Anom Encrypted App Analysis(webcache.googleusercontent.com) |
https://web.archive.org/web/20210608102417/https://webcache....
(Since, as we all know, Google’s webcache won’t last)
Since the Encrochat scare I would imagine no dealer in their right mind would ever use a crimephone again.
Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.
Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.
Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."
I do think this attack, as you imply, simply highlights how hard it is for even motivated consumers in the market to make actually secure choices, which in turn is why the market underemphasizes real security improvements.
People make this mistaken assumption constantly.
Also, if a criminal had enough intelligence, they tend not to be criminals. Very rarely do you find full-blown intelligent criminal syndicates.
Mostly you'll find that basic human heuristics, like security through obscurity, are the height of security.
They made it invite only
They also made it a 6 monthly subscription fee
I know I'll get told off again for finding this very very funny, but honestly these guys got duped and deserved it.
I thought this article would be a genuine analysis by a security researcher as a tie-in to the news today:)
This analysis came out a couple months ago, and was exactly correct. Also, you are blaming the style of the writing but ignoring the substance, which is that the app is most definitely making encrypted connections where it has no need to do so.
The points might have been valid but the language is not instilling any kind of confidence: "This is an ENTERPRISE MILITARY GRADE Encrypted setup." doesn't exactly make it seem like a security researcher who knows what they're talking about. And add many other words capitalised for maximum shock effect: "imagine you were meeting up with someone like an EX-LOVER your partner may not approve of"
It all sounds very much FUD and biased. If you do a good analysis, this is not how you present it.
The main points he really makes are poor endpoint security (not uncommon in this market, as many such networks have been breached) and that he noticed some suspicious traffic, which is indeed a telltale that something more is going on.
But it sounds way too much like someone with 'skin in the game' was trying to spin it and turned out to be right.
It seems they use off-the-shelf phones and put a custom ROM on them. Can anybody recommend a state of the art phone that has good custom ROM support (close to mainline Linux if possible; custom images have full hardware support)?
I imagine to use it for "citizen journalism", i.e. safely taking pictures and posting them anonymously to social media. For that reason the PinePhone would be out - it doesn't have a very good camera and doesn't run social media apps.
I wonder why this blog was deleted by the author. Get a phone call from the FBI?
I mean, it's pretty clear to me that (a) criminals are highly unlikely to see this blog and (b) if they did, so what, they wouldn't have understood it/believed it anyway. Half the comments on HN don't give it any credence because it's written by someone whose first language is obviously not English and who likes hyperbolic ALL CAPS, despite the fact that the underlying analysis is valid.
I'll take "Signs someone doesn't know what they are talking about for 200, Alex"
OHOOO Enterprise level encryption...FIPS :)
Stay away from both.
Classic.
No matter how powerful the infrastructure or skilled the local personnel, some countries are doomed to be put always in the same bucket by certain people from certain other countries.
You didn't even have to read that much into the article to spot the ignorance. Whether by gun, "law", or money, there's no place where your data is untouchable. But you could have stopped right here:
> This is an ENTERPRISE MILITARY GRADE Encrypted setup.
The famed "military encryption".
Estonia is a third world country. Total breakdown of any governmental administration, corrupt, etc. (don't ask how I know)
This analysis was written by law enforcement in advance of the takedown to promote the next backdoored app.
VPNs work fine on them. You can set up your own tor nodes to VPN in behind from another VPN, etc. A tinfoil hat can have many layers.
It just won't be a cheap secondary burner toy phone because they're so expensive.
I guess gangsters only trust other shady types to sell them stuff. In this case the trust was misplaced because they stored all the keys centrally and the cops were listening in for months before they shut it down.
I'd try this: https://wiki.lineageos.org/devices/
Why? They are used by gangsters. These are not nice people. They are not people with innocent secrets they need to keep from those who would oppress them. They are people who murder, who ruin lives, and who undermine peaceful society.
You would objectively be making the world a worse place by helping them. Why would you want to do that?
1. The Police
2. The Financial Supervision of Estonia and Madis Reimand (Head of Estonian Financial Intelligence Unit)
Having worked for military and police enforcement in the US before, I can say with confidence: if you want to do a financial scam, do it in Estonia. Nobody will care. Seriously. (and don't worry, Madis knows who I am)
The greatest moral failure of Silicon Valley and American tech was enabling human rights abuses on a massive scale by selling hardware and software to oppressive and ultimately illegitimate governments during the early days of the internet. The ship has sailed on that one now, perhaps, with the early assistance in building the Great Firewall of China for example.
There remains a moral obligation for American companies to build secure communication platforms for the internet. Instead they drift further, yielding to demands from governments to host data (which often never should have been stored) locally.
The most disturbing trend I have seen over the last decade on hacker news is the shift from support of an open and free internet to an internet of control and censorship. I can only conclude that all is lost if the core engineers and hackers who build and design these systems can no longer explain why this is important but rather argue why the internet shouldn’t be secure.
There are many unintended implications to this, one being that American intelligence agents can no longer operate safely abroad. Others include the withering of development in the protocols and standards from which the internet was born, and a redirection of talent and resources to private companies and private networks which are constructed in a way to build monopolies and then extract rent from their users. Facebook could be built on the web, but nothing lasting could be built on Facebook.
That’s my rant.
That said, one huge caveat: any stock, internet-connected phone is always one law away from being rendered completely transparent to law enforcement with legal jurisdiction over the place of sale.
In the US, for example, Congress could write a law that forces a back door.
The back door doesn’t even have to be to the encryption keys or algorithm, but could be a simple screen capture interface that can be remotely triggered with a warrant.
At least there’s this:
> The Assistance and Access Act contains an express prohibition against building or implementing any weakness or vulnerability in software or physical devices that would jeopardise the security of innocent users. This is found in section 317ZG of the Act which also makes clear that any assistance that makes a system's encryption or authentication less effective for general users is strictly prohibited. This same section prohibits the construction of new decryption capabilities and rules out any requirements that would prevent a company from patching existing security flaws in their systems.
You'll be hard-pressed to find a more secure hardware platform on Android.
https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app...
Short of living in a shack in the woods, we will all have to trust someone at some point. I'm content to trust Apple to not lie on their documents, so the more important security and privacy checkboxes are ticked.
Anything you can point me to read about that?
There is no way to know whether either of those services were compromised, simply due to their express purpose of forwarding everything to government agents' computers.
They're just simply not capable of providing users any of the assurances they claim in a way the user can ever have the assurance of.
https://www.reuters.com/article/us-mexico-telecoms-cartels-s...
A bit like buying Apple, which is also very expensive.
On a side note, conning international criminals carries a level of risk to one's health...
For an encrypted phone network that's pretty much the opposite of working well. Even with the servers compromised the network should remain secure. Like it is with Signal and even WhatsApp.
I always wonder why such networks make mistakes like storing key material centrally. I suppose telling a crime lord that he can't have his messages back because he forgot his PIN code is not fun. But neither is having their network cracked by the police I guess.
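The design point in the two comments above (a seized server should yield nothing unless keys are held centrally), as an added illustration that is not from the thread or from any of the apps it discusses: a toy relay server in two configurations, one that escrows the conversation key and one that only ever sees ciphertext. The stream cipher is a deliberately simple SHA-256 keystream stand-in so the example runs offline with the standard library, and the names `RelayServer`, `run_scenario` and the sample message are constructed for the example.

```python
import hashlib
import secrets

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: keystream block i = SHA-256(key || nonce || i).
    It stands in for a real cipher so the example needs no third-party library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, message: bytes) -> bytes:
    return keystream_xor(key, message[:NONCE_LEN], message[NONCE_LEN:])


class RelayServer:
    """The provider's server: it always relays ciphertext; whether it also holds keys is the design choice."""

    def __init__(self) -> None:
        self.escrowed_keys = {}  # conversation id -> key, only populated in the central-key design
        self.mailbox = []        # (conversation id, ciphertext) as relayed

    def store_key(self, conversation: str, key: bytes) -> None:
        # Central key storage ("so users can get their messages back"): the mistake the thread discusses.
        self.escrowed_keys[conversation] = key

    def relay(self, conversation: str, ciphertext: bytes) -> None:
        self.mailbox.append((conversation, ciphertext))

    def seize(self) -> list:
        # What someone who images or operates the server recovers: plaintext wherever a key was
        # escrowed, and only opaque ciphertext (shown as None) where keys never left the devices.
        return [decrypt(self.escrowed_keys[c], ct) if c in self.escrowed_keys else None
                for c, ct in self.mailbox]


def run_scenario(central_keys: bool) -> list:
    """Constructed scenario: one conversation, one message, then the server is seized."""
    server = RelayServer()
    key = secrets.token_bytes(32)  # generated on the client device in both designs
    if central_keys:
        server.store_key("alice-bob", key)  # the provider keeps a copy
    server.relay("alice-bob", encrypt(key, b"meet at the usual place"))
    return server.seize()
```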
True, but so does cooperating with authorities to be a honeypot. Branding yourself as a legitimate business for criminals is a Bad Idea for the very reason Encrochat learned. The criminals should be thinking the same way.
https://www.zdnet.com/article/whats-actually-in-australias-e...
There may be some level of encryption, it acts like a company set up by the government or made to be tapped into.
This wasn't conspiracy theory fiction even before Anom, as there are other examples of governments, especially the US government, doing this already. Just let Anom be another more clear-cut reminder that it doesn't matter who you trust that uses a software; if it doesn't pass some key criteria then don't use it. There is no "I'm sure this large group of people thought of that"; just assume they are stupid, negligent, thought the same as you did and nobody attempted any scrutiny, or are all informants themselves.
I'm not aware that Encrochat did anything of the sort.