I have to admit I find this whole situation (and also Krebs' article) bizarre. The problem seems to be that tech companies approve EDRs without much checking. Then the argument somehow becomes it is essentially impossible for them to check because there could be any of the thousands of police departments in the world requesting the EDR? Why should MS in the US somehow respond to a request from a police department in Cuxhafen in Germany?
I think the argument being made here is one of those "we can't make a perfect solution so no solution works", which is nonsense. Simply don't answer requests from police departments you can't verify. I bet you if a police department would request some business sensitive information they would not hand it over without going over the subpoena with a fine-toothed comb. The issue is just that they don't value their customers' privacy high enough to do a proper check.
"I think the argument being made here is one of those "we can't make a perfect solution so no solution works", which is nonsense."
I have seen this type of "argument" countless times reading HN. I always wondered if I was the only one who noticed. Thank you for calling it out. It is indeed nonsense.
IMO, if "tech" companies cannot exercise due care, then they are at fault. There is no exception based on some idea that "our company must be large and serve millions of people in order to make money therefore we should not be held to the same standard as a smaller company." If necessary "scale" and nonexistent or grossly reduced customer service comes at a cost (e.g., fraud), then "tech" companies should have to pay that cost, not anyone else.
"The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data."
IMHO, the amount of important stuff today that depends on the presumed integrity of an email address is astounding.
> The issue is just that they don't value their customers privacy high enough to do a proper check.
I think the real issue is that the backlash from politicians and the public for failing to respond to a legitimate emergency will be orders of magnitude larger than the backlash for disclosing some customer information.
The solution to that is having a well defined and understood mechanism to verify the police departments that the departments can easily be referred to (or look up themselves in advance) to fall back on.
For example, in the U.S. E911 services use a database of coordinates and other info to determine what police department to route you to based on location. Requiring an EDR to come from an agency in this database (or larger state and federal institutions that are well known) could solve a lot of this problem. Having a way to look up police badges might help as well, and is also just a good idea.
An EDR is essentially the same as some person on the street stopping you and saying they are police and need to commandeer your vehicle. It makes sense to verify that in some way (such as a badge), as otherwise even if you think a crime has just been committed, you could just as easily be giving a vehicle to the criminal as the police.
It shouldn't and cannot be the responsibility of the recipient to solve this. All the blame rests on the federal legislators, not companies which have to process requests from entities without any clear mechanism to verify them.
> It makes sense to verify that in some way (such as a badge)
But that’s hardly real verification, a badge is trivial to fake.
Yes, but in certain situations it is very unlikely to be present. It's not a great way to verify an officer of the law, but it's better than nothing, and lack of it is a good indication that someone is not one.
> Why should MS in the US somehow respond to a request from police department in Cuxhafen in Germany?
If a non-US company does business in the US, most people would expect the business to also answer to US law enforcement. You can't just operate a business in a country and not follow the law of that country. Same applies the other way around: you do business as a US company in Germany, you better follow German law. Hence companies tend to have HQ in one country, and then subsidiaries in other countries, who know how the local market and laws work.
That's the point though. MS US headquarters is not responding to these requests. MS {local country} branch is responding. And I'm sure the people that work in country X know how to contact country X's police.
This is really a non-issue being blown up into some unsolvable conundrum by people in this conversation that want to find problems in using a phone book.
So much phishing potential in the links below. I know every GP surgery in the UK that uses a Windows server is accessible online and Shodan can give away so much information; let's hope people like Cisco and Netgear don't have any zero days.
"This clearly isn't working. We have evidence of it not working." So needs to be shut down immediately because nobody agreed to this level of failure.
From there the next argument becomes "This cannot work." I.e. there can be no adequate solution. But hey, if you disagree with that part and you've got a solution that you think /can/ work, let's get it out there and analyse it and see if it's worth the risk.
Note that data in Cuxhafen (??) Germany won't be partitioned from your home town and stored in a different and differently secured database. So the weakest link in the weakest country is the one relevant to your data security.
Please note I'm not agreeing with Krebs's argument here. I haven't got all the information to process it, nor have I had time, nor is this my area of expertise, nor do I have to have a firm opinion on everything.
I'm just spelling out Krebs's argument because I really don't care for your summary of it.
If you have a solution you think can work, let's hear it.
I'd be curious to hear from anyone with legal knowledge about the potential consequences (if any) of not swiftly complying with an EDR. I could imagine a scenario where the law was at fault, designed for a world before the internet in which police departments only ever need to subpoena local businesses.
Although, this:
> I bet you if a police department would request some business sensitive information they would not hand it over without going over the subpoena with a fine toothed comb.
This isn’t even an EDR specific issue — if someone makes an extraordinary request you should verify it, and if you don’t you are probably falling for scams constantly.
If a supposed police officer shows up at my door, and I have any doubts as to their authority, I'm supposed to call the publicly listed phone number of the local police department to verify. Seems that should be the very minimum standard of verification employed in this scenario as well ("our robot can't do that" isn't a very compelling excuse to me).
I think calling is a good verification step, but note that if a police officer shows up at your door with a warrant, you're not allowed to verify their authority before letting them in. Without knowing the particulars of these requests, asking "just wait while I verify your details" may not be legally sound.
Thanks for the clarification, I should have added "IANAL" of course. Not being able to verify the identity of an officer / warrant does sound a bit like the real-world equivalent of this issue unfortunately (though the supposed remedy is high penalties for impersonating a police officer, a remedy that is a lot harder to pursue in these online cases) ;)
If only there was some secure technology capable of hierarchical accreditation and authentication that already ran on every single computer operating system that could resolve this situation for no cost beyond administrative overhead and was so easy to deploy that a small team could prototype a solution within weeks.
You mean the "secure" technology where countless barely accountable organizations across the globe can provide accreditation for any entity they want and it will be trusted without any hierarchical restrictions?
Or the one that is hierarchical in theory but provides no accreditation in practice and uses a completely insecure protocol? Or the protocol replacement for that technology that removes the hierarchical nature and replaces it with centralized entities that again get full authority to answer any request how they want?
Plus from the article:
> It involves compromising email accounts and websites tied to police departments and government agencies
If websites and emails can be compromised then the hackers also have a good chance of getting at certificates.
But the root problem isn't even that hackers can claim to be the police when making the requests but rather that the police can make these requests in the first place without getting a court order. "Police" is already a very large group of externally unaccountable actors that will include those willing to abuse these powers without the need for "hackers".
Yes. Issues of poor implementation are not my concern. I think you are very wrong about the difficulties you suggest. What you identify as the 'root' problem is a policy problem best addressed by legislation and not really relevant here. Please don't misunderstand that to be a rejection of your beliefs about policy.
> there could be any of the thousands of police departments in the world requesting the EDR?
Just wanted to point out there are ~18,000 police departments in the US alone. So, the request doesn’t have to come from an unlikely foreign country for this scam to be a problem. Not that this fact absolves the ISPs and others from failing to secure their data via an appropriate verification process.
> The problem seems to be that tech companies approve EDRs without much checking. Then the argument somehow becomes it is essentially impossible for them to check because there could be any of the thousands of police departments in the world requesting the EDR?
What I got from reading is that there are conflicting concerns. An EDR needs to be answered as quickly as humanly possible; they exist for cases where it's likely that someone would die while waiting for a warrant/subpoena. Secondarily, tech companies really don't want to have a headline like "School bombed because $socialMediaCompany refused to hand over records in time".
The competing concern is privacy. The problem isn't directly with the number of police departments, but that there's no way to automatically authenticate the requests. They'd have to manually look up the police department, call them, and try to get routed to the officer that supposedly sent the request.
The difficult part is that in order for EDRs to be at all useful, they need to be faster than getting a warrant. They can probably get a warrant faster than Facebook or whoever can finish their game of phone tag to check on the request. So right now, they're checking the only thing that can be validated within the request itself: the domain name.
The solution he calls out seems workable: a global identity provider for police through the FBI or another government agency. In my rough interpretation, we could use something like GPG to sign the requests and have the FBI run a keyserver. We would need to secure the GPG keys, but if they were kept offline on USB sticks except in the rare case of submitting an EDR, that should be far better. It would require physical access to the keys to submit an EDR, and tech companies can infer that someone has physical access to the keys by the signature.
Usually when the solution is "just remember to do X", you've found a bad solution.
Re-approach the problem from a different perspective: companies don't value their customers' privacy enough. What solution can we put in place to force them to care about their customers' privacy? Can we force them?
You have to start there for a worthwhile solution.
> The issue is just that they don't value their customers privacy high enough to do a proper check.
It seems like the false positives (wrongly assuming a fake police department) will cause more present damage than true negatives (giving away data to scammers), because the damage this does is very much somewhere in the future (it takes a lot of time for a person to realise their data has been leaked, especially if it's not part of a dump).
It's not unverified. It's trust based on the email domain and hopefully DMARC etc. That's an OK trust model; it proves the request is coming from a government agency. In my opinion the issue is that police forces are not securing their email properly, which is a big issue, but not necessarily the tech companies' fault. Domain ownership is the trust model of the internet after all.
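Several comments above converge on the same point: the E911-style agency directory suggested earlier, the "call the publicly listed number" rule, and the "it's DMARC, not unverified" reply just above. The example below, added here and not taken from the thread or from any provider's real intake code, puts those pieces together as a defender would. It assumes a constructed agency directory (standing in for an independently maintained registry) and three constructed inbound messages. The decision logic only proceeds when the sender domain both passes DMARC alignment in the receiving mail server's own Authentication-Results header and appears in the directory, and the callback number is always taken from the directory, never from the message body, so a lookalike domain with its own valid DMARC policy still gets rejected.

```python
"""Out-of-band verification of an emergency data request (EDR).

Added example, not from the discussion thread. The agency directory and
the e-mail messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: verified sending domain -> agency id and the phone
# number an intake team calls back. A real deployment would source this from
# an independently maintained registry (the E911 database idea above).
AGENCY_DIRECTORY = {
    "police.springfield.example": {"agency": "springfield-pd", "callback": "+1-555-0100"},
    "pd.shelbyville.example": {"agency": "shelbyville-pd", "callback": "+1-555-0199"},
}


def sender_domain(msg):
    """Domain of the RFC 5322 From header, lower-cased (empty if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def dmarc_aligned(msg, from_domain):
    """True only if an Authentication-Results header records dmarc=pass for
    exactly the From domain. Caveat: only trust headers stamped by your own
    MTA; inbound copies of this header must be stripped at the edge."""
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            clause = clause.strip()
            if not clause.startswith("dmarc=pass"):
                continue
            m = re.search(r"header\.from=([\w.-]+)", clause)
            if m and m.group(1).lower() == from_domain:
                return True
    return False


def evaluate_edr(raw_message):
    """Return a decision dict. Never returns subscriber data; a passing
    request is only queued for a callback to the directory's number."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    entry = AGENCY_DIRECTORY.get(domain)
    if entry is None:
        return {"decision": "reject", "reason": f"sender domain {domain!r} not in agency directory"}
    if not dmarc_aligned(msg, domain):
        return {"decision": "reject", "reason": f"no aligned DMARC pass for {domain!r}"}
    # Phone numbers inside the message are ignored on purpose: the requester
    # controls the body, the directory is what we trust.
    return {"decision": "hold-for-callback", "agency": entry["agency"], "callback": entry["callback"]}


# Constructed message 1: listed domain, aligned DMARC pass, body carries a
# number we must not call.
LEGIT_EDR = """From: Det. Example <records@police.springfield.example>
To: lawenforcement@provider.example
Subject: EDR - exigent circumstances
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=police.springfield.example; dkim=pass header.d=police.springfield.example; dmarc=pass (p=reject) header.from=police.springfield.example

Please send subscriber records for account 12345 immediately. Call me back at +1-555-0123 with questions.
"""

# Constructed message 2: lookalike domain the sender fully controls, so DMARC
# passes for it, but it is not in the directory.
LOOKALIKE_EDR = """From: records@police-springfield.example
To: lawenforcement@provider.example
Subject: EDR - exigent circumstances
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=police-springfield.example; dkim=pass header.d=police-springfield.example; dmarc=pass (p=none) header.from=police-springfield.example

Urgent, please respond.
"""

# Constructed message 3: listed domain in From, but the receiving MTA saw
# DMARC fail, i.e. a plain forgery of the header.
FORGED_EDR = """From: records@police.springfield.example
To: lawenforcement@provider.example
Subject: EDR - exigent circumstances
Authentication-Results: mx.provider.example; spf=fail smtp.mailfrom=unrelated.example; dkim=none; dmarc=fail (p=reject) header.from=police.springfield.example

Urgent, please respond.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_EDR), ("lookalike", LOOKALIKE_EDR), ("forged", FORGED_EDR)]:
        print(name, evaluate_edr(raw))
```

The point of the structure is that nothing in the request can make the check pass on its own: the domain has to be pre-registered, the alignment verdict comes from the receiving server, and the callback target is fixed before the request arrives. That is the "phone book" several commenters describe, with the DMARC check as the minimum automated gate in front of it.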