"Any criminal that uses an encrypted phone should be very, very worried"
July 2, 2020 6:21 AM

International cooperation between police forces enabled them to spy on an encrypted phone network, Encrochat, since the 1st April 2020. The result is a massive operation arresting 746 suspects in the UK alone.

The UK police forces also seized:
  • Over £54million in criminal cash
  • 77 firearms, including an AK47 assault rifle, sub machine guns, handguns, four grenades, and over 1,800 rounds of ammunition
  • More than two tonnes of Class A and B drugs
  • Over 28 million Etizolam pills (street Valium) from an illicit laboratory
  • 55 high value cars, and 73 luxury watches
"In addition, a specialist NCA team, working closely with policing partners, has prevented rival gangs carrying out kidnappings and executions on the UK’s streets by successfully mitigating over 200 threats to life."
This was echoed by results in the Netherlands, France and other countries.
posted by Stark (33 comments total) 12 users marked this as a favorite
 
If Encrochat servers had access to decrypted messages then the whole system was a sham from the get-go.
posted by grumpybear69 at 6:39 AM on July 2, 2020 [8 favorites]


I'm just happy those 73 luxury watches are off the streets.
posted by charismatic megafauna at 6:44 AM on July 2, 2020 [31 favorites]


They didn’t have decrypted messages on the servers. There was malware installed to the phones by law enforcement agencies which were mining the messages en masse.

Security is a spectrum, not a binary thing. Most of what keeps us secure is our unattractiveness as targets. It’s all just one giant cost-benefit analysis on the part of our adversaries. Most of the security precautions we take (2FA, independent passwords for each site) are just to stop automated hacking from harvested passwords. The amount of resources required to snoop on someone’s recipe sharing isn’t really justified in the grand scheme of things. Drug dealers? Murderers? They’re going to attract the maximum amount of attention and LE will move mountains to break their security.
posted by Your Childhood Pet Rock at 6:47 AM on July 2, 2020 [16 favorites]


Well, at the very least LE will lean on other people to move mountains to break their security.
posted by Walleye at 7:01 AM on July 2, 2020


> Drug dealers? Murderers? They’re going to attract the maximum amount of attention and LE will move mountains to break their security.

Dissidents? BLM? antifa?
posted by Botanizer at 7:02 AM on July 2, 2020 [30 favorites]


Let me just say I'm not surprised the French Authorities have given themselves the legal cover to hack into whatever devices they please in the name of Law Enforcement. They have a history of this.
posted by some loser at 7:02 AM on July 2, 2020 [1 favorite]


"Do you know anything about Encrochat? Contact us on Signal!" uh... so...
posted by mhoye at 7:13 AM on July 2, 2020 [4 favorites]


Seriously, if you intend to do any organizing at all, do it offline. If you ever actually start to make a difference in the world, the full weight and force of the oligopoly-controlled surveillance state will crash down on you hard. Learn traditional opsec methods, master the one-time-pad technique. No joke.
posted by seanmpuckett at 7:30 AM on July 2, 2020 [10 favorites]


Criminals or Freedom Fighters?
posted by sammyo at 7:33 AM on July 2, 2020


When encryption is illegal only criminals will have encryption.

Er, or something.
posted by chavenet at 7:34 AM on July 2, 2020


> Security is a spectrum, not a binary thing. Most of what keeps us secure is our unattractiveness as targets.

Security is boring.

What one needs to do to keep secure is 10% tech and 90% perspiration. (to abuse an old platitude) Go back and read what Glenn Greenwald and Laura Poitras did to keep their discussions with Snowden private, largely great care at small details. There are excellent discussions about their process with just a bit of googling (don't use Google :-) Such as never using the same Starbucks twice and even randomizing that. It's very doable for anyone.
posted by sammyo at 7:45 AM on July 2, 2020 [5 favorites]


>There were 60,000 users worldwide and around 10,000 users in the UK – the sole use was for coordinating and planning the distribution of illicit commodities, money laundering and plotting to kill rival criminals.

This is evil, propagandistic horseshit. Encryption is for everyone and to brand every user of this service as criminal is utterly sinister.
posted by Catblack at 8:00 AM on July 2, 2020 [9 favorites]


Encryption may be for everyone, but Encrochat phones certainly were not.
posted by dmh at 8:07 AM on July 2, 2020 [9 favorites]


> Encryption is for everyone and to brand every user of this service as criminal is utterly sinister.

I mean yeah but it seems this was explicitly marketed to criminals, for crime.
posted by OverlappingElvis at 8:08 AM on July 2, 2020 [3 favorites]


Sounds like most of the crime was drug dealing. Should these drugs be legalized and regulated instead? Would that be a more effective way to get violent criminals out of the business?
posted by clawsoon at 8:24 AM on July 2, 2020 [3 favorites]


> 1,800 rounds of ammunition

That's all? I have more than that sitting on my coffee table right now.
posted by glonous keming at 8:28 AM on July 2, 2020 [2 favorites]


Hopefully you're not in the UK though.
posted by pipeski at 8:29 AM on July 2, 2020 [6 favorites]


> 77 firearms, including an AK47 assault rifle, sub machine guns, handguns, four grenades, and over 1,800 rounds of ammunition

The fact that this HUGE criminal sting produces less firepower than exists in at least each of two people's houses I know personally in the US completely validates gun control and makes all this 'only the criminals will have guns' stuff complete nonsense. This is the reason the concept of 'false flags' and normalising of school shootings is utterly bizarre in US culture outside of this warped 'I wish it were still the Wild West' perspective nonsense.
posted by Brockles at 8:32 AM on July 2, 2020 [21 favorites]


There's a big difference between the cops being able to install malware on a mafioso's phone (or, indeed, an activist's), at considerable operational expense, and being able to suck up everybody's plaintext to go fishing in for subversives and troublemakers. The difference is scalability. Scalable surveillance is inherently totalitarian.
posted by acb at 8:36 AM on July 2, 2020 [5 favorites]


> This is evil, propagandistic horseshit. Encryption is for everyone and to brand every user of this service as criminal is utterly sinister.

I don't know why anyone bothers linking to actual current events on this site. Everyone's already made up their mind what they're going to write before they're even 3 words into the title. It's an interesting thing that's happened here, but there's nothing to talk about if everyone who might have an interest in the details of organised crime in Northern Europe is drowned out by knee-jerk shouters.

I mean, The Guardian gave a cost to join the network of £1500 for 6 months, if that's of interest.
posted by ambrosen at 8:47 AM on July 2, 2020 [15 favorites]


The key part of this story to me is that the Encrochat phones were special phones manufactured and sold explicitly to run this one encrypted app. With a customized operating system, at that.

And according to the article, they were marketed to and bought by criminals. It's like a special secret social network for bad guys. At least, that's what the Vice article is saying. That's quite a different thing from police hacking general purpose phones, or stealing unsecured SMS messages with blanket warrants, etc.
posted by Nelson at 8:59 AM on July 2, 2020 [5 favorites]


If they'd only arrested some of them and heavily hinted there were moles in their organisation surely the rest of the problem would take care of itself? And then they could have kept their advantage secret.

I'm beginning to suspect I'm not a very nice person.
posted by Grangousier at 9:00 AM on July 2, 2020 [2 favorites]


I'm kind of amazed that an operation like Encrochat was anything other than a law-enforcement operation to begin with. Did the creators have some kind of special bona fides among their customer base, or were these particular criminals just really trusting?

(Or, as the article seems to suggest, was this basically a network effect for many of the malware victims -- perhaps they couldn't really compete without using Encrochat (any more than a modern business could compete without email), so they had to accept it as another risk of doing business?)

Still, even/especially for those who felt compelled to use Encrochat, it seems weird that they would have apparently dropped all semblance of opsec when using it. An organization that approached Encrochat with the same wariness as they would have approached an unencrypted phone connection would presumably have had much less exposure here -- but this perhaps gets back to the point that security is hard work, and time spent on it is time not spent building market share.
posted by Not A Thing at 9:13 AM on July 2, 2020 [5 favorites]


> I don't know why anyone bothers linking to actual current events on this site. Everyone's already made up their mind what they're going to write before they're even 3 words into the title.

Fucking seriously. The hot takes on the blue are out. of. hand. Please RTFA, mefites.
posted by j_curiouser at 9:45 AM on July 2, 2020 [10 favorites]


> If they'd only arrested some of them and heavily hinted there were moles in their organisation surely the rest of the problem would take care of itself?

Great plot for a crime novel/show. It certainly is a trope that is used mostly as a throwaway moment often enough, is it something that occurs in real life? I can't imagine that it could be a policy. With the rampant reuse of basic crime plots the utter unethical and hopefully illegal actions could make for an interesting theme of a crime drama.

Another trope is "is there honor among thieves?" In this case sort of:

Encrochat decided to shut itself down entirely.

"Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device," a message Encrochat sent to its users read. "You are advises [sic] to power off and physically dispose your device immediately," it added.

The company web site is still online. No price information. Sounds pretty expensive, past tense. If there are any serious banditos reading this, Encrochat was the leader but capitalism quickly fills the vacuum, from a competitor:

CRYPTO ACCEPTED | DODGED THE MASS EXTINCTION EVENT? GET 10% OFF ALL PHONES & SIM!

(seems less than ethical to include an actual link, easy enough to find, cough, buyer beware)
posted by sammyo at 10:54 AM on July 2, 2020 [1 favorite]


Encrochat physically removed or disabled cameras, microphones, and GPS in otherwise ordinary, cheap Android devices that were manufactured by a small Spanish company. I wonder if such hobbling was seen by criminal organizations as the main benefit of using these phones, because I wouldn’t expect a company like this to build a more robust, secure OS and messaging app than anyone else could. And since it sounds like they were tied to one particular SIM service provider (which likely cooperated with investigators), it would have been that much easier for governments to target customers.

Using an app like Signal on an iPhone seems like it would offer pretty sufficient security and privacy, but then you wouldn’t be able to prevent members of your organization from being careless with their devices in other ways like enabling iCloud backups or using other, less secure apps.

As an aside, the rival phone company mentioned at the end of the article has a name that’s just a little too on the nose.
posted by theory at 11:04 AM on July 2, 2020 [3 favorites]


Something wasn't right. Starting earlier this year, police kept arresting associates of Mark, a UK-based alleged drug dealer.
I'm reminded of that scene in The Wire with Stringer and Avon sitting around saying WTF!? as their organization was being rolled up.

> then you wouldn’t be able to prevent members of your organization from being careless with their devices in other ways like enabling iCloud backups or using other, less secure apps.

That is a huge benefit. Standard phones leak data all over the place by design (not only Google and Apple directly but so many apps) and maliciously (see TikTok and Facebook).

Law enforcement agencies had acted against encrypted phone companies before. In 2018, the FBI arrested the owner of Phantom Secure. The FBI tried to convince the owner to install a backdoor into the communications system—he declined—before shutting the network down itself.
Eerily familiar to the shutdown of TrueCrypt.
posted by Mitheral at 12:24 PM on July 2, 2020 [1 favorite]


I wonder how Signal keeps running, and whether this has anything to do with the fact that, while the client is open-source, a client compiled from the public source will not be allowed on the official Signal servers, only the official blessed binary will.
posted by acb at 2:37 PM on July 2, 2020 [2 favorites]


2016: Evidence suggests Encrochat is working with the NSA and other authorities. Not clear this allegation is well substantiated at the time, but an interesting read.
posted by Nelson at 2:42 PM on July 2, 2020


The world of encrypted phone makers and resellers sure looks sketchy.

That Medium post about Encrochat working with the NSA could very well just be mud-slinging by a rival company. For anyone interested here's a (cached) response from someone claiming to be affiliated with Encrochat (maybe a Canadian reseller?). And here's another Medium post a few days later.
posted by theory at 5:44 PM on July 2, 2020 [1 favorite]


> Eerily familiar to the shutdown of TrueCrypt.

I think you mean Lavabit? TrueCrypt was/is standalone disk encryption software.
posted by atoxyl at 10:33 PM on July 2, 2020


I was meaning TrueCrypt which IIRC the maintainer abruptly not only stopped supporting but also pushed out a final version that only decrypted the files. Speculation at the time included the idea that the NSA or other alphabet soup US agency attempted to get him to insert a back door and he just killed the project rather than acquiesce to their demands.
posted by Mitheral at 10:47 PM on July 2, 2020 [6 favorites]


> Dissidents? BLM? antifa?

Plus: citizens, any of them or us.

Add a few more "very"s to the title quote and replace "criminals" with "citizens" to get the best picture. Criminals expect enforcement intervention, citizens might not (though in these times, you should).
posted by filtergik at 6:01 AM on July 4, 2020 [1 favorite]

