I don’t want to open new topic, even though this news might not be appropriate for this one. However, it was interesting to me this group have been used Wire and then switched to Riot for communication. Though it’s not clear how they got caught. But it seems, someone’s device was compromised. Also, there is no info of matrix homeserver that was used
I agree and considering that I will be moving this message + replies to a new thread once I have written this. I feel uncomfortable with marking this as News though.
Before I continue, I have to say that I feel insecure about commenting to mistakes criminals are making in case they learn from it, but that reminds me of the link below and I have to request everyone going to comment to check our Code of Conduct as I have fears towards what this topic can bring up.
I haven’t seen Wire mentioned before in connection with neonazi groups, but regarding Matrix there has been (is?) a problem with ISIS terrorists using it for recruitment and homeservers are depedent on user reports from users understanding their languages.
The article gives me an impression that someone pretended to be a neonazi and leaked messages that were (also) encrypted (to them). Alternatively someone developed a conscience. I will be continuing technical possibilities in the end.
With Matrix the used homeserver is irrelevantish as messages are stored on all homeservers that have members in the room. For example all messages sent to
#general.privacytools.io are stored on 138 homeservers (assuming they all are online), you can see this from e.g. https://chat.privacytools.io/_matrix/client/r0/directory/room/%23general%3Aprivacytools.io (json).
However the homeserver does have power over users and the admin could theoretically add devices for users and thus decrypt messages in the room if the users didn’t verify each others keys to be sure that that wasn’t happening.
It’s like tor browser it will help you to be anonymous but it won’t protect you unless you do it — I mean yes anybody can use tor but not anybody aware or can protect their info so you can leak your info over it and people will know its you so its important to use “privacy services” with “privacy” in mind (or it won’t help you if someone already hacked your device)
This should probably go into “Fails of the Week” kind of category. I have mixed feelings about this news in particular.
Generally speaking, antifascists infiltrate these groups and post their chats. Rather than trying to exploit apps, etc.
Nazis aren’t the smartest bunch.
Not only that, nazis tend to want to advertise to everyone and anything about their certain fixation.
I’m glad this happened for two reasons. First one is, of course, such organization is busted and its members will be prosecuted. The other one is, we see that E2EE is not something that will give criminals possibility to get away easily, and they can still be caught. It is important to bring such cases when it comes to EARN IT and similar acts. Law enforcement can actually do their work without it. Yes, it requires additional resources and more time, but that is not the reason to compromise people’s privacy and security. And cause many other issues.
Thanks. But I suppose in such cases, organizations will have its own homeserver limited to members only and restrict external communication, something like businesses usually use. So all messages will remain only there, right?
Oh, yes, if the homeserver requires federation and requires everyone to use their homeserver, then the security is up to administrator of the federation-disabled-homeserver (assuming users neglete verifying each others devices). That could be a bit challenging on mobile though if the user wanted to participate the wider Matrix ecosystem.
I don’t know if this is something to worry about, criminals have a lot of ways to learn things, I don’t think we should not talk about flaws in other people’s opsec to learn from them just because maybe bad actors will use that information.
When I saw the “How people got caught?” conference from the DEFCON I learnt a lot of how TBB works, the limitations and possible ways in which I could be de-anonymized and it never crossed my mind to use that information for genocide.
This is kinda shitty in terms of privacy to be honest, I don’t see a reason to store messages in so many home servers.
I am also glad that fascists got caught, but I don’t think this proves anything. If I’m not wrong, the EARN IT act is an attack on encryption as a whole, not just E2EE encryption, and in this case they weren’t caught because of a bad use of E2EE or because a flaw in it or something similar, just because someone infiltrated there and ratted them out. Still, I guess they could have either hacked their home server and try to get the data of the messages, hacked their phones or do a correlation attack, but yeah, it’s more complicated.
I’m obviously against said act, but I don’t think this proves anything, you can’t fight conservatives with facts (even less in the US), the current situation with COVID-19 is a living proof, they will find an excuse that adapts to their ideology. You fight conservatives with PR.
What I meant is - this proves you don’t need EARN IT (or any attack on encryption) in order to catch criminals. You just need more work. Which is ok, especially since we know many countries are spending their IA resources on some stupid stuff.
I think techcrunch article Mikaela posted sums it up very well
Yeah, I think it also might be an issue. Though with E2EE enabled, it’s not that big problem. But also, it might be a good thing, if one server goes down, messages/rooms will remain on other ones