[messaging] Crypto standards in modern-day consumer apps
mike.power.casual at theguardian.com
Mon Jun 8 10:45:33 PDT 2020
Hello modern crypto crew,
I've lurked on this list for a year or two, knowing that one day I'd seek
your help. Today's the day.
i'm a journalist specialising in drugs, tech, and the net. I wrote the
about the emergence of a digital drug market. (I once sold 25 bitcoin for
£100, to give you an idea of my all-seeing prescience in the field...)
Part of my work involves communicating with anonymous sources in the
organised criminal underworld. Security is important to me, and much more
important to them. I'm losing key contacts and stories because I can't
afford an Encro phone lease (£3,000 a year).
Anyway, I'm researching a piece on Encro phones and crypto standards in
commercial phone software for a book i'm pitching, and also for a series of
I understand that Encro phones are sold in Holland on six-month leases. I'm
struggling to understand this company's model, and customer base. I've
spoken to users and they just say "it's safe". But they don't even use or
understand PGP or keybase. Every serious criminal I have ever met has an
This story alerted me to the phenomenon:
Almost every murder case or major drug bust in Liverpool involves these
My questions follow. Any assistance on or off-list would be much
appreciated, and I would cite and attribute any quote of yours that I
use, or we can work anonymously with you as a protected source if required.
Thanks for reading what I think may become a long mail. If anyone would
like to call me instead of writing, I'm on signal and can supply my number
if you mail me at mikepeterpower at fastmail.fm.
1. What advantages, if any, do these Encro phones offer over standard
consumer devices fitted with the latest crypto messaging software? Why not
just use Wickr, Telegram, Signal, etc? Are they that technically
advaadvanced? How? What makes them better?
2. Would anyone be so kind as to rate, in order of security first, the
following OS and messaging app combos. (The threat model is that of an
experienced drug laboratory owner in the Netherlands selling, but not exporting
drugs to the value of £10m a year. He works a few months in one spot and
then moves. Interpol would love to arrest him, as would the Dutch police.)
Which oS should this (entirely imaginary) criminal use, and why?
Encro phone with encrochat: https://encrophone.com/en/
Wickr – free version
Whatsapp ( I know.! But I need to have a line from an expert telling me it
sucks. The public think it is safe but do not realise that Whatsapp
metadata and lack of perfect forward secrecy, and the fact all messages
pass through a centralised server, is a high-risk set up.
Encro phone with encrochat
Whatsapp ( I know... but I need to have a line from an expert telling me it
Encro phone with encrochat
The theoretical use case is my imaginary drug dealer communicating with
local wholesalers in Holland and the EU, infrequently, on a traceless,
non-contract phone acquired with cash from a trusted third party. No calls,
I know, thanks to thegrugq, that security involves much more than tech. So
although I want to know about the strength of the crypto used by each of
these, I want to know about the ephemerality of messages, and companies'
willingness/ability to co-operate with the law. For example, Wickr claims
it cooperates with police, but that one's messages are inaccessible.
In short, I'd like to know why cops can't access Encro phones, or if Moxie
Marlinspike's free Signal app doesn't just do a similar job.
I'd also like to know if I am safe using these apps to speak to criminals,
and what police can do to identify them if they seize my, or their phone.
Examples of my work:
*• Undercover sting on Chinese MDMA precursor sting*
*• here's a longform piece for US readers. *
Contact details follow. any help would be so very gratefully received.
PGP follows this select portfolio.
Winner: ABSW Best Investigative Journalism
2.0 – out now
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.2
Comment: GPGTools - http://gpgtools.org
-----END PGP PUBLIC KEY BLOCK-----
This e-mail and all attachments are confidential and may also be
privileged. If you are not the named recipient, please notify the sender
and delete the e-mail and all attachments immediately. Do not disclose the
contents to another person. You may not use the information for any
purpose, or store, or copy, it in any way. Guardian News & Media Limited
is not liable for any computer viruses or other material transmitted with
or as part of this e-mail. You should employ virus checking software.
Guardian News & Media Limited is a member of Guardian Media Group plc.
Registered Office: PO Box 68164, Kings Place, 90 York Way, London, N1P 2AP.
Registered in England Number 908396
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging