https://web.archive.org/web/20210608102417/https://webcache....
(Since, as we all know, Google’s webcache won’t last)
Since the Encrochat scare I would imagine no dealer in their right mind would ever use a crimephone again.
Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.
Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.
Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."
I do think this attack, as you imply, simply highlights how hard it is for even motivated consumers in the market to make actually secure choices, which in turn is why the market underemphasizes real security improvements.
people make this mistaken assumption constantly.
also, if a criminal had enough intelligence, they tend not to be criminals. very rarely do you find full blown intelligent criminal syndicates.
mostly you'll find that basic human heuristics, like security through obscurity is the height of security.
They made it invite only
They also made it a 6 monthly subscription fee
I know I'll get told off again for finding this very very funny, but honestly these guys got duped and deserved it.
I thought this article would be a genuine analysis by a security researcher as a tie-in to the news today :)
This analysis came out a couple months ago, and was exactly correct. Also, you are blaming the style of the writing but ignoring the substance, which is that the app is most definitely making encrypted connections where it has no need to do so.
The points might have been valid but the language is not instilling any kind of confidence: "This is an ENTERPRISE MILITARY GRADE Encrypted setup." doesn't exactly make it seem like a security researcher who knows what they're talking about. And add many other words capitalised for maximum shock effect: "imagine you were meeting up with someone like an EX-LOVER your partner may not approve of"
It all sounds very much FUD and biased. If you do a good analysis, this is not how you present it.
The main points he really makes are poor endpoint security (not uncommon in this market, as many such networks have been breached) and noticed some suspicious traffic which is indeed a telltale that something more is going on.
But it sounds way too much like someone with 'skin in the game' was trying to spin it and turned out to be right.
It seems they use off-the-shelf phones and put a custom ROM on them. Can anybody recommend a state of the art phone that has good custom ROM support (close to mainline Linux if possible; custom images have full hardware support)?
I imagine to use it for "citizen journalism", i.e. safely taking pictures and posting them anonymously to social media. For that reason the PinePhone would be out - it doesn't have a very good camera and doesn't run social media apps.
VPNs work fine on them. You can set up your own tor nodes to VPN in behind from another VPN, etc. A tinfoil hat can have many layers.
It just won't be a cheap secondary burner toy phone because they're so expensive.
I guess gangsters only trust other shady types to sell them stuff. In this case the trust was misplaced because they stored all the keys centrally and the cops were listening in for months before they shut it down.
I'd try this: https://wiki.lineageos.org/devices/
Why? They are used by gangsters. These are not nice people. They are not people with innocent secrets they need to keep from those who would oppress them. They are people who murder, who ruin lives, and who undermine peaceful society.
You would objectively be making the world a worse place by helping them. Why would you want to do that?
I wonder why this blog was deleted by the author. Get a phone call from the FBI?
I mean, it's pretty clear to me that (a) criminals are highly unlikely to see this blog and (b) if they did, so what, they wouldn't have understood it/believed it anyway. Half the comments on HN don't give it any credence because it's written by someone whose first language is obviously not English and who likes hyperbolic ALL CAPS, despite the fact that the underlying analysis is valid.
I'll take "Signs someone doesn't know what they are talking about for 200, Alex"
OHOOO Enterprise level encryption...FIPS :)
Stay away from both.
Classic.
No matter how powerful the infrastructure or skilled the local personnel, some countries are doomed to be put always in the same bucket by certain people from certain other countries.
You didn't even have to read that much into the article to spot the ignorance. Whether by gun, "law", or money, there's no place where your data is untouchable. But you could have stopped right here:
> This is an ENTERPRISE MILITARY GRADE Encrypted setup.
The famed "military encryption".
Estonia is a third world country. Total breakdown of any governmental administration, corrupt etc. (don't ask how I know)
This analysis was written by law enforcement in advance of the takedown to promote the next backdoored app.