Hundreds arrested as crime chat network cracked (bbc.com)
334 points by bogle on July 2, 2020 | 365 comments

Claims of said EncroChat:

* Each message session with each contact is encrypted with a different set of keys. If any given key is ever compromised, it will never result in the compromise of previously transmitted messages – or even passive observation of future messages.

* Anyone can forge messages after a conversation is complete to make them look like they came from you. However, during a conversation the recipient is assured all messages received are authentic and unmodified. This assures non-reputability of messages.

* The algorithms employed are many times stronger than that of PGP (RSA+AES). We employ algorithms from different families of mathematics, which protects message content in the event that one encryption algorithm is ever solved.

* Messages do not employ digital signatures that provide third party proofs. However, you are still assured you are messaging with whom you think you are.

source: https://encrochat.us/

Saying "many times stronger than RSA/AES" but not providing details on the algorithms is a huge red flag.

If they have built some home-grown algorithm, then it's possible the NCA actually cracked the encryption (with a bit of help from GCHQ) rather than using the baseband processor to snoop on the keys or something like that.

It could also be implementation-based.

A few years ago they rounded up a ring of crime phones in the Netherlands. They were using PGP encryption, however instead of each phone generating its own private key, they generated them centrally and kept them in a database. Obviously this introduced a huge vulnerability.

The police compromised the server and were listening in (through cooperation with Canadian police, as they were using BlackBerries) for quite a while before they started kicking doors down :D They basically got all the evidence on a silver platter.

I'm surprised someone with the skill to develop such an app and service platform doesn't have the skill for avoiding such common mistakes. Or maybe they weren't able to explain to their users that the fact that they couldn't retrieve their messages after forgetting their PIN code is a feature, not a bug. Either way, the police were really happy.


Not saying the same would have happened here, but crypto is hard to implement correctly and the algorithms are only part of the problem. And this kind of network is a massive target for law enforcement because the ratio of criminal users is huge.

> I'm surprised someone with the skill to develop such an app and service platform doesn't have the skill for avoiding such common mistakes

My impression is that the way things go is:

* Sure, a smart person can implement a "homebrew" security protocol that seems safe.

* But smarter people never implement a "homebrew" security protocol and instead use existing protocols, 'cause they know how easy it is to fuck-up.

* The smartest people implement real, secure protocols, working in academia or three-letter agencies, and have those protocols vetted and peer reviewed. And even these fail on a regular basis.

So much this! My learning curve on crypto took me through a few self-evaluations:

- Crypto isn't that hard! I can do this!

- Crypto is a lot harder than I thought. I shouldn't do this.

- I've read about a lot of crypto! I can do this!

- People way more experienced than me are making the tiniest mistakes that end up crashing the entire house of cards. I definitely shouldn't do this.

Implementing a protocol correctly is easy. Implementing the primitives is harder (and tons of work), but you can easily grab them from a low-level crypto library like Libsodium or Monocypher.

Designing a protocol correctly is not that hard, as long as you understand exactly what you are doing. By which I mean you are at least able to write an informal (yet rigorous) proof that it has the security properties you seek. Also, verification tools like Verifpal are a godsend. The tricky part here is avoiding the Dunning-Kruger effect. It's easy to have the illusion of perfect understanding while being unable to write the most basic mathematical proof.

The hardest part is convincing others that your protocol is any good. People who don't understand what you are doing cannot (perhaps even must not) trust your work. They need the vetting of someone reputable, and getting those reputable people to take a look is pretty hard if you don't have the right connections (an uphill struggle without a relevant PhD).

Another famous case was a crime lord whose BlackBerry PIN was written on a sticky note, so police got everything.


Actually, according to Dutch press (nrc.nl), it was the same detectives who performed that hack who were flown into France to do this hack as well.

Good for them, but I hope for their sake their names do not leak.

No, the exploit was by the Dutch supporting the French because the actual physical servers were located in France, under their jurisdiction. Just like the previous time they did this, we aren't getting a lot of information on how. But it seems physical access is part of the exploit.

Sure but the "crack" that occurred here was essentially MITM, so regardless of their encryption scheme they would have been caught.

It isn't necessary for a central server to be able to intercept messages. In an end-to-end encrypted system any boxes in the middle can infer stuff from traffic but they can't read message contents.

The article says: "Europol said that French police had discovered some of EncroChat's servers were located in the country, and that it was possible to put a 'technical device' in place to access the messages." Even if it was end-to-end, they at least could intercept the initial key exchange perhaps.

Intercepting a DH key exchange doesn't help you. The whole point of DH is that an eavesdropper doesn't learn the secret even though both of the other participants do.

They probably just didn't use end-to-end because it's easier to offer a nice customer experience without.

Closed source is a huge red flag.

Ideally, nobody should use any form of closed-source crypto any more.

> Anyone can forge messages after a conversation is complete to make them look like they came from you.

"I didn't send those messages your honour. Someone forged them. I am a victim of a conspiracy!"

"Do you have any evidence that this actually happened?"


"...moving right along..."

It will be fun if someone from this actually tries a cryptogeek argument in real life...

Ross Ulbricht tried essentially that defense.

Exactly. The tricky part of plausible deniability is that it needs to actually be plausible. People very often screw this part up. E.g., they'll make a TrueCrypt/VeraCrypt hidden volume, but then won't modify the outer volume with the same access patterns to hide their usage of the hidden volume.

Doesn't this put the burden of proof on the accused?

People have been claiming they have been framed since forever. If claiming you were framed with zero proof actually helped in any way then everyone would do it and much time would be wasted.

In the case of a crypto forgeability argument there will never be any proof. It will always be a false claim. It is a silly idea.

> People have been claiming they have been framed since forever.

Yes they have, but they have been doing so in the face of circumstantial evidence: DNA, fingerprints, blood, whatever. Or eyewitness evidence: someone saw you go in the building at such and such time (perhaps there is a surveillance video).

If someone has nothing of the sort on you and their entire claim is that you wrote some digital message, I'd think the onus would be on them to prove their extraordinary claim somehow.

Just like with any other evidence. My point is that the possibility of forgery makes no difference at all to that.

A piece of digital text isn't a forgery; there is no concept of authenticity in it in the first place to serve as a backdrop legitimizing the use of the word "forgery". It's not like planting someone's hair, or imitating their signature. You need absolutely nothing from the victim, and to expend no effort.

The concept seems to have come from the original off the record (OTR) messaging proposal. The concern was that, say, a PGP signature could create a situation where there was objective proof that someone had created a particular message. By making forgery possible the theory was that someone could disclaim the message. I have been writing some PGP fandom articles lately which is why I am up on the subject. The relevant articles:

* https://articles.59.ca/doku.php?id=pgpfan:off_the_record

* https://articles.59.ca/doku.php?id=pgpfan:repudiability

So I am not disagreeing with what you said; it supports my contention that forgeability is a silly cryptographic feature if there is no proof in the first place.

Algorithms don't matter for shit to the person that controls the (mandatory) updates.

It's the same issue with all modern E2E apps like WhatsApp or Signal: if there is a single client implementation, it's not secure at all against these kinds of attacks.

> Signal [...]

> if there is a single client implementation, it's not secure at all against these kinds of attacks.

There are (where?) actually multiple "distributions" of Signal, like TextSecure on F-Droid. Last I checked it worked with Signal, but that was a few years ago.

No, Moxie killed the alternatives with really shitty arguments and by banning them from using Signal's official servers.

Exactly! All it takes is a "demand letter" from any government with jurisdiction. See: https://en.wikipedia.org/wiki/Lavabit

> Each message session with each contact is encrypted with a different set of keys

Is this not a bad thing? Since transferring key pairs is the weakest link in these apps, to be really secure wouldn't you want to do this as infrequently as possible, and ideally in person, outside the app?

Sounds like they are trying to achieve perfect forward secrecy per message. Typically you might do this with Diffie-Hellman using ephemeral derivation pairs per session. This is good practice as if any one session key is broken, that has no effect on the privacy of past or future messages encrypted under different session keys. They seem to be claiming to use their own crypto based on the parent comment (red flag) and no signature scheme over the top of it to prove a consistent identity, so I'm not sure what they would be doing. Establishing encrypted pipes over an observable medium is very doable, but providing a way to trust that the party on the other end of the pipe is who you think it is is the hard part as you pointed out.

Session keys are fine, and they're usually not the top level identity or key. So long as this is what they're doing, i.e. using an asymmetric KEx (e.g. Diffie-Hellman) to exchange public keys, from which a shared secret would be derived, and then from that a KDF would be used to generate a key using a salt, you can keep generating new keys for each session from that shared secret (shared in the sense that it's symmetric, not that you send it over the wire).

You can still be more secure, but that's a decent start.

It would be fine if they meant "forward-secure ratchet construction", like Signal does.

You can rotate message/session keys easily enough if you have a shared long(er) term key.

No, this is actually normal. For instance, each time you make an SSH connection, it will use a different key for the bulk encryption. A key exchange has to happen to negotiate this randomly generated session key.
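The per-session key exchange and forward secrecy discussed in the last few comments, the "eavesdropper learns nothing from a DH exchange" point, and the OTR-style deniability argued about further up, put into runnable form. This is an added example, not code from the thread or from EncroChat; the DH group (a 127-bit Mersenne prime, generator 3), the KDF salt and the message strings are constructed toy values, and the group is far too small to be secure.

```python
"""Toy model of ephemeral-DH sessions with HMAC authentication.

Shows (1) per-session ephemeral keys give forward secrecy, whereas long-term
keys kept in a central store do not, and (2) MAC authentication is deniable:
once the MAC key is known to a third party, anyone can make a valid tag.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # constructed toy prime: NOT a secure DH group
G = 3


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(my_private, their_public):
    """Both ends compute the same value: (g^y)^x == (g^x)^y mod p."""
    return pow(their_public, my_private, P)


def kdf(shared, label):
    """HKDF-style extract-then-expand with HMAC-SHA256; the label keeps the
    encryption key and the MAC key distinct."""
    prk = hmac.new(b"toy-session-salt", shared.to_bytes(16, "big"),
                   hashlib.sha256).digest()
    return hmac.new(prk, label, hashlib.sha256).digest()


def run_session(a_private=None, b_private=None):
    """One chat session. With no arguments both sides use fresh ephemeral
    keys; passing long-term private keys models a static-key design.
    Returns (keys only the two ends hold, public values seen on the wire)."""
    if a_private is None:
        a_private, a_public = dh_keypair()
    else:
        a_public = pow(G, a_private, P)
    if b_private is None:
        b_private, b_public = dh_keypair()
    else:
        b_public = pow(G, b_private, P)
    shared = dh_shared(a_private, b_public)
    assert shared == dh_shared(b_private, a_public)
    keys = {"enc": kdf(shared, b"enc"), "mac": kdf(shared, b"mac")}
    transcript = {"a_public": a_public, "b_public": b_public}
    # Ephemeral private exponents go out of scope here and are never stored;
    # an observer holding only `transcript` cannot recompute `shared`.
    return keys, transcript


def authenticate(mac_key, message):
    """OTR-style authentication: an HMAC under the shared session MAC key."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key, message, tag):
    return hmac.compare_digest(authenticate(mac_key, message), tag)


def keys_from_leaked_private(leaked_private, transcript, side):
    """What a central key database yields once it is compromised: one side's
    long-term private key plus the recorded public values reproduce the
    session keys exactly."""
    other = transcript["b_public"] if side == "a" else transcript["a_public"]
    shared = dh_shared(leaked_private, other)
    return {"enc": kdf(shared, b"enc"), "mac": kdf(shared, b"mac")}


def forward_secrecy_demo():
    """Ephemeral sessions derive different keys every time; static long-term
    keys derive the same keys each session, so one leak opens all of them."""
    k1, _ = run_session()
    k2, _ = run_session()
    ephemeral_keys_differ = k1["enc"] != k2["enc"]

    a_long, _ = dh_keypair()          # long-term keys "kept in a database"
    b_long, _ = dh_keypair()
    s1, tr1 = run_session(a_long, b_long)
    s2, _ = run_session(a_long, b_long)
    static_keys_repeat = s1["enc"] == s2["enc"]
    leak_recovers_static = keys_from_leaked_private(a_long, tr1, "a") == s1
    return ephemeral_keys_differ, static_keys_repeat, leak_recovers_static


def deniability_demo():
    """During the session only the two ends hold the MAC key, so a valid tag
    assures the peer the message is authentic. Once the key is known to a
    third party, an equally valid tag can be made for any text, so a tag is
    no proof of authorship to anyone else."""
    keys, _ = run_session()
    real_tag = authenticate(keys["mac"], b"constructed real message")
    published_mac_key = keys["mac"]                 # revealed post-session
    other_tag = authenticate(published_mac_key, b"constructed other message")
    return (verify(keys["mac"], b"constructed real message", real_tag),
            verify(keys["mac"], b"constructed other message", other_tag))
```

Both demos return only booleans: `forward_secrecy_demo()` gives `(True, True, True)` and `deniability_demo()` gives `(True, True)`, the second `True` being the point that a tag verifies regardless of who made it.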

> We employ algorithms from different families of mathematics

Did they roll their own?

It's unclear, but that statement alone makes me shudder.

Anyone doing secure comms at this level, and talking about families of mathematics, always gives me the impression they don't really know what they're doing.

> Anyone doing secure comms at this level, and talking about families of mathematics, always gives me the impression they don't really know what they're doing.

Why is that? Do you assume that making competent choices for encryption algorithms (for which you try to understand the math problems involved) and trying to market the system's security means that they also try to implement it themselves? Or is the "family of mathematics" a sign of incompetence that I just don't recognize?

As someone who's worked in the sector (the crypto sector, not the crime one):

"Families of Mathematics" is a marketing statement, or "hot air" as I prefer to call it. The information content of that statement is zero, what it's doing is trying to project warm "you can trust us" feelings.

A statement aimed at technical people would read more like "we use AES-256-OFB with Axolotl on Curve25519 and scrypt(2^14, 8, 1)" or something like that.

To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.

The US created a fake bank to catch drug runners and cartel bosses. What's to say this isn't a state intelligence backed company created not to sell a product but to be sold to criminals and then listened to until warrants were signed?

I haven't looked into the service at all so could be totally off.

Wow. Do you happen to have more details about that fake bank honeypot?

There's an excellent episode of the npr podcast Planet Money that covers this story: https://www.npr.org/transcripts/694548245

That's where I heard it, yeah.

> To a crypto professional, I'd say any "trust us" statement that's not backed up by technical information actually lowers their trust in the system - it makes you wonder why they're not making their algorithm choice public.

IMHO if your solution isn't open source, or at least completely documented so it can be verified, then the whole point is moot anyway.

Thanks for clarifying. You convinced me.

I just interpreted that as "we use RSA and ECC".

So it's based on my experience. I'm an engineer in secure comms. I absolutely see the "family of mathematics" card as a sign of incompetence. In the space, nobody talks about the mathematics. The people implementing algos might, but they're in a different space.

A savvy customer wants to know which algos you're using, and how you're using them, where you're using them. EC? RSA? Other? Which implementation are you using, is it audited? Standard based? Working with government, is it FIPS or similar? What does your KEx and KDF look like? Data at rest security? WHAT are you storing, and sending? Transport security? Metadata? Development practices?

There are a LOT of things a customer wants to know, and which or how many "family(/ies) of mathematics" has never been one of them, in my experience.

Waving about "families of mathematics" when selling a product is just an attempt to bamboozle the gullible.

The number of branches of mathematics that you involve in the product doesn't mean anything.

Encrypting a message twice with different keys using exactly the same algorithm (thus the same branch of mathematics) is prima facie as effective a security increase as using some different algorithms involving different mathematics.

Most everyday crypto products rely on the results from several different areas of cryptography with different mathematics.

Could also simply mean that they are chaining different encryption algos from libraries (à la TrueCrypt) which would indeed add to the security level or even at worst not harm it. (This assumes that each step is not broken...)

I have to agree that point 2 is very clever.

"It was not me, your Honour, as anyone can send a message by my (old) name."

It (deniable authentication) has been provided previously by OTR.


TLS provides a weaker version (instead of everyone in the world being able to forge a message, just your peer is able to forge the message).

> This assures non-reputability of messages.

No, they're assuring reputability, not non-reputability.

I disagree, I believe, they're trying to say they provide "non-reputability" (the opposite to non-repudiation) so you can deny messages actually came from you because they could have been "forged".

It's hard to tell, though; the statements are a bit of a mess in general.

Hmm, you're right that non-reputability likely means something different than non-repudiation. The problem is I can't find anyone actually using non-reputability in that other meaning.

What I do find is various places using non-reputability erroneously as a synonym for non-repudiation.[1][2][3] So in fact I now think that EncroChat actually made 2 errors: said non-reputability instead of non-repudiation, and also misunderstood non-repudiation as meaning repudiation.

[1] https://books.google.com/books?id=qk_hDwAAQBAJ&pg=PT682&lpg=...

[2] https://books.google.com/books?id=_d7RUNF-2tcC&pg=PR21&lpg=P...

[3] https://books.google.com/books?id=PHBTDwAAQBAJ&pg=PA61&lpg=P...

I've never heard "reputability" used in crypto, but confusingly, it might be the opposite of "repudiability"?

I read it as saying you could deny writing any specific message as it could have been forged after the session ended. Non-reputability.

Perhaps they were going for non-repudiation?

Damn why didn't they use a messenger not made by idiots

> The algorithms employed are many times stronger than that of PGP (RSA+AES).

If they just used PGP over email, they wouldn't have gotten caught.

From what I have heard most criminals since the 90s use PGP over email (middle management and higher criminals not street thugs who probably just use WhatsApp or worse). They should go back to that.

If you read the Vice article, it explains that they were compromised by on-device "malware" that was pushed in an update via the company provider (whose software update process had been taken over by the authorities).

So it doesn't matter what software they would have used since the device itself was capturing data before encryption and after decryption.

They could have been using regular iPhones/Galaxies/Pixels etc. Then it wouldn't rely on this bespoke operating system and its updates. It seems unlikely Play Store or Apple Store would get compromised. But you could always compile the PGP app yourself.

Could law enforcement require access to play and appstores? Has this happened?

Law enforcement could replace an app with their own, even for one specific user, if they have access to the system, granted by Google or Apple. I presume the signing can be compromised this way, but am too unfamiliar to know this for sure.

Using those stores means using those centralized services by Apple and Google, which includes device updates, carrier updates and more than just app store downloads.

And those companies would absolutely comply with a legal request to push intercept updates to phones.

Well, it tells you a lot about the ease of use of PGP when people prefer to go to jail rather than use PGP ;P

If you wanted to get into the criminal drug trade, how would you start? Is there a guide somewhere I can follow?

$13M in cash is an impressive amount. It makes me wonder: There must be all kinds of operations happening around us daily, yet nobody knows about them. And those operations need members. Where do they come from?

The inner workings of this stuff is fascinating. To be honest, I wish it were possible to go observe the system in action as a spectator. I'd love to see how the packaging is done, the supply lines, the transport logistics...

(I balance this with a deep hatred for cartels. If you trace these questions far enough, it seems to often lead to "the cartels are at the center of it all." And they're responsible for unspeakable miseries.)

To be clear, my question is: how is the knowledge necessary for such operations preserved? I'm a programmer. I learned it from the internet. Where do they learn? And these aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?

> (I balance this with a deep hatred for cartels. If you trace these questions far enough, it seems to often lead to "the cartels are at the center of it all." And they're responsible for unspeakable miseries.)

This is why all drugs should be legalized (not just decriminalized, decriminalization still leaves a black market). Cartels are meeting a demand, but cartels make up their own rules and will do anything they want to stay ahead.

Just legalize them, it solves so many problems.

1. Quality and proper labeling (no more mystery drugs/dosages). Buyers know exactly what they are getting, which would decrease the number of ODs.

2. Vast reduction in violent crimes (legitimate, licensed distributors are very unlikely to have violent turf wars as this would jeopardize their license). Black market would suddenly have no market (provided the taxes on legal drugs aren't stupid), which means no money, which means there is nothing to kill/fight over.

3. Increased tax revenue

It is a win/win/win for everyone, I just don't get it....and please just don't with the tear-jerking "What about the children!" The kids will be fine. No, legalizing doesn't send a message that "drugs are OK". No, it won't make them more accessible to kids. Please stop fearmongering; you don't know what you are talking about.

That can work for drugs with low abuse potential, like psychedelics. But why do you think drugs like heroin will benefit society or the people who are taking them?

There is a different course of action for high-abuse drugs. Apparently in Switzerland you can get an "addict" prescription from your doctor, and with that prescription you can go to an injection clinic and get a free professional injection of heroin and a bed to lie on.

The result of this is all drug dealers going bust, and no drug dealers means no one to market the drug, so no new users. All addicts in Switzerland are now old people, and as they die of related diseases and old age the Swiss are having a hard time keeping the clinics open because there are not enough takers for free heroin.

I think all opiates can and should be taken care of this way. Not sure about stimulants though - one doesn't just lie down on a clinic bed after a dose of meth or crack. Maybe if regular coke is legalized people will give up meth and crack?

You've never been to Switzerland if you think there are no drug dealers there.

I don't know about heroin, but there are something like 3 or 4 Swiss cities in the top 20 for cocaine consumption based on wastewater sampling.

There are, in fact, even heroin dealers in Switzerland, and of course all sorts of other drugs are still being sold illegally, but compared to the early 1990s, before the heroin prescription policy, there is practically no visible drug addict scene anymore.

The problem is that people who want drugs (either because of addiction or desire to try them) will always find a way; this war has been lost already. However making these drugs legal will still remove the negative impact of the illegal drug trade such as cartels and their inherent violence (which also enables other crimes as cartels might be willing to supply their weapons - which they source already because they need them - to other criminals who are willing to pay good money for them).

People already take those drugs. Drugs are everywhere and have been for a long, long time. When I was a teenager, it was easier for me to get marijuana than alcohol. Why? Because one was regulated.

Why do you think the world will flock to drugs if they were simply made legal?

Drug addicts (people who need to get high) will find an alternate high if they can't get illegal drugs.

I agree with this. I don't think legality dissuades but a tiny number of people. I think most people who aren't going to do it don't take drugs because they've seen the results of the harder drugs and don't want anything to do with it.

Heroin will not benefit society, the hypothesis is that it will cause less harm if users receive it from a boring, official, controlled source instead of letting violent criminals earn millions with it. The idea that prohibition can somehow end drug use was proven wrong a long time ago.

I would not necessarily credit Heroin for it (and would definitely not advocate its use), but a sizable proportion of Rock and Jazz performers have composed and performed music under its influence.

Drugs with very high abuse potential like opioids are very dangerous and a big problem - but looking at the epidemic of opioid abuse in the US, it's evident that criminalization isn't helping.

Do you have evidence to support the idea that more people would become heroin users if it were available through legal means?

I don't, and that's a good point. If the number of users remains the same (or even increases slightly) then I do see how legalizing can be beneficial. However, in my mind legalizing drugs also means easier access, and that can lead to an increasing number of people using drugs.

> However, in my mind legalizing drugs also means easier access, and that can lead to an increasing number of people using drugs.

How many adults do you know that have never done, or tried, heroin who would suddenly do so if it was legal? I think the number of people that would try heroin because it became legal would be staggeringly low. I don't think there are many people out there going "Man, if heroin was just legal then I would totally try it!". People that want to do heroin are already doing so; it being illegal isn't stopping anyone.

So the counterargument is hydrocodone. It is legal, and people that would never in their lives think of shooting smack now had doctors, many of whom knew better, prescribing them a highly addictive narcotic in order to get compensated by the manufacturer. Purdue Pharma was a wholly legal cartel with thousands of dealers worldwide moving their product for them.

"Heroin" has a bad name, so your legalized version would have some innocuous made-up marketing name, backed by tens of millions of dollars of advertising and it would sell like hotcakes.

My response to that is to assert that most of the negative impact of the opiate crisis is due to the fact that people become addicted to them and are then unable to obtain them through legal means, which effectively forces them into criminal activity.

I'm certainly not saying opiate addiction is a neutral/good thing, but I don't think it would cause the societal harm that we see today with them being tightly regulated.

Potential case in point: illegal methamphetamine usage/addiction is a huge issue today in the US. I qualify that as "illegal", because meth is available by prescription under the trade name Desoxyn. Many drugs with similar effects are likewise available and much more commonly prescribed - but I'm not aware of anyone calling for them to be banned. If anything, I suspect in that case the overall societal impact is positive: I know I would be much less effective as a developer if I were to lose access to ADHD medication.

Not to mention the way the opiates were marketed at doctors with claims they were less addictive.

Meaning doctors were more likely to prescribe them. That whole episode was one of multiple fuck-ups at every level, backed by some unscrupulous fuckers.

> So the counterargument is hydrocodone. It is legal, and people that would never in their lives think of shooting smack now had doctors, many of whom knew better, prescribing them a highly addictive narcotic in order to get compensated by the manufacturer.

How is that a counter argument? This is a breakdown/fault of the medical community and has no relation to making drugs legal. To be clear, I am arguing that all drugs should be legal for recreational use (not require a prescription).

No question, doctors need to vet information on drugs better (they should not be taking literature/studies that come from the drug manufacturers as reputable sources of truth). No question doctors should be extremely hesitant prescribing any opioid at all. No doubt a lot of the current opioid epidemic stems from doctors (either unwittingly or not) prescribing things that they shouldn't be. Those are all medical industry issues that need to be solved (regardless of whether things like heroin are legal).

I don't suppose, and don't recommend, doing a self diagnosis and getting whatever drugs you feel will help. The medical community is supposed to be the experts on that subject matter.

That said, people need to be free to determine their own risk tolerance level regarding what to put in, or use on their bodies.

Me personally? I am not going to stop going to the doctors to get medicines when I am sick, even if I could buy any and all drugs over-the-counter. Also I am sure prescriptions aren't going away even if all drugs could be bought over the counter, there is no way insurance would pay for drugs that weren't prescribed by a medical professional.

You are using "legal" in a way that implies unregulated. Regulations have a large value, at least to some people. For instance, I would like to try CBD, but I don't trust that some random product will be safe and effective and have the right amount of the active ingredient. Unless it's an approved drug.

If you have regulations on drugs, then you have all the problems, to some extent, that people attribute to their illegality.

I am afraid of opioids, and I don't trust even doctors, so I never took the ones I was offered and didn't get addicted. But there must be millions of people who wouldn't trust a heroin dealer and would trust their doctor, so legality makes a big difference.

Why would a doctor promote heroin? If they did, especially for recreational purposes, it would be very much at odds with any medical ethics. What is clear from the Oxy example is that medical ethics really need to be upheld and profit taken out of the equation.

Do you see doctors promoting cigarettes? Alcohol?

I would say that your reasoning why you aren't doing CBD is highly rational. Do you really think that even if you wanted to try heroin and if you did it, it would automatically addict you? Like you're instantly gone into the abyss?

People try heroin and nothing happens to them. Some even hate the experience. People use heroin for prolonged periods and then simply stop (not unusual in the late teens, with some kind of trigger in the mid-20s).

If there was not so much stigma involved and so much risk taking the stuff, we might see people coming out of this juvenile experimenting phase in a much much better state.

Also, do you really think that people that are lifelong addicts don't have some kind of deeper psychological reasons to go down that path?

> if you wanted to try heroin and if you did it, it would automatically addict you

I have no idea. Lots of people experiment with things and it's no big deal and they insist that must be a universal experience. There's a selection effect. If you try something at 20 and don't survive, you're not around at 40 or 80 to tell people it's no big deal.

When I was young, I enjoyed alcohol a lot, but didn't really struggle giving it up when I had to. Nor did I ever drink until blackout or vomiting, which you know, whether or not it's pathological/alcoholism, is common. I am certain that the level of compulsion is very different for some people.

I have a sibling, who I believe smoked cigarettes off and on but it never became a permanent habit. But a lot of people find them extremely addictive. I never smoked my first one, just because there was never an anticipated reward that seemed worth it. I might have been wrong, or right. Some people seem to get substantial cognitive benefits from nicotine.

Occasionally having a negative reaction to a prescription drug makes me wary of recreational or unregulated stuff, too. Seeing homeopathic stuff in the drug store makes me fearful that a CBD product might be fake too. So when I had wisdom teeth pulled and I was given a bottle of big pink pills (I think it must have been oxycodone/paracetamol based on a quick google) I didn't use a single one.

For what it's worth, I think you're at least mostly correct - I would also expect legalization to lead to increased usage, at least in the short term. I'm just the type of person who challenges those sorts of expectations, including when I'm the one holding them.

Along with wondering if "legalization leads to increased rate of usage" holds true, I also wonder if the following is true:

> legalizing drugs also means easier access

Criminality is a "barrier to entry", surely, but I'm not at all sure that ease of access changes because of it. In Arkansas, where I live, cannabis is illegal. Even though I don't consume it (the risk isn't worth the benefit to me), I'm extremely confident I could make a couple of phone calls and have some delivered to me if I wanted to. That's really no different from my experience in the LA area.

In fact, it might actually be more difficult to obtain it in LA through legal means. Generally you have to seek out a dispensary (physically, or via phone/app) and provide identification. I wouldn't need ID to get it illegally in Arkansas. If an ID requirement has a negative participation impact on other things (like voting) then I would expect that to hold true for this as well.

I don't believe that drug addicts face any real difficulty obtaining their drugs; they do face hazards to their safety and economic security.

The risk of legalization isn't so much ease of access as it is the normalization of drug abuse. We have shown with cigarette usage that education, propaganda and marketing laws can de-normalize drug use.

If anything, by making high risk drugs safely available through official venues, you can provide social services better access to those who need help.

I would say that you would likely see an initial increase in users but that a well run program would lead to both an overall decrease in users and more importantly a reduction of average harm per user.

I think that is a common misunderstanding. Access is there and not much more difficult than deciding you are curious and going to a specialty shop. Look at marijuana legalization, not a big uptick in consumption by most approximations.

Currently legal opioids: oxycodone, fentanyl, buprenorphine, methadone, oxymorphone, hydrocodone, codeine, and morphine.

The question is whether banning drugs causes more harm than good, not whether drugs are beneficial to society.

Correct, heroin addiction is problematic. In fact, I'd go so far as to simply say "addiction is problematic". If we say that instead of "drugs are problematic" perhaps a different approach seems reasonable. Portugal decriminalized drugs and focused on addiction treatment. The model isn't perfect, but it might be worth a look.

of course not; but neither does the war on drugs. Or legal drugs like alcohol. And it's quite obvious at this point that the negative consequences of the war on drugs far outweigh the negative consequences of drug use, especially if such use was regulated and supervised, and had compassionate treatment options

It is hard to see how financing a global network of violent and terroristic criminal organizations could ever be a better state of affairs than having more drug addicts. If you then include the massive loss of freedoms imposed on us to fight these organizations, it boggles my mind that anyone can support the war on drugs.

Edit: The answer I guess is that those who have supported the war on drugs had other goals than "reducing the number of addicts". If you look at the history of how the war on drugs has been used by western intelligence agencies to grow their surveillance powers and finance the fight against left-wing/communist organizations, the real reasons become more clear.

3: tax revenue

Governments can and do tax illegal drugs. Just issue tax stamps. If drugs are found without them, you also get them for tax evasion.

All drugs used to be legal in the US. There is a reason that they became controlled a hundred years ago or so, and it does not involve conspiracies by big pharma. Go research the history - it's fascinating.

Alcohol is one of the leading causes of death in the US. A large share of car accidents, suicides, crime, heart disease, and many other things is caused by it.

>This is why all drugs should be legalized

This libertarian trope has gotten more annoying as I get older. No matter what you want legalized/deregulated, there is something that even you can't stomach. And organized crime can focus their business on that something. They probably already have.

You say legalize everything and then you say there will be "quality and proper labeling". Well duh, you have to enforce that; that means drugs that don't meet the standards are illegal. And your organized criminals will deal in them. There's no way out.

Current drug laws can be framed as a matter of "quality and proper labeling", we're just quibbling about the details.

Even legalizing some drugs would reduce organized crime. Would it completely destroy it? Probably not, but it would mean that there's less money to be made in it, and that means fewer people involved, less violence, less corruption.

> how would you start?

At the bottom usually. Either that, or you'll need some specific smarts or connections that are sought after. That's how it survives the loss of members. Many are low level and are replaceable, they have no actual knowledge about the high level trade. The high level bosses hide really well and try to stay untouchable by letting others do the dirty work.

From what I understand about Dutch organized crime, if you'd start for yourself, you'd have to fight a turf war and will always be at the top of multiple hit lists.

The safest bet is probably shipping drugs by mail through dark markets. A Dutch guy (SuperTrips) got arrested in Miami a couple of years ago. He sold drugs from his bedroom in his parental home. Was estimated to have earned 385k BTC through this.

If you want to see it at work, you could go to some of the Caribbean Islands. Drug trafficking runs through many of them and you can actually see the impact it has on some communities. In Haiti, I was warned to stay away from packages on the beach (though I didn't spot any). Apparently they throw them overboard near the coast, locals find them and sell them back to drug traffickers for about €50 a kg. This way the traffickers don't need to be directly involved with bringing them to shore.

Hopefully this gives you some info. There's lots of books and documentaries about this stuff too, by ex-criminals, insiders and researchers.

> I was warned to stay away from packages on the beach

Ah, the infamous square grouper.

Yeah, even parts of Panama and Costa Rica have so much cocaine running through them that people basically just have gobs of the stuff on them and 75% of the ex-pats there are somewhere between drunk and coke-addled most days :P Mind trying to buy it as a tourist though, "Just follow me down this alley" - ah, you'll prob just get a confusing fast runaround about needing to make change in a currency not your own and end up with a little bit of what you thought you were buying for a whole lot more than it should have cost...

>and Costa Rica have so much cocaine running through them that people basically just have gobs of the stuff on them and 75% of the ex-pats there are somewhere between drunk and coke-addled most days

Not my experience at all. The expats I met are usually doing some combination of bar work, yoga classes, and other such things. Among the entire cohort of the hostel inhabitants (mostly tourists I imagine?) I haven't seen one drunk or drugged person.

I did see plenty of drug dealers though - some shady dealers on the street and some very presentable resident dealers inside various venues. So there has to be a lot of drug use going on, just none that I have noticed.

385k BTC is $3.6 billion USD.

I doubt he made _that_ much out of his parents' house.

At that time BTC peaked at $1k. So that would've been $380 million max. Also, this was apparently revenue, not profit.

BTC was not always worth that much...385k btc can also be around 80 pizzas. https://www.cbsnews.com/news/meet-the-man-who-spent-millions...

In case you aren't being sarcastic he likely means $385k in BTC.

Edit: I was wrong holy shit that's a lot of money.

That's not what I meant, I meant 385k BTC. At that time BTC peaked at around $1k.

I mean, why would you even continue risking it after $1m? $10m? $100m??

I was once approached to develop a darknet market. I spent a few weeks scoping out the work, unpaid, before I turned down the opportunity due to the legal and ethical problems.

I did spend that time pondering and scoping out the work because I found it a fascinating challenge to design an ecommerce platform with very heavy requirements for user privacy and anonymity.

The source code for an existing platform that I was granted access to view showed me that a lot of encryption techniques were just smoke and mirrors. Mostly, everything was stored unencrypted or using symmetric encryption with the encryption key stored on the same filesystem as the server generating the pages.

It was fun designing an asymmetric multi-key encryption system, where a user's "second password" with a hash (stored with a microservice API on another server in another data center) generated one of the multiple keys required. Even server seizure wouldn't result in anything usable.

Another challenge was how to prevent servers from being overwhelmed with DDoS attacks. That would have been achieved by using the Tor API to generate custom onion addresses for each user and vendor that they could bookmark. The only site that could be DDoS'd would be the landing page. It also allowed for an easy route to horizontal scaling.

The old system also didn't properly delete stuff, it just flipped a boolean "deleted" field to prevent it from being visible anymore... Not very smart for data hygiene.

I've been wanting to use what I planned out to build a product for the last few years, but I can't think of anything legal & legitimate that would have such strict security requirements that also has potential for profitability.

> Another challenge was how to prevent servers from being overwhelmed with DDoS attacks. That would have been achieved by using the Tor API to generate custom onion addresses for each user and vendor that they could bookmark. The only site that could be DDoS'd would be the landing page. It also allowed for an easy route to horizontal scaling.

If the market were compromised and the URLs exposed, this would make it easier for a bad actor to connect a user to the URL, right?

A friend told me the story of his friend here in Mexico, who was just finishing school (uni) and needed some money. A friend of his offered that if he stayed at some random house for a weekend (to "guard" the house just staying there to sleep) he would be paid several thousand pesos. Not bad for a weekend of doing nothing.

That weekend there was a police raid on that house. The poor guy ended up being arrested along with others and got 20 years jail time because there were drugs and guns in the house.

Not worth it.

Assuming your story is true (and based on ones I've seen on 'Locked Up Abroad'), I think what happens here is that higher ups are giving the police a win. Everyone in some of these areas is on the take, but the police still need to show arrests once in a while. So throw some guns and drugs in a house (cost of doing business), put some randoms in there, and call the raid.

>A friend of his offered that if he stayed at some random house ...arrested along with others

with friends like that, who needs enemies!

Well yeh, that particular idea is not worth it. It's ridiculous. On the other hand in the UK I know people who make huge amounts of tax free money and when they get caught (usually after 5-10 years) they go to prison for a year or two. Not so bad.

> These aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?

Narconomics[1] has a pretty good discussion of the economics (including recruiting) of cartels.

[1]: https://www.amazon.com/Narconomics-How-Run-Drug-Cartel/dp/16...

The real barrier to entry here is the stress. Always feeling those butterflies when the phone rings - getting nervous when you see a police car - freaking out a little when the doorbell rings.

It's no way to live - and don't even think about having a family/kids after you get involved. You'll die early of the stress.

If you think you're a master 1337 hacker or online drug dealer - just get a job in IT security. It pays better, comes with zero stress.

> It pays better, comes with zero stress.

Spoken like someone who has never done either.

15+ years ago when I was hacking and doing credit card fraud, I could make $1000 cash a day without a lot of effort or time. Because I was careful about protecting myself and didn't work a lot I didn't have much stress. I have far more stress with a full time job.

That said, the drug game would be a lot more stressful.

As a curiosity: what made you stop?

I wanted to go legit and get into real estate. About 3 before I would have been out I got caught.

*3 months

Might be dated at this point, but a chapter in Freakonomics was about the economics of being a gang affiliated drug dealer in the US. The analysis there was that outside the top couple guys, the actual pay wasn't much better than just working as a fry cook or whatever, while the risk of being arrested or shot was much, much higher.

So even in criminal enterprises, I think you have to move up the distribution chain a ways to see the big $

> get a job in IT security. It pays better, comes with zero stress.

I beg to differ. All IT jobs have stress, but security by definition stresses you about things that haven't happened yet. If you have zero stress doing IT security, you're doing it wrong. Still immensely better than crime, though.

Second this recommendation. Fascinating read.

That is a fantastic title. I decided to buy it, thanks for the recommendation.

You could benefit from reading this sociologist's account: "Gang Leader for a Day":

<< Sudhir Venkatesh never imagined that as a result of this assignment he would befriend a gang leader named JT and spend the better part of a decade embedded inside the projects under JT’s protection. From a privileged position of unprecedented access, Venkatesh observed JT and the rest of his gang as they operated their crack-selling business, made peace with their neighbors, evaded the law, and rose up or fell within the ranks of the gang’s complex hierarchical structure. >>

But that was in the 90's. All the tech must've changed the trade by 2020.

The line between being willing to take enough risk to get involved in drugs and being risk averse not to get in trouble from being involved with drugs is a very thin line.

You can get rich from drugs very easily but getting rich from drugs while minimising your risk enough to live out your days comfortably is hard.

The smart way for a nerd to get rich from drugs is to formulate a short-term high risk plan that utilises the dark net to acquire and sell drugs before moving on very quickly. The problem is, if you’re making a lot of money very quickly... can you give it up? What’s one more day? What’s another week? You’ve been going 6 months — what’s 7?

Drug dealing groups are not a carefully designed and well oiled machine, there’s no knowledge passed down from generation to generation: there’s a group of people who haven’t yet been caught out by their mistakes. The people mentioned in this article made a mistake by using this app, and that mistake finally caught up to them.

The whole drug industry is predatory, the smartest people involved in drugs are the most predatory because minimising risk for yourself means offloading that risk onto others using violence and coercion.

There’s no romantic art to drug dealing: if you’re smart and willing to hurt others, you can be a millionaire before the year is out.

You may be interested in the book “Wiseguy”, a very interesting, informative, and often hilarious book about Henry Hill, a member of the mafia in New York.
It explains in great detail how he got into the mob and how the mob works. I would assume many organized crime groups follow similar paths. Essentially young kids with problems with authority meet hoodlums who can vouch for them, they get into the lifestyle, and start learning how to hustle. No one rats because doing so means death.

This book is also what the superb movie Goodfellas is based on, which is a fairly close portrayal of the book.

>>And those operations need members. Where do they come from?

Friends and friends of friends. If you hang out with "dodgy" people you will eventually see those opportunities pop up.

However those are exactly the sort of people that a well run criminal organization would keep at a distance. The opportunities one gets from dodgy people are dodgy opportunities.

The recruiting of violent, power seeking, poor impulse control people was one of the major factors in the decline of the five families. When better opportunities existed for 2nd and 3rd generation Italian-Americans, many took those better non-criminal opportunities. An organized crime life is a pretty hard life. This dramatically hurt the number of good candidates that organized crime could recruit from. The candidates they did recruit often placed their individual desires over the needs of the organization. This destroyed the internal trust which was a major enabler of their success.

Have you heard of the podcast Darknet Diaries? Jack Rhysider (the host) does a pretty remarkable job of documenting the answers to your questions by interviewing guests (in story format) who often come from the more murky areas of the internet.

In particular I recommend the episode freakyclown or OxyMonster as that seems to fit what you're looking for.

> I'm a programmer. I learned it from the internet. Where do they learn?

Crack Overflow?

Also HitHub. Heaps of free coke repositories.

>> I'm a programmer. I learned it from the internet.

Same is true of Paul Le Roux [1]. I think if you're criminally inclined you'll find a way.

[1] https://en.wikipedia.org/wiki/Paul_Le_Roux

>Le Roux was sentenced to 25 years in prison in June 2020 after agreeing to cooperate with authorities in exchange for a lesser sentence and immunity to his most serious crimes.

Surely he will have to serve his sentence in solitary because I would imagine cooperating with the authorities makes you rather unpopular in prison.

It wouldn't stop there - imagine _leaving_ prison when those who weren't caught know your name and the fact that you cooperated with law enforcement.

That depends on the prison. If it's minimum security it's unlikely anyone would do anything. Medium or higher? Maybe.

Some people are exceedingly good at working out ways around the law to make a lot of money. Here is how I think their story works in many cases (I have no formal expertise):

I expect these days in developed countries most of them start with credit card fraud in their teens and usually go to prison. At that point they either reform (I know of two such individuals by name, one is a friend sysadmin/CTO now and the other is Stephen Fry) or they get recruited in prison into an existing criminal org. From then on they acquire knowledge on how to crime from people who have the experience.

This is an interesting aspect of the criminal system I don’t often see discussed - for a lot of kids who are dabbling in crime and get caught sending them to prison is how their criminal network grows. It doesn’t help “reform” the edge cases so much as it allows the edge cases to be easily recruited by existing criminal operations.

Pah, these guys are petty thieves compared to Wirecard...

The difference between blue collar crime and white collar crime is one uses guns, while the other uses pens.

The pen is mightier than the sword.

It's great news that these crims have had their just deserts. It's even better the quantity of drugs taken out of circulation, and hopefully the decimation of the network.

I have a good grasp of the difference between the two, and for the most part I think white collar crime is worse. It's pure greed and the same kind of exceptionalism that's been growing and growing for the last 50-60 years. Blue collar crime is as old as civilisation, white collar crime is as old as deregulation.

> white collar crime is as old as deregulation.

White collar crime is as old as civilization - how do you think kings and nobles got their positions back then?

I don't think we can compare feudalism with financial crime.

One was the system of governance for millennia, the other was enabled by the naivety of a failed ruling class who handed the power of states to the fraudsters of global finance.

Everyone understood (at a local level) how feudalism worked, I doubt many people could tell you what Wirecard were doing.

Feudalism only had about a 600 year run.

So right. Add Enron, or 2008 bank crash.

The important stuff they got off the street was the people and the machine guns.

Not to mention the drugs. One has to feel some sympathy for the street level thugs. They're body-men for the elite organisers, of whom we seem to only catch one every 10 years, and they often get off lightly and/or escape.

> To be clear, my question is: how is the knowledge necessary for such operations preserved? I'm a programmer. I learned it from the internet. Where do they learn? And these aren't street dealers. It's an organized, carefully designed, well-oiled machine. How does this machine work? How does it survive the loss of so many members?

This is what anthropologists call an "oral culture". You have to be told it verbally, because those involved are strongly deterred from writing it down. For the deeper secrets you probably have to be part of the right family.

In the rougher neighborhoods you'll find plenty of people who know how the system works, if only so they know what and who to avoid getting caught up in it.

(The interesting thing about the internet is how we've developed an "oral" culture that actually does get written down, because we do so much socializing through text! IRC channels and the like.)

£13m is only what the Met (London police) seized. It was over £50m in the whole UK

I can recommend a book called Whiz Mob.[1]

It's ostensibly a study of the specialized language of pickpockets, but actually goes in to great detail on how pickpocket gangs work.

Before reading this book, and knowing nothing about the subject matter, I had somehow assumed pickpockets worked alone and were just bottom-of-the-barrel amateur opportunists. I couldn't have been more wrong, as it turned out they work in highly organized units.

Fortunately, probably through the ubiquity of video surveillance, such gangs don't seem to be as widespread as they used to be.

[1] - https://www.amazon.com/Whiz-Mob-Correlation-Technical-Pickpo...

At least in the States, pickpocketing has almost disappeared. Part of this is probably part of the general trend of falling crime rates, but also because people carry much less cash around and cell phones etc. are difficult to fence.

You're either born a hustler or born into it. In the last few decades the hustlers do need IT help, especially online gambling, money laundering, etc. But it does come with risks, you don't want to be the IT guy who recommended this cracked app.

Get arrested and go to jail... that's where there's a large concentration of criminals from which you can learn.

Such is the plot of "A Stainless Steel Rat Is Born", by Harry Harrison.

Although selection bias tells you that they are the ones who got caught, so maybe they are not the best ones to learn from.

That is also a plot-point in ASSRIB.

You could likely learn what not to do, from them :)

> I wish it were possible to go observe the system in action as a spectator.

Barring a time machine or wonder viewer that would make this possible, I highly recommend this documentary from 2006 [1], "Cocaine Cowboys". It's a tell-all of the inner workings of the largest drug importers and follows the rise and subsequent fall of the cocaine trade in Florida, which ultimately culminates in the major construction and modernization of Miami, Florida.

[1] https://imdb.com/title/tt0380268/

I know in Mexico/other parts of South America they'd kidnap/abduct radio infrastructure workers for setting up/managing comms. Give them a fairly nice life too, except for the whole you're stuck in this position and we'll kill you and your family if you try to leave.

So, basically, go down there with a sign stating what you can do and hope to get kidnapped...

This. For organized crime in a country where 9 out of 10 crimes go unpunished, the fastest way to start up infrastructure is kidnapping experts.

You want to steal from oil pipes? Kidnap a few field workers. You want a solar-powered, encrypted, nation-wide radio network? Kidnap telecom workers.

I can’t speak to the British case, but the book Gomorrah goes some way to answering these questions for organized crime in Naples.

If my local neighbourhood drug dealers are any indicator they recruit by word of mouth. A friend knows a friend who knows a friend who has a few attractive job offers so if there's somebody to vouch for you, a meeting is arranged.

They usually have some front business. "My guys" had a small logistics operation (obviously) - a single tractor trailer. Apparently the local liquor store was involved as well because it was run by the same people.

How do I know all this? Some of their trades, meetings and even disagreements happened out in the open. Nobody dared to be too curious about this. Also my friend's ex boyfriend was a drug dealer so she had a few stories to share.

I still vividly remember this one time when I saw one man handing out brick-shaped packages which were inside a car trunk to another man. At first I didn't know what I was looking at, but seeing how my eye contact made them uncomfortable I stopped staring and went on my way.

>>If you wanted to get into the criminal drug trade, how would you start? Is there a guide somewhere I can follow?

You would start from the bottom. Going around saying you want to be part of the business is a sure way to end up dead as a snitch.

Yeah there's a LOT of money: cocaine costs as little as $2k a kilo in Colombia and can be sold in the EU for close to $100K when accounting for cutting. I guess a lot of it is segmented. For example: one group brings 800kg from Ecuador and sells it to local gangs and so on. If they get caught, other groups fill the void.

There's a ton of "inside look" type videos on Vice on YouTube if you're interested. Try a "{any drug name} vice" query.

You would join an existing organisation, as you'd have no chance setting yourself up as a "startup" - existing gangs would not take kindly to someone trying to disrupt their business.

The criminal world offers a fascinating glimpse into what pure, unrestrained capitalism would look like.

If we look at what trading corporations do in times and places where they can get away with it, we see:

- Aggressive acquisition of natural resources to protect the supply chain

- Use of armed force to gather and protect said natural resources and the geographic territory wherein they're contained.

- Use of armed force to protect and expand market capitalization (markets, trade routes etc)

This is pretty much identical to what a drug cartel does on a day-to-day basis.

I don't know if it's insightful to think of this as "pure, unrestrained capitalism".

Imperialistic nation states of the 1700s and 1800s followed this playbook, in a time where the biggest enterprises were state-owned (in Empire of Cotton, Beckert refers to it as "War Capitalism").

But those systems fell apart because they were too volatile. Eventually, an inability to control that volatility compelled the same imperialistic nation states to divorce themselves from private enterprise, and took the monopoly on violence in the settlement; so far, it's been a more stable equilibrium.

Both systems are "capitalist", in that they permit the private accumulation and investment of wealth. I would argue that the main difference is the state-owned monopoly on violence, eminent domain, and regulation of the financial sector.

Regions with strong criminal underworlds tend not to be governed by institutions with such monopolies.

> state-owned monopoly on violence

There's an interesting 2012 TED Talk by Peter van Uhm, the then chief of defense for the Netherlands. He discusses the state monopoly on violence as a central point of how and why the military exists.

"Peter van Uhm: Why I chose a gun"

Ted: https://www.ted.com/talks/peter_van_uhm_why_i_chose_a_gun?la...

Youtube: https://www.youtube.com/watch?v=LjAsM1vAhW0

It's only partially unrestrained capitalism. Don't forget the role of the cartels is to both provide finance/guarantee and control price/supply.

By definition trade in capitalism is done willingly.

That is not capitalism.

> By definition trade in capitalism is done willingly.

Not by the definition used by the people who named and defined capitalism.

It's true that after that, the conceit that capitalism involved only voluntary, uncoerced trade was adopted by its defenders as a rationalization of the system, but that was not true of either the specific real world systems for which the name “capitalism” was coined to refer or subsequent real world examples, and certainly has nothing to do with the definition of capitalism.

If you want to distinguish the proposed scenario from capitalism, it would be in that it does not involve private property rights in the means of production, but instead on their forcible seizure and defense, but that's a slippery distinction because commonly such systems evolve into a degree of legitimization and trade with recognized rights between the parties, and the roots of capitalist property also start in forcible seizure which is later legitimized.

If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?

> If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?

Given the diversification most capitalists have and looking at what major corporations do globally, yes, though I'd also expect them not to think of themselves that way.

Drug cartel leaders, I'm sure, often have similar self-serving rationalizations of their role.

Ok, thanks :)

We can't go any further on here, too much ground to cover.

>If someone living today called themselves a capitalist would you expect them to be involved in "forcible seizure and defence"?

Do you consider executives of, oh let's say, the Coca-Cola Company, to be capitalists?
Assuming you are probably thinking of linking something like this: https://en.wikipedia.org/wiki/Sinaltrainal_v._Coca-Cola_Co. ?

Illegal activity is illegal. Capitalism has law and a stable society as a prerequisite.

From related portions of the economy: given the growing use of debtor's prisons, predatory loans, and coercive tactics including armed repossession & bounty hunting dependent on an exploitive for-profit bond regime? Yes. These are not companies rejected by modern capitalism. On a higher economic level private equity's leveraged buyouts are very frequently hostile takeovers that use a company's own resources to seize control of it.

> By definition trade in capitalism is done willingly.

The definition of capitalism, and the world in which capitalism operates, are different.

The final transaction between buyer and seller is voluntary.

But all of the backend infrastructure may be highly manipulated in unethical, forceful ways.

A person buying some whale meat willingly pays the merchant at the meat market.

But that whale meat was acquired because one group killed the whale before another group. And that group killed the whale first because they setup groups who threatened other would-be whale hunters, and as this group gained a bit of financial traction they paid off local officials to pass some “coastal safety” ordinances that provide them some level of monopoly on killing whales, and worked out another ordinance that lets them dump toxic byproduct in a local river to place some of their cost into the public that won’t be easily rectified for decades.

So a perfectly ethical capitalist fisherman might well find themselves facing men with guns who forcefully prevent them from competing, when the police show up to enforce the local coastal safety law.

People buying drugs do so willingly.

Rather depends on your definition of willing.

Indeed, but that wasn't the bit I was talking about.

I was replying to the comments about use of force.

Create the problem, sell the solution. Consent!

I don't think a product that creates its own demand is against any of the Official Rules Of Capitalism.

That's nowhere in the common definition of capitalism.

The film "Blow" is outdated but probably a good starting point on the history of how things like that develop.

ZeroZeroZero by Roberto Saviano may have information you'd want.

Also looks like ZeroZeroZero is an Amazon Original series now as well.

Netflix has a comedy about a programmer getting into drug trade called How To Sell Drugs Online (Fast)

You should read the story of the silk road. There was a fascinating piece in Wired.

This story is surprising as there were rumours about 18 months ago that EncroChat had been vulnerable. Esp when other similar services had been taken down and targeted.

Random side story: Governments have become much more aware of the purposes of these sorts of phones and seller.

About 18 months ago I was asked to meet with the sales people from a specialist phone company like this one; they were interested in selling them to the NGO/journalist market. I'm always happy to chat and test the utility of interesting security tech and compare it versus more common setups (locked down phones, Signal etc). I've met a load of these sorts of companies at trade shows etc, as I'm sure many here have, but they wanted to meet in person as they were in town talking to various potential clients. The product was decent enough but way beyond the price anyone in the sector would be able to afford. Anyway, the guys were nice and I genuinely didn't get a sense they were particularly up to anything bad...

However when I left the meeting (in a European capital) I had physical surveillance all over me. Not a particularly good team, hence I detected them. Totally caught me by surprise. Ran a hastily arranged surveillance detection route and managed to confirm a few (no doubt there may have been more). At first I thought it might be the company I had met doing it to me for some weird reason. However as I thought through the tactics, people profile and operational reason for doing it to me I can only assume that whoever the local police were had been watching closely anyone who was meeting with the secure phone providers (they were foreign to the country in question, so probably came under more suspicion). No doubt this was because of the connection between a lot of these sort of companies and the criminal underworld. (Again, I didn't get the sense these particular sellers were up to no good, I just thought it was an interesting perspective)

> Ran a hastily arranged surveillance detection route

What did this entail?

I was so curious about this that I did some googling and read this article about it: https://protectioncircle.org/2016/05/25/surveillance-detecti...

Ami's stuff is excellent. If you ping any of the resources in my bio I can send you more if you are interested.

Well, being trained properly is the best advice, as there is nothing more risky than thinking you are clean when you are not. It was on foot in a busy city so it's way too much to write up here, but if you're interested in reading basic stuff from a general security guide, follow the link in my bio.

Not OP but could be as simple as travelling in circles or taking nonsensical routes.

That would be considered very suspicious and alert the team immediately, plus they would have been trained to deal with that. I had no reason to feel threatened by them as I haven't done anything wrong. I just used the chance to practice some past training, buy myself time to figure out WTF was happening then broke off at a point where that would seem legitimate to them without them sensing it was what I was doing. It may well have been a genuine criminal investigation I'd somehow walked into by accident so I had no desire to compromise that.

If you are already being followed by someone, surely it doesn't matter if you "act suspiciously" by e.g walking in circles.

What are they going to do? They are already following you? Follow you more?

For what it is worth, there are enough crazies and phone zombies in any major city that pretty much anything goes anyway...

It's really a sort of long story and depends ultimately on the risk that you potentially face and their possible objectives.

Roughly, the way to think about your options is:

-Covert - Use your detection of one or more to detect more of the team but do nothing. This preserves your ability to detect them in future especially if they reuse tactics and locations, especially any trigger locations that they pick you up on.

-Overt - Use your detection of the team to openly "burn" them by confronting them ("Who the fuck are you and what do you want?"). But that means in some contexts like a human rights defender they may move in to arrest you, kidnap or whatever depending on their objectives. Or they will just step off you and come back next time in a better way that means you won't be able to detect.

-Semi-overt - increase their heat state by approaching them for something innocuous ("Hey, do you know where the local church is?"). This means you test their local knowledge, and that individual will most definitely lift off you for a while, though they may not entirely suspect what you did was deliberate as they would above. They could of course use that time to threaten you, especially if you are talking about a criminal or narco threat etc.

-Overt break - You use a very obvious method of breaking away from them like jumping a light, speeding up your normal walking pace, swapping public transport, going into a location that doesn't fit your pattern of life purely as it would be hard to cover and then ditching out fast through an exit etc etc. Again that will alert them and as above they may move to snatch you or come back another time. Remember, they may already know where you live/work etc so they may have that information.

-Covert break - You run an SDR then find a location you can use that fits your pattern of life and use that to lose them. They can still of course come back but they may chalk it down to an accidental loss if you do it right. Plus you are sometimes playing on their cultural biases that means they may be reluctant to report a loss to their bosses etc.

There's obviously a hell of a lot more to think about. Such as: if you use the above to create a break, what is it you are going to do then? This is often what people struggle to think about in advance, especially as it's intimidating as hell to find yourself in that sort of scenario with a real threat. For example, people we've worked with have made decisions to essentially go on the run with just what they have in their pockets (from people looking to kill them) once they broke away. That's when the training about the physical and digital stuff (alert help but maybe ditch the phone, get the grab bag, change clothes, switch to routes off CCTV etc etc etc) kicks in.

What is useful though is that you as the person being followed usually have control over who, what, where etc happens in your day (unless it's an intimidation scenario like in some countries where surveillance literally waves at the people every morning as they follow them around).

Some better structured answers in Umbrella App or you can try the beta web version: https://umbrella.secfirst.org/lessons/en/work.being-followed

Extremely interesting read. Thanks for sharing.

Never thought I would see someone referring to the use of SDRs - let alone effectively applying one - on HN. Curious as to where you picked up the skillset.

Mostly private courses and experience built up over the years driven by the need to use and train on it for journalists and activists at risk.

On a few, thankfully limited occasions I've had to use it in relation to myself where a real threat existed but rarely enough. Mostly when I've had to use it personally it was to ensure I wasn't risking anyone I was meeting or if I wasn't sure if they might be a deliberate/accidental security threat.

We teach it on some of the source protection training courses we do with journos/NGOs. Also we write some basic stuff about it in our open source app, Umbrella. Some activists are threatened by actors ranging from kidnap to ISIS, from corporate to government intelligence, from crime to stalkers. So it's very useful for helping people identify a wide range of threats early.

Also just generally for getting people's heads up out of their phones and off the ground and taking in more alertness of their surroundings - the sort of Cooper's Colour Code style thinking.

> the sort of Cooper's Colour Code style thinking.

... and now you've got all of us gun nuts paying attention :)

Very cool! Sounds like some really fun training to provide and never even considered how useful those skillsets would be for journalists. Thank you for sharing.

Four left/right turns in a row

Difficult way of saying "I drove around in circles for a while".

Maybe a police state keeping tabs on journalists potentially investigating corruption?

No definitely wasn't a police state. I mean I wouldn't rule out that was why but very very unlikely.

Is it just me or does the timing of this story seem a little fishy considering the EARN IT act that US Senators are trying to push through?


I'd say the contrary: isn't this a prime example of how law enforcement can work around encryption without weakening encryption in general by law?

It's a shaky argument, because ideally these systems would be so secure that they wouldn't be able to have done what they did. They relied on human error and that seems like a bad excuse to penetrate a system.

Yes, but I'm not sure we should be giving up real rights to imagined threats. In practice, what encryption systems do is make it sufficiently inconvenient to steam open our letters that the authorities only do it with motivation. The only real case for some of these proposed laws is "we don't want to employ specialists in this field" not "these systems are uncrackable".

Or: we want the full firehose of data, and then we want to employ Machine Learning specialists. ML is apparently magic.

The motivation driving these laws is E2E encryption, which if implemented correctly is uncrackable. Today, pretty much everything is encrypted, but since the provider has the keys they can access the messages. E2E encryption shifts the keys to the user, which means that the provider has no access to the content of the message. It is theoretically uncrackable without the user's secret, and when it's Apple, Google, Facebook, et al. implementing the system and not some 2-bit criminal operation it will be uncrackable in practice.

To quote Monty Python "This isn't an argument, this is just contradiction!"

I don't know what this means.

First off, you definitely should watch this: https://www.youtube.com/watch?v=ohDB5gbtaEQ

But the point is the post just literally contradicted the previous post. There's not a lot of places to go from there.

I'm sure that if a bunch of criminals found a way to make a perfectly secure mobile phone they wouldn't be too bothered with a law that says they're not allowed to do that.

But doesn't that also mean one can plausible defend strong crypto by saying "look how easily police broke into this system's weak crypto, how would you feel if criminals could break into your bank this easily?"

They had the fact they'd broken the system leak to the criminals before they finished their operation.

Seems like they can't be trusted with proper secrets, doesn't it?

I realize Mozilla has an axe to grind, and perhaps rightly so, but they undermine their argument by not linking to the actual text of the Act.

That page is just saying, "Act bad! Signup here to protest!" If the bill is really so bad, then they shouldn't be afraid to let people see for themselves what's in it.

Why would the Dutch and French police time the release of this information with a US law proposal?

Because that's how global politics and alliances work, sometimes.

Sure. Because Trump hasn't completely messed up any form of allegiance the Europe had to the US.

Ultimately Trump is just one (albeit powerful) dude - I imagine intelligence and other agencies have built up relationships over a much longer period

Yes, they probably have, relationships based on trust. Using information for political gain is not the type of stuff that allows that trust to continue existing.

So for US politicians to both know and abuse this, someone in the US intelligence community would have had to be willing to lose a lot of trust on the EU side by both sharing the intelligence and allowing it to be used for political gain and forcing the EU side to become their political puppet.

That doesn't seem reasonable to me, but who knows. If that's what happened though, the US can forget any trust in the near future.

No particular reason I guess, but stranger connections have been made when the US leans on other countries.

Sweden violated its constitution and had dawn raids and confiscation of servers performed to satisfy the RIAA.

That's completely different from asking two different countries to withhold information from multiple criminal investigations for political gain by a specific group of US politicians.

European countries don't even trust US politicians anymore with information about ongoing investigations, due to the blabbermouth president. Why would they even communicate this with them to begin with?

They still hold some clout as long as they are in office.

And don't forget that the administration has installed a lot of affiliated people into agencies. (Ratcliffe for instance.)

I'm not saying the dutch and the french did some kind of cooperation with the US here, I'm just saying I would not gasp of surprise if it turned out to be so.

GCHQ were involved, which means the NSA would have known about it since they're not really separate organizations. I believe they would refrain from briefing the president on something which was important to keep secret.

> And don't forget that the administration has installed a lot of affiliated people into agencies.

I haven't and neither have our agencies.

Do you mean the staff remember to cater to the whims of their newly appointed chief, or do you mean, they remember and try to stall the worst madness from above?

It's probably just a coincidence. The actual French access to the servers was in April - there were more rumors of it back then.

exactly my thoughts too

Given the care with which the software was built, I wonder if the hardware itself was compromised. The open hardware folks always talk about the insecurity of the closed hardware in phones; I wonder if any official narrative discussing a software exploit is simply a parallel construction. [1]

[1] https://en.wikipedia.org/wiki/Parallel_construction

From a different article linked by a comment, the replies from the company itself point towards a compromise between the phone and the update server. The police got access through the SIM service provider and were able to inject their own modified updates to the connected phones.

As a simple guess, I would suspect that the police managed to get a valid certificate from the domain name used by the update server and through that MiTM the connection. One of the comments from the company said "They repurposed our domain to launch an attack", which would fit such scenario.

Attacking the authentication of update functionality is also, in my view, the usual suspect in cases like this. When a hardware device gets rooted it very often is some kind of attack which allows people to push a modified update in some way. The developer in this case would need to have designed the update feature assuming that the domain name could be compromised, the SIM service could be compromised, and that the path between their server and the phone could be compromised. If they used cloud services for their servers then they would also need to assume that the cloud provider could be compromised. People can write software very carefully and still forget to account for one of those.
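One way to build an update path that survives every compromise listed above (seized domain, hostile SIM provider, hostile network path, hostile cloud host), as an added example and not EncroChat's code: the device trusts nothing about where the bytes came from, only a signing key pinned at manufacture and a monotonically increasing version counter. The manifest layout, the Ed25519 choice and the "installed version" field are assumptions for the example; the attacker below holds a valid key for the domain but not the vendor's offline signing key, which is exactly the position of someone who has "repurposed our domain".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical update descriptor (an assumption for this
// example; the real EncroChat update format is not public). Only the manifest
// is signed; the payload is bound to it through its hash.
type UpdateManifest struct {
	Version       uint32   // strictly increasing, used for anti-rollback
	PayloadSHA256 [32]byte // hash of the update payload
	Signature     []byte   // Ed25519 signature over manifestBytes()
}

// manifestBytes is the exact byte string the vendor signs.
func manifestBytes(m *UpdateManifest) []byte {
	buf := make([]byte, 4, 4+len(m.PayloadSHA256))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.PayloadSHA256[:]...)
}

// SignManifest runs on the vendor side with the offline signing key.
func SignManifest(vendorKey ed25519.PrivateKey, version uint32, payload []byte) *UpdateManifest {
	m := &UpdateManifest{Version: version, PayloadSHA256: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(vendorKey, manifestBytes(m))
	return m
}

// Verifier is the state a device keeps in tamper-resistant storage: the
// pinned vendor public key (not a TLS certificate, not a domain name) and the
// highest version it has ever installed.
type Verifier struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("update: signature does not verify under the pinned vendor key")
	ErrRollback     = errors.New("update: version is not newer than the installed version")
	ErrPayloadHash  = errors.New("update: payload does not match the signed hash")
)

// Check accepts an update only if it is signed by the pinned key, is newer
// than what is installed, and carries the payload the manifest commits to.
// Which server, domain or SIM delivered the bytes plays no part in the decision.
func (v *Verifier) Check(m *UpdateManifest, payload []byte) error {
	if !ed25519.Verify(v.VendorKey, manifestBytes(m), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= v.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return ErrPayloadHash
	}
	return nil
}

// Scenario plays three deliveries against one device and returns the verdicts:
// a genuine update, a forged update from someone who controls the domain but
// not the vendor key, and a replay of an older genuine update (downgrade).
func Scenario() (legit, forged, replay error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // key behind the seized domain

	device := &Verifier{VendorKey: vendorPub, InstalledVersion: 1}
	v1 := []byte("constructed payload for version 1") // constructed sample data
	v2 := []byte("constructed payload for version 2")
	oldManifest := SignManifest(vendorPriv, 1, v1) // what the device already runs
	newManifest := SignManifest(vendorPriv, 2, v2)

	// 1. Genuine update: passes, and the device records the new version.
	legit = device.Check(newManifest, v2)
	if legit == nil {
		device.InstalledVersion = newManifest.Version
	}

	// 2. Forged update served from the hijacked domain: the attacker can only
	// sign with their own key, so a valid TLS certificate does not help them.
	evil := []byte("constructed payload that would log plaintext before encryption")
	forged = device.Check(SignManifest(attackerPriv, 3, evil), evil)

	// 3. Replay of the old genuine manifest to push the device back to a
	// version with a known hole: the signature is fine, the version is not.
	replay = device.Check(oldManifest, v1)
	return legit, forged, replay
}

func main() {
	legit, forged, replay := Scenario()
	fmt.Println("genuine update: ", legit)
	fmt.Println("forged update:  ", forged)
	fmt.Println("replayed update:", replay)
}
```

The order of the checks matters: the signature is verified before anything else so that an attacker cannot learn about the installed version (or exhaust the device) with unsigned input, and the version comparison sits before the payload hash so a downgrade is refused even when the attacker has the genuine old payload.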

Yeah, I wonder too. I had Cyanogenmod on a very old Android phone, and after a while messaging started to act up in strange ways.

The paranoid side of me started to weigh different explanations against each other, and one would be a compromised base band processor which tried to do something to the Android side, but failing, since it was no longer the vendor image it (hypothetically) was expecting to manipulate.

Security is tricky and must be designed in depth, with a mistrust of all layers. If the hardware is designed such that the baseband and the main CPU are not separated by a communications channel, all can be lost if one does not control the baseband firmware too.

(For instance if the baseband processor has shared memory access, that's a problem. If it's just a data interface, treat the baseband processor as a hostile network.)

In my case, the likelier cause was probably something buggy in the Cyanogenmod image, or, while still unlikely but less so than baseband exploit, that the Android side itself had gotten some kind of virus because of some kind of security flaw in that particular Cyanogenmod version.

I think even more likely, is that EncroChat employees and/or the company itself were compromised.

The article makes mention of using their network to deliver an exploit. It could have been software, firmware, or hardware related. I'm guessing one of the existing zero-days that they hadn't patched yet. Once the end device is compromised the encryption used doesn't really matter as keys and plain text can be intercepted by the kernel. How they got access to the network for delivery is likely via the company itself. A knowingly or unknowingly compromised employee as mentioned seems the most likely.

I don't quite understand how this worked and the article is thin on details - was there not E2E encryption between the participants?

> Our servers are node based and located all over the world; all input and output are true end-to-end encrypted. The Servers only initiate the tunnel.

Their own statement suggests a zero-day?

> Today we had our domains seized illegally by government entities. They repurposed our domain to launch an attack to compromise carbon units.

> With control of our domain they managed to launch a malware campaign against the carbon to weaken its security.

Here is a link from another HN post. It explains a little about it from my quick scanning:


> French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users' communications for months.

Sounds like their servers got popped, probably ones distributing updates, and also sounds like hand rolled crypto from their website although that doesn’t mean much if they can access the devices.

Breaking "hand rolled" crypto is a very hypothetical threat, almost a non-existent threat, as in practice software with a centrally controlled distribution model has many much, much bigger weaknesses that advanced threat actors are going to exploit, like updates. Assuming they even can successfully break such crypto at scale, imagine how much effort it would take just to get to the encrypted bytes given all the VPNs, TOR and overlay networks providing extra layers of encryption and privacy/anonymity, hiding who talks to whom by sending packets through other countries.

I guess what people should learn from this is that encryption isn't a protection without solving problems caused by centralization first.

Well, I wouldn't say that's true, hand rolled crypto notoriously is weak when your adversary has cryptographers... like governments.

And this system sounds extremely snake-oily, and likely making typical bad crypto mistakes everywhere.

That's a good summary.

The other article I read about this is that law enforcement compromised the service's servers and pushed an update to the clients, making them send unencrypted messages, which allowed law enforcement to read them as they came through in real time.

Devil's advocate: Is there evidence law enforcement didn't start and run the project from the beginning? If they did, I wouldn't expect them to come out and acknowledge it.

I'm similarly skeptical of popular VPN apps.

Humans are often the weak link here. The most common scenario is that the police had some control over the project due to a compromised person. I'd wager that the police did not start the project, but soon after it was being used for crime, they took over it.

I'm not sure it's possible for me to develop and run something with the assumption that even if I turned police intelligence asset, the product would be untouched. Open source would help, and some kind of distributed, decentralised thing maybe.

I agree. That seems more likely. I doubt we'll be told, but I'd be interested in the specifics. It seems like it might have ethical implications to take over it without the blessing of the owner(s) of the company. After all, I doubt they will be able to get many more customers now that it's widely known that it was compromised by law enforcement. Arguably law enforcement destroyed this company, which the owners might normally not be happy about.

It may be as simple as: the business wasn't making money and the owners wanted out, so law enforcement bought it or paid them off. Then law enforcement isn't really "compromising" the company--they're in control of it (whether the employees know or not). At that point they can have the existing devs modify it however they want, or just hire a few new devs.

Think there may be some legal/ethical issues with law enforcement starting/running a honeypot that is actively being used to plan (and probably carry out) murder, while they just sat back and watched.

Yeah, police are just not that entrepreneurial in enabling crime.

It's like trying to design something to go viral -- harder than it looks. Probably easier just to find informers.

Yeah, any VPN that doesn't mind paying YouTubers to advertise I run far away from.

But in that case why wouldn't the system's owners alert everyone about that fact? It's pretty obvious when your system is sending updates and your domains are getting seized.

According to the Vice article, they did notify users on multiple occasions about the compromise. They even pushed out software updates and worked with a 3rd party SIM provider to try and fix the issue. Apparently, even after they pushed out updates the “hackers” were somehow able to repeatedly regain access.

Do you have a link?

The Dutch news mentions the police managed to snoop on the messages "before they were encrypted", so I assume they managed to hijack the app update process and installed a keylogger or something.

If they had access to the servers then they could have intercepted the key transfer. They would then be able to decrypt any messages sent

If that was the case, it's not really "before they were encrypted" though.
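The key-transfer interception described in the comment above, as an added example that is not EncroChat's code: when the server is the only thing introducing two users' public keys, whoever controls the server can hand each side a key it generated itself and complete two separate handshakes, reading everything in between. The fix that does not depend on the server is to have the users compare a fingerprint of the received key out of band. The X25519 exchange, the relay model and the fingerprint format are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is a chat client holding an X25519 key pair.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParty(name string) *Party {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: k}
}

// Fingerprint is the short value two users would compare out of band
// (in person, over a call, via QR code). Here: a truncated SHA-256 of the key.
func Fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return hex.EncodeToString(sum[:8])
}

// Relay is the introduction server that hands each side the other's public
// key. A hostile relay instead hands out keys it generated itself and runs
// two handshakes, one with each side (a classic man in the middle).
type Relay struct {
	Hostile  bool
	forAlice *ecdh.PrivateKey // key the relay presents to Alice, posing as Bob
	forBob   *ecdh.PrivateKey // key the relay presents to Bob, posing as Alice
}

// Introduce returns (key Alice receives for Bob, key Bob receives for Alice).
func (r *Relay) Introduce(alice, bob *Party) (*ecdh.PublicKey, *ecdh.PublicKey) {
	if !r.Hostile {
		return bob.priv.PublicKey(), alice.priv.PublicKey()
	}
	r.forAlice, _ = ecdh.X25519().GenerateKey(rand.Reader)
	r.forBob, _ = ecdh.X25519().GenerateKey(rand.Reader)
	return r.forAlice.PublicKey(), r.forBob.PublicKey()
}

// Outcome summarises one handshake.
type Outcome struct {
	Detected    bool // a fingerprint mismatch was noticed before any secret was derived
	SharedMatch bool // Alice and Bob derived the same secret
	RelayReads  bool // the relay holds secrets matching both sides (can decrypt everything)
}

// Handshake runs the exchange through the relay. With verifyOOB the parties
// compare the fingerprints of the keys they received against the real ones.
func Handshake(r *Relay, verifyOOB bool) Outcome {
	alice, bob := NewParty("alice"), NewParty("bob")
	aliceGets, bobGets := r.Introduce(alice, bob)

	if verifyOOB {
		okA := Fingerprint(aliceGets) == Fingerprint(bob.priv.PublicKey())
		okB := Fingerprint(bobGets) == Fingerprint(alice.priv.PublicKey())
		if !okA || !okB {
			return Outcome{Detected: true} // abort before deriving anything
		}
	}

	aliceSecret, _ := alice.priv.ECDH(aliceGets)
	bobSecret, _ := bob.priv.ECDH(bobGets)
	out := Outcome{SharedMatch: bytes.Equal(aliceSecret, bobSecret)}

	if r.Hostile {
		// The relay finishes both halves using the real public keys it saw.
		relayA, _ := r.forAlice.ECDH(alice.priv.PublicKey())
		relayB, _ := r.forBob.ECDH(bob.priv.PublicKey())
		out.RelayReads = bytes.Equal(relayA, aliceSecret) && bytes.Equal(relayB, bobSecret)
	}
	return out
}

func main() {
	fmt.Printf("honest relay:             %+v\n", Handshake(&Relay{}, false))
	fmt.Printf("hostile relay, no check:  %+v\n", Handshake(&Relay{Hostile: true}, false))
	fmt.Printf("hostile relay, OOB check: %+v\n", Handshake(&Relay{Hostile: true}, true))
}
```

Note what the hostile case shows: both users still "successfully" derive a secret and see encrypted traffic flowing, so nothing looks wrong from inside the app. Only a comparison that does not pass through the server (the fingerprint) exposes the substitution, which is why messengers that take this seriously surface safety numbers and warn when a contact's key changes.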

Some government comms such as areas including disaster relief and simple police dispatch are end to end

The problem is the key is transmitted in DTMF or by other means in the clear. I am not sure what my local PD uses for encryption, but I'm guessing it's outdated.

You can set the tornado sirens off with a small transmitter and a recording of the very consistent tone pattern if you wanted.

The worrisome thing is that cops use their cellphones instead, which is much more secure but also is used accidentally or purposefully to avoid public records.

Police dispatch might be encrypted but not very well.


It's actually worse than clear text radio in many ways.

All cellphone call meta data and all SMSes are recorded, so while it avoids people listening in scanners and the public record it isn't very confidential. It's police using WhatsApp and Signal that will cause big problems.
