this post was submitted on 03 Dec 2024
Privacy

1322 readers
2 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
 

Does that mean that other apps like signal for example have back doors?

Do criminals have a knowledge of exploits in the recommended messaging apps?

top 26 comments
[–] [email protected] 45 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

You're missing the #1 reason organized criminals prefer their own service: to have trusted staff who control everything — the servers, code development & deployment — who can't be ordered by a court to shut off access to individuals at any time, or to provide metadata, eavesdrop, etc.

The weakest link with legal services like Signal is that they can be compelled by law enforcement, the judicial system, and government... That's an enormous risk for any organized crime operation. Even a minimal amount of metadata collection can do a lot of damage, especially if it's analyzed over months/years, and especially when performed by an advanced persistent threat actor like a nation state.

[–] [email protected] 15 points 3 weeks ago (2 children)

I disagree; stupid self-developed systems leak so much more. I think the number 1 reason is, surprise surprise, stupid people.

Also, plenty of criminals and organized crime groups use standard tools like Telegram (which is way worse than Signal).

[–] [email protected] 20 points 3 weeks ago

I think you're both right. I think the non-stupid people with successful self-developed systems simply aren't talked about, because they don't get caught, because they're not stupid.

[–] [email protected] 4 points 3 weeks ago (1 children)

It probably depends on the level of the criminals and organized crime groups. I saw this YouTube video a couple of weeks ago that talks about the history of how organized crime groups were using encrypted communication: https://www.youtube.com/watch?v=gigIOc_0PKo (and how they were honey-potted by the FBI into using an FBI-hosted service, lol).

Organized crime groups that make hundreds of millions should be capable enough to hire skilled developers and sysops to host self-managed services. At some point, if they make enough money, investing in self-managed communication becomes preferable to using Telegram or Signal.

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago)

There are multi-million companies that get hacked left and right; money does not mean intelligent security measures.

Also, the best option is the big ones: anyone who wants real security and privacy should use something that already exists. Sure, maybe not Signal (even though for anything less than a state actor it is plenty), but there are plenty of self-hosted or decentralized communication apps out there.

Anyone who builds their own app is very likely making a bad decision.

Just a reminder that one of the most wanted men in the world, by the most capable state in the world (Snowden), is using Signal.

[–] [email protected] 1 points 3 weeks ago (2 children)

Theoretically, Signal only has your phone number and time of sign-up, which means theoretically it shouldn't matter if the legal system asks them for information.

[–] [email protected] 9 points 3 weeks ago (2 children)

... theoretically. In practice if the NSA used a secret court order that banned them from talking about it and made them update the app to reveal plaintext for one particular person, I don't see how they could get out of that (other than by breaking the law and risking jail).

I think the chances of that are very small though.

[–] [email protected] 6 points 3 weeks ago

There is legislation in Australia that allows precisely this. Then Five Eyes or Interpol or whatever for everyone else.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago)

...that's a terrifying but also plausible prospect. Guess it's a reason not to use the published app and instead build it yourself.

[–] [email protected] 8 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Yeah, and if a nation-state knows your phone number, they can track your exact whereabouts in real time. Let's not pretend like we know better than them about what information matters :)

[–] [email protected] 2 points 3 weeks ago

...yeah, and if they went to Signal to ask about you, they're going to provide Signal your phone number, as it's the only identifier they have in their system... so the nation-state already had that to begin with; it isn't sensitive info despite what it can be used for.

[–] [email protected] 16 points 3 weeks ago

The average criminal is no dumber or smarter than the average non-criminal. As such, they're every bit as subject to marketing ploys and mis/disinformation. So if their criminal buddies are using BaddieApp Pro, they probably will too. Or if they hear that Bill Gates is using the Signal app for mind control, there's a good chance they'll believe it.

[–] [email protected] 13 points 3 weeks ago (3 children)

I've definitely also thought about, if our government gets taken over by fascists, how do you organize a rebellion?

And yeah, Signal definitely has some weird fucking shit going on. As far as I'm aware, they don't allow you to use their centralized servers, if you don't use their provided build of the app. They don't seem to have a mechanism to enforce that, so you could still use a self-compiled build, but if all your friends are on a compromised client, you can't talk to anyone anyways.

Well, and then there's also the great stupidity that Signal requires a phone number. In my country, you can't sign up to a mobile phone plan without revealing your full identity. If the fascist government realizes that I'm part of the rebellion, they can make my phone number disappear in unfortunate circumstances.

So, yeah, I'd at least want to self-host the communication platform. I'd probably use an existing open-source solution, but would try to audit at least part of it...

[–] [email protected] 3 points 3 weeks ago (1 children)

Pretty sure Signal supports usernames now.

[–] [email protected] 7 points 3 weeks ago (1 children)

I thought I heard so, too, but when I tried to research it, all that came up is that you can publicly hide your phone number and instead give people your username, but you still need the phone number for sign-up. I really do not know, though, if search engines are failing me again...

[–] [email protected] 5 points 3 weeks ago

That's correct, you still need a phone number for sign-up. Between contacts you can use usernames.

So Signal has your phone number; your contacts only have it if you use your number instead of giving them a username.

[–] [email protected] 2 points 3 weeks ago

Just use an XMPP client instead of Signal.

[–] [email protected] 2 points 3 weeks ago

I think that simply knowing about PGP and using it with traditional platforms will go a long way. If you add some steganography to the mix, it can go a long way.

[–] [email protected] 11 points 3 weeks ago (1 children)

Let's put it this way: there are criminals that use WhatsApp, Twitter, and the like for communication. They don't really last, for some reason. Then there are those who use a special, commercial system. They might fail if they fall for traps like EncroChat (or however that was spelled). Then there are those who try to set up their own system, but lack the capabilities and talent for that. And last but not least are those groups you have not heard of in the news. They do have proper infosec.

[–] [email protected] 1 points 3 weeks ago (1 children)

I've heard of criminals using MMORPG DMs to communicate back in the day; not sure what happened to those guys.

[–] [email protected] 3 points 3 weeks ago

Another way to stay under the radar. IIRC there was a case where information was passed on an image board by means of using random-looking filenames that actually encoded messages.

[–] [email protected] 8 points 3 weeks ago (2 children)

No, but by making their own they can ensure there isn't one. Or something like that.

[–] [email protected] 8 points 3 weeks ago* (last edited 3 weeks ago)

All they really need is a program that turns cleartext into ciphertext and back, an open communication channel to transmit ciphertext, a secure way to exchange keys, and good operational security. There are plenty of cybersecurity experts with good skills and flexible morals, except NK and Russia probably pay better than the local meth lord.

[–] [email protected] 8 points 3 weeks ago (1 children)

Your average criminal is not making their own and has to trust some third party regardless. Law enforcement agencies have been known to run widespread honeypot "secure" messaging apps before.

[–] [email protected] 1 points 3 weeks ago

Yes. Most are likely still on platforms that have proven to be compromised, like WhatsApp or Telegram.

[–] [email protected] 5 points 3 weeks ago

Because they're not stupid and understand that government agencies could have a finger in the pie for any publicly available software in some way/shape/form? Paranoia keeps them in business longer.