[messaging] Crypto standards in modern-day consumer apps

Mon Jun 8 10:45:33 PDT 2020

Hello modern crypto crew,

I've lurked on this list for a year or two, knowing that one day I'd seek
your help. Today's the day.

i'm a journalist specialising in drugs, tech, and the net. I wrote the
book Drugs
2.0
<https://www.amazon.co.uk/Drugs-2-0-Revolution-Thats-Changing/dp/1846274591>
about the emergence of a digital drug market. (I once sold 25 bitcoin for
£100, to give you an idea of my all-seeing prescience in the field...)

Part of my work involves communicating with anonymous sources in the
organised criminal underworld. Security is important to me, and much more
important to them. I'm losing key contacts and stories because I can't
afford an Encro phone lease (£3,000 a year).

Anyway, I'm researching a piece on Encro phones and crypto standards in
commercial phone software for a book i'm pitching, and also for a series of
planned articles.

I understand that Encro phones are sold in Holland on six-month leases. I'm
struggling to understand this company's model, and customer base. I've
spoken to users and they just say "it's safe". But they don't even use or
understand PGP or keybase. Every serious criminal I have ever met has an
Encro phone.

This story alerted me to the phenomenon:

https://www.liverpoolecho.co.uk/news/liverpool-news/sold-liverpool-3k-year-mobile-15652444

Almost every murder case or major drug bust in Liverpool involves these
devices.
https://encrophone.com/en/

My questions follow. Any assistance on or off-list would be much
appreciated, and I would cite and attribute any quote of yours that I
use, or we can work anonymously with you as a protected source if required.

Thanks for reading what I think may become a long mail. If anyone would
like to call me instead of writing, I'm on signal and can supply my number
if you mail me at mikepeterpower at fastmail.fm.

So:

1. What advantages, if any, do these Encro phones offer over standard
consumer devices fitted with the latest crypto messaging software? Why not
just use Wickr, Telegram, Signal, etc?  Are they that technically
advaadvanced? How? What makes them better?

2. Would anyone be so kind as to rate, in order of security first, the
following OS and messaging app combos. (The threat model is that of an
experienced drug laboratory owner in the Netherlands selling, but not exporting
 drugs to the value of £10m a year. He works a few months in one spot and
then moves. Interpol would love to arrest him, as would the Dutch police.)

Which oS should this (entirely imaginary) criminal use, and why?

*Android: *
Encro phone with encrochat: https://encrophone.com/en/
Wickr – free version
Signal
Telegram
Keybase
Bat
https://tox.chat
https://www.batmessenger.com
Whatsapp ( I know.! But I need to have a line from an expert telling me it
sucks. The public think it is safe but do not realise that Whatsapp
metadata and lack of perfect forward secrecy, and the fact all messages
pass through a centralised server, is a high-risk set up.
Encro phone with encrochat

*Apple iOS*
Wickr
Signal
Telegram
Keybase
https://tox.chat
https://www.batmessenger.com
Bat
Whatsapp ( I know... but I need to have a line from an expert telling me it
sucks.
Encro phone with encrochat

The theoretical use case is my imaginary drug dealer communicating with
local wholesalers in Holland and the EU, infrequently, on a traceless,
non-contract phone acquired with cash from a trusted third party. No calls,
just text.

I know, thanks to thegrugq, that security involves much more than tech. So
although I want to know about the strength of the crypto used by each of
these,  I want to know about the  ephemerality of messages, and companies'
willingness/ability to co-operate with the law. For example, Wickr claims
it cooperates with police, but that one's messages are inaccessible.

In short, I'd like to know why cops can't access Encro phones, or if Moxie
Marlinspike's free Signal app doesn't just do a similar job.

I'd also like to know if I am safe using these apps to speak to criminals,
and what police can do to identify them if they seize my, or their phone.

Examples of my work:
*• Undercover sting on Chinese MDMA precursor sting*
https://mixmag.net/feature/we-went-undercover-in-a-chinese-mdma-factory

*• here's a longform piece for US readers. *
https://www.playboy.com/read/molly-s-lethal-rebirth

Contact details follow. any help would be so very gratefully received.

keybase: researchsystems
twitter: mrmichaelpower

PGP follows this select portfolio.
---------------------------
*Mike Power*
Winner: ABSW Best Investigative Journalism
<https://medium.com/matter-archive/the-drug-revolution-that-no-one-can-stop-19f753fb15e0>Drugs
2.0 – out now
<http://www.amazon.co.uk/Drugs-2-0-Revolution-Thats-Changing/dp/1846274591>
Portfolio
<http://mikepower.pressfolios.com/>Guardian
<http://www.theguardian.com/profile/mike-power>-----------------------------

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.2
Comment: GPGTools - http://gpgtools.org

mQENBFHcirQBCADWJsvEHUnV8f2VlJygwvOIIFSfqmtv209bVqslMBebis7mkr3n
UVs55Qh7bopub71vInU09ukNxrKW8cCAA49VaProJuGYxEPkaSZhSdz1MMdLNoPs
myMNPDF7F7bosKzmknb0rfSOURIyjElyTFK3TBVvyGLW9y+1KCRDZNjBBWlUC69x
FVD3egUB5OhqAW7RXTotH9db8Eu7w14DNzdMlRDNtK39XTVk16k4ZNstNy8rHGl9
2n59kvB50xiTll5GH4n4OeB+hYWECAvMFBUqD7Iqa9dntpKn5Nisqhj22V8zDPwD
Yqubb2PO1fWGnBN2wpb1JQpa7VWnj/0SKptXABEBAAG0QG1pY2hhZWwgcG93ZXIg
KEZPUiBQUklWQVRFIFdPUksgR0ROKSA8bWlrZS5wb3dlckBndWFyZGlhbi5jby51
az6JAVcEEwEKAEECGy8FCwkIBwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQSm24BR
RpUp//oB3xeXEtwdBf/qzQUCWvmR1QUJFklkIQAKCRCXEtwdBf/qzQ94B/9XWTg4
RmUZNuV0vTmlHfjGZVwTtc1YzTAkvJz1D7IUGAIPMEYVU1gia9IYt2NnJf9Ey0i7
uGhVDNDPSkTZfoQ/trvRfeQZPGFGOcMpM1RwsA0OuG7ao0sAyw0tFQQqj/YxhNyT
nJxgkxHJ3EizYdc0fq9SUez2Wz7y+FGHS+A7QY94BihYiXhsd0KgPj2BebHhH+xL
eueZ5HMW9p0UoaNBYM3SCz82JJ3IlhIf3WJyP4qms1OERuUfR147OkwkzsRpy12v
3jHKFwZ7+RfVBXSgOH/JLntloUdXhaoh0alB4aNCWcUsJSvzIkgsibKnXOsKOLj6
D24OMDsmtKhrfLuMtD9NaWtlIFBvd2VyIChob21lKSAoYWRkZWQgSmFuIDIwMTQp
IDxtaWtlcGV0ZXJwb3dlckBmYXN0bWFpbC5mbT6JAVQEEwEKAD4CGy8FCwkIBwMF
FQoJCAsFFgIDAQACHgECF4AWIQSm24BRRpUp//oB3xeXEtwdBf/qzQUCWvmR3wUJ
FklkIQAKCRCXEtwdBf/qzWdqB/sE254moBy/2raekgazv7jwAEFGarjTHPnZ+WSG
rSvJ1GeLOvLpIs2ZlwH/fiFAIlhCHiRa3g5fAnlCjShnl1oT1WWkno7YalUJpNHB
eQqt5NwWA35KN21q/ilXTOROz+v8i9I5sTd8VcUmYopIRwRv/S7c1YokoRhJhA6x
MDW1KRZXbNzLSxwGJ3LTONsmuFWb/srWvasKGXJh8X+yaU1n6dJeK209ULJ8Iz0j
zBdoSAx8Z4GrqPqjGoJPFUzgijyPfUI1dpPUW4sjRdEllLmLJoCoC/FmeVmZeFrd
Tr3ShaG5JMBpGx3ULp2sEQCaZo/61JpTykoVdolymrJKEgEruQENBFHcirQBCADl
hu7UoZ2+otViSVTj22n7PeC0Rojiie/s45bGvMmNtSLSJcQjGIjGy4K38N+6jaJL
SkgAzZnKlI/mLM57MiBujV7pQY4/sBmcoGzXJnzr+WN005852rlbUtreN+1ntrVR
jE6EKd7/wxE7ItOCUgX/g3mCioIrijN42CiuzHVXQWtnx4mn1OMsXcSAjvmng9JL
7p2oKv9jLk5xNH/qWaMXP6smQW9Vlp66WvWklMK3VNDCaEspvvq+UnUw7iyr6O57
Lb2sZLVo0pvXSBF/yT0KAT9oGJTRTwAkVq8mDRHI53GnB0VKtm6UWnQ00htDFTsR
a4xvzuM3BZFH5iA02/1RABEBAAGJAkQEGAEKAA8CGy4FAlNgFi8FCQJ3cPsBKcBd
IAQZAQoABgUCUdyKtAAKCRA/nMu2/lRGfsozCADRZpArJ1EnOHhhbhr3oYAVlvDJ
j30b1LQTx84vOzPw7UhQUule/1qM2vpsQzAmstmPbiVMewhNN+x1Sh00859ttGkK
Im9qZ9IJv/F1XTZJ7UmOmwB01GUD5sB6pv3JdbbmG7IeGFEk2Jm1rvC5aTahLpan
oY2AwTFetsAW6pzfAjnI7XJCVmoqqwY48XxFoRrQrup9ErP5Uf21TIl7/XYMGIpG
lys3QAom1KLVwPHsCwrNvRlakhBVB4vHZV/x6zX3M3yo5hTCr1LtHlE9+h1Yj1GD
ZiPQ1qDJug0dU5eDsRNLC8d5OV3YOxRrjn13F1NZeR2wJ59uS7ZplEvKjRnhCRCX
EtwdBf/qzcMiB/93WUuU2VikoEl4fwhRjGWT+Q+gdjXGlfpTzM5ivrYN44LSxve/
/WJQd4BEnuWN+Mzt22emhgRM6v2XjV0E66HqRq4DWArPTTGuP9JCv0G1pD+UJGLQ
HNFsUPpGOiKf3rthe3vuqwyy9HQo4COa3cHhqn/h4uSNJRuhZzEQGbDF19twr4Qe
gf5UiU2Ixi/xe2XYTrX7kIPu8iEIIQUqA3whLPpW8chGQ6/xaxqshAf9jKP21Rtu
/QF1HOGNEsDzcKGbfNmORTZQ301QlPmqdbp3vJaGR+LwVk32bFdezx69lAnyHlZo
6h4rJWoNYYfdV29exYjFnTV28EpV6jbEJoMJuQINBFKzat4BEADdvPKsvj42+b9f
ZIpNQFvfm7gCkgGm5iUKPdFRkn2cxALewfNmAUnTCp086E4BQcxPRM93EU2ELOGC
VXiY8Q4a12ocmwKQNv2rHm3+r8DDaDdr1JXEr/iOa/BxdMmw7zMf5Go+jxeqaHod
qsqgqnXHNhGF5hCgjJcfj8023W2arxOgj65lQO3grxnIpTbAH5Bm6Hk11HebFuJe
nSu3WfjujcPypE/wB+dO5OLcDD6S5Bp8MsiDIOzRPuna7s//xvBQasmqoqEN9Q3M
Giu5MGti2JB9GtyPtfa1hv7Mh5kX2YGxRePc3Mg4wZaUy0dr48CoK2pTkEbnF0UE
+D+9P6Ynb7qGf0N4rDrtCXhAo4YntTdsVlKMpzXOdIZFW2Om6QQ5wX/tEgFYDxO7
W+8KDmfqisvtMAa2WuiSl+XxX5fhgRvo0naT04agtXOBj/C8IJwzdHUDOINI8Hp4
ILdZLGp6Roq5pThDMHb1TUI+9C0rVG6W9JFz1ddxECe4mjrccHlqWCsc8b1g4aBS
kcNPGdeW0Cm80GS+yuAhVpoPIsBplpztHJ3Irg/rXiT1LCg7ppjaSfc1P2/KiSDa
eb3bUrSTPlxPEMxm6At0a63N1lEvkP8sEx+Fdgnc0g49EcagVpPB+QkypJ5GT0wB
L5Hn3x0SSN6sLxKlCrvbwyRSh2IoQwARAQABiQE8BBgBCgAmAhsMFiEEptuAUUaV
Kf/6Ad8XlxLcHQX/6s0FAlr5kgsFCRGuy60ACgkQlxLcHQX/6s1lwwf8C0uC0qZT
AG+A3OCCDTcnAopuEMSbnqhF9D48cQB2+fuisSMim5wc3DtVZB2ygWH1ond/K2Zx
CRwQI3ILVEKjX4e+EcZZxbrQyY4nXXSlRaYqmDnwhWEQXq8q1C5XSXeHz8RjzHkk
x923jOG1Xnzg8rqp3UTR4tSX64e4EZRvUUsUN0Y/QdZlO6DsC+/KN+b/U9LhiQPu
WQ1vOr3ygPN9uG6mTKQYcH9vGbUSX8k5v8Hw8hZzjtpvGJl7/yhh3o26PFHU6IWm
QK82/SZC3DzZwAmwnVLCXp9ocwWge66nZJWzNEABGyazVD86psz9DSItuFuT5N5/
I8IqpGYVRYVJOw==
=S1zC
-----END PGP PUBLIC KEY BLOCK-----

<https://www.playboy.com/read/molly-s-lethal-rebirth>

-- 

This e-mail and all attachments are confidential and may also be 
privileged. If you are not the named recipient, please notify the sender 
and delete the e-mail and all attachments immediately. Do not disclose the 
contents to another person. You may not use the information for any 
purpose, or store, or copy, it in any way.  Guardian News & Media Limited 
is not liable for any computer viruses or other material transmitted with 
or as part of this e-mail. You should employ virus checking software.

Guardian News & Media Limited is a member of Guardian Media Group plc. 
Registered Office: PO Box 68164, Kings Place, 90 York Way, London, N1P 2AP. 
 Registered in England Number 908396

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20200608/e3a4decb/attachment.html>