Hackers selling hacked police emails to request user data from TikTok, Facebook (opens in new tab)

(404media.co)

152 pointsfouadmatin2y ago46 comments

46 comments

Whatever happened to the concept of receiving a legal-order, having your lawyers scrutinize it and complying afterwards? None of these high-stakes data handoffs coordinated over insecure email.

happytiger2y ago

You want private courts? You destroy due process? You want pay-to-play legal systems?

You pay the price. This is the price. And you better not complain.

You can either have one, or the other. But you can’t compromise one and keep the the other.

coldtea2y ago

I want public no pay-to-play legal systems.

what-no-tests2y ago

The emails should just be made public anyway.

They are public servants, yes?

"To serve and to protect."

dahdum2y ago

It’s about fraudulent data requests using hacked email accounts from government bodies all around the world. What emails are you referring to that should be made public?

what-no-tests2y ago

Well if they have nothing to hide then what's the issue, officer?

1 more reply

singleshot_2y ago

Castle Rock v. Gonzales, 545 U.S. 748 (2005) (Police not required to serve or to protect).

what-no-tests2y ago

False advertising.

1 more reply

cameronh902y ago

This is a great example of why E2EE is important even if you trust your government.

TZubiri2y ago

According to Meta Whatsapp is E2EE and Data requests by government agencies can only reveal metadata like recipients, durations of calls, frequency of messages, but not content of messages.

EricMausler2y ago

"Hey Timmy I noticed you talk to Susan 5 times a day sometimes for 5 minutes and sometimes for 2 hours. Always right after you say goodnight to us. Sometimes I see you call her late at night from outside her house for 10 seconds when you were supposed to be in your room and then you don't use your phone again for a couple hours -- No no, im not invading your privacy, it's only metadata"

1 more reply

jacquesm2y ago

Meta data is often as valuable or even more valuable than the data itself.

Because you might be talking to the mob boss about the weather. But the fact that you are talking to the mob boss is an extremely interesting data point. It pins you to the map in a way that you are immediately a POI and causes a file to be opened on you and your other contacts to further map your place in the network. Who talks to who is very powerful information.

3 more replies

jjoonathan2y ago

> only

"We kill people based on metadata." - General Michael Hayden, former director NSA and CIA

omginternets2y ago

That's enough to tell you if a given request is being seriously discussed.

candiddevmike2y ago

Someone should create haveibeensubpoenaed.com

1 more reply

NoZebra120vClip2y ago

Ok if these social media giants are authenticating LEOs by origin email only, without benefit of GPG, or secure token, or whatever, then they are stuck on stupid, and deserve any hacking they get. Ouch.

jazzyjackson2y ago

Email actually has very well thought out authentication mechanisms such that its not unreasonable to expect a domain is not spoofed, and it came from the server it says it came from

but if some baddies have logged into your server and sending messages as you, then DKIM can't save you

so say social media companies want a higher standard of proof that emails are coming from a particular institution, what mechanisms are available that doesn't involve onboarding every individual officer to the subtleties of public key crpyotgraphy?

omniglottal2y ago

Never buillding a back door for LEOs sounds like a reasonable option.

jstarfish2y ago

It's the unsuspecting users that are the victim of this.

heavyset_go2y ago

Tech companies don't give a shit, it's the same reason why they're handing over data when just simply asked.

vkou2y ago

You'll be horrified to learn exactly how much business is conducted through unsecured fax machines.

fullspectrumdev2y ago

For some absurd reason fax is often seen by bureaucracies in some countries as “more secure” than email.

3 more replies

wmf2y ago

I don't think most law enforcement agencies have any second factor to authenticate themselves online. And it's not the social media companies that suffer but their users whose privacy is being violated.

jazzyjackson2y ago

Don't you think it's within the social media companies interest to respond to as few subpeonas as possible i.e. only genuine ones from authorities?

but maybe you're right and this problem won't be solved because the person being harmed has no power and the institution in power sees no harm

2 more replies

extraduder_ire2y ago

To many normal people the "from" field in an email means that it came from there.

I am wondering how they get the data back though, unless they demand it is faxed, or sent to another email address. (Or the person replying doesn't notice the different reply-to address.)

hedora2y ago

Interestingly, gmail trusts the from field, so if I send a message “from” you to your account, it will put it in your sent folder.

Urban legend says people have been fired after forged harassment emails were delivered this way.

Google claims this is a feature, and the sent “label” isn’t meant to mean that it came from your gmail account.

For instance, there could be a corporate service firehosing spam at coworkers on your behalf, and obviously you don’t want to notice that, so it puts it in the sent box.

1 more reply

jaywalk2y ago

If the email account has been hacked (which it has in this case) then it can just go back to the original hacked email.

singleshot_2y ago

Generally email systems will have rules that support things like “if this account gets any mail from this address at Facebook.com, move it to some obscure folder and forward it to badguy@gmail.com” which is sometimes how this plays out.

nitwit0052y ago

They respond to written letters too (and they have a legal obligation to do so).

There is, unfortunately, no way to get every police force on the globe to agree to some authentication scheme.

j / k navigate · click thread line to collapse

46 comments

lisbon442y ago

Whatever happened to the concept of receiving a legal-order, having your lawyers scrutinize it and complying afterwards? None of these high-stakes data handoffs coordinated over insecure email.

happytiger2y ago

You want private courts? You destroy due process? You want pay-to-play legal systems?

You pay the price. This is the price. And you better not complain.

You can either have one, or the other. But you can’t compromise one and keep the the other.

coldtea2y ago

I want public no pay-to-play legal systems.

what-no-tests2y ago

The emails should just be made public anyway.

They are public servants, yes?

"To serve and to protect."

dahdum2y ago

It’s about fraudulent data requests using hacked email accounts from government bodies all around the world. What emails are you referring to that should be made public?

what-no-tests2y ago

Well if they have nothing to hide then what's the issue, officer?

1 more reply

singleshot_2y ago

Castle Rock v. Gonzales, 545 U.S. 748 (2005) (Police not required to serve or to protect).

what-no-tests2y ago

False advertising.

1 more reply

cameronh902y ago

This is a great example of why E2EE is important even if you trust your government.

TZubiri2y ago

According to Meta Whatsapp is E2EE and Data requests by government agencies can only reveal metadata like recipients, durations of calls, frequency of messages, but not content of messages.

EricMausler2y ago

1 more reply

jacquesm2y ago

Meta data is often as valuable or even more valuable than the data itself.

3 more replies

jjoonathan2y ago

> only

"We kill people based on metadata." - General Michael Hayden, former director NSA and CIA

omginternets2y ago

That's enough to tell you if a given request is being seriously discussed.

candiddevmike2y ago

Someone should create haveibeensubpoenaed.com

1 more reply

NoZebra120vClip2y ago

jazzyjackson2y ago

Email actually has very well thought out authentication mechanisms such that its not unreasonable to expect a domain is not spoofed, and it came from the server it says it came from

but if some baddies have logged into your server and sending messages as you, then DKIM can't save you

omniglottal2y ago

Never buillding a back door for LEOs sounds like a reasonable option.

jstarfish2y ago

It's the unsuspecting users that are the victim of this.

heavyset_go2y ago

Tech companies don't give a shit, it's the same reason why they're handing over data when just simply asked.

vkou2y ago

You'll be horrified to learn exactly how much business is conducted through unsecured fax machines.

fullspectrumdev2y ago

For some absurd reason fax is often seen by bureaucracies in some countries as “more secure” than email.

3 more replies

wmf2y ago

jazzyjackson2y ago

Don't you think it's within the social media companies interest to respond to as few subpeonas as possible i.e. only genuine ones from authorities?

but maybe you're right and this problem won't be solved because the person being harmed has no power and the institution in power sees no harm

2 more replies

extraduder_ire2y ago

To many normal people the "from" field in an email means that it came from there.

I am wondering how they get the data back though, unless they demand it is faxed, or sent to another email address. (Or the person replying doesn't notice the different reply-to address.)

hedora2y ago

Interestingly, gmail trusts the from field, so if I send a message “from” you to your account, it will put it in your sent folder.

Urban legend says people have been fired after forged harassment emails were delivered this way.

Google claims this is a feature, and the sent “label” isn’t meant to mean that it came from your gmail account.

For instance, there could be a corporate service firehosing spam at coworkers on your behalf, and obviously you don’t want to notice that, so it puts it in the sent box.

1 more reply

jaywalk2y ago

If the email account has been hacked (which it has in this case) then it can just go back to the original hacked email.

singleshot_2y ago

nitwit0052y ago

They respond to written letters too (and they have a legal obligation to do so).

There is, unfortunately, no way to get every police force on the globe to agree to some authentication scheme.

j / k navigate · click thread line to collapse