Trojan Phone
TL;DR: The FBI secretly ran Anom, a privacy-focused phone company marketed to criminals, with a pre-installed backdoor. Over 18 months, 300+ rigged devices sold in 100+ countries let agents monitor global criminal communications, leading to mass…
The story of the international plan to put a very insecure phone into the pockets of criminals around the world.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: During World War two, there was a Swiss cryptography company called Crypto AG, and they got their big break with a contract to build code making machines for the States during the war. They make a bunch of money and they become the go-to maker of encryption devices for decades. Gears, circuits, eventually silicon, there's new tech coming and going, Crypto AG, they ride it all out. Throughout the twenty first century they sell to over 120 different countries. They sell to nuclear rivals. They sell to military juntas. When the Vatican needed encryption, they bought it from Crypto AG. But what none of their customers knew was who really owned Crypto AG. For the last fifty years of its existence, Crypto AG was owned by a highly classified partnership with West German intelligence and the CIA. And the devices they made that whole time were, for decades, rigged so the US could easily break the codes that countries used to send encrypted messages to each other. A CIA report described the Crypto AG situation as, quote, the intelligence coup of the century. Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two and as many as five or six foreign countries. They designed the tech, they put the back doors in and they sold it and then spies listened. Decades went by until Crypto AG eventually got squeezed out by the spread of online encryption tech. They didn't manage to make that most recent jump, but for decades they heard everything based on this very simple idea: rather than trying to break the encryption, why not be the one to sell it? So that's Crypto AG. Fifty years later, just those last couple years, some folks started asking the same questions that those Crypto AG folks did back in the seventies. Same question, but about new tech. And while their target was criminal rather than foreign powers, the idea was the exact same.
Rather than break the encryption tool, why not become the one to sell it? The question then is what device do people rely on to encrypt their messages in 2022. So we're going to talk about the very wild story of the Anom phone, here on Hacked. It sounds like a crypto company, doesn't it?
Speaker 2: Well, we literally just spent the hour before starting to record this episode talking about FTX and the goings on of the crypto world. Yay, crypto. So I just love the fact that we're transitioning hot from a crypto conversation about crypto to a crypto conversation about cryptography because I actually much prefer cryptography.
Speaker 1: It sounds like it should be a crypto company that's either running TV ads or in the news for having fled with a whole bunch of money.
Speaker 2: Or just, you know, been been completely out of this the Ponzi scheme it was. One of those things.
Speaker 1: In reality, it is the weirdest phone startup I have ever heard about. Super interesting story. Also, I think kind of our second part, it's making this month into the month of Hollywood Hacked where last episode was all about a show that was being adapted for film. And then I think in the last couple days, a book being written about this by one of my main kind of sources in my note taking got adapted or got licensed by Netflix to be another show, I think this time by the makers of Ozark. So this is our second thing in a row that's gonna get the Hollywood treatment over the next couple years.
Speaker 2: Hell, yeah.
Speaker 3: I would now like to invite Calvin Shivers, representing the United States of America, assistant director, criminal investigative division of the US Federal Bureau of Investigation. Mister Shivers, the floor is yours.
Speaker 4: Over the last eighteen months, the FBI provided criminal organizations over 300, as mentioned by my colleague, in over 100 countries encrypted devices that allowed us to monitor their communications.
Speaker 1: Scott, let's say you're a criminal shopping for a smartphone. You're not a cyber criminal. You are an analog criminal who needs a phone to do your crimes. Sure. But these are serious crimes. Right? Like, you could reasonably have a, you know, a warrant out or a tap against your phone. There might be an international warrant for your arrest, but you're not necessarily technically sophisticated.
Speaker 2: I want, like, the ultimate criminal burner is what you're saying.
Speaker 1: Exactly. So what kind of smartphone do you buy? What are you shopping for?
Speaker 2: Oh, I would love something that probably doesn't have internal microphones. So it's something that I'd have to plug in like a headset to use. I'd probably love something that didn't have cameras on it. Sure. Something that probably doesn't have a GPS chip in it Yeah. Would be better and good. Yep. What else would I want? I want something that, like there's probably no way you could find a phone that could do this, but something with, like, a physical destroy button on it. Like, when I flip a little slider on the back and push a button, the inside of it essentially just melts. That would be ideal. Mhmm. Something with flippable SIM cards for sure, not an eSIM because you probably wanna be rolling SIMs. I don't know. I feel like that would be the beginning of my shopping list.
Speaker 1: That's pretty that's honestly pretty comprehensive. Like, that's a lot of a lot of those features you just said, and even ones that you weren't sure if they would be available, that's a pretty good summary of what this marketplace in '20, say, '20 looked like.
Speaker 2: Okay.
Speaker 1: To get into the Anom phone, let's start by taking a little tour through some of the the real world answers to that question. Because the competition of this this device, this sort of honeypot, gives a pretty good sense of what this phone had to do and who it was doing it for. First big example is an EncroChat phone. EncroChat is created by a European communications network and service provider of the same name, started out as a privacy focused phone that very quickly found its audience in the, you know, the criminal community.
Speaker 1: In terms of its unique hardware qualities, you just named most of them. It had a panic button.
Speaker 2: It actually had a panic button.
Speaker 1: It had a panic button. It deleted the contents of the phone. Wow. But you push it, and it wipes the whole thing. And a lot of the features are just about wiping this thing as fast as humanly possible. It also had, as you said, all of its sensors removed. No camera, no mic. I believe no GPS. If you wanna talk in it, you have to plug in a headphone with a microphone.
Speaker 2: I I I just wanna interrupt and say that I had never looked at this device before I said that list of things. So if it's pretty accurate, then maybe I am a criminal.
Speaker 1: I think you have a go bag, and you were like, oh, I don't know off the top of my head, and you were staring at one of these devices. In terms of the software, and it's the same basic set of goals. Right? It came with a PIN that isn't the real PIN. It's for if you need to provide the cops with a PIN, and they enter that PIN, it would wipe the device. A fake PIN for deleting all the contents off it. Brilliant. Came with a kill pill feature, which allowed you to send, say you didn't have the phone and you couldn't provide a fake PIN, you could send this kill pill to it that would remotely wipe it. You can send encrypted messages, make encrypted calls, and write encrypted notes, all using EncroChat's proprietary apps: EncroTalk, EncroNotes, EncroChat. And all of the data for all of that, the kill pill, all of their different sort of pre baked in apps, all of it flowed through their central servers located in France. And if that is sticking out as a potential vulnerability, having all of that stuff go through servers operated by some company you've never heard of, you have correctly identified the problem with EncroChat.
Speaker 2: Nice. I just I really had never looked at one of these phones, so it's really funny that I, like, nailed that list. I'm a little shocked, But
Speaker 1: It kinda makes sense. Right? There's only so many things that you need a crime phone to do, and most of it's privacy based. So how extreme can you get with privacy on the hardware? Exactly.
Speaker 2: All the remote stuff, I kind of just assume would be there no matter what.
Speaker 1: It was originally marketed to celebrities. But by 2017 it was regarded by law enforcement as kind of the go-to for criminals, and it's a pretty good option. But those French servers were where all the messages went through. In 2019 a joint operation between the UK, French, and Dutch police got a warrant, they broke into those servers and they put a piece of malware on them which interrupted the panic wipe feature, gave them access to the messages that were being sent between users, recorded the real PINs on the lock screens being used. It's unclear to me whether the content was actually unencrypted or it was encrypted but they broke it once they got in. But regardless, by April 2020 European agencies had access to millions of texts, hundreds and thousands of images being sent between these devices. Led them to make hundreds of arrests and they seized millions of pounds of drugs, cash, and weapons.
Speaker 2: If you've been a long time fan of the show, you remember my first problem with passwords episode where I kinda go on about password managers being like the key chain. And if you ever lose access to the key chain, you, like, lose everything. And I feel like that's the same thing they did here. It's like they gave these phones out.
Speaker 1: Mhmm.
Speaker 2: They got people to trust them, and then they took them over and they got access to everything. It's like, yeah, all of the things and the features and safety features you think you have, you don't have. But you trust that you have them, and we're gonna, like, exploit that trust.
Speaker 1: All the security features we've sold to you are only as secure as our operation is and most operations aren't that secure in the face of a warrant is kind of what this keeps going back to. EncroChat goes down but another one pops up. Phantom Secure, a firm that sold privacy focused BlackBerry phones, which ended up catering again primarily to the criminal market. Their big famous customer was El Chapo. And if it's good enough for him, you know, what are you doing that he isn't? So for a while, Phantom Secure was the big one until its CEO was arrested. And interestingly was offered significantly less time following his arrest if he installed a backdoor, but according to multiple sources refused because the only thing scarier than the FBI is the Sinaloa Cartel. You probably don't wanna use Phantom Secure. EncroChat comes up, goes down. Phantom Secure goes up, comes down. As long as there are people technical enough to use a phone in, you know, criminal endeavors but not technical enough to stay secure, there's gonna be a market for this kind of thing. And law enforcement just ends up playing whack-a-mole the whole time. Typically, there's some kind of a distributor in the middle of all this. Someone who knows these devices, has a good lay of the land, but also knows the criminals and can buy and set up the device for them, acting as kind of a middleman, right? Mhmm. And the story of the Anom phone starts with one of those middlemen. In 2018, the FBI gets a new informant. We don't know exactly who this person is, but he sold these types of phones. He had buyers, he kept them up to date on the hottest new device. That was his niche. And the San Diego FBI branch had been working with this informant who was facing charges and had offered to cooperate with the FBI in exchange for a lighter sentence. And I'm really, really curious what the pitch he gave is for this next part because this informant comes up with an idea.
Prior to his arrest, the middleman had been developing his own product to distribute. This sales middleman was getting into the manufacturing and supply side. And the idea he brought the FBI is what if just like Crypto AG did eighty years ago after World War II, instead of law enforcement waiting for another one of these things to pop up and having to inject malware on the server or try and get the CEO to install a backdoor? What if you skipped all that and law enforcement made and distributed the phone itself? What if law enforcement ran his company he wanted to start and produce the devices and sold them to criminals all around the world, all with the backdoor pre installed. This whole, like, theater of security. That is the idea behind the Anom phone.
Speaker 2: It it seems like you would be you'd be making friends with a very powerful group and then making dire enemies with very
Speaker 1: a multitude of very bad people. Yeah. Like, internationally, hundreds of them around the world, you are It's like, hey you have the worst enemies you could have.
Speaker 2: I got I got a few buddies at the FBI now, but I also have, like, 80,000 mortal enemies in every criminal syndicate around the world. Mhmm. You know, I I don't know if there's enough money in that transaction for you to to be safe for the rest of your life. Yeah. That's a that's a scary proposition.
Speaker 1: Is there enough jail time it could get you out of that you would take that deal is another interesting question.
Speaker 2: Totally. I I don't think so.
Speaker 1: Just gonna go to jail. I'm safe. I haven't done anything to these criminals that I'm hanging out with here in prison. I'll just, yeah. I don't know. It's an interesting question. Let's talk about the Anom phone itself. Joseph Cox, a journalist who we weren't able to get a hold of for this and has done a lot of the essential reporting on this story, he's got that book coming out. Very excited to read it. He got his hands on one of these devices. The one he got was a normal Pixel 4a. You turn it on normally, and it's got all the standard apps, Instagram, Facebook, Netflix, but none of them actually work. You click into them, they don't actually open. But if you reset the phone and you enter a different PIN, it opens this whole other partition space within the phone running something called ArcaneOS, which is how folks who bought these years later on Craigslist by accident realized what they had bought. It's got new apps, new wallpaper, clock, calculator, settings, pretty much that's it. Go into the calculator app, however, you can get access through it to a login screen that says enter Anom ID, which is where once you enter your Anom ID set up for you by the middleman, you find the concealed messaging app called Anom. It's kind of the beating heart of this whole thing. It's what you'd use to communicate with other Anom users and this app that you have to go through all of that theater to get to is the place where the CA had access to.
Speaker 2: I like that theater. It's fun. Right? Yeah. You
Speaker 1: gotta punch a code into the calculator to open the login, to type in your password, to let the CIA see what you're sending.
Speaker 2: You gotta notify them. You gotta notify them by going through this process of steps.
Speaker 1: You gotta really let them know. And then
Speaker 2: they're like, oh, okay. This person's a criminal. Like like, turn on monitoring on this device. Completely. We don't wanna waste space in our monitoring matrix.
Speaker 1: We only got so much server space.
Speaker 2: Exactly. Exactly.
Speaker 1: It's got the same PIN wipe functionality as the EncroChat phone. It's got a lot of the same features as most of these other devices. If you've bought a phone like this before, it's a little different, but it's the same basic idea. And it brought up this interesting question when I was reading about this, which is if you buy a privacy phone like this from a company that there is intentionally very little written about, just on a technical level, is there any way to test if it's actually private and secure? Does it always come down to trust? Yeah. Probably.
Speaker 2: Unless you hacked the communications process and got access to the servers and could look at
Speaker 1: Right.
Speaker 2: Everything, there'd be very little way to tell. Because, like, how do you even, even if there was, like, key-based encryption, like, how would you even trust that the keys are, I don't know. It'd be very technically challenging.
Speaker 1: Which means you're not just trusting this company you've never heard of. You're also trusting whatever dude showed up at your doorstep with a trench coat full of weird smartphones and has told you that, oh, yeah, the Anom phone is super legitimate and locked down and encrypted, or the EncroChat phone is super legitimate and locked down. You have to trust that guy, and you have to trust the company you've never heard of. There's a lot of trust involved in using a device that seems like it would only be used by people who have very little reason to trust anybody.
Speaker 2: Yeah. Very it's I don't know. I guess the motto of the Internet these days, trust everybody. Nobody's trustworthy.
Speaker 1: So what's involved in starting and operating a fake crime phone company? First, the FBI had to get a network of people who were selling EncroChat and Phantom Secure type devices to start selling their Anom phone. At first, it was a small kind of launch, 50 devices distributed in Australia for beta testing in 2018. And they just did it through, you know, word-of-mouth, a couple undercover agents pushing it out to folks, but it was a small, small launch. Most of the distributors were not informants. They did not know who was behind the device they were pushing. So they start getting it out there, which is when the nitty gritty of actually running a phone company becomes reality. They're phones, so over time people want upgrades, new devices, smaller phones, bigger screen, whatever. So now they're iterating, come up with new versions. They have to provide software updates as people find bugs, they have to handle customer service. But they kinda pull this off. They keep moving units. But because of who their clientele is and in turn who their competition is, these weird edge cases start to emerge. So your competition's also catering to criminals, which means that the risk of, I don't know if you call it hackers or corporate espionage in this context, but that goes through the roof. They're just trying to fend off attacks now while they're running this, so they don't get figured out by their competition as being the feds. You also have to avoid the thing becoming too popular. It really can't get into the hands of anyone that isn't a criminal you've individually targeted because then you have the public having their messages routed through government operated servers, which has pretty intense legal implications.
Speaker 2: So I'm just trying to see if there's actually, like, some messaging app out there that's actually like, you could build a messaging app where if you wanted to talk to me, I send you my public key, all messages to me get encrypted and you need my private key to unencrypt them and vice versa. How do you know that any quote unquote secure messaging apps are actually secure?
Speaker 1: Right.
Speaker 2: Like are any of them open source? Can I like see the code? And and anyway, now I'm just curious.
Speaker 1: I don't know enough about these apps, but I would be looking at Signal because I know that there's enough people using it that it's probably been dug into pretty hard.
Speaker 2: And it's open source. I'm looking at the source code for it right now.
Speaker 1: There you go. Let's talk about how they talked over this device. Motherboard talked with a guy in Australia who said that Anom was able to make big inroads in the criminal community there. And I guess that the common way it was used was in tandem with a couple different encrypted phones. The big one in Australia was called Ciphr, but the idea was sort of the same everywhere. Folks would use one phone for discussing the logistics of an operation and another phone for talking about the money side of things. They would split communications between multiple different devices and chat services. A lot of these encrypted phones only let users communicate to each other solely on their network. Anom users were talking to other Anom users through the Anom app. Ciphr users were talking to other Ciphr users through the Ciphr app, meaning that if you wanted to talk to people on that network, you needed to have a phone that worked on that network. So you'd end up with, like, a bag of these different things. Then over time, Anom made its way into thousands of people's bags of burner phones, and they used it, as we will discuss, to share millions and millions of messages over the window of time when this was all going down. Anom distribution starts out slow. In October 2019, there was only a couple hundred users of these things around the world. They run this company, and over the years, it starts to grow. By May 2021, there were 11,800 devices with Anom installed around the world. Swedish police had access to 1,600 conversations. Europol stated that 27,000,000 messages were collected from Anom devices around 100 countries. In 2021, there was a very large volume of data flowing through this network that law enforcement had built. And the question then is when, if ever, do you put a bow on this thing and start arresting people?
Speaker 2: Sure. The second you pull the pin once, that's gonna travel so fast. It's not like the Exactly.
Speaker 1: It's
Speaker 2: not like people aren't communicating like they were fifty years ago, sixty, seventy years ago.
Speaker 1: Mhmm.
Speaker 2: I'm not sending a letter to somebody to be like, yo, don't trust this service. Yeah. It's like instantly everybody will know that they're burnt and throw them away. Mhmm. The second it's like at what point you're sitting there watching active crimes happen and at what point do you say that crime is so big that it's Sure. More valuable to shut that crime down than to turn off this entire network we've built of intel. That's gonna be tough.
Speaker 1: Mhmm.
Speaker 2: Especially because it probably wasn't cheap either. No. Like, you'd be hundreds of millions of dollars in at this point, probably.
Speaker 1: Yeah. The thing that makes it different from Crypto AG is that let's imagine some country figures out that their communications on this device were unencrypted, and they become suspicious. Mhmm. They have no reason to tell Crypto AG's other customers about their suspicions because they're other countries. If a criminal gets arrested for something that they communicated about on this phone, they do have an incentive to tell other criminals, hey, stop using this phone. Mhmm. So you don't have that level of, like, the motivations are just completely different when you're dealing with criminals versus nation states. So the second you arrest one person, you kinda have to arrest everybody at the same time.
Speaker 2: Yeah. That's a that's a big day. That is what happened. We arrested, like, a few thousand people. It's a big day. Just decided to blow the entire thing up and just arrest everybody. Let's go.
Speaker 1: Let's talk about that.
Speaker 2: Have after the break. You will be arrested.
Speaker 4: And there are a number of things that resulted from this. Not only have we heard about the number of arrests and number of seizures, but there were over 100 threats to life that were mitigated. And to give you an idea of the magnitude of our penetration, we were able to actually see photographs of hundreds of tons of cocaine that were concealed in shipments of fruit. We're able to see hundreds of kilos of cocaine that were concealed in canned goods.
Speaker 1: There's speculation that the reason Anom ended had to do with a warrant to a server expiring. This suggests maybe that they had repurposed a server that they had gotten a warrant to at some point. It's unclear to me technically what went on here. But on June 7 a warrant to a server they were using in this operation was set to end. Which lines up pretty perfectly with the grand finale to this whole thing. Around the world, the next day, June 8, 2021, search warrants were simultaneously executed. Across 16 countries, over 800 people were arrested. You got alleged members of the Australian based Italian mafia, you have got outlaw motorcycle gangs, you've got drug syndicates, you've got Albanian organized crime. This one day they seize 40 tons of drugs, eight tons of cocaine, 22 tons of weed, 250 guns, 55 luxury cars, and $58,000,000 in cryptocurrency. We get this deluge of court documents that paint a pretty good picture of the scope of this thing not just in terms of the arrests but the resources that went into it that you mentioned earlier. Over the three years it was going, more than 9,000 police officers across 18 countries were involved in the operation. Woah. Europol described it as the biggest ever law enforcement operation against encrypted communication. I won't list off all the different countries where there were arrests, but interestingly, there was one country where no one was arrested for crimes communicated about on the Anom network. No arrests were made in the US because of privacy laws that prevent the law enforcement from collecting messages about domestic subjects. It would have been illegal to collect the messages necessary to arrest people for crimes talked about on Anom phones.
But the DOJ did indict 17 people, foreign nationals living in the States, not for crimes they talked about on Anom phones, which they couldn't do, but they were able to arrest them under the racketeering act for their participation as distributors of these phones. The people who were doing customer service, setting up subscriptions for new customers, canceling accounts, those middlemen moving Anom phones were arrested by the people who made the phone that those people were working for. What? When the FBI wanted to distribute Anom phones, they wanted it to seem legitimate. So they tricked the middlemen that sold other phones in the past, things like EncroChat phones and Phantom Secure, to move this hot new crime phone, the Anom phone. And then at the very end, they arrested all of those people.
Speaker 2: For doing what they asked them to do. Precisely. Isn't that, isn't that like entrapment? Isn't that isn't there laws against that?
Speaker 1: Apparently, they managed to find a way to to wiggle their way through it because, several of those people were arrested.
Speaker 2: I'm definitely not a criminal lawyer.
Speaker 1: That's not if you are 55 episodes deep into the show and that was not immediately clear to you, I sure am not a criminal lawyer.
Speaker 2: One day, Jordan. One day, we'll both be criminal lawyers. This represents the the the the liability of trust. Mhmm. And it's like I feel I feel like that liability of trust. And and, you know, now, today, we're not talking about, like, cybersecurity from the, like, yay, pro cybersecurity and keep the bad guys out. This is definitely a conversation about, like, yay, the bad guys. So it's like the the second you start trusting something, the the second you become liable for it, you know. It becomes a liability in your life, obviously. We've all seen enough criminal movies to know that you need to clean up loose ends, etcetera, etcetera. And I feel like this is one of those things where it's like, if you choose a messaging platform that you inherently believe to be secure, chances are it's probably not secure. Mhmm. It's like the only thing that's like you can truly verify for security. It's like, you know, if you go back with criminals and organized crime for years, you know, that they used to they have their own cryptography, you know, you you create your own ciphers, you know, whatever that is, whether it's specific language or whether it's literally specific ciphers and actually using ciphers to code messages. If you can do that, you know, that is something that you can trust because you've created it. But it is again out of the as it is again hackable. So, you know, is there is there really anything you can trust these days, Jordan? Certainly can't trust the crypto market. So
Speaker 1: This is an idea that comes up sometimes of going dark. It's a term that law enforcement uses. It's military lingo, and it's for when communications drops from a public channel where you can monitor it to a private channel. And it's had a big spike in usage in terms of the debate over how strong encryption used by normal people should be mobile app that uses like end to end encryption designed to protect your data, but that same tech can be used to prevent law enforcement from being able to get access to those communications, which however you feel about it, sometimes they do legally have a right to do. To put a name to this idea and to frame this debate, they call it going dark. And the argument typically coming from law enforcement is that tech companies shouldn't make products that let people go truly, truly dark. NSA has proposed something I hadn't heard of called split key encryption.
Speaker 2: Mhmm.
Speaker 1: I didn't know about that. Basically, they have one half of a key. The vendor has the other half. But with all that stuff, folks on the other side of that debate maintain that the complexity of implementing that provides, again, a point of entry that would ultimately endanger the end user's data.
Speaker 2: I think the I think the the conversation around it you know, I'm I'm by no means an expert in online messaging platforms. But
Speaker 1: Mhmm.
Speaker 2: When people use terms like end to end or point to point encryption, I'm assuming they're talking about something like SSL on the web. Mhmm. So it's like my connection from my device to the server connection is encrypted so that nobody can sniff and see what I'm saying. Right. And then the connection from the server to the other device, say yourself, is encrypted so nobody can sniff and see what you're saying. But the passage of information between those two devices is probably done in raw text. So, like, they're probably I highly doubt, like, maybe Signal, but, like, WhatsApp and Facebook Messenger and stuff are not using individually assigned keys where when I type a message in, it gets encrypted in your public key, sends to you, and then decrypted with your private key. I can I don't wanna guarantee it, but there's a high likelihood that they don't do that?
Speaker 1: Mhmm.
Speaker 2: Some of the true encryption, you know, privacy based messaging apps might do that, but I don't think 90% are. And when they use terms like end to end and point to point, that leads me to believe that it's not truly encrypted. They're just encrypting the tunnel that the messages are going through.
Speaker 1: So the debate here, as I understand it, is assuming not just the tunnel, but the package itself is encrypted. And you live in a jurisdiction, we do, probably everyone listening to this does, where if law enforcement has good evidence that you've done a crime, they can go get a warrant to try and get access to your phone or your messages or whatever. Mhmm. But because of hypothetically the strength of that encryption being robust enough that they actually just can't get access to the message, what does it mean if they come to a tech company, say we need access to this message, and the tech company says because of the design of this platform, we literally cannot give that to you if we wanted to. Privacy minded folks would say that is the product being used by the user as it was designed and intended.
Speaker 5: Mhmm.
Speaker 1: Law enforcement is saying that makes it impossible for you to respond to this legal request. And that's where the debate about going dark is sort of living right now. It should law enforcement and the government have the right to tell the manufacturers of that tech that they can't encrypt it to the degree that makes it impossible for them to respond to these warrants.
Speaker 2: Yeah. We've we're just going full circle back to the philosophy episode about the right to privacy and, like, you know, the email and Twitter scanning stuff where it's Right.
Speaker 1: Yeah.
Speaker 2: You know, what is the trade off and what is the balance that society strikes between privacy and security? And this is just another one of those elements.
Speaker 1: Sure. It also introduces a question of how I used to zoom back in to the Anom phone itself outside of whether or not you wanna use Signal versus iMessage versus WhatsApp. Devices like the Anom phone, EncroChat, Phantom Secure. It introduces a question of how effective these devices can really be. Not whether a person can use a device securely, but what happens when you market and buy a device marketed to the hyper privacy concerned. Because does buying one of those devices, not using an app that lots of folks use, but buying a phone with the camera removed and the GPS taken out and the mic ripped out, does buying that phone inadvertently identify you to the kinds of people that would be looking into activities done on that phone to law enforcement? Does being on a shopping list of people who bought this phone shine a spotlight on you?
Speaker 2: This is gonna sound weird, but I bet 50 plus percent of the people that buy these devices aren't actually criminals.
Speaker 1: I would agree with that.
Speaker 2: They're just they're just people that have private they have a priority of privacy. For what reasons that's on them, but they have, you know, they're people that really are worried or maybe they're conspiracy theorists or maybe they're whatever. This so I bet a lot of these devices ends up end up in the hands of regular people or what I would say regular people, you know, air quotes, non criminals. Yeah. But if I'm a I don't know. Like, you know, if I'm a true criminal, like, especially if I'm a big organized criminal
Speaker 1: Mhmm.
Speaker 2: It's not that hard to write your own messaging platform. I'd be I'd be I'd be I'd be I'd be going so dark that they didn't even know it existed, you know. That's just me. And who am I?
Speaker 1: Yeah. This whole time I've been kind of glibly calling it a crime phone for doing crimes just because it's sort of funny to say. But the makers of devices like this could rightly say no. This is a privacy based device. And maybe a feature like a pin that lets you wipe the contents of the device seems like something that's only useful to a quote unquote criminal, but what if where you live being a political, like, dissident is criminal? Totally. Or being a journalist is kind of criminal. Those devices should probably be able to exist for those people in my personal opinion. Anyway, thanks for listening everybody and a big shout out to our main kind of sources for this episode. Again, all of Joseph Cox's Motherboard's fantastic reporting on this story as well as a piece by Lily Hay Newman for Wired. We weren't able to get, you know, an interview to pepper into this one, but that stuff was first and foremost fun and interesting to read, fun to learn about, and super useful for us again to talk about it for you folks. And thank you to our new patrons on Patreon since the last episode, Michael Oller and Cyber Dick Tracy, who I owe a response to your message. Best way to support our little show: patreon.com/hackedpodcast. That's patreon.com/hackedpodcast. The only Patreon promoted in the final twenty seconds of each episode. Thanks again for listening. Catch you in the next one.