[HN Gopher] Dangerous Gift
___________________________________________________________________
Dangerous Gift
Author : rdpintqogeogsaa
Score : 286 points
Date : 2022-06-03 15:25 UTC (7 hours ago)
(HTM) web link (www.tbray.org)
(TXT) w3m dump (www.tbray.org)
| quartz wrote:
| This is true of crypto wallets and NFTs as well. More than one
| project has attempted to send NFTs or assets to high profile
| wallets (ex: trillions of dog-coins sent to Vitalik's wallet that
| he ultimately donated to get rid of but not before drawing the
| intended media attention[1]) and the whole concept of airdrops is
| based around the idea of permissionless receiving.
|
| Unfortunately, re: swatting via an non-tech-savy LEA and domain
| registrars: you could likely just update the contact details on a
| domain you own to the intended target and that'd probably be
| enough.
|
| [1] https://www.coindesk.com/markets/2021/10/20/vitalik-
| buterin-...
| TremendousJudge wrote:
| The NFT can also be a program that when you try to move the
| token or interact with it in any way, it can do things such as
| transferring funds to another wallet.
| pcthrowaway wrote:
| There is no way this would work without approving the NFT
| contract to spend your tokens.
|
| Realistically, lots of people would do this because the
| complexity of blockchain tech is beyond most peoples' grasp,
| but there is a reasonable failsafe at least.
| TremendousJudge wrote:
| afaik it's already been done:
| https://bitcoinist.com/hackers-are-now-trying-to-steal-
| crypt...
| pcthrowaway wrote:
| > The source of the problem was not just the NFT and the
| airdrop. However, by releasing an NFT to a victim, they
| will see it. Then, there comes a follow-up message that
| demands a signature for connecting to a wallet. >
| Furthermore, a prompting request for a secondary
| signature will come up. If the user accepts it, the
| hackers will access the unsuspecting user's wallet and
| funds.
|
| This is light on details, but as I said, the only way
| another address can spend a users tokens is if the victim
| address approves it (or if the token is not ERC20
| conforming). This approval might be what the article
| refers to here as signatures.
|
| Alternately, this attack could somehow get a user to
| reveal their private key, in which case, of course an
| attacker has access to their funds.
| [deleted]
| WalterSear wrote:
| A while ago I read an amusing tweet about some person
| airdropping racist NFTs on people, that were then automagically
| displayed as their avatars.
| jonny_eh wrote:
| Also true of text messages and email, which can include
| unsavory content.
| simonw wrote:
| Text messages and email are different because they're
| private: if someone sends you an abusive text only you can
| see it.
|
| The problem with NFT wallets is that you can send someone
| something which will then be publicly visible and associated
| with them, without their consent.
| munificent wrote:
| _> Text messages and email are different because they 're
| private: if someone sends you an abusive text only you can
| see it._
|
| https://en.wikipedia.org/wiki/PRISM
| soco wrote:
| PRISM is not even needed, a warrant is often enough (and
| sometimes only pressure).
| PaulDavisThe1st wrote:
| No, text messages and email are different because they
| contain implicit sender/origination information, which even
| if fake, shows that the material in the messages _comes
| from someone else_.
|
| Domain ownership does not have this property. "WhoUsedToBe"
| is not a well-known database.
| Animats wrote:
| > non-tech-savy LEA
|
| Yes. Someone owns the location that's the "center of the United
| States" for broken IP address lookups. MaxMind gave 38 north,
| 97 west as the default location for 600 million IP addresses.
| It's a farm in Kansas.[1] MaxMind did that for 14 years. The
| farm was regularly visited by law enforcement, looking for
| various people.
|
| [1]
| https://web.archive.org/web/20160817013603/http://fusion.net...
| bragr wrote:
| I believe MaxMind finally updated the default US location
| into the middle of nearby lake to help stop this issue. How
| long it takes everyone to update their GeoIP DBs.... who can
| say?
|
| edit:
|
| >Following Hill's extraordinary piece in Fusion, MaxMind
| shifted its default "United States" location to the center of
| a lake, west of Wichita.
|
| https://archive.ph/i6gao
| wildrhythms wrote:
| Wow this was a great (and terrifying) article. I feel like
| companies like MaxMind shouldn't be allowed to just advertise
| a pin on a map and point queries for IP addresses to it. Why
| even have a "default" latitude and longitude? Just return
| null. Just terrible, irresponsible, dangerous behavior.
| duxup wrote:
| This feels plausible but if someone wanted to SWAT someone ...
| there's probably other / likely easier ways to do it.
|
| Having to registrar a domain, come up with some content, or just
| point the domain at some content ... then transfer it ... and
| then make a big deal out of it (getting attention is hard) and
| hoping nobody notices the easy to prove explanation that "someone
| transferred this to me" ... and avoiding getting caught seems
| like a big ordeal.
|
| The story here is "hey random guy also hosts horrible stuff at
| his domain that he registered in his own name ... well he did".
| Maybe some folks run with that, but I'm not so so sure.
|
| The mechanism here seems "easy" on the surface, but actually
| rather complicated, and odds of success seems low.
| ghaff wrote:
| I tend to agree. There are certainly potential bad outcomes but
| a lot of it boils down to SWATing and there are almost
| certainly easier and less traceable ways to SWAT someone. And
| getting attention on Twitter or whatnot presumably means
| getting the attention of people who can quickly determine that
| something is amiss.
|
| ADDED: While this process should probably be fixed in this
| case, at the end of the day, there's probably no foolproof way
| to keep people from sending you illegal stuff in either the
| physical or digital world in general.
| zitterbewegung wrote:
| SWATing someone generally involves two things.
|
| 1. Somehow you get the IP address of the target maybe by
| playing a game with them (which can be p2p) or some other way
| of getting the IP address and then geolocating (this can
| partially be avoided by using a VPN 2. If someone is live-
| streaming outside in the real world you recognize where the
| person is.
|
| I haven't heard of someone being SWATed by a nefarious actor
| inside a company and never really a domain probably because you
| either purchased some protection plan to avoid spam so that if
| someone looks you up on the domain they won't find any
| information and also most people don't self host things using
| their own domain.
|
| With that said that doesn't mean it is impossible to occur. For
| example Krebs on security has had SWATing attempts due to the
| content he posts. If you aren't live-streaming video games or
| doing IRL posts and or not reporting on bad actors you should
| consider other things to worry about.
| Beltalowda wrote:
| > SWATing someone generally involves two things.
|
| A third requirement is living in a country with an
| overaggressive police force with more guns than some they
| know what to do with ready to shoot your dog or anything else
| that moves.
|
| Not that it doesn't make sense to consider this situation
| when designing systems such as domain transfers, but this is
| the "Real Problem"(tm) IMO.
| formerkrogemp wrote:
| Just a friendly reminder that there are approximately 120
| guns to 100 people in the US. That are registered.
| vkou wrote:
| Which makes no-knock police home invasions even more
| baffling, as a policy.
| SahAssar wrote:
| > IP address and then geolocating
|
| IP geolocation is not anywhere near precise enough to get you
| an address. It can give you a best-guess as to what city you
| are in (and even that is a guess), but not much better. If
| you aim to swat someone and you only know the IP you would
| contact the police who would contact the ISP to get your
| address connected to the internet subscription.
| zitterbewegung wrote:
| Yea, I should have probably indicated that you have to do a
| bit more of open source intelligence to get people's
| locations.
| [deleted]
| bombcar wrote:
| Was this a "privacy protected domain"?
|
| Because if you look at GoDaddy (probably R) domains that are
| "privacy protected" you see the registrant is _actually_ "Domains
| By Proxy, LLC" and switching _that_ domain to another GoDaddy
| account would be _invisible_ on the whois system.
| dotBen wrote:
| But you can elect not to have your domain privacy protected.
| And if a bad actor is trying to grief another person they could
| list out their entire address, email, phone etc in the public
| WHOIS then transfer it over to them to create the "ultimate
| smoking gun".
| albert_e wrote:
| This does not seem to be an option for some of the newer
| (cheaper) domains like .link and .click
|
| There are available for $5 per year but need to publicly show
| your details
| Bytewave81 wrote:
| That's to the public whois system, sure. But LEAs could still
| obtain court orders to get the actual contact information for
| the domain owner; registrars are legally mandated to maintain
| that information, and customers are expected to keep that up to
| date.
| bombcar wrote:
| Yeah, it's just that they _probably_ aren 't doing anything
| against the rules since the "technical" registrant never
| changed.
|
| It's still a silly setup - but then again, we have the same
| thing in banking - I could send you funds if I know your
| routing and ACH number (which is available on any of your
| checks, etc). So if I were a big crime lord I could randomly
| send money directly to people I didn't like so they'd go down
| with me.
| gigel82 wrote:
| This reminds me of how Apple (and likely Google at some point)
| scans all your photos for "illegal content" and how the defaults
| are set up:
|
| * WhatsApp will accept incoming messages from accounts not in
| your contacts
|
| * WhatsApp will save all incoming photos to your library
|
| * iCloud will upload all photos in your library to the cloud
|
| Scary stuff.
| zaik wrote:
| Does WhatsApp download media from strangers?
| Operyl wrote:
| In group chats it appears to.
| bsnal wrote:
| Apple chose not to scan photos, at least for now.
| jonny_eh wrote:
| Wasn't that just scanning on the phone? Don't they already
| scan photos uploaded to iCloud?
| corrral wrote:
| _Every_ cloud service scans media uploaded to them.
| jonny_eh wrote:
| Right, but people are asserting that Apple doesn't scan
| personal photos, which is false for most iPhone users.
| [deleted]
| choxi wrote:
| Apple didn't end up rolling out the CSAM scanning, but a new EU
| law might require them to:
| https://9to5mac.com/2022/05/11/apples-csam-troubles-may-be-b...
| capableweb wrote:
| Worth noting that the "new EU law" has just been proposed,
| not accepted nor ratified. It's not too late to stop it from
| actually going through.
| sneak wrote:
| Apple did roll out the technical infrastructure, including
| clientside code, and still intends to enable it.
|
| Nothing significant has changed.
| praptak wrote:
| Accepting any picture from a stranger seems scary (see Pegasus
| spyware analysis).
| abcd_f wrote:
| Tangentially related, but we stepped on a rake by forwarding spam
| and malware emails to abuse@outlook.com.
|
| These morons got our poor mail server blacklisted in some super-
| exotic way that required several days of escalations to sort out.
| Moreover, they did it more than once, several months apart, each
| time causing a week of non-deliverability problems, and it took
| us a damn long while to add 1 and 1 to see why it was happening.
| Stopped reporting the abuse to them after that and all is good
| now.
| mrandish wrote:
| If you want to get ICANN to fix this vulnerability, you could fix
| it:
|
| A. The Proper Way: Find the right person at ICANN, send letters,
| follow-up, and hope they understand and prioritize the issue so
| it's addressed in some number of years.
|
| or
|
| B. The Fast Way: Register a funny yet embarrassing domain name,
| transfer it to a senior ICANN official, tweet to some journalists
| idle speculation wondering why this person has such a domain
| name. The vulnerability will be addressed ASAP. :-)
| darig wrote:
| snowwrestler wrote:
| The senior ICANN official would need to already own at least
| one domain at that (unnamed as yet) registrar for the transfer
| to be possible.
| [deleted]
| linkdd wrote:
| B. And then get in trouble (or sued) for diffamation once we
| discover that the domain was initially registered by you.
|
| EDIT: Being downvoted because I'm against public shaming, way
| to go HN! Go on, downvote me.
| loceng wrote:
| If there isn't 1) intent for defamation, and 2) identifiable
| damages (monetary) then there's no viable lawsuit; and
| arguably any reputation "damage" is deserved if the
| organization they're in charge of allowed this to happen so
| easily.
| roflyear wrote:
| There doesn't have to be those things to make your life
| hell, at least not in the US. There just has to be enough
| of an argument where a judge will be OK with bringing it to
| court - and even if he isn't OK with it, you'll still have
| tons of lawyer fees to deal with.
| linkdd wrote:
| Either way, I think it's irresponsible to target a random
| employee and throw journalists at him.
|
| No, nobody deserves "reputation damage" for the misbehavior
| of their company (and here, the one at fault is another
| company).
| loceng wrote:
| I mean, what kind of domain name are you imagining is
| being registered and transferred to them? I'm imagining
| something relatively mundane but funny.
| linkdd wrote:
| The domain name must be paid by someone. After the
| transfer, if the employee is not up to date with their
| inbox, they may end up paying for something they did not
| consent.
|
| Is there really no legal basis to sue someone because of
| this? Is that clearly not malicious behavior from the one
| who transferred the domain?
|
| The domain could be haha.com it would not matter.
| loceng wrote:
| You're responsible for checking your credit card for
| fraudulent charges, too.
| linkdd wrote:
| And if you're responsible for fraudulent charges on
| someone else's credit card, you can get into a lot of
| troubles.
| alexeldeib wrote:
| There are technical ways to avoid that, I suspect. Paying
| Njalla with monero comes to mind.
| ev1 wrote:
| The point of it is same-registrar push not requiring a
| confirmation: you can't do this with Njalla bc they
| probably don't use Njalla.
| samatman wrote:
| When I saw "funny yet embarrassing" I pictured something like
| rewrite-the-internet-in-Qbasic.com, creating grounds for a
| lawsuit is completely optional.
| bena wrote:
| This feels a lot like complaining anyone can send you mail. I can
| send anyone anything provided I know their name and address. Even
| illicit materials. Or illegal materials. I don't even have to
| provide my real name. Or address. I can make it look like anyone
| is a criminal. Muahahahaha.
|
| Did they reset the DNS information? Because that's all that's
| really needed to prevent the sort of weird malicious behavior
| he's describing.
| benjaminwootton wrote:
| You normally have to click to accept an inbound transferred
| domain.
| ianbutler wrote:
| Just did this at another well known registrar, two clicks and my
| friend transferred 8 domains to me without much in the way of
| checks. Crazy to think of but here we are.
| [deleted]
| neves wrote:
| No reason to worry. After this page topped HN all the SWAT teams
| will be overwhelmed and when they get to your house in 10 years
| you probably will already have moved.
| gwern wrote:
| https://www.schneier.com/blog/archives/2008/03/the_security_...
|
| 'Uncle Milton Industries has been selling ant farms to children
| since 1956. Some years ago, I remember opening one up with a
| friend. There were no actual ants included in the box. Instead,
| there was a card that you filled in with your address, and the
| company would mail you some ants. My friend expressed surprise
| that you could get ants sent to you in the mail.
|
| I replied: "What's really interesting is that these people will
| send a tube of live ants to anyone you tell them to."'
| tomcatfish wrote:
| Since you're being modest, I'll follow with the relevant
| article of yours that I was going to take that quote from:
| https://www.gwern.net/Unseeing
|
| (A collection of musings on the difference in mindset between
| "Moving the domain to a friend is okay" and "Wait, you can move
| the domain to anyone? How do you not see the issue with that?")
| greyface- wrote:
| This is true of real estate titles in many jurisdictions, too.
| You can quit claim a property to anyone without their consent,
| and then from that point on they are on the hook for property
| taxes, compliance with title covenants, etc.
| blip54321 wrote:
| After 9/11, a clever MIT undergrad grabbed some form of
| alqaeda.net. Any email sent to the address went to the
| corresponding @mit.edu email address. You could email
| professor_alice@alqaeda.net, and it'd arrive at
| professor_alice@mit.edu.
|
| Undergrads sent emails like that for the lols. Recipients got
| freaked out they'd end up on some government watch list.
| thesausageking wrote:
| Reminds me of the "iced coffee obama nsa inside job syria"
| Venmo payment
|
| https://www.gawker.com/the-words-that-will-get-you-in-troubl...
| hyperdimension wrote:
| And don't ever, _ever_ mention Iran.
| a4isms wrote:
| "Listen, don't mention the war. I mentioned it once, but I
| think I got away with it all right."--Basil Fawlty
| Sebguer wrote:
| There's much more trivial ways (and less funny ones) like
| just dropping a name from:
| https://sanctionssearch.ofac.treas.gov/
| simonw wrote:
| I've been calling this kind of thing a "reputation attack". They
| come in all sorts of shapes.
|
| Here's a common one: a platform allows you to create teams and
| invite other users to be members of those teams. The teams that a
| user is a member of are shown on their profile.
|
| Someone could create a team called "Paid up members of the Nazi
| party" and add people as members!
|
| That's why it's crucial to have a "accept invitation" step if you
| build anything like this.
|
| Getting a lot of press these days is the similar thing where you
| can transfer an NFT to someone's wallet without their permission.
| javajosh wrote:
| Tangentially related, now that SWAT'ing is a known-problem, is it
| possible to contact local law enforcement and forewarn them "Hey,
| I think I'm at high risk of being SWATed" such that if they
| receive a call they do some extra diligence to verify? (Like, for
| example, call you before dispatching.)
| FemmeAndroid wrote:
| Yes. I'm sure it works better in some locations and worse in
| others, but I know at least a few people who have proactively
| called law enforcement agencies about being a high probability
| target of SWATing and related activities.
| throwaway787544 wrote:
| You don't get SWATed for owning a child porn domain. SWAT teams
| only break down your door if you might have a weapon and be
| violent with it. If the police just think you're involved in a
| crime, they have to get a warrant for your arrest and then knock
| on your door and wait "a reasonable amount of time". They're also
| less trigger happy if they don't suspect you of having a weapon.
| munificent wrote:
| "The 2017 Wichita swatting occurred on December 28, 2017, in
| Wichita, Kansas, United States. The incident began as an online
| dispute between Casey Viner and Shane Gaskill, regarding the
| video game Call of Duty: WWII. During the dispute, Viner
| threatened to have Gaskill swatted, and Gaskill responded by
| giving him a false address for his residence, one that was
| occupied by an uninvolved person, Andrew Finch. Viner then
| asked Tyler Barriss to make the required fraudulent call to
| initiate the swatting. Wichita Police responded to the address,
| and as Finch was exiting his house, police officer Justin Rapp
| fatally shot him."
|
| https://en.wikipedia.org/wiki/2017_Wichita_swatting
| throwaway787544 wrote:
| "Barriss, identifying himself as "Brian", claimed that he was
| at the residence at 1033 West McCormick Street, had fatally
| shot his father, and was holding family members at gunpoint.
| He asked if police were coming to the house, saying he had
| already poured gasoline all over the house and was
| threatening to set it on fire."
|
| ^ THAT is why the police shot. Not because someone had
| registered a domain name called "imakechildporn.com". They
| need a credible and imminent threat of violence. You can't
| just roll up on someone who might be hosting a "illegal
| website" and use that as a pretext to shoot first ask
| questions later.
| Beltalowda wrote:
| I'd argue that someone phoning in such an over-the-top
| movie scenario threat from an anonymous phone number is
| also not a "credible and imminent threat of violence".
| Definitely something that warrants investigation of course,
| but not something to start pulling out all the guns and
| start shooting people when they open the front door to see
| what all the ruckus is about.
| boplicity wrote:
| 1. Did the DNS information transfer, or did it get reverted? In
| other words, could the domain still be pointing at the nefarious
| server?
|
| 2. Do law enforcement, as standard practice, have access to the
| history of domain ownership? Would they see that it was recently
| transferred, or not?
| upofadown wrote:
| How would someone get away with this? Wouldn't this be something
| like "filing a false police report"?
| joshstrange wrote:
| People who swat doesn't care about the person being charged and
| tried, it's all about making the police kick your door down,
| kill your dog/pet, and potentially kill you (at least scare the
| shit out of you).
| dblohm7 wrote:
| It seems to me like, by that point, the damage has already been
| done.
| cowtools wrote:
| pretty easy to get away with if you register the original
| domain using a shell company/pseudonym in a foreign nation
| [deleted]
| gwbas1c wrote:
| It stinks that we can't trust people.
|
| What's more frustrating is when software designers / product
| managers / business-ey people forget that "we can't trust
| people."
| gmiller123456 wrote:
| Unless things have changed, this isn't an issue with any
| particular registrar, you can put anyone's contact info in for
| the WHOIS information. In fact, just not having your name in the
| WHOIS won't help with the SWAT problem. Someone could just as
| easily create any website and just say they are you. I haven't
| talked to a SWAT team member in quite a while, but I still doubt
| they're very adept at looking up HWOIS information. I think it'd
| suffice to say that if anyone creates a website that says "I am
| ..., this is my plan to commit some serious crime". You're
| probably getting a visit, rather than an assumption that it's a
| spoof just because the WHOIS info doesn't match.
| legohead wrote:
| Waiting on the day someone puts some extremely illegal content on
| a major blockchain...
| l33t2328 wrote:
| People already have. The hash lives on the blockchain, not the
| thing itself, so it's a non issue.
| gpm wrote:
| It shouldn't be hard to make the actual bits themselves live
| on the blockchain. It's trivial to make values so that their
| hashes have certain bits set to 0 or 1 as you chose (as long
| as you only use a few bits per hash)...
| layer8 wrote:
| There is actual illegal content on the Bitcoin blockchain:
| https://www.schneier.com/blog/archives/2021/03/illegal-
| conte...
| justin_oaks wrote:
| Being able to send people things without their approval is a
| problem on all sorts of things across the internet.
|
| Spam email is the most common, but the same problem exists for
| people sharing things in Google Drive.
|
| I had a password manager application that allowed you to share
| password entries to anyone else who has an account with that
| password manager company. The app/site actually did require you
| to approve the incoming entries, but didn't let you know what was
| in them, how many there were, etc.
| skykooler wrote:
| I was wondering about this with regards to bitcoin and other
| crypto currencies (which also have no way to choose whether or
| not to receive something sent to you). Surely someone could do
| some crime with coins in a certain wallet, and then transfer
| them to you; your wallet now contains illegal money and you
| don't really have a way to prove that you weren't involved.
| TremendousJudge wrote:
| Way ahead of you: it's already been done
| https://bitcoinist.com/hackers-are-now-trying-to-steal-
| crypt...
| nicoburns wrote:
| I mean, this is why we have due process and a trial, right? At
| which you can present evidence that you didn't purchase the
| domain. Probably it wouldn't even get that far.
| teakettle42 wrote:
| > due process and a trial
|
| Good luck with that.
|
| Even on completely spurious charges, you'll spend time in jail,
| spend tens of thousands on legal fees, and spend months of your
| life sweating bullets.
|
| Afterwards, you won't even be able to sue the police thanks to
| qualified immunity.
| akersten wrote:
| The point the author is making is that that "due process"
| happens _after_ your hypothetical front door is kicked down and
| dog shot, unfortunately.
| nicoburns wrote:
| I mean, that may well be true. But is so that's a problem
| with law enforcement and the justice system in general, not
| with the domain registrar.
|
| I believe for example, that it is extremely rare to have your
| door knocked down here in the UK. The police will generally
| politely knock and or ring the doorbell, and only knock your
| door down if you refuse to let them in.
| cgriswald wrote:
| > I mean, that may well be true. But is so that's a problem
| with law enforcement and the justice system in general, not
| with the domain registrar.
|
| It is a problem with the justice system.
|
| It is _also_ a problem with the registrar. The registrar
| operates in this environment and is seemingly breaking
| official ICANN rules.
| Shank wrote:
| > The police will generally politely knock and or ring the
| doorbell, and only knock your door down if you refuse to
| let them in.
|
| I highly doubt that this is going to be the case if the
| warrant says that you're wanted for child abuse imagery or
| human trafficking. I'm sure they're lovely for small
| infractions, though.
| bckygldstn wrote:
| That's a surprising pair of crimes to equate, as to me
| they warrant very different police responses. Police
| violence ought to be a last-resort tool to e.g. prevent
| further crime or injury to innocents. Not as a punishment
| that scales with the abhorrence (or moral panic) of the
| crime.
|
| There's no need to send the swat team for a non-violent
| non-organised criminal, monster though they may be.
|
| > I highly doubt
|
| At least on paper UK police aim to take a more evidence-
| based light-touch community-building approach to
| policing, so I'd be curious what reasons you have to
| doubt this claim?
|
| The assumption that US morality and culture applies
| globally is tiring and misses out on an opportunity for
| learning through comparison.
| njovin wrote:
| And after you possibly have assets seized, which you may not
| even get back even if charges are never filed (in the US).
| dmd wrote:
| Is this a joke? You don't get due process and a trial in this
| kind of situation - you've already been shot dead by the SWAT
| team.
| inetsee wrote:
| Yeah, but that might involve lawyers and that could get
| expensive fast.
| usefulcat wrote:
| The point of swatting isn't to get someone convicted, it's to
| get the police to harass someone.
|
| Have you ever seen a no-knock raid? It happened to a house 5
| houses down from where I live. They broke down the door and
| threw a couple of flash-bangs inside. Even from 5 houses away
| with all doors and windows closed, I could have sworn someone
| just fired off a cannon. Pretty sure they won't be fixing or
| paying for any damages either.
| corrral wrote:
| > Pretty sure they won't be fixing or paying for any damages
| either.
|
| There was a somewhat-well-publicized incident a couple
| years(?) back when IIRC a shoplifting suspect (who was armed,
| I think) was chased by the cops, hid in a stranger's house,
| the police _wrecked_ the house getting the guy out, and then
| didn 't pay a dime to fix it, let alone anything to
| compensate for the significant inconvenience of having a
| messed-up house and having to have a lot of work done to
| repair it. Can't recall whether there were any successful
| lawsuits after, but the default was definitely, "nope, that's
| entirely your problem, we just break stuff, we don't fix it".
|
| And that's for someone who wasn't even any kind of target for
| the police, but an innocent bystander.
| cgriswald wrote:
| Unless the LEA or the judge are savvy enough, a warrant might
| be issued allowing police to raid your house and seize all your
| computer equipment.
|
| If that happens, you'll get arrested in front of at least some
| of your neighbors, who might also find out _why_ you were
| arrested. (Even some of the local cops might think you 're just
| getting away on a technicality.) Eventually being found
| innocent or not charged may not matter to some of them.
|
| You will be in jail, at least for a while. You now have an
| arrest record. When people ask, "Have you ever been arrested,"
| the answer will be "Yes." You might lose your job.
|
| Your computer equipment will be seized and police will go
| through it. It'll be used against you in and out of court--even
| things that are legal--if they think it makes you look bad or
| will get you to talk. Getting that equipment back after charges
| are dropped or you are found innocent in court may or may not
| be slow and byzantine.
|
| You will need to pay a lawyer, both to defend yourself, and to
| help you get your equipment back.
|
| ...
| ansible wrote:
| I wish I could upvote this comment more.
|
| Yes, this is all fixable... if you are not poor and not
| rather unlucky. But it will take time and money. Even if you
| don't lose your job, I'd estimate that it would cost you $20K
| on the low end for legal fees.
|
| Also, if you've done anything else even slightly illegal, and
| the LEA finds evidence of that when searching your stuff,
| even though you've been careful and haven't had cause to
| attract their attention previously... well... that's another
| whole bunch of trouble.
| teakettle42 wrote:
| The justice system in the US is so infuriatingly bad, I
| don't even know where to start when it comes to fixing it.
|
| The class issues are enormous; if you're wealthy enough to
| be able to defend yourself, you'll still only be treated
| with something only loosely approximating fairness at
| absolutely best.
|
| However, if you can't afford tens of thousands for an
| attorney, experts, etc, you're pretty much fucked.
|
| We need to seriously rethink how we treat the accused in
| this country, from automatic sanctions that are applied to
| any accused, to how much leeway the police and justice
| system have to destroy people's lives before there's even
| been any evidence presented of an actual crime.
| macintux wrote:
| Not to mention the loss of voting rights once you've been
| convicted of a felony. Completely broken.
| rurp wrote:
| To add to this, it is insane that someone can be locked
| in jail for _years_ without being convicted for a crime.
| In some cases innocent people have spent over a decade in
| prison before being exonerated!
| rascul wrote:
| Where are you asked if you were arrested? I'm curious, since
| I've only been asked if I was convicted of a crime, so I
| thought it a bit odd.
| cgriswald wrote:
| Only about a dozen states ban employer questions about
| arrest records outright. More states have no restrictions
| on it at all. Another set of states bans asking about
| expunged or sealed records, but anything else is fair game.
|
| Among the ones who have partial bans they range from "No,
| unless you run a bank and the arrest was for alleged fraud
| or bank robbery" to "Basically yes, unless it's a really
| old arrest and the salary is below a threshold."
| nicoburns wrote:
| What seems bizarre is that an employer would care about a
| mistaken arrest.
| cgriswald wrote:
| There's often an implication that an arrest wasn't
| necessarily mistaken, even if no charges were filed, the
| charges were dropped, or the person was acquitted.
|
| I can see it making a sort of sense in some edges cases.
| Would you hire a bartender who had been arrested six
| times on suspicion of DUI just because he was never
| convicted? I think that would be hard to justify, if my
| insurance company would even allow it. (So, in my
| opinion, it's better if I never found out!) However, in
| general I find the idea distasteful, uncharitable, and
| un-American.
|
| That said, I suspect most employers just like to have as
| many legal reasons to reject an applicant as possible to
| make it harder to be sued (irrespective of whether those
| employers are racists). In Michigan they were more or
| less explicit that they put their ban in place because
| black people are being arrested and charged at rates
| disproportional to eventual convictions versus other
| groups.
| DarylZero wrote:
| DUI example is strange. There are blood alcohol tests,
| can't really avoid conviction if you fail the test.
| What's the explanation supposed to be for all the
| acquittals?
|
| The way you say it, it's like you think that more and
| more acquittals is evidence of guilt, but that doesn't
| make any sense to me.
|
| Repeated arrests would be no accident of chance, but
| those repeated acquittals would even call into question a
| conviction in the future. Something is going on to
| generate false accusations.
| dragonwriter wrote:
| > There are blood alcohol tests, can't really avoid
| conviction if you fail the test.
|
| You can't be forced to take (or, even, given additional
| punishment based on an advance-consent licensing
| provision, as California has and used to enforce) a blood
| alcohol test without a warrant under Supreme Court case
| law, and warrants take time.
| rascul wrote:
| In Pennsylvania, their implied consent law means refusal
| results in the suspension of your driver's license.
|
| https://www.mtvlaw.com/blog/2019/august/what-are-
| pennsylvani...
| rascul wrote:
| Arrest records are generally public, in my experience.
| Perhaps it wasn't important to ask me since it would come
| up in a background check. But then so are conviction
| records. It's just not what I remember when applying to
| jobs, is all.
| cgriswald wrote:
| In my previous state it wasn't banned and I saw it on
| every application I ever filled out, but that was quite
| some years ago and my current state doesn't allow it.
| I've heard stories of people being fired for other
| reasons, but officially because the company did a
| background check _later_ and the person had lied on their
| application.
| rascul wrote:
| That's interesting to me. Thank you for sharing.
| ActorNightly wrote:
| Unlikely tbh.
|
| Unless the starts align the wrong way, generally the way its
| gonna go is first they will pull your background, and see
| that there is no criminal record, good credit and a tech job.
| So the first thing that is going to happen is that you will
| get a couple of FBI agents probably show up to your door and
| ask you questions. At which point you could sit down in front
| of your computer with them, pull up your accounts, and see
| the evidence of the transfer, all without answering questions
| with a chance to self incriminate.
| zionic wrote:
| No lawyer would ever advise anyone to just "casually talk
| to FBI agents that show up at your door".
| ActorNightly wrote:
| Talking =/= answering questions.
|
| The advice of "not answering questions" applies mostly
| for situations where cops are looking for the guilty
| party, and you don't want to accidentally self
| incriminate (or if you are guilty, you have a higher
| chance of getting off)
|
| FBI having records of you specifically in relation to a
| shady website is already past the point of looking for a
| guilty party - the people they send are specialized in
| cyber crime, are there to investigate the entirety of the
| situation with enough information about you already
| collected from all the sources like ISP logs, background
| check, and so on, all indicating that you are probably
| not guilty, as people who actually run sites like that
| statistically lead very different lives
|
| You can refuse to answer questions and let them in,
| however that has a higher rate of a search warrant,
| seizure and possibly arrest. Or you could just show them
| your domain registrars, tell them that you have no idea
| where it came from, and then look up history that shows
| the transfer, and that could be the end of your trouble,
| without any self incriminating statements.
| justrudd wrote:
| I generally like to think I'm a rather calm individual. It
| takes quite a bit to get me flustered.
|
| But let me tell you, I have had a couple of FBI agents show
| up at my door. And when I saw those badges, even though I
| know I've not done anything, I was nervous. Had a legit
| adrenaline dump. All because my address was the last known
| address of someone they wanted to speak with. This someone
| was male, brown hair, about the same height and build as
| me, etc. As soon as they noticed the similarities, it was
| not a "sit down in front of your computer and straighten
| this out" kind of situation. They are there for a reason -
| to find a criminal. They aren't there to shoot the shit
| with you and explain "it's all just a big
| misunderstanding".
|
| If the FBI shows up at your door without a warrant, don't
| let them in and don't speak to them. If they insist, insist
| on having a lawyer present.
|
| Luckily my situation ended up OK. I got a lawyer who
| specifically had experience with federal law enforcement
| and had them do all the "straightening up of the
| situation". But it cost me money and took weeks of what
| should have been "here is my driver's license, passport,
| and deed. I am me, not the other guy".
| outworlder wrote:
| > When people ask, "Have you ever been arrested," the answer
| will be "Yes."
|
| And that's hoping you are a citizen. Because visa renewals
| (and permanent residency applications, etc) also ask the
| exact same question. Depending on the reason for the arrest,
| you can also be denied naturalization or be placed in
| deportation proceedings without an actual conviction being
| required. On the basis of your "moral character".
| [deleted]
| ygjb wrote:
| Well sure, if you are sufficiently privileged to warrant
| getting a polite knock on the door rather than an amped up
| heavily armed borderline hit squad kicking your door in.
|
| It's also worth noting that the author specifically called out
| in the article that the concern here is SWATing which has
| become such a notorious problem in some circles that the
| concept has made it into mainstream TV shows covering the
| practice.
|
| Due process only counts when it's uniformly available, and
| there is ample evidence in the United States, and other
| countries that have similar policy, that the effectiveness of
| civil rights protections varies widely by economic status and
| ethnicity.
| cgriswald wrote:
| II.A.1.2:
|
| > 1.2 "Designated Agent" means an individual or entity that the
| Prior Registrant or New Registrant explicitly authorizes to
| approve a Change of Registrant on its behalf.
|
| Unless there is some other mechanism for preventing the Registrar
| from also being Designated Agent, it might be that R has terms in
| its EULA where registrants agree that R is also Designated Agent.
| natch wrote:
| > You could instead just tell R, but I can't really imagine a
| scenario where even a great tech support person would both
| understand the problem and be able to get it to the right people
| on their legal team in an reliable fashion."
|
| That depends.... with the right R I could see it. The tech person
| I interact with (rarely) at nearlyfreespeech.net deeply gets it
| -- tech, business, legal. I doubt he's a lawyer of course, but
| expect he knows when to get them involved. Probably the owner of
| the whole operation, if I had to guess.
|
| And yes I realize they are probably just front ending for the
| real registrar, but to me they are effectively the registrar; not
| here to argue about that.
| opendomain wrote:
| So will ICANN fix this?
| joshstrange wrote:
| > These days, one would hope LEA officers would at least look at
| who owns the domain name, but you just said that the registrar
| transferred it to you and changed the WHOIS data to use your full
| name and address.
|
| I started to write a comment about how horribly optimistic this
| is but then I thought about it some more.
|
| If it is indeed "Local" police you are probably screwed. They
| have zero understanding of the internet/tech and even people in
| positions with titles like "Cyber security" at your local station
| are probably just cops that got promoted into that role and have
| very little to zero understanding. Every interaction with my
| local cops w.r.t. technology has been painful and fruitless.
|
| Of course this assumes they would follow up on it in the first
| place. My LEA outright refused to lift a finger with a harassment
| case even when provided step by step instructions (and we knew
| who was behind it) on how to request information from the company
| the harasser was using (throwaway phone numbers). That said,
| maybe an instance like the author describes would get them off
| their butts.
|
| If it goes up to a federal level then maybe they would understand
| the nuance of domain transfers but not before kicking in you
| door.
___________________________________________________________________
(page generated 2022-06-03 23:01 UTC)