Inadequate sentence
She should have been sent down for far longer as a much stronger deterrent for unilaterally endangering a multi-national investigation into some of the worst scumbags in Europe. Prize idiot.
A British court has sentenced a "corrupt" police analyst to almost four years behind bars for tipping off a friend that officers had compromised the EncroChat encrypted messaging app network. Natalie Mottram, 25, of Warrington, England, was sent down for three years and nine months on Friday at Liverpool Crown Court. She …
El Reg is one of the few sources I still read that shows amazing inventiveness in its headlines, while remaining pretty accurate. Please don't compromise your standards. Especially when 15 second thinking would have yielded a similarly alliterative yet more accurate phrasing
Does anyone else find some of this a little odd? I'll list what I find strange.
The shortness of the sentence.
This supposed 48 hour delay and the ability to delete messages. It's a MITM attack. You can't delete data already intercepted.
The fact that even though she worked for the NCA she sent messages to people about it that could be read later.
Why didn't she send them through the encrypted service then delete them, if the above is true? How did she send these intercepted messages?
The don't use postcodes comment. That's like saying to Amazon don't use postcodes. How are you supposed to deliver stuff?
Reported elsewhere in the media, she had a £1500 a month pot habit. How is that even possible?
They reportedly used an update to lift the entire contents of people's phones. How did people not notice this when their burner PAYG phone ran out of credit rather quickly?
I think there may be a bit more to this story though I could be wrong.
The overall impression I have is that none of the culprits were the sharpest tools.
3.75 years less remission/probation doesn't seem like a lot, but for a 25 year old woman it's probably harsher than it first appears, especially for what seems to be acts of idiocy.
Don't the NCA etc do continual background checks of staff in sensitive roles? I would imagine her association with the other two idiots would have raised the alarm earlier. Trust but check.
As already commented there is possibly a lot more to this story?
Regarding background checks:
Having recently gone through security clearance to manage government IT stuff, the amount of checking depends on the level of clearance required. For something like this, it was probably checking on her and close family, same as I went through. Checking friends/associates happens more when you move into MI5/MI6 and probably GCHQ type levels, I'd assume.
Regarding background checks
plus ça change
Many, many years ago I was contracting at a <redacted> factory making <redacted> for <redacted> when my military escort mentioned the penalties under the Official Secrets Act if I blabbed about what I'd seen. I had not then nor since signed the Official Secrets Act - so much for the military sorting out my clearance before I started the job.
Not really. The sentence would have been decided by the court, and maybe it was enough based on the evidence, or sentencing guidelines. If she was just an analyst working on the product, she probably wouldn't have known, or needing to know exactly how the compromise worked because that would have been really sensitive information. So maybe messages were held back 48hrs, or that was how long it took messages to get from collection, filtration and to the relevant LEAs. Her sending messages is just one of those security risks, ie if she sent messages from work devices, or personal. If the NCA suspected something, personal devices could have been monitored.
The postcode thing is just criminals being criminals. Maybe they assumed because they were on an encrypted system, they could speak more freely, and not have to try and speak in code. But that's also why this operation has been so successful. Eventually the smarter ones might have realised their messages were being compromised, but LEAs would still have a mountain of evidence to work through. As for the phone stuff, I read it as her phone had been seized and the data recovered. If not, my contract has some free data, like to EE's systems and it's simple enough for mobile operators to zero rate or exclude some data in their billing systems. And the £1500 a month weed habit may have been sloppy journalism, they were buying more than just weed, or were buying a 9-bar and sharing it with friends. But there were no charges for dealing, so maybe the CPS felt they had enough to send a message.
"So maybe messages were held back 48hrs, or that was how long it took messages to get from collection, filtration and to the relevant LEAs."
Apparently the messages were sent as an overnight download to the UK. The NCA then filtered it into separate batches for the various units who would have to deal with it. A message intercepted just after the previous download would be ~24 hours old by the time of the next download, so allow some processing time for sorting and for her unit to upload their batch onto their own system, and 48 hours sounds about right. But depending on the timing of the intercept vs the overnight download schedule it could have been a good bit shorter.
There's an account elsewhere but it would make a good el Reg article.
The article doesn't say that; it says:
I no [sic] a lady who works for the police. This is not hearsay. Direct to me. They can access Encro software. And are using to intercept forearms [sic] only at the moment. There [sic] software runs 48 hours behind real time. So have ur burns one day max. And try to avoid giving postcodes over it.
"Burns" refers to the delete-time on messages. The friend continued:
I completely understand the time it takes for messages to get to the relevant people and to be checked. What I don't understand is how you can delete it after it's been intercepted in a MITM attack. It also makes no sense to say avoid postcodes if they can in fact be deleted. Theoretically they could be pulling it from devices every 48 hours but how would you know when that 48 hour point is and even then you would have to trust the other person to delete it as well.
I completely understand the time it takes for messages to get to the relevant people and to be checked. What I don't understand is how you can delete it after it's been intercepted in a MITM attack.
You can't. Don't get too hung up on that part. The woman wouldn't (or shouldn't) have known they were being collected by a MITM, just they turned up on her desk 48hrs old. She may have assumed, or been told they were a result of the handsets being compromised and the 'burn' feature may still work. It's unlikely there would have been an office memo explaining exactly how the collection worked because most staff wouldn't have needed to know. And knowing risked someone telling the bad guys, who then try to avoid surveillance as they did in this case. Kind of why this stuff is like magic, and the performers really don't like revealing all their secrets.
It also makes no sense to say avoid postcodes if they can in fact be deleted.
But like you say, you wouldn't know the window of opportunity and just figured 24hrs would be enough to hope messages self-destructed, and if they didn't, attempting to conceal stuff like postcodes might protect them. Criminals have been doing that for decades, eg 'Charlie's coming over on the 5th', and LEOs have long been wise to those games.
Yes, this is usually true, with the guidelines giving some basic constraints and the judge using the context to decide what the value should be from the provided range. There are some contexts where the guidelines are specifically modified to consider them, but trying to enumerate them all is tricky, whereas assuming that a judge will produce a number that the writers of the guidelines would have been fine with is easy.
Some recent cases in the news give a distinct impression that sentencing guidelines are rather generic and not context sensitive, i.e. no difference between passing on confidential police information and passing on confidential information that endangers a major multi-national campaign.
I guess that's by necessity. I did a quick look at what misconduct in public office could be, and that's punishable by up to life imprisonment. But then it's a pretty broad bit of legislation covering pretty much any misconduct by anyone in any public office, so could potentially be someone stealing paperclips, dodgy planning applications or nicking billions from the Treasury. Then there's the other more specific charges that could be laid, like the offences under the CMA with their own sentencing guidelines. Then those often include a bunch of aggravating and mitigating circumstances. I think if I were a Judge, part of my decision would be just how heavy the guideline book was, when printed, and I was considering throwing it at the guilty party.
Encrochat was a full service, you'd buy a "customised" phone with it installed and pay a subscription to use it so I doubt PayG phones were involved.
It wasn't a cheap service either so you'd need to be seriously worried about your messaging and making a good chunk of cash to be using it.
I can answer a few of those questions.
"The fact that even though she worked for the NCA she sent messages to people about it that could be read later.": From what we know, she probably didn't. One of the people she told was stupid enough to send a message to someone else which could be read later. She ended up tipping off someone that was too stupid to hide that, but from the information available, she could have told the criminal about the surveillance in person or on some other safe communication method.
"The don't use postcodes comment. That's like saying to Amazon don't use postcodes. How are you supposed to deliver stuff?": It meant to not send postcodes through this app. Theoretically, you would send them some other way, or encrypt them separately (no, they're not smart enough), or some other alternative not mentioned. They were trying to limit the data sent through a compromised system without just dropping it for some reason.
"They reportedly used an update to lift the entire contents of peoples phones. How did people not notice this when their burner PAYG phone ran out of credit rather quickly?": WiFi? In any case, it's unlikely they had that much data to steal. All the text messages I've sent in the past year aren't a lot of data, especially if you compress them first. It is certainly more if you include pictures, but I don't send many of those and it's possible that they started with just all the text and requested images later if they needed them.
"This supposed 48 hour delay and the ability to delete messages. It's a MITM attack. You can't delete data already intercepted.": The only answers I have for this one involve someone not getting it. One option is that she was telling her friends that their messages were visible about 48 hours after sending, so be careful with any long-term messages sent, and they misunderstood and thought they could just delete before that happened. The other option is that she saw that messages were 48 hours old when they came through, so she thought they could delete them beforehand. Either way, someone was getting this all wrong.
Either way, someone was getting this all wrong.
This. OP's argument rests on the premise that Kay's message was documenting viable OPSEC countermeasures. There's no evidence Kay knew what the hell he was talking about, or for that matter that Mottram herself knew anything more than that EncroChat was compromised.
"You can't delete data already intercepted."
Yes, but the system may operate in a way you don't know. If "un-burned" messages get archived every 48 hours and the filth only have access to an archive server, that could explain it. I don't know the particulars so I'm just guessing. It may also be down to how it's taking to plow through the traffic given the number of people they've thrown at it. They can search for keywords, but spelling isn't a big thing with the underworld and euphemisms are used all over anyway. Somebody saying they want to buy a gram and who they've sent the message to identifies what sort of substance they are looking for. The msg might just read "wana g". Good luck on that keyword scan, but a human would understand PDQ.
Is this some kind of secret criminal slang, used so that the police can't understand what they're talking about?
No, it's the work of the criminal mastermind who decided to warn his friend with a standard text message that encrypted text messages could now be read.
Regardless of what it's being employed for, I like it when would be sneaks are defeated by a bit of honesty.
I have no loyalty to either side but I do find police subterfuge especially disgusting.
To adopt criminal/dishonest practices in the name of fighting crime you lose your moral high ground and represent no better than what you oppose.
But often the secret police create as much harm or more that's what they oppose.
Leaving everyone else to pick up the collateral damage for their power struggles to dominate the behavioral landscape.
With criminals I can make a deal, or provide a physical demonstration, and have some trust that the principle of mutually assured destruction will motivate adequately. That, combined with the easier marks my neighbours make for, gives me some reasonable sense of security.
With police involvement then all power choice and opportunity to handle my own business is taken away. They reduce the individual to a sitting duck.
Police involvement renders one defenseless and paralyzed to take any personal responsibility regarding their own life.
I prefer having opportunities to be directly effective rather than being reduced to infant-like influence in my own affairs.
Outsourcing personal security to others that have no genuine hard loyalty to you is a living nightmare.
No thank you.
In police-speak all criminals are equally culpable, so "selling a bit of bud" is put on about the same level as robbery, assault and so on. After all, a crime's a crime and being able to mark a crime 'solved' is the goal.
The bit I'm having trouble with is that relatively low level crime -- street crimes like bag snatching, breaking and entering and so on, all the crimes that directly impact the lives of many -- seem to be ignored while plenty of effort seems to have gone into the detection and prosecution of dealers. Low hanging fruit.
"seem to be ignored while plenty of effort seems to have gone into the detection and prosecution of dealers. Low hanging fruit"
Sometimes it's due to politics and the narrative of the day. If there are stories about too much availability of drugs on the street or yet another politician's kids OD, arresting dealers becomes the priority delivered from on high. "On high" being the politicians that formulate and approve the budgets for the police. Ignore them and there will be no shiny new un-rusty cars for you this fiscal year. I swear the police fleet cars from manufacturers are pure crap. Since they usually get decommissioned and replaced every 5 or so years, things like anti-corrosion coatings aren't applied or aren't applied very thick. The high power engine and oversize brakes are worth salvaging. The regular maintenance is often very good, so oil is kept topped up and changed on schedule, unlike plenty of privately owned cars.
What a pity that some of the criminal [political] fraternity didn't use EncroChat phones when they were discussing Covid - the NCA would have been able to provide the messages to the Covid Inquiry that the likes of some very high profile politicians have said are no longer available.
The team that developed EncroChat should get a medal. Culture-hacking the criminal class - "Oh, there's an app / a phone for that, and I got it from a mate so it must be legit" - was an act of genius. They were literally pyramid selling compromised comms word-of-mouth from crim to crim. No-one who was not a crim was compromised by this, because only crims a) needed it and b) found out about it.
I suspect they hit this individual with as hard a sentence as they could because it was like the Enigma secret. Once it got out that it was compromised, the word was out, the system would change and any advantage would be lost, possibly compromising operations in progress.
Great while it lasted, though.
Taking a selfie of oneself is not a good move. The wide angle lens and close proximity makes you look goofy/fat. People in the habit of taking selfies will also do it a lot more when drunk/on drugs. The criminal class seem to get a big rush by filming themselves committing crimes and also documenting what they have stolen/done for some sort of criminal network social credit. The police love that since a defense attorney is up against it to get their client off when said client has peached on themselves in a way that's easy to analyze frame by frame.
I am recalling one such case where the police wrongfully shot a young black male in the US that wasn't doin nuffin. Welllllll, the guy was streaming himself live on FB through the whole last hour or so of his life including his shooting at the police with a hand gun he'd posted selfies holding on FB previously over the course of some months. The people in the street suddenly had a lot of egg on their faces when that was released. Still, didn't matter, the police are fascists and totally at fault. That night of randomly firing by the gut into buildings while driving around downtown whose video was also found on the phone was just youths blowing off some steam in the weekend. Very clear photos of the same gun as it was highly personalized.
An encrypted messaging system can be very useful, but just like getting a computer, it doesn't make you any smarter and maybe it does the opposite. There's nothing like a computer to make mistakes bigger and faster. There's nothing like believing that an encrypted service is perfect and letting it lull you into a sense of invincibility. Why did the letters FSD pop into my head? Hmmm.
...and so wrong. I can't say I approve of her actions but I don't think years in prison is an accurate punishment. Now making her spend years writing the "Authorized Computer Use" parts of our employment contracts is closer to the mark, but still you can't make her change. Only she can do that.
The security classification Official Sensitive is rather low and roughly equates to the old Restricted.
Access to that simply requires a BPSS (Baseline Personnel Security Standard) background check which is a very basic criminal records check. It does not require a SC (Security Check) which is required for those who handle Secret. Just what checks had been made on this person remains something of a mystery (there is a counter terrorism check which is not much different from BPSS).
That said, divulging anything protectively marked is a violation of the official secrets act which everyone is covered by. The typical 'they signed the official secrets act' statement means very little. Signing the form means you have had your responsibilities under the act highlighted. Even if you don't sign it, you are still (within the UK) subject to it.
I remember when newspapers would come onto a base and get stamped 'Restricted'. Hilarious in a way.
Still, it is pretty dumb to take a selfie with a classified document (albeit of probably little intelligence value) clearly in view.
.......and so on.......
Why do people out there rely on HUGE INTERWEB CORPORATIONS to guarantee (!) their privacy?
Why not just do it yourself for your own group of privacy sensitive folk?
That way, your private encryption gives the spooks EVEN MORE heavy lifting to do!!
Reading List
- Applied Cryptography, Schneier, 1996 and 2016
- Cryptography Engineering, Ferguson/Schneier/Kohno, 2010
Code Links
- Daniel Bernstein, https://cr.yp.to/chacha.html
- Daniel Bernstein, https://cr.yp.to/ecdh.html
Enjoy!!
Oh.....I forgot.......much of this discussion assumes that a single pass of some encryption scheme (e.g. AES) is "enough" to get the job done.
Well.....no......a reasonable recommendation is perhaps three passes (with three random keys).......
......that way the spooks can't ever know if they have actually decrypted the last pass correctly!
Did I mention "heavy lifting"?