Eurocops shut down Exclu encrypted messaging app, arrest dozens

An encrypted messaging service that has been on law enforcement's radar since a 2019 raid on an old NATO bunker has been shut down after a sweeping series of raids across Europe last week. In a search of 79 properties in Germany, The Netherlands, Belgium and Poland last Friday, authorities in those four countries arrested 48 …

  1. Korev Silver badge
    Joke

    Exclu made it possible to exchange messages, photos, notes and other communications with users, of which Dutch police said there were around 3,000 prior to the service's seizure, 750 of whom were Dutch speakers.

    If they'd have spoken Double Dutch then there would have been no need for the encryption...

    1. Hans Neeson-Bumpsadese Silver badge
      Joke

      If they'd have spoken Double Dutch then there would have been no need for the encryption...

      You could say that they could just skip it

      1. NoneSuch Silver badge
        Devil

        We Have Freedom of Speech

        and governments want to know what you said, when, and who else was in the room. That's all.

        Because governments ALWAYS have your best interests at heart.

    2. Jedit Silver badge
      Joke

      "If they'd have spoken Double Dutch then there would have been no need for the encryption..."

      You're tilting at windmills again.

    3. StrangerHereMyself Silver badge

      Or Denglish.

  2. Anonymous Coward
    Anonymous Coward

    Network Service == Single Point Of Failure!

    Quote: "...gave them the data needed to decrypt Exclu's services..."

    Quote: "... forcing a backdoor into such services was necessary..."

    Yup.....there's a warning there to anyone using network service based communication (you know, Proton, Telegram, WhatsApp and so on). The service is a single point of failure.

    Now...there are other, somewhat less insecure methods of communication. My favourite is using a peer-to-peer application which does the encryption and decryption. The messaging can be vanilla email. The software only exists on the end point devices -- no network service out there for snoops to hack. Other benefits include the complete absence of persistent keys. In fact, every message can be crafted with a different, random key (or set of keys, for those using multiple encryption passes).

    Oh....and notice that the users control their own communications.....one peer at a time! What a concept! Actual "edge computing"!!!!

    1. elsergiovolador Silver badge

      Re: Network Service == Single Point Of Failure!

      Now...there are other, somewhat less insecure methods of communication. My favourite is using a peer-to-peer application which does the encryption and decryption. The messaging can be vanilla email. The software only exists on the end point devices -- no network service out there for snoops to hack. Other benefits include the complete absence of persistent keys. In fact, every message can be crafted with a different, random key (or set of keys, for those using multiple encryption passes).

      Now that's the way to get maths banned.

      1. Frank Bitterlich

        Re: Network Service == Single Point Of Failure!

        Now that's the way to get maths banned.

        I think they tried that in Australia, but it didn't work. To quote Mr. Malcolm Turnbull:

        "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

        The right way to go is not to outlaw mathematics, but to issue an Interpol Red Notice for it.

        1. G40

          Re: Network Service == Single Point Of Failure!

          Is that a real quote? Well spotted!

    2. JulieM Silver badge

      Re: Network Service == Single Point Of Failure!

      Ordinary SMS using a one-time pad (handwritten on a packet of Rizla papers, in a private meeting with nobody else present save your intended correspondent) is about as secure as you can get. The plaintext need never exist anywhere in electronic form. Changing the key for each character of the message renders all possible plaintexts equally plausible.

      1. elsergiovolador Silver badge

        Re: Network Service == Single Point Of Failure!

        They'll just tack this onto Communications Act 2003

        127 Improper use of public electronic communications network

        (1)A person is guilty of an offence if he—

        (3) sends message that contains random characters.

        1. Anonymous Coward
          Anonymous Coward

          "random characters"........I think we need a definition!

          @elsergiovolador

          Quote: "...message that contains random characters..."

          So....does "elsergiovolador" count as "random characters"?

          So....do base64 attachments count as "random characters"?

          So....do the random emissions of the Tory press count as "random characters"?

          ....I think we should be told!!!!

          1. Anonymous Coward
            Anonymous Coward

            Re: "random characters"........I think we need a definition!

            Well, it would be one way to stop Boris sexting, I guess. It's not all bad.

            :)

          2. FrogsAndChips Silver badge

            Re: "random characters"........I think we need a definition!

            What about "covfefe"?

        2. Anonymous Coward
          Anonymous Coward

          About those "random characters".....who gets to judge?

          This is base64 stuff. Anyone can find out what the text says:

          On the other hand, this is encrypted stuff...as it happens, the message is the same message as in the base64 above:

          To the untrained eye, they look very similar, n'est ce pas?

          So who gets to say one is "bad" and the other is "good"?

          I think we should be told!!!

        3. Anonymous Coward
          Anonymous Coward

          Re: Network Service == Single Point Of Failure!

          There are a number of modern and classical steganographic ways around that. The simplest is that the 3rd, 1st, 4th, 1st, etc word in the letter are the real message, but takes some skill with writing to make it non-obvious. The other one is that if you use the words "pension", "pessary" and "Covington", in that particular order, there is a corresponding message in the code book. And then we have all the modern computer based ways to hide a text inside an image.

          Maybe there is information in what kind of headgear I wear and hold in my left hand on my instagram page? It will not be trivial to find out!

          1. JulieM Silver badge

            Re: Network Service == Single Point Of Failure!

            I now have visions of somebody being briefed they need to ask a busker whether or not they know any Malvina Reynolds songs, to find out the correct order in which to press a blue button, a pink button, a green button and a yellow button (OK, the yellow one would always be last, obviously .....)

            Knowing my luck, there would happen to be a Seekers fan convention in town, everybody with an instrument in their hand would be only too pleased to sing me all four verses of "Morning Town Ride" and I would run out of change before coming anywhere near the real contact .....

      2. Graham Cobb Silver badge

        Re: Network Service == Single Point Of Failure!

        One-time pads turn out to be not really as secure as one might think. They are very difficult to use properly. For example, you have to make sure the mapping really is random: you can't use a book, for example, as a one-time pad as the distribution of letters (and common pairs and triples) in a book is heavily biased (e occurs much more often than anything else, for example). You also have to make sure they really are one-time: if anyone accidentally uses the same sequence twice, or two people use the same pad, then it is easy to decode.

        I have just read "The Woman Who Smashed Codes", about Elizebeth Friedman, the astounding early 20th century American cryptanalyst, who even broke Enigma at the same time as Bletchley were doing it, without having their level of technology. But some of the most interesting parts of the book are her pre-war experience breaking codes used by booze smugglers using manual codes which they, and everyone else at the time, thought were unbreakable. It was her insight that how you used the codes was as much a part of their security as the encryption process itself.
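The two one-time-pad properties discussed in the comments above (every plaintext of the right length is equally plausible under a fresh pad, and reusing a pad undoes that) can be checked in a few lines. This is an added example, not part of any comment; the messages are constructed samples and the function names are illustrative.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: the whole of one-time-pad encryption."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad under which `ciphertext` would decrypt to `candidate`.

    With a truly random, single-use pad such a pad exists for every candidate
    of the right length, so the ciphertext alone favours none of them.
    """
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME pad: the pad cancels out."""
    return xor(c1, c2)


def recover_second(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one plaintext is known or guessed, pad reuse gives up the other."""
    return xor(reuse_leak(c1, c2), known_p1)


def demo() -> dict:
    # Constructed sample messages, all 12 bytes long.
    p1, p2, decoy = b"MEET AT NOON", b"BRING RIZLAS", b"STAY AT HOME"
    pad = secrets.token_bytes(len(p1))      # random pad, as long as the message
    c1 = xor(p1, pad)

    # Correct use: the decoy is as consistent with c1 as the real message.
    decoy_pad = pad_that_yields(c1, decoy)

    # Misuse: the same pad encrypts a second message.
    c2 = xor(p2, pad)
    return {
        "decoy_decrypts": xor(c1, decoy_pad) == decoy,
        "leak_is_key_free": reuse_leak(c1, c2) == xor(p1, p2),
        "recovered": recover_second(c1, c2, p1),
    }


if __name__ == "__main__":
    print(demo())
```

The practical control that follows is procedural: destroy each pad sheet after use and never issue the same pad to more than one pair of correspondents.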

      3. RichardBarrell

        Re: Network Service == Single Point Of Failure!

        Cryptographically this is perfect. It will conceal the contents of your messages.

        You need to also worry about getting screwed by the metadata about who sent messages to whom & when.

    3. Anonymous Coward
      Anonymous Coward

      Re: Network Service == Single Point Of Failure!

      Yup......single point of failure.....this time Telegram!! See:

      - Link: https://www.theguardian.com/world/2023/feb/15/revealed-disinformation-team-jorge-claim-meddling-elections-tal-hanan

  3. elsergiovolador Silver badge

    Competition

    So is the goal there to only have encrypted communication apps run by big corporations?

    What's the difference between them and e.g. WhatsApp?

    Government is as always tough towards the little guy and weak for everyone else.

    It seems like the taxpayer money was again used to help big corporations crush the competition.

  4. JulieM Silver badge

    Reminder

    Why would anyone pay good money for a secure encrypted messaging service? Apart from anything else, you're advertising the fact that you have something to hide. Can you trust the people running the service? The messaging service itself is a juicy target for all those from whom you want to hide it (whether that be the Old Bill or business rivals). If you have to enter the plaintext into a device to encrypt it, how sure can you be that there is no way for it to get sent anywhere?

    The best strategy is always to assume a communications channel is insecure, and send only pre-encrypted content down it. Is it a hassle to do so? Not if the stakes are that high .....

    Disclaimer: I dabble in repertory theatre and when I am not busy rehearsing lines for plays, I enjoy conducting scientific experiments; often using a mobile phone placed remotely on location as a simple data logger capable of reporting results via SMS message, which may look like random nonsensical strings of printable characters.

    1. elsergiovolador Silver badge

      Re: Reminder

      placed remotely on location

      which may look like random nonsensical strings of printable characters

      You could just say you send messages in Welsh.

  5. StrangerHereMyself Silver badge

    Baffled

    I keep being baffled that criminals keep using "exclusive" services, which obviously become prime targets for LEA to hack and infiltrate. Why don't they just use WhatsApp with Disappearing Messages turned on?

    Does anyone really believe the U.S. government would allow any nation's LEA to hack WhatsApp? That person would need to have his head examined! WhatsApp is as safe as you can get and completely off-limits for LEA.

    1. Black Label1
      Black Helicopters

      Re: Baffled

      You Fool. WhatsApp is in bed for YEARS with Intelligence agencies.

      1. StrangerHereMyself Silver badge

        Re: Baffled

        Says who? Your mother?

        1. Black Label1
          Black Helicopters

          Re: Baffled

          Nah, my mother is a treacherous whore. She would never tell me WhatsApp is in bed with Intelligence agencies. Prefer to use Signal in sensitive matters :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Baffled

      Because the people who really understand this kind of thing tend to work for either TLA agencies or organisations with more technical ability.

      If I had to hide a communication flow my first questions would be about bandwidth and if messages could be pre-planned. Low could be the colour of a t-shirt in an insta selfie, or the initial letter of the third word in a post mentioning a colour in some nominal strangers chatting on a public forum.

    3. Macka

      Re: Baffled

      "WhatsApp is as safe as you can get"

      Really?

      WhatsApp keep a copy of all user public keys on their servers. When you open a chat with one or more people, they send those keys to your client so it can multiply encrypt your messages using those keys, a unique one for each correspondent. Sounds super secure except for one thing. The client app is closed source. You don't actually see what public keys are used to encrypt your message, or how many. What's to stop them from adding invisible users to your chats? User accounts that they control. You'd be none the wiser.

      1. StrangerHereMyself Silver badge

        Re: Baffled

        It's clear you don't understand the difference between a public and a private key. Go back to school and come back when you've read up on encryption.

        1. Macka

          Re: Baffled

          Oh I understand it -- far better than you it seems. Let me repeat what I said in simpler terms for you.

          Each user device generates a public/private key pair.

          The private keys are retained individually on each device.

          The public keys are pushed to WhatsApp where they're stored in a repository.

          If you want to message 3 people, WhatsApp sends you their public keys.

          Your device encrypts 3 versions of your message using the 3 public keys.

          Your device transmits each message to WhatsApp who forwards them to the users.

          They can each decrypt their version of the message using their own private key.

          Now, unknown to you WhatsApp actually sent you 4 public keys. 3 for your intended recipients and 1 for which they hold the private key. Your device generates and sends 4 versions of the message, one of which they keep to themselves and can read. You're none the wiser as their App knows to hide special/flagged public keys and doesn't tell you what it's done.

          Is that any clearer now ?
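The defence against the scenario described in the comment above is to compare the keys a directory hands over with fingerprints verified out of band before encrypting to any of them. This is an added example, not code from WhatsApp or from the commenter; the contact names, the random byte strings standing in for public keys, and the function names are all assumptions.

```python
import hashlib
import secrets


def fingerprint(public_key: bytes) -> str:
    """Short SHA-256 fingerprint of a public key, for comparing out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def audit_served_keys(served: list, pinned: dict) -> dict:
    """Compare keys handed over by the key directory with pinned fingerprints.

    served: public keys (bytes) the service says to encrypt to.
    pinned: contact name -> fingerprint the user verified in person.
    """
    served_fps = {fingerprint(k) for k in served}
    unexpected = sorted(served_fps - set(pinned.values()))
    missing = sorted(n for n, fp in pinned.items() if fp not in served_fps)
    return {"unexpected": unexpected, "missing": missing,
            "ok": not unexpected and not missing}


def make_scenarios() -> dict:
    # Constructed stand-ins for public keys: random bytes, not real key material.
    keys = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
    extra = secrets.token_bytes(32)          # the undisclosed fourth key
    pinned = {name: fingerprint(k) for name, k in keys.items()}
    honest = list(keys.values())
    return {
        "pinned": pinned,
        "extra_fp": fingerprint(extra),
        "honest": audit_served_keys(honest, pinned),
        # Four keys served for a three-person chat, as in the comment.
        "added": audit_served_keys(honest + [extra], pinned),
        # Same count, but bob's key swapped: counting keys would miss this.
        "swapped": audit_served_keys([keys["alice"], extra, keys["carol"]], pinned),
    }


if __name__ == "__main__":
    for name, result in make_scenarios().items():
        print(name, result)
```

The check is only worth as much as the code performing it, so it has to run in a client whose behaviour the user can inspect.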

      2. Cliffwilliams44 Silver badge

        Re: Baffled

        "Paulie hated phones. He wouldn't have one in his house. He used to get all his calls second hand, then you'd have to call the people back from an outside phone. There were guys, that's all they did all day long was take care of Paulie's phone call."

        Still true today!

  6. flayman

    Am I missing something?

    Does it say anywhere in this article which European laws were broken by the developers and operators of this encryption service? I can't see it. Nothing apart from illegal items and operations seized adjacent to the service, presumably belonging to some of the criminal users. There's an admission that there may be legitimate users of the service who can invoke legal privilege. Therefore, the service serves a legitimate purpose. So what's the crime? Wouldn't it actually be better to allow this to continue to operate while also continuing to use the decryption tools that were developed following the raid on the Cyberbunker?

    1. David Hicklin Bronze badge

      Re: Am I missing something?

      The issue is that the messaging was used to plan illegal activities

      1. flayman

        Re: Am I missing something?

        How is that a crime from the standpoint of the messaging service provider?

    2. Black Label1
      Alert

      Re: Am I missing something?

      Their crime was to use unbreakable encryption to conduct business. LEA got angry.

      Their App maker's mistake was to use servers without FDE (Full Disk Encryption), allowing LEA to reverse engineer and extract cryptographic keys.

    3. Anonymous Coward
      Anonymous Coward

      Re: Am I missing something?

      This article from Irish paper the Sunday World has some more details:

      https://www.sundayworld.com/crime/irish-crime/george-the-penguin-mitchells-encrypted-phone-service-hacked-by-police-as-45-arrested/1689230084.html

      According to the article, Exclu was developed by someone who was associated with the Cyberbunker. Apparently written-down passwords were found during the raid in 2019, and the evidence on the servers is what's led to arrests. The article implies that Exclu was actively marketed as a secure communication service to drug dealers. We may have to wait until the legal processes (formal charges, trials etc.) take place to know more.

      These things can take a long time. The BBC reported today on a conviction of a man using evidence from Encrochat, for crimes committed in 2020:

      https://www.bbc.co.uk/news/uk-england-merseyside-64566904

      1. flayman

        Re: Am I missing something?

        Then why are lawyers using it? The article states that there are legitimate users. I still don't get how the service itself is criminal. Maybe some of the developers and operators are criminal in other respects. But the whole thing has been shut down, which ignores that it may well be a legitimate service with legitimate customers, regardless of how it may have been marketed. So what law does it break? Is it a crime to market your services to known drug dealers?

        1. Jimmy2Cows Silver badge

          Re: Then why are lawyers using it?

          How else will they score their Bolivian marching powder after a hard day in court? Having your dealer on speed-dial is far too insecure.
