[______-]

Maybe I'm missing something vital here, but why trust these `drug dealer` phones? What's wrong with using Signal on an encrypted Android device?

Since the Encrochat scare I would imagine no dealer in their right mind would ever use a crimephone again.

[notatoad]

the missing context is that anom has been revealed to be an FBI sting operation. no dealer in their right might should have trusted it, but many did.

https://www.bbc.com/news/world-57394831

[vmception]

The real question is how long will they keep Wickr running?

[jtbayly]

Are you implying that Wickr is a sting operation also?

Anything you can point me to read about that?

[vmception]

It is set up like an obvious honey pot just like Anom was set up like an obvious honey pot and should be avoided purely for those reasons alone, just like Anom should have been avoided purely for those reasons alone

There is no way to know whether either of those services were compromised simply due to their express purpose of forwarding everything to government agent’s computers

They’re just simply not capable of providing users any of the assurances they claim in a way the user can ever have the assurance of

[bierjunge]

That's why drug cartels in Mexico are setting up their own cellular networks. If you control infrastructure, it's harder to get wiretapped.

https://www.reuters.com/article/us-mexico-telecoms-cartels-s...

[jtbayly]

Thanks. As-in there is no way to evaluate whether Wickr's claims of encryption are true?

[vmception]

No way to evaluate whether your messages are readable by law enforcement at any given point in time, with a greater red flag being the advertising claims of Wickr misleading users to the contrary. Wickr, a US based company.

There may be some level of encryption, it acts like a company set up by the government or made to be tapped into.

This wasnt conspiracy theory fiction even before Anom, as there are other examples of governments especially the US government doing this already. Just let Anom be another more clear cut reminder that it doesn't matter who you trust that uses a software, if it doesn't pass some key criteria then don’t use it. There is no “I’m sure this large group of people thought of that” just assume they are stupid, negligent, thought the same as you did and nobody attempted any scrutiny, or are all informants themselves.

[9wzYQbTYsAIc]

Apparently there’s criminals that only trust other criminals (also apparently, those same criminals are highly likely to betray each other) and those trusted criminals are saying “use this phone, it’s secure”.

Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.

[md_]

> Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.

Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.

Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."

I do think this attack, as you imply, simply highlights how hard it is for even motivated consumers in the market to make actually secure choices, which in turn is why the market underemphasizes real security improvements.

[9wzYQbTYsAIc]

Well put, and I agree that right now the most effective thing would probably be to buy a stock iPhone, from a random source, in cash, etc.

That said, one huge caveat: any stock, internet-connected phone is always one law away from being rendered completely transparent to law enforcement with legal jurisdiction over the place of sale.

In the US, for example, Congress could write a law that forces a back door.

The back door doesn’t even have to be to the encryption keys or algorithm, but could be a simple screen capture interface that can be remotely triggered with a warrant.

[mianos]

This exact law exists in Australia, the "Assistance & Access Act". That these laws exist in Australia is also a reason why there is a lot of co-operation between US and Australian law enforcement. I am not sure how but it gives the US an ability to do things they can't do on their own shore. The US often works on other countries, like Bucharest in the An0m case to work around their own laws.

[9wzYQbTYsAIc]

https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

At least there’s this:

> The Assistance and Access Act contains an express prohibition against building or implementing any weakness or vulnerability in software or physical devices that would jeopardise the security of innocent users. This is found in section 317ZG of the Act which also makes clear that any assistance that makes a system's encryption or authentication less effective for general users is strictly prohibited. This same section prohibits the construction of new decryption capabilities and rules out any requirements that would prevent a company from patching existing security flaws in their systems.

[katatonik]

That legislation also has Technical Assistance Requests (TAR) where company isn't compelled but can choose to comply. As not trying to compel they have few safeguards in being issued and less limitations on what can be requested.

https://www.zdnet.com/article/whats-actually-in-australias-e...

[Cyril_HN]

Exactly my thought. Surely, if you're a criminal and you're actually successful, then you want to use open source privacy. Heck, if only to hide your usage with everyone else's right? It's not unusual to have Signal on your phone. It's pretty weird to have Anom or whatever else exists

[cyanydeez]

money != intelligent

people make this mistaken assumption constsntly.

also, if a criminal had enough intelligent, they tend not to be criminals. very rarely do you find full blown intelligent criminal syndicates.

mostly youll find that basic human heuristics, like security through obscurity is the height of security.

[senectus1]

nothing, but i suspect they used neat social engineering tricks to get it used...

They made it invite only

They also made it a 6 monthly subscription fee

I know I'll get told off again for finding this very very funny, but honestly these guys got duped and deserved it.