[HN Gopher] Companies make it too easy for thieves to impersonat...
       ___________________________________________________________________
        
       Companies make it too easy for thieves to impersonate police and
       steal data
        
       Author : alexzeitler
       Score  : 67 points
       Date   : 2024-01-20 19:22 UTC (3 hours ago)
        
 (HTM) web link (www.eff.org)
 (TXT) w3m dump (www.eff.org)
        
       | pi-e-sigma wrote:
       | Carefully checking every request costs money. Giving away data to
       | unauthorized parties pretending to have such authorization costs
       | nothing. Follow the incentives.
        
         | hammyhavoc wrote:
         | Receiving a fine for failing in due diligence to protect
         | personal information definitely costs money.
        
           | MichaelZuo wrote:
           | The people nominally responsible for issuing fines also have
           | their own incentives.
        
             | hammyhavoc wrote:
             | Whether that's the case or not, it is orthogonal to the
             | point being made.
        
               | MichaelZuo wrote:
               | No? I think it's quite relevant.
        
           | plagiarist wrote:
            | Maybe it does in the EU or California.
        
           | hanniabu wrote:
           | Fines are never high enough to align incentives
        
       | RecycledEle wrote:
       | Very true.
       | 
       | The companies that gave data to criminals need to be bankrupted.
        
         | pixl97 wrote:
         | I see this as exceptionally unlikely in most legal systems.
         | 
         | "Dear Court, this suit that is brought against us is going to
         | make the next case that comes in so much harder. Next time
         | we're going to challenge everything you as the court and law
         | enforcement ask for and this will lead to the bad guys getting
         | away. This could mean less funds for your next reelection. All
         | we were doing was acting in good faith giving the legal system
         | what it needed to be efficient".
        
       | lifeisstillgood wrote:
       | Then set minimum standards for data requests, possibly in law, if
       | not via the European idea of a data commissioner.
       | 
       | Then two things
       | 
        | 0. Pursue companies that screw up like this. I mean the SEC
        | strikes terror into the hearts of the Boards of some of the
        | world's richest companies so it's feasible
       | 
       | 1. Fucking prosecute the actual criminals! Yea companies should
       | put more effort in. So raise the floor so no one feels doing the
       | right thing leaves them at a disadvantage- but also, this is very
       | much a blame the banks for having cash in the safe during a
       | robbery. The robbers need to be prosecuted- and the companies
       | need to think of data like cash in transit - needs much better
       | protection than they currently do
        
       | nitwit005 wrote:
       | In a lot of places, you just bribe the police and do it
       | officially.
       | 
       | Governments could make these requests a lot easier to verify.
       | Companies shouldn't be in the position of having to guess at who
       | is a real government official.
        
       | myself248 wrote:
       | The government has been entirely too slow to adopt the really
       | simple stuff like PGP-signed email. If we had what was child's
       | play in the 90s, most of these problems would go away. (And be
       | replaced with different problems, like someone hacking the
       | police's computers to get their private key, but let's imagine
       | they can use some sort of HSM because those exist now.)
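
       As an added illustration of the signed-request idea raised in the
       comment above (example code, not from the commenter or the linked EFF
       article): the company pins the agency's public key out of band and
       verifies a detached signature over each request before acting on it.
       The agency name, request text and keys are all constructed for the
       example; how real agencies would publish keys is assumed, not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyDirectory is a constructed stand-in for a pinned, out-of-band
// distributed directory of agency signing keys (assumption: the company
// obtained these keys through a trusted channel, not from the request).
type KeyDirectory map[string]ed25519.PublicKey

// SignRequest produces a detached Ed25519 signature over the request body.
func SignRequest(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// VerifyRequest accepts a request only if the claimed agency has a pinned
// key and the signature verifies against that key. An unknown agency name
// is rejected outright: a key supplied inside the request proves nothing.
func VerifyRequest(dir KeyDirectory, agency string, body, sig []byte) error {
	pub, ok := dir[agency]
	if !ok {
		return errors.New("unknown agency: no pinned key on file")
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("signature does not verify against pinned key")
	}
	return nil
}

// RunScenario pins one constructed agency key, then checks three requests:
// a genuine one, one signed by an impostor's own key, and a genuine
// signature attached to an altered body. Returns whether each was accepted.
func RunScenario() (genuine, impostor, tampered bool, err error) {
	agencyPub, agencyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	dir := KeyDirectory{"example-police-dept": agencyPub}

	// Constructed request text; the account number is a placeholder.
	body := []byte("constructed request: produce subscriber records for account 12345")

	sig := SignRequest(agencyPriv, body)
	genuine = VerifyRequest(dir, "example-police-dept", body, sig) == nil

	// Impostor claims the same agency but only holds their own key.
	forged := SignRequest(impostorPriv, body)
	impostor = VerifyRequest(dir, "example-police-dept", body, forged) == nil

	// Genuine signature replayed over a modified request body.
	altered := []byte("constructed request: produce subscriber records for account 99999")
	tampered = VerifyRequest(dir, "example-police-dept", altered, sig) == nil
	return
}

func main() {
	g, i, t, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, impostor accepted: %v, tampered accepted: %v\n", g, i, t)
}
```

       The verification step is stateless apart from the pinned directory,
       which is the part the reply below calls hard to reproduce: the whole
       scheme is only as good as how that directory is populated and kept
       current.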
        
         | o11c wrote:
         | To be fair, PGP has broken usability by design. The (rarely-
         | recognized) problem is that it's too stateful, and thus hard to
         | reproduce.
        
       | wolverine876 wrote:
        | The solution is to minimize data in companies' possession, which
        | includes minimizing collection and retention. Otherwise, even if
       | you close this loophole, another will appear. Your data is an
       | asset with value and people will seek it out.
        
       | lupire wrote:
       | The governments require this. This is 100% the governments'
       | fault.
        
       | tkems wrote:
       | First time I realized this was possible was in the TV show Mr.
       | Robot [0] and I thought it couldn't have been that easy. However,
       | after my experience within the cybersecurity sector, I can see
       | this happen easily. Old processes that require implicit trust
       | don't work in the modern, connected world.
       | 
       | We already have the technology (PKI with smartcards) to fix this,
       | but unless something really bad happens, there doesn't seem to be
       | a rush to do so.
       | 
       | [0] From Mr Robot Season 2 Episode 9
       | https://www.youtube.com/watch?v=5qTSoCzp-LY
        
       | wmf wrote:
        | There may be an opportunity for a startup to authenticate law
       | enforcement, like a specialized version of id.me.
        
       | SoftTalker wrote:
       | It should not be too hard to verify?
       | 
       | Call up the clerk of the court who issued the order, or the
       | police department of the city, or whoever the relevant authority
       | is, and ask them to confirm.
       | 
       | You don't need digital signatures or encryption to do that.
        
       | throwaway914 wrote:
       | Why are we blaming the companies because the police are easy to
       | impersonate?
        
       ___________________________________________________________________
       (page generated 2024-01-20 23:01 UTC)