French Officer Caught Selling Access To State Surveillance System On the Darkweb (zdnet.com)
An anonymous reader writes: "A French police officer has been charged and arrested last week for selling confidential data on the dark web in exchange for Bitcoin," reports ZDNet. French authorities caught him after they took down the "Black Hand" dark web marketplace. Sifting through the marketplace data, they found French police documents sold on the site. All the documents had unique identifiers, which they used to track down the French police officer who was selling the data under the name of Haurus.
Besides selling access to official docs, they also found he ran a service to track the location of mobile devices based on a supplied phone number. He advertised the system as a way to track spouses or members of competing criminal gangs. Investigators believe Haurus was using the French police resources designed with the intention to track criminals for this service. He also advertised a service that told buyers if they were tracked by French police and what information officers had on them.
the next guy will be smarter and not too worried about the risk/reward balance.
My complete surprise. NEVER saw this one coming.
Let's see. About 10 million Slashdot posters have been predicting this.
Oh, you're precious. In China, the bullet to the head would be the person who uncovered the person in power who was selling information because "social harmony" prevents admitting to these sorts of abuses and fueling any sort of notion that the Chinese government can't adequately control its own police force. Now, maybe the actual person selling the information will "disappear", but that's not even assured. For that a little kickback bribe from all those sales will probably be enough to wash away the crime. In fact, the government might keep paying the guy and just use him as an indefinite mole.
In a democracy, justice through exposure of criminals can restore trust. In a totalitarian regime, breakdown of trust "never happens". Sure, sometimes you don't get to it quickly enough so you have to either "issue a correction" or maybe even quietly do a "trial" while quickly burying the story in the news. Actually exposing the corruption would only reaffirm every person's own personal experience and might even encourage them to step forward on what they know, and that's something they don't want to have to deal with--a lot of those people are paying them bribes (or somewhere down the chain) to look the other way. No, you want to bury those fuckers as "muckrakers" making up "false accusations" upon "upstanding, outstanding citizens"; they could use a good bullet to the head or some other "accident".
He advertised the system as a way to track spouses.
Ah oui, but we are French! We love freely and let our spouses roam, but we will not accept corruption in our peace officers. Away with you. Monsieur!
But governments can be trusted with built-in encryption backdoors. Hmm.
Ah, yes, I'm racist. At least you could try to make an argument, like how the Chinese Dream has mostly supplanted the idea, but then the Chinese Dream in practice is much closer to the worst of the American Dream--unbridled greed in the name of progress. Bringing up rampant corruption is just going to "inconvenience" the narrative--someone who does it to have the money for bribes to advance their career would prove just how many people act in realizing "the Chinese Dream". So, whatever the stated motivation, the story will be killed. Actually working to clean up corruption would undercut the actual base that got Pooh in power, just like the ones before him. The same as in the US with lobbying and campaign money.
This is the future.
Criminals can be made, and busted by the same service.
It seems like the perfect use.
Truth isn't Truth - Giuliani
This is why we can't abide backdoors. Their existence presumes that all government and law-enforcement members are trustworthy people.
They are not. And people like this guy will abuse backdoors for his own profit.
They save Torture for people they Really don't like.
Fuck.
Truth isn't Truth - Giuliani
you have to give credit to a China-like approach: swift bullet to the head to deter all future people
China executed a few people for selling baby formula laced with melamine. Since then they have had ... dozens more incidents of intentionally contaminated food.
"Shooting people in the head" is NOT a deterrent to people that don't think they will get caught, and it is an easy excuse to NOT fix the systemic problems of poor regulation, corrupt food safety inspectors, nobody double checking the checkers, etc.
The contaminated formula was sold for years, killing many Chinese babies, and was only discovered when it was exported to New Zealand, and the melamine was detected by NZ food inspectors. Most other Chinese food scandals also were detected by foreigners.
In the French case, the solution is not to "shoot the cop" but to ask why he had access to so much information in the first place. For instance, to get GPS info on a phone, he should have needed his ID, a PIN or password, and a valid warrant. Yet he apparently needed none of those things. This is far more than "one bad cop". It is a rotten broken system. None of their internal systems or cross checks caught this guy. It was only revealed by outside info.
Breakdown of trust in the government strikes at the heart of society.
Some mistrust of government is healthy for a society. It is too much trust that is dangerous.
Here's where the "government only" backdoors to your industry's R&D end up. Doesn't even take North Korea to kidnap spouse and kids of the ones you entrust with sensitive access, all it takes is fucking money!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
to hide.
So be sure to vote for politicians who will pass laws to give state access to every aspect of your digital life.
And if a policeman passes your location on to your ex partner who has raped and beaten you, it is your fault for having had something to hide.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Some mistrust of government is healthy for a society. It is too much trust that is dangerous.
Sure, but too much mistrust and society turns into a bunch of smallish gangs with government being seen as just another gang. An early sign of that is when regular citizens start seeing police as a danger to be avoided.
They say decade after decade. We need encryption backdoors and such they have said. It will be 100% super, military grade super safe. They have said, NOT :-/ !!!
Sounds like the documents contained unique identifiers in anticipation of this sort of thing. I wonder if there would be a way to embed invisible identifiers in docs in fonts, line spacing, punctuation, hyphenation etc. that could withstand modification to a greater or lesser degree.
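One way the per-recipient marking wondered about in the comment above could work, as an added example that is not part of the original thread or of any system the article describes: the recipient ID is encoded in the spacing after sentence ends and repeated through the document, so it survives a partial clean-up. The 8-bit ID, the sample text and all function names are assumptions made for this sketch.

```python
import re

BITS = 8                      # width of the constructed recipient ID
GAP = r'(?<=[.!?]) +'         # run of spaces that follows a sentence end

def embed(text, recipient_id):
    """Encode the ID in sentence gaps: one space = 0, two spaces = 1.
    Bit i % BITS goes into gap i, so a long document carries many copies."""
    sentences = re.split(GAP, text)
    out = [sentences[0]]
    for i, sentence in enumerate(sentences[1:]):
        bit = (recipient_id >> (i % BITS)) & 1
        out.append(("  " if bit else " ") + sentence)
    return "".join(out)

def extract(text):
    """Recover the ID by majority vote over all copies of each bit.
    Limitation: inserting or deleting sentences shifts the bit alignment."""
    votes = [[0, 0] for _ in range(BITS)]
    for i, gap in enumerate(re.findall(GAP, text)):
        votes[i % BITS][1 if len(gap) >= 2 else 0] += 1
    return sum(1 << b for b, (zero, one) in enumerate(votes) if one > zero)

def simulate_partial_cleanup(text, gaps):
    """Model an edit that normalises spacing in the first `gaps` sentence gaps."""
    return re.sub(GAP, " ", text, count=gaps)

# Constructed sample: 25 sentences give 24 gaps, i.e. three copies of the ID.
SAMPLE = " ".join(f"Item {n} of the constructed report ends here." for n in range(25))

if __name__ == "__main__":
    copy = embed(SAMPLE, 0xB5)
    print(hex(extract(copy)))                                 # intact copy
    print(hex(extract(simulate_partial_cleanup(copy, 8))))    # one of three copies lost
    print(hex(extract(simulate_partial_cleanup(copy, 16))))   # two of three copies lost
```

With three copies of the ID, the vote tolerates the loss of one copy; once two are normalised the mark is gone, which is the "greater or lesser degree" trade-off between redundancy and document length.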
That's because the surveillance state isn't a mistake, but... its benefit is reserved for the connected/powerful. Private use by the little people threatens its use and value for the connected and so it's got to be punished. Why, the connected's misdeeds might be exposed!
No, that's not what was going on.
10 million Slashdot posters were busy advertising how they were going to pile on to the issue with a big "said so" at the first sign of human fallibility (as infallibly projected), despite the original prediction having a zero value add.
In the he-said/she-said fiasco now playing out on the national American stage, you can pretty much bet that the loudest voices in the camp of "well, if the accusers aren't perfect in every way, if there is ever any abuse at all, then we shouldn't listen hardly at all" are the ones with the haziest, alcohol-infused recollections of their own youthful misdeeds.
Systems theory has a name for loud voices demanding perfection concerning non-traditional door #2, while tolerating rampant imperfection in traditional door #1.
You see, the only reason you'd ever improve a working system (flawed though it might be, as we all know from long experience) is if the replacement system achieves outright perfection. And I can personally predict, right now, that the replacement system will have failure mode X, and when that day comes, 10 million voices will join in unison to proclaim that 10 million voices having collectively predicted the inevitable surely can't be wrong.
That's the not terribly charitable view.
The slightly more charitable view is that this is an exercise in proof by induction, basis step only.
You see, it happened once, and by the lemma stating that every bad that can happen does happen, QED. Because if it happened once, it can surely happen again.
You see, in human systems, that's how induction properly works.
While I believe that police and intelligence agencies certainly should be paying attention to our digital interactions and activities, I believe it needs to be more selective and carefully targeted than is usually the case. In IT security one fundamental principle is the least amount of access needed to do a job. The police surveillance equivalent would be only looking at a person's traffic after a warrant has been issued. But what seems to be done instead is getting the most sweeping powers they can get away with at the time legislation is passed, then pushing slightly beyond that limit on the down low afterwards. (see parallel construction)
An analogy that might be helpful is looking in trash bags. In many places, looking in your trash does not require a warrant because it is considered to be placed into the public domain. So, in theory, a police dept could set up an inspection station at the dump and household waste transfer stations looking at everyone's trash. From there, if anything of interest is found, they would then start to backtrack that item through the collection network to identify the house it came from. The biggest reason they don't do this I think is because the expense in capital equipment and manpower is just too high for the number of clues they would get. So for trash, our privacy is respected by the logistical concerns.
However, in digital surveillance, the equipment to do the searching is already there and paid for by the ISPs. There is far less manpower required, but what there is of it is split between the ISP and the police. All a cop needs to do is send a letter to the ISP, demanding logging of all traffic with a certain signature (IP address, web protocol, key words or destinations etc). One of their admins fires up his management console and starts the logging process. The difference in cost between tracking one individual of interest and tracking an entire community is trivial compared to the scaling costs of real world surveillance.
If we want the same level of privacy and protection from unreasonable search and seizure, we need to find a way (possibly a multi-prong approach) to make it hard for authorities to cast wide nets without a damn good reason. My suggestions are:
1) All interception done at the behest of law enforcement should require a warrant, not simply a letter.
2) All interception done at the behest of the intelligence community should require the approval of elected officials on a case by case basis.
3) Regardless of who requests the surveillance, the ISPs should be paid a reasonable amount for their services.
4) All warrants and National Security Letters must be required to state the expiration date and any other limiting factors.
5) Authorities must be held accountable when cases of over-reach, misuse or abuse are identified. The penalties must be meaningful. Someone, possibly several someones have to lose their job, it has to be possible to put someone in jail if the abuse was severe enough. Corporations must be fined heavily enough to affect the bottom line.
6) It has to be possible for an ISP to refuse a request if they have reason to believe the request fails to meet the legal criteria. When that happens, they will record the requested data, but not hand it over to the police until the matter can be reviewed by a judge or impartial panel. Requiring people to cooperate even when police are in the wrong supports the authority of the legal system, but also gives people the classic "I was only following orders" excuse for participating in a crime.
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
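The cross-check that two comments in this thread ask for (a lookup should need an identified officer and a valid warrant, and warrants should carry an expiration date and limits), sketched as an added example that is not part of the original thread and not any real police system. The same function can gate a request before it runs or sweep an audit log afterwards; the warrant register, log entries, field names and phone numbers are all constructed.

```python
from datetime import datetime

# Constructed warrant register: who may look up which number, and until when.
WARRANTS = {
    "W-001": {"officers": {"officer-a"}, "targets": {"+33555010001"},
              "expires": datetime(2018, 9, 30)},
}

# Constructed audit log of location lookups (hypothetical field names).
LOOKUPS = [
    {"id": 1, "officer": "officer-a", "target": "+33555010001",
     "warrant": "W-001", "at": datetime(2018, 9, 10)},
    {"id": 2, "officer": "officer-a", "target": "+33555010002",
     "warrant": None, "at": datetime(2018, 9, 11)},
    {"id": 3, "officer": "officer-b", "target": "+33555010001",
     "warrant": "W-001", "at": datetime(2018, 9, 12)},
    {"id": 4, "officer": "officer-a", "target": "+33555010003",
     "warrant": "W-001", "at": datetime(2018, 9, 13)},
    {"id": 5, "officer": "officer-a", "target": "+33555010001",
     "warrant": "W-001", "at": datetime(2018, 10, 5)},
]

def violations(entry, warrants):
    """Reasons a lookup is not covered by a warrant; an empty list means covered."""
    if entry["warrant"] is None:
        return ["no warrant cited"]
    warrant = warrants.get(entry["warrant"])
    if warrant is None:
        return ["warrant not in register"]
    reasons = []
    if entry["officer"] not in warrant["officers"]:
        reasons.append("officer not named on warrant")
    if entry["target"] not in warrant["targets"]:
        reasons.append("target not covered by warrant")
    if entry["at"] > warrant["expires"]:
        reasons.append("warrant expired")
    return reasons

def review(lookups, warrants):
    """Map lookup id -> reasons, for every lookup that fails the check."""
    findings = {}
    for entry in lookups:
        reasons = violations(entry, warrants)
        if reasons:
            findings[entry["id"]] = reasons
    return findings

if __name__ == "__main__":
    for lookup_id, reasons in review(LOOKUPS, WARRANTS).items():
        print(lookup_id, "; ".join(reasons))
```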
Parents used to advise kids to find a cop if they get lost. Now they tell them to find a woman with kids and avoid the cops.