Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

← Back to Stories (view on slashdot.org)

Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

Posted by BeauHD on Wednesday November 7, 2018 @10:00AM from the heads-up dept.

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

76 of 122 comments (clear)

Min score:

Reason:

Sort:

Paid Product Endorsement? by Camel+Pilot · 2018-11-07 10:08 · Score: 4, Insightful

"I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"
Sure sounds like a paid product endorsement....
1. Re:Paid Product Endorsement? by Anonymous Coward · 2018-11-07 10:25 · Score: 5, Funny
  
  "Exactly, who the fuck is quoting me? And why do I look so fucking pale in all the paintings?" - Jesus of Nazareth
2. Re: Paid Product Endorsement? by reanjr · 2018-11-07 16:00 · Score: 4, Insightful
  
  I think what probably happened is Snowden was talking about the OTR protocol, and not a particular product and the marketurds twisted his words with their ignorant/malicious misquotation.
3. Re: Paid Product Endorsement? by karmatic · 2018-11-07 23:31 · Score: 2
  
  This is a common problem, and can also be accomplished by getting a rogue employee in, getting an backdoor in version control that eventually gets pushed, or stealing developer credentials.
  That's why the crypto hardware my company is working on has a four part process. To do an update, we first have to sign the firmware. Next, a third party code audit company has to countersign after auditing any changes and building their own identical build. Next, the customer must use their admin credential and upgrade PIN. This wipes all the key material from the HSM. Finally, it must be physically placed into a USB port on the machine.
  We also have a HSM controlled counter in every firmware we sign, so it's not like we could hide any nefarious builds without customers noticing we never released firmware number X.
  We really don't want to get beaten by pipes.
4. Re:Paid Product Endorsement? by AmiMoJo · 2018-11-08 01:57 · Score: 1
  
  I'm pretty sure this quite is fake. I can't find an original source for it, and Snowden's writing style would at capitalize the 'I', if not put quotes around "hi" and "hello".
  He has mentioned OTR before, but not in reference to IronChat.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
5. Re:Paid Product Endorsement? by GoTeam · 2018-11-08 04:59 · Score: 1
  
  It sounds like an advertisement when he uses the specific name of a product instead of the type of technology or type of application he uses. If I were interested in my security, I don't think I'd go blabbing about the exact application I use to keep my communications secure.
6. Re: Paid Product Endorsement? by karmatic · 2018-11-08 16:11 · Score: 1
  
  That is what the self destructing enclosure is for. Light, temperature, tamper sensor.
Extremely thin on useful detail by Srin+Tuar · 2018-11-07 10:12 · Score: 4, Interesting

This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.
Its really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.
1. Re:Extremely thin on useful detail by fred911 · 2018-11-07 10:24 · Score: 2
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  
  --
  09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
2. Re:Extremely thin on useful detail by AHuxley · 2018-11-07 11:08 · Score: 4, Interesting
  
  AC humans would start looking at other humans as the police issue. A news report that tells everyone that it was computers makes that deep search go away.
  Police informants deep in criminal networks are safe as everyone thinks it was the computers.
  
  Informants that stay in place can then report on the next use of crypto.
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:Extremely thin on useful detail by Zaelath · 2018-11-07 11:40 · Score: 5, Informative
  
  Rather succinctly explained in the release from the Police:
  
  We stopped the operation because we became aware that criminals were starting to suspect each other of leaking information to the police. This was causing safety risks. That’s why now we make clear that it was us acting upon information from the chats.
4. Re: Extremely thin on useful detail by Anonymous Coward · 2018-11-07 12:54 · Score: 1
  
  Sounds like a cover story to protect a high level informant or undercover cop.
5. Re: Extremely thin on useful detail by Harlequin80 · 2018-11-07 14:00 · Score: 3, Insightful
  
  Just because someone is a crook doesn't mean its ok to step over their dead bodies to stop them.
  The information the police were obtaining causes the crims to suspect and then kill / harm each other. The police determined that the risks or death / injury to the people involved in or around the criminal activites exceed the rewards
6. Re:Extremely thin on useful detail by goose-incarnated · 2018-11-07 17:51 · Score: 2
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry rotweillers.
  
  *Lag is horrible and distance can become a problem.YMMV (literally).
  
  --
  I'm a minority race. Save your vitriol for white people.
7. Re: Extremely thin on useful detail by Teun · 2018-11-07 22:37 · Score: 1
  
  The past year we've (The Netherlands) had many fatal shootings of criminals and also innocent bystanders.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
8. Re:Extremely thin on useful detail by Highdude702 · 2018-11-08 00:44 · Score: 1
  
  Intercepting an encrypted message and being able to READ said message is 3 different things.
9. Re:Extremely thin on useful detail by Highdude702 · 2018-11-08 00:47 · Score: 1
  
  Had I not commented you would be getting my last point. Good work!
10. Re:Extremely thin on useful detail by jittles · 2018-11-08 02:57 · Score: 1
  
  This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.
  Its really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.
  If secure communications are so easy, why do so many people seem to get it wrong? It only takes one little mistake to compromise secure communications. The mistake may not even be in anything but a library you use or a design flaw in the silicon you run it on. No. Secure communications is very difficult and that is why the NSA spends a lot of time and effort A) Monitoring others communications B) developing and testing secure methods of communication.
11. Re:Extremely thin on useful detail by jythie · 2018-11-08 04:17 · Score: 1
  
  Secure communications are a bit like, hrm, the whole meme around how we could build interstellar ships 'right now'. It is 'easy' when one only wants to look at a single, fun part of the problem that you can throw math at, but gets a lot harder when getting into the nitty gritty of implementation and maintenance, then even worse when your entire solution for the human factor is handwaving 'well just use the right kind of people!'
12. Re:Extremely thin on useful detail by ripvlan · 2018-11-08 06:26 · Score: 2
  
  I see it several ways.
  1) maybe they can't crack it - so everybody move to another one that they can break.
  2) maybe they want to see Who moves - and that is telling
  3) I'm surprised they didn't say "gosh we can't break this other Secure Chat App" :-)
13. Re:Extremely thin on useful detail by dcw3 · 2018-11-09 05:36 · Score: 1
  
  "used something called "ironchat" they deserve what they got."
  Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.
  I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry rotweillers.
  Is it's bark worse than it's byte?
  
  --
  Just another day in Paradise
They siezed the site by Anonymous Coward · 2018-11-07 10:27 · Score: 1

And siezed the keys, then used those keys to unlock the locks. Or the messages are logged unencrypted on the siezed site.
I promise you the dutch police have no ability to "hack" anything.
And IronHorse or whatever has never been secure.
1. Re:They siezed the site by tsqr · 2018-11-07 10:55 · Score: 1
  
  And siezed the keys.
2. Re:They siezed the site by darronb · 2018-11-07 11:24 · Score: 5, Interesting
  
  A trojaned version of the app is also a good possibility. They could have quietly taken control of the site, changed the app to push the keys back to them, etc. Sure that's beyond a typical police department but with any agency help it's totally doable.
  You don't have to be incompetent to get a gag order and have your stuff compromised like that.
3. Re:They siezed the site by mi · 2018-11-07 11:48 · Score: 1
  
  The server should only see encrypted messages, and only the intended receiver should have the decryption keys.
  That still requires the correspondents to have exchanged the public keys somehow. I bet, the site was signing the users' public keys with their own so that device would trust them. There is no way to do this — enable PGP-communications between strangers — otherwise.
  Even if the site didn't act as the "man-in-the-middle" itself — and you may well be right in that they did — by taking control of their servers police got into position to alter the public keys presented by users and signing them with the keys known to devices. From then on they could monitor communications...
  
  The police secretly got help from the NSA
  No shame in that...
  
  --
  In Soviet Washington the swamp drains you.
4. Re:They siezed the site by drnb · 2018-11-07 12:22 · Score: 1
  
  Its not end-to-end if the service provider / middleman is providing or transmitting the keys. The key should be exchanged via an entirely different and unrelated channel of communications.
5. Re:They siezed the site by scdeimos · 2018-11-07 13:55 · Score: 1
  
  Given the very thin details my bet is that the IronChat servers kept a copy of each user's private key in their user profiles so that they could sync them between mobile devices and still be able send/read messages. End-to-end systems shouldn't do that.
6. Re:They siezed the site by nnull · 2018-11-07 15:14 · Score: 1
  
  I get very annoyed with syncing. Terminus does this on the ipad unless you strictly turn it off in the first place.
7. Re:They siezed the site by spongman · 2018-11-07 16:46 · Score: 1
  
  but in order for each client to know to trust that the other isn't a man-in-the-middle attacker, you need some kind of trust authority (usually a central CA). if the keys to that were compromised, then all bets are off - which is what mi was saying above.
8. Re:They siezed the site by spongman · 2018-11-07 16:47 · Score: 1
  
  google certificate authority.
9. Re:They siezed the site by gnasher719 · 2018-11-07 19:33 · Score: 2
  
  Its not end-to-end if the service provider / middleman is providing or transmitting the keys. The key should be exchanged via an entirely different and unrelated channel of communications
  You would be right if the purpose of the app was to provide secure communications. It wasn't. The purpose was to make money from criminals that are willing to pay for an application where they _believe_ they get secure communications.
10. Re:They siezed the site by jbengt · 2018-11-08 02:24 · Score: 1
  
  If you want to truly keep your communications secret, "trust authority (usually a central CA)" is what's wrong with many encryption schemes. There's no absolutely secure way for two parties to communicate without them first getting together privately to agree on the particulars, like sharing keys (and hoping no one is eavesdropping at the time).
11. Re:They siezed the site by mi · 2018-11-08 02:40 · Score: 1
  
  The key should be exchanged via an entirely different and unrelated channel of communications.
  The "different and unrelated"... such as?
  
  --
  In Soviet Washington the swamp drains you.
12. Re:They siezed the site by Teun · 2018-11-08 05:07 · Score: 1
  
  Why only small nations, unless you mean that place that needs to tell itself to become Great again.
  Yes The Netherlands has some great IT security people, just think about how they for several watched the webcam in a major Moscow troll factory.
  Until Trump blew the whistle...
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
13. Re: They siezed the site by spongman · 2018-11-08 06:22 · Score: 1
  
  Yeah. If youâ(TM)re sharing a key then you donâ(TM)t need asymmetric enc at all. You can just share your aes key (or whatever) and be done with it.
14. Re:They siezed the site by drnb · 2018-11-08 08:45 · Score: 1
  
  The key should be exchanged via an entirely different and unrelated channel of communications.
  The "different and unrelated"... such as?
  Well you could go the full Snowden and fly to Hong Kong, meet in a hotel room and get under a blanket with computers that have never been online. Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
15. Re:They siezed the site by mi · 2018-11-08 09:12 · Score: 1
  
  Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
  Such as? Remember, we are talking here about strangers seeking to communicate securely without ever meeting each other in person...
  
  --
  In Soviet Washington the swamp drains you.
16. Re:They siezed the site by drnb · 2018-11-11 11:04 · Score: 1
  
  Or any myriad of less drastic things that would be an improvement over letting a middleman handle keys for you.
  Such as? Remember, we are talking here about strangers seeking to communicate securely without ever meeting each other in person...
  Sigh --- Create a truecrypt/versacrypt volume with a text file with the keys. Email them, put them on a USB stick or SD Card and postal mail them, ... Phone, text, postal mail (not if sending USB stick or SD card via postal), etc the volume passphrase. Use temporary emails, burner phones, etc depending on you level of paranoia, fedex, ups or courier rather than postal mail. As I said there are a host of options beyond the chat service middleman also handling your keys.
17. Re:They siezed the site by mi · 2018-11-13 09:21 · Score: 1
  
  Mail — and all your other means of communications, except those under blanket ones you mentioned — are still subject to interception by government. And, probably, should be.
  Though two dedicated people could use some of the means you describe, it can not be done commercially....
  
  --
  In Soviet Washington the swamp drains you.
18. Re:They siezed the site by drnb · 2018-11-14 09:29 · Score: 1
  
  Mail — and all your other means of communications, except those under blanket ones you mentioned — are still subject to interception by government. And, probably, should be.
  Though two dedicated people could use some of the means you describe, it can not be done commercially....
  Yes, and when the gov't grabs a single site as in this case you lose everything. However if you had used one of the other channels for key distribution you would overwhelmingly likely be just fine. You are comparing apples and oranges, a massive haul of keys and communications at a single point of failure and the targeting of one specific person over many channels of communications. Two very very different things.
  
  And if you are concerned about being targeted over many channels of communications then you do a face-to-face meeting as I originally mentioned.
  
  The fact remains that letting your communications provider handle your keys is the worst possible way of going about this.
Brilliant by nehumanuscrede · 2018-11-07 10:32 · Score: 2

If there was any chance of listening to future conversations between parties using Iron Chat, this announcement just blew that right out of the water.
The folks who wish to talk via encrypted channels will now simply change their method of communication.
It could be another commercial app, a homebrew one or just go all old school and do things the way it was done before the era of smartphones.
It could also be complete bullshit on the part of the Police in an attempt to get folks to quit using it :D
1. Re:Brilliant by AmiMoJo · 2018-11-07 10:39 · Score: 5, Insightful
  
  They couldn't keep it secret for very long because they would have to present the intercepted messages in court eventually.
  It appears that weaknesses in the app are to blame here. It was a poorly designed app, basically snake oil.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:Brilliant by Anonymous Coward · 2018-11-07 10:49 · Score: 1
  
  Maybe Iron Chat is working so well, the only way to defeat it is to fake a story that it's been cracked so people switch to something more exploitable.
3. Re:Brilliant by AHuxley · 2018-11-07 10:55 · Score: 1
  
  Police had to act fast before criminals suspected and questioned other criminals about helping the police.
  Better to tell everyone that it was "computers" and protect other well placed human informants working for the police.
  
  The police can then control the results now rather and unexpected results of finding actual decades of well placed human informants.
  
  Informants who can always find out what the next crypto products is :)
  
  --
  Domestic spying is now "Benign Information Gathering"
4. Re:Brilliant by MtHuurne · 2018-11-07 11:01 · Score: 2
  
  It was on the news here: the police announced it at this moment on purpose, because several people getting arrested recently made other criminals suspect someone in their mids was leaking to the police and they were planning violent actions against them.
5. Re:Brilliant by Highdude702 · 2018-11-07 11:33 · Score: 2, Interesting
  
  You apparently don't understand the underworld.. They would have been killed, not beaten up.. I'm no longer a criminal but I still despise rats. If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out that was smart enough to not get caught because you're a fuck up. The rats deserve to die. I've seen police let violent offenders who have ratted go free and lock up the drug dealer(weed) for years because the violent person turned state.
6. Re:Brilliant by Zaelath · 2018-11-07 11:41 · Score: 1
  
  Collateral damage.
7. Re:Brilliant by Anonymous Coward · 2018-11-07 12:09 · Score: 1
  
  It sounds like you actively and strenuously promote conspiracy after the fact, so I guess rehabilitation failed on you.
8. Re:Brilliant by farble1670 · 2018-11-07 13:06 · Score: 2
  
  You apparently don't understand the underworld
  You're right, we don't.
  
  If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
9. Re:Brilliant by vbdasc · 2018-11-07 19:37 · Score: 1
  
  The rats deserve to die. .
  You're dangerously close to being a criminal again, IMHO. Control yourself before it's too late.
10. Re:Brilliant by hackertourist · 2018-11-07 21:26 · Score: 1
  
  Criminals don't deserve loyalty. Informing the police of a crime is what civilized people do and should do.
11. Re:Brilliant by Highdude702 · 2018-11-08 00:32 · Score: 1, Insightful
  
  No, see these are WORDS. Once again people on slashdot conflate words with violence. My words didn't hurt anybody therefore get the fuck out of here with your noise. I was smart, I did my time and realized being a criminal is fucking stupid and I bust my ass for a living now. on that note.
  
  You're dangerously close to being a fascist, IMHO. Control yourself before it's too late.
  FTFY...
12. Re:Brilliant by Highdude702 · 2018-11-08 00:35 · Score: 1
  
  Criminals are not civilized or they wouldn't be criminals. And believe it or not for *most* criminals there is such thing as honor among thieves. The ones that turn state are the ones that couldn't handle THEIR OWN ACTIONS! Nobody forces people to become criminals, that is 100% a choice of the person doing the dirt.
13. Re:Brilliant by Highdude702 · 2018-11-08 00:43 · Score: 1
  
  Back to "You apparently don't understand the underworld" We are talking about the CCOC(since you guys like codes of conduct so much).
  Criminals do not follow "laws" That's why they're criminals. Which is also why the people saying "make guns illegal" look like bleeding heart idiots, because they don't even realize that the people committing 99% of gun crimes are already criminals and couldn't give a fuck about a gun law. But from the brief look at your comment history I cant tell if you will be able to understand what I'm saying. Once you commit to being a criminal you no longer get to play moral high ground, and you damn sure better not hang someone else for you being stupid and getting caught. That's how you end up dead. I'm just stating facts here by the way. I've essentially already been told that me using words to express my thoughts means I'm a criminal because of the words contained in my thought...
14. Re:Brilliant by Trailer+Trash · 2018-11-08 01:48 · Score: 1
  
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
  You really don't understand the clean hands doctrine. It has nothing to do with what he's talking about.
  
  --
  Do you have ESP?
15. Re:Brilliant by jbengt · 2018-11-08 02:36 · Score: 1
  
  I'm just stating facts here . . .
  
  No, you weren't just stating facts. You were stating your opinion that "the rats deserve to die".
  If you're talking about criminals willing to kill each other, then you should consider that maybe both the rats and the ratted-on deserve to die.
  Not to mention the irony of you complaining that " . . . using words to express my thoughts means I'm a criminal because of the words contained in my thought." and also complaining that the rats expressing, in words, what they know just because of who they told it to.
16. Re:Brilliant by Anonymous Coward · 2018-11-08 03:07 · Score: 1
  
  So, hang on, use that big brain of yours to explain this to me.
  
  The moment you become a criminal, you no longer get to play the moral high ground, but you still consider yourself somehow being morally superior to an informant, an individual who actually aids the non-criminal society by putting shitheads like you behind bars?
  
  That is the most retarded thing I have read all week. You decide to shit on the society and break its rules for material gains, but the moment someone shits on you for a material gain (such as serving a shorter sentence), oh no, they are bad people and it somehow gives you more justification to murder them. Just cut the crap, you were always a son of a bitch to begin with.
  
  I can see why you spent time in prison now.
17. Re:Brilliant by gnasher719 · 2018-11-08 04:36 · Score: 1
  
  And believe it or not for *most* criminals there is such thing as honor among thieves.
  Actually, there isn't.
  
  A UK police phone line where you can phone in information about crimes anonymously reported that 1/3rd of all calls come from criminals who want to get rid of the competition. And it's common knowledge for everyone in jail that the ones saying "don't rat on anyone" will be the first ones to rat on you.
18. Re:Brilliant by Teun · 2018-11-08 05:31 · Score: 1
  
  Once a criminal always one?
  I really appreciate people that change their bad ways and start to recognise mine and dine, including the right to someone's life.
  But by the fact you consider a converted criminal a snitch bring you down to their level.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
19. Re:Brilliant by farble1670 · 2018-11-08 07:41 · Score: 1
  
  You really don't understand the clean hands doctrine. It has nothing to do with what he's talking about.
  The difference is my ability to apply ideas and concepts outside the domain which they were originally applied. It's one of the things that separates us from lower animals.
20. Re:Brilliant by Highdude702 · 2018-11-08 15:44 · Score: 1
  
  Wow, that is almost the complete opposite of the US systems. Here the people snitching do it to get their sentences vastly reduced if not absolved completely.
  
  And it's common knowledge for everyone in jail that the ones saying "don't rat on anyone" will be the first ones to rat on you.
  That is common with a lot of things, It is a risk you take if you're a criminal and do work with other criminals. That's why you need to have a good judge of character. But even that is not guaranteed. I found the easiest thing to do is not do crime for a living. Makes life a lot less stressful. Especially when you do the kind of shit that makes you have to look over your shoulder at every moment for retaliation.
21. Re:Brilliant by Highdude702 · 2018-11-08 15:46 · Score: 1
  
  A snitch is not a converted criminal. I am a converted criminal. A snitch will snitch on somebody to get a reduced or absolved time for their crime. and go right back to committing crimes as soon as hes out of custody.
22. Re:Brilliant by Agent0013 · 2018-11-09 07:54 · Score: 1
  
  You apparently don't understand the underworld
  You're right, we don't.
  
  If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out
  In law there is something called the Clean Hands Doctrine that can be fit here. It a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.
  So every police department is not entitled to a fair outcome then. Got it! That is why I cheer inside when someone goes on a killing spree of the asses in blue!
  
  --
  
  -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
23. Re:Brilliant by farble1670 · 2018-11-09 08:09 · Score: 1
  
  So every police department is not entitled to a fair outcome then.
  Police are humans. Punish the bad ones, and get one with your life. The fact that there are bad apples doesn't mean the entire system is crap. There are always bad apples anywhere you go.
  
  That is why I cheer inside when someone goes on a killing spree of the asses in blue!
  Got it. You are happy when people are murdered, because some minute percentage of people in the same line work have done bad things. See a therapist friend.
24. Re: Brilliant by Agent0013 · 2018-11-09 10:43 · Score: 1
  
  So then, the accountant for the mob should not be arrested because he doesn't kill anyone! Yeah, that is not how the law works. If you work for a criminal organization, you are determined to be a criminal. If the men I blue burder people, then they are a criminal oroanization, and noone in it get a free pass. Unless they are actually an informant for the real law inforcement that is.
  
  --
  
  -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
Snowden mentioned OTR in the past by jelwell · 2018-11-07 11:00 · Score: 2

Pretty sure that quote is only half true. Snowden has mentioned OTR in the past. I doubt he specified IronChat.
Joseph Elwell.
The police did not break anything by ffkom · 2018-11-07 11:26 · Score: 2

They just fetched keys from the central service provider, and given that this crappy app never implemented actual end-to-end encryption, that was enough to decrypt the messages.

Seriously, criminals stupid enough to rely on proprietary, centralized messenger services deserve to get jailed for that alone.
Not really end-to-end encryption by drnb · 2018-11-07 12:19 · Score: 1

They siezed the site
And siezed the keys, then used those keys to unlock the locks.
Then its not really end-to-end encryption as claimed. Its just another service encrypting its traffic so middlemen, other than itself and its masters, can't read it. In true end-to-end the service provider can't read the content even if they want to.
So only Android not iOS users of the app? by drnb · 2018-11-07 12:20 · Score: 1

So only the Android users were hit and not the iOS users of the app?
1. Re:So only Android not iOS users of the app? by dinfinity · 2018-11-08 03:10 · Score: 1
  
  They were custom phones ('IronPhones'). Stop trying to inject Android/iOS-strife into this.
2. Re:So only Android not iOS users of the app? by drnb · 2018-11-08 08:38 · Score: 1
  
  Why only Android? You don't think Apple bends of backward to accommodate law enforcement?
  Because of the word "trojan" in: "A trojaned version of the app is also a good possibility."
There should not be any keys to fetch by aberglas · 2018-11-07 14:11 · Score: 1

We should not be using PKI that depends on a trusted source.
People have their own private keys. But then how to know that you are using the right one? The SSH problem.
So use SRP instead. Secure Remote Password. The communication only works if both people use the same password. And no way to brute force the password back. Simple, and intrinsically secure.
There is no such thing as money laundering by CoolDiscoRex · 2018-11-07 20:40 · Score: 1

Much like âidentity theftâ(TM) , âobstructing justice, âresistingâ(TM), and âhuman traffickingâ(TM), itâ(TM)s a made-up boogeyman designed to convince the masses to give up their civil rights voluntarily.
Sadly, most of them do. Everyone else gets theirs taken away involuntarily. We all clap when we hear that the government nabbed one of those evil money launderers.
Money laundering is an almost sure-fire conviction as it is impossible to disprove, and that is exactly what a defendant had to do. Thatâ(TM)s why roadside piracy, I mean, civil forfeiture is so lucrative.
Underpay your taxes by $170? Boom, every dollar in your position is now laundered money, proceeds of your tax evasion. Take out $5,000 of your own money from the bank one day, $6,000 of your own money the next? Bam, youâ(TM)re a money launderer, your funds were obtained via structuring.
The link between every dollar and theoretical malfeasance is not hard to make, so itâ(TM)s the perfect crime to charge someone with when they havenâ(TM)t committed a crime you can prove they committed.
In fact, the only guaranteed non-laundered money, is money you give to the government. No matter where you got it from, or how you acquired it, if you give it to the government, itâ(TM)s righteous.
1. Re:There is no such thing as money laundering by Trailer+Trash · 2018-11-08 01:56 · Score: 1
  
  You apparently don't understand what money laundering is. In the simplest sense, let's say you're a drug dealer and you have $20,000 in cash. You want to store it in the bank, but when you do that the IRS finds out about it. So you create a sham business and cook the books, making it look as if the money is really proceeds from your business.
  We sometimes see things listed for exorbitant prices on Amazon. Probably money laundering. A friend of mine talks about car auctions now, where people will buy cars at auction and then sell them for really high prices to certain buyers. They're laundering money.
  Underpaying taxes isn't laundering. Structuring deposits or withdrawals isn't laundering (it's "structuring" - a separate and unrelated offense).
  
  --
  Do you have ESP?
Decryption tool by dskoll · 2018-11-08 00:36 · Score: 1

I hear the decryption tool was written in Rust.
Crypto snakeoil by DrXym · 2018-11-08 02:15 · Score: 1

I've never heard of Ironchat but from the sounds of it, it was cryptographic snakeoil. If cops / intelligence services were listening in realtime that would suggest that it wasn't securing messages from man in the middle / spoof attacks or the manner that keys were exchanged was insecure.