On Tue 24/Oct/2023 06:53:37 +0200 Matt Palmer via mailop wrote:
> On Tue, Oct 24, 2023 at 03:11:06AM +0100, Richard Clayton via mailop wrote:
> > In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt Palmer
> > via mailop <mailop@mailop.org> writes
> > > The relative "noisiness" of the attack, in fact, is a fairly strong signal
> > > that it *isn't* lawful intercept; western law enforcement agencies are
> > > typically very hesitant to do anything that could "tip off" the target of
> > > their investigation.
> > In my, perhaps jaundiced, view the revelation of the attack (an expired
> > cert) suggests that it was indeed LI ... it's the sort of thing that
> > goes wrong with ad hoc arrangements.
> I would contend that p(noisy hackers) >> p(noisy lawful intercept). It's
> not that the cops don't screw up now and then, but rather that their
> failures tend to have greater adverse consequences (media, politicians,
> blown investigations, abrupt career termination, etc), so they're more
> motivated to not make this sort of mistake.
> Meanwhile, hackers (and I include most of the non-western nation states
> here) don't have to worry about PR problems, so forgetting to clean up after
> themselves is less of a concern. The exception of course is opsec failures
> that lead to lengthy terms of incarceration, but forgetting to renew a cert
> isn't *that* kind of mistake.
Is that the way it went? Let's Encrypt certificates get renewed automatically,
so it's hard to "forget" to do it. In order to get those certificates, and to
divert traffic toward their proxy, they must have had access to a local router
or something. When that was fixed, fake certificates failed to renew. No?
I'm not clear what the role of an anonymous cipher would have been.
Best
Ale
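The situation the thread describes, an interposed proxy presenting its own certificate for the operator's name until that certificate lapsed, is exactly what a server operator can catch by comparing the leaf certificate actually served with the key and issuer they control. The following Go program is an added example and is not code from anyone in this thread; it constructs two throwaway CAs and two leaf certificates in memory (all names, such as "Example Issuing CA", "Other CA" and "xmpp.example.net", are made up for the example) and runs the same check over the operator's own certificate and over the proxy's expired, foreign-issued one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIHash returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value an operator records for the key they actually hold.
func SPKIHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckLeaf compares an observed leaf certificate with what the operator
// expects. An empty result means "this is our key, our issuer, still valid".
func CheckLeaf(cert *x509.Certificate, expectedSPKI, expectedIssuerCN string, now time.Time) []string {
	var findings []string
	if SPKIHash(cert) != expectedSPKI {
		findings = append(findings, "key mismatch: certificate is not for the key we control")
	}
	if cert.Issuer.CommonName != expectedIssuerCN {
		findings = append(findings, "issuer mismatch: "+cert.Issuer.CommonName)
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, "expired: "+cert.NotAfter.UTC().Format(time.RFC3339))
	} else if cert.NotAfter.Sub(now) < 7*24*time.Hour {
		findings = append(findings, "expires within 7 days: automatic renewal may be failing")
	}
	return findings
}

// newKey generates a P-256 key; failure is fatal in this constructed example.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues a certificate for pub signed by parent/parentKey. With a nil
// parent the certificate is self-signed, which is how the constructed CAs are made.
func makeCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario builds the constructed situation: the operator's genuine leaf
// certificate, and one a traffic-diverting proxy obtained from another CA for
// a key the operator never held, which has since lapsed. It returns the
// findings for each.
func Scenario(now time.Time) (ourFindings, proxyFindings []string) {
	caKey := newKey()
	ca := makeCert("Example Issuing CA", &caKey.PublicKey, nil, caKey, now.Add(365*24*time.Hour), true)
	serverKey := newKey()
	ourLeaf := makeCert("xmpp.example.net", &serverKey.PublicKey, ca, caKey, now.Add(60*24*time.Hour), false)
	expectedSPKI := SPKIHash(ourLeaf) // what the operator would pin

	otherCAKey := newKey()
	otherCA := makeCert("Other CA", &otherCAKey.PublicKey, nil, otherCAKey, now.Add(365*24*time.Hour), true)
	proxyKey := newKey()
	proxyLeaf := makeCert("xmpp.example.net", &proxyKey.PublicKey, otherCA, otherCAKey, now.Add(-24*time.Hour), false)

	return CheckLeaf(ourLeaf, expectedSPKI, "Example Issuing CA", now),
		CheckLeaf(proxyLeaf, expectedSPKI, "Example Issuing CA", now)
}

func main() {
	ours, proxied := Scenario(time.Now())
	fmt.Println("our certificate:", ours)
	fmt.Println("proxy certificate:", proxied)
}
```

In practice the observed certificate would come from a periodic TLS probe of the service (or from Certificate Transparency logs, which also record certificates issued for a name to keys the operator does not hold); the check itself is the same, and the key-mismatch finding is the one worth paging on, since it fires long before the expiry the thread says gave the proxy away.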
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop