Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users' plots The Australian Federal Police (AFP) has revealed it was able to decrypt messages sent on a supposedly secure messaging app that was seeded into the criminal underworld and promoted as providing snoop-proof comms. The app was in fact secretly built by the FBI, and designed to allow law enforcement to tune into conversations …
Mobile phones that can't make calls. There's a demand among drug traffickers for handhelds that have had their voice call capabilities, and other functions, removed for security and privacy reasons -- preferably physically removed, if possible. See Sky ECC, which was bundled on devices that had their microphones, cameras, and GPS receivers removed.
From the AFP announcement:
"The app AN0M was installed on mobile phones that were stripped of other capability. The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organised crime app. Criminals needed to know a criminal to get a device."
C.
But surely they connect to a cellular network. I'm pleased if this is the way forward rather than mass snooping EVERY individual. But methinks thats not going to be the case.
I think this 'success' will just empower the agencies further to do what they hecking want in terms of backdooring anything and everything they desire, alongside the sneaky entrapment methods that they eventually come clean about. utilising a method of 10% overt, 90% covert.
Presumably one of three possibilities:
a) remove mic, speaker and headphone jack, build custom ROM that doesn't have a dialler app, or "contacts" as we know it. Phone can still connect to a phone network for data purposes, and this is basically a WhatsApp-like device, with an app-specific contacts list. Relies on some form of IMS mobility via a server so that messages can be routed properly. Still needs a SIM - but PAYG is easy enough to manage for this.
b) remove entire SoC for network connectivity, can only use Wifi for data
c) build the device around a USB data dongle - a bit like (a), not sure which would be easier
In (a), the device is still trackable in the network - probably useful for the police to have this info to locate the devices, and therefore the criminals
In (b), tracking very difficult as WiFi SSID shouldn't make it into higher layer communication with network infrastructure.
Bonus points to make the device small enough to fit in a cosy orifice for smuggling into prisons
> But surely they connect to a cellular network. I'm pleased if this is the way forward rather than mass snooping EVERY individual. But methinks thats not going to be the case.
I think you might be missing the point a little here. The criminals aren't directly worried about the fact that the phone connects to a celluar network.
They're worried about the fact that - as popularised by decades of sensationality TV shows - that little device they're carrying around has a microphone and a video camera built into it. Which means they can potentially be used as wiretap devices by any authorities who happen to have a suitable exploit handy to install such things, and which will then let them listen to the criminal's activities 24/7.
So they've opted for a brute-force solution: they disable the device's audio and video capabilities, preferably by physically removing them. And then they stick to text-based messages sent via encrypted channels and which are either kept in encrypted storage, or deleted after reading.
And that vastly reduces the risk of accidental/unaware leaks.
> I think this 'success' will just empower the agencies further to do what they hecking want in terms of backdooring anything and everything they desire, alongside the sneaky entrapment methods that they eventually come clean about. utilising a method of 10% overt, 90% covert.
This particular "exploit" only worked because of the authorities both built the hack directly into the hardware for this specific device and then managed to persuade people that it was a secure device.
As a double-whammy physical/social engineering hack, it's superb. But it's not something they can do on an ad-hoc basis, not least because both Apple and Google are fully aware that any such backdooring mechanisms can be used for both good and evil. After all, if an exploit appeared which lets black-hat hackers remotely steal data from a phone, you can pretty much guarantee that millions of people would wake up the next day to find their bank accounts emptied.
As such, they will continue to actively limit such things, at least until/unless the NSA comes knocking with another Clipper chip proposal and the legal backing needed to force them both to comply.
Equally, for all their strong words, this probably isn't something the authorities are likely to be able to repeat - they've only gone public with this as they're losing their legal cover and therefore had to either "use it or lose it".
Even if they are in the process of rolling out a repeat of this sting, I suspect the top-tiers of criminal organisations - or at least their very well-paid security consultants - will be taking a good, long and hard look at any future devices - or possibly maybe even commissioning their own customised hardware.
or possibly maybe even commissioning their own customised hardware.
They will probably fairly quickly end up with the same question of "which country do they want to allow to read their messages" that every country's diplomats also have. There are only a small number of organisations which can provide almost-completely secure messaging, and each one is either linked to or compromised by at least one country's spies.
You probably have to decide whether you would prefer to link your criminal enterprise to (i.e. pay substantial bribes to) Russia, USA, Israel or China.
How hard would it be to roll-your-own: Ras-PI, mobile network device, small usb keyboard, small screen, box to stick it all in/on. Insert some encrypted messaging app, of which there are myriad. Insert PAYG SIM and off you go
It's not hard, if you're so inclined and have access to the appropriate resources.
But then it hasn't been hard to use encryption at least since PGP arrived on the scene (and arguably before that, depending on how high you set the "hard" bar); yet many, many people who ought to be using encryption (at least under their own value systems) haven't been. Most people are cheap1 and don't want to take on even the cognitive load of figuring out how difficult it would be to encrypt their communications, not to mention the inconvenience and opportunity costs of doing so.
1This is a gloss and not really a useful observation. A better one would be a behavioral-economics analysis which concludes that most human actors make an economic decision to employ only a small set of the security controls necessary to realize their (generally underdeveloped) threat models, influence to a great extent by intangible costs such as cognitive load and miscalculation of relative threats.
> Most people are cheap1 and don't want to take on even the cognitive load of figuring out how difficult it would be to encrypt their communications,
Agreed, and the greedy/stupid crims leapt on the "here's a box that does what you need for minor numbers of currency per month" solution offered to them. It's just surprising that no-one's done it yet with the open-source solution - the BOM is probably ~£200, and they could probably contract an IT outfit to make it without raising eyebrows if they were really lazy.
Unless they're the ones that haven't been caught (yet).....
I've seen a couple of companies here, offering cellphone plans based off of using data to virtual numbers rather than an actual cellphone plan with data.
Wondering now if someone span off, from marketing to just criminals to the wider populace, or a similar adoption of the concept for legitimate users.
> Genius! So who gets the payments for the AN0M app?
The crims, actually :D . The police were quite smart about applying the social-infection tools used by network-driven movements like social media and MLM.
From social meeja they ran the Influencer route, and in fact directly planted only FIVE handsets in Australia (1,650 eventually purchased via network effects), all to identified Crimfluencers. (The core one, Hakan Ayik/Hakan Reis, was actually on the run offshore; still is; no idea how they got jurisdiction for that.)
But the really genius one they took from MLM (eg, Amway). Each crimfluencer got a cut from every handset they sold and its ongoing licence fees. And then from every handset+licencestream that _those_ guys sold, who also got _their_ cut. And so on and so on, standard pyramid marketing scheme stylee.
Nice.
Committed fraud in the sense they were taking money for a service about which they had lied through their teeth about. But, that's what having a signed warranty allowing such activity is all about - rendering something that would ordinarily be illegal legal for a very specific and, in this case, large scale and overwhelmingly beneficial purpose. As was mentioned in the article, some of these warrants were about to expire, so they acted.
The difference between a well adjusted democracy and a totalitarian state like China or Russia is that in the democracy a warrant is required, whereas in the totalitarian state it's taken as a given that the state can and will do this kind of thing with every comms platform all the time anyway. It's not just walls that have ears.
I assume you mean "signed warrant". And, yes, law enforcement engages in prima facie fraud with criminals all the time: undercover operatives, lying in interrogation, sting operations, etc. Obviously this will vary by jurisdiction but in the US, certainly, the law makes considerable latitude for this, due to a compelling state interest.
Yes I did indeed mean "signed warrant". Bloody autocorrect...
I wonder if they did give a warranty? Perhaps not, given that such a thing would be unprecedented, and therefore a warning sign.
The thing that the US permits that most countries find objectionable is entrapment. Putting people in situations where they may feel threatened, thus pressurising them into agreeing to something they normally never would just to get out of the room alive, and then charging them with an offence is immoral. In the UK people doing that sort of sting get sent to jail for perverting the course of justice.
Though I'm happy to point out that nothing like that has happened in this case; it's been a creative and commendable form of covert wire tapping,
Yes, technically, but who cares? The investigator who agrees to supply someone with explosives to see if they're really willing to blow up people but provides inert blocks is also failing to provide the agreed goods, but fraud doesn't matter when the buyer is a criminal. When investigating a crime, the police aren't responsible for fraud.
Now let me see if I can explain this in a way adapted to your apparently limited understanding. On this occasion the cops stopped howling that they need to be allowed to back-door every messaging/media app used by world+wife+dog and cooked up their own app, persuaded the crims themselves to buy it and sell it onwards to other crims. In other words they used their brains for once instead of trying to listen in on the whole of society on the off-chance they might actually find something to prosecute. That is pretty much the opposite of anything that would justifiably provoke comments about "heiling". Top tip: Think before you post.
I'm reminded of the time Sky TV, positioned a " high placed ex employee" with full details of the Videocrypt cards & encryption system currently in use having recently issued new cards to the public to a (Consortium of) clone card & other pirate devices producer.
A meeting was made (Holland IIRC), the technical details & a very large bankers draft &\or cash exchanged hands or dropped into pockets (Icon).
In the meantime, while the enterprising gentlemen were hard at work investing in exploiting the info, Sky were busy prepping the series 013 next generation cards to pop in the post, ready to start posting them once the pirates were offering their wares, leaving them with a lot of useless hardware on their shelves or in the hands of angry customers with little to no recourse of reclaiming their money.
I knew one guy who came running to me for help after buying one of these activators (I didn't sell it to him) as he had rashly promised people left right & centre in his local pub he would support them ad infinitum.
Also reminded of the Irish cable TV sting, when they sent out a advert to sports channel subscribers to ring in for for a free t-shirt that was only viewable to those using pirate decoders.
Exactly. This is good for privacy, broadly speaking, because it's highly targeted; it's transparent to users (in the sense that the devices were distributed only within criminal networks, so you wouldn't acquire one unless you were a criminal); it didn't affect legal equivalents used by non-criminals (such as Signal); and it was a practical example of a major law-enforcement success which did not require backdoors in generally-available secure-communications systems, undermining the all-too-frequent calls for such backdoors.
No. Their hand was forced by a coupla exogenous things which drew a practicality line under the whole operation, not least that some core authorising legislation had imminent sunset dates.
The hard deadline meant mobilising & coordinating over 4,000 Aussie cops alone, for the sudden wrap-up's multitudinous simultaneous home invasions, some requiring explosives.
2 of the crimfluencers are likely to die shortly. Because the police took the opportunity at the press conference to identify them. One by name. The other by honest job & criminal role: he's big in the horticultural industry (including appearing in trade journals); he's also the main man in the crim world for all their comms tech and security, including recommending and supplying AN0M widely.
I suspect both will shortly have new job descriptions : "Toast".
Well done chaps.
Making this info public will also inject fears in criminals networks whose members may be more reluctant to use electronic devices. This may have a bad effect on their 'productivity'.
required payment of a monthly fee.
So the criminals paid for being watched by the cops... that's almost evil ^^
NZ cops had a field day as a part of their exposure to this crim scam.
As did Interpol, and other Euro cops.
Imagine it as a clever exercise by the FBI, whose scam may not have been legal in the US (entrapment etc.), but Aussie information passed back to the USA would have met the threshold of international information.
This how 5 eyes works in the spook area.
I love it :-)
It's not entrapment.
Entrapment requires the cops to induce an otherwise law-abiding person into committing a crime.
So, it would be like handing a random person a brick of cocaine, telling them it was cocaine, then saying, "Hey, I know a place and person to sell this to. Go here at this time," and then arresting them for possession and intent to distribute when they leave.
They just created a product using their knowledge of in-demand specs, advertised it to some criminals, who then word-of-mouthed it to other criminals, who then used it exactly as they would have similar products.
Is it fair to assume one of those countries was Greece with the identifier of Cyclops.
CYCLOPS: Five across...U.S. state in the Western United States, in the Pacific Ocean..Hey Medusa how do u spell Hawaii?
WIFE [biting lip] well..u need 2 i's.
CYCLOPS [puts pen down] my life is just a fucking joke to you isn't it Medusa!
She'll mutter something about how real police work costs money. Money that could be better spent on harassing immigrants.
By the way, it's completely untrue that she has a secret trapdoor in her office that she can open to drop someone into an underground lake of hungry piranhas. That's someone else.
* FBI built the hardware and managed the final multi-country operation; Australian Federal Police thought it up, built the software, designed the social/infiltration strategy+tactics, and ran the server/decryption. Phone app's icon was of a Calculator. 11,000 handsets globally in over 20 countries, 1,650 in AU.
* User traffic: first msgs seen on server 2018.10.31. 6mths later, 2019.04.last2weeks: 42,000 messages. 18mths later 2020.04.last2weeks: 2.67 million messages.
* 2 "Reality" TV "stars" busted. (We used to just call them Gameshows.)
1 Bachelorette contestant Mr Samuel Minkin (166kg cannabis (+ 7 mobile phones));
1 Ninja Warrior contestant Ms Sopiea Kong (revolver with no serial number (filed off?), 154g of meth, fake ID incl. fake passport, fake drivers licence, & multiple fake medicare cards (+ multiple phones + A$2,030 cash)).
["Where's the IT angle?!" Nuttin -- it's just amusing.]
April 2018: an Aussie tech & Aussie investigator visiting US FBI counterparts debriefing/celebrating the successful takedown of Phantom Secure. Tech has idea; pitches it over beers+dinners.
May 2018: the Tech builds Prototype on his couch at home late at night, as Proof Of Concept. Sends 96second video of it working. Laptop is on his lap, video includes his bare feet...
> "one of the most exciting times for me was when we proved the concept that we could collect encrypted messages and decrypt them from the platform."
> "Phone here, phone there, my laptop here. I sent a message to that phone and I could see the encrypted messages come up on the computer."
> He videoed the moment with yet another phone, showing the messages pinging backwards and forwards between the two phones and scrolling down, unencrypted, on the laptop.
> The Tech sent it off to his colleagues.
> The 96-second clip, which would later be shown to the AFP top brass, inadvertently also captured The Tech's bare feet.
> "I had to sell this to the executive -- like, this is possible, we can do this," The Tech says, defending his feet cameo on the basis "it was like 10pm at night".
> His colleagues were thrilled with the development -- and grateful that at least he had his pants on ["trousers" for Brits].
> "And he sent us the video and it's like, 'yeah, we like your bare feet, it's a nice touch'," Rob Nelson, head of Digital Surveillance Collection, says.
May-Sept 2018: much pitching internally, discussions, then finally formal thumbs-up.
3 hardcore devs from the Digital Surveillance Collection team (60ish ppl, described as the AFP's "Q Branch" whose boss says they "happily wear the terms 'geek' and 'nerd' like a badge of honour") take the Prototype, throw away the code, wash their hands, create Production-ready app+server which are real, scalable, stable/unbuggy, "secure", and also professional in appearance.
25 Sept 2018: Go! Operation Ironside (after Viking Bjorn Ironside, chosen by The Investigator) signed off ("Major Controlled Operation" auth'n)
31 Oct 2018: first messages...
> Despite his technical wizardry, The Tech is not a formally trained computer engineer.
> "My whole law enforcement agency career [16yrs, 5 with the AFP] has been around legally accessing criminal communications. I would not call myself a tech compared to the people I work with in Digital Surveillance, but ... to the operational members of the AFP, I am a tech."
> Despite his technical wizardry, The Tech is not a formally trained computer engineer.
In a large IT department, I once had to go around and get what qualifications and certifications everybody had.
If we ignore qualifications in obsolete technology, the honest answer was "practically none", by which I mean 2 qualifications in something like 70 staff, one of which was a CCNA and one person with a degree in IT. The person with the degree was (and I say this as the line manager whom was allocating jobs) arguably the least productive person in the department.
There is a crying need in the modern economy for certifying self taught people have particular skills at an affordable price, without doing an irrelevant training course with a several thousand pound bill.
MY own opinion is that certification is ONLY useful at the start of someone's career. Once they have spent a few (> 5 years) in job then the skills that they have from their past jobs are more important than certification. If you are 40 years old and have college or university degrees, these are not very useful in gauging a persons current skillset.
I'm still making more money yearly just from COBOL than the average newbie graduate's entire yearly salary for more modern, popular languages.
I've been recommending people buck whatever the current trendy fad language is and learn COBOL and Fortran since they started dropping the two in favo(u)r of C (and then Pascal) back in the '80s. Not a month goes by without a former student/mentee dropping me an email thanking me for the advice ... I know lots of Java, Ruby, Python, C++, C# etc. coders who are out of work, but the COBOL and Fortran folks are all gainfully employed.
Personally, I still prefer coding in good old C.
The Ada, FORTRAN, and Pascal not so much….
The basic underlying concepts we picked up alongside them, which the Ada, FORTRAN, Pascal etc were used to illustrate, and which we built on when we taught ourselves C (or whatever) and have applied pretty much every day of the succeeding 30 years (40-something in my case) of employment much more so.
Education isn’t (or at least shouldn’t be) about specific technologies, it’s about the fundamentals…
Quote: "....the idea of creating a backdoored app....."
*
Have I mentioned this before.....but since we all know about "backdoors" (you know....Cisco, NSA, Snowden, etc., etc.).....why are sensible people not encrypting their messaging BEFORE their messages enter ANY public channel?
*
Of course, it's not an absolute guarantee of privacy, but it might help just a bit. To give you an idea of what is possible, here's a sample of Blowfish encryption, relatively easy to implement in less than a thousand lines of vanilla C. Is it a thumbnail picture of my cat? Is it part of an international conspiracy? Jeremy Fleming's creatures should take a while to find out!!!
*
KUTktHLwrCNGmD2/gUDz8dqm0fNyVWbHjLE6oCl7UJEVBEUWFmHAm3qhzEK+B9juexE5aZHBFfh4
7qyZm4ABQ0T+13gzTh8cg4KlAwdDK5VNyDR23XuKsbG27cvVr0wQZR37AaBeRrSeG4Pe5KMY0aI3
D2mEcRXEk0JQ8ImpeEMJ1XtLEz7ey0dnarktOemDWSaaa4iG2mQ0GmltYQ0puneMmaWnfBaCP8m0
RShGRkkW05hCiXHga6qg2k0pF13kHUqApeoUPj55rrJOOWAfcXhlv75bd0KfKhkdc6weCvwKyoyx
JjcPe3EhDy0yZdyufuNakKho8JcBiMrpbFBxmmbl1rHpwhnnNRegf7oOGpVP+3iaN2RzryS9qAD+
iB7kZIUZ6Yn+g8G23xMmHkXLs2Kiseq9/ry5vraz0wITznmlnOLZM2brr/J174i0oLkwje0ppg/w
55HfHRDXtL8bAvR2ecFia9z9wdZW0/RYqHLhOoWMIbzUBBaEl3VMCbsJT2N2xhWgKwi3iBybYRrE
b9vDOSroeN6bbp640FDEoCIPJeIUCTi2O6DjftXImZvQ0MoKxOwlfpc388vb6vumjLoFcbOPpXa4
OABh7Nq2nCX3A24ySiTBjofGwufxaOaorxFHLGFCjFGH0FnQH4KaLkHVTnfwkrcdJHRl5SBWF/W1
/YwV3skJJl9YNEQ503e4awnc3GVwyo+WE0jM/imgslt6W2WvT8MHWElHwcBxw01pqz1OGwWvaBsk
14bwjivum/bS7+8nso+MYKESbPVRz1K+GQP8aeJAww6dpisq6cJSMph2jxAyb6ke1P4gDChkVRTw
VN3Qx/7OkippTDSLtbpYyqpPcRxRowxibfXzGuUqZca25CAplhpKCsCM9DRKzUIvkIEVfYFF0Llu
Rl4JtVU/OUrHIXBtLY8lPW3cjKZ1M2ajVP1YCN80fkwx4PZuKXXYmmfEYi6HapPJ2rE3o5kGaXYY
OrBefEw0529xzJ8R5ddFyYHffBlYDnJr092tzAFIfch//T/s3ljslQ2V+K73EQ8n8LKiUZZpERZz
hgyfCQfT7s7ATkiTfwIIeFi4Elynea5esT9LBlk1lkNjjNXHXZKdxGSGl/uTt9xV/PlWaHOkFhOI
BDMQRKzED0MJmuwVb5bS/vJGu37xaeyYG9PU7rVGiSfGFsWHrklpLkFFWIxYpQtUKom2oTekV2XP
4+dmsieXEjXt3H7jN6PCFG1CFm6IUFS4Ok8zRhxDvXn7c1FR2Nd+v+fwO5oU4MjTZpg/dvpAUzIl
HnJp9dWGotkGqLPL9dg76vm9he+Emc0mybM9JyNO88jfcYXQcg3qM0GFlDEkMe7cDUtczNcFzSDz
YDV8Y0Lj4bJNjpPvhv4KeZ8De6L1eOy5wPjF2rh53F8DBhQ8bdFPm6qNjYaQ4fO/lpK1Rv0iGXWc
XA6KMypW4zYoDlVekt1y7lKIwk6yMJhlTRiYzCW1hn15Wou9BCtX4eYIJwOhSshOQKMbDzKRZSYv
ToGWMolwKvHVOEUJ1QvjoGS6rOQS45c+71wC45luYyj3zqB2zl4fgl9hDgkg5r12E9y63pbfYmeN
4SLTil1Y3PYVm41fbEH7cq9BVSB0hGl5nh+Xg0N7TePCkPF8RZeKU7w0/GZ39Sm63AGIYUlnZCyY
RcLEZYn1MGUB+WQOZnJT0AhdbeXBrglC2Cr9kSBZCCKNrQbxFy8GDeH69oV31x57ayl5mjqEQGuR
SV1DXpaz2CGW32m/mfMDLMSC3PAvOJYj8qZ8dp5ELsUZKJ6o5P2prA0T9ckNI+b7gTaK5K7kyDPd
xlZKD9z5Z/c=
*
Thanks AC.
*
CHsLixuz4ZaHSv6dMzw5Y7az0DahaFY3cTYxAH01
stqV6b0foHK1GT05mpI1GR2p47Wjk56xMduv6ROF
6F8FMHixy3GRung1uPaHOTS1ClQl0rGXUjIVEhMZ
M7EpgBKb8Bare1M3cvKTOneHqfihIxwt4du3khAz
UpgzezGBKVeHcXuxQP2BY7IdmB8D8R0zaFG5QxEr
wBafKbiXs5ElYBYbQVKXQTMN4Xo9GXmPYbi18ZGN
mfcnQhqLiPm1Iz2jgJMJYVeBEFeZ0xyNwzQJebqj
6pcbEFMbmv0NAFif8VuZiBgtkhGxuB6tUjozi30h
U1wPqdaZ6pqfENg1C78nOHeNOJYf2lQloj2vy9YZ
GH4HW3cNCHMZYP2xAxw5Y3ap874xGBqjuLSbEDI1
CDANGjChQNmbenqp4XWH8hIdkt4BUtUrs5sJwrwz
mHMLmHOBMfq7ezeLGhQTo7GVsdEX4baLc3u9EPYd
khmN6vKrYJqbQZgDodWz0hC9EPQ9spm7y5S5idEB
urkNeJ0xmjgLeB4refopwd85qHkRM3cNELOzcPuN
wByT
*
"Have I mentioned this before.....but since we all know about "backdoors" (you know....Cisco, NSA, Snowden, etc., etc.).....why are sensible people not encrypting their messaging BEFORE their messages enter ANY public channel?"
For exactly the same reason no one else does. Convenience and lack of knowledge/skills. Crims, like the rest of the \Joe Average world, are not techies. They just want it work and will trust the higher ups/suppliers to have made it easy to use and secure. They make assumptions because they don't have the tech knowledge to know what questions to ask. They assume their criminal techs have done their jobs properly and rely on the fact nothing untoward seems to have happened to other users, therefore it must be safe to use.
This is a wonderful endorsement of open sourcing. When I start my world conquering criminal enterprise, I will insist on seeing the source code to the communication software, and have it verified by independent experts to make sure there are no back doors.
And there will be a tank of sharks with friggin’ lasers, just to put the vendors at ease while we wait for the results.
Yes, I said friggin’ lasers…
I forgot above one of the best bits:
The police improved market penetration by swift Agile responsiveness to their customers' needs.
They noticed in the monitored traffic that people were saying they wanted smaller, newer phones. So they immediately built & supplied smaller, newer phones. They then observed from messages that their customers were very pleased, and this then turned into improved referrals and sales.
Beats the crap out of any IT company/startup! *Genuine* customer responsiveness and speed!
The AFP and FBI should set up a commercial Computer arm. They'll drive Microsoft, Apple, Facebook, etc out of business in no time. Those companies are already surveilling us just as hard anyway -- might as well be honest about it AND provide outstanding products and service! :D
On the one hand, you have government officials demonstrating care & concern for customer experience. On the other, you have the world's most wealthy companies demonstrating...
Yeah, kind of mind blowing. The one time that the lack of market discipline (in this case, the cost of doing business) works to create great customer service, and who gets it? Violent criminals.
I think Scott Adams just had his scripts written for the rest of his natural life...
iOS15 has a 'private relay' feature that strips out IP addresses from web browsing. Whether it is secure or not it'll be a popular feature. Except in China, Belarus, Colombia, Kazakhstan, Turkmenistan, Saudi Arabia, South Africa, Egypt, Uganda and the Philippines. Exactly the nations where activists require most protection from state surveillance.
US tech companies doing Beijing's bidding in exchange for market share is at least as big a risk as using Chinese tech domestically.
"500 warrants executed, 200-plus arrests, the seizure of AU$45m and 3.7 tonnes of drugs, and the prevention of a credible threat to murder a family of five"
A massive dent of maybe 0.5 to 1% of the illicit drug market in Australia.
"Over 4,000 AFP officers were involved in raids overnight, Australian time."
Anyone got any idea what % of the annual policing budget got spent over the course of the operation?
Anyone got any idea what % of the annual policing budget got spent over the course of the operation?
The article suggested that the crims had to buy the handset and then subscribe to the service. There's every chance it was self funded or even turned a profit. If it didn't then someone needs to hang their head in shame.
If they sold these in the US I'd be surprised if some of the crims don't sue the cops for breach of contract, They sold a secure system that wasn't after all.
I don't think there's "every chance" it was self funding, let alone turned a profit. Remember, you've only just started the spend with the arrests.
The war on drugs is hideously stupid and counterproductive. These big flashy busts always turn out to have near zero impact on the supply --- example) It's a great tech story, and awesome cyber security work, but the global annual trade in illicit drugs is well into 12 digits USD and the ”war” is just making criminals richer and more violent. Not the same criminals, perhaps, but to ordinary law-abiding folk the effect is the same (or temporarily worse as the inevitable turf war breaks out).
In the UK the police have effectively recruited loads of children into drugs gangs ... dealers have got so used to undercover cops infiltrating their networks that they have now have a deliberate policy of using minors, the only people who can't be cops.
In short, 50 years after their stupid moral panic about alcohol elevated Cosa Nostra to a global organized crime power, the USA started an entirely new moral panic over drugs, repeating exactly the same mistake, and this time spreading their apparently inadvertent sponsorship of international crime all over the world. And 50 years after that, a century after prohibition, just how well is this strategy working?
How much longer are we going to give it?
> Anyone got any idea what % of the annual policing budget got spent over the course of the operation?
3 people for 2.5yrs. 1 small server (presumably VM on existing kit/capacity).
Plus the very brief involvements of ordinary police when executing arrests. All of which, using IT industry (sales) language, were "pre-qualified" as guaranteed certainties.
So, percentage-wise, approximately half-past fuck-all.
At under 10 man years of Australian law enforcement effort I reckon you and your upvoters must belong to the 'how hard can it be?' school of IT sales and project management :-D Intelligence gathering isn't done by some little algorithm on your "VM server" you know, spitting out a list of "go get these guys and lock them up, job done"
Also, if the arrests involved only 'very brief involvement of ordinary police' they haven't nicked anyone remotely senior/dangerous in the entire operation. And even police work doesn't stop with the arrest, let alone the rest of the cost to the justice system, where the work only just starts up on arrest.
You don't need to have worked in or with the police or other investigative bodies to see that your thumb-in-the-air estimate is nonsense - you don't even need to have watched Line of Duty or the Wire --- you just need to be comfortable with back-of-the-envelope estimation work.
Indulge me whilst I explain why this annoys me: I am a great believer in back-of-the-envelope calculation - but it has to have reasonable inputs and not be a thoughtless hand-wave to shut someone down.
I clearly remember some of the scorn from those to whom I used to report when I told them (a) the paperwork they were proposing to scan was about 5,000 tonnes and (b) no it could not be stored in an unused second floor office space.
One of the twats seriously asked me whether I "thought I was some sort of building expert" when I told him there was no way a second floor office would take 10kPa loading --- laughing with his public-school 'educated' friends "John's got carried away because his job description says architect!"
Yes, I do know that systems and enterprise architect is no sort of architect - and I hate the term for that reason - but I do know how to: (a) make sensible estimates; (b) multiply numbers together; and (c) the value of the 'engineering eye' to oversee the whole process and judge whether it's reasonable.
OP might well be wrong in the implication that a 1% dent in the AUS drug market wasn't worth it because it cost at least 1% in the law enforcement budget. But I suspect they are wrong because it isn't nearly a 1% dent in the drug market. Yes it's 1% of the product. But drugs are cheap. That 1% will be easily made up by (a) importing or manufacturing more drugs and (b) by dealers increasing their prices (which, guess what, makes users commit more crime to pay for it).
TL;DR: what is approximately "percentage-wise half-past fuck-all" in this situation is what the bust has achieved in the "War on Drugs" (even in AUS, let alone globally) and it has been achieved at a cost of somewhat more than that amount.
In the US at least, entrapment is when cops/government induce an otherwise law-abiding individual to commit a crime, and not just by leaving a brick of drugs sitting on the ground, waiting for them to pick it up.
The phone itself is not illegal, and intent is important when determining culpability (usually).
You get to do it again once all the criminals have forgotten about it.
And an important thing is that if criminals fear that their "encrypted" data can be read by the police (there have been two completely cracked "real" applications and now this trojan), and that makes them hesitant to use encryption apps, that slows the criminals down, which is also a good thing.
On the other hand, when I hear politicians calling that end-to-end encryption should be removed: For law enforcement purposes, I really hope that they play a game where they give Facebook, Apple etc. a bit of hell but not too much, while at the same time working with them to actually get that "end to end encrypted" data.
On the other hand: Priti, I have nothing to hide, but my data is none of your f***ing business, and I don't trust you further than I could throw you and your whole family.
No. Like any organisation, criminals have to communicate. Yes, until now they assumed secure messaging apps were "magic" and they have now learnt, the hard way, that that isn't the case. But they will still need to communicate and will still use apps, some of which will be backdoored.
The smarter crims will try to tradeoff the risks: each app has risks that it is a police snitch, but then so do people in the organisation, people they need to interact with, face-to-face interactions, etc. They may keep some more information to themselves, but that will make them less efficient and maybe less able to see law enforcement activity (in other gangs, etc).
I am not an organisation design person but I imagine the smartest gangs might adopt a more cellular structure, with more delegation and less detailed monitoring (and hence less operational information being passed around).
And some may try to use codewords more (but I am guessing that won't help unless they change them fairly frequently and I can imagine a future crim sitcom playing up the problem the heavies are having trying to remember whether "bloomers" is the code word for "drugs" or "murder" in even-numbered months).
You get to do it an unlimited number of times.
It isn't like there is a place crooks can go for chat apps / devices they know 100% for sure aren't bugged, so nothing stops this being done again. In fact, nothing prevents this being only the first of a dozen such bugged apps created by the FBI that are still in use. We don't know, and more importantly the crooks using other solutions don't know.
This being announced was quite deliberate, to create paranoia in the crooks. They could have said "we successfully hacked into this app's servers" or "we arrested one of the principals behind it and he cooperated in exchange for a lighter sentence" or "we were able to use a software weakness to decrypt the traffic".
They very deliberately said "this was written by the FBI and backdoored from day one" when they were under no obligation to admit that. They want criminals to know, so they can't trust anything will keep them secure. They want criminals to be paranoid, to not trust each other, to worry that everything they say or fellow criminals say that might incriminate them is being monitored.
How does one not know that Tor or other "anonymising" tools aren't cleverly planted tools on the part of the agencies to facilitate either their own exfiltration of data, the gathering of human or signals intelligence, or even to direct action.
Of course they use the dark web. They may have been involved in the creation of it.
There's a saying, where there's smoke, there's fire. Stay out if you don't want to get burned.
The only truly secure system remains the one time pad. And that still depends on absolute trust in the distribution of the key. All other security measures are merely inconveniences for the truly determined. (And might in fact be used to catch you out, if you are up to no good).
Cue usual questions about who watches the watchmen.
What is a "secure device"? Please point to one that should be trusted.
There is no 100% secure way to communicate, even if you only trust in person communication that leaves you vulnerable to being followed, having listening devices planted where you meet etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
