Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

← Back to Stories (view on slashdot.org)

Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

Posted by BeauHD on Wednesday November 7, 2018 @10:00AM from the heads-up dept.

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

122 comments

Min score:

Reason:

Sort:

Paid Product Endorsement? by Camel+Pilot · 2018-11-07 10:08 · Score: 4, Insightful

"I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"
Sure sounds like a paid product endorsement....
1. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 10:19 · Score: 0
  
  > "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"
  >
  > Sure sounds like a paid product endorsement....
  I get your point, but what should he have said instead, assuming he did actually use IronChat for private conversations and simply believed it was a good tool to combat eavesdropping?
  What should he have said instead, to make it not sound like a paid product endorsement?
  Which part exactly of what he said makes it seem that he might be getting paid to endorse the product?
2. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 10:23 · Score: 0
  
  It sounds like a variant of:
  
  "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"
  -- Albert Einstein
  Unless a "snowden" statement is signed with the same PGP key Snowden used to sign his data dump to the Guardian, I see little reason to assume it's authentic.
3. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 10:25 · Score: 5, Funny
  
  "Exactly, who the fuck is quoting me? And why do I look so fucking pale in all the paintings?" - Jesus of Nazareth
4. Re: Paid Product Endorsement? by Anonymous Coward · 2018-11-07 10:31 · Score: 0
  
  Sounds, like, real clownish.
5. Re: Paid Product Endorsement? by Anonymous Coward · 2018-11-07 11:05 · Score: 0
  
  Whoops-a-daisy! Must have forgotten to upgrade to the latest version.
6. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 14:03 · Score: 0
  
  Apps that do "end-to-end" encryption are EASY AND CHILDSPLAY to decrypt.
  This is how, you're going to have a laugh.
  Authors spend hundreds (or thousands) of man-hours perfecting encrypting algorithms/android apps/etc.
  Police say "put this line in here that sends the unencrypted text to our server, or else we'll throw this $5 wrench at you".
  Company does that and pushes an update. Guess what the change log in Android says? "Bug Fixes." Everyone downloads and installs the update
  Police do something else evil?
  ???
  Profit.
7. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 14:06 · Score: 0, Funny
  
  I don't trust any Jesus quote lacking a valid cryptographic signature.
8. Re: Paid Product Endorsement? by reanjr · 2018-11-07 16:00 · Score: 4, Insightful
  
  I think what probably happened is Snowden was talking about the OTR protocol, and not a particular product and the marketurds twisted his words with their ignorant/malicious misquotation.
9. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 21:10 · Score: 0
  
  "Exactly, who the fuck is quoting me? And why do I look so fucking pale in all the paintings?" - Jesus of Nazareth
  "I wish I could have done something half as spectacular as that Osama fellow." - Jesus of Nazareth
10. Re: Paid Product Endorsement? by karmatic · 2018-11-07 23:31 · Score: 2
  
  This is a common problem, and can also be accomplished by getting a rogue employee in, getting an backdoor in version control that eventually gets pushed, or stealing developer credentials.
  That's why the crypto hardware my company is working on has a four part process. To do an update, we first have to sign the firmware. Next, a third party code audit company has to countersign after auditing any changes and building their own identical build. Next, the customer must use their admin credential and upgrade PIN. This wipes all the key material from the HSM. Finally, it must be physically placed into a USB port on the machine.
  We also have a HSM controlled counter in every firmware we sign, so it's not like we could hide any nefarious builds without customers noticing we never released firmware number X.
  We really don't want to get beaten by pipes.
11. Re:Paid Product Endorsement? by AmiMoJo · 2018-11-08 01:57 · Score: 1
  
  I'm pretty sure this quite is fake. I can't find an original source for it, and Snowden's writing style would at capitalize the 'I', if not put quotes around "hi" and "hello".
  He has mentioned OTR before, but not in reference to IronChat.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
12. Re: Paid Product Endorsement? by Anonymous Coward · 2018-11-08 04:06 · Score: 0
  
  Until we figure out we can read the data directly from the memory chips of your device...
13. Re:Paid Product Endorsement? by GoTeam · 2018-11-08 04:59 · Score: 1
  
  It sounds like an advertisement when he uses the specific name of a product instead of the type of technology or type of application he uses. If I were interested in my security, I don't think I'd go blabbing about the exact application I use to keep my communications secure.
14. Re: Paid Product Endorsement? by karmatic · 2018-11-08 16:11 · Score: 1
  
  That is what the self destructing enclosure is for. Light, temperature, tamper sensor.
Second Yahey! by Anonymous Coward · 2018-11-07 10:12 · Score: 0

Pinky in corner of mouth, Thousands of dollars!
Extremely thin on useful detail by Srin+Tuar · 2018-11-07 10:12 · Score: 4, Interesting

This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.
Its really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.
1. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 10:21 · Score: 0
  
  Also, it seems strange that the police department would so loudly advertise that they can decrypt the messages. Now all the criminals know not to use IronChat, so they will just use something else instead.
  If the department had kept quiet about it, they could have kept right on spying on the criminals and catching more. They could have also spied on ordinary civilians without any kind of warrant, and nobody would know. There is no end to the evil they could have totally gotten away with.
  But no, they had to go and spill the beans.
2. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 10:23 · Score: 0
  
  "Its really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got."
  It is incredibly difficult.
  We're talking about secure communication over mobile phones here.
  It's barely even possible to create a private environment on a mobile phone, even with custom Linux versions.
  In fact, even if you have the software all figured out, the hardware may still have backdoors.
  Actually, if you think it's not all that hard to do secure communications over mobile phones...
  Tell us which phone, OS and program to use; it's not all that hard? Are you sure?
3. Re:Extremely thin on useful detail by fred911 · 2018-11-07 10:24 · Score: 2
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  
  --
  09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
4. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 10:33 · Score: 0
  
  iPhone, iOS, Signal private messenger. If you can break that, you can probably get a top-level gig with a variety of 3-letter agencies or government contractors.
5. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 10:53 · Score: 0
  
  Exaclty, they probably want everyone to switch to the three letter agency version instead.
6. Re:Extremely thin on useful detail by AHuxley · 2018-11-07 11:08 · Score: 4, Interesting
  
  AC humans would start looking at other humans as the police issue. A news report that tells everyone that it was computers makes that deep search go away.
  Police informants deep in criminal networks are safe as everyone thinks it was the computers.
  
  Informants that stay in place can then report on the next use of crypto.
  
  --
  Domestic spying is now "Benign Information Gathering"
7. Re:Extremely thin on useful detail by Zaelath · 2018-11-07 11:40 · Score: 5, Informative
  
  Rather succinctly explained in the release from the Police:
  
  We stopped the operation because we became aware that criminals were starting to suspect each other of leaking information to the police. This was causing safety risks. That’s why now we make clear that it was us acting upon information from the chats.
8. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 11:55 · Score: 0
  
  Quadruple Rot13 must be even betterer
9. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 12:54 · Score: 1
  
  Sounds like a cover story to protect a high level informant or undercover cop.
10. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 13:19 · Score: 0
  
  Quadruple Rot13 must be even betterer
  Dude, that is sooooo not secure in the face of the upcoming quantum computers. It might be OK right now, but not for long.
  You need to go to at least ROT1651. That's the only way it's going to stand up to quantum supremacy.
11. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 13:44 · Score: 0
  
  Right, because safety risks to whom?
12. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 13:52 · Score: 0
  
  ROT13 was too hard for Symantec... back in the '80s and '90s they used to just XOR A5 everything.
13. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 13:53 · Score: 0
  
  No I canâ(TM)t because I am not US citizen.
14. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 13:55 · Score: 0
  
  Actually, if you think it's not all that hard to do secure communications over mobile phones...
  Tell us which phone, OS and program to use; it's not all that hard? Are you sure?
  It's an order of magnitude easier if you do the encryption offline on a dedicated device and there is one provably unbreakable encryption method taught in about day 1 of cryptography class, though it does have its downside. Of course that is not remotely as easy as a phone app and you have to keep the offline device secure, or at least know if its been accessed.
15. Re: Extremely thin on useful detail by Harlequin80 · 2018-11-07 14:00 · Score: 3, Insightful
  
  Just because someone is a crook doesn't mean its ok to step over their dead bodies to stop them.
  The information the police were obtaining causes the crims to suspect and then kill / harm each other. The police determined that the risks or death / injury to the people involved in or around the criminal activites exceed the rewards
16. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 17:10 · Score: 0
  
  The policy was arresting people based on the information in the chats. The criminals suspected that some persons had sniched, and had serious plan to kill them for leaking information. To prevent that the police went public.
17. Re:Extremely thin on useful detail by goose-incarnated · 2018-11-07 17:51 · Score: 2
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry rotweillers.
  
  *Lag is horrible and distance can become a problem.YMMV (literally).
  
  --
  I'm a minority race. Save your vitriol for white people.
18. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-07 20:17 · Score: 0
  
  The reason was that criminals were blaming each other for leaking to the police. And they (the police) were afraid for a raid of liquidations in the streets.
19. Re: Extremely thin on useful detail by Teun · 2018-11-07 22:37 · Score: 1
  
  The past year we've (The Netherlands) had many fatal shootings of criminals and also innocent bystanders.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
20. Re:Extremely thin on useful detail by Anonymous Coward · 2018-11-08 00:19 · Score: 0
  
  Intercepted quite easily if it runs on a phone.
21. Re:Extremely thin on useful detail by Highdude702 · 2018-11-08 00:44 · Score: 1
  
  Intercepting an encrypted message and being able to READ said message is 3 different things.
22. Re:Extremely thin on useful detail by Highdude702 · 2018-11-08 00:47 · Score: 1
  
  Had I not commented you would be getting my last point. Good work!
23. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-08 01:09 · Score: 0
  
  Just because someone is a crook doesn't mean its ok to step over their dead bodies to stop them.
  That just means we are not going to send the crooks to death camps.
  Making the criminals suspect each other is ok - if they shoot each other then it is them pulling the triggers on their own initiative. And so they get to take the punishments for murder as well. Fewer live criminals, and also fewer on the streets. Win-win.
24. Re:Extremely thin on useful detail by jittles · 2018-11-08 02:57 · Score: 1
  
  This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.
  Its really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.
  If secure communications are so easy, why do so many people seem to get it wrong? It only takes one little mistake to compromise secure communications. The mistake may not even be in anything but a library you use or a design flaw in the silicon you run it on. No. Secure communications is very difficult and that is why the NSA spends a lot of time and effort A) Monitoring others communications B) developing and testing secure methods of communication.
25. Re:Extremely thin on useful detail by jythie · 2018-11-08 04:17 · Score: 1
  
  Secure communications are a bit like, hrm, the whole meme around how we could build interstellar ships 'right now'. It is 'easy' when one only wants to look at a single, fun part of the problem that you can throw math at, but gets a lot harder when getting into the nitty gritty of implementation and maintenance, then even worse when your entire solution for the human factor is handwaving 'well just use the right kind of people!'
26. Re:Extremely thin on useful detail by ripvlan · 2018-11-08 06:26 · Score: 2
  
  I see it several ways.
  1) maybe they can't crack it - so everybody move to another one that they can break.
  2) maybe they want to see Who moves - and that is telling
  3) I'm surprised they didn't say "gosh we can't break this other Secure Chat App" :-)
27. Re:Extremely thin on useful detail by dcw3 · 2018-11-09 05:36 · Score: 1
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry rotweillers.
  Is it's bark worse than it's byte?
  
  --
  Just another day in Paradise
They siezed the site by Anonymous Coward · 2018-11-07 10:27 · Score: 1

And siezed the keys, then used those keys to unlock the locks. Or the messages are logged unencrypted on the siezed site.
I promise you the dutch police have no ability to "hack" anything.
And IronHorse or whatever has never been secure.
1. Re:They siezed the site by Anonymous Coward · 2018-11-07 10:46 · Score: 0
  
  That is only possible if the server has the keys. If so, they (IronChat) are doing it wrong. The server should only see encrypted messages, and only the intended receiver should have the decryption keys.
  I see three possibilities:
  IronChat screwed up big-time in a very amateur way.
  The police secretly got help from the NSA, and whatever encryption system is being used is broken.
  The police are lying.
2. Re:They siezed the site by tsqr · 2018-11-07 10:55 · Score: 1
  
  And siezed the keys.
3. Re:They siezed the site by darronb · 2018-11-07 11:24 · Score: 5, Interesting
  
  A trojaned version of the app is also a good possibility. They could have quietly taken control of the site, changed the app to push the keys back to them, etc. Sure that's beyond a typical police department but with any agency help it's totally doable.
  You don't have to be incompetent to get a gag order and have your stuff compromised like that.
4. Re:They siezed the site by mi · 2018-11-07 11:48 · Score: 1
  
  The server should only see encrypted messages, and only the intended receiver should have the decryption keys.
  That still requires the correspondents to have exchanged the public keys somehow. I bet, the site was signing the users' public keys with their own so that device would trust them. There is no way to do this — enable PGP-communications between strangers — otherwise.
  Even if the site didn't act as the "man-in-the-middle" itself — and you may well be right in that they did — by taking control of their servers police got into position to alter the public keys presented by users and signing them with the keys known to devices. From then on they could monitor communications...
  
  The police secretly got help from the NSA
  No shame in that...
  
  --
  In Soviet Washington the swamp drains you.
5. Re:They siezed the site by drnb · 2018-11-07 12:22 · Score: 1
  
  Its not end-to-end if the service provider / middleman is providing or transmitting the keys. The key should be exchanged via an entirely different and unrelated channel of communications.
6. Re:They siezed the site by Anonymous Coward · 2018-11-07 12:58 · Score: 0
  
  Why in the name of fuck is an 'end-to-end encrypted' messenger storing keys on their servers? :S
7. Re:They siezed the site by scdeimos · 2018-11-07 13:55 · Score: 1
  
  Given the very thin details my bet is that the IronChat servers kept a copy of each user's private key in their user profiles so that they could sync them between mobile devices and still be able send/read messages. End-to-end systems shouldn't do that.
8. Re:They siezed the site by Anonymous Coward · 2018-11-07 15:13 · Score: 0
  
  The lines get blurred in small nations regarding police forces and state security. A lot of places, they're one in the same and have the resources and advantage of being able to break the law whenever they want too for national security.
9. Re:They siezed the site by nnull · 2018-11-07 15:14 · Score: 1
  
  I get very annoyed with syncing. Terminus does this on the ipad unless you strictly turn it off in the first place.
10. Re:They siezed the site by spongman · 2018-11-07 16:46 · Score: 1
  
  but in order for each client to know to trust that the other isn't a man-in-the-middle attacker, you need some kind of trust authority (usually a central CA). if the keys to that were compromised, then all bets are off - which is what mi was saying above.
11. Re:They siezed the site by spongman · 2018-11-07 16:47 · Score: 1
  
  google certificate authority.
12. Re:They siezed the site by gnasher719 · 2018-11-07 19:33 · Score: 2
  
  Its not end-to-end if the service provider / middleman is providing or transmitting the keys. The key should be exchanged via an entirely different and unrelated channel of communications
  You would be right if the purpose of the app was to provide secure communications. It wasn't. The purpose was to make money from criminals that are willing to pay for an application where they _believe_ they get secure communications.
13. Re:They siezed the site by jbengt · 2018-11-08 02:24 · Score: 1
  
  If you want to truly keep your communications secret, "trust authority (usually a central CA)" is what's wrong with many encryption schemes. There's no absolutely secure way for two parties to communicate without them first getting together privately to agree on the particulars, like sharing keys (and hoping no one is eavesdropping at the time).
14. Re:They siezed the site by mi · 2018-11-08 02:40 · Score: 1
  
  The key should be exchanged via an entirely different and unrelated channel of communications.
  The "different and unrelated"... such as?
  
  --
  In Soviet Washington the swamp drains you.
15. Re:They siezed the site by Teun · 2018-11-08 05:07 · Score: 1
  
  Why only small nations, unless you mean that place that needs to tell itself to become Great again.
  Yes The Netherlands has some great IT security people, just think about how they for several watched the webcam in a major Moscow troll factory.
  Until Trump blew the whistle...
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
16. Re: They siezed the site by spongman · 2018-11-08 06:22 · Score: 1
  
  Yeah. If youâ(TM)re sharing a key then you donâ(TM)t need asymmetric enc at all. You can just share your aes key (or whatever) and be done with it.
17. Re:They siezed the site by drnb · 2018-11-08 08:45 · Score: 1
  
  The key should be exchanged via an entirely different and unrelated channel of communications.
  The "different and unrelated"... such as?
  Well you could go the full Snowden and fly to Hong Kong, meet in a hotel room and get under a blanket with computers that have never been online. Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
18. Re:They siezed the site by mi · 2018-11-08 09:12 · Score: 1
  
  Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
  Such as? Remember, we are talking here about strangers seeking to communicate securely without ever meeting each other in person...
  
  --
  In Soviet Washington the swamp drains you.
19. Re:They siezed the site by drnb · 2018-11-11 11:04 · Score: 1
  
  Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
  Such as? Remember, we are talking here about strangers seeking to communicate securely without ever meeting each other in person...
  Sigh --- Create a truecrypt/versacrypt volume with a text file with the keys. Email them, put them on a USB stick or SD Card and postal mail them, ... Phone, text, postal mail (not if sending USB stick or SD card via postal), etc the volume passphrase. Use temporary emails, burner phones, etc depending on you level of paranoia, fedex, ups or courier rather than postal mail. As I said there are a host of options beyond the chat service middleman also handling your keys.
20. Re:They siezed the site by mi · 2018-11-13 09:21 · Score: 1
  
  Mail — and all your other means of communications, except those under blanket ones you mentioned — are still subject to interception by government. And, probably, should be.
  Though two dedicated people could use some of the means you describe, it can not be done commercially....
  
  --
  In Soviet Washington the swamp drains you.
21. Re:They siezed the site by drnb · 2018-11-14 09:29 · Score: 1
  
  Mail — and all your other means of communications, except those under blanket ones you mentioned — are still subject to interception by government. And, probably, should be.
  Though two dedicated people could use some of the means you describe, it can not be done commercially....
  Yes, and when the gov't grabs a single site as in this case you lose everything. However if you had used one of the other channels for key distribution you would overwhelmingly likely be just fine. You are comparing apples and oranges, a massive haul of keys and communications at a single point of failure and the targeting of one specific person over many channels of communications. Two very very different things.
  
  And if you are concerned about being targeted over many channels of communications then you do a face-to-face meeting as I originally mentioned.
  
  The fact remains that letting your communications provider handle your keys is the worst possible way of going about this.
Well that cat's out of the bag by Anonymous Coward · 2018-11-07 10:31 · Score: 0

Looks like they won't be using IronChat any more.
Brilliant by nehumanuscrede · 2018-11-07 10:32 · Score: 2

If there was any chance of listening to future conversations between parties using Iron Chat, this announcement just blew that right out of the water.
The folks who wish to talk via encrypted channels will now simply change their method of communication.
It could be another commercial app, a homebrew one or just go all old school and do things the way it was done before the era of smartphones.
It could also be complete bullshit on the part of the Police in an attempt to get folks to quit using it :D
1. Re:Brilliant by AmiMoJo · 2018-11-07 10:39 · Score: 5, Insightful
  
  They couldn't keep it secret for very long because they would have to present the intercepted messages in court eventually.
  It appears that weaknesses in the app are to blame here. It was a poorly designed app, basically snake oil.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:Brilliant by Anonymous Coward · 2018-11-07 10:49 · Score: 1
  
  Maybe Iron Chat is working so well, the only way to defeat it is to fake a story that it's been cracked so people switch to something more exploitable.
3. Re:Brilliant by AHuxley · 2018-11-07 10:55 · Score: 1
  
  Police had to act fast before criminals suspected and questioned other criminals about helping the police.
  Better to tell everyone that it was "computers" and protect other well placed human informants working for the police.
  
  The police can then control the results now rather and unexpected results of finding actual decades of well placed human informants.
  
  Informants who can always find out what the next crypto products is :)
  
  --
  Domestic spying is now "Benign Information Gathering"
4. Re:Brilliant by MtHuurne · 2018-11-07 11:01 · Score: 2
  
  It was on the news here: the police announced it at this moment on purpose, because several people getting arrested recently made other criminals suspect someone in their mids was leaking to the police and they were planning violent actions against them.
5. Re:Brilliant by Anonymous Coward · 2018-11-07 11:07 · Score: 0
  
  criminals beating the shit out of other criminals? I say let them do their worst.
6. Re:Brilliant by Highdude702 · 2018-11-07 11:33 · Score: 2, Interesting
  
  You apparently don't understand the underworld.. They would have been killed, not beaten up.. I'm no longer a criminal but I still despise rats. If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out that was smart enough to not get caught because you're a fuck up. The rats deserve to die. I've seen police let violent offenders who have ratted go free and lock up the drug dealer(weed) for years because the violent person turned state.
7. Re:Brilliant by Zaelath · 2018-11-07 11:41 · Score: 1
  
  Collateral damage.
8. Re:Brilliant by Anonymous Coward · 2018-11-07 12:09 · Score: 1
  
  It sounds like you actively and strenuously promote conspiracy after the fact, so I guess rehabilitation failed on you.
9. Re:Brilliant by Anonymous Coward · 2018-11-07 12:18 · Score: 0
  
  Or they just seized the servers, and M-I-T-A was what they did.
10. Re:Brilliant by farble1670 · 2018-11-07 13:06 · Score: 2
  
  You apparently don't understand the underworld
  You're right, we don't.
  
  If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
11. Re:Brilliant by Anonymous Coward · 2018-11-07 16:48 · Score: 0
  
  You apparently don't understand the underworld..
  And we don't have to. All we know is that its existence poses a potential risk for the rest of us and that we don't want that. Criminals do not get to set the rules of how lawmakers and enforcers are to counteract them. When a drug dealer sells drugs to a violent offender they also provide them with a good chance of making a deal with law enforcers as part of that package. If they were really smart they would have been more selective in their choice of 'clients'.
12. Re:Brilliant by vbdasc · 2018-11-07 19:37 · Score: 1
  
  The rats deserve to die. .
  You're dangerously close to being a criminal again, IMHO. Control yourself before it's too late.
13. Re:Brilliant by Anonymous Coward · 2018-11-07 19:40 · Score: 0
  
  They are all fucking scum, the rat is no worse than the people they are ratting out, if anything they are slightly better as at least they are making the world a slightly better place whereas people like you think your warped fucking morality and pride is more important than the safety of others.
14. Re: Brilliant by Anonymous Coward · 2018-11-07 20:17 · Score: 0
  
  This is the second time they decrypted a large amount of messages from a cryptophones provider, so they likely can do this again. These are not just stock Android phones running ironchat, they have been modified so you can only use ironchat on them, microphones removed, things like that.
  The app however looks very amateuristic. It's very likely they either pushed an update of the app that leaked messages, or that the app had severe encryption flaws. It at least had UX-flaws where it was hard to notice a man in the middle attack due to a cryptic message in a very small font.
15. Re:Brilliant by hackertourist · 2018-11-07 21:26 · Score: 1
  
  Criminals don't deserve loyalty. Informing the police of a crime is what civilized people do and should do.
16. Re:Brilliant by Anonymous Coward · 2018-11-07 21:34 · Score: 0
  
  I'm no longer a criminal but I still despise rats.
  You sure sound like one, though.
17. Re:Brilliant by Highdude702 · 2018-11-08 00:32 · Score: 1, Insightful
  
  No, see these are WORDS. Once again people on slashdot conflate words with violence. My words didn't hurt anybody therefore get the fuck out of here with your noise. I was smart, I did my time and realized being a criminal is fucking stupid and I bust my ass for a living now. on that note.
  
  You're dangerously close to being a fascist, IMHO. Control yourself before it's too late.
  FTFY...
18. Re:Brilliant by Highdude702 · 2018-11-08 00:35 · Score: 1
  
  Criminals are not civilized or they wouldn't be criminals. And believe it or not for *most* criminals there is such thing as honor among thieves. The ones that turn state are the ones that couldn't handle THEIR OWN ACTIONS! Nobody forces people to become criminals, that is 100% a choice of the person doing the dirt.
19. Re:Brilliant by Highdude702 · 2018-11-08 00:43 · Score: 1
  
  Back to "You apparently don't understand the underworld" We are talking about the CCOC(since you guys like codes of conduct so much).
  Criminals do not follow "laws" That's why they're criminals. Which is also why the people saying "make guns illegal" look like bleeding heart idiots, because they don't even realize that the people committing 99% of gun crimes are already criminals and couldn't give a fuck about a gun law. But from the brief look at your comment history I cant tell if you will be able to understand what I'm saying. Once you commit to being a criminal you no longer get to play moral high ground, and you damn sure better not hang someone else for you being stupid and getting caught. That's how you end up dead. I'm just stating facts here by the way. I've essentially already been told that me using words to express my thoughts means I'm a criminal because of the words contained in my thought...
20. Re:Brilliant by Anonymous Coward · 2018-11-08 01:23 · Score: 0
  
  You apparently don't understand the underworld.. They would have been killed, not beaten up.. I'm no longer a criminal but I still despise rats. If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out that was smart enough to not get caught because you're a fuck up. The rats deserve to die. I've seen police let violent offenders who have ratted go free and lock up the drug dealer(weed) for years because the violent person turned state.
  Quite the contrary.
  If a 'rat' can get you - then you're doing something wrong. Don't do it. You have no right to do anything 'that cannot be talked about.' Clearly, the underworld fail to understand transparency - or the straight world. Rats are heroes; they disrupt criminal activity, at the risk of getting killed by the criminals.
  You break the law, you are at risk. You can not trust anybody - not your clients, not your accomplices, not the friends you brag to. As it should be!
  You break the rules, then you have the gall to complain that the rats breaks your rules in turn? Comical. Someone caught by a rat, simply wasn't smart enough to avoid getting caught. There is a name for those, and it is 'losers'.
21. Re:Brilliant by Trailer+Trash · 2018-11-08 01:48 · Score: 1
  
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
  You really don't understand the clean hands doctrine. It has nothing to do with what he's talking about.
  
  --
  Do you have ESP?
22. Re:Brilliant by Anonymous Coward · 2018-11-08 01:56 · Score: 0
  
  I'm no longer a criminal but I still despise rats. If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out that was smart enough to not get caught because you're a fuck up. The rats deserve to die.
  
  Right, sure, we believe you that you're no longer a criminal.
  With that attitude you should be back in prison in no time.
23. Re:Brilliant by jbengt · 2018-11-08 02:36 · Score: 1
  
  I'm just stating facts here . . .
  
  No, you weren't just stating facts. You were stating your opinion that "the rats deserve to die".
  If you're talking about criminals willing to kill each other, then you should consider that maybe both the rats and the ratted-on deserve to die.
  Not to mention the irony of you complaining that " . . . using words to express my thoughts means I'm a criminal because of the words contained in my thought." and also complaining that the rats expressing, in words, what they know just because of who they told it to.
24. Re:Brilliant by Anonymous Coward · 2018-11-08 02:50 · Score: 0
  
  That’s great. An ex-con who thinks that people calling him out are fascists. Comedy fucking gold.
25. Re:Brilliant by Anonymous Coward · 2018-11-08 03:07 · Score: 1
  
  So, hang on, use that big brain of yours to explain this to me.
  
  The moment you become a criminal, you no longer get to play the moral high ground, but you still consider yourself somehow being morally superior to an informant, an individual who actually aids the non-criminal society by putting shitheads like you behind bars?
  
  That is the most retarded thing I have read all week. You decide to shit on the society and break its rules for material gains, but the moment someone shits on you for a material gain (such as serving a shorter sentence), oh no, they are bad people and it somehow gives you more justification to murder them. Just cut the crap, you were always a son of a bitch to begin with.
  
  I can see why you spent time in prison now.
26. Re:Brilliant by gnasher719 · 2018-11-08 04:36 · Score: 1
  
  And believe it or not for *most* criminals there is such thing as honor among thieves.
  Actually, there isn't.
  
  A UK police phone line where you can phone in information about crimes anonymously reported that 1/3rd of all calls come from criminals who want to get rid of the competition. And it's common knowledge for everyone in jail that the ones saying "don't rat on anyone" will be the first ones to rat on you.
27. Re:Brilliant by Teun · 2018-11-08 05:31 · Score: 1
  
  Once a criminal always one?
  I really appreciate people that change their bad ways and start to recognise mine and dine, including the right to someone's life.
  But by the fact you consider a converted criminal a snitch bring you down to their level.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
28. Re:Brilliant by Anonymous Coward · 2018-11-08 07:26 · Score: 0
  
  Criminals do not follow "laws" That's why they're criminals. Which is also why the people saying "make guns illegal" look like bleeding heart idiots, because they don't even realize that the people committing 99% of gun crimes are already criminals and couldn't give a fuck about a gun law.
  Even criminals are capable of a risk/benefit analysis, although it may not be too well thought out.
  If using a gun to commit a crime doesn't confer much benefit and entails lots of risk, you'll find even criminals will avoid using guns.
  Obviously, simply making guns illegal isn't sufficient, you have to change the risk/benefit equation, so they would rather not use a gun. For a start, if guns were removed from most cops, so in a confrontation a criminal won't be faced with a cop pulling a gun on them there is less need for the criminal to carry a gun, and only the ones that carry regardless will face an armed response unit. Next increase the penalties for using a gun to commit a crime.
29. Re:Brilliant by farble1670 · 2018-11-08 07:41 · Score: 1
  
  You really don't understand the clean hands doctrine. It has nothing to do with what he's talking about.
  The difference is my ability to apply ideas and concepts outside the domain which they were originally applied. It's one of the things that separates us from lower animals.
30. Re:Brilliant by Highdude702 · 2018-11-08 15:44 · Score: 1
  
  Wow, that is almost the complete opposite of the US systems. Here the people snitching do it to get their sentences vastly reduced if not absolved completely.
  
  And it's common knowledge for everyone in jail that the ones saying "don't rat on anyone" will be the first ones to rat on you.
  That is common with a lot of things, It is a risk you take if you're a criminal and do work with other criminals. That's why you need to have a good judge of character. But even that is not guaranteed. I found the easiest thing to do is not do crime for a living. Makes life a lot less stressful. Especially when you do the kind of shit that makes you have to look over your shoulder at every moment for retaliation.
31. Re:Brilliant by Highdude702 · 2018-11-08 15:46 · Score: 1
  
  A snitch is not a converted criminal. I am a converted criminal. A snitch will snitch on somebody to get a reduced or absolved time for their crime. and go right back to committing crimes as soon as hes out of custody.
32. Re:Brilliant by Agent0013 · 2018-11-09 07:54 · Score: 1
  
  You apparently don't understand the underworld
  You're right, we don't.
  
  If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
  So every police department is not entitled to a fair outcome then. Got it! That is why I cheer inside when someone goes on a killing spree of the asses in blue!
  
  --
  
  -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
33. Re:Brilliant by farble1670 · 2018-11-09 08:09 · Score: 1
  
  So every police department is not entitled to a fair outcome then.
  Police are humans. Punish the bad ones, and get one with your life. The fact that there are bad apples doesn't mean the entire system is crap. There are always bad apples anywhere you go.
  
  That is why I cheer inside when someone goes on a killing spree of the asses in blue!
  Got it. You are happy when people are murdered, because some minute percentage of people in the same line work have done bad things. See a therapist friend.
34. Re: Brilliant by Agent0013 · 2018-11-09 10:43 · Score: 1
  
  So then, the accountant for the mob should not be arrested because he doesn't kill anyone! Yeah, that is not how the law works. If you work for a criminal organization, you are determined to be a criminal. If the men I blue burder people, then they are a criminal oroanization, and noone in it get a free pass. Unless they are actually an informant for the real law inforcement that is.
  
  --
  
  -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
title needs changed by Anonymous Coward · 2018-11-07 10:37 · Score: 0

Title need changed to: Police in the Netherlands are idiots for telling people they can decrypt ironchat. OR change to Police in the Netherlands recommend you find another chat tool, Ironchat isnt good enough
Open Source? by Anonymous Coward · 2018-11-07 10:46 · Score: 0

No source? Then why did anyone trust it? Because it was expensive? Because there was a business backing it? You fools.
private keys must be private by Anonymous Coward · 2018-11-07 10:47 · Score: 0

If somebody else has your private keys, they aren't secure.
Snowden mentioned OTR in the past by jelwell · 2018-11-07 11:00 · Score: 2

Pretty sure that quote is only half true. Snowden has mentioned OTR in the past. I doubt he specified IronChat.
Joseph Elwell.
The police did not break anything by ffkom · 2018-11-07 11:26 · Score: 2

They just fetched keys from the central service provider, and given that this crappy app never implemented actual end-to-end encryption, that was enough to decrypt the messages.

Seriously, criminals stupid enough to rely on proprietary, centralized messenger services deserve to get jailed for that alone.
Not really end-to-end encryption by drnb · 2018-11-07 12:19 · Score: 1

They siezed the site
And siezed the keys, then used those keys to unlock the locks.
Then its not really end-to-end encryption as claimed. Its just another service encrypting its traffic so middlemen, other than itself and its masters, can't read it. In true end-to-end the service provider can't read the content even if they want to.
So only Android not iOS users of the app? by drnb · 2018-11-07 12:20 · Score: 1

So only the Android users were hit and not the iOS users of the app?
1. Re:So only Android not iOS users of the app? by 110010001000 · 2018-11-07 13:33 · Score: 0
  
  Why only Android? You don't think Apple bends of backward to accommodate law enforcement?
2. Re:So only Android not iOS users of the app? by dinfinity · 2018-11-08 03:10 · Score: 1
  
  They were custom phones ('IronPhones'). Stop trying to inject Android/iOS-strife into this.
3. Re:So only Android not iOS users of the app? by drnb · 2018-11-08 08:38 · Score: 1
  
  Why only Android? You don't think Apple bends of backward to accommodate law enforcement?
  Because of the word "trojan" in: "A trojaned version of the app is also a good possibility."
No PFS? by Anonymous Coward · 2018-11-07 13:04 · Score: 0

Seems like the damage could have been limited if perfect forward secrecy was used
There should not be any keys to fetch by aberglas · 2018-11-07 14:11 · Score: 1

We should not be using PKI that depends on a trusted source.
People have their own private keys. But then how to know that you are using the right one? The SSH problem.
So use SRP instead. Secure Remote Password. The communication only works if both people use the same password. And no way to brute force the password back. Simple, and intrinsically secure.
Snowden poked his head up recently by Anonymous Coward · 2018-11-07 20:03 · Score: 0

And made some criticisms approved by his Russian landlords, so some "independent" agency makes a by-the-way announcement that they have broken encryption on a tool. Now Snowden has to worry about what might be in some of his captured conversations, and if it could be a cold winter...
There is no such thing as money laundering by CoolDiscoRex · 2018-11-07 20:40 · Score: 1

Much like âidentity theftâ(TM) , âobstructing justice, âresistingâ(TM), and âhuman traffickingâ(TM), itâ(TM)s a made-up boogeyman designed to convince the masses to give up their civil rights voluntarily.
Sadly, most of them do. Everyone else gets theirs taken away involuntarily. We all clap when we hear that the government nabbed one of those evil money launderers.
Money laundering is an almost sure-fire conviction as it is impossible to disprove, and that is exactly what a defendant had to do. Thatâ(TM)s why roadside piracy, I mean, civil forfeiture is so lucrative.
Underpay your taxes by $170? Boom, every dollar in your position is now laundered money, proceeds of your tax evasion. Take out $5,000 of your own money from the bank one day, $6,000 of your own money the next? Bam, youâ(TM)re a money launderer, your funds were obtained via structuring.
The link between every dollar and theoretical malfeasance is not hard to make, so itâ(TM)s the perfect crime to charge someone with when they havenâ(TM)t committed a crime you can prove they committed.
In fact, the only guaranteed non-laundered money, is money you give to the government. No matter where you got it from, or how you acquired it, if you give it to the government, itâ(TM)s righteous.
1. Re:There is no such thing as money laundering by Trailer+Trash · 2018-11-08 01:56 · Score: 1
  
  You apparently don't understand what money laundering is. In the simplest sense, let's say you're a drug dealer and you have $20,000 in cash. You want to store it in the bank, but when you do that the IRS finds out about it. So you create a sham business and cook the books, making it look as if the money is really proceeds from your business.
  We sometimes see things listed for exorbitant prices on Amazon. Probably money laundering. A friend of mine talks about car auctions now, where people will buy cars at auction and then sell them for really high prices to certain buyers. They're laundering money.
  Underpaying taxes isn't laundering. Structuring deposits or withdrawals isn't laundering (it's "structuring" - a separate and unrelated offense).
  
  --
  Do you have ESP?
It IS hard. But there's Signal, so why IronChat? by Anonymous Coward · 2018-11-07 22:45 · Score: 0

I don't get why anyone would use IronChat. Or any OTR solution, given that it's pointless, due to the metatdata not being encrypted.
Just use Signal, like everyone, and be done with it.
And if your life depends on it, and you have the option, you use one-time pads from a good source of randomness somewhere in your process, period. Because it vastly simplifies the amount of things that could go wrong, while itself (but not the code around it, of course) being uncrackable.
Correct. But OTR is not metadata-secure. by Anonymous Coward · 2018-11-07 22:49 · Score: 0

You are correct. I remember him mentioning OTR. But with the caveat, that it only protects what has being said, and the implementation must be good too. It does NOT protect the metadata. Like who you are, who you talked to, and when. As in: What criminals actually care about.
Decryption tool by dskoll · 2018-11-08 00:36 · Score: 1

I hear the decryption tool was written in Rust.
Crypto snakeoil by DrXym · 2018-11-08 02:15 · Score: 1

I've never heard of Ironchat but from the sounds of it, it was cryptographic snakeoil. If cops / intelligence services were listening in realtime that would suggest that it wasn't securing messages from man in the middle / spoof attacks or the manner that keys were exchanged was insecure.