
Bloomberg: tech giants (practically ALL of them) "duped" into releasing data through fraudulent legal requests which was used to sexually extort minors



Tech Giants Duped Into Giving Up Data Used to Sexually Extort Minors

 

Quote

 

Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.

 

The companies that have complied with the bogus requests include Meta Platforms Inc., Apple Inc., Alphabet Inc.’s Google, Snap Inc., Twitter Inc. and Discord Inc., according to three of the people. All of the people requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims.

 

 

Unfuckingbelievable.

 

Smash all of them to pieces, each and every one of them.


  • Commissar SFLUFAN changed the title to Bloomberg: tech giants (practically ALL of them) "duped" into releasing data through fraudulent legal requests which was used to sexually extort minors

Data in general being held and moved by large corporations is just a giant clusterfuck.  I didn't realize it until I pivoted into working EDI feeds for large carriers how much no one keeps track of what they have or how it moves.  That's just a narrow piece of the benefits side.  I think there was an article in the Discord about how Meta has no idea at all how data flows or who gets it on their own fucking platforms and how compliance with GDPR is simply not possible.  There are also pretty much no protections once you get access.  The big Anthem hack back in 2015 or whatever, they phished a database admin's account login credentials and used that to extract like 65 million people's information, and it took them a month to catch it.

 

Quote

“Police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers,” Stamos said.

 

Cool they're relying on police departments to practice good infosec.  They either have the password literally posted everywhere on notes, if the city IT guy wouldn't budge on making a secure password, or it's something like "spurburypolice123"


3 minutes ago, stepee said:

Isn’t this nothing about network security and simply human error of not doing due diligence and detecting the fraudulent requests?

 

It seems largely to be a process issue, and yeah the weak human element.  They have processes set up to process emergency requests for info from police departments without a court order.  This relies on the police department accounts not being compromised and I'm guessing the people handling whatever queues they feed into don't have the capacity to do much in the way of verification.


Just now, finaljedi said:

 

It seems largely to be a process issue, and yeah the weak human element.  They have processes set up to process emergency requests for info from police departments without a court order.  This relies on the police department accounts not being compromised and I'm guessing the people handling whatever queues they feed into don't have the capacity to do much in the way of verification.

 

Relying on accounts not being compromised seems like human error in deciding the process still. It should be assumed first that the accounts have been compromised and then allowed through once verified to be legitimate. 


8 minutes ago, b_m_b_m_b_m said:

Lol. Lmao


It is doable. I think we will likely need to wait for EU regulators to force the issue as even with the sometimes bipartisan disdain for big tech, the US doesn’t have the will to do it. They are much better on data privacy, though still have a ways to go.


3 minutes ago, sblfilms said:


It is doable. I think we will likely need to wait for EU regulators to force the issue as even with the sometimes bipartisan disdain for big tech, the US doesn’t have the will to do it. They are much better on data privacy, though still have a ways to go.

Nearly everything of any consequence that crosses the internet is encrypted for one, data on devices is encrypted, and storing data on user devices is just lol lmao


34 minutes ago, Comet said:

How does this even happen? 

From the article:
 

Quote

 

The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers. It starts with the perpetrator compromising the email system of a foreign law enforcement agency.

Then, the attacker will forge an “emergency data request” to a technology company, seeking information about a user’s account, the officers said. Such requests are used by law enforcement to obtain information about online accounts in cases involving imminent danger such as suicide, murder or abductions.

In return, the companies provide the attacker with basic subscriber information -- the same data provided to law enforcement in response to a court-ordered subpoena, said law enforcement officials and people familiar with the legal processes.

 

Honestly, the biggest problem I see here is the system for these requests relies on a simple email, and apparently law enforcement emails aren't well secured. If Google gets a request from a legit law enforcement email address, I don't blame them if they comply.

 

If the system was better set up and required some sort of additional call back (like suggested in the article), that would be a start. As would requiring two factor auth and other security measures for all .gov emails.


7 minutes ago, stepee said:

They could have good security for this sort of  thing it’s just expensive for both the technology and the talent to run and maintain it and they don’t wanna.

 

Pretty much.  It's solvable, but the solution will be expensive for them and probably inconvenient for the police departments and other orgs that use this data.  2 factor authentication, like two people per police department who have access who have to be verified at the time of request.  But I'm guessing some project managers sold it as cheap, easy, and good for PR by saving lives in imminent danger.


1 hour ago, Commissar SFLUFAN said:

Smash all of them to pieces, each and every one of them.

 

It's tough to fault the companies.  Well, I mean we can fault them; they got tricked and that shouldn't happen.  But the bigger the company the harder this kind of thing is to deal with.  When you have millions of users and receive thousands of legal requests every month being worked by dozens of different legal analysts..shit's going to fall through.  With the lower bar to release being held on emergency disclosure orders and those orders usually being extremely time sensitive, it's a pretty ripe avenue for mistakes.

 

44 minutes ago, Comet said:

How does this even happen? 

 

Normally release of a user's data requires an order to be applied for and signed by a judge.  In the case of an emergency disclosure request, the judge's approval is not required so long as the law enforcement officer affirms that they will be following up with a full order for the information after the emergency has abated.  So these people just need to get official letterhead, know how to talk like a cop, and if they get ahold of an analyst who doesn't research to make sure the person is an actual officer...there ya go.


2 minutes ago, finaljedi said:

 

Pretty much.  It's solvable, but the solution will be expensive for them and probably inconvenient for the police departments and other orgs that use this data.  2 factor authentication, like two people per police department who have access who have to be verified at the time of request.  But I'm guessing some project managers sold it as cheap, easy, and good for PR by saving lives in imminent danger.

Yeah, that's a non-starter due to sheer volume.  There's no way it would be manageable.  People would die.


2 minutes ago, b_m_b_m_b_m said:

All data requests should require the sign off of a judge. If we’re not doing that there’s a good starting point for easy reform to say nothing of the human element that will need to be trained and secured. 

Not all requests can wait for a judge.


Just now, Slug said:

I agree with the latter.  I don't know how you solve the former.  Someone has to be able to do it.

The point is without the check on state power through the supposedly independent judiciary then these decisions are in the realm of cops, it won’t be any other way because of the inherent nature of these requests. Not that the judiciary is *really* a functional check (these guys work in tandem) but that’s what we’ve got. Really basic 4th amendment shit here


35 minutes ago, b_m_b_m_b_m said:

Nearly everything of any consequence that crosses the internet is encrypted for one, data on devices is encrypted, and storing data on user devices is just lol lmao


There is tons of user data that does not need to be anywhere but the device, but is collected for monetization purposes. Look at how much the half baked “ask not to track” change cost FB. Imagine if you didn’t have to just hope devs complied with that request.


1 minute ago, b_m_b_m_b_m said:

The point is without the check on state power through the supposedly independent judiciary then these decisions are in the realm of cops, it won’t be any other way because of the inherent nature of these requests. Not that the judiciary is *really* a functional check (these guys work in tandem) but that’s what we’ve got. Really basic 4th amendment shit here

The problem is one of function in emergency situations.  Drafting a full order, finding a judge and getting sign off can be the difference between an ambulance arriving in time or 20 minutes too late.  Not all districts have the luxury of having a night magistrate judge on staff that can be raised at a moment's notice and sign an order at 2am.


2 minutes ago, Slug said:

The problem is one of function in emergency situations.  Drafting a full order, finding a judge and getting sign off can be the difference between an ambulance arriving in time or 20 minutes too late.  Not all districts have the luxury of having a night magistrate judge on staff that can be raised at a moment's notice and sign an order at 2am.


What is the scenario in which police need access to private user data and they can’t possibly wait for a judge to review and issue the warrant?

 

Honestly, this feels like one of those 24 scenarios where Jack HAS to go NOW or else, and not the real world where most things can wait.


16 minutes ago, sblfilms said:


What is the scenario in which police need access to private user data and they can’t possibly wait for a judge to review and issue the warrant?

 

We get them all the time.  911 caller in distress who can't communicate.  Someone in an online chat threatening imminent suicide.  Livestreamed rape.  Kidnappings and missing persons.  The list goes on.

 

16 minutes ago, sblfilms said:

Honestly, this feels like one of those 24 scenarios where Jack HAS to go NOW or else, and not the real world where most things can wait.

 

Most things can. Some things cannot.  Emergency disclosures are a very small percentage of the lawful requests a company receives.


53 minutes ago, sblfilms said:


There is tons of user data that does not need to be anywhere but the device, but is collected for monetization purposes. Look at how much the half baked “ask not to track” change cost FB. Imagine if you didn’t have to just hope devs complied with that request.

 

Unfortunately, the user data that most needs to be in the cloud is the data that's most easily used to extort minors. Private messages and images.  Both need the cloud because we are long past the days where people didn't expect a new phone to just have all their pictures and contacts and such the moment they log in. That genie is impossible to bottle right now. There is no security argument to be made that would have folks willingly roll back to the days where losing your phone meant losing the data on it.

 

People were flipping out over their game saves not being backed up on the Switch. We're talking that kind of freakout, but over baby pictures.


1 minute ago, Ghost_MH said:

 

Unfortunately, the user data that most needs to be in the cloud is the data that's most easily used to extort minors. Private messages and images.  Both need the cloud because we are long past the days where people didn't expect a new phone to just have all their pictures and contacts and such the moment they log in. That genie is impossible to bottle right now. There is no security argument to be made that would have folks willingly roll back to the days where losing your phone meant losing the data on it.

 

People were flipping out over their game saves not being backed up on the Switch. We're talking that kind of freakout, but over baby pictures.


People want convenience, I understand. My position has nothing to do with consumer desires, which are often in opposition to their own good.

 

The convenience is what gives the tech giants a significant amount of their control and profitability.


1 hour ago, Slug said:

It's tough to fault the companies.  Well, I mean we can fault them; they got tricked and that shouldn't happen.  But the bigger the company the harder this kind of thing is to deal with.  When you have millions of users and receive thousands of legal requests every month being worked by dozens of different legal analysts..shit's going to fall through.  With the lower bar to release being held on emergency disclosure orders and those orders usually being extremely time sensitive, it's a pretty ripe avenue for mistakes.

 

This whole topic at large is the blood sacrifice made on the altar of tech companies "needing" to grow as large as possible as quickly as possible. Regulators attempt to catch up but that process is slower than the technological advancement and it's done while opposing the pressure from capitalists to "not interfere with the market," and here we stand.

 

It's not impossible to have avoided this but shareholders want the line to go up and the bros that lead these companies almost universally feel like they know best.

 

 


27 minutes ago, Kal-El814 said:

 

This whole topic at large is the blood sacrifice made on the altar of tech companies "needing" to grow as large as possible as quickly as possible. Regulators attempt to catch up but that process is slower than the technological advancement and it's done while opposing the pressure from capitalists to "not interfere with the market," and here we stand.

 

It's not impossible to have avoided this but shareholders want the line to go up and the bros that lead these companies almost universally feel like they know best.

 

 

Oh for sure. I'm just saying that it's hard to fault them specifically for criminal abuse of the emergency disclosure system as it exists. It shouldn't happen, but I get it. They need to have better procedures and better training for their legal operations folk that handle them. 


2 hours ago, stepee said:

They could have good security for this sort of  thing it’s just expensive for both the technology and the talent to run and maintain it and they don’t wanna.

But also.... why bother.  When you are the tech giant, you run the show. It's so rare that any meaningful punishment will be handed down to them. It would have to be catastrophic and economic breaking. Credit reporting agencies and health insurance companies can all lose millions upon millions of user data at what cost to them? Offering a few years worth of free credit monitoring? That a majority of people won't sign up for. 

This new story, while shocking, could just be a drop in the bucket when it comes to tech giants and their screw ups. 


46 minutes ago, sblfilms said:


There is tons of user data that does not need to be anywhere but the device, but is collected for monetization purposes. Look at how much the half baked “ask not to track” change cost FB. Imagine if you didn’t have to just hope devs complied with that request.

The devil is in the details but what needs to remain on the device to one is a useful feature to another. 

42 minutes ago, Slug said:

The problem is one of function in emergency situations.  Drafting a full order, finding a judge and getting sign off can be the difference between an ambulance arriving in time or 20 minutes too late.  Not all districts have the luxury of having a night magistrate judge on staff that can be raised at a moment's notice and sign an order at 2am.

There’s trade offs but the odds and amount of actual abuse to come from not having a warrant far exceed the alleged safety gained from not requiring it. 


11 minutes ago, DarkStar189 said:

But also.... why bother.  When you are the tech giant, you run the show. It's so rare that any meaningful punishment will be handed down to them. It would have to be catastrophic and economic breaking. Credit reporting agencies and health insurance companies can all lose millions upon millions of user data at what cost to them? Offering a few years worth of free credit monitoring? That a majority of people won't sign up for. 

This new story, while shocking, could just be a drop in the bucket when it comes to tech giants and their screw ups. 

 

I think it’s kind of the same thing, if they could just flip a switch and have good security they probably would just to make their own lives easier. They don’t because spending time and money on it is worse than they perceive good security is good for them, and there are no consequences because of the things you mentioned, so cookies crumbling and such.


1 hour ago, b_m_b_m_b_m said:

There’s trade offs but the odds and amount of actual abuse to come from not having a warrant far exceed the alleged safety gained from not requiring it. 

I honestly have no idea what the numbers look like on law enforcement abuse of emergency requests.  I'm sure it happens.  Legitimate emergency requests are supposed to be followed up with a full signed order after the fact, to confirm their use.  This story is about unauthorized (non law enforcement) parties scamming that system so that's the angle I'm speaking towards.
