
A fleeting moment of joy
And then I realised it was not Rupert Murdoch being arrested.
Encrypted phone network Sky Global has seemingly shut down after European police swooped on users and distributors, and its chief exec was indicted by American prosecutors. News of the company shutdown was broken by Vice News after raids in Belgium and the Netherlands on Sky ECC users and resellers. We're told Canada's …
The problem with proper encryption and security is decentralization and compartmentalization. Having a central hub (even with geographic spread) is only good if the hub admins cannot decrypt the stream/contents. Only the single endpoint, the final recipient, should be able to decrypt. From the looks of it, the system's security could be cracked by cracking one point at the edge. Not good design.
Why do people not use PGP mail? Oh, yes, it is difficult (and old). Well, let me tell you, secure communication is very hard to do right. Even PGP security can suffer if you send messages to multiple users in the same stream, because it can expose the (existence of) other recipients. If you are a smart criminal, then you know what to do. But then, those who get caught are surely not the "smart" criminals.
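The multi-recipient leak the comment refers to is visible in the packet headers of a PGP message, and the standard mitigation is the all-zero "hidden recipient" key ID. The following is an added example, not code from the post or from any PGP implementation: it parses OpenPGP packet headers (RFC 4880), lists the recipient key IDs, and runs on two constructed messages with made-up key IDs.

```python
# Added example: list the recipient key IDs an OpenPGP message exposes.
# Each recipient gets a PKESK packet (tag 1) whose body carries that
# recipient's 64-bit key ID in the clear (RFC 4880 section 5.1); an all-zero
# key ID is the wildcard gpg emits for --hidden-recipient / --throw-keyids.
import struct

PKESK_TAG = 1
WILDCARD_KEY_ID = b"\x00" * 8

def parse_packets(data: bytes):
    """Yield (tag, body) per top-level OpenPGP packet; old and new headers.
    Partial and indeterminate lengths are not needed for PKESK and raise."""
    i = 0
    while i < len(data):
        b0 = data[i]
        if not b0 & 0x80:
            raise ValueError(f"bad packet header byte 0x{b0:02x} at offset {i}")
        i += 1
        if b0 & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = b0 & 0x3F
            l0 = data[i]
            if l0 < 192:
                length, i = l0, i + 1
            elif l0 < 224:
                length, i = ((l0 - 192) << 8) + data[i + 1] + 192, i + 2
            elif l0 == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported here")
        else:  # old format: tag in bits 5..2, length-type in bits 1..0
            tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length

def recipient_key_ids(message: bytes):
    """Return the recipient key IDs (hex) that a message's PKESK packets expose."""
    ids = []
    for tag, body in parse_packets(message):
        if tag == PKESK_TAG:
            version, key_id = body[0], body[1:9]
            if version != 3:
                raise ValueError(f"unexpected PKESK version {version}")
            ids.append("hidden" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
    return ids

def _pkesk(key_id: bytes, old_format: bool) -> bytes:
    """Constructed PKESK packet: v3, key ID, RSA (algo 1), one tiny dummy MPI."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    if old_format:
        return b"\x85" + struct.pack(">H", len(body)) + body
    return b"\xc1" + bytes([len(body)]) + body

# Constructed sample messages (not real ciphertext); the key IDs are made up.
ALICE, BOB = bytes.fromhex("0A1B2C3D4E5F6071"), bytes.fromhex("F0E1D2C3B4A59687")
SEIPD = b"\xd2\x05\x01\xde\xad\xbe\xef"  # tag 18 with a dummy 5-byte body
MSG_TWO_RECIPIENTS = _pkesk(ALICE, True) + _pkesk(BOB, False) + SEIPD
MSG_HIDDEN = _pkesk(WILDCARD_KEY_ID, True) + _pkesk(WILDCARD_KEY_ID, False) + SEIPD
```

On the first message `recipient_key_ids` returns both made-up key IDs, on the second it returns `['hidden', 'hidden']`, which is what a message sent with `--throw-keyids` looks like to an observer.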
"If you are a smart criminal, then you know what to do. But then, those who get caught are surely not the "smart" criminals."
Have a friend in law enforcement. He said they didn't always catch the smart criminals, but they always catch the dumb ones.
Criminals probably think they're being smart when they use dark web sites, or modified encrypted phones, or money laundering exchanges. Instead it just makes law enforcement super interested & determined to infiltrate these service providers because the effort is worth it. The criminals are merrily discussing and transacting on their "safe haven" so the cops infiltrate, listen in and choose the moment to take them down. All designed to arrest as many people as possible and cause disruption and fear amongst the rest.
> Criminals probably think they're being smart when they use dark web sites, or modified encrypted phones, or money laundering exchanges.
We are presented with a very one-sided picture. It is natural for the authorities to broadcast their triumphs, and keep very quiet indeed about their failures.
For example, in 2015 there was estimated to be about £10.7 billion of cocaine imported into the UK, i.e. the illegal UK cocaine industry is about eight times the size of the pre-Brexit fishing industry. The people at the top of this industry are clearly doing rather well, despite the occasional high profile success by the police.
If you truly REALLY want to destroy the narcotics cartels there's a really simple low cost answer:
Decriminalise, treat as a health issue and give addicts clean cheap supplies
The ACTUAL cost of a medical-grade knockout dose of heroin or cocaine is still far less than £1
When you realise how fantastic the profits are you understand why this keeps happening - it's not about the drugs, it's about the MONEY - and the police are busy hoovering up money too - they don't want the "war" to end because it would make them unemployed
Portugal is a good example of what happens when you take the Dutch experiment to its logical end. There are virtually no pushers left operating in the country - why try to sell anything when you can't make a profit from the addicts?
oh, but "power", "control", "criminals", "rule of law"
Funnily enough one of the knock-on effects of the Portuguese approach has been a major drop in minor crime as addicts no longer mug or steal to support their habits.
There's a lot of money to be made in selling fear and authoritarianism
I can imagine a raft of high-profile celebrities, corporate executives and the ludicrously wealthy who might all find encrypted comms useful.
Just providing encryption doesn't make it a criminal business, no matter how much the cops would like it to be.
Use by criminals doesn't make the business a criminal conspirator, no matter how much the cops would like it to.
No, the cops want to shut this guy down because the service he provides can get in their way, and so they're throwing a bunch of charges at him to see if anything sticks, and to scare other potential providers away from offering a similar service.
If there's actual proof Sky Global knowingly and deliberately markets to criminals, then there's a case to answer. But since crims are unlikely to announce themselves as such, it's unlikely such evidence exists.
This case feels a lot like going after BMW because criminals sometimes drive a Beemer.
Well, they can both be used to commit a crime. A car lets a criminal get to or away from a crime scene a lot faster or you can kill someone with it. For the same reason, encryption can be used to hide information about your crime. Both can be put to nefarious use. They are also similar because both are heavily used by others for entirely legitimate purposes.
The important detail is whether the operators of the encrypted communication company knew their products were being sold to criminals. The wording there is important. It's not enough that the equipment was being used by criminals; car companies know that criminals will use cars and ISPs know that people will send malicious packets. The business has to know that they're interacting with a criminal for them to share culpability. Again, the wording is important. If they went to strange steps not to know their customers because they knew they would be criminals, then they knew and the circling around doesn't help them. If they actually thought the products were being used by normal businesses which would have a reason to want secure communications, they aren't culpable. This is the reason the trials of these companies have to be based on specific evidence from each company. There have been many companies deliberately aiding criminals and this might be one of them, but that has to be proven and just saying "they provide useful stuff that criminals used" isn't enough.
> Well, they can both be used to commit a crime.
In the US, and NATO countries, encryption exceeding a certain strength (loosely key length but it's more complicated than that) is classified either as a weapon, or as munition. Military-use only. In the US, strong encryption is regulated under ITAR, and Export Controls apply.
Selling or transmitting strong crypto to a non-friendly country will find one charged under the Trading With The Enemy Act.
In a previous job I had to deal with US Export Controls for crypto. To give you an example, GnuPG required - and still requires - US Export Control approval. We had to remove some of the crypto algorithms available in GnuPG because they were not cleared for export.
I am not talking about the crap commercial-grade encryption that is commonly found in smartphones or web browsers, and that a police department or the FBI or DHS would have no difficulty in cracking. I am talking about the kind of encryption that this Canadian fellow decided to install on mobile phones he subsequently sold to drug cartels - as it is alleged, and as he was charged and indicted.
The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations.
For the purposes of (b) it doesn't matter if one sells strong crypto to a known drug cartel boss, or to a nun. Or if he knew his customer. The culpability is the same.
If you are not a resident of the US - and something tells me you aren't - you may want to check the crypto export regulations of your own country. If your country is a NATO member, the rules for exporting and/or trafficking in crypto are exactly the same as the US rules.
Switzerland is not a NATO member and their crypto trading and export rules are stricter than the US rules.
So no, crypto is not just like a car.
You are wrong several times. Let's start with the obvious one:
"The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations."
A is covered in my original comment, short version is "more proof than that needed". For B, no, he did not violate U.S. export controls. He and his company are Canadian. The exports happened from Canada. U.S. export controls only apply to people exporting stuff from the U.S. Same with ITAR. It's a U.S. law and applies only to the U.S. Other countries have similar legislation, at times structured to be compatible, but it's not ITAR. Canada has export control legislation. Calling it ITAR and alleging that U.S. export regulations apply to Canadians makes it clear you do not understand how those laws work.
Now let's consider Canada's legislation. Actually, it's best we don't, because Canada hasn't charged anybody with breaking its export legislation, and they are the ones who would have to. But let's consider it anyway. In the list of controlled items, it originally seems somewhat damning since symmetric cryptography which works is prohibited (limit of 56 bit keys). However, there are long lists of exceptions. One of them looks like this:
"e. Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5 - Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;"
Well, the phones themselves are mass-market with hardware modifications unrelated to the cryptography. So as long as they use public algorithms, they count under this exception. Public algorithms include AES and RSA. So now, if Canada wants to charge him, they will have to identify the encryption in use. I'm guessing it's likely to be a public one, in which case they have already allowed it.
Also see this FAQ about cryptography exports. It's useful in determining what is allowed and what is not.
By the way, you'll find that no charges for breaking export controls, whether Canadian or U.S., have been filed. That's because the lawyers understand what is illegal and what isn't. They are hinging their entire case on point A, and point A is quite plausibly true. Still, it needs more proof than you have.
Have you expressed your concerns to the Belgians and the Dutch? I am sure they would be very interested.
I did not realize that Belgium and Holland were such obedient agents of Big Bad Imperialist US.
Insofar as the US is concerned, your Canadian hero and his buddy were indicted by a Grand Jury in the Southern District of California:
From the indictment:
According to the indictment, Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering. As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised.
[ ... ]
According to the indictment, Sky Global’s purpose was to create, maintain, and control a method of secure communication to facilitate the importation, exportation, and distribution of heroin, cocaine and methamphetamine into Australia, Asia, Europe, and North America, including the United States and Canada; to launder the proceeds of such drug trafficking conduct; and to obstruct investigations of drug trafficking and money laundering organizations by creating, maintaining, and controlling a system whereby Sky Global would remotely delete evidence of such activities.
Insofar as jurisdiction is concerned: trafficking drugs on US territory is a US jurisdiction concern. Using strong encryption in the process of trafficking drugs on US territory triggers ITAR, among other things.
I do not need your help on accessing ITAR regulations on strong crypto, should I ever need to consult them again (I really hope I don't because it's a very boring read).
What happened to your "crypto is just like a car" theory? What about the "Yeah, but he didn't know his services were being used by drug cartels" theory?
Is that why Eap and Herdman designed their servers such that [ ... ] messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised?
Following your theory, this would be a self-defeating move. If the operation was as innocent as you - and others here - claim it was, deleting these messages would also destroy exculpatory evidence, wouldn't it?
Are you aware that obtaining a Federal Grand Jury indictment in the US is not a single-handed one-man operation?
You have now proven my point. The indictment linked is entirely about complicity with criminal clients. What did I say about that option? I called it "plausibly true".
My complaints are about application of export law which doesn't apply outside the U.S. Is that in the indictment? No, it's not. Is it in the Dutch or Belgian reports? No, it's not. Why not? Because it does not apply. The lawyers and I agree on what charges are valid. We also agree on what's plausible. To prove it true instead of just plausible, they'll need more proof than I've seen. They probably have it. That's their job.
They are likely correct. You ... are not. They are focusing on a crime which they will have to prove. You're attacking cryptography on fallacious arguments and incorrect application of limited legislation.
Seriously, if your security endpoint is not outside your communication endpoint (e.g. if your top-secret proprietary encryption scheme runs _on_ the phone), you lose almost immediately. Why would Officer Plod and Nefarious Hacker bother to decrypt when they can just watch the keylogger in real time via a back-channel?
Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.
A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.
Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.
Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.
Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony's blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.
According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to prevent the stolen assets from being seized.
Analysis Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.
It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.
A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.
Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.
ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.
"ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."
Proposed European regulations that purport to curb child abuse by imposing mass surveillance would be a "disaster" for digital privacy and strong encryption, say cybersecurity experts.
A number of options have been put forward for lawmakers to mull that aim to encourage or ensure online service providers and messaging apps tackle the "detection, removal, and reporting of previously-known and new child sexual abuse material and grooming."
These options range from voluntary detection and reporting of child sexual abuse material (CSAM) and grooming, to legally mandating that service providers find and report such material using whatever detection technology they wish — essentially scanning all private communications and, if necessary, breaking end-to-end (E2E) encryption for everyone.
US president Joe Biden issued two directives on Wednesday aimed at ensuring the nation – and like-minded friends – remain ahead of other countries in the field of quantum computing. Especially as applied to cryptography.
The first directive, an Executive Order, creates a National Quantum Initiative Advisory Committee comprising up to 26 experts from industry, academia, and federal laboratories – all appointed by the president and under the authority of the White House. The committee is an enhancement to the National Quantum Initiative Act – a 2018 law that provides $1.2 billion and a plan for advancing quantum tech.
The other directive is a memorandum designed to promote US leadership in quantum computing while mitigating risks to cryptographic systems.
Kaspersky has found a vulnerability in the Yanluowang ransomware encryption algorithm and, as a result, released a free decryptor tool to help victims of this software nasty recover their files.
Yanluowang, named after a Chinese deity and underworld judge, is a type of ransomware that has been used against financial institutions and other firms in America, Brazil, and Turkey as well as a smaller number of organizations in Sweden and China, Kaspersky said yesterday. The Russian security shop said it found a fatal flaw in the ransomware's encryption system and those afflicted can get a free fix to restore their scrambled data.
Symantec's threat hunters uncovered this Windows ransomware strain in the fall and said unknown fiends have been using it to infect US corporations since at least August 2021.
End-to-end encryption (E2EE) has become a global flashpoint in the ongoing debate between the security of private communications versus the need of law enforcement agencies to protect the public from criminals.
The Register has written at length about this increasingly strident back-and-forth that is seeing proponents of both sides more entrenched in their beliefs.
London-based think tank the Royal United Services Institute (RUSI) released a report [PDF] this week laying out the contours of the privacy-vs-safety debate, weighing the needs and exploring possible solutions.
OpenSSH 9 is here, with updates aimed at dealing with cryptographically challenging quantum computers.
The popular open-source SSH implementation aims to provide secure communication in potentially insecure network environments. While version 9 is ostensibly focused on bug-fixing, there are some substantial changes lurking within that could catch the unwary, most notably the switch from the legacy SCP/RCP protocol to SFTP by default.
The OpenSSH group warned the change was coming earlier this year, with a deprecation notice in February's version 8.9 release. Experimental support for transfers using the SFTP protocol as a replacement for the SCP/RCP protocol turned up in version 8.7 in August 2021 with the warning: "It is intended for SFTP to become the default transfer mode in the near future."
IBM has unveiled a cloud-based key management service that should make it easier for organizations to manage encryption keys across complex multi-cloud hybrid environments, as well as on-premises.
The new support comes in the form of the Unified Key Orchestrator, a multi-cloud key management product sold as a managed service as part of IBM's Cloud Hyper Protect Crypto Services.
Many organizations have by now adopted a multi-cloud strategy, hosting workloads in the most advantageous location, whether that is in a public cloud or in the organization's own datacenter.
Biting the hand that feeds IT © 1998–2022