Aardvark DailyNew Zealand's longest-running online daily news and commentary publication, now in its 25th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy.
Content copyright © 1995 - 2019 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
Please visit the sponsor!
How ironic is it that just days after I published a column in which I suggested that where data security is involved we should trust nobody, that a huge crime ring is busted for just that reason.
Reports abound in the media about a major crack-down on drug rings and organised crime that was made possible thanks to the interception of communications that were supposed to be secure.
According to those reports, over 800 people were arrested in a pan-European operation after their conversations on EncroChat were intercepted and recorded. The chat service allegedly offered secure communications, for a hefty subscription, via specially customised phones.
Despite the raft of supposedly secure features such as self-deleting messages and hard encryption of data, authorities apparently managed to gain access to the raw data by simply installing a monitor (called "a technical device" in the reports) on one of the servers, which was located in France.
Was it really that simple?
Who designed a supposedly "secure" system where the data was available in plaintext at anywhere along the path from sender to recipient?
If I was one of those who'd been flogging this "secure" service to some of the crime-world's biggest and most powerful players, I'd be pretty worried about my own future right now. I'm pretty sure they're not going to be at all happy that their empires have been dealt such a huge blow because some idiot decided that the messages should appear as plaintext on the servers -- assuming that is the case.
I say "assuming that is the case" because I think it's reasonable to say that the authorities may not be telling the whole truth here. If one of the group turned informer and grassed up the rest by handing over his phone and keys I expect that this would not be a fact they'd want known to the rest of the bad-guys. It's almost certain that any deal done like this would have had to guarantee the anonymity and safety of the informant. For that reason we might be seeing a bit of "creative storytelling" on the part of the NCA.
Whatever the reality however, this case just goes to prove that you should never assume that *any* communications is totally secure, especially if you're engaged in activities that are somewhat (or very) nefarious.
I actually wonder if criminal gangs might be better off giving the Net a wide berth and perhaps focusing on more old-school technologies for their comms. I'm pretty sure that a suitably encrypted digital stream sent via "good old radioTM" might be a lot more secure than a complex network of servers and internet links. The RF spectrum is a *very* big place (even bigger than the Net) so an RF-based commes network that chose random times and random frequencies to conduct such transfers would be hard to spot.
You could even engage in a bit of steganography by embedding the encrypted bitstream in some other seemingly legit data transfer on the HAM bands. Maybe a moonbounce?
On reflection, perhaps a combination of methods... splitting the encrypted data stream up into parallel streams that were sent via different transport layers -- internet, radio, carrier pigeon, etc. Without access to all the component streams, any one intercepting the data would have nothing.
Of course that doesn't solve the problem of someone who is a legitimate member of the criminal gang turning "state's evidence" and grassing everyone else up by handing over all the gear they have and their personal keys.
So perhaps here's the best suggestion to the criminal underworld...
Stop being arses. Get a real job and contribute to society instead of exploiting it.
Oh, hang on... if all those who wre exploiting people did that we'd have no politicians.
Meh... maybe *that* would be a good thing too.
Please visit the sponsor!
Have your say in the Aardvark Forums.