
US Feds Are Tapping a Half-Billion Encrypted Messaging Goldmine (404media.co)

An anonymous reader shares a report: U.S. agencies are increasingly accessing parts of a half-billion encrypted chat message haul that has rocked the global organized crime underground, using the chats as part of multiple drug trafficking prosecutions, according to a 404 Media review of U.S. court records. In particular, U.S. authorities are using the chat messages to prosecute alleged maritime drug smugglers who traffic cocaine using speedboats and commercial ships.

The court records show the continued fallout of the massive hack of encrypted phone company Sky in 2021, in which European agencies obtained the intelligence goldmine of messages despite Sky being advertised as end-to-end encrypted. European authorities have used those messages as the basis for many prosecutions and drug seizures across the continent. Now, it's clear that the blast radius extends to the United States.

  • Well, expecting criminals to implement encryption right is probably too much to ask. At least for small-time criminals. Clearly, this "Sky" service was not actually end-to-end encrypted in the usual understanding of what that entails. I do not remember what the vulnerability here was, but probably keys stored on end-devices could be accessed via a software update or remote administration interface. End-to-end generally assumes that is at least hard to do and the end-device is actually under user control in

    • They should sue for damages. They suffered losses because they had an expectation of privacy which was not met.
      • There's almost certainly a clause buried somewhere in the EULA indicating that you won't use the service to break any laws. That's pretty standard boilerplate for EULA terms, so anyone committing crimes on the platform doesn't have much to stand on. Non-criminal persons (good luck, you're probably guilty of something [lawcomic.net]) may have a case, but would probably have difficulty showing damages.
    • Sounds like the moral of the story if you're a criminal is just "use something better". They always seem to fall for these companies that feed them a line of shit about being "unbreakable" or other bombastic claims but, in reality, leave them exposed. If they'd have been using PGP/GPG or Signal, maybe things would have worked out better. However, I tend to think the cops will just target them in other ways at that point. They'll try to get the carriers to install some keylogging spyware etc... There is real
      • Encryption is basically a trick if you're a criminal.

        Only if your encryption includes escrow technology.

        Quantum computing has not advanced sufficiently to break current encryption technologies (RSA, SSL, SHA, etc.), and current encryption technologies can be considered adequately secure against conventional computer attacks. Even when that changes, NIST has already published three encryption techniques which would appear to be computationally secure against quantum techniques. Just make sure nobody has

        • You're "golden" until they install a keylogger through your cellular vendor and then you're screwed because you trusted encryption and thought it was all bulletproof so much so that you forgot that these perfect algorithms had to actually be implemented with real I/O to real things like user input or some OS with a thousand layers to get between and hack on.
        • by Anonymous Coward

          Encryption is just one part of the stack. A lot of people want to combine the encryption mechanism and transport mechanisms, leading to it being easy to be compromised. One even needs to consider endpoints as well, and that easy to use iPhone isn't going to be secure against the level of nation-states, period. Same with that Windows PC with Microsoft CoPilot and MS Recall, allowing forensics to see what it was doing, second by second.

        • Are any of those published techniques asymmetrical like RSA?
        • by ceoyoyo ( 59147 )

          SHA and pretty much all of the other symmetric encryption algorithms are pretty safe from quantum computers, even theoretically.

      • by TWX ( 665546 ) on Wednesday August 21, 2024 @12:07PM (#64724050)

        I think the actual moral of the story is that if you're using technology that you don't understand in support of clandestine criminal activity, it's going to go badly for you when someone in law enforcement who does understand the technology manages to use it against you.

        • I think the actual moral of the story is that if you're using technology that you don't understand in support of clandestine criminal activity, it's going to go badly for you when someone in law enforcement who does understand the technology manages to use it against you.

          I think the actual actual moral of the story is, don't be a F'in shitbag.

          • by gweihir ( 88907 )

            Nope. That is an irrelevant side-detail as far as infosec is concerned. Oh, you thought they will not spy on you because you have "nothing to hide"? Well, talk about stupid.

            • Nope. That is an irrelevant side-detail as far as infosec is concerned. Oh, you thought they will not spy on you because you have "nothing to hide"? Well, talk about stupid.

              No, I don't care if they spy on me as I have 'nothing to hide'. "Stupid", is being so self-absorbed that you think infosec cares about you.

        • by gweihir ( 88907 )

          That is the general moral here. Just replace {law enforcement, criminal attackers} with "attackers". It really does not matter whether the attacks are "legal" in some framework; your job is to keep them out. And that requires understanding the technology and its limits and very much not believing anything a vendor "promises".

      • by gweihir ( 88907 )

        That is generally the moral here, for all users.

    • by thegarbz ( 1787294 ) on Wednesday August 21, 2024 @01:08PM (#64724310)

      Clearly, this "Sky" service was not actually end-to-end encrypted in the usual understanding of what that entails.

      Of course it was. In fact for a long time they ran an uncollected $5 million bounty to see if anyone could crack the communication. The issue appears to have been the distribution of a fake "Sky" app which was compromised by Dutch police which in turn led to arrests which in turn led to access to devices which in turn led to more communications exposed and more arrests.

      Your end to end encryption is useless if I take your unlocked phone from you and read your messages on your own screen.

      The only thing "clear" is that our favourite Slashdotter gweihir not only posts without understanding what is going on, but even admits he has no clue in the post.

      • by gweihir ( 88907 )

        Nice collection of nonsense you have there. Ever did any actual risk management? Obviously not.

        • Yeah, daily. It's actually my primary job. But interesting that you didn't once counter anything I said, just called it nonsense and flung an insult.

          Typical gweihir. Don't ever change, you provide all the laughs here on Slashdot.

          • by gweihir ( 88907 )

            Yeah, daily. It's actually my primary job.

            I pity whoever employs you. You miss about 90% of the picture.

    • The encryption is only as good as the update mechanism and the key exchange.

      Let's say Signal was completely taken over by the CIA/NSA. They could NSL Google and Apple to selectively push updates with compromised apps (the odds of criminals checking reproducible builds is very small) or they could take over the servers and get the mobile phone company to fuck with the mobile phone account of someone central and the next time there's key exchange do a MITM attack (the odds of criminals doing in person safety n

      • by gweihir ( 88907 )

        Obviously. End-to-end does include that the end-device needs to be secure. And quite a few other things.

        As to MITM, no. That does not work with properly implemented end-to-end encryption.

        • MITM always works as long as you control the original key exchange; no amount of ratcheting helps if they can fool you about the identity of the other party. That's why the safety numbers exist.

          You can't compromise that after the fact, without a nasty warning about identity key changes due to pinning, but you can manipulate someone into reregistering and do the exchange "right" the second time.

          • by gweihir ( 88907 )

            That is complete nonsense. A proper key-exchange is not vulnerable to MITM. You are probably talking about key distribution, which is an entirely different question. Sure, if you do not have an authentic key of your communication partner, MITM becomes possible. But even a bloody amateur could see that, so authentic keys are obviously assumed.

            • Proper key exchange requires a pre-existing secure channel to solve identification.

              So in this case the secure channel set up by the server public keys in the app and an uncompromised server. Break those assumptions and what's left is improper key exchange, indistinguishable from proper. All the app can do is pin keys and hope the server was not yet compromised and allow checking of safety numbers (which next to no one does).
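As an added example (not code from this thread, from Signal or from Sky), a toy relayed Diffie-Hellman exchange in Python that shows the point argued above: a relay that controls the first key exchange sits in the middle without the protocol itself noticing, an out-of-band safety-number comparison still reveals it, and a pinned identity key only warns when the key changes after first contact, so a forced re-registration silently defeats the pin. The 64-bit group, the 12-digit safety-number format and the PinStore class are constructed simplifications.

```python
import hashlib
import secrets

# Constructed toy group: the largest 64-bit prime, small enough to read.
# Real protocols use X25519 or 2048-bit+ MODP groups; never use this size.
P = 2**64 - 59
G = 2


def keypair():
    """Long-term identity keypair: private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(my_priv, their_pub):
    """Hash of the Diffie-Hellman value, standing in for the session key."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(8, "big")).hexdigest()


def safety_number(pub_a, pub_b):
    """Order-independent 12-digit fingerprint of both identity keys (a simplified
    stand-in for Signal-style safety numbers). Each side computes it from the
    peer key it actually received, so a substituted key changes the number."""
    material = b"".join(k.to_bytes(8, "big") for k in sorted((pub_a, pub_b)))
    digest = hashlib.sha256(material).digest()
    return "".join(f"{b % 100:02d}" for b in digest[:6])


class PinStore:
    """Trust-on-first-use store for peer identity keys. A mismatch is the
    'identity key changed' warning a client shows; reset() models the user
    being persuaded to re-register, which throws the pins away."""

    def __init__(self):
        self.pins = {}

    def check(self, peer, pub):
        # First sighting pins the key and passes; later sightings must match it.
        return self.pins.setdefault(peer, pub) == pub

    def reset(self):
        self.pins.clear()


def run_session(alice, bob, alice_pins, bob_pins, relay_is_honest):
    """One exchange relayed by the server. An honest relay forwards identity
    keys unchanged; a compromised relay substitutes its own key in both
    directions, so each party unknowingly agrees a secret with the relay."""
    a_priv, a_pub = alice
    b_priv, b_pub = bob
    if relay_is_honest:
        pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    else:
        m_priv, m_pub = keypair()
        pub_seen_by_alice = pub_seen_by_bob = m_pub
    alice_secret = shared_secret(a_priv, pub_seen_by_alice)
    bob_secret = shared_secret(b_priv, pub_seen_by_bob)
    relay_can_read = (not relay_is_honest
                      and shared_secret(m_priv, a_pub) == alice_secret
                      and shared_secret(m_priv, b_pub) == bob_secret)
    return {
        "secrets_agree": alice_secret == bob_secret,
        "relay_can_read": relay_can_read,
        "safety_numbers_agree": safety_number(a_pub, pub_seen_by_alice)
                                == safety_number(pub_seen_by_bob, b_pub),
        "alice_pin_ok": alice_pins.check("bob", pub_seen_by_alice),
        "bob_pin_ok": bob_pins.check("alice", pub_seen_by_bob),
    }


if __name__ == "__main__":
    alice, bob, ap, bp = keypair(), keypair(), PinStore(), PinStore()
    print("honest first contact:", run_session(alice, bob, ap, bp, True))
    print("relay compromised later:", run_session(alice, bob, ap, bp, False))
    ap.reset(); bp.reset()
    print("after forced re-registration:", run_session(alice, bob, ap, bp, False))
```

Run it twice with fresh PinStore objects but a dishonest relay from the start to see the first-contact case: both pins pass, and only the safety numbers disagree.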

  • I'll be interested to see if this makes people lose faith in services like Signal. Which, I think the feds running a fake phone company was totally designed to do as well.
    • by CAIMLAS ( 41445 )

      Yeah, I have no pretense of Signal actually being secure end-to-end at this point. It's well known that it's used by CIA to both monitor opponents using it, and that they use it for their own ends.

      • Citation?
      • Do you have a source for that? Everything I've read on the CIA and Signal indicates that Signal is safe and the CIA got the info through other vectors.
      • The likely ploy is that Signal is secure - which entices users to say things they should not on insecure endpoints, which are intruded by MWG's..

        However they tipped their hand with their "spam checks" - we now know the servers can shut down any endpoint they want and with sufficient traffic correlation that can be rather specific.

        So, good for chatting about groceries but don't plan your next Venezuelan coup on it.

      • I'd like to see a citation on that, too.

        Let me help you out a bit here though.
        Signal uses what I'm calling Zen-fu. It does what it says it does. It also does 2 things that "people" just shrug and ignore as irrelevant. So the gambit is no secret, but "people" are too dense to understand that meta-data can be more valuable than the actual content of your messages.

        It *is* a secure encrypted messaging app. That is true, so your messages and voice calls are encrypted. However, the *commercial* version of Signal
      • No, it's almost certainly secure end to end at the moment. It's just not entirely relevant.

        In an extreme emergency America's hold over Google/Apple allows them to compromise the encryption with updates. In the meantime NSA has taps on all IP and mobile phone traffic to use traffic analysis for metadata mining, whereas foreign intelligence agencies do not. The advantage of a centralized service with servers in the US ... it's in their best interest to not compromise the encryption outside of extreme emergenc

    • It depends on the attack profiles. To keep stuff private between friends and not go outside of this, something E2EE like Signal is good enough. However, when the value of the info is so high that it attracts nation-states' attention, then just trusting an app on a consumer grade device isn't going to do the trick.

      For what I do, Signal is secure enough. I'm well enough assured that when something falls off a chat in a day or so, it is gone forever, like a picture of a new 3D print I made. However, if thi

    • The courts are already illegally using screenshots of messages as evidence in criminal proceedings, never mind Signal has OTR messaging as a core advertised feature meaning even if you have someone's phone you can't prove which party of a conversation wrote it. To fight things like that in court takes hundreds of thousands of dollars of expert testimony per-case, because the state is unwilling to accept that it's inadmissible due to technical incompetence and a desire to exploit that technical incompetence
  • It's correctly said as "End to-end-encryption". It's an end, to put a stop to encryption. Or you can think of it as being encrypted to the end user. But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

    • Modern asymmetric encryption is still considered strong. You just need to get a FOSS implementation so that you can make sure your particular setup doesn't have any escrows built in - oh, and don't ever take a vendor's word for it. At best, "trust, but verify". Don't be afraid to spend the money to hire a professional you trust if you can't figure it out for yourself, and don't be ashamed to admit it if you can't figure it out for yourself. Security is really easy, until you actually do it.
    • by gweihir ( 88907 ) on Wednesday August 21, 2024 @11:50AM (#64724010)

      But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

      That is bullshit. If done right, nobody can decrypt anything on the fly just because they see traffic. If the key-management and encryption is done right and the end-device is secure, nobody can read any messages. Some insights into modern cryptography required.

      • Re: (Score:3, Insightful)

        by conorjh ( 6311812 )

        I mean, just putting this out there, but if I was the CIA and I broke SSL the last thing I would be doing is "proving it" to anyone. Quite the contrary, I'd never say a word

        • The NSA and CIA would certainly benefit from such a discovery.

          Their immediate next step, however, is to appraise which other global actors might also be aware of the vulnerability. They'll gauge this by measuring the depth of research required to identify the vulnerability and correlate that to estimates of dedicated research resources in China, North Korea, Russia, etc. This step is critical because it identifies what communications may already have been intercepted by those actors and whether it's safe
        • by NicknameUnavailable ( 4134147 ) on Wednesday August 21, 2024 @01:20PM (#64724356)
          They don't need to break SSL, they just need to break the root CAs, which has been shown to have been done in numerous public news articles over the decades.
          • by gweihir ( 88907 )

            You trust the CA-system for anything besides casual web-security? Oh sweet summer child...

          • Certificate authorities are like the Japanese: they follow protocol or shame is cast upon their household

        • Sure but can you be sure your employees who you paid for their time to figure out how to do it might not want to cash in when their contract expired?
      • by mjwx ( 966435 )

        But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

        That is bullshit. If done right, nobody can decrypt anything on the fly just because they see traffic. If the key-management and encryption is done right and the end-device is secure, nobody can read any messages. Some insights into modern cryptography required.

        If you've done encryption really, really well, no one can read it... not even the intended recipient.

  • by alanw ( 1822 ) <alan@wylie.me.uk> on Wednesday August 21, 2024 @11:46AM (#64723974) Homepage

    non-paywalled copy [courtwatch.news] at Courtwatch

    • TFA is still a bit light on details I'm curious about . . . for example, I'd previously been given the impression that Slack was E2E using strong encryption. Did Sky have a bastardized version with escrow tech they forgot to tell their customers about, was their overall software stack not maintained to stay secure as advertised, or did they use some other element of their software stack to hoover the keys off their customer equipment? I could conceive of Sky doing that last hoping to silently harvest and
    • I have access to sufficiently strong encryption as to be highly confident in my ability to communicate privately. Oddly enough, I have no use for this ability, but I do have it. The mistake isn't to believe that privacy is possible, the mistake is to think it can be given to you or even sold to you. Privacy can only be (reasonably) guaranteed if you take it for yourself - if you can't, you'll have to "trust" someone else for it.
  • I wonder what percentage of the messages are from other services that they didn't have warrants for.

  • Legalize drugs now (Score:4, Insightful)

    by rsilvergun ( 571051 ) on Wednesday August 21, 2024 @12:31PM (#64724136)
    So we have the federal government trawling through huge amounts of encrypted data and messages. Working hard to develop increasingly powerful techniques for decrypting private data. And bringing the resources of a nation state to bear to do it.

    All of this largely in the service of a drug war that has been an abject failure.

    Legalize all drugs. Treat the hard stuff as a medical condition. Don't allow the hard drugs to be sold by private companies because we can't trust private companies with something that deadly and dangerous. Take the savings from the drug war and spend it on addiction therapy.

    That last one is the hard part. Everyone agrees we should do it, but when it comes time to do it, drug addicts are some of the most horrible people you can imagine, having been changed by their addiction in bad ways, and it's really hard to get people behind treating them humanely and spending what seems like a lot of money on doing that. Never mind the fact that there are just some drug addicts who are never going to kick the habit fully and we end up just kind of supporting them. It's still way way less money and way better than the drug war but it feels really awful in a sort of lizard brain way
    • I mostly agree with this, though, I don't mind private companies trying to sell.

      At the end of the day, this is the government saying "you don't actually own your body; you can only do with your body what we allow you to". It's just old-school puritan thinking that the US still hasn't been able to break away from, even with how badly the War on Drugs has failed.

      • Private companies are the worst possible sellers of drugs! I'd rather have thugs on every street dealing than big corporations with advertisers, lobbyists etc. Private sales on the black market are not good and organized crime is worse, but on the open market as legal business it would be on a whole other level. They already push known drug problems for a decade or more before government finally does something about it. Plus nobody would go to jail at all... except maybe some whistleblowers.

        Government giving

      • If you let them sell an ultra addictive heavily damaging substance like heroin or meth they're going to do just that and they're going to optimize their sales.

        Preventing private companies from selling hard drugs doesn't prevent consumers from getting those hard drugs. It's the exact opposite.

        What it does do is remove the profit motive. You can't have a profit motive mixed in with something that destructive and dangerous. They'll be putting it in breakfast cereal before you know it.

        If we're going
    • Legalize all drugs. Treat the hard stuff as a medical condition. Don't allow the hard drugs to be sold by private companies because we can't trust private companies with something that deadly and dangerous.

      Sure, because we can clearly trust the black market entities that currently exist with that. They're the ones putting fentanyl in places where it doesn't belong. Much like the bootleggers never gave anyone a bottle of poison by accident. The states that tried unrestricted drug access have already started rolling it back [nytimes.com] because they were incapable of treating addiction, which if you've ever had the misfortune of dealing with, is practically an impossible task. Until you're willing to require personal responsib

      • What Oregon found is that we've been doing this for so long -- out of sight, out of mind -- that we simply weren't prepared to help addicts. Whatever they did, prison, as awful as it is, saved more lives based on whatever metrics.

        But we can't just stop now. What you described here is already the steady state of the War On Drugs:

        If you want unlimited freedom then you need to accept part of that is letting crack or meth heads die out on the street because there's nothing that can help many of them and they ca

      • There won't be any profit motive. It's kind of hard to make money off a product that you can get for free.

        The only reason why I don't think we should let private companies sell hard drugs in the first place is because they will quickly lobby to shut the government down from giving it away for free.

        It's kind of like how the private health insurance companies simultaneously argued that the public option in America for health care would be terrible and everyone would be denied care and die while also a
      • by kackle ( 910159 )
        +1 It's like allowing the blind to drive cars and paying for all of their damage, too. Otherwise, I don't care what one does to his body.
    • I think we have to look at legal marijuana as an example. Legal weed shows that; municipalities allowing sales push tax way way way too far; the regulations on industry guarantee high prices; enforcement of illegal operations go almost unchecked.

      I'm all for legalization but we need to address what that means, and it does not mean a cash cow. We can learn from our mistakes.

      • Between marijuana and heroin or meth just like there's a world of difference between alcohol and heroin or meth.

        When I say hard drugs those are the ones that are immediately indestructively addictive and are typically used to cope with extreme stress and mental illness.

        These kind of drugs need to be treated as a severe medical condition starting by curing the addiction and then working at the underlying causes as best we can.

        The challenging part is keeping the profit motive out of that entire ex
    • And, when the concept of recreationally altering your brain chemistry is completely legalized, shareholders will force pharmaceutical companies to maximize profit by making recreational drugs that don't undermine the customer's ability to earn money and buy more of them in the future. In fact, drugs that make the customer maximize their earning ability and then spend all those earnings on the drug should be the ideal creation.
    • All of this largely in the service of a drug war that has been an abject failure.

      You are forgetting one huge aspect of this: The people who are running drugs would be running other illegal stuff, so catching them is a high priority regardless if it is about drugs or weapons or counterfeits.

      You are correct that drugs shouldn't be treated the way they are; however, you are wrong that any money will really be saved.

  • ...on prosecuting drug traffickers while scammers and cybercriminals run wild
    Law enforcement needs to adjust its priorities

  • There hasn't been this much of a need for law enforcement to use parallel construction since the whole Stingray IMSI catcher thing was still secret.

  • It's worth noting that this wasn't an "encryption failure". This was an intelligence action where they operated the wireless company for something like 18 months. It's interesting to see domestic prosecutions, since I thought they decided that it was inadmissible in domestic courts because it involved an intelligence agency.
