# FBI paid renegade developer $180k for backdoored AN0M chat app that brought down drug underworld The FBI has revealed how it managed to hoodwink the criminal underworld with its secretly backdoored AN0M encrypted chat app, leading to hundreds of arrests, the seizure of 32 tons of drugs, 250 firearms, 55 luxury cars, more than$148M, and even cocaine-filled pineapples. About 12,000 smartphones with AN0M installed were sold …

1. #### Trusting trust

Reflections on Trusting Trust should be mandatory reading for all "criminals"?

Not only software is a problem, but the hardware too. If you want some strong guarantees about the system you are using, then you must make both hardware and software yourself. At the same time, you then cross your fingers that you have not introduced any bugs.

Maybe, using an old typewriter, paper and the post-office is becoming more secure than your computing platforms. I guess you should use some kind of code. But then, OTP has a very long history and is very secure. Oh, yes, the RTT is lower, but that is compensated with the better security.

But in the end, it will be the users who make simple or stupid mistakes that cause them to be caught. That cannot be fixed with any type of technology. Or, can you already get an integrated brain replacement?

1. #### Re: Trusting trust

Or, and here I realise I am being somewhat facetious, be in a business that does not break the law?

1. #### Re: Trusting trust

Or get better lobbyists. ;-)

2. #### Re: Trusting trust

It may surprise you to learn that it is not only criminals who have a need to use secure communication, and not breaking the law is no protection against being duped with a bogus "secure" application that purports to do just that but in fact does the exact opposite.

1. #### Re: Trusting trust

You see that red triangular icon on the right side of that post? That's supposed to tell you something.

2. #### Re: Trusting trust

OTP has a very long history ... of being broken because people don't follow the rules:

1) The OTP must be generated in a truly random fashion.

2) The OTP must never be reused.

Breaking either of those rules means you end up with no security whatsoever against a determined attacker.

OTP also has the key distribution problem - you have to give the person you're talking to a copy of the OTP ahead of time, in a secure manner.

If you are disciplined enough to follow the rules, then OTP is secure.

1. #### Re: Trusting trust

And

3) The OTP must never be stolen or intercepted by the enemy.

Something that is not generally under the control of the people using it.

Which is why PK encryption is much better than OTP.

1. #### undeveloped Re: Trusting trust

If the OTP is sent on undeveloped film, it can still be intercepted -- but the recipient will know it has been

1. #### Re: undeveloped Trusting trust

Not necessarily. The original can be intercepted & developed, and then a photo taken and the new undeveloped film substituted.

3. #### Re: Trusting trust

An OTP just shifts the problem. You must first get a copy of the OTP (or bunch of OTPs) to the other person/people in a secure way prior to sending each message or group of messages. You then have no control over how securely the other person has stored that key. OTP is often cited as being the most secure form of encryption, but if the OTP is intercepted and copied during or after its delivery to the intended receiptient then the encrypted message is 100% compromised. A very big problem when the decryption OTP has to be given to many people in advance, and run the risk of having a copy stolen. Key interception is almost always a far greater risk than the probability that a modern electronic encryption algorithm can be "cracked" (at least in any reasonable length of time).

These were the very problems that PK encryption (e.g. PGP) was designed to overcome - and to this day it does so very well indeed. Every single communication using PGP, including the initial key exchanges may be intercepted with no loss of security whatsoever. What's more, nobody can use any exposed key to spoof a signed PGP message to pretend it came from someone else.

One advantage of using OTP however is that you can make a different bogus OTP that will turn the real message into something of the same length but with completely different content so that any encrypted message can, if demanded, be "decoded" to show something completely different.

1. #### Re: Trusting trust

As the right-pondians put it, "horses for courses". As you say, OTP is all about key management. Certainly, it does not "scale". But scale is not everything. In fact, I always assumed that OTPs were only ever used with two pads--and the encryption sheet was burned after use.

OTP actually works quite well for critical diplomatic communications, or instance. Especially if the diplomat is the key courier.

4. #### Re: Trusting trust

The human factor is the big one. Seems crims (and even non-crims) forget the old "under the spreading chestnut tree, I sold you and you sold me".

5. #### Re: Trusting trust

Well yeah...or use hardware that is simple and easy to test and verify. I.e. not monolithic SoCs.

2. Well gosh, I don't honestly think $180k would be enough to pay for the sheer terror and dread and paranoia it must now be like to live every moment of that snitches life. Hope they were better at hiding their identity than DPR eh? No friends, fellow devs, nobody who could be bought for like, a *lot* of money, to give some very angry people a point in the right direction? Must be sleeping easy on that not actually very substantial pile of blood money. 1. I he stays away from that world, those people, and stays clean, he stands a much better chance. He presumably will be offered a new ID. It's not like these people are bound together by honesty - their lives are full of double crosses, betrayal, and physical attacks. They'll move on to other grudges. 1. A new ID is great if that information is not also accessible by someone at the police who makes average wages. Once the politicians have had their shiny moment of glory, the security of the informant will probably not be the highest priority anymore. 2. " If he stays away from that world, those people, and stays clean, he stands a much better chance. He presumably will be offered a new ID. It's not like these people are bound together by honesty - their lives are full of double crosses, betrayal, and physical attacks. They'll move on to other grudges. " The drug gangs have a *lot* of money. At least one person, and probably several people will know who the developer is even if they have a new identity - friends, family, police employees etc. Will they all resist the temptation of lottery-win amounts of cash in return for a name & address? Or, arguably worse, give the name of a completely innocent person. To believe that all the criminals caught in such a high-profile operation will just shrug their shoulders and forgive and forget within a couple of months is, I fear, being a tad naive. Some of these people will not hestiate to kill someone just for not showing them enough "respect". 1. "We have ways to protect our folks" - FBI. 1. Yeah, about that. Ever see the real numbers about what happens with the FBI's witness protection program? No? Try for a FOI lawsuit. These organizations have comparable free resources to Russia. If he's lucky, he dies from a bunch of bullet holes. 2. Law enforcement has methods of hiding people who help them. Also, this guy wasn't known by the criminals--they just wrote code for a company which interacted with them. I'm pretty sure most of those caught recently have never heard of them. Those caught a while ago might have, but weren't told who it was. They'll likely be safe. 1. I imagine that if you were also one of the devs at Phantom Secure or especially Sky Global you'd have an idea as to who it was given we know they had also been sentenced for drug importation before. I'd also guess that there are photos of them in the public domain or at least ones that could appear in the public domain. The criminals involved don't need to actively look for that person - a chance encounter would suffice. Either way I can't see how you'd sleep easy knowing the magnitude of who you'd p*ssed off. 1. one of the devs at Phantom Secure or especially Sky Global All the crims need is someone on the inside in HR in those companies, and a tip-off when a dev leaves or is "sacked"... 1. I imagine that every one of the former developers from Phantom Secure or Sky Global will be wanting a new identity and protection. Crooks have been known to mistake other people's identities before, and also get quite 'assertive' with questioning techniques when asking 'who was it who put the backdoor into our communications?' or similar questions. 1. #### Well too bad for them These are people who made a choice to work on a product they KNEW was expressly designed to be used by criminals - some of whom undoubtedly did a lot worse than just smuggling drugs, i.e. human trafficking, murder for hire, etc. As far as I'm concerned, if some of them are mistakenly killed by gangs who think they were the informant, good riddance. 2. #### Mystery dev Ex-Phantom Secure. Working for Sky Global. Track record in designing "secure" messaging software. Had a criminal record after having done 6 years for importing illegal drugs. How hard is it to search court reports in the US? That last fact is likely to narrow the search field pretty dramatically. 1. #### Re: Mystery dev If they can protect KGB defectors, they can protect this guy, too. The guy must keep a low profile, though. No facebooking, Instagramming etc. 1. #### Re: Mystery dev The UK hasn't been very good at protecting Russian defectors from Putin recently... and how do we know that the US has protected defectors successfully? They are hardly likely to admit they screed up protecting a defector and there's so much gun crime over there, who'd notice a few more murders!!! 2. #### Re: Mystery dev The security services exist in no small part so that governments can mess with each other without going to war. I expect that there is a general "understanding" that defectors, once they have spilled the beans, are to keep a low profile, and if so, are generally left alone. It's similar to the way that we don't try to assassinate their leaders & they don't try to do ours either. Russia appears NOT to be playing by the rules regarding wet work, and it appears that the security services are furious about it. Tit-for-tat would fix it, in a hurry, but we don't seem to want to go there. That balance works quite differently for organized crime. Tracking down & snuffing a stoolie doesn't generate the same kind of blowback. 2. #### Re: Mystery dev Provided the 'profile' released as to criminal record is true. If untrue a big red herring to mislead the chase. Anonymous as current ID not that I previously used. 3. #### Re: Mystery dev If that information about his history is accurate. 3. Assume you happen to know who developed the code - maybe you worked in the same company and heard about it via the office grapevine, or a fellow computer geek told you what they were working on when it was still in the conceptual stages. Then assume that someone offers you £100 million for that person's name. 1. Day three: assume an army of grim looking, short-haired men in half-civil outfits showing up on your walk to work. Making you shut up. 4. Well first up, i'm pretty certain the story of who the informer is/was is likely to be a fabrication. 1. #### Fabrication? Too bad about the totally unconnected person who happens to fit that profile. 1. #### Re: Fabrication? I think this is unlikely. Could someone find out who this is through extremely dogged research of several companies' files (not public), interviewing people in prison, tracking financial payments, and finally identifying someone with sufficient information to give up the new identity of the person they've identified? Maybe. It would take a while and it's not as easy as people here seem to think it is, but it could be done. I don't think that criminal organizations' petulance will rise to that level of interest when they could already be planning to assassinate the much more easily identified FBI and AFP personnel who did a lot more. Yet often they don't bother to spend the resources on killing those people because doing so carries no benefit--those people have already done what they didn't like and someone would replace them--and it also carries cost and risk. 1. #### Re: Fabrication? Don't rule out spite. 3. This post has been deleted by its author 4. His choice was to go to jail, get his ass pounded to pulp by some animal and maybe get stabbed anyway or take the FBI’s money and walk away to a new identity. Will probably end up working as a sys admin for a city council in Nowhere Alberta. I know what choice I’d make. 1. The risk of stabbing? I mean, if the alternative is Alberta... 5.$180k plus "reduce any future punishment potentially coming their way"

6. Even if the ploy was running out of time there's no excuse for publicising it like this. Far better to have said "brilliant operation by our agents to break into what was a secure system" etc. In the mean time set the guy up producing the next generation product.

Unless, of course it was really a break in and the dev being thrown to the wolves was singularly uncooperative and they're taking revenge.

1. Maybe the intent is to sow doubt about all their communications. If no communications channel can be trusted then that will hamper their ability to coordinate

1. ... or the crims will "do it properly" from now on.

So it could end up being counter-productive.

7. Not sure why the downvotes. There must be a lot of people very angry at the person who created the bogus app, and who will be offering a lot of money for their identity.

So if that person was sensible, they would indeed be very frightened by now.

1. Did you ever figure the FBI could protect defectors from much more dangerous orgs ?

Do you know their headcount ?

3. Evil people are always amazed that good people can be clever.

1. And the good people are often stunned that evil people can also be stupid.

The evil mastermind controlling the puppet strings from afar is a common thread in movies, but I'm pretty sure the reality is that most master criminals are more brawn than brain. Good at manipulation of people, but not great strategic minds

1. With this sting operation the police only caught the low hanging fruit.

It'll be used to crack down on private encrypted communications for regular citizens.

1. #### see what we can do

When we have the back door wedged open?

Loooooook! Many busted criminals!!! Look, look, look, backdoors all over right now!!!!!! Doo eeet!

You have it in one Kabookie

2. hammarbtyp: "I'm pretty sure the reality is that most master criminals are more brawn than brain"

You're probably right, but it depends on your definition of "master criminal". Some would claim that many criminals exist in the financial services industry, Bernie Madoff is an example that springs to mind, then there were the ENRON high-ups, and of course Ernest Saunders who was convicted of manipulating the share price of his company (and is the only known person to recover from senile dementia after he left prison).

Maybe it is the thick ones who tend to get caught.

1. Bernie was a rookie. Look for Richard Fuld. He knew all the machinations had to go through lawyers.

He got a career in finance after hitting his commanding officer in the face.

Still living in his country castle. Not a day jail, as far as I know. Maybe three days in the air force...

2. I'd guess that criminals follow the same intelligence bell curve as the general population, but that it tends to be the stupid ones that get caught.

After all, just look how many unsolved crimes there are.

1. #### Criminal Intelligence

If you look at the earnings of most criminals they would have more money doing honest work. And if they were pretty clever they could probably make a lot more without breaking laws.

1. #### Re: Criminal Intelligence

I know that there is a lot of spread, but in organized crime, they go through eye-watering amounts of money. I got this from personal communications plus what I know about the Al Capone era. It's "Gangster's Paradise"--live fast, die young. They blow money like mad because they don't have anything to live for, and no expectation to live that long.

4. #### A job well done

This is a great job by law enforcement in many countries and demonstrates the usefulness of thought-out targeted attacks as a method of identifying and tracking criminals. I applaud those who did this and I hope they're able to continue solving crimes like this. If we needed extra points to prove why encryption and security aren't the enemy, this is an excellent one. By hard work and actual policing, the FBI and its friends have done a much better job than they could ever hope to do by mass surveillance.

1. #### Re: A job well done

I disagree. The actual police work was well done, but all the blabbing about how it was done was kind of dumb. If the setup works that well, why not keep on using it?

1. #### Re: A job well done

"why not keep on using it?"

Simply because it would become fairly obvious that the system was compromised if people using it kept getting arrested. Gather the evidence, strike while the iron is hot.

Of course, they're just playing whack a mole and more criminals will pop up to fill the vacuum in the market. It is money we are talking about after all. The world isn't short of criminals.

1. #### Re: A job well done

The uncertainty fear, and paranoia would cause the crims to explore a number of theories about why they keep getting busted. They wouldn't trust each other and it would really slow down their activities. So I don't know why it was revealed how they did it, unless there is another goal by doing so.

2. #### Re: A job well done

Besides the authorization expiring in various jurisdictions? The answer is in the last sentence of the article: To get the users of such methods to question its safety, to reduce trust between groups, and show off the danger of assuming you're protected from eavesdropping.

I'm sure there will be other methods, and some groups might have enough capital to employ their own developers and device makers to keep things relatively safe. But by also co-opting one such dev, law enforcement demonstrates they can make it lucrative to sell out your employers....

3. #### Re: A job well done

They usually do NOT do dumb things. Also, where does the fish smell come from ?

4. #### Re: A job well done

I agree, when the UK cracked ENIGMA in WWII, we didn't blab until 1976 or something.

1. #### Re: A job well done

And between the end of WW2 & the revelation, we sold them to embassies around the world, telling people how secure and unbreakable they were… sound familiar?

5. #### Stupid cops

Advertising your means of capture ruins it. The crims, and there is an infinite supply of them, will switch to another method, and the cops will *follow* as usual. Well, it keeps the boys busy.

Better idea, legalize all "drugs" (as in Portugal), as we already do with alcohol and tobacco, and make the serious ones prescription only.

The drug trade collapses, prices crash, lives are saved, and the cops can get more exercise beating up protesters. Win-win.

1. #### Re: Stupid cops

The crims, and there is an infinite supply of them, will switch to another method, and the cops will *follow* as usual.

It appears from the story that they did indeed switch - from one taken down secure phone/app to another.

I doubt they'll learn as they effectively paid to be imprisoned this time ($1700 per handset). This is where the techno ignorance of the masses pays dividends. 2. #### Re: Stupid cops At some point, the jig has to be up. The criminals will eventually begin to suspect they're being surveilled, as their operations are taken apart and their associates arrested. My expectation is that either that point wasn't far off, and/or LEO decided it had enough information and couldn't let them remain free any longer. A system like this would also have given them an intimate understanding of the criminal networks and which members were the important ones. 1. #### Re: Stupid cops There are two methods that as I understand are already used to deal with this. The first is that you let people get away with things for a set time period and then simultaneously arrest everybody at the same time. The second is that you use the data gathered to mount "random" searches that happen to catch things which can be written down to "bad luck" by the criminals on the receiving end. I'd imagine that they were going with the second option until the article that said "um, I think this is an FBI plant guys because of X technical reasons" started getting around and the network started going quiet, at which point they nicked the lot of them. I'd have been inclined to have kept quiet about the success though and seen if I could replicate it again, but presumably the criminals are so traumatised by this that the only people in the dark were the general public. 1. #### Re: Stupid cops There is a decision to be made when a law enforcement officer has conclusive evidence that a crime is about to be committed. They can allow it to go ahead or try to stop it. This may depend on the crime. Import of tonnes of hard drugs for distribution would be hard to justify based on the amount of harm it would do (the UK fought the opium war against China to supply heroin to Chinese peasants). And of course when you have definite knowledge that a person is about to be murdered, there is always the option of stopping it and asking the potential victim if he or she has anything they might like to say that would help law enforcement put the aggressors behind bars for a very long time. The film 'Goodfellas' (SPOILER ALERT) is based on the fact that the guy who ratted on his former colleagues was about to be killed by them. (\end SPOILER ALERT) Eventually the eavesdropping would become evident, but this way either the FBI / Australians already have a replacement ready or are hoping that any new system developed by actual criminals will be treated with great suspicion. 2. #### Re: Stupid cops The more cops around the world that became aware of this, the higher the chances that one of them would be bent and would leak, either to a criminal, or the press (or to someone 'in confidence', who then tells someone else, who talks about it in a pub, etc. etc.). Or eventually it would come out in court. This was always going to be a limited opportunity to get as much evidence as possible before they had to reveal its source. 3. #### Re: Stupid cops All very good points. An ABC article about the Australian side of the operation included the following statement from the AFP commissioner: ...legal authorities prevented the app from being used covertly for a longer time frame. There's probably also an element of risk aversion in the decision. If they know a murder is going to occur but don't prevent it, for example, I'll bet serious questions are going to be asked in parliament, especially if it was an innocent bystander. 3. #### Re: Stupid cops Almost certainly, this backdoor was already blown, so they let it become propeganda. Even dumb criminals can put together sitrep as to what might be going on if shipment after shipment is suddenly intercepted when it was not before. 1. #### Re: Stupid cops Yes, reportedly a security researcher had actually already found earlier this year that ANOM is broken and BCC:s everything, although he did not know law enforcement was using the backdoor. His pages about it got taken down quickly... This must have been one sign that the secret could not be maintained much longer. 4. #### Re: Stupid cops @jgarbo Sure, legalise all drugs. See what that does to people's driving. Then let the cops focus on motoring offences rather than real crime. But not where I live, please. 1. #### Re: Stupid cops "See what that does to people's driving." Given the way people drive where I live, I rather imagine that access to drugs might actually improve things. It's illegal to drink, to text, to get doped up, yet it's not an unusual occurrence for some twat to hook me for daring to do 30 in a 30 zone, whizz around me at twice that, weave all over the road, and it's a real surprise that the roads aren't littered with wreckage and dead children. That's the sucky part of living rural. Open roads, psycho drivers, and too few Gendarmes. 2. #### Re: Stupid cops Driving already kills a lot more people than "real crime", but people still whine "why aren't you going after real criminals?" when they're booked for breaking the law in their cars. 3. #### Re: Stupid cops "Sure, legalise all drugs. See what that does to people's driving. Then let the cops focus on motoring offences rather than real crime." On the basis that motoring offences generally affect more people than what you consider to be "real" crime... I think you might have your priorities mixed. 5. #### Re: Stupid cops Drugs are not legal in Portugal. Distribution is criminal, possession for own use is not. There are a lot of deliveries over the beaches, or to fishermen at sea. Probably pays better than sardines, and there’s no season 6. #### What method will they switch to? The release of the info about how this was done would destroy criminal's trust in companies that provide secure communications gear, since one of the biggest names had been infiltrated by the FBI. How do they know others weren't infiltrated in a similar way? That will have to be on their mind when they are shopping around for a replacement, and they will have no idea who or what to trust - just because a company has been around seemingly providing secure services for years is no guarantee that it hasn't ALSO been infiltrated and bugged. 6. #### No cure for stupidity...no cure for not reading the news!! Quote: "Operation Trojan Shield has shattered any confidence the criminals may have in the use of hardened encrypted devices," Grossman concluded. * "Criminals" have the same access to news media as everyone else. I'm thinking about the crap about "backdoors", about compromised Cisco equipment, about NSA compromising encryption standards, about Edward Snowden, about Proton Mail...............really a DELUGE of public reporting with a single repeating theme: - There is a fair chance that ANY service supplied as a "black box" by ANY supplier will be compromised. How hard can this be to understand? So the next step for anyone interested in keeping their affairs private is to implement their own communication tools. I believe the terms are "white box" and "do-it-yourself". I guess next year's hot news will be the discovery of a criminal communications network which can't be broken into....let's call it TOR2. With billions of dollars available from the drug trade and some vision and some determination.......TOR2 shouldn't be too long coming. P.S. Some of us honest citizens would also like some privacy. Just saying! P.P.S. Reading recommendation -- Applied Cryptography, Bruce Schneier, 2001 and 2021 1. #### Re: No cure for stupidity...no cure for not reading the news!! YouTube: Ron White, "No Cure For Stupid!"....recommended!!!! 7. #### Just think and consider for a moment ... What if you were to replace the words "suspected criminal" with "suspected journalist" or "suspected activist" or "suspected member of the opposition"? What place would you be in? Nothing to Hide, Nothing to Fear. Ask yourself, have the authoritiies been acting as Agent Provacateurs, encouraging alleged crimes that might not have otherwise taken place, but for the communication system that they have provided? 1. #### Re: Just think and consider for a moment ... I fully agree with the initial sentiments which are quite scary. However an Agent Provacateur would have to encourage a crime, not just allow it to take place. On the face of it, the authorities "tapped" a piece of hardware/software, already in late development, and allowed it to be distributed, sold and used as it was designed to be - which is why the belief in the system continued. It's really no different to introducing the ability to tap a voice call or intercept an email detailing potential criminal activity whilst still allowing phones and email systems to exist. 1. #### Re: Just think and consider for a moment ... I disagree that it's no different. If I get buy a secure service or device to share naugthy stuff with my wife, I don't expect the police to be watching along. What was the percentage of people who used ANOM and were NOT engaging in criminal activity? 1. #### Re: Just think and consider for a moment ... Zero, it's not something you could buy, as the article says; it was supplied by criminals exclusively to other criminals. 1. #### Re: Just think and consider for a moment ... " Zero, it's not something you could buy, as the article says; it was supplied by criminals exclusively to other criminals. " Realistically, how likely is that to be true? The only products that are sold exclusively to criminals are things that could *only* conceivably be used to commit a crime. And I would hope you agree that an encrypted messaging application is not one. 2. #### Re: Just think and consider for a moment ... That seems to be untrue, as stated above, a security researcher analysed a device and found the bcc'ing. 2. #### Re: Just think and consider for a moment ... "What was the percentage of people who used ANOM and were NOT engaging in criminal activity?" According to the article - zero. Unless, of course, there were more messages over and above the 100% which were criminal. 1. #### Re: Just think and consider for a moment ... So Guilty until proven Innocent then? 2. #### Re: Just think and consider for a moment ... Zero, according to the police. It might even be true, but the police would say that regardless. Or maybe they're assuming that there are so many laws that no one can go through the day without violating at least one of them. 3. #### Re: Just think and consider for a moment ... I wondered about that. Would there really not be discussion of sports events or wishing the Godfather a happy birthday? But then... if you're a practising criminal... maybe you make a point of discussing football etc on public media instead because it's suspicious if you don't. Or, maybe all of the sport also is a criminal enterprise. A lot of it's dirty. Even violent. I think I heard if you get on the wrong side of some football clubs they take your knees. 2. #### Re: Just think and consider for a moment ... Mostly I agree with the downvotes you're received, however, in TFA: "Grossman also announced Uncle Sam had indicted 17 suspects on RICO charges relating to the use and marketing of the AN0M handsets. Most of these people are said to be distributors, though the prosecutor said three were administrators who helped run the service." So they're being charged for distributing/running the handsets that the FBI etc. used to gather intelligence. If they'd not done so then the FBI would have had to find another way to get crims to start using the phones. That sounds a bit like entrapment, and I'm sure some of their lawyers will be claiming that their clients didn't know that their service was being used for crimes. 1. #### Re: Just think and consider for a moment ... "So they're being charged for distributing/running the handsets that the FBI etc. used to gather intelligence." While this could theoretically be entrapment if the FBI's agents were particularly connected to them, I'm guessing most if not all of those people were distributing the equipment after getting it from others. If the FBI didn't sell them directly to the distributors, they couldn't have suggested it. 8. #### It's all about timing The operation appears to be terminated now that the cover is blown. There is probably a reason why the time is now instead of letting it continue. I suspect that something big was being planned by the crims which had to be stopped at the expense of blowing the cover. At least the police will have plenty of leads to follow up with. So what will be the next tool for the law enforcers? 1. #### Re: It's all about timing There is probably a reason why the time is now instead of letting it continue. The original ElReg article said that the legal permissions they had to run the sting were time-limited, and reaching their end, so it was time to use the info gathered & start the round up. 1. #### Re: It's all about timing Indeed. I was about to say that publicising this little coup was a bad move because it would have warned the crooks that their channel of communication had been blown. Pity, but I understand the reasons. 1. #### Re: It's all about timing The sting would be exposed as soon as the court cases start. The prosecution have to provide not only the evidence of the criminal acts, but in many countries the basis on which they conducted the arrests. Where the basis for scores of arrests came from a single source, that source would inevitably have to be revealed. 9. #### Huh? Not one member of any group using this device vetted it? 1. #### Re: Huh? In March "canyouguess67" posted on WordPress that ANOM was a "scam" and that a device he had tested was "in constant contact with" Google servers and relayed data to non-secure servers in Australia and the United States. "I was quite concerned to see the amount of IP addresses relating to many corporations within the 5 eyes Governments (Australia, USA, Canada, UK, NZ who share information with one another)," the post said before it was deleted. 1. #### Re: Huh? If they also sent comms to random Chinese IPs then nobody would suspect a thing. 2. #### Re: Huh? Interestingly there was a reference to canyouguess67 on the wikipedia page about this, but it got deleted. You can still read it in the wikipedia page history though. So it seems that the redacting is still going on. 1. #### Can you guess who it is yet? Worth a read, https://anomexposed.wordpress.com/2021/06/10/an0m-exposed/ 10. I hope this developer will be under a protection program, or else his remains may be found scattered puzzle-style... 11. #### FBI paid renegade developer$180k

does he have to declare it, re. IR? ;)

1. #### Re: FBI paid renegade developer $180k Not sure they had much of a choice. 12. #### Coventry Scenario? I'm wondering if law enforcement had any potential "Coventry Scenarios"* whereby they couldn't intervene in a potential murder because it would have made it obvious there was a leak in the system somewhere? * In WWII intelligence about upcoming air raids and U-boats, gleaned from Enigma decrypts, was not always acted upon to ensure the news that Enigma encryption was broken did not become apparent. 1. #### Re: Coventry Scenario? The earlier Reg article suggested that an upcoming murder of a family of five they had to prevent was one reason they stopped the project now. Although I suspect that any individual criminal act being foiled would not, by itself, have stopped them continuing: informants, and deliberate inter-gang tipoffs, are probably a fact of life for these gangs. 2. #### Re: Coventry Scenario? AFAIK there was strong intelligence that a massive air raid was planned, but the actual target was not known. It turned out to be Coventry, but could have been another UK city. By the time the true target was evident, it was too late to take precautions. A bit of family history: It seems that my German grandfather, who escaped from NAZI Germany with his family and joined the British Army (he was not a fan of the NAZIs) was wounded fighting in France, evacuated and was operated on in Coventry the night of the raid. He remembered the doors of the operating theatre being blown open by a bomb blast. After the op the nurse asked what give him, the surgeon said whatever he likes, he's not going to make it. So he asked for warm milk with honey, and survived :-) 1. #### Re: Coventry Scenario? Yes. The idea that PM Churchill knew about the target and did nothing was a lie concocted by his political enemies. First-person accounts of that evening contradict the claim. 1. #### Re: Coventry Scenario? It was mainly Hitler I'd suppose? 13. #### Shades of Bletchley Park I wonder how often they had information about an upcoming crime and decided to do nothing about it to not jeopardize the operation. 1. #### Re: Shades of Bletchley Park A very good point -- there must be a tipping point when you know there is a rat because everything is going titsup -- i.e. time to get out of Dodge . Maybe that is an other reason for them pulling the plug and rounding everyone up. 2. #### Re: Shades of Bletchley Park I expect quite a few. You don't bust up every numbers game in town just because you can. The article mentions a number of >one ton cocaine shipments that failed, however. 14. #### War on drugs We're all against drugs destroying people's lives, including those of us who believe in legalization and decriminalization, so it would be good to avoid comments like "sure, legalise all drugs and see what happens" Surely those who support the War on Drugs either: a) are making money out of it b) believe it can eventually be won c) ... I can't think of anything else but am open to suggestions I used to believe (b) and now I don't. It's taken me a couple of decades or so, so I'm not demanding anyone changes their mind immediately! But I'd like those people here who believe (b) to tell me how much longer we should give it and perhaps any indications at all that we are making progress towards an eventual victory. 1. #### Re: War on drugs For clarification, I don't personally use drugs - I'm old enough that 'standing up really fast' usually suffices for a head trip. 2. #### Re: War on drugs There is a big error in viewing b) as the goal. The goal is not to "win". I seriously doubt anyone with even the most basic understanding of economics or human nature believes that it can be "won". (The later includes >99% of winning politicians, by the way.) The goal is to minimize societal harm. On the one hand, if you have these substances freely available, you do eliminate one category of crime. Of course, if you look at what's happening in Vancouver BC, you see that another sort of crime (theft) skyrockets as the users of these substances are unwilling to limit their consumption to what they can afford by working, paying rent, and etc. Also, the cost to our medical system to deal with bad effects of taking the drugs, and of a decidedly unhealthy approach to life generally. Surely I'm not the only person to have a family member consumed by alcohol. Despite the claims of some, most of these drugs are in fact worse. (And, we've not had thousands of years of selection pressure to develop resistance.) What to do? We settled, more or less, on allowing alcohol & tobacco and criminalizing the rest. We're now moving (strongly) towards legalizing weed. We're also seeing a lot of ER cases with previously unknown weed-related issues. There is no good, simple answer. I'm not even certain that there is a good one. 1. #### Re: War on drugs The goal is not to "win" ... The goal is to minimize societal harm But I remain to be convinced that the War on Drugs is doing anything but increasing societal harm. Framing it as a War is leading to escalation on both sides and serious issues like militarisation of policing and loss of support and respect for law and policing in general. As John suggested, the term "war" implies there is an end and it implies that there is an answer: "win the war". There is no War on drugs -- there is a serious societal problem with abuse of drugs that needs to be ameliorated. It requires grown-up, serious, long-term work in society to solve. It can't be solved by throwing guns and soldiers (pretending to be police) at it. 2. #### Re: War on drugs If you look at the facts, you must surely come to the conclusion that the prohibition of drugs causes more harm to society than the drugs themselves cause. Most people can see that the prohibition of alcohol in the USA did far more harm than good. Why folk cannot see that exactly the same is true of other recreational drugs is a mystery to me. Just for a start, legalising drugs would de-fund much of organised crime, which would then reduce the amount of other illegal activity those crime syndicates carry out. 15. #### Excellent Value for Money Obviously the total operational costs for the law enforcement agencies will run into the millions - but the fee paid to the dev - given the results, seems incredibly good value. 16. #### Trojan Shield? Wasn't Trojan a classic brand of American condoms? So obviously, you could call one a shield, but I can't see where the analogy is going... 1. #### Re: Trojan Shield? You need to read up on the classics. Trojan war, and the wooden horse the Greeks used to gain access to Troy. 17. #### Legal redress for the crims? Just wondering if they can sue the feds for flogging them something that's not as described. 1. #### Re: Legal redress for the crims? They can try, but the devices weren't sold directly to them by the feds. 1. #### Re: Legal redress for the crims? I wonder what the really small print in the licence agreement says. I mean if it is anything like the Apple or MicroSoft EULAs* there is no chance that the criminals actually read the whole thing through. *Sorry to offend any Apple or MicroSoft fans out there but does anyone actually read the EULA all the way through these days? 70 plus pages is a lot to digest in one go. 18. #### Drugs versus Gambling If law was truly based on reducing social harm then online gambling ought to be just as illegal as drugs, but it's not, and gambling firms make huge amounts of money from promoting addiction. The war on drugs is a moral crusade - I am not a homosexual therefore all homosexuals are depraved deviants - similarly, drinkers, non-churchgoers, golfers, queen fans, and anyone else indulging in my list of petty hates. I don't see how taking drugs, consenting adults acting in private, should be a criminal matter - surely criminality has to include intentional or reckless harm to others? Sure, there would be public health penalties if drugs were legalised, as there are with horse riding, motorbikes, mountain climbing, alcohol, food, and worse of all, gambling. I don't have an easy answer, legalised consumption but illegal supply chain, as in Portugal, is fundamentally conflicted - and does not take the money out of the criminal empires that kill thousands every year. I don't see that the current approach will ever succeed, like prohibition you cannot stop people "getting off" on stuff, it is a universal human trait - across all cultures - right down to little children spinning round till they get dizzy and fall over. 19. #### Can we hire more of them? How come they can develop this for the price of half a man-year of developer while a simple govt payroll system ends up costing$3bn, is years late and doesn't work.

Can we use drug dealers for all govt IT projects instead of Crapita / Fujitsu / IBM?

20. Reminds me - time to watch The Wire again....

21. #### Cat and mouse game

[i]"Operation Trojan Shield has shattered any confidence the criminals may have in the use of hardened encrypted devices," Grossman concluded.[/i]

What will happen is that in future some richer criminals will pay to have the phones pentested before they put faith in to them. Simply seeing traffic going to a few different IP addresses and the amount of data being similar or more than any message or image sent would have set of alarm bells in this case.

1. #### Re: Cat and mouse game

Criminals will have to use open source security products like the rest of us - rather than buying them from criminals

2. #### Re: Cat and mouse game

What will happen is that in future some richer criminals will pay to have the phones pentested before they put faith in to them. Simply seeing traffic going to a few different IP addresses and the amount of data being similar or more than any message or image sent would have set of alarm bells in this case.

So the next set of phones will wait for a while before sending the data to the law enforcement organisations. It is just a matter of determining how long that pentest will take. Alternatively, all messages can go through one central server, which will do the duplicating, no need to send duplicate data.

22. #### evidence and intelligence

I suspect a lot of the trials outside the US will fail, due to "illegal" means to obtain evidence.

While ASD (Australian Signals Directorate) would have done most of the intercepts betwixt and between Aus and USA, other third-countries (likely Netherlands, comparable to earlier cases) will contribute their own intercepts. These would have been collected as "national intelligence", meaning ordinary court orders are not applicable or not required because it is not a police (law enforcement) agency doing the intercepts. The intercepts are delivered to the country of interest as part of MLAT.

But.

Lawyers for the defence would demand to cross-examine the collection personnel, who are (a) foreign and (b) unavailable and (c) subject to secrecy laws of their own government. Without a witness to support the electronic evidence, the case could well be tossed out.

In the US, of course, prosecutors will threaten life in prison for possession of an encrypted phone, and most of the accused will plead rather than risk a ridiculous sentence. 99% conviction rate speaks for itself.

1. #### Re: evidence and intelligence

I think that a lot of the prosecutions will rely on capturing the suspects in possession of illegal firearms, illegal drugs or maybe illegal images (such as child pornography) or stolen items. There will be no need to bring in how the law enforcement authorities knew these people had these illegal things in their possession.

And, of course, some will be stitched up by their intended victims, who will plea bargain going 'states evidence' for a much reduced to non-existent prison term, especially after seeing the messages of the arrangements for their own murders. Then of course there will be the trail to the canning factory which put drugs inside Tuna cans and pineapples, which will no doubt still have considerable forensic evidence of those activities.

Generally when Covert Human Intelligence Source (CHIS in the UK) is used, I believe that the police wait until there is enough hard evidence to arrest and convict the offenders rather than rely on their friend in low places. Alfie Moore, the Humberside sergeant who does a stand up routine describes one CHIS he managed as being so scared of the crime he was supposed to be committing that he was very relieved when Sgt. Moore arrested him for driving while disqualified, meaning he was not available as getaway driver for the proposed ram-raid that evening.

23. #### Notably missing: Anyting from Mexico or China

I would have thought that if there had been significant penetration of gangs importing to the US from either China or Mexico, that the FBI would have talked about that. <sigh>

24. #### Makes me think about a police Lt I knew...

...I asked him about some of our local organized criminals and whether they would walk sometimes when everyone knew they are dirty. His answer was along the lines of:

'Hell yeah! But you kiss them goodbye. Say, "You know what, buddy? You're right - we can't keep you. But I will make abso-fucking-lutely certain every swinging dick on the street know how HELPFUL you've been to me. Have a nice life, if you can. GTFO."

I wonder if some admin was less than forthcoming and his "cooperation" is overrated. Pour encourager les autres.

25. #### Pineapple on pizza

Is always an abomination, cocaine or not.

It needed saying. So I said it.

Whilst coke in pineapples sounds like the real thing, and 'designed by criminals for criminals' has a lot of marketing charm, this snatch was not good police-work but just gangsterism wearing badges. First they lean on one bad guy, not only making him promises of leniency but paying him hard cash--taxable? Not on your life.

Doesn't sound like honest busts to me. This was just trickery.

## POST COMMENT House rules

Not a member of The Register? Create a new account here.