
The Code the FBI Used To Wiretap the World (vice.com) 39

The FBI operation in which the agency intercepted messages from thousands of encrypted phones around the world was powered by cobbled together code. From a report: Motherboard has obtained that code and is now publishing sections of it that show how the FBI was able to create its honeypot. The code shows that the messages were secretly duplicated and sent to a "ghost" contact that was hidden from the users' contact lists. This ghost user, in a way, was the FBI and its law enforcement partners, reading over the shoulder of organized criminals as they talked to each other.

Last year, the FBI and its international partners announced Operation Trojan Shield, in which the FBI secretly ran an encrypted phone company called Anom for years and used it to hoover up tens of millions of messages from Anom users. Anom was marketed to criminals, and ended up in the hands of over 300 criminal syndicates worldwide. The landmark operation has led to more than 1,000 arrests including alleged top tier drug traffickers and massive seizures of weapons, cash, narcotics, and luxury cars. Motherboard has obtained this underlying code of the Anom app and is now publishing sections of it due to the public interest in understanding how law enforcement agencies are tackling the so-called Going Dark problem, where criminals use encryption to keep their communications out of the hands of the authorities. The code provides greater insight into the hurried nature of its development, the freely available online tools that Anom's developers copied for their own purposes, and how the relevant section of code copied the messages as part of one of the largest law enforcement operations ever.

  • by holostagram ( 6735694 ) on Thursday July 07, 2022 @10:27AM (#62681090)
    If you trust any so-called "privacy" tool - Tor, VPN services, anonymous and/or encrypted messaging - then you are almost certainly just as gullible as the crooks in this story. If the FBI is not complaining about something - e.g. Tor - then they are not concerned about it. The obvious problem here is not that the FBI catches criminals sometimes. The problem is that we are all now considered guilty until proven innocent, and the government is hoovering up our private information to such an extent that the practice has become normalized. How do you explain to a millennial why the East German surveillance state was so bad? The US is a thousand times worse than any other regime in history - including China.
    • Re: (Score:3, Informative)

      The feds are essentially black hat hackers.
      Abusing exploits for their own purposes instead of reporting/fixing them.

    • The FBI has plenty of complaints about criminals going dark/using the darkweb. You can see the code in TOR/TAILS and many have conducted code reviews on the software. What special sauce do you think the FBI has that magically subverts encryption?

    • by ToasterMonkey ( 467067 ) on Thursday July 07, 2022 @05:52PM (#62682384) Homepage

      How do you explain to a millennial why the East German surveillance state was so bad? The US is a thousand times worse than any other regime in history - including China.

      Um, the problem with East Germany wasn't the quality or volume of intel the Stasi collected, it was the whole state of fear, imprisoning dissidents, and hunting down people that fled part.

      Or the re-education camps and imprisoning of dissidents that China does.

      But the Intel apparatus is the problem, not the totally fucked authoritarian state behind it?
      How in the FUCK can you be that dense?

      • And what made all of the abuse you mention possible? Where did it begin? Do you know anything about history or politics or philosophy at all? Talk about ignorant.
      • You know you are dealing with a nut job when they write an impassioned defense of the Stasi.
      • If it is incarceration that concerns you, it might be worth pointing out that the US has the highest incarceration rate in the world. What does that mean to you? More free dumb? Come on, shout it right out when you think you know something.
      • The authoritarian government of Florida plans to mandate that professors divulge their political views to the state. That is the kind of forward thinking progress freedumb that you really like, isn't it?
  • Another fine example of a simple solution where it would have been easy to do something quite complicated. Can anyone tell me why those variables are named the way they are? Or did someone find and replace to obfuscate?

    • Can anyone tell me why those variables are named the way they are?

      The code was decompiled from an APK file, which generated meaningless variable names. The variables in the article were manually renamed from their decompiled names to something meaningful to humans.

  • What business does the FBI have wiretapping the world? Isn't that the NSA and the CIA's job? I thought the FBI concerned itself with domestic tyranny rather than foreign.

    • No one is ever held accountable for wrongdoing so why not?

    • by Dynedain ( 141758 ) <slashdot2 AT anthonymclin DOT com> on Thursday July 07, 2022 @12:14PM (#62681402) Homepage

      FBI can investigate crimes internationally when it is related to crimes committed in US jurisdictions or when US citizens and companies are the victims. When you consider the criminal support services (banking, technologies, hacking, communications, law evasion, etc) almost any domestic criminal operation will have some international ties worthy of investigation. Furthermore, CIA and NSA are intelligence organizations, not law enforcement. They do not investigate crimes for the purposes of prosecuting criminals and they are unlikely to share their information for those purposes as it would compromise their classified tools and operatives used for collecting said information.

      • Re: (Score:1, Troll)

        Okay. I'll ask my question again then: what business does the FBI have wiretapping the world? Is that what's required to investigate crime nowadays, wherever it may take place?

        The NSA and the CIA do it because they're essentially lawless organizations with black budgets and zero oversight. And if you're dumb enough to believe it, total information awareness is essential to the pursuit of gathering intelligence in order to protect Americans. Probably. Possibly.

        But certainly none of that applies to the FBI.

        • by smooth wombat ( 796938 ) on Thursday July 07, 2022 @12:36PM (#62681448) Journal
          The NSA and the CIA do it

          Nope. The NSA deals with cryptography [nsa.gov]:

          The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both signals intelligence (SIGINT) insights and cybersecurity products and services and enables computer network operations to gain a decisive advantage for the nation and our allies. Throughout the site, NSA/CSS will be referred to collectively as NSA.

          Central Security Service provides timely and accurate cryptologic support, knowledge, and assistance to the military cryptologic community, while promoting partnership between the NSA and the cryptologic elements of the Armed Forces.

          The CIA collects intelligence and provides information [cia.gov] to elected leaders and, when directed, takes action. They do not do law enforcement:

          To stop threats before they happen and further U.S. national security objectives, we:

          Collect foreign intelligence;
          Produce objective analysis; and
          Conduct covert action, as directed by the president.

          We do not make policy or policy recommendations. Instead, our Agency serves as an independent source of information for people who do.

          We are not a law enforcement organization. However, we do work with the Intelligence Community, Department of Defense, and law enforcement agencies on many complex issues ranging from counterintelligence to counterterrorism.

          Meanwhile, the FBI investigates [fbi.gov] all federal crimes not assigned to another agency as well as threats to national security. They are also chartered to take action as needed.

          • https://www.brennancenter.org/... [brennancenter.org]

            https://fortune.com/2022/02/11... [fortune.com]

            The CIA is doing plenty of their own wiretapping.
          • So for the CIA, how is toppling elected governments around the world not a form of "enforcement"?
            • by xalqor ( 6762950 )

              You missed the word "law" in "law enforcement". They don't do "law enforcement".

              When you negate a compound noun (e.g. "not law enforcement") the negation applies to that entire compound noun. You can't draw any meaningful conclusion about negating any one part of that compound noun by itself. For example, if you point to a liquid and say "not ginger ale" it just means the liquid isn't "ginger ale". It does not mean the liquid is not an ale at all, or doesn't have ginger in it at all. It could be a pale ale,

              • by Rujiel ( 1632063 )
                "Law enforcement" is just the euphemism you chose, we are talking specifically about wiretapping, and a high schooler could tell you that the CIA and NSA do whatever they want regardless of what euphemism you want to pick for it. The idea that the CIA can coup entire countries but won't act on their own to spy is absurd.
                • by xalqor ( 6762950 )

                  "Law enforcement" is just the euphemism you chose

                  The FBI is a law enforcement agency. Law enforcement is not a euphemism, it's a well-defined activity. It involves finding people who did something illegal and correcting that situation. Sometimes it's a traffic ticket. Sometimes it's an arrest. It can involve wiretapping and searching. Any organized group of people needs law enforcement for the laws of the group. The FBI is there to enforce the laws of the United States.

                  The CIA is, as the name plainly says,

        • by Dynedain ( 141758 ) <slashdot2 AT anthonymclin DOT com> on Thursday July 07, 2022 @12:37PM (#62681456) Homepage

          When every criminal organization at scale is using international banking to hide their money, international supply chains for hardware like skimming devices, international communications for routing call center scams, international employees to write malware and hacking tools, etc, then yes, there is justification for the FBI to conduct international investigations. Organized crime rarely stops at borders.

          And the FBI didn't "wiretap the world". They didn't slip malware into everyone's iPhones and Androids. They created a targeted honeypot device especially tantalizing to criminals and it worked exactly as intended.

          • by Plugh ( 27537 )

            every criminal organization at scale is using international banking to hide their money

            Wait till they learn about Monero...

            • This program wasn't designed to catch the smart criminals, just the lazy ones.

              Even Monero can be somewhat deanonymized by monitoring the exchanges. At some point criminals want to turn it into a usable currency.

  • It's well established that any entity willing to play a tiny bit fast and loose with the law can hoover up vast quantities of data on US citizens. So:

    1. Any US company that's motivated enough can collect it
    2. Any foreign company that's motivated enough can collect it
    3. China can.
    4. Russia can.
    5. Israel can.
    6. *insert name of most other countries here* can

    So. Do we want our government to be blind to this information? I realize that a lot of people will say "hell yes". However, please keep
    • It's an interesting question. A basic principle of jurisprudence is that laws should be enforceable, and you seem to suggest that enforcing constitutional protections against unwarranted search and seizure is no longer a viable strategy for the long-term existence of a geopolitically competitive government.
      • Very well put. Yes. Data privacy is probably unenforceable. To me, there's a difference between physical search and seizure and all this stuff we call "data". In a civilized country, it's fairly straightforward to protect physical stuff. Data is another matter entirely. In essence, yes, it's become impossible to protect your "data" from any large, organized entity like a company or a government.

        1. Companies keep figuring out ways to circumvent privacy protections and harvest data at massive scale.
        2. Go
  • by kyoko21 ( 198413 ) on Thursday July 07, 2022 @01:39PM (#62681690)

    The very exact tactic is used by a lot of online scammers these days. Once a bad actor has gained access to an email account, they often create mail processing rules that bcc all messages to another account. These rules are created server side, and many times they try to hide the rules with empty spaces or other hard-to-see characters so that many users do not see them. Since the rules section is also something very few users look at/manage on the daily, many times these rules remain in the system for long periods of time.
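
An added example, not part of the comment above or of any mail product: a defender-side audit that flags the rules the comment describes, meaning rules that copy mail to an outside address and rules whose names render as blank. The rule format and field names (`name`, `enabled`, `actions`, `recipients`) are hypothetical and the sample data is constructed.

```python
import unicodedata

# Constructed sample: mailbox rules after export to a list of dicts.
# Field names are hypothetical, not any mail server's real schema.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters", "enabled": True,
     "actions": [{"type": "move", "folder": "News"}]},
    {"mailbox": "alice@example.com", "name": "  ", "enabled": True,
     "actions": [{"type": "bcc", "recipients": ["drop@mail.example.net"]}]},
    {"mailbox": "bob@example.com", "name": "\u200b\u200b", "enabled": True,
     "actions": [{"type": "forward", "recipients": ["bob.archive@example.org"]},
                 {"type": "delete"}]},
    {"mailbox": "carol@example.com", "name": "To assistant", "enabled": True,
     "actions": [{"type": "forward", "recipients": ["dave@example.com"]}]},
]

COPY_ACTIONS = {"bcc", "forward", "redirect"}


def name_is_hidden(name):
    """True if the rule name renders as blank: empty, whitespace, or only
    control/format/separator characters (Unicode categories C* and Z*)."""
    return all(unicodedata.category(ch)[0] in "CZ" for ch in name)


def audit_rules(rules, internal_domains):
    """Return (mailbox, reasons) for every enabled rule worth a manual look."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = []
        if name_is_hidden(rule.get("name", "")):
            reasons.append("hidden-name")
        for action in rule.get("actions", []):
            if action["type"] not in COPY_ACTIONS:
                continue
            for rcpt in action.get("recipients", []):
                domain = rcpt.rsplit("@", 1)[-1].lower()
                if domain not in internal_domains:
                    reasons.append(f"{action['type']}-external:{rcpt}")
        if reasons:
            findings.append((rule["mailbox"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, reasons in audit_rules(SAMPLE_RULES, {"example.com"}):
        print(mailbox, reasons)
```

The zero-width-space name in the third sample rule is the case a plain `name.strip() == ""` check would miss, which is why the test is on Unicode category rather than whitespace alone.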
