[HN Gopher] Hackers gaining power of subpoena via fake "emergency data requests" Author : todsacerdoti Score : 396 points Date : 2022-03-29 14:11 UTC Link : krebsonsecurity.com | tlogan wrote: | The only way to verify that something is sent by a certain person | is to contact that person over a "secure line" and ask them about it. | | The "secure line" can be just a phone call to the police department | asking for the officer with badge number xyz. | sonicggg wrote: | It sounds like EDRs shouldn't really be a thing. If the police need | a court-issued warrant to enter my home, why can't they enforce | the same for data access? | | If there's one thing I learned from practice in programming, it's that | the more "exceptions" you make, the more room there is for bugs | and security flaws. The same applies to everything. Keep rules | simple. The more "if this, then that" you add, the more loopholes | you may find. | IncRnd wrote: | In methodology this is similar to an ancient scam, where scammers | would send fake yellow page/phone book invoices to companies. | Many companies would just pay the bills. | judge2020 wrote: | https://www.npr.org/2019/03/25/706715377/man-pleads-guilty-t... | ivanhoe wrote: | Wouldn't it be better if the federal government opened a service | for handling all EDRs nation-wide, and then forwarded the legit | ones to the IT companies as needed? It would simplify the | verification, maybe scare some hackers away because it'd become a | federal crime to fake it, and also allow for some stats on how | many such requests are really urgent, and how many (I presume a | lot) are just used to circumvent the law because courts would | reject them.
| goodluckchuck wrote: | That might work great if the federal authorities were reliable, | motivated, and their interests were always aligned with state | authorities. | | However, there are often disputes where the feds do not want to | prosecute certain groups or individuals, and might interfere | with state / local authorities. (e.g. police in a Democrat-run | state prosecuting allies of a Republican president and vice | versa, or investigations into federal informants who are | violating state law). | | This would also make it easier for the feds to perform | on-path attacks where they "forward" EDRs from state / local | authorities that were never issued by those state / local | authorities. | caymanjim wrote: | This is, to me, the only real solution. We can't have the onus | be on individual companies to vet requests coming from random | podunk police departments nationwide. Companies will err on the | side of caution/CYA and honor requests they shouldn't, lest | they find themselves responsible for causing harm by inaction. | But companies don't have the resources or legal authority to | make those determinations, nor vet the authenticity of requests | from every government entity that might make one. There's | also plenty of reason not to trust some small town police force | that might not have adequate internal controls, or might have a | rogue officer far exceeding his authority. | | The feds need to own this and all requests need to flow through | them. It wouldn't be hard for them to have a small staff | available 24/7 to confirm requests and forward them on to | businesses, and then the business only needs to trust a single | entity. There may still be disputes over the legality, but | those disputes will need to be defended by the central federal | authority, rather than putting the burden on every company. | KennyBlanken wrote: | > lest they find themselves responsible for causing harm by | inaction.
| | In the US, the police aren't responsible (in a criminal or | civil sense) for harm due to inaction. I don't know why you | think a national/multi-national corporation would be. | caymanjim wrote: | I was referring to companies fearing repercussions from | inaction and acting without adequately vetting requests | because they aren't able to and err on the wrong side. | ivanhoe wrote: | It's not just a legal action that a company has to think | about. Getting caught up in a case of someone dying or being | hurt because your company wasn't prompt in assisting police | could be a huge PR screwup, even if there's no legal | responsibility. | | And it doesn't have to even be a decision on a company | level, ordinary people are strongly inclined to follow | police requests and see them as an authority, so employees | of the company will feel it is their duty to provide the data | promptly. Just look at all those cases of pranksters posing | as police officers and making ordinary people do insane and | even clearly illegal things just because they were "ordered | so by the police". Compared to what that McDonald's manager | did [1], pulling some personal data from the database and | emailing it back to the person one believes is a police | officer is nothing. | | [1] | https://en.wikipedia.org/wiki/Strip_search_phone_call_scam | heavyset_go wrote: | > _We can't have the onus be on individual companies to vet | requests coming from random podunk police departments | nationwide._ | | The onus is already on individual companies to vet requests | from private individuals that want to move money around via | Know Your Customer laws. I don't see why the same shouldn't | apply to verifying whether or not a request for customers' | private information is valid or not. | Jerrrry wrote: | Faking EDRs and GDPR requests is the newest way to take over anyone's | account, for many platforms. | | just the effort companies made to support the requests allows for | shenanigans.
| | if you can't take over the account - you request it be deleted, | then remake the account with the username/email desired. | phendrenad2 wrote: | Interesting. And since you can't even store the email address, | you can't detect that someone is recreating a deleted account. | Hashes to the rescue though. You can just return a cryptic | "email/account name not accepted" message. | Jerrrry wrote: | Is storing a hash not also invasive? | | I don't store your IP or SSN. I store the MD5 hash of it. | | If the bit-space is easily enumerable, it is just as bad... | | but is it? | ttyp3 wrote: | How about requiring phone verification that routes through a | public number/central source? | | If it's a true emergency, someone should have no difficulty being | available for a call. | | (The main number could be compromised too, but come on...) | nomercy400 wrote: | Yeah, exactly. Maybe we can give it a name, how about multi- | factor authentication? So you verify that you are who you say you are | through a different factor/channel. And making a phone call to | actually talk to a person in real time. | rvr_ wrote: | One way to approach crime is to make the risk too big. What about | punishing with death those who do identity theft and | impersonation? Our society tolerates too much crime. | nullc wrote: | "Hi, I'm rvr_ member of law enforcement, someone's life is in | danger, please provide customer details for IP 1.2.3.4 | immediately!" | | ... ignoring those double impersonation swatting problems, | enforcement against crimes online is really hard due to global | scope. Police won't even investigate because all they find is | that the hacker was some Russian and they can't do anything | about it.
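An added example for the exchange above between phendrenad2 and Jerrrry about keeping a hash of a deleted identifier as a "tombstone". This is editor-written Go, not code from the article or from anyone in the thread. It shows two things: an unkeyed MD5 of an IPv4 address is recovered by simply walking the address space (the input space, not the hash, sets the cost), and keying the hash with a server-side secret (HMAC-SHA256) removes that attack while still letting the sign-up path answer "accepted or not". The tombstone layout, the secret, and the sample address and e-mail are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// Tombstone is the hash a service keeps after deleting an account so it can
// refuse re-registration of the same identifier without storing the
// identifier itself. Constructed for this example.
type Tombstone string

func normalize(value string) []byte {
	return []byte(strings.ToLower(strings.TrimSpace(value)))
}

// Md5Tombstone is the unkeyed scheme the thread describes ("I store the Md5
// hash of it"). Anyone holding the tombstone can test guesses against it.
func Md5Tombstone(value string) Tombstone {
	sum := md5.Sum(normalize(value))
	return Tombstone(hex.EncodeToString(sum[:]))
}

// HmacTombstone keys the hash with a secret held only by the service. Without
// the key a guess cannot be checked, so a small input space no longer matters.
func HmacTombstone(key []byte, value string) Tombstone {
	mac := hmac.New(sha256.New, key)
	mac.Write(normalize(value))
	return Tombstone(hex.EncodeToString(mac.Sum(nil)))
}

// SignupAllowed is the check a registration path would run: the caller learns
// only "accepted or not", never the stored value.
func SignupAllowed(key []byte, tombstones map[Tombstone]bool, email string) bool {
	return !tombstones[HmacTombstone(key, email)]
}

// RecoverIPv4 brute-forces an unkeyed MD5 tombstone by walking every address
// in a CIDR block. All of IPv4 is only 2^32 guesses, minutes of work.
// It returns the recovered address, how many guesses it took, and whether the
// tombstone matched at all.
func RecoverIPv4(t Tombstone, cidr string) (string, int, bool) {
	_, block, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", 0, false
	}
	ip := make(net.IP, len(block.IP))
	copy(ip, block.IP)
	tried := 0
	for block.Contains(ip) {
		tried++
		if Md5Tombstone(ip.String()) == t {
			return ip.String(), tried, true
		}
		if !incIP(ip) {
			break // wrapped past 255.255.255.255 (only possible for 0.0.0.0/0)
		}
	}
	return "", tried, false
}

// incIP adds one to an address in place; false means it overflowed.
func incIP(ip net.IP) bool {
	for i := len(ip) - 1; i >= 0; i-- {
		ip[i]++
		if ip[i] != 0 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed server-side secret; keep it out of the database")
	victim := "10.0.37.201" // constructed sample value

	addr, tried, ok := RecoverIPv4(Md5Tombstone(victim), "10.0.0.0/16")
	fmt.Printf("unkeyed md5: recovered=%v %s after %d guesses\n", ok, addr, tried)

	_, tried, ok = RecoverIPv4(HmacTombstone(secret, victim), "10.0.0.0/16")
	fmt.Printf("keyed hmac:  recovered=%v after %d guesses\n", ok, tried)

	deleted := map[Tombstone]bool{HmacTombstone(secret, "Alice@Example.com"): true}
	fmt.Println("re-register alice@example.com:", SignupAllowed(secret, deleted, "alice@example.com"))
	fmt.Println("register bob@example.com:", SignupAllowed(secret, deleted, "bob@example.com"))
}
```

The keyed variant only changes who can enumerate: the service itself, holding the key, can still test any candidate address against its tombstones, so the key has to be protected and rotated with the same care the raw identifier would have needed, and the database alone no longer answers Jerrrry's question in the attacker's favour.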
| theknocker wrote: | einpoklum wrote: | > It involves compromising email accounts and websites tied to | police departments and government agencies, and then sending | unauthorized demands for subscriber data while claiming the | information being requested can't wait for a court order because | it relates to an urgent matter of life and death. | | Ah, very simple then: Ignore such demands for as long as you can, | then, if approached by actual law enforcement, tell them you were | told such messages are phishing attempts from hackers. | cwkoss wrote: | I've always wondered how many fake national security letters have | been sent to companies, and what the success rate on them is. | | Can't LEO get things in front of judges in hours? Is bypassing | courts ever actually necessary? | Ekaros wrote: | Why not make a federal service for this? Give access to all | relevant authorities to file such requests there and then make it | possible to cross-reference it? Leaks of access can be tracked | more easily. | psychlops wrote: | All this high speed life or death information and yet the | clearance rate of solved homicides in the US has dropped from 70% | in the 1980s to 50% today. | hackerfromthefu wrote: | I expect this is true, and shows the ridiculous scope creep of | government snooping and stalking on individual privacy for what | it largely is, power grabs by individuals in government drunk | on the power of control. | | That said, do you have a source? | psychlops wrote: | I had read it previously elsewhere, then recently re-read it | here: | | https://www.themarshallproject.org/2022/01/12/as-murders- | spi... | | I imagine the picture is a lot more complex than the charts | make it out to be. For example, I'd be curious about rate | trendlines of false imprisonment.
| rahimnathwani wrote: | "KT said fake EDRs don't have to come from police departments | based in the United States, and that some people in the community | of those sending fake EDRs are hacking into police department | emails by first compromising the agency's website. From there, | they can drop a backdoor "shell" on the server to secure | permanent access, and then create new email accounts within the | hacked organization." | | This sounds extremely unlikely. | | Maybe in 1999 someone would have hosted their mail server on the | same server as their web site. But today? | jahewson wrote: | I wouldn't put it past them. But hacking an admin portal would | probably suffice. | CrazyMusicians wrote: | From: https://twitter.com/briankrebs/status/1508819347963363329 | | Some backstory that's not in the piece. I originally started | reporting this about six months ago, when an anonymous tip | suggested people were creating fake police department .org | domains and sending requests from there. Spent ridiculous amt | of time chasing that to no end. | | As part of that research I looked at all new police dept | domains in the last year. Found so many I was sure were fake. | They were all real. Some were half-done. Some completely wide | open, security-wise. It was depressing to learn after that | there are > 18k police depts nationwide. | ellen364 wrote: | 18k police departments is mind blowing. I looked it up | because I wasn't sure it was plausible, but a Department of | Justice publication confirmed [0]. Meanwhile the UK has 48 | police forces [1]. | | 330,000,000 / 18,000 = 18,500 Americans per police force | | 67,000,000 / 48 = 1,396,000 Brits per police force | | Not sure what to make of that. | | [0] https://bjs.ojp.gov/content/pub/pdf/nsleed.pdf [1] | https://www.police.uk/pu/contact-the-police/uk-police- | forces... | cwkoss wrote: | The average police officer doesn't even know the law very well. 
| I'd be shocked if the average police dept had someone | technically competent enough to speak to network security | concerns: that's not their job. | rahimnathwani wrote: | Right, but setting up a web site and email server on the same | host (even poorly, in a just-about-works state) requires | _more_ expertise to set up than getting a web site and email | set up on GoDaddy or whatever. | detaro wrote: | > _But today?_ | | Today they use the same crappy hosting company as in 1999, that | does the same thing it's always done, just only slightly newer | hardware. Especially on a municipal level, there still is not | much of a standard when it comes to such things. | rahimnathwani wrote: | Hmm... it seems trivial to do a lookup of the A records for @ | and www, and see if there's any overlap with the MX records. | | If so, then it was likely set up a long time ago and not | maintained well. | buildbot wrote: | This seems like one of those ill-advised crimes that carries a | huge federal penalty if caught, right? Pretending to be a police | officer feels like something that typically gets smacked down | pretty aggressively if not officially sanctioned. | bhk wrote: | > "One of the problems you have is there's no validated master | list of people who are authorized to make that demand" | | It sounds like there isn't even a well-defined _policy_ for who | is authorized. | photochemsyn wrote: | I wonder if an 'Emergency Data Request' to Amazon by a law | enforcement organization has to go through all the hoop jumping | described here: | | https://news.ycombinator.com/item?id=30820424 | | relevant comment: "I had to click through more than 100 links to | download all the data, how can this be acceptable? Especially | coming from Amazon. How hard is it for them to create an archive | with all the data? This is ridiculous, I can't imagine how was | the meeting when they decided to produce purposefully such | garbage UX."
| | This would indicate that Amazon has some kind of internal | interface for these Emergency Data Requests for law enforcement | that just dumps all the data to them immediately without all | those barriers to access. Makes one wonder why that's not also | available to Amazon users? | | Also, are these Emergency Data Requests ever subjected to post- | mortem court review of any kind? Is anyone in law enforcement | ever subjected to discipline for bogus requests? | CaptainNegative wrote: | Just a guess, but perhaps Amazon responds to EDRs only with | potentially meaningful data rather than how many minutes into | your third viewing of The Simpsons S16E4 you paused the video | last, how often you've clicked on but never carried through | with that Roomba purchase on woot.com, or the full history of | Amazon App Store promotions you took part in back in 2015 to | get free coins added to your wallet that you've completely | forgotten about. | upofadown wrote: | >"The only way to clean it up would be to have the FBI act as the | sole identity provider for all state and local law enforcement," | Weaver said. "But even that won't necessarily work because how | does the FBI vet in real time that some request is really from | some podunk police department?" | | There are already preexisting systems for solving this sort of | problem. For example the FBI could set up a PGP based certificate | authority[1] for email. Then the FBI signs the identities of the | podunk police departments ahead of time. All the service | providers would need would be the FBI identity (PGP public key) | which they would sign once to authorize it and then they would be | able to verify emails coming from any of the podunk police | departments with no extra work on their part. This example comes | with a revocation system that actually would work in this case. | | All secret key material would remain under the control of the | specific FBI department acting as the certificate authority. 
No | third party involvement would be required. | | [1] https://sequoia-pgp.org/blog/2021/05/12/202105-hello- | openpgp... | Avamander wrote: | If they're already building a central identity provider then | something built upon Web/EU standards would work much much | better. Tried and tested for decades, ASiC-E (or S/MIME if you | really really want) works great. | heavyset_go wrote: | A simple web application on the FBI's end that takes requests | from verified parties and then forwards them to companies would | be enough. No need for PGP or anything like that. | | Real subpoenas would also work. | nightpool wrote: | How does this solve the issue? If a local police department | laptop gets pwnd, or a local police officer's credentials get | compromised through a reuse attack/stuffing (as seems to have | happened here), what oversight mechanisms would prevent their | email from getting PGP signed? In this case, these emails were | probably DKIM and SPF verified already, which (as I understand | your proposed system) seems entirely equivalent. | | There's no "magic bullet" in security, you can't just | "authenticate" individual emails "with no extra work" and hope | that that solves things without addressing the gaping security | holes that allowed those emails to be sent from official | servers in the first place. | woah wrote: | Dongle | upofadown wrote: | Normally the secret key stuff is protected by a passphrase | for a PGP verified email. So the entity owning the laptop | would have to wait for the department to make a request first | (rare) to keylog the passphrase and would only get to make | one bogus request before revocation of the identity. | | DKIM and SPF only prove that an email passed through a | particular email server. The whole point of doing the | verification end to end is that the stuff in between does not | have to be secure. 
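Stepping back to rahimnathwani's earlier suggestion of resolving the A records for @ and www and checking for overlap with the MX hosts: here is that check as an added example in Go, written by the editor and not taken from the article or the thread. The zone data is constructed (RFC 5737 documentation addresses, made-up ".example" domains) so the code runs offline; against a live domain the same logic would be fed the answers from dig +short A, dig +short CNAME and dig +short MX. The null-MX and no-MX flags go a little beyond the comment: a domain that publishes a null MX (RFC 7505) accepts no mail at all, which matters when deciding whether a request from that domain can even be answered.

```go
package main

import (
	"fmt"
	"sort"
)

// Zone is an in-memory stand-in for resolver answers so the example runs
// offline. Every record below is constructed for illustration.
type Zone struct {
	A     map[string][]string // name -> IPv4 addresses
	CNAME map[string]string   // name -> canonical name
	MX    map[string][]string // domain -> mail exchange hosts; "." is a null MX
}

// resolveA follows up to 8 CNAMEs and returns the A records of the final name.
func (z Zone) resolveA(name string) []string {
	for i := 0; i < 8; i++ {
		target, ok := z.CNAME[name]
		if !ok {
			return z.A[name]
		}
		name = target
	}
	return nil
}

// Finding is the result of the check: do the web and mail hosts share an
// address? NullMX and NoMX are extra signals about whether the domain can
// receive mail at all.
type Finding struct {
	SharedIPs []string // addresses serving both the website and inbound mail
	NullMX    bool     // MX "0 ." (RFC 7505): the domain accepts no mail
	NoMX      bool     // no MX records published
}

// CheckMailWebOverlap resolves @ and www, resolves every MX host, and reports
// the addresses that appear in both sets.
func CheckMailWebOverlap(z Zone, domain string) Finding {
	web := map[string]bool{}
	for _, name := range []string{domain, "www." + domain} {
		for _, ip := range z.resolveA(name) {
			web[ip] = true
		}
	}
	exchanges := z.MX[domain]
	f := Finding{NoMX: len(exchanges) == 0}
	shared := map[string]bool{}
	for _, host := range exchanges {
		if host == "." {
			f.NullMX = true
			continue
		}
		for _, ip := range z.resolveA(host) {
			if web[ip] {
				shared[ip] = true
			}
		}
	}
	for ip := range shared {
		f.SharedIPs = append(f.SharedIPs, ip)
	}
	sort.Strings(f.SharedIPs)
	return f
}

// SampleZone holds three constructed domains covering the cases argued about
// in the thread: web and mail on one box, mail outsourced, and no mail at all.
var SampleZone = Zone{
	A: map[string][]string{
		"podunkpd.example":           {"203.0.113.10"},
		"mail.podunkpd.example":      {"203.0.113.10"}, // same host as the website
		"county-sheriff.example":     {"198.51.100.7"},
		"www.county-sheriff.example": {"198.51.100.7"},
		"mx.hostedmail.example":      {"192.0.2.25"}, // third-party mail provider
		"nomail.example":             {"192.0.2.80"},
	},
	CNAME: map[string]string{"www.podunkpd.example": "podunkpd.example"},
	MX: map[string][]string{
		"podunkpd.example":       {"mail.podunkpd.example"},
		"county-sheriff.example": {"mx.hostedmail.example"},
		"nomail.example":         {"."},
	},
}

func main() {
	for _, d := range []string{"podunkpd.example", "county-sheriff.example", "nomail.example"} {
		f := CheckMailWebOverlap(SampleZone, d)
		switch {
		case len(f.SharedIPs) > 0:
			fmt.Printf("%s: web and mail share %v; likely one long-lived host\n", d, f.SharedIPs)
		case f.NullMX:
			fmt.Printf("%s: null MX, the domain accepts no mail\n", d)
		case f.NoMX:
			fmt.Printf("%s: no MX records\n", d)
		default:
			fmt.Printf("%s: mail is hosted separately from the website\n", d)
		}
	}
}
```

An overlap is a hint, not proof: it says the web server and the mail server are the same address, which is the single-box setup the thread is worried about, but says nothing about how well that box is patched or whether a webshell on it really reaches the mailbox.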
| nightpool wrote: | Yes, if you're assuming that police departments can keep a | rarely-used passphrase secure and not written down in | online documentation anywhere, while also being accessible | in emergencies, then that system might work. (But then you | also have to remember to rotate the passphrase when anybody | in the entire department leaves or gets fired). | upofadown wrote: | Access to the passphrase would not by itself provide | access to anything. The malicious person leaving would | also have to take along a copy of the encrypted private | key. | | In practice you would just register 2 or more keys left | in the care of 2 or more people. Each person would be | individually responsible, as it should be. When someone | left you would revoke the key. You would not have to go | super hard on this, most of the requests would be routine | and not time sensitive. In an emergency you do the best | you can with what you have available. | mef wrote: | wouldn't this just shift the trust from the police email | address to the police email PGP signer? wouldn't hackers then | just target that part of the infrastructure? | Avamander wrote: | That would be significantly harder, especially with hardware | key storage. | willcipriano wrote: | The alternative is due process, where a judge issues a court | order and the police have to wait a few hours for that to | happen. | 300bps wrote: | Probably take 5 minutes to find an example order online from | most judges in the country. Make a fake document to look just | like it saying whatever you want. Send it in - how do they | authenticate it? | willcipriano wrote: | Same way they validate them now. Call up the court and ask. | The clerk will be happy to help you. If you can fake a | district court into existence we've got bigger problems. 
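An added example of the certification chain upofadown sketches above (root signer, pre-certified department keys, provider holding only the root's public key, revocation). This is editor-written Go using the standard library's Ed25519, not code from the article, from upofadown or from anyone else in the thread; the JSON credential layout, field names and serial numbers are assumptions made for the example, and OpenPGP certifications would carry the same facts. The department name and request text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is what the root certifies: this department holds this key until
// this date. Field names and the JSON encoding are assumptions for the example.
type Credential struct {
	Department string    `json:"department"`
	PublicKey  []byte    `json:"public_key"`
	NotAfter   time.Time `json:"not_after"`
	Serial     string    `json:"serial"` // what the revocation list names
}

// SignedCredential adds the root's signature over the credential's encoding.
type SignedCredential struct {
	Credential
	RootSig []byte
}

// SignedRequest: the credential, the request text, and the department's signature over it.
type SignedRequest struct {
	Cred      SignedCredential
	Body, Sig []byte
}

var (
	ErrUntrustedCredential = errors.New("credential not certified by the root")
	ErrExpired             = errors.New("credential expired")
	ErrRevoked             = errors.New("credential revoked")
	ErrBadSignature        = errors.New("request body signature invalid")
)

// Root is the certificate authority; its private key never leaves it. A
// provider receives Root.Pub once, plus the revocation list as it changes.
type Root struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Revoked map[string]bool
}

func NewRoot() (*Root, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Root{priv: priv, Pub: pub, Revoked: map[string]bool{}}, err
}

// toBeSigned is a stable encoding: struct fields marshal in declaration order.
func toBeSigned(c Credential) []byte { b, _ := json.Marshal(c); return b }

// Issue is the one-time, out-of-band vetting of a department's key.
func (r *Root) Issue(dept, serial string, pub ed25519.PublicKey, notAfter time.Time) SignedCredential {
	c := Credential{Department: dept, PublicKey: pub, NotAfter: notAfter.UTC(), Serial: serial}
	return SignedCredential{Credential: c, RootSig: ed25519.Sign(r.priv, toBeSigned(c))}
}

// Revoke is the response to a key reported stolen or misused.
func (r *Root) Revoke(serial string) { r.Revoked[serial] = true }

// SignRequest runs on the department side with the department's own private key.
func SignRequest(cred SignedCredential, priv ed25519.PrivateKey, body []byte) SignedRequest {
	return SignedRequest{Cred: cred, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify runs on the provider side and trusts only rootPub and the revocation
// list: not the sending mail server, not DKIM or SPF, not the From header.
func Verify(rootPub ed25519.PublicKey, revoked map[string]bool, req SignedRequest, now time.Time) error {
	c := req.Cred
	if !ed25519.Verify(rootPub, toBeSigned(c.Credential), c.RootSig) {
		return ErrUntrustedCredential
	}
	if now.After(c.NotAfter) {
		return ErrExpired
	}
	if revoked[c.Serial] {
		return ErrRevoked
	}
	// Check the key length first: ed25519.Verify panics on a malformed public key.
	if len(c.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(c.PublicKey), req.Body, req.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	root, _ := NewRoot()
	deptPub, deptPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2022, 3, 29, 14, 0, 0, 0, time.UTC)
	cred := root.Issue("Podunk PD", "pd-0001", deptPub, now.AddDate(1, 0, 0))
	req := SignRequest(cred, deptPriv, []byte("EDR text (constructed)"))
	fmt.Println("genuine:", Verify(root.Pub, root.Revoked, req, now))
	// An attacker holding the department's mail server but not its signing key
	// can only present a credential certified by a root the provider never trusted.
	fakeRoot, _ := NewRoot()
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignRequest(fakeRoot.Issue("Podunk PD", "pd-0001", atkPub, now.AddDate(1, 0, 0)), atkPriv, req.Body)
	fmt.Println("self-certified forgery:", Verify(root.Pub, root.Revoked, forged, now))
	root.Revoke("pd-0001") // the department later reports its key stolen
	fmt.Println("after revocation:", Verify(root.Pub, root.Revoked, req, now))
}
```

This shows what the chain buys and what it does not. A provider keeps one public key and a revocation list, and a compromised police mail server or a spoofed From address gains the attacker nothing, which is the gap DKIM and SPF leave. It does not help with nightpool's case: a department key that is itself stolen signs valid requests until the serial is revoked, so the key's custody (a passphrase, a hardware token as Avamander suggests, or several keys held by named individuals) is where the remaining risk sits.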
| KennyBlanken wrote: | Slim to no chance that a US telecom actually bothers to | call up the court and verify an order with the clerk | except for orders that are unusual (say: overly broad in | scope, or targeting a recognizable name such as a | politician or celebrity). My guess is that at best they | look at the fax caller ID and/or email headers and that's | that. | | Their position is likely "it looked like it came from a | cop, not our problem if the cop is forging court orders." | mmazing wrote: | So punish them for not verifying? | | We're already very familiar with the concept that | ignorance of the law isn't a valid reason for violating | the law. What's wrong with that in this scenario? | heavyset_go wrote: | Then make it their problem with regulators or | legislation. KYC is law of the land when dealing with | private individuals, same logic should apply to verifying | court orders or law enforcement requests. | elzbardico wrote: | Well that's just one of lesser things that happens for a paranoid | society that trades freedom and privacy for what the oppression | apparatus calls security. | | You don't have security, just a police-state, and to add insult | to injury besides having less freedom now you also have less | security too. | | And yes, let's pretend that only China, Iran and Russia are | police states, let's keep singing star spangled banner while we | happily slip through this slope towards the gulags. | renewiltord wrote: | Spotify records all the songs I listen to. Last week 10 songs. | This week 100. Next week 200. The week after? PRISON IN A | FROZEN WASTE! I suffer endlessly from the data they have | collected. Cold bits are thrown upon me every morning; I've | lost my toes to frostbyte due to data in cold storage; I have | made friends, nay fellow sufferers, in the bitcoin mines, as we | hash out issues together. | | If only I could have seen this last week. L'horreur! L'horreur! 
| BolexNOLA wrote: | >let's keep singing star spangled banner while we happily slip | through this slope towards the gulags | | You had a point until "gulags." You honestly think we're on the | verge of becoming a Stalinist state that imprisons and murders | political dissidents by the millions? | | Maybe that's a _tad_ alarmist? | pyronik19 wrote: | There are influential media personalities calling for the | jailing of people who aren't toeing the line on the war drum | beat on Ukraine/Russia... that any narrative deviation is | treasonous and thus a jailable offense. Yeah, so what if our | gulags have rainbow flags and black fists murals. | mrtranscendence wrote: | > There are influential media personalities calling for the | jailing of people who aren't toeing the line on the war drum | beat on Ukraine/Russia | | Source on these influential media personalities? I assume | they're not fringe in any way, since you called them | "influential". | DiabloD3 wrote: | America elected Trump and then Congress knowingly rejected | evidence that he colluded with Putin to defraud voters and | steal the election. He then occupied that office for four | years, while additional evidence continued to mount against | the increasing obviousness of Russian interference. | | Not only did a sitting President betray people and kill | millions with anti-masker/anti-vaccine rhetoric, he did so to | aid a foreign country that is known for murdering political | dissidents, and did so during WW2, during the Cold War, and | the post-Soviet era that exists today; but also our Congress, | most of those still occupying those seats today, aided and | abetted him. What Trump and his Congress did is terrorism | without being formally charged with it, and is hardly any | different than the pre-Stalin era of Soviet Russia and the | pre-Kristallnacht era of the Nazi occupation of Germany. | | So, please, I'd like you to tell me why you think people | _shouldn't_ be seriously alarmed?
You sound like all the | deniers in the history books: "Oh, the Nazis wouldn't kill | Jews and political dissidents", "Oh, Stalin wouldn't (also) | kill Jews and political dissidents", "Oh, Chairman Mao | wouldn't just starve tens of millions to gratify his own | ego". People keep saying this, it keeps not being true. | | History is a goddamned broken record. | encryptluks2 wrote: | I'd encourage you to consider that Democrats and | Republicans work in parallel as much as they'd like you to | think otherwise to coerce Americans into subscribing to a | two-party system. It will continue as long as people | believe that if they don't subscribe to it that Democracy | will fail and the only thing preventing it from happening | is to vote for one of the two-party candidates that fits | their propaganda news network approved message. | | Also, it is funny how when it comes to politics Republicans | have moved so far right that now center-right is considered | the left party. | DiabloD3 wrote: | Don't get me wrong, I agree with this. | | Many Democrats _also_ decided to join the Putin-backed | coup attempt, and also voted to not impeach during one or | both trials. Many Democrats _also_ tried to claim Hunter | Biden, while working for a natural gas company in | Ukraine, somehow was up to _something_ and using his dad | 's appointment as VP for _something_. | | Funny how Biden became President, and now Russia is | invading Ukraine to maintain their stranglehold on | Europe's energy supply, and all the pro-Russian bot | accounts on Twitter and Facebook that were repeating the | "Hunter's Laptop" and "But Her Emails" stories to divide | and conquer, suddenly vanished. | | I am a socialist, and what both parties do is disgusting, | and, honestly, anti-American. 
Our government has been | rapidly degrading my entire lifetime, and the only | reasonable action is to ring the alarm bell and hope | other people wake up and start fighting the fascism that | is threatening to destroy our nation. | BolexNOLA wrote: | >Funny how Biden became President, and now Russia is | invading Ukraine to maintain their stranglehold on | Europe's energy supply, and all the pro-Russian bot | accounts on Twitter and Facebook that were repeating the | "Hunter's Laptop" and "But Her Emails" stories to divide | and conquer, suddenly vanished. | | It's not "funny." It makes complete sense. Services for | .ru accounts are being suspended around the world. | djmips wrote: | Just letting you know that 'funny' in this sense is | sarcasm and they are fully aware of what you just stated. | BolexNOLA wrote: | I understood how they used funny, but we drew different | conclusions. They're alluding to a conspiracy. | pstuart wrote: | The funny thing about Hunter Biden is that it _was_ | genteel corruption, in that he brought nothing to his | role but a family connection. But the attention about it | was also corrupt -- there was no interest in "how do we | have less of this", but only about smearing a rival. | jacquesm wrote: | The sad thing is that after the Trumps any lesser level | of nepotism is going to be acceptable. | pstuart wrote: | There's many sad things. Partisanship is destroying this | country; we should be united in being against corruption | even if it's _one of our own_ , so to speak. | BolexNOLA wrote: | Democrats hold their own accountable for more than | Republicans, even if it isn't enough (it isn't). The GOP | couldn't even kick Roy Moore to the curb. | jgod wrote: | The right has moved further right, and the left has moved | further left. | | Moreover, the left has moved further left than the right | has moved right. https://jabberwocking.com/if-you-hate- | the-culture-wars-blame... 
| AnimalMuppet wrote: | You say "Democrats and Republicans work in parallel". And | then you say "Republicans have moved so far right". Which | is it? | | Also, _some_ Republicans have moved far right. Some | Democrats have moved pretty far left, too. I will admit | that more Republicans moved than Democrats. But both | parties have sections near the center, and both have | extreme parts. And both are having trouble maintaining | unity in the face of that tension. | [deleted] | BolexNOLA wrote: | The GOP has been sidelining or primarying out the few | they still have near the center tbh. | merely-unlikely wrote: | Total US death count from Covid is up to 975k according to | the CDC[1]. | | [1] https://covid.cdc.gov/covid-data-tracker/#datatracker- | home | tiahura wrote: | _Congress knowingly rejected evidence that he colluded with | Putin to defraud voters and steal the election._ | | You shouldn't let your personal animosity towards Trump | lead to believing misinformation. | | _Mueller finds no collusion with Russia, leaves | obstruction question open_ | | https://www.americanbar.org/news/abanews/aba-news- | archives/2... | | You should take this opportunity to consider what other | things you know to be true about Trump may also be | misinformation. | | _The Washington Post corrects, removes parts of two | stories regarding the Steele dossier_ | | https://www.washingtonpost.com/lifestyle/style/media- | washing... | DiabloD3 wrote: | > You shouldn't let your personal animosity towards Trump | lead to believing misinformation. | | I don't have to. I witnessed several Republican | congressmembers go out of their way to announce that no | matter what evidence presented is, they had already | decided to ignore it and vote against the removal of | Trump from office. 
| | Now, I can't tell you why they decided to announce their | criminal enterprise shortly before enacting it, but a | quick Google tells me their names are Cindy Hyde-Smith, | Roger Wicker, Thom Tillis, Rob Portman, James Inhofe, | Mike Rounds, and Jerry Moran. | | > Mueller finds no collusion with Russia, leaves | obstruction question open | | https://en.wikipedia.org/wiki/Mueller_report is a well- | cited article. | | "On March 27, 2019, Mueller reportedly wrote to Barr in a | letter, as stated in the New York Times "expressing his | and his team's concerns that the attorney general had | inadequately portrayed their conclusions".[226] This was | first reported on April 30, 2019. Mueller thought that | the Barr letter "did not fully capture the context, | nature, and substance" of the findings of the special | counsel investigation that he led.[227] "There is now | public confusion about critical aspects of the results of | our investigation". Mueller also requested Barr release | the Mueller report's introductions and executive | summaries.[228][229]" | | What you linked to covers Barr's misleading summary of | the Mueller report. | | > The Washington Post corrects, removes parts of two | stories regarding the Steele dossier | | Again, Wikipedia has a well-cited article on the subject: | https://en.wikipedia.org/wiki/Steele_dossier | BolexNOLA wrote: | It is well-known that _nowhere_ in the Mueller report | does he exonerate the president. He leaves it to Congress | to determine how to move forward. He explicitly wrote | that his investigation did not find him innocent. | treeman79 wrote: | It's also looking like some of the Bidens are going to | jail for what they were accusing Trump of. | | The entire Trump Russia gate was to divert attention from | what Hillary / Biden were doing. | | Oh a laptop was found with solid evidence showing | collusion between the Bidens and various countries.
Well | naturally the same response is to censor anyone that | wants to talk about it and to impeach Trump. | | https://legalinsurrection.com/2022/03/mainstream-media- | outle... | encryptluks2 wrote: | Oh please, no one is going to jail. This idea that | someone is going to jail is just a boogeyman to create | votes come election time. | pstuart wrote: | I see your downvotes, brother, and feel your pain. | | The tribalism of politics is fierce, and even a forum with | as much collective intelligence as HN is not immune from | that force. | | We should be able to discuss _policy_ and _actions_ on | their own merits without it being taken as a personal | affront. I wish I could find the magical incantation that | would allow that dialog to manifest. | stuckinhell wrote: | I don't think so, America has a massive amount of political | unrest. Both parties seem to adore violence on their | political enemies these days, and most Americans think civil | war is on the way. | pstuart wrote: | > Both parties seem to adore violence on their political | enemies these days | | Let's stop with the "both sides are the same" bit, m'kay? | Plenty to criticize on the left but please stick to facts. | BolexNOLA wrote: | >most Americans think civil war is on the way | | Source? | | Personally, if we survived the '60s/'70s, I think we can | survive this. They literally murdered college students in | front of the world. | | I'm also not sure how any of this translates into Stalin- | era gulags. People throw that term around too lightly, like | "nazi." If you've actually studied any Russian/Soviet | history you should know how insane those were, even for an | era with rampant fascism. | hackerfromthefu wrote: | Absolutely correct. | | It seems in vogue to use words without understanding the | actual meanings. Most people haven't read history and | speak, loudly, of that which they don't know.
| thechao wrote: | Right; I think _at worst_ we're managing to rewind | ourselves to the '90s, at this point. I think a lot of | people don't remember how much social change there was | starting in the early '00s through the early '10s. I'm | not pleased with the retrogression; I think Project Red | Map has really uncovered a large scale hack/flaw in the | US electorate that needs to be fixed _quickly_ , but the | political situation is certainly nothing like the | '60s/'70s. | | My parents were activists in the 60s, and my grandparents | were activists in the 20s & 30s. My parents mostly feared | being beaten, with a background fear of being shot at. My | grandparents feared being _disappeared_ along with | retribution to their extended family, friends, and | _neighborhoods_. | BolexNOLA wrote: | Re: your grandparents, I really don't think people | appreciate how easy it was to cross the government with | your speech - especially in wartime - prior to late 20th | century. | ashtonkem wrote: | It is worth pointing out that the American penal system is | already distressingly close to the scope of the gulag system | in Stalinist Russia. The gulag system hit a high of 1.5m | prisoners in the 1940s out of a population of 168m (pre war), | or about 0.89%. America's prison population peaked in 2009 at | an estimated 0.754%. If you include parole that shoots up to | 3.1%, but I'm not sure how to compare that to the gulag | system | | Wildly different death tolls though. Our best estimate is | that the gulag system had an 8.88% death rate, with that | varying wildly on a year by year basis. Meanwhile the US | prison system as of 2018 kills 344 per 100,000, or .344%. But | unfortunately those numbers are getting worse, not better. I | think the difference here is less about our system being more | humane, and more the fact that food and antibiotics are | cheap. Heck, just look at how the prison system responded to | covid.
| | I honestly think we're a lot closer to a gulag system than | people think. We've already built the majority of the | machinery to actually implement such a system, and | politically making the system harsher and less humane is very | popular. There is also a bipartisan consensus that what we | need is to fund the system even more. All that we're missing | is the jump to directly imprisoning political opponents, and | we've already seen some calls for that although it isn't | quite mainstream yet. | BolexNOLA wrote: | >It is worth pointing out that the American penal system is | already distressingly close to the scope of the gulag | system in Stalinist Russia | | What do you know about the gulag system? Serious question, | not baiting or anything. What are the broad strokes of what | you understand to be "The Gulags"? Because like you, I am | VERY concerned with the US penal system, but to compare the | two is... a stretch for me. | [deleted] | elzbardico wrote: | This is what we call a hyperbole. | BolexNOLA wrote: | Pretty over-the-top example if you ask me | maxbond wrote: | This is sort of a dodge, isn't it? The question wasn't, | what rhetorical device are you employing? It's, do you | truly believe the situation is as extreme as you imply? If | the answer is "no", then there's an implied invitation to | lay out what you actually believe. If the answer is "yes", | there's an implied request to justify why you think that | way. | | Saying 'this is what we call hyperbole' seems to imply, 'my | ideas stand so well on their own, I don't need to respond | to your criticism; the problem is not with my ideas or how | I've expressed them, it is with your inability to recognize | a particular rhetorical device.' Which is both patronizing | and wrong. Your use of hyperbole was recognized and is | being interrogated.
| | You're under no obligation to respond to that challenge, no | one here has a right to your time, but if you're going to, | it would be more productive for everyone if you did so in | good faith. | nahkoots wrote: | Don't forget that we very nearly had a successful coup, which | would have spelled the end of American democracy. Are we on | the verge of becoming a Stalinist state? No, not really. | Could it happen? Absolutely, and we need to recognize that | possibility to avoid becoming the next one. | AnimalMuppet wrote: | An attempt to overturn the results of the election? Yes. A | coup? Not really; doesn't fit the definition, though it was | far closer than I thought I would ever see. "Very nearly | successful"? No. | coliveira wrote: | A failed coup, since "overturn the results of the | election" is pretty much what we may call a coup. | AnimalMuppet wrote: | Hmm. I went to dictionary.com, looked up coup d'etat, and | it said: | | > a sudden and decisive action in politics, especially | one resulting in a change of government illegally or by | force. | | So, I stand corrected. It _does_ meet the definition of | "attempted coup". | coliveira wrote: | Yes, many people are under the impression that a coup is | only the result of military or generalized revolt. In | fact most modern coups are staged as a political | mechanism to avoid the results of the democratic norm. | ipaddr wrote: | Please forget whatever idea you came up with. America was | never under a coup attempt. Hard to even attempt to call it | a coup without weapons. Don't worry America is safe from | farmers rallying at the white house. | whateveracct wrote: | Maybe they're referring to the attempts to invalidate the | 2020 election? No weapons, but what is a better word for | a coordinated attempt to undermine the government? | hackerfromthefu wrote: | How about 'attempt to undermine the government'? That is | much more accurate than coup. 
| | Words have meanings, and using words inaccurately/with the | wrong meanings is saying one thing but meaning another, | and the word for that is lying. | verve_rat wrote: | Just because it wasn't a very good or well organised coup | attempt doesn't mean it wasn't a coup attempt. | dragonwriter wrote: | > How about 'attempt to undermine the government'? That | is much more accurate than coup. | | No, attempted coup (specifically, attempted self-coup) is | much more accurate. | | > Words have meanings | | Yes, they do. And the precise political science terms for | the coordinated attempts by the 45th President and his | allies to extend his powers beyond their lawful duration | by extralegal means is "self-coup" or "auto-coup" (in the | original French, "autogolpe"), which is a form of coup | carried out by or on behalf of the existing leader. | | > and using the words inaccurate/the wrong meanings is | saying one thing but meaning another, and the word for | that is lying. | | Yes, that is exactly what you are doing when you | explicitly refuse to use the correct term in an attempt to | minimize the act. | jetpks wrote: | This is the same verbal gymnastics confederate | sympathizers use when trying to say that the civil war | was about "states rights." All you have to do is follow | the logic to its conclusion. | | What was the civil war about? States rights. What rights, | specifically? The right of states to allow their citizens | to practice slavery. Therefore, the civil war was about | slavery. | | What was jan 6 about? It was about an attempt to | undermine the government. An attempt to undermine what, | specifically? The election process. Why did they seek to | undermine the election process? So that the mob could | extra-judicially install a leader of their preference. | Another word for this is coup d'etat. | hackerfromthefu wrote: | I can see where you're coming from.
| | AFAIK, in common use the word coup involves the military | taking control of the government. | ashtonkem wrote: | You're using a much more narrow definition of what a coup | d'etat means. | | > The sudden overthrow of a government by a usually small | group of persons in or previously in positions of | authority. | | Or to use Wikipedia's definition | | > A coup d'etat (French for "blow of state"), often | shortened to coup in English (also known as an | overthrow), is a seizure and removal of a government and | its powers. Typically, it is an illegal seizure of power | by a political faction, rebel group, military, or a | dictator. Many scholars consider a coup successful when | the usurpers seize and hold power for at least seven | days. | | Yes, the military can be involved in a coup, but the | essential definition does not require their involvement. | Different terms might be applied if the military is | involved, and based on whether or not the military is the | primary driver (as in Myanmar) or is backing one side. | dragonwriter wrote: | > AFAIK, in common use the word coup involves the | military taking control of the government. | | That is one common _kind_ of coup, but distinguished from | the broader category. That's why the phrase "military | coup" exists to distinguish the kind of coup where the | military (or some part of it) is the main actor in | seizing control outside of normal bounds. | StanislavPetrov wrote: | >What was jan 6 about? | | Jan 6th was about a small number of ignorant people who | bought into a bunch of lies. A protest that got out of | control. One that was far, far less violent, with far | fewer casualties than dozens of protests that happened | around the country the prior year. All mobs are bad, all | riots are bad. Unfortunately different partisans have | been trying to blow up the implications of one riot while | downplaying all the others.
| krapp wrote: | People involved have already been charged with seditious | conspiracy. Sympathizers were found among the Capitol | Police, members of the government openly supported a | coup. Supreme Court Justice Clarence Thomas may either be | impeached or have to resign over his wife's pro- | insurrectionist texts to Trump's chief of staff. There | were plans. There were conspiracies. We have the | receipts. | | And stuff is still coming out about Trump. A mysterious | seven hour gap in the White House communications logs. A | Federal judge ruling that it's "more likely than not" | that Trump "corruptly attempted to obstruct Congress" | attempting to overturn the election results. He called it | a "coup in search of a legal theory." Yes, that's not | "beyond a reasonable doubt," but it's also not nothing. | | You're right that it was far less violent, and had far | fewer casualties, but it wasn't just a riot, nor were | there just a small number of ignorant people involved. To | think that at this point, or to dismiss all concerns as | partisan hyperbole, is kind of ridiculous. | BolexNOLA wrote: | > All mobs are bad, all riots are bad. | | Yet the GOP is sidelining and smearing the few among them | who actually want to hold the insurrectionists | accountable. | mojzu wrote: | The 'without weapons' implies it wasn't violent, which | seems a stretch to me when a police officer was beaten to | death and plenty of others were injured | edm0nd wrote: | >when a police officer was beaten to death | | Not a single LEO was beaten to death on Jan 6th. You are | literally spreading misinformation and fake news lol. SCP | Officer Brian Sicknick died after having two strokes aka | natural causes. | mpalczewski wrote: | First I'm hearing of this, do you have a source about the | officer being beaten to death? | webstrand wrote: | They're probably referring to this: | https://www.nytimes.com/2021/01/08/us/brian-sicknick- | police-...
| mpalczewski wrote: | oh looks like fake news, even the ny times article says. | | "New information has emerged regarding the death of the | Capitol Police officer Brian Sicknick that questions the | initial cause of his death provided by officials close to | the Capitol Police." | | Wikipedia says | | "The cause of Sicknick's death was first thought to be | from injuries, but months later the medical examiner | reported there were none." | | "The District of Columbia chief medical examiner found | that Sicknick had died from stroke, classifying his death | as natural" | | The original commenter said some officer was beaten to | death. Maybe another officer, or were they just mistaken? | StanislavPetrov wrote: | >The 'without weapons' implies it wasn't violent | | There is no such implication at all. "Without weapons" | means "without weapons". The vast majority of people at | that riot were gun owners, and none of them were armed or | fired a shot. I can assure you, people who own guns and | are committed to violently overthrowing the government | bring those guns and shoot them. For evidence see any of | the numerous coups that occur in countries around the | world. | BolexNOLA wrote: | That's a lot of talk about guns considering - which you | pointed out - there weren't guns (that we know of) used | by the insurrectionists. | | Do you acknowledge it was violent? | coliveira wrote: | From your words, it seems that history rewriting is in | full swing right now. | BolexNOLA wrote: | >America was never under a coup attempt | | Oh come now. "Hang Mike Pence." "Stop the steal." The | former president calling election officials telling them | to "find the votes." I don't care what your politics are, | what we saw this last election was like nothing we've | ever seen before in this country. It was a failed attempt | to overturn a democratic election on the basis of a lie. | mywittyname wrote: | We'll get our own flavor of gulags. 
The USA already has a | pretty nasty and oppressive prison system. We have pro-authoritarian politicians in office, in the police forces, | and now throughout the court system. So it doesn't seem | alarmist to me. | | I'm pretty sure the police could get away with murdering | political rivals right now. But a few key court decisions are | all we need to formalize that capability for the next 100 or | so years. | consumer451 wrote: | > "I wanted to tell everyone that there is a cancer within | the government and when I tried to weed it out, I got | fired," Gilmore wrote. "It was just easier for government | management to get rid of me rather than to deal with the | underlying issue." | | https://www.military.com/daily-news/2022/03/13/classified- | us... | treeman79 wrote: | There are tons of reports of officers being disciplined, | punished or jailed for using a gun when the other person | was violently resisting arrest. | | Police across the country are letting criminals run rampant | due to fear of prosecution for doing their job. | BolexNOLA wrote: | >Police across the country are letting criminals run | rampant due to fear of prosecution for doing their job. | | Police are "letting criminals run rampant" because they | throw tantrums the moment money or accountability is | discussed. Just watch how they behave the moment a city | even _whispers_ "pension" despite the fact that police | pensions are crushing city budgets across the nation. | | https://www.bridgemi.com/michigan-government/pension- | costs-b... | | https://www.reuters.com/article/us-usa-pensions- | policeandfir... | | https://www.latimes.com/projects/la-me-pension-squeeze/ | Zpalmtree wrote: | > Police are "letting criminals run rampant" because they | throw tantrums the moment money or accountability is | discussed. Just watch how they behave the moment a city | even whispers "pension" despite the fact that police | pensions are crushing city budgets across the nation. | | What?
I see no-one throwing 'tantrums' in the articles | you linked. I see some people trying to keep the pensions | they have earned. Do you expect ordinary Americans to | jump to take a pension cut after working all their lives? | | And this in the hope that magically that money will go to | the right places and reduce crime? | BolexNOLA wrote: | Where that money goes is not what's up for debate. | | We have conservatives non-stop calling for "reduced | spending" and "tightening the belt" who are all too happy | to cut everything they feel "their people" don't need, | but the big ticket items - military, pensions, etc. - are | arbitrarily sacrosanct. Well, it's not actually | arbitrary. It's because they want to hurt "the right | people." | | Reduced spending will never be fair to the people on the | receiving end. | frankfrankfrank wrote: | Yet again I find myself in between rather detached | perspectives. I agree with you regarding the trajectory | because it is clear as day by all objective measures where | this is all heading, yet I am left befuddled by your | parroting of tropes about the "pretty nasty and oppressive | prison system" that the very people are pushing who are | leading us to the state where an equivalent of gulags will | be created. | | The American prisons are not full of thought criminals just | because you are being denied all the footage and proof of | the violent crimes the people in US prisons commit, | constantly. I realize that most people live in a negative | bubble, where they have no idea what is happening because | the truth has been withheld from them, but that does not | change the reality most people are at least unwittingly | ignorant of. | | But yes, the gulag system actually already exists in | America, and the political prisoners in the USA right now | already know that. 
Assange is also in that gulag system and | can probably be considered the first, Prisoner #1 of the | American Empire's Gulag Equivalent System, even though it | is on foreign soil. | [deleted] | dalbasal wrote: | There's more than one road to hell. | | All or nothing nihilism, that makes no major distinction | between the US & China, Russia and Iran is also a road to | totalitarian hell. It's a favoured rhetoric style of Putin and | many reactionary extremists. | dang wrote: | " _Eschew flamebait. Avoid unrelated controversies and generic | tangents._ " | | https://news.ycombinator.com/newsguidelines.html | cycomanic wrote: | I have to admit I find this whole situation (and also Krebs' | article) bizarre. The problem seems to be that tech companies | approve EDRs without much checking. Then the argument somehow | becomes it is essentially impossible for them to check because | there could be any of the thousands of police departments in the | world requesting the EDR? Why should MS in the US somehow respond | to a request from police department in Cuxhafen in Germany? | | I think the argument being made here is one of those "we can't | make a perfect solution so no solution works", which is nonsense. | Simply don't answer requests from police departments you can't | verify. I bet you if a police department would request some | business sensitive information they would not hand it over | without going over the subpoena with a fine-toothed comb. The | issue is just that they don't value their customers' privacy high | enough to do a proper check. | AJ007 wrote: | This isn't even an EDR specific issue -- if someone makes an | extraordinary request you should verify it, and if you don't | you are probably falling for scams constantly.
| jonas21 wrote: | > _The issue is just that they don't value their customers' | privacy high enough to do a proper check._ | | I think the real issue is that the backlash from politicians | and the public for failing to respond to a legitimate emergency | will be orders of magnitude larger than the backlash for | disclosing some customer information. | mmazing wrote: | Usually when the solution is "just remember to do X", you've | found a bad solution. | | Re-approach the problem from a different perspective - | companies don't value their customers' privacy enough. What | solution can we put in place to force them to care about their | customers' privacy? Can we force them? | | You have to start there for a worthwhile solution. | 1vuio0pswjnm7 wrote: | "I think the argument being made here is one of those "we can't | make a perfect solution so no solution works", which is | nonsense." | | I have seen this type of "argument" countless times reading HN. | I always wondered if I was the only one who noticed. Thank you | for calling it out. It is indeed nonsense. | | IMO, if "tech" companies cannot exercise due care, then they | are at fault. There is no exception based on some idea that | "our company must be large and serve millions of people to | succeed so we should not be held to the same standard as a | smaller company." If "scale" and nonexistent or grossly reduced | customer service come at a cost (e.g., fraud), then "tech" | companies should have to pay that cost, not anyone else. | | "The current situation with fraudulent EDRs illustrates the | dangers of relying solely on email to process legal requests | for highly sensitive subscriber data." | | IMHO, the amount of important stuff today that rests on the | presumed integrity of an email address is astounding | chockchocschoir wrote: | > Why should MS in the US somehow respond to a request from | police department in Cuxhafen in Germany?
| | If a non-US company does business in the US, most people would | expect the business to also answer to US law enforcement. You | can't just operate in a business and not follow the law of that | country. Same applies the other way around, you do business as | a US company in Germany, you better follow German law. Hence | companies tend to have HQ in one country, and then subsidiaries | in other countries, who know how the local market and laws | work. | verve_rat wrote: | That's the point though. MS US headquarters is not responding | to these requests. MS {local country} branch is responding. | And I'm sure the people that work in country X know how to | contact country X's police. | | This is really a non issue being blown up into some | unsolvable conundrum by people in this conversation that want | to find problems in using a phone book. | harry8 wrote: | How about: | | "This clearly isn't working. We have evidence of it not | working." So needs to be shut down immediately because nobody | agreed to this level of failure. | | From there the next argument becomes "This cannot work." I.e. | there can be no adequate solution. But hey, if you disagree | with that part and you've got a solution that you think /can/ | work let's get it out there and analyse it and see if it's worth | the risk. | | Note that data in Cuxhafen (??) Germany won't be partitioned | from your home town and stored in a different and differently | secured database. So the weakest link in the weakest country is | the one relevant to your data security. | | Please note I'm not agreeing with Krebs's argument here. I | haven't got all the information to process it, nor have I had | time, nor is this my area of expertise, nor do I have to have a | firm opinion on everything. | | I'm just spelling out Krebs's argument because I really don't | care for your summary of it. | | If you have a solution you think can work, let's hear it.
| riskable wrote: | The statements about this being "unfixable" are utter nonsense. | If someone claims to be from a particular law enforcement agency | it is _trivial_ to just call up said police department and ask to | speak to that person. If no one answers or the person can't be | reached you don't approve the request. | | The only thing that's "unfixable" about this is that it's not | something you can automate. You need an actual human being to | perform the verification step(s). | xhkkffbf wrote: | Yes, the call back mechanism is a pretty good one but it has | limitations too. It requires the switchboard operator at the | police station to be trustable. Indeed, that human needs to | actually pick up the phone. In many cases, the 911 line is the | only one that's routinely answered. | skybrian wrote: | If it's really an emergency then calling the 911 line seems | justified? | throwawayboise wrote: | How do you call 911 in another city? AFAIK, 911 calls always | go to the local dispatch center. | AnimalMuppet wrote: | Area code, then 911. And often, the 911 dispatcher asks | "What city?" as the very first thing they say. | bell-cot wrote: | I'm thinking that the number of "Gun to victim's head; we | need secrets from $Corporation_Name _now_!!! " situations | which a typical small police dept. would actually experience, | even over a decade, is ~ZERO. And the chance that a small | police dept. would have the skill set, familiarity with the | procedure, etc., so that they _could_ correctly request the | right data, from the right part of the right corporation, is | about the same. | | SO - move the power to make such requests up to (say) State | Police departments, or even somewhere in the DHS. Those guys | have (or should have) sufficient resources to secure their | e-mail, staff call-back phone lines 24/7, etc. And in the | other direction, they should be far better able to vet | alleged local police officers who contact them with emergency | requests.
| lostcolony wrote: | Require police stations to register their callback number for | EDRs. Require a response before releasing information. | | You still have the issue of vetting each police station, but | you can do that once before the EDR comes in. Then when the | EDR comes in, you call that number, confirm the details. | | It can still be hacked, but not nearly as easily as a random | officer's email account. | aqme28 wrote: | Trivial for someone who is suspicious and cares, sure. But that | is not _prevention_ by any stretch. People still get phished | via email every single day. I wish I could rely on something | more robust than just the services I use being extra careful. | verve_rat wrote: | Sure, but the point is the process at the company receiving | the request for data should change. They should verify the | requesting entity. | | Then if the people processing these requests don't follow | that process, then that is a different problem. But as it | stands now, those people can follow the process to the letter | and we still get the wrong outcome. | giantg2 wrote: | In theory you could automate it, but that would require a | different architecture. | | It's honestly pretty stupid that email is being used for this | instead of having a secure portal which could include things | like RSA hard tokens, or even just passwords with 2FA would be | a step up. Nothing is foolproof, but this sort of stuff is | common with other sensitive information like finance. | ryukafalz wrote: | Honestly, email would do the job too, if it was signed email. | | I'm pretty sure the largest deployed PKI system is the US | federal government's - it really feels like we should be able | to deploy something for law enforcement agencies. (And in | fact that's what the legislation mentioned at the end of the | article appears to do.) | giantg2 wrote: | Does that actually fix the issue if they've compromised the | security of the email server using real or generated | accounts?
| ryukafalz wrote: | The email server typically does not contain key material. | If you've ever interacted with the military or related | contractors you may recognize this card: | https://www.cac.mil/common-access-card/ | | That's a smart card, containing a certificate that can be | used to sign email, be used as a client cert for web | access, etc. | | Now, it has _moved_ the problem to some extent, in that | now you have to secure the CA that's issuing these certs. | giantg2 wrote: | I'm a little familiar with CAC cards from years ago. I | don't believe they were using them to sign emails at that | time. That's different than the signing process I was | familiar with. That would work. | nonameiguess wrote: | The DoD root CAs are pretty damn secure. They're offline | in physical vaults on military installations. | Compromising one of those is a far cry more difficult | than some town of 400's local PD e-mail server. | | Granted, you only need to compromise a RAPIDS office to | issue yourself a CAC, but that is still offline and on | military installations (though often much less secure | reserve/guard installations). | giantg2 wrote: | Wouldn't the cert need to be specific to the individual | for proper identification? So getting one for yourself | might not provide the sufficient privilege. | chipsa wrote: | The cert would verify that a specific individual signed | the email, with someone having previously verified | issuing the credential to the right person (this sort of | thing is usually issued as a smart card ID, so it's used | for several things, and it's unlikely people lose it | without reporting it lost and getting it revoked). | giantg2 wrote: | They specifically mentioned issuing themself one, not | stealing one. | chipsa wrote: | Yeah, issuing themself one through RAPIDS. You need to | authenticate against RAPIDS to issue one.
So you're | looking at stealing a credential, and hoping you can get | it done before it's noticed it's gone and revoked, and | hoping that they don't go ahead and look at logins | between when it was last seen and when it was revoked in | order to see if there's any weirdness, at which point | your credential gets revoked. | | If they did something similar for law enforcement, it | would probably have the same sort of restrictions: you | need to authenticate to get a credential, but to | authenticate you need a credential. So you need to steal | one to issue yourself one. | logifail wrote: | > In theory you could automate it [..] | | Sorry for the somewhat off-message thought, but perhaps this | kind of thing is actually more secure if you _don't_ attempt | to automate it? | | Maybe the person receiving the request should actually go and | look up the phone number of the police department or court | who allegedly issued it/approved it, and then call _that | number_ (note: not the number mentioned on the request | itself). | | Surely if that was the SOP, this kind of stuff would just | stop? | giantg2 wrote: | Where are they looking it up? Is that source secure? If | it's just on a website, that could be easily corrupted. | | There's a huge number of systems across the US. I am | assuming that a centralized system would provide better | security overall compared to the many small and often | neglected local systems. This would also standardize the | process, reducing the possibility of some locales practicing | insecure processes. | logifail wrote: | > If it's just on a website, that could be easily | corrupted. | | Back in the day we had things called "telephone | directories" (I'm showing my age somewhat) | | Is it beyond the wit of man to have the CIA/FBI/NSA/$TLA | publish a "list of places to phone" when you receive an | Emergency Data Request? | | If the source isn't on the list, you can ignore it.
If it | is on the list, phone the number _on the list_ to verify | it? | | This really isn't rocket science. At least not for those | of us who grew up in an age where you could step into a | phone box and open up a printed directory and look up | someone's phone number... | giantg2 wrote: | That is a possibility. It would likely need to be | digital, not printed, to avoid stale data. The identity | verification will still be less than what you could do | with something like certificates or RSA tokens since there's | nothing guaranteeing the person on the other end is who | they say they are (numbers change, area could be | unsecured/unmanned, call redirected, etc). | logifail wrote: | > It would likely need to be digital, not printed, to | avoid stale data | | Q: Would one expect police departments to be the kind of | places which would change their main telephone number | regularly? | | Consumers change providers often. Institutions? Maybe not | so much. (As an aside, I've just checked, and my old | university's phone number is exactly the same as it was | 30-odd years ago when I enrolled). | | To be frank, I'd prefer a printed version for something | like this. Harder to hack a directory that's hard copy | and whose entries really ought not to be changing very | often. If ever. | giantg2 wrote: | "Harder to hack a directory that's hard copy and whose | entries really ought not to be changing very often." | | Phreaks often dumpster dove for this info. | | How does it not change often? There are constantly new | departments starting, departments/precincts merging, and | departments shutting down. | logifail wrote: | > Phreaks often dumpster dove for this info | | For the telephone number of their local police | department? Is it supposed to be secret? My point is that | it should be public! | | > How does it not change often?
There are constantly new departments starting, departments/precincts merging, and departments shutting down
|
| There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids.
|
| For $deity's sake, some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones. If someone is missing and needs to be found quickly, all they need to do is _pick up the phone and reach out to "higher authority"_ (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes.
|
| This isn't a technical problem, folks :(
| giantg2 wrote:
| "Is it supposed to be secret? My point is that it should be public!"
|
| If I have a list of _all_ the agency numbers, then I can look for organizations that disbanded and use those numbers. Since they could still exist in the book (because it wasn't updated instantly), the other party could think you're legitimate.
|
| "There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids."
|
| How so? For the first year of existence they can't issue anything because they have to wait for the next book to be published. That sounds dumb. There's no reason they shouldn't be able to issue anything they have the lawful authority to. Have any support/logic for your claim that they have no reason?
|
| "some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones.
If someone is missing and needs to be found quickly, all they need to do is pick up the phone and reach out to "higher authority" (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes."
|
| Um... so how does this higher level authority authenticate this lower level authority if they aren't in the book we are using for authentication? In some cases, jurisdiction can get in the way of the scenario you just described. And again, how long are you going to prevent a department from doing what they are lawfully allowed to do?
|
| "This isn't a technical problem, folks"
|
| Ok, then how do you solve the authentication issues in my previous comment? So far your system hasn't addressed them.
| verve_rat wrote:
| Yeah, I'm baffled by the idea that the internet is the only possible way to convey information about phone numbers.
|
| It's not even that we are old enough to have experienced looking up a number in a phone book and some people here are too young to have that experience. The obvious solution to this seemingly unsolvable problem is to print some numbers on a piece of paper and post it to each company you want to get data from in the future.
| giantg2 wrote:
| So are they issuing a new book every time a department/precinct is created, merged, disbanded, or the number is otherwise changed? This still doesn't solve the issue of authentication of the issuing party since the phone location could be unsecured, or the call rerouted.
| rosndo wrote:
| This is a solution that can only be implemented by the legislative branch of the federal government. (Very unlikely to happen)
|
| The problem is indeed unsolvable by the recipients.
| bleuchase wrote:
| > The statements about this being "unfixable" are utter nonsense.
|
| It's not unfixable. It's broken by design.
| sharken wrote:
| Already the part where an EDR can override any safeguards is broken.
|
| If it's that important, then you need to design a safer system and pay the cost of doing so.
|
| Anything else is leaving the front door wide open for hackers.
| hitpointdrew wrote:
| Yup, came here to say this. Look up the number (don't trust any number provided in the email, actually go look it up) and pick up the phone.
|
| Very effective and simple solution.
| IncRnd wrote:
| The real fix is to require a warrant without these loopholes. Judges can be available on a moment's notice for these sorts of issues.
| Miner49er wrote:
| Are we sure it's not trivial to fake a warrant?
| stingraycharles wrote:
| All of which makes me wonder, and this being HN, wouldn't it make so much sense if law enforcement agencies started signing these kinds of requests with verifiable public keys?
|
| It seems like such a trivial problem from a technology point of view, it makes me believe it's mostly an organizational problem.
| ozfive wrote:
| Let's add Blockchain to this so warrants are verifiable on a private Blockchain.
| istjohn wrote:
| At the very bottom of the article:
|
| 8<--------------------------------------------
|
| The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.
|
| "Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes," the lawmakers said in a statement introducing their bill.
|
| The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.
|
| 8<--------------------------------------------
| stingraycharles wrote:
| I should have done a better job at reading the article, thanks for this.
| verve_rat wrote:
| From the end of the article:
|
| The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.
| mcbutterbunz wrote:
| I agree that it does seem like a trivial problem that is mostly organizational. There are nearly 18,000 police departments in the US. Standardizing anything across a subset of these and getting approval from the judicial system just seems like a nightmare.
|
| This seems like one of those issues that is solved only when someone is murdered and a law is written after their name.
| qbasic_forever wrote:
| Faking a warrant is a felony, perhaps even a federal one that would get the FBI involved I assume. You'd have to forge an official court document, forge a signature of a judge, etc. That has _serious_ consequences and prison time vs.
faking a "data request" that might be entirely digital with no physical document or signatures, etc.
|
| Not saying it can't happen or won't happen, but a criminal has to be seriously determined and ready to risk a long prison sentence to fake a warrant.
| netizen-936824 wrote:
| Ah yes, the good old "just make crime illegal"
|
| Do people honestly think that's a deterrent for people already committing felonies?
| [deleted]
| supercheetah wrote:
| Most criminals aren't thinking about any of that at all. Either they're so goal focused, any possible punishments don't even cross their mind, or they think they're clever enough to not have to worry about it.
| verve_rat wrote:
| From the end of the article:
|
| "Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes," the lawmakers said in a statement introducing their bill.
|
| The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.
|
| So yes, people are faking court documents.
| macksd wrote:
| I feel like I've been seeing a lot of comments lately to the effect of, "no - that would be illegal!" Yeah, we are talking about criminals who are already breaking one law. Often criminals who, in the very nature of their crime, are hard to identify.
|
| But then, even if they're not overtly breaking the law with a simple request for information, debt collectors and car warranty salesmen are notorious for sending letters that will imply they are your financial institution, the letter was sent by your account manager, etc. IRS impersonators will tell people that jail time is imminent.
I can imagine someone could create something that looks to a non-lawyer (who's afraid and not paying attention) like it's basically a warrant signed by someone who's basically a judge, but just doesn't outright say that. You'd still need to verify - hey is this person actually a judge, and did this person actually sign that as a warrant?
| qbasic_forever wrote:
| Yes, which is why you just set the bar at responding to any request for any data with "Sorry we do not respond to requests for data that aren't court ordered warrants. Please come back with a warrant we can verify."
|
| The problem here is that companies have a policy of trusting some government email address for little one-off, no warrant needed requests. Don't have that policy.
| rosndo wrote:
| > Please come back with a warrant we can verify
|
| The problem is that it might not be easy to verify a real warrant, but that's not grounds for noncompliance.
| macksd wrote:
| >> Please come back with a warrant we can verify
|
| Ok. Now how do I verify one, assuming the information in this article is accurate?
| qbasic_forever wrote:
| You check the court records. These are easy to find with a digital records search, or you call the court clerk. The phone number is listed on the warrant. This is not hard, but it's not an automated process by design.
| wmf wrote:
| Yeah, it's the same issue. You'd have to call the court back to verify the warrant.
| lazyier wrote:
| If it's important enough to issue a warrant then it's important enough to have a court official and issuing police/judge on call to confirm its validity.
|
| Being able to read back a code to validate the contact is all that is needed. It doesn't even have to be complicated.
|
| If they can't be bothered to answer the phone then it's not important.
| chipsa wrote:
| How do you give them a call? Info given on the warrant? Which is fake? And so they fake the call back info?
| otterley wrote:
| The court's own website usually has contact information that can be independently verified. This isn't that difficult a problem to solve.
| sodality2 wrote:
| Do courts all have domains under a government subdomain?
| willcipriano wrote:
| All the courts that would issue these types of warrants will be easy to find. This isn't the sort of thing you do over a traffic ticket or shoplifting. It's not the court you go to when your neighbor owes you fifty bucks. These are murder and kidnapping cases. The people processing these warrants today are likely already on a first name basis with the clerks of these courts.
|
| Think about it, how do you validate any court order? Why is this only a problem now? I think it's because they want to side step the judicial oversight process. Keep that intact, as the constitution requires, and this issue disappears.
| chipsa wrote:
| Local-ish courthouse for me only has contact info for regular business hours. So if not in business hours, then what? There's ~3200 counties (or equivalent) in the US. There's no way to be on a first name basis with the clerks of each county courthouse, let alone if you have a big county with multiple different types of courts.
|
| As for how you validate court orders now? You largely don't. That's why it's possible to use fake court orders to take down true but unpleasant information: https://www.cnet.com/news/privacy/forged-court-papers-are-be...
| otterley wrote:
| Is being unable to independently verify a request for information or a warrant a real problem, or are you just making up problems that may not actually exist?
|
| Let's stick to reality, folks.
|
| If you have ever received a demand from a court that you couldn't verify the authenticity of, I'd like to hear from you.
| willcipriano wrote:
| Your local courthouse may not even do jury trials. It doesn't do the sort of cases that require 3AM emergency warrants.
If it's that important it can go in front of a district or federal judge, otherwise it can wait for business hours.
|
| Local police departments don't need the ability to engage a global surveillance apparatus at the drop of a hat. Stuff like that can be run up the chain first.
| rosndo wrote:
| > It doesn't do the sort of cases that require 3AM emergency warrants
|
| You will be in trouble if you ignore a real warrant on this basis.
|
| Your lawyers will probably tell you that it's better to just take the risk of possibly complying with a fake warrant.
| willcipriano wrote:
| Who would you even give the data to if they are closed? Fax it over to the courthouse if you are concerned, or tell them it's at your location ready for pickup. If they are legit that won't be a problem.
| otterley wrote:
| The data is collected by the LEO, not the court. But yes, you can fax it to the law enforcement office, whose number should also be independently verifiable.
| kenniskrag wrote:
| Do not forget that it is world wide. The gov has next to a signature a feature called apostille.
| [deleted]
| salawat wrote:
| They do not! And you'll be surprised how tricky it is to find local/state courts as someone with non-regular contact with the legal system.
|
| Even more fun would be the process of jurisdictional verification. All of which I'm sure the "Officers" would be more than happy to leave you be with your electronics and whatnot long enough to verify, right?
|
| The longer I'm alive, the more insane our system seems to me on a daily basis. Not sure if it's just cognitive decline or rapidly amplified cynicism as I dig into the signalling nightmare that is the interface between the executive and the judiciary system.
| otterley wrote:
| > And you'll be surprised how tricky it is to find local/state courts as someone with non-regular contact with the legal system.
|
| Name one court that signs warrants to service providers that can't be verified by spending 5 minutes doing some basic research, or that has a LEO office serving such warrants that also can't be verified.
| IncRnd wrote:
| People were able to do this for years prior to Google's existence. I'm sure a social media company can determine how to find a court without Google.
| grepfru_it wrote:
| Every court has a phone number, you can look up the court independently and call the main line to get routed to the appropriate party
| verve_rat wrote:
| Use a phone book?
| AviationAtom wrote:
| I think the article kind of hit on a good system:
|
| - FBI is CA?
|
| -- Issues hardware PKI to local departments
|
| --- Only PKI-signed EDRs are processed without manual phone verification
| wmf wrote:
| Then local cops with poor security get hacked...
| Polycryptus wrote:
| This could work for domestic requests, but the one example of this I've seen in the wild (and this was mentioned in the original post) involved a request (supposedly) coming from police internationally. Though, requests from foreign police are more likely to be handled with scrutiny, so maybe forcing more manual verification (and identification of the proper process in the first place) isn't a bad thing.
| mrmanner wrote:
| It could also be "fixed" by deciding that the risks associated with government not getting data that could help stop an ongoing crime are less severe than the risks associated with these data leaks.
| sbarre wrote:
| Who makes that decision?
| lazyier wrote:
| Us. By not using shitty systems to host our data as well as actively combatting laws and regulations that require backdoors or cross-platform compatibility.
|
| I don't want my conversations to be "cross-platform compatible" with Facebook. Thank you very much.
| mrmanner wrote:
| The lawmaker or the voters, depending on how you look at things.
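The "FBI is CA, departments get credentials, only signed EDRs skip the phone call" outline above, together with the earlier point that a stolen credential must be revoked before it is abused, as an added Go example that is not code from this thread or from the Krebs article. The root authority, department names, serials, the fixed clock and the NUL-joined signing format are all constructed stand-ins for a real certificate format.

```go
package main

// Added example (not from the thread or the Krebs article): a toy model of the
// "root authority issues credentials to departments; only signed EDRs skip the
// phone call" proposal, with revocation for the stolen-credential case. All
// names, struct layouts and sample data are constructed for illustration.
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)
// DeptCredential binds a department identifier to a signing key for a limited
// period and is signed by the root authority; it stands in for a certificate.
type DeptCredential struct {
	Serial   uint64
	DeptID   string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
	RootSig  []byte
}
// EDR is an emergency data request signed with the department's own key.
type EDR struct {
	DeptID   string
	Subject  string // account the request is about (constructed value)
	IssuedAt time.Time
	DeptSig  []byte
}
// Sentinel errors record why a request fell back to manual verification.
var (
	ErrCredSig   = errors.New("credential not signed by the root authority")
	ErrExpired   = errors.New("credential expired")
	ErrRevoked   = errors.New("credential revoked")
	ErrDeptMatch = errors.New("request department does not match credential")
	ErrEDRSig    = errors.New("request signature invalid")
)
// To-be-signed encodings: NUL-separated and type-tagged, so a credential cannot be replayed as a request.
func credTBS(c DeptCredential) []byte {
	return []byte(strings.Join([]string{"cred", fmt.Sprint(c.Serial), c.DeptID,
		fmt.Sprintf("%x", []byte(c.PubKey)), c.NotAfter.UTC().Format(time.RFC3339)}, "\x00"))
}
func edrTBS(r EDR) []byte {
	return []byte(strings.Join([]string{"edr", r.DeptID, r.Subject,
		r.IssuedAt.UTC().Format(time.RFC3339)}, "\x00"))
}
// IssueCredential is the root authority's onboarding step for a department.
func IssueCredential(rootPriv ed25519.PrivateKey, serial uint64, dept string, pub ed25519.PublicKey, notAfter time.Time) DeptCredential {
	c := DeptCredential{Serial: serial, DeptID: dept, PubKey: pub, NotAfter: notAfter}
	c.RootSig = ed25519.Sign(rootPriv, credTBS(c))
	return c
}

// SignEDR is what a department does with its (ideally hardware-held) key.
func SignEDR(deptPriv ed25519.PrivateKey, dept, subject string, at time.Time) EDR {
	r := EDR{DeptID: dept, Subject: subject, IssuedAt: at}
	r.DeptSig = ed25519.Sign(deptPriv, edrTBS(r))
	return r
}

// VerifyEDR is the recipient-side check; any error means "pick up the phone".
func VerifyEDR(rootPub ed25519.PublicKey, cred DeptCredential, r EDR, revoked map[uint64]bool, now time.Time) error {
	switch {
	case !ed25519.Verify(rootPub, credTBS(cred), cred.RootSig):
		return ErrCredSig
	case now.After(cred.NotAfter):
		return ErrExpired
	case revoked[cred.Serial]:
		return ErrRevoked
	case r.DeptID != cred.DeptID:
		return ErrDeptMatch
	case !ed25519.Verify(cred.PubKey, edrTBS(r), r.DeptSig):
		return ErrEDRSig
	}
	return nil
}

// Scenario runs constructed cases and returns each verification result.
func Scenario() map[string]error {
	now := time.Date(2022, 3, 29, 14, 0, 0, 0, time.UTC) // constructed clock
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	deptPub, deptPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := IssueCredential(rootPriv, 1, "Example County PD", deptPub, now.Add(365*24*time.Hour))
	subject := "user-123"
	res := map[string]error{}
	// Legitimate request under a valid credential.
	res["legit"] = VerifyEDR(rootPub, cred, SignEDR(deptPriv, cred.DeptID, subject, now), nil, now)
	// Claims the department's identity but is signed with a key the root never endorsed.
	res["wrong_key"] = VerifyEDR(rootPub, cred, SignEDR(attackerPriv, cred.DeptID, subject, now), nil, now)
	// Self-issued credential for a made-up department (the "fake small town PD" case).
	fake := IssueCredential(attackerPriv, 99, "Fake Town PD", attackerPub, now.Add(time.Hour))
	res["self_issued"] = VerifyEDR(rootPub, fake, SignEDR(attackerPriv, fake.DeptID, subject, now), nil, now)
	// Stolen credential that has since been revoked, and a credential past its validity.
	res["revoked"] = VerifyEDR(rootPub, cred, SignEDR(deptPriv, cred.DeptID, subject, now), map[uint64]bool{1: true}, now)
	res["expired"] = VerifyEDR(rootPub, cred, SignEDR(deptPriv, cred.DeptID, subject, now), nil, now.Add(400*24*time.Hour))
	return res
}
```

Only the "legit" case returns nil; every forged, self-issued, revoked or expired request comes back with a named reason, which is what a recipient would log before falling back to the phone call the thread describes.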
| verve_rat wrote:
| And also the companies in question. They are responding to non warrant requests. As I understand it there is no legal obligation to do anything on their part.
|
| It is a public perception thing. The companies (probably rightly) think the public will react badly to headlines about "Little kidnapped girl could have been saved by Google, but they didn't care" more so than the current article we are discussing.
| diamondo25 wrote:
| Require PGP signed requests, and you should have more guarantee?
| jandrese wrote:
| How do you verify the PGP key for a random LEO? The web of trust is a total failure for general use verification, it only solves the special ultra-paranoid use case.
|
| Key distribution has always been the weak point of PGP.
| EricE wrote:
| DHS already has a portal LEOs use to collaborate - would be pretty easy to set up something at the federal level - if there was the will.
| est31 wrote:
| Government institutions are some of the best places where centralized certificate handling/signing infrastructures shine.
| jandrese wrote:
| And yet it's basically impossible to get a government organization to sign emails except internally using MS Exchange's encrypted email support.
| ryukafalz wrote:
| You would use something like WKD and not the web of trust. https://wiki.gnupg.org/WKD
| g_p wrote:
| The problem would be establishing a web of trust of which PGP keys are valid, who still is "law enforcement", and whether they're on gardening leave or have retired etc.
|
| There's too many (US) law enforcement bodies to make a centralised system work, as you'd need to get a certificate authority managing every individual officer's status for every one of these (small and large) agencies, and handle onboarding and offboarding.
|
| In other countries there are more formal structures for these requests through verifiable channels, with standard operating procedures in place.
|
| The question is whether the companies are adopting a lowest common denominator model (a false but assumed valid US request can request any user's data) or not, as that might start to make it a more global concern, and get it on European data protection regulators' radars.
| technofiend wrote:
| There is already a FedPKI and it's already the Department of Justice's job to track law enforcement, is it not?
| SkittyDog wrote:
| No, I don't believe it's the DoJ's job to track law enforcement. There is some Federal-level recordkeeping of crime statistics... training... intelligence sharing.
|
| Could you explain what you mean, or give some examples?
| tehwebguy wrote:
| This would be a good step.
|
| Others have brought up problems with this but another one is that companies get _paid_ by police agencies to provide these data in response to records requests, so they are incentivized to not rate-limit these responses.
| verve_rat wrote:
| How much are they paid? It seems unlikely that they get enough income to cover a department dedicated to this processing, let alone make significant money out of it.
| rosndo wrote:
| Haha.
|
| It's also trivial to create a fake police department in some small town, set up a google maps entry etc...
|
| What then? What about when you operate internationally and have to accept requests from 100+ jurisdictions?
| Apocryphon wrote:
| Ah, the fake blade runner station in _Do Androids Dream of Electric Sheep?_
| jelly wrote:
| It's not trivial. But regardless, you're saying the hacker should submit data to Google and also answer a telephone call, both of which increase the risk of getting caught later. The aim should be to stop or mitigate the misuse of EDRs, not to cure the underlying problem of social engineering.
| coospep wrote:
| The people discussed in this article are absolutely capable and willing to pick up phone calls.
| djmips wrote:
| Well maybe not 14 year old British kids.
Not until they come up with better real-time voice synthesis.
| comrh wrote:
| Get the police department phone number from the town's government and not google maps.
| rosndo wrote:
| And how do you identify the real government for some small town? There are many that don't even have websites.
|
| Contact the state government to ask? There's a good chance nobody will be able to provide the answers you seek on short notice.
| BolexNOLA wrote:
| If you're in a community that's so small it has _no_ online presence for their government, then chances are you already know who to call anyway.
| rosndo wrote:
| I'm really confused as to how this relates to what is being discussed here.
| BolexNOLA wrote:
| >And how do you identify the real government for some small town? There are many that don't even have websites.
|
| This was the question I responded to. I'm not sure how else to explain it?
| coospep wrote:
| We are talking about fake law enforcement requests sent to big internet companies. Do you think these bigcos have presence in McMullen, AL?
| voxic11 wrote:
| So google gets one of these requests and supposedly it's from a police force in a small town that has no government website. How do they know who to call to confirm?
| rootusrootus wrote:
| County? State? I would argue that this should be the method anyway. Start from the lowest level of known authentic bureaucracy and then work down from there until you reach a legitimate city government representative. I don't think a website is an ideal method in any case.
| rosndo wrote:
| So your solution is to get rid of speedy emergency requests entirely?
|
| Sounds like you're just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
|
| And then you need to do this internationally. What will you do? Contact the embassy?
Suddenly your authentication process could take months, which is a problem if you're legally required to comply sooner than that.
| BolexNOLA wrote:
| >So your solution is to get rid of speedy emergency requests entirely?
|
| Who said that?
| coospep wrote:
| That's the implication. A lengthy verification process makes speedy processing of requests impossible.
| BolexNOLA wrote:
| A fake subpoena is not a home invasion. It's not like seconds matter.
| coospep wrote:
| Until you get in trouble for not complying with a real one.
|
| Worst case scenario is probably a horrible PR disaster after a child dies because you couldn't process a real request fast enough.
|
| And we're not talking about seconds, but easily days or weeks.
| BolexNOLA wrote:
| You think this is something someone can't figure out in a matter of weeks?
| coospep wrote:
| BolexNOLA wrote:
| >Sorry, but this isn't your first comment demonstrating severe struggles with reading comprehension.
|
| This isn't reddit, you can't talk to people like that here. I'm not engaging this further.
|
| https://news.ycombinator.com/newsguidelines.html
| coospep wrote:
| throwawayboise wrote:
| For some problems, there is no good solution.
| coospep wrote:
| That's my point. The OP "riskable" claimed the opposite though.
| novok wrote:
| Nope, but for cities to be prepared for such emergencies beforehand by completing some basics of bureaucracy by being properly authenticated, much like you expect a city fire department to have some fire trucks purchased already instead of expecting to purchase one in seconds when they need one from the dealership 1000 miles away.
| coospep wrote:
| Yeah, of course the federal government could legislate this problem away. Not gonna happen though.
|
| It is literally impossible for request recipients to solve this problem.
| rootusrootus wrote:
| > It is literally impossible for request recipients to solve this problem.
|
| This I agree with.
I'm trying to find the actual text of the law, I'm surprised the government isn't pretty specific about what constitutes a valid EDR, who can send them, etc. Bureaucrats love to write rules.
| novok wrote:
| From the article, I couldn't see what actually compelled the need to comply with an "EDR". From what I could see, they were not actual warrants or subpoenas that legally compelled performance, they were requests. They do it out of not wanting to have bad PR in case it was real, because the consequences for a screw up are pretty much nil.
|
| The end solution is either an authentication scheme, a $1000 rush processing fee that includes a verification process and the requirement to call it in (It is an emergency, isn't it? Emergencies do not happen often, so what is $1000 to an American organization funded by taxpayer dollars?) or E2E encryption that makes it so they can't give data.
|
| Another thing about the $1000 fee is you get to see the payment information about the account it comes from, and you can further require it comes from a government account which matches the requesting organization. Thanks to governments being very gung ho about their financial surveillance infrastructure being a hard requirement for almost everything now.
| rootusrootus wrote:
| > So your solution is to get rid of speedy emergency requests entirely?
|
| No?
|
| Anecdotally, from what we are reading today, a typical EDR response time is on the order of an hour. So while someone on my team is gathering the requested data, someone else is doing the verification.
|
| > Sounds like you're just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
|
| If anything, I'm implying that if the government mandates that EDRs exist, they should have to back it up with someone to handle authentication. A phone number at the state level would do the trick.
|
| > And then you need to do this internationally. What will you do?
|
| First I'd have to be convinced why I should do this in every jurisdiction, why that jurisdiction would have access to customer data from other jurisdictions, etc.
|
| Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
| logifail wrote:
| > if the government mandates that EDRs exist
|
| Q: _Is_ government mandating this? At what level?
|
| ...and if so, why?
| rootusrootus wrote:
| Well, I assumed that the only reason anybody was complying with an EDR was because there was a law mandating they do so. Otherwise, why aren't they just dropping these requests in the trash?
| coospep wrote:
| > So while someone on my team is gathering the requested data, someone else is doing the verification
|
| The whole point is that verification will take much longer than hours.
|
| > Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
|
| The government is very specific when it comes to what is required of you. The government is not very specific when it comes to what is required of the government.
| logifail wrote:
| > The whole point is that verification will take much longer than hours.
|
| How can it take _longer than hours_ to reach the actual police department in $someSmallTown, USA?
|
| $Deity forbid you actually happen to live in $someSmallTown and need the police in a hurry...
| coospep wrote:
| $someSmallTown might not even have a police department, how are you supposed to find out if the only one that comes up on the internet is fake?
| [deleted]
| giantg2 wrote:
| Research the village constables in Alaska.
There are also small towns that have only part time police forces. This sort of stuff really isn't uncommon.
| l33t2328 wrote:
| The secretary of state for that state can provide that information.
| coospep wrote:
| If you give them days, weeks or perhaps months to come up with a response. Sure.
|
| Not going to work internationally anyway.
| verve_rat wrote:
| You are being intentionally argumentative, and not in a devil's advocate, let's explore all the consequences of the topic at hand kind of way.
|
| You are engaging in bad faith, please stop it.
| BolexNOLA wrote:
| His account is just a couple of hours old. I'm guessing he stumbled across HN and just had some axe to grind.
| cortesoft wrote:
| Only in the United States. There are almost two hundred countries in the world. What if the request comes in from Kiribati?
| verve_rat wrote:
| Are the white pages a thing in the States?
|
| I mean I want to call some entity in the US that doesn't have its number on a website, how do I do that now in a non emergency situation? Is there any reason that wouldn't work in an emergency?
|
| This doesn't seem like an actual problem anyone has ever had.
| 3np wrote:
| Somehow there were ways to get this done before websites existed. I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them. If all else fails, government-to-government should still be viable, and then the local government will take it from there.
| astura wrote:
| I'm not sure there was ever much verifying before websites existed. Just less fraud.
|
| Back in the NES days Tengen called the United States Copyright Office and told them they needed the technical details of the NES lockout chip to defend themselves in a copyright lawsuit. The Copyright Office faxed over the requested information. Except it was social engineering, there was no copyright lawsuit.
Tengen used that proprietary information to build their own cartridges without paying the NES licence costs.
| coospep wrote:
| > Somehow there were ways to get this done before websites existed
|
| Ah yeah, because fake subpoenas didn't work before the internet existed?
|
| > I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them.
|
| Who says they ever existed? Back in the pre-internet days the situation was just worse.
|
| Even the federal government can't manage this, just look at misissuances of .gov domain names.
| jltsiren wrote:
| Contacting the state government should be the right choice (but it may not be in practice). In many countries, every public official has the legal duty to direct you to the relevant authority if you contact them with matters outside their duties. That's a sensible requirement, because citizens should not have to be familiar with the internal administrative structures of government agencies.
| logifail wrote:
| > And how do you identify the real government for some small town? There are many that don't even have websites
|
| (Sorry to have to ask) but are there [m]any towns in the USA without telephones?
| rosndo wrote:
| Where do you intend to find the numbers to call?
|
| There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week.
|
| There are towns with essentially no online presence, you could easily create your own fake local government, police and whatever you'd like.
| voxic11 wrote:
| So every major technology company will need to figure out the real contact details of every town government (how do you propose they will do this?)
and then when they | receive one of these "life or death situation, you must | respond immediately" requests they are supposed to call up | the town, get the number for the police department in the | town (hopefully the police department isn't shared between | multiple towns or this could get confusing) and then call | up the police department to confirm that they are the ones | who sent the request? | | I guess I don't see the value the town government contact | details is providing here. If you have some way of figuring | out the real contact details for every town why wouldn't | that same mechanism work for figuring out the real contact | details of every police department? | R0b0t1 wrote: | Yes? Tech companies don't have to do arbitrary things for | whoever calls up. The court or law enforcement official | has to convince you they are real and that they have a | warrant. | coospep wrote: | Try refusing to comply with a real warrant because you | aren't convinced that it's real. You will go to jail. | | Turns out the government actually has no duty to convince | you, locking you up tends to be convincing enough. | R0b0t1 wrote: | They'll lose their case if all they did was call you and | make a demand. Expecting them to show up in person in | some capacity and show you the paperwork is fully | reasonable. For a while they mostly operated with letters | and sometimes registered mail but that can be faked also. | | Look, if you want to preserve your rights you've gotta | stand up for them. | mywittyname wrote: | Someone will sell this information. West Law / Lexis | Nexis already provide a lot of this kind of thing | (contact info for judges and people in various government | agencies). | voxic11 wrote: | I wasn't able to find this information on West Law or | Lexis Nexis, do you know what term they use to describe | this category of information? | mywittyname wrote: | Try Judicial Profile. 
| tiahura wrote: | Accurint | joelkevinjones wrote: | In the United States, does <area code> 555-1212 not work | anymore? It certainly seems to: | https://www.businessinsider.com/555-phone-number-tv- | movies-t... https://www.nationalnanpa.com/number_resource | _info/555_numbe... | jahewson wrote: | Create a fake small town? | idontwantthis wrote: | https://en.wikipedia.org/wiki/Agloe,_New_York | baxtr wrote: | Absolutely. This is "just" another control measure that needs | to be (a) made aware of (b) implemented stringently throughout | organizations. | | Most people don't realize how boring cyber prevention often is. | indymike wrote: | This one is easy. Require a warrant. | exabrial wrote: | Ah stole a move from Politicians and fake emergency powers | rootusrootus wrote: | Trying to find more information about Emergency Data Requests | leads in large part right back to this discussion and the | original Brian Krebs post, with a few hits to various private | organizations that explain what it takes to use an Emergency Data | Request with them. | | I'm having trouble finding any basis for this in law. Can anyone | help clarify that? Are EDRs just 100% voluntary compliance on the | part of some private organizations who are choosing to divulge | customer information without an actual court order? | | If that's the case, why are we lamenting the existence of the | hackers and not publicly shaming the companies complying with | these nonsense EDRs? Real court orders aren't _that_ hard to get, | and at least there 'd be a more blatant crime to prosecute if | anyone forges them. | therein wrote: | This is hilarious. That email with Vinny Troia, and fast-flux... | I received that email at my previous employer. We had a good | laugh about it with our security team at the time. | TeeMassive wrote: | Great, the privacy equivalent of swatting. | darig wrote: | throwbigdata wrote: | If only there were a way to cryptographically verify such things. 
| ibejoeb wrote: | This bill was introduced last summer: | https://www.wyden.senate.gov/imo/media/doc/The%20Digital%20A... | rootusrootus wrote: | Every time I start to feel despondent about the state of the | US Congress, I remember that Wyden exists, and I feel a | twinge of hope. | Avamander wrote: | Let's hope what was proposed comes to fruition while | remaining interoperable with the EU. | | It would be such a "two steps forward, one step back"-move if | it doesn't. | vimax wrote: | Right. There should be agency run certificate authorities for | this. One to issue certificates to law enforcement, and one to | issue certificates to judges | | A valid warrant would include the intended judge and be signed | by the department and the issuing officer before going to the | judge, then signed by that judge's cert to be authorized. | Avamander wrote: | And such an approach would absolutely work, at least one | country has used PKI for such purposes for almost more a | decade. | | This attack vector from the article? Unheard of clownery. | tiahura wrote: | I've been doing a fair amount of subpoenaing phone records | lately. | | It does seem like AT&T, for example, just sends the records | (late) without any sort of verification. | avs733 wrote: | because there is no incentivization not to. | tiahura wrote: | Absolutely. However, if anyone is harmed by a bogus subpoena | request, please give me a call because I need a new car. | bhk wrote: | But Apple says "Any government agency seeking customer content | from Apple must obtain a search warrant issued upon a showing of | probable cause." So what's up? | rnk wrote: | I doubt the public is aware of the very large number of different | electronic requests for their information, and how many can be | faked, from dmca takedowns to these fake emergency data requests | to requests from the feds for your email etc in the name of | 'national security'. 
Somehow we need to get this out there | better, and get more lawmakers aware. It's doubtful in my | lifetime that the addiction of law enforcement to these easy | electronic requests will cease. | | The fact that such requests can't really be authenticated | reliably without a human in the loop (because as Krebs says, you | can just create real email accounts on the police dept email | server) and there are so many of them is terrifying. You could | put our entire society (in the us) into chaos just be pushing | this more and more until our law enforcement is just overwhelmed. | If we were in a war with Russia or China, why wouldn't they do | that? | woah wrote: | > You could put our entire society (in the us) into chaos just | be pushing this more and more until our law enforcement is just | overwhelmed. | | What? If the attack you describe was going on, there would be a | very simple remedy: Stop requiring people to comply with | possibly-false subpoenas. | freeone3000 wrote: | This would require police departments to give up their power | to illegally obtain information. I'm not going to hold my | breath. ___________________________________________________________________ (page generated 2022-03-29 23:00 UTC)
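The two-CA, three-signature warrant chain that vimax sketches above, worked through as an added example (my code, not anything from the thread or from any real PKI): a law-enforcement CA certifies departments and officers, a judicial CA certifies judges, and a recipient accepts a warrant only if the department, the officer and the judge named in the warrant each signed, in that order, with each signature covering everything before it. Certificate and warrant encodings, role names and the Ed25519 toy PKI are all my assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a minimal certificate: Sig is the issuing CA's signature over (Name, Role, Pub).
type Cert struct{ Name, Role string; Pub ed25519.PublicKey; Sig []byte }

func certBytes(c Cert) []byte { return []byte("cert|" + c.Name + "|" + c.Role + "|" + string(c.Pub)) }

// Issue generates a key pair for name/role and certifies it with caKey (nil caKey makes a root).
func Issue(caKey ed25519.PrivateKey, name, role string) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Cert{Name: name, Role: role, Pub: pub}
	if caKey != nil {
		c.Sig = ed25519.Sign(caKey, certBytes(c))
	}
	return c, priv
}

// Warrant names the intended judge up front. Signature i covers the body plus all earlier
// signatures, so signatures cannot be reordered or lifted onto a different warrant.
// Signers holds the signing certs in order: department, officer, judge.
type Warrant struct{ Body, Judge string; Signers []Cert; Sigs [][]byte }

func (w *Warrant) msg() []byte {
	return append([]byte("warrant|"+w.Body+"|judge="+w.Judge+"|"), bytes.Join(w.Sigs, nil)...)
}

// Sign appends a signature by the holder of c over everything signed so far.
func (w *Warrant) Sign(c Cert, key ed25519.PrivateKey) {
	w.Sigs = append(w.Sigs, ed25519.Sign(key, w.msg()))
	w.Signers = append(w.Signers, c)
}

// Verify checks role order, each cert against the right CA, each signature over the chain
// so far, and that the judge who signed at step 3 is the judge the warrant names.
func Verify(w Warrant, leCA, judCA ed25519.PublicKey) error {
	roles, cas := []string{"department", "officer", "judge"}, []ed25519.PublicKey{leCA, leCA, judCA}
	if len(w.Signers) != 3 || len(w.Sigs) != 3 {
		return fmt.Errorf("expected 3 signatures, got %d", len(w.Sigs))
	}
	chk := Warrant{Body: w.Body, Judge: w.Judge}
	for i, c := range w.Signers {
		okCert := c.Role == roles[i] && ed25519.Verify(cas[i], certBytes(c), c.Sig)
		if !okCert || !ed25519.Verify(c.Pub, chk.msg(), w.Sigs[i]) || (i == 2 && c.Name != w.Judge) {
			return fmt.Errorf("step %d (%s) failed verification", i+1, roles[i])
		}
		chk.Sigs = append(chk.Sigs, w.Sigs[i])
	}
	return nil
}
```

A recipient only needs the two CA public keys; a "judge" certified by the law-enforcement CA, a judge other than the one named, a tampered body or a missing signature all fail Verify.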