement? Things like this happen all the time... Silk Road and many other examples come to mind.

I just hope this doesn’t become yet another incident used as an example to slowly erode the freedom and idea of privacy. The current anti-encryption sentiment and reactionary nature of legislation doesn’t inspire much confidence.

On a side note for anyone wanting a truly secure device, you’d have to source the raw materials, create the hardware, software, distribution and oversee the entire process. The old school Ford assembly line for the brave new world. And this assumes you didn’t leave any security holes in the process. Which humans tend to do.


It has huge implications. What is “exactly significant about this” bust is the prevention of multiple assassinations, kidnappings with planned torture, and multiple large coke smuggling operations being intercepted. Plus it’s all evidence. Previous encryption breaking busts like this by the Dutch national police have led to lifelong convictions of multiple murder squads.


I didn’t mean to be or come off as insensitive. I get that many would-be horrible things were prevented. Which is very much appreciated.


It is peculiar that this was my first thought too. Surveillance has caused indescribable damage to western nations and they still continue their insanity.

Aside from that I think most hardware is actually still safe. I don't know of hardware backdoors that were actually implemented. I think self preservation keeps most companies in line.


I think the issue with hardware is the potential for infiltration and compromise of the hardware along the supply chain. Both in the component itself or in the assembly process.


I'm very curious as to which legal basis French authorities have had for this coordinated state-level hack. It's mentioned that they had one, but nothing more specific, even in French media I've looked up.



Can a French speaker please give us a tldr?


A judge was heading the investigation and provided the legal go-ahead for the actions. The legal justification is twofold: evidence of organized crime uncovered in a preliminary investigation and (!) lack of declaration of cryptographic solution deployment, which is apparently a thing [0] when it’s not used for authentication or data integrity control!

I’m extremely surprised by the latter, it seems that one has to declare any operational use of cryptography when it’s not for those two uses.

[0] https://www.ssi.gouv.fr/uploads/2015/03/ANNEXE-I.pdf


The latter is indeed very surprising. I'm considering submitting a few for fun.


In 2017, the French Gendarmerie (a part of the French public order system that works outside the big cities; the Police work in the big cities. It's a joint branch of the army and the interior ministry. It has a good reputation with computers, like using Linux) detected phones in criminal affairs.

In 2019, a project called Cerberus was created with 60 gendarmes working full time on the case. They investigated servers located in France and tapped the communications of these servers.

In 2020, EncroChat issued a warning that their servers were compromised by the police.

April 2020: joint operation with the Netherlands police.

May 2020: all your base are belong to us.

Every investigation was legal and within the control of judges from the French legal system.

post scripton


Thanks!


Police have legal rights (given they do it by protocol and with judicial oversight) for most kinds of interception and monitoring, whether they do it by force or by asking does not matter - in most or all of EU.


Not so - you need evidence-backed suspicion of a serious crime in the EU jurisdictions I know of. And even then it needs to be narrowly targeted to individuals.


Not sure why you’re getting downvoted cause this is my understanding of the legality too ...

In my mind the key is that it’s the French that did it ...


So did I miss anything here, or is this a story of how law enforcement took over an entire fleet of devices, put a rootkit on all of them, and the only reason we know about it is that the company seems to have had a solid reason (wouldn't call it backbone in this specific case) to publish the whole thing?

It reads to me like, had Encrophone not opted to inform all their customers, this would have simply gone on?

I have a hard time condemning the specific case here, but if you substitute any other phone manufacturer here, this becomes quite obviously scary.


My understanding is that the police intervened because multiple violent crimes were in the offing. Otherwise yeah I guess they would have gone on using it to spy on criminals


If the police can plant malware on a device, then they can also plant evidence on a device. What percentage of these people are being framed? 10%? 50%? No way of knowing.


Well, presumably not the ones with "77 firearms, including an AK47 assault rifle, sub machine guns, handguns, four grenades, and over 1,800 rounds of ammunition" or "More than two tonnes of Class A and B drugs have also been seized by police, as well as 55 sports cars, 73 luxury watches and over 28 million street Valium pills – a drug that has caused a number of deaths in Scotland."


Yes or even 0%.


Yeah. It might even be 0% who is framed!


Got a 2-year heads up https://hn.algolia.com/?q=encrochat



> The messages "have given insight in an unprecedented large number of serious crimes, including [...] murders, thrashing robberies, extortions, robberies [...]" Dutch law enforcement said.

What are "thrashing robberies"? Is this an odd translation of some Dutch term?


From the Dutch Public Prosecution Service (Dutch: Openbaar ministerie, OM): "De berichten van ongeveer 10.000 gebruikers alleen al in Nederland hebben zicht gegeven op ongekend grote aantallen ernstige misdrijven, waaronder grote, internationale drugstransporten en drugslabs, liquidaties, plofkraken, afpersingen, overvallen, zware mishandeling en gijzelingen." https://www.om.nl/actueel/nieuws/2020/07/02/aardschok-voor-g...

Most probably "plofkraken" has been translated to "thrashing robberies". A better translation would be something like "ram-raiding" or "ATM-raiding".


Translates to "vernieling", which probably means vandalism in this context, but most likely it's just aggravated robbery. It's a bad translation for sure.


"Kapot maken" (breaking something) is what the Dutch police calls this.

If they get a hunch of a crime in preparation (killing/liquidation or robberies), they might contact the future victim and suspect to tell them they are aware.

This usually is enough to stop the crime.

edit: my explanation does not seem to fit the context, will look into it.


Ouch. This is gonna hurt. For those that comment before/without rtfa a few select quotes - " ... monitored and investigated "more than a hundred million encrypted messages" sent between Encrochat users in real time"; "They're just lifting people," another source close to criminal users of Encrochat told Motherboard and (please excuse the NSFW direct quote) "People are fucked," one of the sources who provided the documents to Motherboard said. Viewing this from a purely technical stance, Wow & Ouch.


If the GPS module and Cameras were removed from the devices - how were there so many photos in the article?


Why would criminals use these kinds of apps rather than e.g. Signal?


It wasn’t just an app, Encrochat sold a modified android phone that had its camera and GPS physically removed and its custom app pre-installed.

Based on the article, Encrochat didn’t sound like a fully legitimate company and may have been run by criminals as well. The part I found interesting is how these vendors often block competitor apps and services from working on their phones, essentially requiring everyone to use the same type of modified phone. This made life a lot easier for investigators once the network was penetrated.


>It wasn’t just an app, Encrochat sold a modified android phone that had its camera and GPS physically removed

I doubt that provides significant value. Cameras aren't too hard to disable yourself, just use black tape. They probably didn't disable the microphones, which arguably provide at least more valuable information than a camera. They removed the GPS module, but you can probably get the same info with better accuracy by using wifi + cell phone signals. All in all, I think those "features" are just there to make criminals feel better.


But it’s verifiable for your counterparty. If you’re on Encrochat you know that your counterparty has no GPS in their phone.


But what's the threat model here? That your counterparty's phone has been compromised? In that case they can be leaking location through wifi/cell signals as mentioned earlier. There's also nothing preventing the counterparty from carrying a gps-enabled phone with him, which would be trivially linked to his Encrochat phone if he takes them both to the same locations.


Also, Signal complies with all police and government requests, even if it's just metadata "supposedly".


> and government request, even if it's just meta data "supposedly".

If you have evidence that unencrypted data might be leaked from Signal (except by a rootkit on the phone, tampered update or by someone having physical access to the phone) you might have a real scoop on your hands and you should contact project zero or someone for a bounty and then a journalist so you can bask in the glory.

If you don't have anything I suggest abstaining from writing in a way that suggests that until you find something.


Signal probably isn't a good example because your identity is tied to your phone number, which can tie back to you unless you're really careful (e.g. renting a VOIP number with cryptocurrency over Tor).


Sounds like poor OpSec to me


The title makes it sound as though it was the police who were taking over a global phone network in order to facilitate organized crime.

Perhaps they meant to say: "How Police Secretly Took over a Global Phone Network that was used for Organized Crime"


Yeah, the title could be better


Fantastic. Maybe read the article before commenting:

"bUt EncRypTion is My rIGht/bIg sTATe/ITs jUST maths"

Encryption between groups without decryption available (on request) to outside 3rd parties is a poison chalice.

I'm in the EU, not in the US. I don't want any companies(esp. US companies) deciding how EU daily lives unfold.

Delighted so many scumbags will be off the streets.

If they had access earlier, more crimes could have been prevented.


Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.



