Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Encryption United States

US Feds Are Tapping a Half-Billion Encrypted Messaging Goldmine (404media.co) 77

An anonymous reader shares a report: U.S. agencies are increasingly accessing parts of a half-billion encrypted chat message haul that has rocked the global organized crime underground, using the chats as part of multiple drug trafficking prosecutions, according to a 404 Media review of U.S. court records. In particular, U.S. authorities are using the chat messages to prosecute alleged maritime drug smugglers who traffic cocaine using speedboats and commercial ships.

The court records show the continued fallout of the massive hack of encrypted phone company Sky in 2021, in which European agencies obtained the intelligence goldmine of messages despite Sky being advertised as end-to-end encrypted. European authorities have used those messages as the basis for many prosecutions and drug seizures across the continent. Now, it's clear that the blast radius extends to the United States.

This discussion has been archived. No new comments can be posted.

US Feds Are Tapping a Half-Billion Encrypted Messaging Goldmine

Comments Filter:
  • Well, expecting criminals to implement encryption right is probably too much to ask. At least for small-time criminals. Clearly, this "Sky" service was not actually end-to-end encrypted in the usual understanding of what that entails. I do not remember what the vulnerability here was, but probably keys stored on end-devices could be accessed via a software update or remote administration interface. End-to-end generally assumes that is at least hard to do and the end-device is actually under user control in

    • Comment removed based on user account deletion
      • There's almost certainly a clause buried somewhere in the EULA indicating that you won't use the service to break any laws. That's pretty standard boilerplate for EULA terms, so anyone committing crimes on the platform doesn't have much to stand on. Non-criminal persons (good luck, you're probably guilty of something [lawcomic.net]) may have a case, but would probably have difficulty showing damages.
    • Sounds like the moral of the story if you're a criminal is just "use something better". They always seem to fall for these companies that feed them a line of shit about being "unbreakable" or other bombastic claims but, in reality, leave them exposed. If they'd have been using PGP/GPG or Signal, maybe things would have worked out better. However, I tend to think the cops will just target them in other ways at that point. They'll try to get the carriers to install some keylogging spyware etc... There is real
      • Comment removed based on user account deletion
        • You're "golden" until they install a keylogger through your celluar vendor and then you're screwed because you trusted encryption and thought it was all bulletproof so much so that you forgot that these perfect algorithms had to actually be implemented with real I/O to real things like user input or some OS with a thousand layers to get between and hack on.
        • by Anonymous Coward

          Encryption is just one part of the stack. A lot of people want to combine the encryption mechanism and transport mechanisms, leading to it being easy to be compromised. One even needs to consider endpoints as well, and that easy to use iPhone isn't going to be secure against the level of nation-states, period. Same with that Windows PC with Microsoft CoPilot and MS Recall, allowing forensics to see what it was doing, second by second.

        • Are any of those published techniques asymmetrical like RSA?
        • by ceoyoyo ( 59147 )

          SHA and pretty much all of the other symmetric encryption algorithms are pretty safe from quantum computers, even theoretically.

      • by TWX ( 665546 ) on Wednesday August 21, 2024 @11:07AM (#64724050)

        I think the actual moral of the story is that if you're using technology that you don't understand in support of clandestine criminal activity, it's going to go badly for you when someone in law enforcement who does understand the technology manages to use it against you.

        • I think the actual moral of the story is that if you're using technology that you don't understand in support of clandestine criminal activity, it's going to go badly for you when someone in law enforcement who does understand the technology manages to use it against you.

          I think the actual actual moral of the story is, don't be a F'in shitbag.

          • by gweihir ( 88907 )

            Nope. That is an irrelevant side-detail as far as infosec is concerned. Oh, you thought they will not spy on you because you have "nothing to hide"? Well, talk about stupid.

            • Nope. That is an irrelevant side-detail as far as infosec is concerned. Oh, you thought they will not spy on you because you have "nothing to hide"? Well, talk about stupid.

              No, I don't care if they spy on me as I have 'nothing to hide'. "Stupid", is being so self-absorbed that you think infosec cares about you.

        • by gweihir ( 88907 )

          That is the general moral here. Just replace {law enforcement, criminal attackers} with "attackers". It does really not matter whether the attacks are "legal" in some framework, your job is to keep them out. And that requires understanding the technology and its limits and very mich not believe anything a vendor "promises".

      • by gweihir ( 88907 )

        That is generally the moral here, for all users.

    • by thegarbz ( 1787294 ) on Wednesday August 21, 2024 @12:08PM (#64724310)

      Clearly, this "Sky" service was not actually end-to-end encrypted in the usual understanding of what that entails.

      Of course it was. In fact for a long time they ran an uncollected $5million bounty to see if anyone could crack the communication. The issue appears to have been the distribution of a fake "Sky" app which was compromised by Dutch police which in turn led to arrests which in turn led to access to devices which in turn led to more communications exposed and more arrests.

      Your end to end encryption is useless if I take your unlocked phone from you and read your messages on your own screen.

      The only thing "clear" is that our favourite Slashdotter gweihir not only posts without understanding what is going on, but even admits he has no clue in the post.

      • by gweihir ( 88907 )

        Nice collection of nonsense you have there. Ever did any actual risk management? Obviously not.

        • Yeah, daily. It's actually my primary job. But interesting that you didn't once counter anything I said, just called it nonsense and flung an insult.

          Typical gweihir. Don't ever change, you provide all the laughs here on Slashdot.

          • by gweihir ( 88907 )

            Yeah, daily. It's actually my primary job.

            I pity whoever employs you. You miss about 90% of the picture.

    • The encryption is only as good as the update mechanism and the key exchange.

      Lets say Signal was completely taken over by the CIA/NSA. They could NSL Google and Apple to selectively push updates with compromised apps (the odds of criminals checking reproducible builds is very small) or they could take over the servers and get the mobile phone company to fuck with the mobile phone account of someone central and the next time there's key exchange do a MITM attack (the odds of criminals doing in person safety n

      • by gweihir ( 88907 )

        Obviously. End-to-end does include that the end-device needs to be secure. And quite a few other things.

        As to MITM, no. That does not work with properly implemented end-to-end encryption.

        • MITM always work as long as you control the original key exchange, no amount of ratcheting helps if they can fool you about the identity of the other party, that's why the safety numbers exist.

          You can't compromise that after the fact, without a nasty warning about identity key changes due to pinning, but you can manipulate someone into reregistering and do the exchange "right" the second time.

          • by gweihir ( 88907 )

            That is complete nonsense. A proper key-exchange is not vulnerable to MITM. You are probably talking about key distribution, which is an entirely different question. Sure, if you do not have an authentic key of your communication partner, MITM becomes possible. But even a bloody amateur could see that, so authentic keys are obviously assumed.

            • Proper key exchange requires a pre-existing secure channel to solve identification.

              So in this case the secure channel set up by the server public keys in the app and an uncompromised server. Break those assumptions and what's left is improper key exchange, indistinguishable from proper. All the app can do is pin keys and hope the server was not yet compromised and allow checking of safety numbers (which next to no one does).

  • I'll be interested to see if this makes people lose faith in services like Signal. Which, I think the feds running a fake phone company was totally designed to do as well.
    • by CAIMLAS ( 41445 )

      Yeah, I have no pretense of Signal actually being secure end-to-end at this point. It's well known that it's used by CIA to both monitor opponents using it, and that they use it for their own ends.

      • Citation?
      • Do you have a source for that? Everything I've read on the CIA and Signal indicates that Signal is safe and the CIA got the info through other vectors.
      • The likely ploy is that Signal is secure - which entices users to say things they should not on insecure endpoints, which are intruded by MWG's..

        However they tipped their hand with their "spam checks" - we now know the servers can shut down any endpoint they want and with sufficient traffic correlation that can be rather specific.

        So, good for chatting about groceries but don't plan your next Venezuelan coup on it.

      • I'd like to see a citation on that, too.

        Let me help you out a bit here though.
        Signal uses what I'm calling Zen-fu. It does what it says it does. It also does 2 things that "people" just shrug and ignore as irrelevant. So the gambit is no secret, but "people" are too dense to understand that meta-data can be more valueable than the actual content of your messages.

        It *is* a secure encrypted messaging app. That is true, so your messages and voice calls are encrypted. However, the *commercial* version of Signal
      • No, it's almost certainly secure end to end at the moment. It's just not entirely relevant.

        In an extreme emergency America's hold over Google/Apple allows them to compromise the encryption with updates. In the meantime NSA has taps on all IP and mobile phone traffic to use traffic analysis for metadata mining, whereas foreign intelligence agencies do not. The advantage of a centralized service with servers in the US ... it's in their best interest to not compromise the encryption outside of extreme emergenc

    • It depends on the attack profiles. To keep stuff private between friends and not go outside of this, something E2EE like Signal is good enough. However, when the value of the info is so high that it attracts nation-states' attention, then just trusting an app on a consumer grade device isn't going to do the trick.

      For what I do, Signal is secure enough. I'm well enough assured that when something falls off a chat in a day or so, it is gone forever, like a picture of a new 3D print I made. However, if thi

    • The courts are already illegally using screenshots of messages as evidence in criminal proceedings, nevermind Signal has OTR messaging as a core advertised feature meaning even if you have someone's phone you can't prove which party of a conversation wrote it. To fight things like that in court takes hundreds of thousands of dollars of expert testimony per-case, because the state is unwilling to accept that it's inadmissible due to technical incompetence and a desire to exploit that technical incompetence
  • It's correctly said as "End to-end-encryption". It's an end, to put a stop to encryption. Or you can think of it as being encrypted to the end user. But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

    • Comment removed based on user account deletion
    • by gweihir ( 88907 ) on Wednesday August 21, 2024 @10:50AM (#64724010)

      But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

      That is bullshit. If done right, nobody can decrypt anything on the fly just because they see traffic. If the key-management and encryption is done right end the end-device is secure, nobody can read any messages. Some insights into modern cryptography required.

      • Re: (Score:3, Insightful)

        Comment removed based on user account deletion
        • The NSA and CIA would certainly benefit from such a discovery.

          Their immediate next step, however, is to appraise which other global actors might also be aware of the vulnerability. They'll gauge this by measuring the depth of research required to identify the vulnerability and correlate that to estimates of dedicated research resources in China, North Korea, Russia, etc. This step is critical because it identifies what communications may already have been intercepted by those actors and whether it's safe
        • by NicknameUnavailable ( 4134147 ) on Wednesday August 21, 2024 @12:20PM (#64724356)
          They don't need to break SSL, they just need to break the root CAs, which has been shown to have been done in numerous public news articles over the decades.
          • by gweihir ( 88907 )

            You trust the CA-system for anything besides casual web-security? Oh sweet summer child...

          • Comment removed based on user account deletion
        • Sure but can you be sure your employees who you paid for their time to figure out how to do it might not want to cash in when their contract expired?
      • by mjwx ( 966435 )

        But you can bet that the government that invented the internet is capable of decrypting all internet traffic on the fly.

        That is bullshit. If done right, nobody can decrypt anything on the fly just because they see traffic. If the key-management and encryption is done right end the end-device is secure, nobody can read any messages. Some insights into modern cryptography required.

        If you've done encryption really, really well, no one can read it... not even the intended recipient.

  • by alanw ( 1822 ) <alan@wylie.me.uk> on Wednesday August 21, 2024 @10:46AM (#64723974) Homepage

    non-paywalled copy [courtwatch.news] at Courtwatch

  • I wonder what percentage of the messages are from other services that they didn't have warrants for.

  • Legalize drugs now (Score:4, Insightful)

    by rsilvergun ( 571051 ) on Wednesday August 21, 2024 @11:31AM (#64724136)
    So we have the federal government trawling through huge amounts of encrypted data and messages. Working hard to develop increasingly powerful techniques for decrypting private data. And bringing the resources of a nation state to bear to do it.

    All of this largely in the service of a drug war that has been an abject failure.

    Legalize all drugs. Treat the hard stuff as a medical condition. Don't allow the hard drugs to be sold by private companies because we can't trust private companies with something that deadly and dangerous. Take the savings from the drug war and spend it on addiction therapy.

    That last one is the hard part. Everyone agrees we should do it but when it comes time to do it drug addicts or some of the most horrible people you can imagine having been changed by their addiction in bad ways and it's really hard to get people behind treating them humanely and spending what seems like a lot of money on doing that. Never mind the fact that there are just some drug addicts who are never going to kick the habit fully and we end up just kind of supporting them. It's still way way less money and way better than the drug war but it feels really awful in a sort of lizard brain way
    • I mostly agree with this, though, I don't mind private companies trying to sell.

      At the end of the day, this is the government saying "you don't actually own your body; you can only do with your body what we allow you to". It's just old-school puritan thinking that the US still hasn't been able to break away from, even with how badly the War on Drugs has failed.

      • private companies are the worst possible sellers of drugs! I'd rather have thugs on every street dealing than big corporations with advertisers, lobbyists etc. Private sales on the black market is not good and organized crime is worse but on the open market as legal business it would be on a whole other level. They already push known drug problems for a decade or more before government finally does something about it. Plus nobody would go to jail at all... except maybe some whistleblowers.

        Government giving

      • If you let them sell an ultra addictive heavily damaging substance like heroin or meth they're going to do just that and they're going to optimize their sales.

        Preventing private companies from selling hard drugs doesn't prevent consumers from getting those hard drugs. It's the exact opposite.

        What it does do is remove the profit motive. You can't have a profit motive mixed in with something that destructive and dangerous. They'll be putting it in breakfast cereal before you know it.

        If we're going
    • Legalize all drugs. Treat the hard stuff as a medical condition. Don't allow the hard drugs to be sold by private companies because we can't trust private companies with something that deadly and dangerous.

      Sure, because we can clearly trust the black market entities that currently exist with that. They're the ones putting fentanyl in places where it doesn't belong. Much like the bootleggers never gave anyone a bottle poison on accident. The states that tried unrestricted drug access have already started rolling it back [nytimes.com] because they were incapable of treating addiction, which if you've ever had the misfortune of dealing with, is practically an impossible task. Until you're willing to require personal responsib

      • What Oregon found is that we've been doing this for so long -- out of sight, out of mind -- that we simply weren't prepared to help addicts. Whatever they did, Prison, as awful as it is, saved more lives based on whatever metrics.

        But we can't just stop now. What you described here is already the steady state of the War On Drugs:

        If you want unlimited freedom then you need to accept part of that is letting crack or meth heads die out on the street because there's nothing that can help many of them and they ca

      • There won't be any profit motive. It's kind of hard to make money off a product that you can get for free.

        The only reason why I don't think we should let private companies sell hard drugs in the first place is because they will quickly lobby to shut the government down from giving it away for free.

        It's kind of like how the private health insurance companies simultaneously argued that the public option in America for health care would be terrible and everyone would be denied care and die while also a
      • by kackle ( 910159 )
        +1 It's like allowing the blind to drive cars and paying for all of their damage, too. Otherwise, I don't care what one does to his body.
    • I think we have to look at legal marijuana as an example. Legal weed shows that; municipalities allowing sales push tax way way way too far; the regulations on industry guarantee high prices; enforcement of illegal operations go almost unchecked.

      I'm all for legalization but we need to address what that means, and it does not mean a cash cow. We can learn from our mistakes.

      • Between marijuana and heroin or meth just like there's a world of difference between alcohol and heroin or meth.

        When I say hard drugs those are the ones that are immediately indestructively addictive and are typically used to cope with extreme stress and mental illness.

        These kind of drugs need to be treated as a severe medical condition starting by curing the addiction and then working at the underlying causes as best we can.

        The challenging part is keeping the profit motive out of that entire ex
    • And, when the concept of recreationally altering your brain chemistry is completely legalized, shareholders will force pharmaceutical companies to maximize profit by making recreational drugs that don't undermine the customer's ability to earn money and buy more of them in the future. In fact, drugs that make the customer maximize their earning ability and then spend all those earnings on the drug should be the ideal creation.
    • All of this largely in the service of a drug war that has been an abject failure.

      You are forgetting one huge aspect of this: The people who are running drugs would be running other illegal stuff, so catching them is a high priority regardless if it is about drugs or weapons or counterfeits.

      You are correct that drugs shouldn't be treated the way they are; however, you are wrong that any money will really be saved.

  • ...on prosecuting drug traffickers while scammers and cybercriminals run wild
    Law enforcement needs to adjust its priorities

  • There hasn't been this much of a need for law enforcement to use parallel construction since the whole Stingray IMSI catcher thing was still secret.

  • It's worth noting that this wasn't an "encryption failure". This was an intelligence action where they operated the wireless company for something like 18 months. It's interesting to see domestic prosecutions, since I thought they decided that it was inadmissible in domestic courts because it involved an intelligence agency.

Single tasking: Just Say No.

Working...