[HN Gopher] Hackers selling hacked police emails to request user...
___________________________________________________________________
Hackers selling hacked police emails to request user data from
TikTok, Facebook
Author : fouadmatin
Score : 112 points
Date : 2023-09-05 16:26 UTC (6 hours ago)
(HTM) web link (www.404media.co)
(TXT) w3m dump (www.404media.co)
| NoZebra120vClip wrote:
| Ok if these social media giants are authenticating LEOs by origin
| email only, without benefit of GPG, or secure token, or whatever,
| then they are stuck on stupid, and deserve any hacking they get.
| Ouch.
| extraduder_ire wrote:
| To many _normal_ people the "from" field in an email means
| that it came from there.
|
| I am wondering how they get the data back though, unless they
| demand it is faxed, or sent to another email address. (Or the
| person replying doesn't notice the different reply-to address.)
| singleshot_ wrote:
| Generally email systems will have rules that support things
| like "if this account gets any mail from this address at
| Facebook.com, move it to some obscure folder and forward it
| to badguy@gmail.com" which is sometimes how this plays out.
| jaywalk wrote:
| If the email account has been hacked (which it has in this
| case) then it can just go back to the original hacked email.
| jazzyjackson wrote:
| Email actually has very well thought out authentication
| mechanisms, such that it's not unreasonable to expect a domain is
| not spoofed and it came from the server it says it came from.
|
| But if some baddies have logged into your server and are sending
| messages as you, then DKIM can't save you.
|
| So say social media companies want a higher standard of proof
| that emails are coming from a particular institution; what
| mechanisms are available that don't involve onboarding every
| individual officer to the subtleties of public key
| cryptography?
| omniglottal wrote:
| Never building a back door for LEOs sounds like a reasonable
| option.
| vkou wrote:
| You'll be horrified to learn exactly how much business is
| conducted through unsecured _fax_ machines.
| fullspectrumdev wrote:
| For some absurd reason fax is often seen by bureaucracies in
| some countries as "more secure" than email.
| dahdum wrote:
| Isn't it though? You can attack email systems, network
| operators, and end users in a myriad of ways remotely from
| anywhere in the world. How can you compromise a traditional
| fax? Eavesdropping the PSTN itself? Physical access to one
| of the machines? Stealing the printed document?
|
| Network fax systems are more convenient to use than
| traditional, but still more secure than email because
| they've been designed to be so.
| omniglottal wrote:
| Analog. Unencrypted. Your intent to misinform appears
| evident.
| MichaelZuo wrote:
| How's that absurd? If you have 0 experienced security folks
| on staff/consulting, and no one willing to listen to them,
| then a fax is almost certainly more secure in practice.
| omniglottal wrote:
| One of those countries is the US. Fax is unencrypted
| analog. In practice, this is very certainly not secure.
| It's only "more secure" in the sense that unauthorized
| access to it counts as wiretapping, whereas the feds
| carved a loophole allowing them to read private emails
| without running afoul of our anti-wiretapping laws. That you
| don't see the absurdity means our educational system is
| also doing what the feds built it to do.
| wmf wrote:
| In the 1990s the phone network probably was more secure
| than the Internet, but it's not today.
| wmf wrote:
| I don't think most law enforcement agencies have any second
| factor to authenticate themselves online. And it's not the
| social media companies that suffer but their users whose
| privacy is being violated.
| jazzyjackson wrote:
| Don't you think it's within the social media companies'
| interest to respond to as few subpoenas as possible, i.e. only
| genuine ones from authorities?
|
| But maybe you're right and this problem won't be solved,
| because the person being harmed has no power and the
| institution in power sees no harm.
| MichaelZuo wrote:
| Why do you believe they would? It's definitely not
| demonstrated here.
| wmf wrote:
| Obviously they're going to try to verify law enforcement
| requests. It's a tradeoff.
| omniglottal wrote:
| "Try" == "it's a .gov email - looks good!"
| jstarfish wrote:
| It's the unsuspecting _users_ that are the victim of this.
| heavyset_go wrote:
| Tech companies don't give a shit; it's the same reason
| they're handing over data when just simply asked.
| candiddevmike wrote:
| Someone should create haveibeensubpoenaed.com
| cameronh90 wrote:
| This is a great example of why E2EE is important even if you
| trust your government.
| TZubiri wrote:
| According to Meta, WhatsApp is E2EE, and data requests by
| government agencies can only reveal metadata like recipients,
| durations of calls, and frequency of messages, but not the
| content of messages.
| EricMausler wrote:
| "Hey Timmy, I noticed you talk to Susan 5 times a day,
| sometimes for 5 minutes and sometimes for 2 hours. Always
| right after you say goodnight to us. Sometimes I see you call
| her late at night from outside her house for 10 seconds when
| you were supposed to be in your room, and then you don't use
| your phone again for a couple hours -- No no, I'm not invading
| your privacy, it's only metadata."
| omginternets wrote:
| That's enough to tell you if a given request is being
| seriously discussed.
| jjoonathan wrote:
| > only
|
| "We kill people based on metadata." - General Michael Hayden,
| former director of the NSA and CIA
| jacquesm wrote:
| Metadata is often as valuable as, _or even more valuable than_,
| the data itself.
|
| Because you might be talking to the mob boss about the
| weather. But the fact that you are talking to the mob boss is
| an extremely interesting data point. It pins you to the map
| in a way that you are immediately a POI and causes a file to
| be opened on you _and_ your other contacts to further map
| your place in the network. Who talks to whom is very powerful
| information.
| canadiantim wrote:
| Meta meta data is so meta
| what-no-tests wrote:
| The emails should just be made public anyway.
|
| They are public servants, yes?
|
| "To serve and to protect."
| singleshot_ wrote:
| Castle Rock v. Gonzales, 545 U.S. 748 (2005) (Police not
| required to serve or to protect).
| what-no-tests wrote:
| False advertising.
| dahdum wrote:
| It's about fraudulent data requests using hacked email accounts
| from government bodies all around the world. What emails are
| you referring to that should be made public?
| what-no-tests wrote:
| Well if they have nothing to hide then what's the issue,
| officer?
___________________________________________________________________
(page generated 2023-09-05 23:02 UTC)