[HN Gopher] Hackers gaining power of subpoena via fake "emergenc...
___________________________________________________________________
Hackers gaining power of subpoena via fake "emergency data
requests"
Author : todsacerdoti
Score : 396 points
Date : 2022-03-29 14:11 UTC (8 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| tlogan wrote:
| The only way to verify that something is send by certain perosn
| to contact that person over "secure line" and ask them about it.
|
| The "secure line" can be just a phone call to police department
| and ask for officer with badge number xyz.
| sonicggg wrote:
| It sounds like EDRs shouldn't really be a thing. If police needs
| a court-issued warrant to enter my home, why can't they enforce
| the same for data access?
|
| If there's one thing I learned from practice in programming is
| the more "exceptions" you make, the more room there is for bugs
| and security flaws. The same applies for everything. Keep rules
| simple. The more "if this, then that" you add, the more loopholes
| you may find.
| IncRnd wrote:
| In methodology this is similar to an ancient scam, where scammers
| would send fake yellow page/phone book invoices to companies.
| Many companies would just pay the bills.
| judge2020 wrote:
| https://www.npr.org/2019/03/25/706715377/man-pleads-guilty-t...
| ivanhoe wrote:
| Wouldn't it be better if federal government would open a service
| for handling all EDRs nation-wide, and then forward the legit
| ones to the IT companies as needed? It would simplify the
| verification, maybe scare some hackers away because it'd become a
| federal crime to fake it, and also allow for some stats on how
| many such request are really urgent, and how many (I presume a
| lot) are just used to circumvent the law because courts would
| reject them.
| goodluckchuck wrote:
| That might work great if the federal authorities were reliable,
| motivated, and their interests were always aligned with state
| authorities.
|
| However, there are often disputes where the feds do not what to
| prosecute certain groups or individuals, and might interfere
| with state / local authorities. (e.g. police in a Democrat-run
| state prosecuting allies of a Republican president and vise
| versa, or investigations into federal informants who are
| violating state law).
|
| This would also allow make it easier for the feds to perform
| on-path attacks where they "forward" EDRs from state / local
| authorities that were never issued by those state / local
| authorities.
| caymanjim wrote:
| This is, to me, the only real solution. We can't have the onus
| be on individual companies to vet requests coming from random
| podunk police departments nationwide. Companies will err on the
| side of caution/CYA and honor requests they shouldn't, lest
| they find themselves responsible for causing harm by inaction.
| But companies don't have the resources or legal authority to
| make those determinations, nor vet the authenticity of requests
| from every time government entity that might make one. There's
| also plenty of reason not to trust some small town police force
| that might not have adequate internal controls, or might have a
| rogue officer far exceeding his authority.
|
| The feds need to own this and all requests need to flow through
| them. It wouldn't be hard for them to have a small staff
| available 24/7 to confirm requests and forward them on to
| businesses, and then the business only needs to trust a single
| entity. There may still be disputes over the legality, but
| those disputes will need to be defended by the central federal
| authority, rather than putting the burden on every company.
| KennyBlanken wrote:
| > lest they find themselves responsible for causing harm by
| inaction.
|
| In the US, the police aren't responsible (in a criminal or
| civil sense) for harm due to inaction. I don't know why you
| think a national/multi-national corporation would be.
| caymanjim wrote:
| I was referring to companies fearing repercussions from
| inaction and acting without adequately vetting requests
| because they aren't able to and err on the wrong side.
| ivanhoe wrote:
| It's not just a legal action that a company has to think
| about. Getting caught into a case of someone dying or being
| hurt because your company wasn't prompt to assist police
| could be a huge PR screwup, even if there's no legal
| responsibility.
|
| And it doesn't have to even be a decision on a company
| level, ordinary people are strongly inclined to follow the
| police requests and see them as an authority, so employees
| of the company will feel as their duty to provide the data
| promptly. Just look on all those cases of pranksters posing
| as police officers and making ordinary people do insane and
| even clearly illegal things just because they were "ordered
| so by the police". Compared to what that McDonalds manager
| did [1], pulling some personal data from the database and
| emailing it back to the person one believes is a police
| officer is nothing.
|
| [1]
| https://en.wikipedia.org/wiki/Strip_search_phone_call_scam
| heavyset_go wrote:
| > _We can 't have the onus be on individual companies to vet
| requests coming from random podunk police departments
| nationwide._
|
| The onus is already on individual companies to vet requests
| from private individuals that want to move money around via
| Know Your Customer laws. I don't see why the same shouldn't
| apply to verifying whether or not a request for customers'
| private information is valid or not.
| Jerrrry wrote:
| Faking EDR's and GDPR is the newest way to take over anyone's
| account, for many platforms.
|
| just the effort companies made to support the requests allow for
| shenanigans.
|
| if you cant take over the account - you request it be deleted,
| then remake the account with the username/email desired.
| phendrenad2 wrote:
| Interesting. And since you can't even store the email address,
| you can't detect that someone is recreating a deleted account.
| Hashes to the rescue though. You can just return a cryptic
| "email/account name not accepted" message.
| Jerrrry wrote:
| Is storing a hash not also invasive?
|
| I don't store your IP or SSN. I store the Md5 hash of it.
|
| If the bit-space is easily enumerable, it is just as bad...
|
| but is it?
| ttyp3 wrote:
| How about requiring phone verification that routes through a
| public number/central source?
|
| If it's a true emergency, someone should have no difficulty being
| available for a call.
|
| (The main number could be compromised too, but come on...)
| nomercy400 wrote:
| Yea exactly. Maybe we can give it a name, how about multi-
| factor authentication? So you verify who you say who you are
| through a different factor/channel. And making a phone call to
| actually talk to a person in real time.
| rvr_ wrote:
| One way to approach crime is to make the risk too big. What about
| punishing with death those who do identity theft and
| impersonation? Our society tolerates too much crime.
| nullc wrote:
| "Hi, I'm rvr_ member of law enforcement, someone's life is in
| danger, please provide customer details for IP 1.2.3.4
| immediately!"
|
| ... ignoring those double impersonation swatting problems,
| enforcement against crimes online is really hard due to global
| scope. Police won't even investigate because all they find is
| that the hacker was some russian and they can't do anything
| about it.
| theknocker wrote:
| einpoklum wrote:
| > It involves compromising email accounts and websites tied to
| police departments and government agencies, and then sending
| unauthorized demands for subscriber data while claiming the
| information being requested can't wait for a court order because
| it relates to an urgent matter of life and death.
|
| Ah, very simple then: Ignore such demands for as long as you can,
| then, if approached by actual law enforcement, tell them you were
| told such messages are phishing attempts from hackers.
| cwkoss wrote:
| I've always wondered how many fake national security letters have
| been sent to companies, and what the success rate on them is.
|
| Cant LEO get things in front of judges in hours? Is bypassing
| courts ever actually necessary?
| Ekaros wrote:
| Why not make federal service for this? Give access to all
| relevant authorities to file such request there and then make it
| possible to cross-reference it? Leaks of access can be tracked
| more easily.
| psychlops wrote:
| All this high speed life or death information and yet the
| clearance rate of solved homicides in the US has dropped from 70%
| in the 1980's to 50% today.
| hackerfromthefu wrote:
| I expect this is true, and shows the ridiculous scope creep of
| government snooping and stalking on individual privacy for what
| it largely is, power grabs by individuals in government drunk
| on the power of control.
|
| That said, do you have a source?
| psychlops wrote:
| I had read it previously elsewhere, then recently re-read it
| here:
|
| https://www.themarshallproject.org/2022/01/12/as-murders-
| spi...
|
| I imagine the picture is a lot more complex than the charts
| make it out to be. For example, I'd be curious about rate
| trendlines of false imprisonment.
| rahimnathwani wrote:
| "KT said fake EDRs don't have to come from police departments
| based in the United States, and that some people in the community
| of those sending fake EDRs are hacking into police department
| emails by first compromising the agency's website. From there,
| they can drop a backdoor "shell" on the server to secure
| permanent access, and then create new email accounts within the
| hacked organization."
|
| This sounds extremely unlikely.
|
| Maybe in 1999 someone would have hosted their mail server on the
| same server as their web site. But today?
| jahewson wrote:
| I wouldn't put it past them. But hacking an admin portal would
| probably suffice.
| CrazyMusicians wrote:
| From: https://twitter.com/briankrebs/status/1508819347963363329
|
| Some backstory that's not in the piece. I originally started
| reporting this about six months ago, when an anonymous tip
| suggested people were creating fake police department .org
| domains and sending requests from there. Spent ridiculous amt
| of time chasing that to no end.
|
| As part of that research I looked at all new police dept
| domains in the last year. Found so many I was sure were fake.
| They were all real. Some were half-done. Some completely wide
| open, security-wise. It was depressing to learn after that
| there are > 18k police depts nationwide.
| ellen364 wrote:
| 18k police departments is mind blowing. I looked it up
| because I wasn't sure it was plausible, but a Department of
| Justice publication confirmed [0]. Meanwhile the UK has 48
| police forces [1].
|
| 330,000,000 / 18,000 = 18,500 Americans per police force
|
| 67,000,000 / 48 = 1,396,000 Brits per police force
|
| Not sure what to make of that.
|
| [0] https://bjs.ojp.gov/content/pub/pdf/nsleed.pdf [1]
| https://www.police.uk/pu/contact-the-police/uk-police-
| forces...
| cwkoss wrote:
| The average police officer doesn't even know the law very well.
| I'd be shocked if the average police dept had someone
| technically competent enough to speak to network security
| concerns: that's not their job.
| rahimnathwani wrote:
| Right, but setting up a web site and email server on the same
| host (even poorly, in a just-about-works state) requires
| _more_ expertise to set up than getting a web site and email
| set up on GoDaddy or whatever.
| detaro wrote:
| > _But today?_
|
| Today they use the same crappy hosting company as in 1999, that
| does the same thing it's always done, just only slightly newer
| hardware. Especially on a municipal level, there still is not
| much of a standard when it comes to such things.
| rahimnathwani wrote:
| Hmm... it seems trivial to do a lookup of the A records for @
| and www, and see if there's any overlap with the MX records.
|
| If so, then it was likely set up a long time ago and not
| maintained well.
| buildbot wrote:
| This seems like on of those ill-advised crimes that carries a
| huge federal penalty if caught right? Pretending to be a police
| officer feels like something that typically gets smacked down
| pretty aggressively if not officially sanctioned.
| bhk wrote:
| > "One of the problems you have is there's no validated master
| list of people who are authorized to make that demand"
|
| It sounds like there isn't even a well-defined _policy_ for who
| is authorized.
| photochemsyn wrote:
| I wonder if an 'Emergency Data Request' to Amazon by a law
| enforcement organization has to go through all the hoop jumping
| described here:
|
| https://news.ycombinator.com/item?id=30820424
|
| relevant comment: "I had to click through more than 100 links to
| download all the data, how can this be acceptable? Specially
| coming from Amazon. How hard is it for them to create an archive
| with all the data? This is ridiculous, I can't imagine how was
| the meeting when they decided to produce purposefully such
| garbage UX."
|
| This would indicate that Amazon has some kind of internal
| interface for these Emergency Data Requests for law enforcement
| that just dumps all the data to them immediately without all
| those barriers to access. Makes one wonder why that's not also
| available to Amazon users?
|
| Also, are these Emergency Data Requests ever subjected to post-
| mortem court review of any kind? Is anyone in law enforcement
| ever subjected to discipline for bogus requests?
| CaptainNegative wrote:
| Just a guess, but perhaps Amazon responds to EDRs only with
| potentially meaningful data rather than how many minutes into
| your third viewing of The Simpsons S16E4 you paused the video
| last, how often you've clicked on but never carried through
| with that Roomba purchase on woot.com, or the full history of
| Amazon App Store promotions you took part in back in 2015 to
| get free coins added to your wallet that you've completely
| forgotten about.
| upofadown wrote:
| >"The only way to clean it up would be to have the FBI act as the
| sole identity provider for all state and local law enforcement,"
| Weaver said. "But even that won't necessarily work because how
| does the FBI vet in real time that some request is really from
| some podunk police department?"
|
| There are already preexisting systems for solving this sort of
| problem. For example the FBI could set up a PGP based certificate
| authority[1] for email. Then the FBI signs the identities of the
| podunk police departments ahead of time. All the service
| providers would need would be the FBI identity (PGP public key)
| which they would sign once to authorize it and then they would be
| able to verify emails coming from any of the podunk police
| departments with no extra work on their part. This example comes
| with a revocation system that actually would work in this case.
|
| All secret key material would remain under the control of the
| specific FBI department acting as the certificate authority. No
| third party involvement would be required.
|
| [1] https://sequoia-pgp.org/blog/2021/05/12/202105-hello-
| openpgp...
| Avamander wrote:
| If they're already building a central identity provider then
| something built upon Web/EU standards would work much much
| better. Tried and tested for decades, ASiC-E (or S/MIME if you
| really really want) works great.
| heavyset_go wrote:
| A simple web application on the FBI's end that takes requests
| from verified parties and then forwards them to companies would
| be enough. No need for PGP or anything like that.
|
| Real subpoenas would also work.
| nightpool wrote:
| How does this solve the issue? If a local police department
| laptop gets pwnd, or a local police officer's credentials get
| compromised through a reuse attack/stuffing (as seems to have
| happened here), what oversight mechanisms would prevent their
| email from getting PGP signed? In this case, these emails were
| probably DKIM and SPF verified already, which (as I understand
| your proposed system) seems entirely equivalent.
|
| There's no "magic bullet" in security, you can't just
| "authenticate" individual emails "with no extra work" and hope
| that that solves things without addressing the gaping security
| holes that allowed those emails to be sent from official
| servers in the first place.
| woah wrote:
| Dongle
| upofadown wrote:
| Normally the secret key stuff is protected by a passphrase
| for a PGP verified email. So the entity owning the laptop
| would have to wait for the department to make a request first
| (rare) to keylog the passphrase and would only get to make
| one bogus request before revocation of the identity.
|
| DKIM and SPF only prove that an email passed through a
| particular email server. The whole point of doing the
| verification end to end is that the stuff in between does not
| have to be secure.
| nightpool wrote:
| Yes, if you're assuming that police departments can keep a
| rarely-used passphrase secure and not written down in
| online documentation anywhere, while also being accessible
| in emergencies, then that system might work. (But then you
| also have to remember to rotate the passphrase when anybody
| in the entire department leaves or gets fired).
| upofadown wrote:
| Access to the passphrase would not by itself provide
| access to anything. The malicious person leaving would
| also have to take along a copy of the encrypted private
| key.
|
| In practice you would just register 2 or more keys left
| in the care of 2 or more people. Each person would be
| individually responsible, as it should be. When someone
| left you would revoke the key. You would not have to go
| super hard on this, most of the requests would be routine
| and not time sensitive. In an emergency you do the best
| you can with what you have available.
| mef wrote:
| wouldn't this just shift the trust from the police email
| address to the police email PGP signer? wouldn't hackers then
| just target that part of the infrastructure?
| Avamander wrote:
| That would be significantly harder, especially with hardware
| key storage.
| willcipriano wrote:
| The alternative is due process, where a judge issues a court
| order and the police have to wait a few hours for that to
| happen.
| 300bps wrote:
| Probably take 5 minutes to find an example order online from
| most judges in the country. Make a fake document to look just
| like it saying whatever you want. Send it in - how do they
| authenticate it?
| willcipriano wrote:
| Same way they validate them now. Call up the court and ask.
| The clerk will be happy to help you. If you can fake a
| district court into existence we've got bigger problems.
| KennyBlanken wrote:
| Slim to no chance that a US telecom actually bothers to
| call up the court and verify an order with the clerk
| except for orders that are unusual (say: overly broad in
| scope, or targeting a recognizable name such as a
| politician or celebrity). My guess is that at best they
| look at the fax caller ID and/or email headers and that's
| that.
|
| Their position is likely "it looked like it came from a
| cop, not our problem if the cop is forging court orders."
| mmazing wrote:
| So punish them for not verifying?
|
| We're already very familiar with the concept that
| ignorance of the law isn't a valid reason for violating
| the law. What's wrong with that in this scenario?
| heavyset_go wrote:
| Then make it their problem with regulators or
| legislation. KYC is law of the land when dealing with
| private individuals, same logic should apply to verifying
| court orders or law enforcement requests.
| elzbardico wrote:
| Well that's just one of lesser things that happens for a paranoid
| society that trades freedom and privacy for what the oppression
| apparatus calls security.
|
| You don't have security, just a police-state, and to add insult
| to injury besides having less freedom now you also have less
| security too.
|
| And yes, let's pretend that only China, Iran and Russia are
| police states, let's keep singing star spangled banner while we
| happily slip through this slope towards the gulags.
| renewiltord wrote:
| Spotify records all the songs I listen to. Last week 10 songs.
| This week 100. Next week 200. The week after? PRISON IN A
| FROZEN WASTE! I suffer endlessly from the data they have
| collected. Cold bits are thrown upon me every morning; I've
| lost my toes to frostbyte due to data in cold storage; I have
| made friends, nay fellow sufferers, in the bitcoin mines, as we
| hash out issues together.
|
| If only I could have seen this last week. L'horreur! L'horreur!
| BolexNOLA wrote:
| >let's keep singing star spangled banner while we happily slip
| through this slope towards the gulags
|
| You had a point until "gulags." You honestly think we're on the
| verge of becoming a Stalinist state that imprisons and murders
| political dissidents by the millions?
|
| Maybe that's a _tad_ alarmist?
| pyronik19 wrote:
| There are influential media personalities calling for the
| jailing people who aren't towing the line on the war drum
| beat on ukraine/russia... that any narrative deviation is
| treasonous and thus a jailable offense. Yeah, so what if our
| gulags have rainbow flags and black fists murals.
| mrtranscendence wrote:
| > There are influential media personalities calling for the
| jailing people who aren't towing the line on the war drum
| beat on ukraine/russia
|
| Source on these influential media personalities? I assume
| they're not fringe in any way, since you called them
| "influential".
| DiabloD3 wrote:
| America elected Trump and then Congress knowingly rejected
| evidence that he colluded with Putin to defraud voters and
| steal the election. He then occupied that office for four
| years, while additional evidence continued to mount against
| the increasingly obviousness of Russian interference.
|
| Not only did a sitting President betray people and killed
| millions with anti-masker/anti-vaccine rhetoric, he did so to
| aid a foreign country that is known for murdering political
| dissidents, and did so during WW2, during the Cold War, and
| the post-Soviet era that exists today; but also our Congress,
| most of those still occupying those seats today, aided and
| abetted him. What Trump and his Congress did is terrorism
| without being formally charged with it, and is hardly any
| different than the pre-Stalin era of Soviet Russia and the
| pre-Kristallnacht era of the Nazi occupation of Germany.
|
| So, please, I'd like you to tell me why you think people
| _shouldn 't_ be seriously alarmed? You sound like all the
| deniers in the history books: "Oh, the Nazis wouldn't kill
| Jews and political dissidents", "Oh, Stalin wouldn't (also)
| kill Jews and political dissidents", "Oh, Chairman Mao
| wouldn't just starve tens of millions to gratify his own
| ego". People keep saying this, it keeps not being true.
|
| History is a goddamned broken record.
| encryptluks2 wrote:
| I'd encourage you to consider that Democrats and
| Republicans work in parallel as much as they'd like you to
| think otherwise to coerce Americans into subscribing to a
| two-party system. It will continue as long as people
| believe that if they don't subscribe to it that Democracy
| will fail and the only thing preventing it from happening
| is to vote for one of the two-party candidates that fits
| their propaganda news network approved message.
|
| Also, it is funny how when it comes to politics Republicans
| have moved so far right that now center-right is considered
| the left party.
| DiabloD3 wrote:
| Don't get me wrong, I agree with this.
|
| Many Democrats _also_ decided to join the Putin-backed
| coup attempt, and also voted to not impeach during one or
| both trials. Many Democrats _also_ tried to claim Hunter
| Biden, while working for a natural gas company in
| Ukraine, somehow was up to _something_ and using his dad
| 's appointment as VP for _something_.
|
| Funny how Biden became President, and now Russia is
| invading Ukraine to maintain their stranglehold on
| Europe's energy supply, and all the pro-Russian bot
| accounts on Twitter and Facebook that were repeating the
| "Hunter's Laptop" and "But Her Emails" stories to divide
| and conquer, suddenly vanished.
|
| I am a socialist, and what both parties do is disgusting,
| and, honestly, anti-American. Our government has been
| rapidly degrading my entire lifetime, and the only
| reasonable action is to ring the alarm bell and hope
| other people wake up and start fighting the fascism that
| is threatening to destroy our nation.
| BolexNOLA wrote:
| >Funny how Biden became President, and now Russia is
| invading Ukraine to maintain their stranglehold on
| Europe's energy supply, and all the pro-Russian bot
| accounts on Twitter and Facebook that were repeating the
| "Hunter's Laptop" and "But Her Emails" stories to divide
| and conquer, suddenly vanished.
|
| It's not "funny." It makes complete sense. Services for
| .ru accounts are being suspended around the world.
| djmips wrote:
| Just letting you know that 'funny' in this sense is
| sarcasm and they are fully aware of what you just stated.
| BolexNOLA wrote:
| I understood how they used funny, but we drew different
| conclusions. They're alluding to a conspiracy.
| pstuart wrote:
| The funny thing about Hunter Biden is that it _was_
| genteel corruption, in that he brought nothing to his
| role but a family connection. But the attention about it
| was also corrupt -- there was no interest in "how do we
| have less of this", but only about smearing a rival.
| jacquesm wrote:
| The sad thing is that after the Trumps any lesser level
| of nepotism is going to be acceptable.
| pstuart wrote:
| There's many sad things. Partisanship is destroying this
| country; we should be united in being against corruption
| even if it's _one of our own_ , so to speak.
| BolexNOLA wrote:
| Democrats hold their own accountable for more than
| Republicans, even if it isn't enough (it isn't). The GOP
| couldn't even kick Roy Moore to the curb.
| jgod wrote:
| The right has moved further right, and the left has moved
| further left.
|
| Moreover, the left has moved further left than the right
| has moved right. https://jabberwocking.com/if-you-hate-
| the-culture-wars-blame...
| AnimalMuppet wrote:
| You say "Democrats and Republicans work in parallel". And
| then you say "Republicans have moved so far right". Which
| is it?
|
| Also, _some_ Republicans have moved far right. Some
| Democrats have moved pretty far left, too. I will admit
| that more Republicans moved than Democrats. But both
| parties have sections near the center, and both have
| extreme parts. And both are having trouble maintaining
| unity in the face of that tension.
| [deleted]
| BolexNOLA wrote:
| The GOP has been sidelining or primarying out the few
| they still have near the center tbh.
| merely-unlikely wrote:
| Total US death count from Covid is up to 975k according to
| the CDC[1].
|
| [1] https://covid.cdc.gov/covid-data-tracker/#datatracker-
| home
| tiahura wrote:
| _Congress knowingly rejected evidence that he colluded with
| Putin to defraud voters and steal the election._
|
| You shouldn't let your personal animosity towards Trump
| lead to believing misinformation.
|
| _Mueller finds no collusion with Russia, leaves
| obstruction question open_
|
| https://www.americanbar.org/news/abanews/aba-news-
| archives/2...
|
| You should take this opportunity to consider what other
| things you know to be true about Trump may also be
| misinformation.
|
| _The Washington Post corrects, removes parts of two
| stories regarding the Steele dossier_
|
| https://www.washingtonpost.com/lifestyle/style/media-
| washing...
| DiabloD3 wrote:
| > You shouldn't let your personal animosity towards Trump
| lead to believing misinformation.
|
| I don't have to. I witnessed several Republican
| congressmembers go out of their way to announce that no
| matter what evidence presented is, they had already
| decided to ignore it and vote against the removal of
| Trump from office.
|
| Now, I can't tell you why they decided to announce their
| criminal enterprise shortly before enacting it, but a
| quick Google tells me their names are Cindy Hyde-Smith,
| Roger Wicker, Thom Tillis, Rob Portman, James Inhofe,
| Mike Rounds, and Jerry Moran.
|
| > Mueller finds no collusion with Russia, leaves
| obstruction question open
|
| https://en.wikipedia.org/wiki/Mueller_report is a well
| cited article.
|
| "On March 27, 2019, Mueller reportedly wrote to Barr in a
| letter, as stated in the New York Times "expressing his
| and his team's concerns that the attorney general had
| inadequately portrayed their conclusions".[226] This was
| first reported on April 30, 2019. Mueller thought that
| the Barr letter "did not fully capture the context,
| nature, and substance" of the findings of the special
| counsel investigation that he led.[227] "There is now
| public confusion about critical aspects of the results of
| our investigation". Mueller also requested Barr release
| the Mueller report's introductions and executive
| summaries.[228][229]"
|
| What you linked to covers Barr's misleading summary of
| the Muller report.
|
| > The Washington Post corrects, removes parts of two
| stories regarding the Steele dossier
|
| Again, Wikipedia has a well cited article on the subject:
| https://en.wikipedia.org/wiki/Steele_dossier
| BolexNOLA wrote:
| It is well-known that _nowhere_ in the mueller report
| does he exonerate the president. He leaves it to Congress
| to determine how to move forward. He explicitly wrote
| that his investigation did not find him innocent.
| treeman79 wrote:
| It's also looking like some of the Bidens are going to
| jail for what they were accusing Trump.
|
| The entire Trump Russia gate was to divert attention from
| what Hillary / Biden were doing.
|
| Oh a laptop was found with solid evidence showing
| collusion between the Bidens and various countries. Well
| naturally the same response is to sensor anyone that
| wants to talk about it and to impeach Trump.
|
| https://legalinsurrection.com/2022/03/mainstream-media-
| outle...
| encryptluks2 wrote:
| Oh please, no one is going to jail. This idea that
| someone is going to jail is just a boogeyman to create
| votes come election time.
| pstuart wrote:
| I see your downvotes brother, and feel your pain.
|
| The tribalism of politics is fierce, and even a forum with
| as much collective intelligence as HN is not immune from
| that force.
|
| We should be able to discuss _policy_ and _actions_ on
| their own merits without it being taken as a personal
| affront. I wish I could find the magical incantation that
| would allow that dialog to manifest.
| stuckinhell wrote:
| I don't think so, America has a massive amount of political
| unrest. Both parties seem to adore violence on their
| political enemies these days, and most Americans think civil
| war is on the way.
| pstuart wrote:
| > Both parties seem to adore violence on their political
| enemies these days
|
| Let's stop with the both sides are the same bit, m'kay?
| Plenty to criticize on the left but please stick to facts.
| BolexNOLA wrote:
| >most Americans think civil war is on the way
|
| Source?
|
| Personally, if we survived the 60's/70's, I think we can
| survive this. They literally murdered college students in
| front of the world.
|
| I'm also not sure how any of this translates into Stalin-
| era gulags. People throw that term around too lightly, like
| "nazi." If you've actually studied any Russian/Soviet
| history you should know how insane those were, even for an
| era with rampant fascism.
| hackerfromthefu wrote:
| Absolutely correct.
|
| It seems in vogue to use words without understanding the
| actual meanings. Most people haven't read history and
| speak, loudly, of that which they don't know.
| thechao wrote:
| Right; I think _at worst_ we 're managing to rewind
| ourselves to the `90s, at this point. I think a lot of
| people don't remember how much social change there was
| starting in the early `00s through the early `10s. I'm
| not pleased with the retrogression; I think Project Red
| Map has really uncovered a large scale hack/flaw in the
| US electorate that needs to be fixed _quickly_ , but the
| political situation is certainly nothing like the
| `60s/`70s.
|
| My parents were activists in the 60s, and my grandparents
| were activists in the 20s & 30s. My parents mostly feared
| being beaten, with a background fear of being shot at. My
| grandparents feared being _disappeared_ along with
| retribution to their extended family, friends, and
| _neighborhoods_.
| BolexNOLA wrote:
| Re: your grandparents, I really don't think people
| appreciate how easy it was to cross the government with
| your speech - especially in wartime - prior to late 20th
| century.
| ashtonkem wrote:
| It is worth pointing out that the American penal system is
| already distressingly close to the scope of the gulag system
| in Stalinist Russia. The gulag system hit a high of 1.5m
| prisoners in the 1940s out of a population of 168m (pre war),
| or about 0.89%. America's prison population peaked in 2009 at
| an estimated 0.754%. If you include parole that shoots up to
| 3.1%, but I'm not sure how to compare that to the gulag
| system
|
| Wildly different death tolls though. Our best estimate is
| that the gulag system had an 8.88% death rate, with that
| varying wildly on a year by year basis. Meanwhile the US
| prison system as of 2018 kills 344 per 100,000, or .344%. But
| unfortunately those numbers are getting worse, not better. I
| think the difference here is less about our system being more
| humane, and more the fact that food and antibiotics are
| cheap. Heck, just look at how the prison system responded to
| covid.
|
| I honestly think we're a lot closer to a gulag system than
| people think. We've already built the majority of the
| machinery to actually implement such a system, and
| politically making the system harsher and less humane is very
| popular. There is also a bipartisan consensus that what we
| need is to fund the system even more. All that we're missing
| is the jump to directly imprisoning political opponents, and
| we've already seen some calls for that although it isn't
| quite mainstream yet.
| BolexNOLA wrote:
| >It is worth pointing out that the American penal system is
| already distressingly close to the scope of the gulag
| system in Stalinist Russia
|
| What do you know about the gulag system? Serious question,
| not baiting or anything. What are the broad strokes of what
| you understand to be "The Gulags"? Because like you, I am
| VERY concerned with the US penal system, but to compare the
| two is...a stretch for me.
| [deleted]
| elzbardico wrote:
| This is what we call an hyperbole.
| BolexNOLA wrote:
| Pretty over-the-top example if you ask me
| maxbond wrote:
| This is sort of a dodge, isn't it? The question wasn't,
| what rhetorical device are you employing? It's, do you
| truly believe the situation is as extreme as you imply? If
| the answer is "no", then there's an implied invitation to
| lay out what you actually believe. If the answer is "yes",
| there's an implied request to justify why you think that
| way.
|
| Saying 'this is what we call hyperbole' seems to imply, 'my
| ideas stand so well on their own, I don't need to respond
| to your criticism; the problem is not with my ideas or how
| I've expressed them, it is with your inability to recognize
| a particular rhetorical device.' Which is both patronizing
| and wrong. Your use of hyperbole was recognized and is
| being interrogated.
|
| You're under no obligation to respond to that challenge, no
| one here has a right to your time, but if you're going to,
| it would be more productive for everyone if you did so in
| good faith.
| nahkoots wrote:
| Don't forget that we very nearly had a successful coup, which
| would have spelled the end of American democracy. Are we on
| the verge of becoming a Stalinist state? No, not really.
| Could it happen? Absolutely, and we need to recognize that
| possibility to avoid becoming the next one.
| AnimalMuppet wrote:
| An attempt to overturn the results of the election? Yes. A
| coup? Not really; doesn't fit the definition, though it was
| far closer than I thought I would ever see. "Very nearly
| successful"? No.
| coliveira wrote:
| A failed coup, since "overturn the results of the
| election" is pretty much what we may call a coup.
| AnimalMuppet wrote:
| Hmm. I went to dictionary.com, looked up coup d'etat, and
| it said:
|
| > a sudden and decisive action in politics, especially
| one resulting in a change of government illegally or by
| force.
|
| So, I stand corrected. It _does_ meet the definition of
| "attempted coup".
| coliveira wrote:
| Yes, many people are under the impression that a coup is
| only the result of military or generalized revolt. In
| fact most modern coups are staged as a political
| mechanism to avoid the results of the democratic norm.
| ipaddr wrote:
| Please forget whatever idea you came up with. America was
| never under a coup attempt. Hard to even attempt to call it
| a coup without weapons. Don't worry America is safe from
| farmers rallying at the white house.
| whateveracct wrote:
| Maybe they're referring to the attempts to invalidate the
| 2020 election? No weapons, but what is a better word for
| a coordinated attempt to undermine the government?
| hackerfromthefu wrote:
| How about 'attempt to undermine the government'? That is
| much more accurate than coup.
|
| Words have meanings, and using the words inaccurate/the
| wrong meanings is saying one thing but meaning another,
| and the word for that is lying.
| verve_rat wrote:
| Just because it wasn't a very good or well organised coup
| attempt doesn't mean it wasn't a coup attempt.
| dragonwriter wrote:
| > How about 'attempt to undermine the government'? That
| is much more accurate than coup.
|
| No, attempted coup (specifically, attempted self-coup) is
| much more accurate.
|
| > Words have meanings
|
| Yes, they do. And the precise political science terms for
| the coordinated attempts by the 45th President and his
| allies to extend his powers beyond their lawful duration
| by extralegal means is "self-coup" or "auto-coup" (in the
| original French, "autogolpe"), which is a form of coup
| carried out by or on behalf of the existing leader.
|
| > and using the words inaccurate/the wrong meanings is
| saying one thing but meaning another, and the word for
| that is lying.
|
| Yes, that is exactly what you are doing when you
| explicitly refuse to use the correct term in attempt to
| minimize the act.
| jetpks wrote:
| This is the same verbal gymnastics confederate
| sympathizers use when trying to say that the civil war
| was about "states rights." All you have to do is follow
| the logic to its conclusion.
|
| What was the civil war about? States rights. What rights,
| specifically? The right of states to allow their citizens
| to practice slavery. Therefore, the civil war was about
| slavery.
|
| What was jan 6 about? It was about an attempt to
| undermine the government. An attempt to undermine what,
| specifically? The election process. Why did they seek to
| undermine the election process? So that the mob could
| extra-judicially install a leader of their preference.
| Another word for this is coup d'etat.
| hackerfromthefu wrote:
| I can see where you're coming from.
|
| AFAIK, in common use the word coup involves the military
| taking control of the government.
| ashtonkem wrote:
| You're using a much more narrow definition of what a coup
| d'etat means.
|
| > The sudden overthrow of a government by a usually small
| group of persons in or previously in positions of
| authority.
|
| Or to use Wikipedia's definition
|
| > A coup d'etat (French for "blow of state"), often
| shortened to coup in English (also known as an
| overthrow), is a seizure and removal of a government and
| its powers. Typically, it is an illegal seizure of power
| by a political faction, rebel group, military, or a
| dictator. Many scholars consider a coup successful when
| the usurpers seize and hold power for at least seven
| days.
|
| Yes, the military can be involved in a coup, but the
| essential definition does not require their involvement.
| Different terms might be applied if the military is
| involved, and based on whether or not the military is the
| primary driver (as in Myanmar) or is backing one side.
| dragonwriter wrote:
| > AFAIK, in common use the word coup involves the
| military taking control of the government.
|
| That is one common _kind_ of coup, but distinguished from
| the broader category. That 's why the phrase "military
| coup" exists to distinguish the kind of coup where the
| military (or some part of it) is the main actor in
| seizing control outside of normal bounds.
| StanislavPetrov wrote:
| >What was jan 6 about?
|
| Jan 6th was about a small number of ignorant people who
| bought into a bunch of lies. A protest that got out of
| control. One that was far, far less violent, with far
| fewer casualties than dozens of protests that happened
| around the country the prior year. All mobs are bad, all
| riots are bad. Unfortunately different partisans have
| been trying to blow up the implications of one riot while
| downplaying all the others.
| krapp wrote:
| People involved have already been charged with seditious
| conspiracy. Sympathizers were found among the Capitol
| Police, members of the government openly supported a
| coup. Supreme Court Justice Clarence Thomas may either be
| impeached or have to resign over his wife's pro-
| insurrectionist texts to Trump's chief of staff. There
| were plans. There were conspiracies. We have the
| receipts.
|
| And stuff is still coming out about Trump. A mysterious
| seven hour gap in the White House communications logs. A
| Federal judge ruling that it's "more likely than not"
| that Trump "corruptly attempted to obstruct Congress"
| attempting to overturn the election results. He called it
| a "coup in search of a legal theory." Yes, that's not
| "beyond a reasonable doubt," but it's also not nothing.
|
| You're right that it was far less violent, and had far
| fewer casualties, but it wasn't just a riot, nor were
| there just a small number of ignorant people involved. To
| think that at this point, or to dismiss all concerns as
| partisan hyperbole, is kind of ridiculous.
| BolexNOLA wrote:
| > All mobs are bad, all riots are bad.
|
| Yet the GOP is sidelining and smearing the few among them
| who actually want to hold the insurrectionists
| accountable.
| mojzu wrote:
| The 'without weapons' implies it wasn't violent, which
| seems a stretch to me when a police officer was beaten to
| death and plenty of others were injured
| edm0nd wrote:
| >when a police officer was beaten to death
|
| Not single LEO was beaten to death on Jan 6th. You are
| literally spreading misinformation and fake news lol. SCP
| Officer Brian Sicknick died after having two strokes aka
| natural causes.
| mpalczewski wrote:
| First I'm hearing of this, do you have a source about the
| officer being beaten to death?
| webstrand wrote:
| They're probably referring to this:
| https://www.nytimes.com/2021/01/08/us/brian-sicknick-
| police-...
| mpalczewski wrote:
| oh looks like fake news, even the ny times article says.
|
| "New information has emerged regarding the death of the
| Capitol Police officer Brian Sicknick that questions the
| initial cause of his death provided by officials close to
| the Capitol Police."
|
| Wikipedia says
|
| "The cause of Sicknick's death was first thought to be
| from injuries, but months later the medical examiner
| reported there were none."
|
| "The District of Columbia chief medical examiner found
| that Sicknick had died from stroke, classifying his death
| as natural"
|
| The original commenter said some officer was beaten to
| death. Maybe another officer, or were they just mistaken?
| StanislavPetrov wrote:
| >The 'without weapons' implies it wasn't violent
|
| There is no such implication at all. "Without weapons"
| means "without weapons". The vast majority of people at
| that riot were gun owners, and none of them were armed or
| fired a shot. I can assure you, people who own guns and
| are committed to violently overthrowing the government
| bring those guns and shoot them. For evidence see any of
| the numerous coups that occur in countries around the
| world.
| BolexNOLA wrote:
| That's a lot of talk about guns considering - which you
| pointed out - there weren't guns (that we know of) used
| by the insurrectionists.
|
| Do you acknowledge it was violent?
| coliveira wrote:
| From your words, it seems that history rewriting is in
| full swing right now.
| BolexNOLA wrote:
| >America was never under a coup attempt
|
| Oh come now. "Hang Mike Pence." "Stop the steal." The
| former president calling election officials telling them
| to "find the votes." I don't care what your politics are,
| what we saw this last election was like nothing we've
| ever seen before in this country. It was a failed attempt
| to overturn a democratic election on the basis of a lie.
| mywittyname wrote:
| We'll get our own flavor of gulags. The USA already has a
| pretty nasty and oppressive prison system. We have pro-
| authoritarian politicians in office, in the police forces,
| and now throughout the court system. So it doesn't seem
| alarmist to me.
|
| I'm pretty sure the police could get away with murdering
| political rivals right now. But a few key court decisions are
| all we need to formalize that capability for the next 100 or
| so years.
| consumer451 wrote:
| > "I wanted to tell everyone that there is a cancer within
| the government and when I tried to weed it out, I got
| fired," Gilmore wrote. "It was just easier for government
| management to get rid of me rather than to deal with the
| underlying issue."
|
| https://www.military.com/daily-news/2022/03/13/classified-
| us...
| treeman79 wrote:
| There are tons of reports of officers being disciplined
| punished or jailed for using a gun when the other person
| was violently resisting arrest.
|
| Police across the country are letting criminals run rampant
| due to fear of prosecution for doing their job.
| BolexNOLA wrote:
| >Police across the country are letting criminals run
| rampant due to fear of prosecution for doing their job.
|
| Police are "letting criminals run rampant" because they
| throw tantrums the moment money or accountability is
| discussed. Just watch how they behave the moment a city
| even _whispers_ "pension" despite the fact that police
| pensions are crushing city budgets across the nation.
|
| https://www.bridgemi.com/michigan-government/pension-
| costs-b...
|
| https://www.reuters.com/article/us-usa-pensions-
| policeandfir...
|
| https://www.latimes.com/projects/la-me-pension-squeeze/
| Zpalmtree wrote:
| > Police are "letting criminals run rampant" because they
| throw tantrums the moment money or accountability is
| discussed. Just watch how they behave the moment a city
| even whispers "pension" despite the fact that police
| pensions are crushing city budgets across the nation.
|
| What? I see no-one throwing 'tantrums' in the articles
| you linked. I see some people trying to keep the pensions
| they have earned. Do you expect ordinary Americans to
| jump to take a pension cut after working all their lives?
|
| And this in the hope that magically that money will go to
| the right places and reduce crime?
| BolexNOLA wrote:
| Where that money goes is not what's up for debate.
|
| We have conservatives non-stop calling for "reduced
| spending" and "tightening the belt" who are all too happy
| to cut everything they feel "their people" don't need,
| but the big ticket items - military, pensions, etc. - are
| arbitrarily sacrosanct. Well, it's not actually
| arbitrary. It's because they want to hurt "the right
| people."
|
| Reduced spending will never be fair to the people on the
| receiving end.
| frankfrankfrank wrote:
| Yet again I find myself in between rather detached
| perspectives. I agree with you regarding the trajectory
| because it is clear as day by all objective measures where
| this is all heading, yet I am left befuddled by your
| parroting of tropes about the "pretty nasty and oppressive
| prison system" that the very people are pushing who are
| leading us to the state where an equivalent of gulags will
| be created.
|
| The American prisons are not full of thought criminals just
| because you are being denied all the footage and proof of
| the violent crimes the people in US prisons commit,
| constantly. I realize that most people live in a negative
| bubble, where they have no idea what is happening because
| the truth has been withheld from them, but that does not
| change the reality most people are at least unwittingly
| ignorant of.
|
| But yes, the gulag system actually already exists in
| America, and the political prisoners in the USA right now
| already know that. Assange is also in that gulag system and
| can probably be considered the first, Prisoner #1 of the
| American Empire's Gulag Equivalent System, even though it
| is on foreign soil.
| [deleted]
| dalbasal wrote:
| There's more than one road to hell.
|
| All or nothing nihilism, that makes no major distinction
| between the US & china, Russia and Iran is also a road to
| totalitarian hell. It's a favoured rhetoric style if Putin and
| many reactionary extremists.
| dang wrote:
| " _Eschew flamebait. Avoid unrelated controversies and generic
| tangents._ "
|
| https://news.ycombinator.com/newsguidelines.html
| cycomanic wrote:
| I have to admit I find this whole situation (and also Krebs
| article bizarre). The problem seems to be that tech companies
| approve EDRs without much checking. Then the argument somehow
| becomes it is essentially impossible for them to check because
| there could be any of the thousands of police departments in the
| world requesting the EDR? Why should MS in the US somehow respond
| to a request from police department in Cuxhafen in Germany?
|
| I think the argument being made here is one of those "we can't
| make a perfect solution so no solution works", which is nonsense.
| Simply don't answer requests from police departmenents you can't
| verify. I bet you if a police department would request some
| business sensitive information they would not hand it over
| without going over the subpoena with a fine toothed comb. The
| issue is just that they don't value their customers privacy high
| enough to do a proper check.
| AJ007 wrote:
| This isn't even an EDR specific issue -- if someone makes an
| extraordinary request you should verify it, and if you don't
| you are probably falling for scams constantly.
| jonas21 wrote:
| > _The issue is just that they don 't value their customers
| privacy high enough to do a proper check._
|
| I think the real issue is that the backlash from politicians
| and the public for failing to respond to a legitimate emergency
| will be orders of magnitude larger than the backlash for
| disclosing some customer information.
| mmazing wrote:
| Usually when the solution is "just remember to do X", you've
| found a bad solution.
|
| Re-approach the problem from a different perspective -
| companies don't value their customer's privacy enough. What
| solution can we put in place to force them to care about their
| customer's privacy? Can we force them?
|
| You have to start there for a worthwhile solution.
| 1vuio0pswjnm7 wrote:
| "I think the argument being made here is one of those "we can't
| make a perfect solution so no solution works", which is
| nonsense."
|
| I have seen this type of "argument" countless times reading HN.
| I always wondered if I was the only one who noticed. Thank you
| for calling it out. It is indeed nonsense.
|
| IMO, if "tech" companies cannot exercise due care, then they
| are at fault. There is no exception based on some idea that
| "our company must be large and serve millions of people to
| succeed so we should not be held to the same standard as a
| smaller company." If "scale" and nonexistent or grossly reduced
| customer service comes at a cost (e.g., fraud), then "tech"
| companies should have to pay that cost, not anyone else.
|
| "The current situation with fraudulent EDRs illustrates the
| dangers of relying solely on email to process legal requests
| for highly sensitive subscriber data."
|
| IMHO, the amount of important stuff today that rests on the
| presumed integrity of an email address is astounding
| chockchocschoir wrote:
| > Why should MS in the US somehow respond to a request from
| police department in Cuxhafen in Germany?
|
| If a non-US company does business in the US, most people would
| expect the business to also answer to US law enforcement. You
| can't just operate in a business and not follow the law of that
| country. Same applies the other way around, you do business as
| a US company in Germany, you better follow German law. Hence
| companies tend to have HQ in one country, and then subsidiaries
| in other countries, who know how the local market and laws
| work.
| verve_rat wrote:
| That's the point though. MS US headquarters is not responding
| to these requests. MS {local country} branch is responding.
| And I'm sure the people that work in country X know how to
| contact country X's police.
|
| This is really a non issue being blown up in to some
| unsolvable conundrum by people in this conversation that want
| to find problems in using a phone book.
| harry8 wrote:
| How about:
|
| "This clearly isn't working. We have evidence of it not
| working." So needs to be shut down immediately because nobody
| agreed to this level of failure.
|
| From there the next argument becomes "This cannot work." I.e.
| there can be no adequate solution. But hey, if you disagree
| with that part and you've got a solution that you think /can/
| work let's get it out there and analyse it and see if its worth
| the risk.
|
| Note that data in Cuxhafen (??) Germany won't be partitioned
| from your home town and stored in a different and differently
| secured database. So the weakest link in the weakest country is
| the one relevant to your data security.
|
| Please note I'm not agreeing with Krebs's argument here. I
| haven't got all the information to process it, nor have I had
| time, nor is this my area of expertise, nor do I have to have a
| firm opinion on everything.
|
| I'm just spelling out Krebs's argument because I really don't
| care for your summary of it.
|
| If you have a solution you think can work, let's hear it.
| riskable wrote:
| The statements about this being "unfixable" are utter nonsense.
| If someone claims to be from a particular law enforcement agency
| it is _trivial_ to just call up said police department and ask to
| speak to that person. If no one answers or the person can 't be
| reached you don't approve the request.
|
| The only thing that's "unfixable" about this is that it's not
| something you can automate. You need an actual human being to
| perform the verification step(s).
| xhkkffbf wrote:
| Yes, the call back mechanism is a pretty good one but it has
| limitations too. It requires the switchboard operator at the
| police station to be trustable. Indeed, that human needs to
| actually pick up the phone. In many cases, the 911 line is the
| only one that's routinely answered.
| skybrian wrote:
| If it's really an emergency then calling the 911 line seems
| justified?
| throwawayboise wrote:
| How do you call 911 in aother city? AFAIK, 911 calls always
| go to the local dispatch center.
| AnimalMuppet wrote:
| Area code, then 911. And often, the 911 dispatcher asks
| "What city?" as the very first thing they say.
| bell-cot wrote:
| I'm thinking that the number of "Gun to victim's head; we
| need secrets from $Corporation_Name _now_!!! " situations
| which a typical small police dept. would actually experience,
| even over a decade, is ~ZERO. And the chance that a small
| police dept. would have the skill set, familiarity with the
| procedure, etc., so that they _could_ correctly request the
| right data, from the right part of the right corporation, is
| about the same.
|
| SO - move the power to make such requests up to (say) State
| Police departments, or even somewhere in the DHS. Those guys
| have (or should have) sufficient resources to secure their
| e-mail, staff call-back phone lines 24/7, etc. And in the
| other direction, they should be far better able to vet
| alleged local police officers who contact them with emergency
| requests.
| lostcolony wrote:
| Require police stations to register their callback number for
| EDRs. Require a response before releasing information.
|
| You still have the issue of vetting each police station, but
| you can do that once before the EDR comes in. Then when the
| EDR comes in, you call that number, confirm the details.
|
| It can still be hacked, but not nearly as easily as a random
| officer's email account.
| aqme28 wrote:
| Trivial for someone who is suspicious and cares, sure. But that
| is not _prevention_ by any stretch. People still get phished
| via email every single day. I wish I could rely on something
| more robust than just the services I use being extra careful.
| verve_rat wrote:
| Sure, but the point is the process at the company receiving
| the request for data should change. They should verify the
| requesting entity.
|
| Then if the people processing these requests don't follow
| that process, then that is a different problem. But as it
| stands now, those people can follow the process to the letter
| and we still get the wrong outcome.
| giantg2 wrote:
| In theory you could automate it, but that would require a
| different architecture.
|
| It's honestly pretty stupid that email is being used for this
| instead of having a secure portal which could include things
| like RSA hard tokens, or even just passwords with 2FA would be
| a step up. Nothing is fool proof, but this sort of stuff is
| common with other sensitive information like finance.
| ryukafalz wrote:
| Honestly, email would do the job too, if it was signed email.
|
| I'm pretty sure the largest deployed PKI system is the US
| federal government's - it really feels like we should be able
| to deploy something for law enforcement agencies. (And in
| fact that's what the legislation mentioned at the end of the
| article appears to do.)
| giantg2 wrote:
| Does that actually fix the issue if they've compromised the
| security of the email server using real or generated
| accounts?
| ryukafalz wrote:
| The email server typically does not contain key material.
| If you've ever interacted with the military or related
| contractors you may recognize this card:
| https://www.cac.mil/common-access-card/
|
| That's a smart card, containing a certificate that can be
| used to sign email, be used as a client cert for web
| access, etc.
|
| Now, it has _moved_ the problem to some extent, in that
| now you have to secure the CA that's issuing these certs.
| giantg2 wrote:
| I'm a little familiar with CAC cards from years ago. I
| don't believe they were using them to sign emails at that
| time. Thats different than the signing process I was
| familiar with. That would work.
| nonameiguess wrote:
| The DoD root CAs are pretty damn secure. They're offline
| in physical vaults on military installations.
| Compromising one of those is a far cry more difficult
| than some town of 400's local PD e-mail server.
|
| Granted, you only need to compromise a RAPIDs office to
| issue yourself a CAC, but that is still offline and on
| military installations (though often much less secure
| reserve/guard installations).
| giantg2 wrote:
| Wouldn't the cert need to be specific to the individual
| for proper identification? So getting one for yourself
| might not provide the sufficient privilege.
| chipsa wrote:
| The cert would verify that a specific individual signed
| the email, with someone having previously verified
| issuing the credential to the right person (this sort of
| thing is usually issued as a smart card ID, so it's used
| for several things, and it's unlikely people lose it
| without reporting it lost and getting it revoked).
| giantg2 wrote:
| They specifically mentioned issuing themself one, not
| stealing one.
| chipsa wrote:
| Yeah, issuing themself one through RAPIDS. You need to
| authenticate against RAPIDS to issue one. So you're
| looking at stealing a credential, and hoping you can get
| it done before it's noticed it's gone and revoked, and
| hoping that they don't go ahead and look at logins
| between when it was last seen and when it was revoked in
| order to see if there's any weirdness, at which point
| your credential gets revoked.
|
| If they did something similar for law enforcement, it
| would probably have the same sort of restrictions: you
| need to authenticate to get a credential, but to
| authenticate you need a credential. So you need to steal
| one to issue yourself one.
| logifail wrote:
| > In theory you could automate it [..]
|
| Sorry for the somewhat off-message thought, but perhaps this
| kind of thing is actually more secure if you _don't_ attempt
| to automate it?
|
| Maybe the person receiving the request should actually go and
| look up the phone number of the police department or court
| who allegedly issued it/approved it, and then call _that
| number_ (note: not the number mentioned on the request
| itself).
|
| Surely if that was the SOP, this kind of stuff would just
| stop?
| giantg2 wrote:
| Where are they looking it up? Is that source secure? If
| it's just on a website, that could be easily corrupted.
|
| There's a huge number of systems across the US. I am
| assuming that a centralized system would provide better
| security overall compared to the many small and often
| neglected local systems. This would also standardize the
| process, reducing the possibility of some locales practice
| insecure processes.
| logifail wrote:
| > If it's just on a website, that could be easily
| corrupted.
|
| Back in the day we had things called "telephone
| directories" (I'm showing my age somewhat)
|
| Is it beyond the wit of man to have the CIA/FBI/NSA/$TLA
| publish a "list of places to phone" when you receive an
| Emergency Data Request?
|
| If the source isn't on the list, you can ignore it. If it
| is on the list, phone the number _on the list_ to verify
| it?
|
| This really isn't rocket science. At least not for those
| of use who grew up in an age where you could step into a
| phone box and open up a printed directory and look up
| someone's phone number...
| giantg2 wrote:
| That is a possibility. It would likely need to be
| digital, not printed, to avoid stale data. The identity
| verification will still be less than what you could do
| with something certificates or RSA tokens since there's
| nothing guaranteeing the person on the other end is who
| they say they are (numbers change, area could be
| unsecured/unmanned, call redirected, etc).
| logifail wrote:
| > It would likely need to be digital, not printed, to
| avoid stale data
|
| Q: Would one expect police departments to be the kind of
| places which would change their main telephone number
| regularly?
|
| Consumers change providers often. Institutions? Maybe not
| so much. (As an aside, I've just checked, and my old
| university's phone number is exactly the same as it was
| 30-odd years ago when I enrolled).
|
| To be frank, I'd prefer a printed version for something
| like this. Harder to hack a directory that's hard copy
| and whose entries really ought not to be changing very
| often. If ever.
| giantg2 wrote:
| "Harder to hack a directory that's hard copy and whose
| entries really ought not to be changing very often."
|
| Phreaks often dumpster dove for this info.
|
| How does it not change often? There are constantly new
| departments starting, departments/precincts merging, and
| departments shutting down.
| logifail wrote:
| > Phreaks often dumpster dove for this info
|
| For the telephone number of their local police
| department? Is it supposed to be secret? My point is that
| it should be public!
|
| > How does it not change often? There are constantly new
| departments starting, departments/precincts merging, and
| departments shutting down
|
| There is simply no reason for a newly-started/merged
| police department to be able to unilaterally issue an
| Emergency Data Request, and I say this as a father of
| three young kids.
|
| For $deity's sake, some new and/or newly-merged and/or
| micro police force must surely have their local, regional
| and national-level police forces on speed dial on all
| their phones. If someone is missing and needs to be found
| quickly, all they need to do is _pick up the phone and
| reach out to "higher authority"_ (who can be quickly
| authenticated, because they definitely have been around
| for decades), not start acting like the local heroes.
|
| This isn't a technical problem, folks :(
| giantg2 wrote:
| "Is it supposed to be secret? My point is that it should
| be public!"
|
| If I have a list of _all_ the agency numbers, then I can
| look for organizations that disbanded and use those
| numbers. Since they could still exist in the book
| (because it wasn 't updated instantly), the other party
| could think you're legitimate.
|
| "There is simply no reason for a newly-started/merged
| police department to be able to unilaterally issue an
| Emergency Data Request, and I say this as a father of
| three young kids."
|
| How so? For the first year of existence they can't issue
| anything because they have to wait for the next book to
| be publish. That's sounds dumb. There's no reason they
| shouldn't be able to issue anything they have the lawful
| authority to do so. Have any support/logic for your claim
| that they have no reason?
|
| "some new and/or newly-merged and/or micro police force
| must surely have their local, regional and national-level
| police forces on speed dial on all their phones. If
| someone is missing and needs to be found quickly, all
| they need to do is pick up the phone and reach out to
| "higher authority" (who can be quickly authenticated,
| because they definitely have been around for decades),
| not start acting like the local heroes."
|
| Um... so how does this higher level authority
| authenticate this lower level authority if they aren't in
| the book we are using for authentication? In some cases,
| jurisdiction can get in the way of the scenario you just
| described. And again, how long are you going to prevent a
| department from doing what they are lawfully allowed to
| do?
|
| "This isn't a technical problem, folks"
|
| Ok, then how do you solve the authentication issues in my
| previous comment? So far your system hasn't addressed
| them.
| verve_rat wrote:
| Yeah, I'm baffled by the idea that the internet is the
| only possible way to convey information about phone
| numbers.
|
| It's not even that we are old enough to have experienced
| looking up a number in a phone book and some people here
| are to young to have that experience. The obvious
| solution to this seemingly unsolvable problem is to print
| some numbers on a piece of paper and post it to each
| company you want to get data from in the future.
| giantg2 wrote:
| So are they issuing a new book every time a
| department/precinct is created, merged, disbanded, or the
| number is otherwise changed? This still doesn't solve the
| issue of authentication of the issuing party since the
| phone location could be unsecured, or the call rerouted.
| rosndo wrote:
| This is a solution that can only be implemented by the
| legislative branch of the federal government. (Very
| unlikely to happen)
|
| The problem is indeed unsolvable by the recipients.
| bleuchase wrote:
| > The statements about this being "unfixable" are utter
| nonsense.
|
| It's not unfixable. It's broken by design.
| sharken wrote:
| Already the part where an EDR can override any safeguards is
| broken.
|
| If it's that important, then you need to design a safer
| system and pay the cost of doing so.
|
| Anything else is leaving the front door wide open for
| hackers.
| hitpointdrew wrote:
| Yup, came here to say this. Look up the number (don't trust any
| number provided in the email, actually go look it up) and pick
| up the phone.
|
| Very effective and simple solution.
| IncRnd wrote:
| The real fix is to require a warrant without these loopholes.
| Judges can be available on a moment's notice for these sorts of
| issues.
| Miner49er wrote:
| Are we sure it's not trivial to fake a warrant?
| stingraycharles wrote:
| All of which makes me wonder, and this being HN, wouldn't
| it make so much sense of law enforcement agencies start
| signing these kind of requests with verifiable public keys?
|
| It seems like such a trivial problem from a technology
| point of view, it makes me believe it's mostly an
| organizational problem.
| ozfive wrote:
| Let's add Blockchain to this so warrants are verifiable
| on a private Blockchain.
| istjohn wrote:
| At the very bottom of the article:
|
| 8<--------------------------------------------
|
| The current situation with fraudulent EDRs illustrates
| the dangers of relying solely on email to process legal
| requests for highly sensitive subscriber data. In July
| 2021, a bipartisan group of U.S. senators introduced new
| legislation to combat the growing use of counterfeit
| court orders by scammers and criminals. The bill calls
| for funding for state and tribal courts to adopt widely
| available digital signature technology that meets
| standards developed by the National Institute of
| Standards and Technology.
|
| "Forged court orders, usually involving copy-and-pasted
| signatures of judges, have been used to authorize illegal
| wiretaps and fraudulently take down legitimate reviews
| and websites by those seeking to conceal negative
| information and past crimes," the lawmakers said in a
| statement introducing their bill.
|
| The Digital Authenticity for Court Orders Act would
| require federal, state and tribal courts to use a digital
| signature for orders authorizing surveillance, domain
| seizures and removal of online content.
|
| 8<--------------------------------------------
| stingraycharles wrote:
| I should have done a better job at reading the article,
| thanks for this.
| verve_rat wrote:
| From the end of the article:
|
| The current situation with fraudulent EDRs illustrates
| the dangers of relying solely on email to process legal
| requests for highly sensitive subscriber data. In July
| 2021, a bipartisan group of U.S. senators introduced new
| legislation to combat the growing use of counterfeit
| court orders by scammers and criminals. The bill calls
| for funding for state and tribal courts to adopt widely
| available digital signature technology that meets
| standards developed by the National Institute of
| Standards and Technology.
| mcbutterbunz wrote:
| I agree that it does seem like a trivial problem that is
| mostly organizational. There are nearly 18,000 police
| departments in the US. Standardizing anything across a
| subset these and getting approval from the judicial
| system just seems like a nightmare.
|
| This seems like one of those issues that is solved only
| when someone is murdered and a law is written after their
| name.
| qbasic_forever wrote:
| Faking a warrant is a felony, perhaps even a federal one
| that would get the FBI involved I assume. You'd have to
| forge an official court document, forge a signature of a
| judge, etc. That has _serious_ consequences and prison time
| vs. faking a "data request" that might be entirely digital
| with no physical document or signatures, etc.
|
| Not saying it can't happen or won't happen, but a criminal
| has to be seriously determined and ready to risk a long
| prison sentence to fake a warrant.
| netizen-936824 wrote:
| Ah yes, the good old "just make crime illegal"
|
| Do people honestly think that's a deterrent for people
| already committing felonies?
| [deleted]
| supercheetah wrote:
| Most criminals aren't thinking about any of that at all.
| Either they're so goal focused, any possible punishments
| don't even cross their mind, or they think they're clever
| enough to not have to worry about it.
| verve_rat wrote:
| From the end of the article:
|
| "Forged court orders, usually involving copy-and-pasted
| signatures of judges, have been used to authorize illegal
| wiretaps and fraudulently take down legitimate reviews
| and websites by those seeking to conceal negative
| information and past crimes," the lawmakers said in a
| statement introducing their bill.
|
| The Digital Authenticity for Court Orders Act would
| require federal, state and tribal courts to use a digital
| signature for orders authorizing surveillance, domain
| seizures and removal of online content.
|
| So yes, people are faking court documents.
| macksd wrote:
| I feel like I've been seeing a lot of comments lately to
| the effect of, "no - that would be illegal!" Yeah, we are
| talking about criminals who are already breaking one law.
| Often criminals who, in the very nature of their crime,
| are hard to identify.
|
| But then, even if they're not overtly breaking the law
| with a simple request for information, debt collectors
| and car warranty salesman are notorious for sending
| letters that will imply they are your financial
| institution, the letter was sent by your account manager,
| etc. IRS impersonators will tell people that jail time is
| imminent. I can imagine someone could create something
| that looks to a non-lawyer (who's afraid and not paying
| attention) like it's basically warrant signed by someone
| who's basically a judge, but just doesn't outright say
| that. You'd still need to verify - hey is this person
| actually a judge, and did this person actually sign that
| as a warrant?
| qbasic_forever wrote:
| Yes, which is why just set the bar at responding to any
| request for any data with "Sorry we do not respond to
| requests for data that aren't court ordered warrants.
| Please come back with a warrant we can verify."
|
| The problem here is that companies have a policy of
| trusting some government email address for little one-
| off, no warrant needed requests. Don't have that policy.
| rosndo wrote:
| > Please come back with a warrant we can verify
|
| The problem is that it might not be easy to verify a real
| warrant, but that's not grounds for noncompliance.
| macksd wrote:
| >> Please come back with a warrant we can verify
|
| Ok. Now how do I verify one, assuming the information in
| this article is accurate?
| qbasic_forever wrote:
| You check the court records. These are easy to find with
| a digital records search, or you call the court clerk.
| The phone number is listed on the warrant. This is not
| hard, but it's not an automated process by design.
| wmf wrote:
| Yeah, it's the same issue. You'd have to call the court
| back to verify the warrant.
| lazyier wrote:
| If it's important enough to issue a warrant then it's
| important enough to have a court official and issuing
| police/judge on call to confirm its validity.
|
| Being able to read back a code to validate the contact is
| all that is enough. It doesn't even have been
| complicated.
|
| If they can't be bothered to answer the phone then it's
| not important.
| chipsa wrote:
| How do you give them a call? Info given on the warrant?
| Which is fake? And so they fake the call back info?
| otterley wrote:
| The court's own website usually has contact information
| that can be independently verified. This isn't that
| difficult a problem to solve.
| sodality2 wrote:
| Do courts all have domains under a government subdomain?
| willcipriano wrote:
| All the courts that would issue these types of warrants
| will be easy to find. This isn't the sort of thing you do
| over a traffic ticket or shoplifting. It's not the court
| you go to when your neighbor owes you fifty bucks. These
| are murder and kidnapping cases. The people processing
| these warrants today are likely already on a first name
| basis with the clerks of these courts.
|
| Think about it, how do you validate any court order? Why
| is this only a problem now? I think it's beacuse they
| want to side step the judicial oversight process. Keep
| that intact, as the constitution requires, and this issue
| disappears.
| chipsa wrote:
| Local-ish courthouse for me only has a contact info for
| regular business hours. So if not in business hours, then
| what? There's ~3200 counties (or equivalent) in the US.
| There's no way to be on a first name basis with the
| clerks of each county courthouse, let alone if you have a
| big county with multiple different types of courts.
|
| As for how you validate court orders now? You largely
| don't. That's why it's possible to use fake court orders
| to take down true but unpleasant information:
| https://www.cnet.com/news/privacy/forged-court-papers-
| are-be...
| otterley wrote:
| Is being unable to independently verify a request for
| information or a warrant a real problem, or are you just
| making up problems that may not actually exist?
|
| Let's stick to reality, folks.
|
| If you have ever received a demand from a court that you
| couldn't verify the authenticity of, I'd like to hear
| from you.
| willcipriano wrote:
| Your local courthouse may not even do jury trials. It
| doesn't do the sort of cases that require 3AM emergency
| warrants. If it's that important it can go in front of a
| district or federal judge, otherwise it can wait for
| business hours.
|
| Local police departments don't need the ability to engage
| a global surveillance apperatus at the drop of a hat.
| Stuff like that can be ran up the chain first.
| rosndo wrote:
| > It doesn't do the sort of cases that require 3AM
| emergency warrants
|
| You will be in trouble if you ignore a real warrant on
| this basis.
|
| Your lawyers will probably tell you that it's better to
| just take the risk of possibly complying with a fake
| warrant.
| willcipriano wrote:
| Who would you even give the data to if they are closed?
| Fax it over the the courthouse if you are concerned, or
| tell them it's at your location ready for pickup. If they
| are legit that won't be a problem.
| otterley wrote:
| The data is collected by the LEO, not the court. But yes,
| you can fax it to the law enforcement office, whose
| number should also be independently verifiable.
| kenniskrag wrote:
| Do not forget that it is world wide. The gov has next to
| a signature a feature called apostille.
| [deleted]
| salawat wrote:
| They do not! And you'll be surprised how tricky it is to
| find local/state courts as someone with non-regular
| contact with the legal system.
|
| Even more fun would be the process of jurisdictional
| verification. All of which I'm sure the "Officers" would
| be more than happy to leave you be with your electronics
| and whatnot long enough to verify, right?
|
| Longer I'm alive, the more insane our system seems to me
| on a daily basis. Not sure if it's just cognitive decline
| or rapidly amplified cynicism as I dig into the
| signalling nightmare that is the interface between the
| executive and the judiciary system.
| otterley wrote:
| > And you'll be surprised how tricky it is to find
| local/state courts as someone with non-regular contact
| with the legal system.
|
| Name one court that signs warrants to service providers
| that can't be verified by spending 5 minutes doing some
| basic research, or that has a LEO office serving such
| warrants that also can't be verified.
| IncRnd wrote:
| People were able to do this for years prior to Google's
| existence. I'm sure a social media company can determine
| how to find a court without Google.
| grepfru_it wrote:
| Every court has a phone number, you can lookup the court
| independently and call the main line to get routed to the
| appropriate party
| verve_rat wrote:
| Use a phone book?
| AviationAtom wrote:
| I think the article kind of hit on a good system:
|
| - FBI is CA?
|
| -- Issues hardware PKI to local departments
|
| --- Only PKI-signed EDRs are processed without manual phone
| verification
| wmf wrote:
| Then local cops with poor security get hacked...
| Polycryptus wrote:
| This could work for domestic requests, but the one example of
| this I've seen in the wild (and this was mentioned in the
| original post) involved a request (supposedly) coming from
| police internationally. Though, requests from foreign police
| are more likely to be handled with scrutiny, so maybe forcing
| more manual verification (and identification of the proper
| process in the first place) aren't bad things.
| mrmanner wrote:
| It could also be "fixed" by deciding that the risks associated
| with government not getting data that could help stop an
| ongoing crime is less severe than the risks associated with
| these data leaks.
| sbarre wrote:
| Who makes that decision?
| lazyier wrote:
| Us. By not using shitty systems to host our data as well as
| actively combatting laws and regulations that require
| backdoors or cross-platform compatibility.
|
| I don't want my conversations to be "cross-platform
| compatible" with Facebook. Thank you very much.
| mrmanner wrote:
| The lawmaker or the voters, depending on how you look at
| things.
| verve_rat wrote:
| And also the companies in question. They are responding
| to non warrant requests. As I understand it there is not
| legal obligation to do anything on their part.
|
| It is a public perception thing. The companies (probably
| rightly) think the public will react badly to headlines
| about "Little kidnapped girl could have been saved by
| Google, but they didn't care" more so than the current
| article we are discussing.
| diamondo25 wrote:
| Require PGP signed requests, and you should have more
| guarantee?
| jandrese wrote:
| How do you verify the PGP key for a random LEO? The web of
| trust is a total failure for general use verification, it
| only solves the special ultra-paranoid use case.
|
| Key distribution has always been the weak point of PGP.
| EricE wrote:
| DHS already has a portal LEOs use to collaborate - would be
| pretty easy to set up something at the federal level - if
| there was the will.
| est31 wrote:
| Government institutions are some of the best places where
| centralized certificate handling/signing infrastructures
| shine.
| jandrese wrote:
| And yet it's basically impossible to get a government
| organization to sign emails except internally using MS
| Exchange's encrypted email support.
| ryukafalz wrote:
| You would use something like WKD and not the web of trust.
| https://wiki.gnupg.org/WKD
| g_p wrote:
| The problem would be establishing a web of trust of which PGP
| keys are valid, who still is "law enforcement", and whether
| they're on gardening leave or have retired etc.
|
| There's too many (US) law enforcement bodies to make a
| centralised system work, as you'd need to get a certificate
| authority managing every individual officer's status for
| every one of these (small and large) agencies, and handle
| onboarding and offboarding.
|
| In other countries there are more formal structures for these
| request through verifiable channels, with standard operating
| procedures in place.
|
| The question is whether the companies are adopting a lowest
| common denominator model (a false but assumed valid US
| request can request any user's data) or not, as that might
| start to make it a more global concern, and get it on
| European data protection regulators' radars.
| technofiend wrote:
| There is already a FedPKI and it's already the Department
| of Justice's job to track law enforcement, is it not?
| SkittyDog wrote:
| No, I don't believe it's the DoJ's job to track law
| enforcement. There is some Federal-level recordkeeping of
| crime statistics... training... intelligence sharing.
|
| Could you explain what you mean, or give some examples?
| tehwebguy wrote:
| This would be a good step.
|
| Others have brought up problems with this but another one is
| that companies get _paid_ by police agencies to provide these
| data in response to records requests, they are incentivized to
| not rate-limit these responses.
| verve_rat wrote:
| How much are they paid? It seems unlikely that they get
| enough income to cover a department dedicated to this
| processing, let alone make significant money out of it.
| rosndo wrote:
| Haha.
|
| It's also trivial to create a fake police department in some
| small town, set up google maps entry etc...
|
| What then? What about when you operate internationally and have
| to accept requests from 100+ jurisdictions?
| Apocryphon wrote:
| Ah, the fake blade runner station in _Do Androids Dream of
| Electric Sheep?_
| jelly wrote:
| It's not trivial. But regardless, you're saying the hacker
| should submit data to Google and also answer a telephone
| call, both of which increase the risk of getting caught
| later. The aim should be to stop or mitigate the misuse of
| EDRs, not to cure the underlying problem of social
| engineering.
| coospep wrote:
| The people discussed in this article are absolutely capable
| and willing to pick up phone calls.
| djmips wrote:
| Well maybe not 14 year old British kids. Not until they
| come up with better real-time voice synthesis.
| comrh wrote:
| Get the police department phone number from the town's
| government and not google maps.
| rosndo wrote:
| And how do you identify the real government for some small
| town? There are many that don't even have websites.
|
| Contact the state government to ask? There's a good chance
| nobody will be able to provide the answers you seek on
| short notice.
| BolexNOLA wrote:
| If you're in a community that's so small it has _no_
| online presence for their government, then chances are
| you already know who to call anyway.
| rosndo wrote:
| I'm really confused as to how this relates to what is
| being discussed here.
| BolexNOLA wrote:
| >And how do you identify the real government for some
| small town? There are many that don't even have websites.
|
| This was the question I responded to. I'm not sure how
| else to explain it?
| coospep wrote:
| We are talking about fake law enforcement requests sent
| to big internet companies. Do you think these bigcos have
| presence in McMullen, AL?
| voxic11 wrote:
| So google gets one of these requests and supposedly its
| from a police force in a small town that has no
| government website. How do they know who to call to
| confirm?
| rootusrootus wrote:
| County? State? I would argue that this should be the
| method anyway. Start from the lowest level of known
| authentic bureaucracy and then work down from there until
| you reach a legitimate city government representative. I
| don't think website is an ideal method in any case.
| rosndo wrote:
| So your solution is to get rid of speedy emergency
| requests entirely?
|
| Sounds like you're just repeating the point that
| authenticating these requests is impossible, as that
| authentication would have to happen fast.
|
| And then you need to do this internationally. What will
| you do? Contact the embassy? Suddenly your authentication
| process could take months, which is a problem if you're
| legally required to comply sooner than that.
| BolexNOLA wrote:
| >So your solution is to get rid of speedy emergency
| requests entirely?
|
| Who said that?
| coospep wrote:
| That's the implication. A lengthy verification process
| makes speedy processing of requests impossible.
| BolexNOLA wrote:
| A fake subpoena is not a home invasion. It's not like
| seconds matter.
| coospep wrote:
| Until you get in trouble for not complying with a real
| one.
|
| Worst case scenario is probably a horrible PR disaster
| after a child dies because you couldn't process a real
| request fast enough.
|
| And we're not talking about seconds, but easily days or
| weeks.
| BolexNOLA wrote:
| You think this is something someone can't figure out in a
| matter of weeks?
| coospep wrote:
| BolexNOLA wrote:
| >Sorry, but this isn't your first comment demonstrating
| severe struggles with reading comprehension.
|
| This isn't reddit, you can't talk to people like that
| here. I'm not engaging this further.
|
| https://news.ycombinator.com/newsguidelines.html
| coospep wrote:
| throwawayboise wrote:
| For some problems, there is no good solution.
| coospep wrote:
| That's my point. The OP "riskable" claimed the opposite
| though.
| novok wrote:
| Nope, but for cities to be prepared for such emergencies
| before hand by completing some basics of bureaucracy by
| being properly authenticated, much like you expect a city
| fire department to have some fire trucks purchased
| already instead of expecting to purchase one in seconds
| when they need one from the dealership 1000 miles away.
| coospep wrote:
| Yeah, of course the federal government could legislate
| this problem away. Not gonna happen though.
|
| It is literally impossible for request recipients to
| solve this problem.
| rootusrootus wrote:
| > It is literally impossible for request recipients to
| solve this problem.
|
| This I agree with. I'm trying to find the actual text of
| the law, I'm surprised the government isn't pretty
| specific about what constitutes a valid EDR, who can send
| them, etc. Bureaucrats love to write rules.
| novok wrote:
| From the article, I couldn't see what actually compelled
| the need to comply with an "EDR". From what I could see,
| they were not actual warrants or subpoenas that legally
| compelled performance, they were requests. They do it out
| of not wanting to have bad PR in case it was real,
| because the consequences for a screw up are pretty much
| nil.
|
| The end solution is either an authentication scheme, a
| $1000 rush processing fee that includes a verification
| process and the requirement to call it in (It is an
| emergency, isn't it? Emergencies do not happen often, so
| what is $1000 to an american organization funded by
| taxpayer dollars?) or E2E encryption that makes it they
| can't give data.
|
| Another thing about the $1000 fee, is you get to see the
| payment information about the account it comes from, and
| you can further require it comes from a government
| account which matches the requesting organization. Thanks
| to governments being very gung ho about their financial
| surveillance infrastructure being a hard requirement for
| almost everything now.
| rootusrootus wrote:
| > So your solution is to get rid of speedy emergency
| requests entirely?
|
| No?
|
| Anecdotally, from what we are reading today, a typical
| EDR response time is on the order of an hour. So while
| someone on my team is gathering the requested data,
| someone else is doing the verification.
|
| > Sounds like you're just repeating the point that
| authenticating these requests is impossible, as that
| authentication would have to happen fast.
|
| If anything, I'm implying that if the government mandates
| that EDRs exist, they should have to back it up with
| someone to handle authentication. A phone number at the
| state level would do the trick.
|
| > And then you need to do this internationally. What will
| you do?
|
| First I'd have to be convinced why I should do this in
| every jurisdiction, why that jurisdiction would have
| access to customer data from other jurisdictions, etc.
|
| Sounds like you're saying the problem is that the
| government is mandating things and providing no rules
| about how it should work. That seems like such an un-
| government-like thing to do, they usually get weirdly
| specific.
| logifail wrote:
| > if the government mandates that EDRs exist
|
| Q: _Is_ government mandating this? At what level?
|
| ...and if so, why?
| rootusrootus wrote:
| Well, I assumed that the only reason anybody was
| complying with an EDR was because there was a law
| mandating they do so. Otherwise, why aren't they just
| dropping these requests in the trash?
| coospep wrote:
| > So while someone on my team is gathering the requested
| data, someone else is doing the verification
|
| The whole point is that verification will take much
| longer than hours.
|
| > Sounds like you're saying the problem is that the
| government is mandating things and providing no rules
| about how it should work. That seems like such an un-
| government-like thing to do, they usually get weirdly
| specific.
|
| The government is very specific when it comes to what is
| required of you. The government is not very specific when
| it comes to what is required of the government.
| logifail wrote:
| > The whole point is that verification will take much
| longer than hours.
|
| How can it take _longer than hours_ to reach the actual
| police department in $someSmallTown, USA ?
|
| $Deity forbid you actually happen to live in
| $someSmallTown and need the police in a hurry...
| coospep wrote:
| $someSmallTown might not even have a police department,
| how are you supposed to find out if the only one that
| comes up on the internet is fake?
| [deleted]
| giantg2 wrote:
| Research the village constables in Alaska. There are also
| small towns that have only part time police forces. This
| sort of stuff really isn't uncommon.
| l33t2328 wrote:
| The secretary of state for that state can provide that
| information.
| coospep wrote:
| If you give them days, weeks or perhaps months to come up
| with a response. Sure.
|
| Not going to work internationally anyway.
| verve_rat wrote:
| You are being intentionally argumentative, and not in a
| devil's advocate, let's explore all the consequences of
| the topic at hand kind of way.
|
| You are engaging in bad faith, please stop it.
| BolexNOLA wrote:
| His account is just a couple of hours old. I'm guessing
| he stumbled across HN and just had some axe to grind.
| cortesoft wrote:
| Only in the United States. There are almost two hundred
| countries in the world. What if the request comes in from
| Kiribati?
| verve_rat wrote:
| Are the white pages a thing in the States?
|
| I mean I want to call some entity in the US that doesn't
| have its number on a website, how do I do that now in a
| non emergency situation? Is there any reason that
| wouldn't work in an emergency?
|
| This doesn't seem like an actual problem anyone has ever
| had.
| 3np wrote:
| Somehow there were ways to get this done before websites
| existed. I do not believe that those channels for
| government no longer exist. If they choose to make
| themselves impossible to locate offline, this is on them.
| If all else fails, government-to-government should still
| be viable, and then the local government will take it
| from there.
| astura wrote:
| I'm not sure there was ever much verifying before
| websites existed. Just less fraud.
|
| Back in the NES days Tengen called the United States
| Copyright Office and told them they needed the technical
| details of the NES lockout chip to defend themselves in a
| copyright lawsuit. The Copyright Office faxed over the
| requested information. Except it was social engineering,
| there was no copyright lawsuit. Tengen used that
| proprietary information to build their own cartridges
| without paying the NES licences costs.
| coospep wrote:
| > Somehow there were ways to get this done before
| websites existed
|
| Ah yeah, because fake subpoenas didn't work before the
| internet existed?
|
| > I do not believe that those channels for government no
| longer exist. If they choose to make themselves
| impossible to locate offline, this is on them.
|
| Who says they ever existed? Back in the pre-internet days
| the situation was just worse.
|
| Even the federal government can't manage this, just look
| at misissuances of .gov domain names.
| jltsiren wrote:
| Contacting the state government should be the right
| choice (but it may not be in practice). In many
| countries, every public official has the legal duty to
| direct you to the relevant authority if you contact them
| with matters outside their duties. That's a sensible
| requirement, because citizens should not have to be
| familiar with the internal administrative structures of
| government agencies.
| logifail wrote:
| > And how do you identify the real government for some
| small town? There are many that don't even have websites
|
| (Sorry to have to ask) but are there [m]any towns in the
| USA without telephones?
| rosndo wrote:
| Where do you intend to find the numbers to call?
|
| There are towns in the US where the local government
| consists only of a couple of people who may only do local
| government work for a few hours a week.
|
| There are towns with essentially no online presence, you
| could easily create your own fake local government,
| police and whatever you'd like.
| voxic11 wrote:
| So every major technology company will need to figure out
| the real contact details of every town government (how do
| you propose they will they do this?) and then when they
| receive one of these "life or death situation, you must
| respond immediately" requests they are supposed to call up
| the town, get the number for the police department in the
| town (hopefully the police department isn't shared between
| multiple towns or this could get confusing) and then call
| up the police department to confirm that they are the ones
| who sent the request?
|
| I guess I don't see the value the town government contact
| details is providing here. If you have some way of figuring
| out the real contact details for every town why wouldn't
| that same mechanism work for figuring out the real contact
| details of every police department?
| R0b0t1 wrote:
| Yes? Tech companies don't have to do arbitrary things for
| whoever calls up. The court or law enforcement official
| has to convince you they are real and that they have a
| warrant.
| coospep wrote:
| Try refusing to comply with a real warrant because you
| aren't convinced that it's real. You will go to jail.
|
| Turns out the government actually has no duty to convince
| you, locking you up tends to be convincing enough.
| R0b0t1 wrote:
| They'll lose their case if all they did was call you and
| make a demand. Expecting them to show up in person in
| some capacity and show you the paperwork is fully
| reasonable. For a while they mostly operated with letters
| and sometimes registered mail but that can be faked also.
|
| Look, if you want to preserve your rights you've gotta
| stand up for them.
| mywittyname wrote:
| Someone will sell this information. West Law / Lexis
| Nexis already provide a lot of this kind of thing
| (contact info for judges and people in various government
| agencies).
| voxic11 wrote:
| I wasn't able to find this information on West Law or
| Lexis Nexis, do you know what term they use to describe
| this category of information?
| mywittyname wrote:
| Try Judicial Profile.
| tiahura wrote:
| Accurint
| joelkevinjones wrote:
| In the United States, does <area code> 555-1212 not work
| anymore? It certainly seems to:
| https://www.businessinsider.com/555-phone-number-tv-
| movies-t... https://www.nationalnanpa.com/number_resource
| _info/555_numbe...
| jahewson wrote:
| Create a fake small town?
| idontwantthis wrote:
| https://en.wikipedia.org/wiki/Agloe,_New_York
| baxtr wrote:
| Absolutely. This is "just" another control measure that needs
| to be (a) made aware of (b) implemented stringently throughout
| organizations.
|
| Most people don't realize how boring cyber prevention often is.
| indymike wrote:
| This one is easy. Require a warrant.
| exabrial wrote:
| Ah stole a move from Politicians and fake emergency powers
| rootusrootus wrote:
| Trying to find more information about Emergency Data Requests
| leads in large part right back to this discussion and the
| original Brian Krebs post, with a few hits to various private
| organizations that explain what it takes to use an Emergency Data
| Request with them.
|
| I'm having trouble finding any basis for this in law. Can anyone
| help clarify that? Are EDRs just 100% voluntary compliance on the
| part of some private organizations who are choosing to divulge
| customer information without an actual court order?
|
| If that's the case, why are we lamenting the existence of the
| hackers and not publicly shaming the companies complying with
| these nonsense EDRs? Real court orders aren't _that_ hard to get,
| and at least there 'd be a more blatant crime to prosecute if
| anyone forges them.
| therein wrote:
| This is hilarious. That email with Vinny Troia, and fast-flux...
| I received that email at my previous employer. We had a good
| laugh about it with our security team at the time.
| TeeMassive wrote:
| Great, the privacy equivalent of swatting.
| darig wrote:
| throwbigdata wrote:
| If only there were a way to cryptographically verify such things.
| ibejoeb wrote:
| This bill was introduced last summer:
| https://www.wyden.senate.gov/imo/media/doc/The%20Digital%20A...
| rootusrootus wrote:
| Every time I start to feel despondent about the state of the
| US Congress, I remember that Wyden exists, and I feel a
| twinge of hope.
| Avamander wrote:
| Let's hope what was proposed comes to fruition while
| remaining interoperable with the EU.
|
| It would be such a "two steps forward, one step back"-move if
| it doesn't.
| vimax wrote:
| Right. There should be agency run certificate authorities for
| this. One to issue certificates to law enforcement, and one to
| issue certificates to judges
|
| A valid warrant would include the intended judge and be signed
| by the department and the issuing officer before going to the
| judge, then signed by that judge's cert to be authorized.
| Avamander wrote:
| And such an approach would absolutely work, at least one
| country has used PKI for such purposes for almost more a
| decade.
|
| This attack vector from the article? Unheard of clownery.
| tiahura wrote:
| I've been doing a fair amount of subpoenaing phone records
| lately.
|
| It does seem like AT&T, for example, just sends the records
| (late) without any sort of verification.
| avs733 wrote:
| because there is no incentivization not to.
| tiahura wrote:
| Absolutely. However, if anyone is harmed by a bogus subpoena
| request, please give me a call because I need a new car.
| bhk wrote:
| But Apple says "Any government agency seeking customer content
| from Apple must obtain a search warrant issued upon a showing of
| probable cause." So what's up?
| rnk wrote:
| I doubt the public is aware of the very large number of different
| electronic requests for their information, and how many can be
| faked, from dmca takedowns to these fake emergency data requests
| to requests from the feds for your email etc in the name of
| 'national security'. Somehow we need to get this out there
| better, and get more lawmakers aware. It's doubtful in my
| lifetime that the addiction of law enforcement to these easy
| electronic requests will cease.
|
| The fact that such requests can't really be authenticated
| reliably without a human in the loop (because as Krebs says, you
| can just create real email accounts on the police dept email
| server) and there are so many of them is terrifying. You could
| put our entire society (in the us) into chaos just be pushing
| this more and more until our law enforcement is just overwhelmed.
| If we were in a war with Russia or China, why wouldn't they do
| that?
| woah wrote:
| > You could put our entire society (in the us) into chaos just
| be pushing this more and more until our law enforcement is just
| overwhelmed.
|
| What? If the attack you describe was going on, there would be a
| very simple remedy: Stop requiring people to comply with
| possibly-false subpoenas.
| freeone3000 wrote:
| This would require police departments to give up their power
| to illegally obtain information. I'm not going to hold my
| breath.
___________________________________________________________________
(page generated 2022-03-29 23:00 UTC)