Surveillance Used by a Drug Cartel

Once you build a surveillance system, you can’t control who will use it:

A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a new US justice department report.

The incident was disclosed in a justice department inspector general’s audit of the FBI’s efforts to mitigate the effects of “ubiquitous technical surveillance,” a term used to describe the global proliferation of cameras and the thriving trade in vast stores of communications, travel, and location data.

[…]

The report said the hacker identified an FBI assistant legal attaché at the US embassy in Mexico City and was able to use the attaché’s phone number “to obtain calls made and received, as well as geolocation data.” The report said the hacker also “used Mexico City’s camera system to follow the [FBI official] through the city and identify people the [official] met with.”

FBI report.

Posted on July 3, 2025 at 7:06 AM • 21 Comments

Comments

Winter July 3, 2025 8:28 AM

As one does, so one meets

I guess the whole surveillance system in Mexico city has been installed by US companies. And I even am bold enough to suggest that the American Embassy houses people who are using it in the very same way as I write this.

There are “better” ways to use mobile phones when you want to keep your public phone number separated from your mobile SIM number [1].

I understand people of “interest” have used this successfully for some time now. Anyone doing sensitive work should do this too.

[1] Use this procedure of the below URL, but inverted:
https://protonvpn.com/blog/protect-your-privacy-with-second-phone-number-app/
Your second number is your public number and your SIM card number is data-only, anonymous, and kept secret from everybody, even yourself.

Clive Robinson July 3, 2025 8:51 AM

@ Bruce, ALL,

The possibility of,

“A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track”

Has very recently become a “political hot potato” with ICE “thugs” getting tagged by an application that runs anonymously on Apple Mobile Phones.

Called ICEBlock it’s become the number one app in the past couple of days,

https://www.msn.com/en-us/money/other/ice-tracking-app-surges-in-popularity-following-maga-meltdown/ar-AA1HQwhl

It’s been “freely advertised” by more than one of the “Orange Man’s” bimbos and brain-deads mouthing off to the press that the users of the app are “terrorists” (they are not, unlike the ICE thugs who are by dictionary definition traditional terrorists and in some cases murderers).

So I can see there being significant issues in the very near future or some other “face preserving” numpty nonsense from the “OOOK”[1]

[1] The “OOOK” is a somewhat appropriate insult standing for

Orange Oval Office Koochie (grabber).

(Don’t ask what Koochie means, it will get me time in the “sin bin”, especially as it’s easy enough to look up.)

Jay Ashworth July 3, 2025 12:49 PM

I have dubbed this problem ‘capability creep’, by analogy to ‘feature creep’, and the canonical example is somebody having evidence provided in their divorce case that they were having an affair because they had a toll pass that showed that they were driving to a place on a regular basis they would have no other reason to need to drive to.

Opposing attorney subpoenaed the toll records, let the jury decide for itself what they thought.

If you build a data collection system, and you do not engineer protections against this sort of thing right into the lowest levels, you will get the worst possible outcome.

Tim July 3, 2025 12:53 PM

Now we know who’s watching the watchers. Who could’ve guessed? Oh wait, everyone.

Clive Robinson July 3, 2025 4:10 PM

@ Jay Ashworth, ALL,

With regards,

“If you build a data collection system, and you do not engineer protections against this sort of thing right into the lowest levels, you will get the worst possible outcome.”

Sorry no.

If you build a surveilling or data collecting system, there is no protection system you can engineer to stop the “worst possible outcome” becoming the most desirable to those who can “work the system”.

A few years back we talked of “Parallel Construction” now nobody bothers because it’s become the “default reality”.

john July 3, 2025 5:11 PM

The security cameras in Mexico City aren’t the only ones we control. I have access to every camera in DFW, SFO, CHI, NYC, DC, and MIA. And we’re coming for your cameras next.

Not really anonymous July 3, 2025 5:51 PM

That should have been duct tape. My excuse is going to be that I listened to “I want a new duck” a fair amount over the last couple of weeks.

Clive Robinson July 4, 2025 4:27 AM

@ Not really anonymous,

‘My excuse is going to be that I listened to “I want a new duck”…’

Hmm “Weird Al” Yankovic “taking the mick” out of Huey Lewis and the News and their “I Want a New Drug” (with Huey’s assistance)…

https://www.youtube.com/watch?v=3KvgQIBcdRk

Yes I’ve been hearing stories that the song is becoming popular again this year in some circles of a certain “hue”. Because the song appeared in a “Disney special” in the mid 1980’s called,

Down and Out with Donald Duck, that was used as part of a montage of “The Donald’s fall” from popularity / stardom as part of the closing credits…

That gets rather more than a +1

But for something of more worldly appeal there are so many others…

How about,

1, “It’s a roll of Chinese fake duct tape.”

2, “It’s a noname brand that passes the duck test.”

3, “It’s got so expensive you’d have to be Quackers to buy it.”

It is “just made for plays on words”.

Telecom July 4, 2025 8:21 AM

Can someone explain how the city cameras could be related to phone location in real time?

Who? July 4, 2025 10:34 AM

@ Clive Robinson

Down and Out with Donald Duck

Just to make it clear… you are not talking about the President of the United States, right? 😉

Seriously, what happened with UTS deployment in this case was predictable, and can only get worse over time. By definition, something that is ubiquitous cannot be locked out against someone trying hard enough to break-in.

In this case, what would have been bad for citizens has become bad for government. The intended effect of UTS, but on an unwanted target.

Who cares? We are in the capitalism of surveillance for bad or worse.

No one will learn from this incident, I would say UTS will become even more ubiquitous over years, while the consequences will make it even more terrible for everyone.

Who? July 4, 2025 11:00 AM

@ Telecom

It is better outlined in the original report:
https://oig.justice.gov/sites/default/files/reports/25-065_t.pdf

(see page 2, “examples of the UTS threat”.)

They used ALAT’s mobile phone number to know who he called, or from whom he received calls, and geolocation data to know where he was. City’s camera system was used to track him through Mexico City and identify people that talked to him.

Clive Robinson July 4, 2025 1:28 PM

@ Who?

With regards,

“Seriously, what happened with UTS deployment in this case was predictable, and can only get worse over time. By definition, something that is ubiquitous cannot be locked out against someone trying hard enough to break-in.”

Firstly to be honest “Ubiquitous Technical Surveillance”(UTS) sometimes also called “Universal” because of the aggregation backends the likes of Palantir are involved in, scare me beyond what many can understand without sufficient in-depth knowledge.

The big problem with Palantir is that they are using what many would think of as AI systems,

“To remove human detectives/analysts from the loop.”

They also “package up” from several databases including people’s confidential health and other records Law Enforcement and other entities are not supposed to have any kind of access to. The output of which after a little white washing gets sold on to other Agencies and Corporates.

This unfortunately can and does get used as input by other agencies with the result guesses become nonsense that after a few rounds become “verified facts” and even though complete nonsense get passed out in a “confidential way” to those who can pay.

It’s believed but not fully verified that this information is getting into the hands of financial institutions, insurance companies, and others who provide employers with potential employee screening etc.

The fact is much of the information is wrong, and oft deliberately so. Thus people are getting “serially harmed” and they have no real evidence they are being treated differently because of false information being not just generated but sold to who ever under some kind of “don’t let the victim know” “non disclosure agreement”.

As you mentioned the current US president, do you remember “The Christopher Steele Dossier”?

That 35 pages of mostly junk information much of which was at best “gossip” mixed in with fake-news. But nevertheless got people fired up.

Well it’s been indicated that Palantir have automated that process. So type in just about anybody’s name, hit enter then click the print button… And out pops twenty to fifty pages of similar nonsense on the person…

This is the “new normal” people are starting to have to live in…

Look into the history of “The Number 10 Nudge Unit” contrary to the way it’s painted it did not start with UK Prime Minister David Cameron. It originated as part of an idea by civil servants under Tony Blair and got squashed when he left office.

You will find reference to the idea as,

“The basic idea is that humans make consistent errors in judgement when faced with choices. We do not make the decisions that are best for us, nor the ones that we would make ourselves if we reflected on them rationally and summoned up enough willpower.”

https://moneyweek.com/economy/nudge-theory-years-later

Whilst some people are impulsive especially “in the little things in life” the real idea of the “nudge” is State or Corporate control of entire populations, not for the benefit of the citizens –that’s the cover story– but the politicians and their pay masters.

The problem… It turns out that nudge units are a failure, yet they still persist.

A sensible question would be “Why?”

Well it turns out the idea is “oh so seductive” and the “belief is it should work”

So “Why did it not work?”

Might make the next logical question.

Well if you think about it as a “generic nudge” it’s just more noise in an economy of noise. So the argument from proponents of the idea is it was “too generic and lacked individual focus”…

Remember these reports that are in effect,

“Automated slander”

Well slander they may be, but pushed the right way they make good blackmail material.

So Plan B is not “Nudge them” but “Hit them” with “tailored blackmail”.

And that is what Palantir and others sucking in UTS feeds are doing with their AI systems… Making “blackmail” files to get compliance out of any unfortunate citizen whose number has come up.

Few will believe this if you tell them but it was also part of the package Cambridge Analytica was selling to second and third world politicians based on unlawful access to “social media gossip”. And that was funded by the man who was trying to “Own the GOP” and the entirety of US politics… And although he’s supposedly retired from trying to be a King Maker, his daughter Rebekah Mercer is in it way beyond her eyebrows,

https://newstracs.com/update-on-cambridge-analytica-funder-rebekah-mercer/2024/07/08/

I think it’s fair to say that most around here are aware of Project 2025, and how Trump is blackmailing the tech industry for billions…

As they say “join the dots”, so “keep your head below the parapet”, and “with luck and fair winds following you will weather the storm”.

V. Serge July 4, 2025 5:48 PM

Bruce has often said (paraphrased) “either it’s secure for everyone or it’s NOT SECURE FOR ANYONE.”

Just really tiresome how brownie points and economics are still eclipsing the obvious.

It’s seriously time to move into a SEIF cage, and use OTP if you want security.

Check out John Shearing’s idea from a while back: github.com/johnshearing/PrivateKeyVault

(Use your phone to transmit QRCODE mpgs only, and put it back in a tested faraday bag in airplane mode, where you also charge it from a battery.)

Thanks again Bruce

Peter July 4, 2025 9:54 PM

Good for them.

BTW Winter that doesn’t work either in practice because all the burner numbers require you to tie it to a real phone number as “know your customer” laws have basically moved to every industry including telecommunication providers. Just like open relays, anonymous online boards, and anonymous email has died in practice. Cypherpunks lost, Brin won.

It used to work in the days of throw away prepaid SIMS but I don’t think those exist anymore, at least in the US.

Also many Americans who need that service most are legally precluded from having burner phone numbers. Remember we live in a police state in the US, have since the mid-90s.

Not saying it’s impossible to do but the effort is too much for most people as generally it involves buying stolen phones off homeless addicts.

Clive Robinson July 5, 2025 4:15 AM

@ Bruce, ALL,

First off hope the National Holiday was fun for everyone.

However “technical sophistication” goes many ways…

There are reports of a gang of high-tech robbers using high power broadband jammers, cutting cables in wide area and taking a million or so in jewelry out of safes after cutting through parts of the building.

https://abc7.com/post/7-men-arrested-hole-cut-roof-robbery-bidrussian-jewelry-glendale/16912269/

Whilst what I’ve seen is high on drama it’s all low on technical details which makes the burglaries difficult to assess.

From what I can tell at least seven of a larger gang were caught whilst performing another burglary using the same tactics as the May Bidrussian Store.

Which suggests that authorities were actively watching the criminals in some way other than the old fashioned gum-shoe sit and drink coffee in a van way.

But for those thinking about such a life of glamour consider the following.

Firstly the group was larger than the 7 caught, to make the math simple let’s say there were ten in the gang.

Secondly though the news talks of more than a $million that would be the “insurance value” not the “realisable value” that would have been closer to “ten cents on the dollar”. Let’s say 20% if they are part of a sufficiently well organised crime group. Or just 2% or maybe $10k – 20k each. That is not “life changing money” in the US these days where even basic groceries are 5-10 times the price they are in Europe and other First World Nations.

And that’s before the inevitable cost of the equipment that is effectively a “use once and leave/dispose” thus consumable type expense.

On a technical note modern digital based communications are very vulnerable to jamming because of the need to be “synced-up” in various ways. So all you have to do is jam the “ack/sync” coming back to the handset and it will fail to establish communications.

Old style analog systems however, whilst you might jam “response signals” from control, the chances are the handset transmit signal will get to the controllers unless the users of the jammers are technically sophisticated and have good intelligence.

So if as a guard etc using old style analogue radio systems and you are taught to recognise received “man made interference”(QRM) and just “talk over it on high power”… The chances are good that your message will get through after two or three repeats.

Winter July 5, 2025 1:26 PM

@Peter

“because all the burner numbers require you to tie it to a real phone number as “know your customer””

The number you are called on is “official” and has your name on it. Only the SIM card you use to get online is not. The burner phone is not used as a phone, but as an access point.

I don’t know the laws in the US, but here I can get a SIM without an ID. Anyhow, you can use any random phone you borrow or rent.

The idea is that my phone number cannot be used to locate and follow me as the call number is not the location number.

Clive Robinson July 6, 2025 9:30 AM

@ Bruce, ALL,

If your military can, our narco lords can.

A low profile or semi-submersible boat with StarLink on it is grabbed by the Colombian Navy : No drugs were hurt during the making of this story…

https://www.france24.com/en/americas/20250702-colombia-narco-submarine-starlink

“The vessel was not carrying drugs, but the Colombian navy and Western security sources based in the region told AFP they believed it was a trial run of an unmanned vessel by a cocaine trafficking cartel.

Manned semi-submersibles built in clandestine jungle shipyards have been used for decades to ferry cocaine north from Colombia, the world’s biggest cocaine producer, to Central America or Mexico.

But in recent years, they have been sailing much further afield, crossing the Atlantic and Pacific oceans.”

This is actually a bad idea by the drug lords… Because Starlink know exactly where the Starlink Terminal is to within a few meters at most.

So an odd path not accompanied by other telemetry such as AIS or similar, has a certain smell about it…

https://en.m.wikipedia.org/wiki/Automatic_identification_system

Thus data will make it out of Starlink to various Government agencies and entities.

lurker July 6, 2025 2:47 PM

@Clive, ALL

Starlink? Shades of Encrochat … Surely the Colombian Narco Lords should by now be able to afford their own cubesat. That would have made a better story for MSM.

Clive Robinson July 6, 2025 6:29 PM

@ lurker, ALL,

With regards,

“Surely the Colombian Narco Lords should by now be able to afford their own cubesat.”

Funny thing, I’ve got not just my own –hardware test prototype– cubesat sitting on the bench, I’ve a number of working “coinsats” of various sizes.

The least expensive of them would cost you less than $100 to make.

Thus the Narco Lords could afford a great many satellites, but that’s not the “big expense”.

Even when being re-used those rocket parts are expensive due to testing and quality control and you would probably be looking at several tens of millions to have your own launch, no matter where you go.

The big problem though is not money but “slots” to put satellites in. We’ve chucked up so much junk with no thought about how to get it down that in some respects it would be like trying to para-glide through a flock of geese unless you had access to all the right information.

But you can not just launch a rocket Uncle Sam would at the very least stamp his foot. A few years back both China and India in effect did a “flick the bird” at the red white and blue topper and started doing their own anti-satellite-weapon development launches without notification / consultation and this apparently caused twitchy fingers to hover over key switches for all sorts of retaliatory objects including ICBMs etc…

Since then things have backed off a bit, but there are now quite small rockets you could almost “carry up on your own”.

But a more serious limitation is radio spectrum. It can take ten years to get an agreed upon operating frequency. Unfortunately this has caused some to poach RF spectrum from Ham Bands.

But if it was me I’d use balloons much as China did a couple of years back.

A string of balloons would be relatively easy to put up into the jetstream and act as repeaters for each other…
