return to table of content

Verizon fell for fake "search warrant," gave victim's phone data to stalker

pseingatl
91 replies
16h18m

Forging a judicial order is trivial. There is no way Verizon or anyone else knows if there is a specific form used in one of the 1700+ counties that comprise the US. Federal subpoenae are even easier because they are uniform and are filed under seal. Verizon can't call the Clerk's office and ask, "did the grand jury really issue a subpoena?" The documents are written on simple copy paper and lack any kind of security features. Expect more of these as word gets out. Also, it's easy enough to file a small claims case and have a subpoena issued. Usually, there's no one to quash the subpoena. Civil subpoenas take a little longer than criminal ones and you have to pay to have them served, but so what?

usrbinbash
31 replies
11h31m

The documents are written on simple copy paper and lack any kind of security features.

Wait, sorry, sorry, sorry, hold up, full stop...could you repeat that again?

These orders arrive AS GODDAMN PAPER PRINTOUTS?!?

Am I to understand that official orders that instruct telco providers to provide the private communication data of people, are transmitted as smushes of pigment on thin pieces of wood-paste, instead of a digitally signed file that the recipient can trivially verify with the ordering entities public key?

eqvinox
11 replies
11h13m

Am I to understand that official orders that instruct telco providers to provide the private communication data of people, are transmitted as smushes of pigment on thin pieces of wood-paste,

Yes. Or a PDF attachment on an e-mail, possibly scanned from something that was printed a few minutes earlier because someone had to sign it with a pen.

trivially verify with the ordering entities public key

You're underestimating the complexity of establishing a PKI infrastructure to handle federal, state and local authorities, signalling which keys have what exact authority, revoking compromised keys, … and then doing tech support for some redneck judge that owns more guns than electronic devices.

hnfong
6 replies
10h55m

Having a cert from a validated *.gov CA doesn’t seem that complicated, or at least, should be “just as complicated” as setting up properly TLs certs.

Getting the tech adopted might be difficult (like you say some judges may not see the point of it) but the PKI doesn’t have to be super complicated…

Having different authorities provide signatures for different types of documents may or may not be needed, in theory it is more secure, but just checking the domain name suffix should be a good start. And every tech literate person has a general idea how to tell “valid” domain names from phishing sites, so the scheme translates well

ben_w
4 replies
9h52m

Having a cert from a validated *.gov CA doesn’t seem that complicated, or at least, should be “just as complicated” as setting up properly TLs certs.

You're not wrong, but you are overestimating the tech skill level of the average non techie.

I'm travelling right now, and a surprising fraction of restaurant websites here aren't https.

hnfong
3 replies
5h6m

Yes, but we're talking about the judiciary here, not restaurants... Surely they'd have a minimal IT department...

pixl97
0 replies
10m

Surely they'd have a minimal IT department...

That is horrifically underfunded, so the pay is low, so the employees get poached all the time. I have a bit more insider information here than most as I had family that has worked in the court system and law enforcement 20+ years, and was good friends with IT at the county.

These counties are generally so busy fixing past problems there is zero time, budget, and manpower to implement new technology like you're talking about. Seriously recovering encrypted systems is a major part of their time. As to the poaching, the number one 'company' that poached good IT people in the county was the feds. They tend to pay a lot more, and they too are generally critically understaffed.

Most IT people simply don't want to work for county/state/fed at the end of the day because pay isn't great, and for that not great pay there are a lot of restrictions.

kotaKat
0 replies
1h5m

I pointed this out in a previous post elsewhere but there are places out there with little to no manpower, period.

https://www.wwnytv.com/2023/11/15/st-lawrence-county-struggl...

A single judge, and likely, a single court clerk, are the only people in many, many rural courthouses. And sometimes, that judge themselves might have been able to get into the job with one vote as a joke. Neither of them could have any IT support, just a couple laptops from the county if that to help them out.

These courts out there run a lot more on paper and fax and occasionally normal email (https is 'secure email' right? /s). They'd have zero clue what a CA even is, other than the Golden State.

ben_w
0 replies
4h46m

You might hope so, but I have no reason to think they are magically more ept than anyone else.

I don't know much about the American ones, but the British ones are complaining about the ceilings falling down due to chronic underfunding of basic maintenance; getting the digital infrastructure right is probably lower down their wish list than ceilings that don't collapse:

https://www.standard.co.uk/news/london/courtroom-shut-ceilin...

alwaysrunning
0 replies
4h59m

But you also assume they wouldn't give up using it due to frustration.

mulmen
3 replies
6h39m

and then doing tech support for some redneck judge that owns more guns than electronic devices.

This is an unnecessary dig. Not all "rednecks" are dumb. They got us to the moon. Not all people who resist tech "innovation" in their space are "rednecks" or "dumb". They probably know a whole hell of a lot more about their domain than you do.

Be cautious of the toxic sense of superiority tech people have that they somehow know better than the unwashed masses, even before immersing themselves in the domain to understand and then solve problems.

Take delivery apps that have somehow made the previously thriving small business of delivering food a giant industry that loses money for everyone involved.

Adding a tech doesn't automatically make things better. When people resist your shiny new (and likely ill conceived) tech that doesn't mean they are dumb. They might just recall the sting from last time.

bdzr
1 replies
4h51m

Take delivery apps that have somehow made the previously thriving small business of delivering food a giant industry that loses money for everyone involved.

I agree with everything you said but this. It seems like an industry with sustainability problems where the consumers are winning big. It also seems like it ignores the small businesses that could never support delivery drivers in the first place. I'm not super familiar with this industry but I hear similar arguments against ride sharing which is at worst 10x better on the consumer side than it was before.

Moru
0 replies
4h7m

The problem with the big tech trying to fix problem in one country can turn out destroying something that actually works better in some other country. Here in Sweden we have had something called e-invoices for a very long time. You just ordered something and the invoice ended up automatically on your bank. Just a few clicks to pay all your invoices no matter how many.

Now there are several different payment apps that wants to fight for the customers and they all require you to get their app. Or you will have to jump through five hoops to get to pay the invoice. It's called rentseeking I believe...

eqvinox
0 replies
2h33m

Not all "rednecks" are dumb.

I didn't call anyone dumb. Why did you jump to that?

If I translate "redneck" to my native language, the result is roughly "someone who lives away from civilization", "lacking higher education", "anti-progressive and behind the times". Those are exactly what I was aiming for, as that's the kind of person that will (by definition, essentially) have the most & worst IT support issues.

(Also—what's your definition of "redneck" when you say "rednecks got us to the moon"? By my understanding, at the point you start working on the space program you're not a "redneck" anymore…)

wruza
4 replies
9h8m

It’s amusing how much HN expects from “the outer world”.

Companies can adopt new tech in 1-2 years. Industries have around 5-10 years inertia. Bureaucracies like courts still live in the past millenia. You should be happy that they are using email.

The best security measure they will implement after this article going wide is something like “only emails from @<domain> are valid, but we’ll destroy you anyway in case a judge mistakenly sends you an order from his own gmail”.

mulmen
3 replies
6h44m

Bureaucracies like courts still live in the past millenia. You should be happy that they are using email.

This is a feature. We don't want courts to "move fast" because the consequence of breaking is far more severe than losing a few files on Google Drive.

fallingknife
2 replies
5h24m

If you don't move fast with new tech, you are broken. E.g. the article in this post.

respondo2134
0 replies
4h55m

The implied assumption here is that everything needs to adopt new tech. Lots of things are essentially "as perfect as we're going to get them" and everything new is a very marginal improvement or a big step backwards.

mulmen
0 replies
3h43m

The only thing broken is Verizon’s lawyer’s phone.

vintermann
2 replies
10h9m

instead of a digitally signed file that the recipient can trivially verify with the ordering entities public key?

They wouldn't want that, because they don't want it to be easy to prove that they demanded surrender either.

ben_w
1 replies
6h48m

Why not?

ethanbond
0 replies
5h3m

Yeah this sounds like fringe government boogeyman stuff.

csunbird
2 replies
7h16m

Oh wow! In my country, legal documents like this arrive with a QR code or confirmation code attached that can be used to verify legitimacy of the document on the official e-government internet site.

deaddodo
1 replies
5h3m

Every valid warrant has a verification authority contact. You are allowed to withhold access until verification can be made, and generally it can be done in 5-30mins.

I worked in a data center once, and we would have FBI contacts that would come in regularly to access criminal data (CP, terrorist communique, heavy piracy, etc). We would verify the warrant before secure entry+accompany them to the specific requested entity. I know procedures are similar + even more stringent for the medical field. Things get even more complex for small local authorities, but the idea that "just having a slip of paper" is enough is ridiculous; unless the person accepting the request is dumb/lazy/uninformed/undertrained/etc, as in any social engineering feat (in your case, the responsible person decides to not bother with the QR because their phone connection is bad, it takes too long, etc; for example).

PrimeMcFly
0 replies
32m

You are allowed to withhold access until verification can be made, and generally it can be done in 5-30mins.

So it's not like on TV where if they have the paper they can just show it to you and barge past you by force?

For arrest warrants that makes sense, but they portray search warrants the same way.

Schiendelman
1 replies
11h25m

Yes, and until we pass real consequences for data breaches - protections for individuals - none of this will change.

bdavbdav
0 replies
9h19m

I think their point is that the fault here is on the system that requires people comply with non verifiable warrants, as opposed to the people handing over the data.

yladiz
0 replies
4h54m

The point of sending a letter, compared to an email, isn’t only about proving who issued the subpoena, but also being able to prove it was received. You can’t really prove an email was received, but you can send a verified letter proving it was delivered.

wayfinder
0 replies
8h2m

I mean digital signatures have really only been a thing for like 20 years, and barely because people only started caring about it more in the past 10.

While the US has been around for nearly 250 years.

And truthfully, despite a highly technical crowd, how many of y’all have actually ever sent or received a digitally signed email? If you’ve tried, you know why no one ever does it.

multjoy
0 replies
7h7m

The much-derided SnOOPEr'S CHarteR in the UK (which actually formalised and regulated stuff that was already being done) means that while it's not a judge signing off warrants for comms data, it involves police gatekeepers (and believe me, getting a warrant to blow someone's door off is a piece of piss compared to writing up a comms data application), who then send it to an independent decision making body who then return it to the police who then upload the request to CSP systems using a pre-agreed portal with appropriate authentication.

This touchstone of 'judicial oversight' is frequently nonsense. You can't tell me that every judge who has to give a warrant for a DUI blood draw at 3am in smalltown US is giving the matter any kind of scrutiny, nor that that judge has any legal or judicial experience at all.

hn_throwaway_99
0 replies
11h9m

Am I to understand that official orders that instruct telco providers to provide the private communication data of people, are transmitted as smushes of pigment on thin pieces of wood-paste, instead of a digitally signed file that the recipient can trivially verify with the ordering entities public key?

Was honestly having a difficult time determining (a) if this was sarcasm or (b) you just have no idea of the technical competence of many of these jurisdictions, not to mention the complexity of managing this type of public key verification system for the number of jurisdictions involved.

esaym
0 replies
11h21m

What, gmail is better?

autoexec
0 replies
10h54m

At one place I worked for we used to get them via fax! That said, you could call and verify that the person the document claimed to send it actually did.

chatmasta
24 replies
16h1m

I'm always torn about this kind of exploit. On the one hand it's obviously vulnerable. On the other hand, securing it would require centralization of authority. I think I'm actually okay with accepting the tradeoff of insecure verification of "legitimacy," in exchange for decentralization of police power.

But it's also worth noting that the "vulnerable" system is not the centuries old system of policing. If you get arrested by a fake cop, that system affords you legal remedies - it might take a few days but you'll see justice. The vulnerable system here is Verizon's process for responding to inbound messages claiming to be search warrants. And when this system fails, the victim has effectively no remedy - their stalker already read the data that Verizon sent him.

So that's even less of a reason to increase centralization of the policing system. It won't solve the problem because the problem is with a different system.

jncfhnb
9 replies
15h55m

Sorry who do you want having the right to subpoena these records besides the government?

chatmasta
8 replies
15h51m

There's more than one "government," that's what I mean by decentralization. There are thousands of courts throughout the country. I don't want some federal agency to be responsible for verifying the legitimacy of every warrant sent from every court.

gruez
7 replies
15h18m

How about having the federal government be responsible for publishing a list of public keys for each court jurisdiction?

chatmasta
5 replies
14h25m

Does the court in each jurisdiction need to submit their public key for inclusion? Who in the federal government is responsible for verifying that a legitimate court submitted the key?

What if the head of the agency responsible for verifying these courts institutes a policy that courts will lose their verification for rulings against abortion?

What if two courts in neighboring jurisdictions claim to be the same court? They each submit a different public key, but both can verify they hold the private key that pairs with the public key they submitted. How does the federal agency even verify the identity of a courthouse? Do they need to physically visit them and meet with the judge to tap a Yubikey?

What if somebody steals the YubiKey from the judge? What if a referendum dissolves a jurisdiction?

What is the process for revocation of verification?

gruez
4 replies
13h41m

Most of the concerns you raised are either non-issues or can be resolved a minor amount of legal legwork. Even if the system isn't perfect and there are edge cases that it can't handle, having any sort of key registry is better than the current system where anyone can claim to be a judge, and it's up to some lowly corporate employee to do the verification themselves.

Teever
3 replies
12h34m

As a non American it's pretty comical watching Americans make mountains out of molehills for problems that are solved in other countries.

staunton
2 replies
7h23m

Which country has such systems?

gruez
0 replies
2h36m

A national id system, for one.

Teever
0 replies
1h21m

I've never looked into this specific issue but I would imagine that the Estonian e-Identity system has solved this specific problem among many others.

https://e-estonia.com/solutions/e-identity/id-card/

h_r
0 replies
14h55m

That's what I was thinking... Why can't we solve this with non-repudiation crypto that is already available?

pas
5 replies
15h56m

every judiciary authorized to issue warrants should simply put them on their own website, put some id on the paper, folks can verify. what else is needed? these aren't supposed to be secret anyway

gpm
2 replies
13h45m

I believe warrants are frequently sealed (secret, at least temporarily) to prevent people from destroying evidence/fleeing...

jszymborski
1 replies
13h22m

Right, but I can imagine a system where you can enter a "subpoena ID" and it can tell you if it's valid and when it was issued, possibly even which jurisdiction.

That should be enough info where folks can verify the validity of their subpoena w/o revealing too much data. Including date of issuance and jurisdiction should help prevent using stale IDs to scare someone.

If the subpoena is not sealed, the ID would show all the subpoena info, further narrowing down the ability to replay stale IDs.

I'm definitely missing something obvious though because technical solutions are often not a panacea in cases like this

pas
0 replies
8h11m

no, I don't there's anything missing, other than the usual apathy toward systems reforms in most societies.

this would probably work pretty well for these "utility-like big gatekeeper corps" which handle a shitton of subpoena requests, of course it doesn't help if a SWAT team is executing a someone-shout-and-knock-with-that-huge-doorfucker-implement on the wrong house.

in many countries there are state-managed online id systems allowing sending documents to legal persons ... which would make it really really trivial. send the warrant to the department executing it and to the department handling these at Verizon. (I wouldn't be surprised to learn that most of the US states already have something like this, but not used like this.)

it can be optional/voluntary for natural persons, it can be mandatory for companies above some size, etc.

chatmasta
1 replies
15h48m

That's the least bad solution available IMO, since the Internet and DNS is the closest thing to decentralized we have available to us. But it requires a special TLD available exclusively to courts, which would make the TLD registry a centralized authority. What if a political activist refuses to validate the TLD of a court in the middle of Texas because of a disagreement with a ruling?

CaliforniaKarl
0 replies
15h10m

But it requires a special TLD available exclusively to courts, which would make the TLD registry a centralized authority.

The .gov domain already exists: https://beta.get.gov/domains/before/

smsm42
2 replies
15h8m

There's a solution for this, which is relatively easy to implement, if we dare to. Recognize data privacy as a right. Enable the victim to sue the leaking party, with easy recovery and costs, for any bad subpoena accepted, and pay substantial fine for violating the rights. Very heavily substantial if it leads to subsequent other damage (such as stalking or violence). Miraculously, the data hoarders would find ways to verify subpoenas (and design protocols and pay for development of necessary tools) very quickly, I think.

Of course, this would require such law to actually survive the lobbying block of the data hoarders in the first place, and that's not likely to happen, alas.

kevin_thibedeau
1 replies
11h57m

We need an embarrassing data leak on Congress before they will be motivated. They covered their asses quick when Bork's video rentals were publicized.

autoexec
0 replies
10h47m

Even then they might likely just pass a law that makes it illegal to leak the data of a member of congress while leaving the rest of the American public screwed.

cortesoft
1 replies
14h42m

And when this system fails, the victim has effectively no remedy - their stalker already read the data that Verizon sent him.

Shouldn't the remedy be the guy goes to jail for a long time for forging a search warrant?

KennyBlanken
0 replies
14h31m

You're assuming the perpetrator can be identified, the US government gives a shit enough to pursue the matter (unless the victim is someone economically or politically elite, they won't), and the perp is somewhere our government can reach them in terms of extradition.

The most relevant example I can think of would be a CCP hacker forging a search warrant for a US-based political activist. The government would probably care, but good luck identifying some random Chinese Army hacker, much less extraditing them.

timthelion
0 replies
9h28m

Cryptographic signatures exist. This is a trivial exploit to solve...

ramraj07
0 replies
15h4m

They could just come up with a standard hologram sticker that certifies all govt orders..

a_subsystem
0 replies
13h49m

Why can't the police come to one of the Verizon stores in person and have a manager there verify by calling back the officially posted number of the department they are from?

eqvinox
19 replies
14h50m

A search warrant is not a sealed subpoena, and you should always at least be able verify the people who issued it exist and have the authority to do so. I would hope you can also verify some identification number and major details, but I only know the German legal system, not the US one.

KennyBlanken
17 replies
14h35m

Literally nothing stops these companies from having a staff member look up the courthouse's contact info on the official court website, call a clerk, and verify the warrant....except they don't want to pay for the labor to do so.

photonbeam
15 replies
13h24m

Perhaps they should be reimbursed for the cost

lnxg33k1
13 replies
12h23m

Perhaps if they can't operate without being a danger to society they shouldn't be allowed to exist

ZhadruOmjar
10 replies
12h3m

Is offering phone services to the public being a danger to society?

eqvinox
9 replies
11h48m

Responding to legal requests is part of operating a phone service, and apparently they failed to do that without seriously endangering a stalking victim.

I have no idea what exact laws and liabilities apply here, but my feeling is there's very likely going to be an undisclosed civil settlement between Verizon and the victim, and maybe some laughable fine (let's say ≤$10k) for violating privacy laws on the criminal side.

multjoy
4 replies
7h4m

If the law is "you will hand over this data in response to a warrant", how did they fail?

The fact that the US warrant system has holes capable of driving a truck through isn't the fault of Verizon - there exists no sensible way of validating a warrant.

mulmen
2 replies
6h30m

If there's no way to validate a warrant how does Verizon validate compliance?

ethanbond
1 replies
5h0m

There is a way, that’s the whole point. They can contact the issuing authority, just like you do when you get any letter or email asking you for sensitive information.

mulmen
0 replies
3h11m

Yes, exactly.

cogman10
0 replies
6h16m

If the law is "you will hand over this data in response to a warrant", how did they fail?

Just because a piece of paper claims to be a warrant, doesn't mean it is one. Warrants and subpoenas contain contact information for the person that issued them. It is on verizon to verify that the warrant the received was legitimate and if it wasn't, to report to the DA that someone is issuing fake warrants (which is a crime all by itself).

Subpoenas (like verizon was issued) are never immediately actionable. You have a right to appeal subpoenas. If the subpoena had a "You must respond right now" trigger it'd eliminate that right. Something I'm CERTAIN verizon knows because they file motions to quash all the time [1].

[1] https://casetext.com/case/in-re-verizon-internet-services-in...

InCityDreams
3 replies
11h40m

Oh, if only there were such a thing as GDPR (or the victim sues in Cali).

saati
1 replies
10h26m

The perp is an individual, GDPR only applies for organizations.

eqvinox
0 replies
9h38m

We're talking about Verizon's liability here, not the stalker.

eqvinox
0 replies
11h26m

I don't think it'd actually be a GDPR case in EU; it's more of a wiretapping case - note some of the victims communication was revealed. (GDPR violations might be a secondary charge, but wiretapping would be way more significant.)

That said it really depends on the exact legal framework (which I have no clue about) and eagerness of a prosecutor to make a case. Hence my "maybe".

FWIW I have a side job at a small community ISP in the EU and the GDPR was a no-op for us. The requirements for anyone operating in the telco space were already stricter. If I remember correctly the GDPR fines are higher though, whereas wiretapping (& co.) laws are much more likely to land you personally in jail.

(I was being intentionally vague with "privacy laws"; I do include wiretapping charges in that but, again, I don't know the US legal situation.)

spacebanana7
1 replies
3h53m

Law enforcement should be free, or at least paid for by generic taxes.

If I host a movie night with some friends, and an altercation occurs between them, then it's unjust for the police to create unreasonable cost on me as a host. They shouldn't tear up the house or create lots of time consuming paperwork without compensation.

You may think that my movie nights are inherently a danger to society. But even if that's correct, we should create direct legislation to discourage this dangerous activity rather than using search processes/warrants to impose cost in an approximate and roundabout way.

lnxg33k1
0 replies
2h28m

You’re not a company, if you host a movie night privately its different than a company that handles and has the responsibility of the personal data of millions of people, I am not even sure wtf I am reading, do you guys even consider scale and contexts when writing things or just throw random examples around

But also the cost for you would be the time to call law enforcement, for them is the time to verify the validity of a document, so its just nonsense

NoToP
0 replies
8h36m

Generally speaking, when you get a subpoena you can demand "conduct money" precisely to reimburse this cost. Otherwise the subpoena is unenforceable. Not sure exactly how warrants work

autoexec
0 replies
10h50m

except they don't want to pay for the labor to do so.

I doubt it wouldn't have cost them anything more than what they're already paying to staff their legal department.

Johnny555
0 replies
13h12m

and you should always at least be able verify the people who issued it exist and have the authority to do so

I don't think that would have helped in this case since although it was based on an affidavit from a fake police officer, the name of a real judge was used to approve the fake warrant.

What would have helped is Verizon calling the court and verifying that they issued the warrant.

cogman10
6 replies
6h24m

Verizon can't call the Clerk's office and ask, "did the grand jury really issue a subpoena?"

Yes, they actually can. There should be contact information associated with a subpoena that verizon can both verify are legitimate and then directly contact to validate the subpoena.

This comes up in the medical field and, due to much higher penalties if they respond to a fake, medical staff get trained to do just this [1]. HIPAA doesn't care if you are tricked into revealing HIPAA information.

[1] https://www.hipaaexams.com/blog/medical-record-subpoena

yladiz
5 replies
4h58m

If the subpoena is fake, and contains fake contact info (like a phone number), how does the receiver verify it is actually a real number from the courts? I guess the phone numbers are public record?

hiatus
1 replies
4h32m

The phone company can't validate a phone number?

pixl97
0 replies
19m

Who pays for the phone number may not have anything to do with who's using the phone number. It's not like the old days where everything has a copper wire going to one particular place.

I mean if the registered owner says "TXSTRGCT" is that the "Texas State Regional Court" or something a spammer setup over some VOIP service?

dehugger
0 replies
4h39m

Independently validate contact information! don't use what's on the letter/form/email. This is basic security for everything, from Grandma's savings account on up.

The State/Fed have public official websites with this information.

corobo
0 replies
4h38m

Much like when you receive mail from your bank, you call them via a known number. Never trust user input, even irl.

chislobog
0 replies
4h47m

Oddly enough this is more complex in places with multiple jurisdictional overlap.

Imagine a city with police force of 6,000 combined with country, federal, state, and university LE. You might have a total of 20 neighboring or overlapping agencies ranging from 6 to 6,000 employees.

Personal cellphone numbers are used in LE sometimes, whatever one might think of that practice or implications for discovery and preservation.

hn_throwaway_99
3 replies
14h33m

Forging a judicial order is trivial.

That's like saying forging a plea from a Nigerian prince is trivial. Verizon should be deeply embarrassed by this - I mean the initial request came from a proton account with misspellings and grammar mistakes of a child.

I don't know how Verizon does it, but I have a friend who works in the "respond-to-law-enforcement department" at one of the FAANGs. Given the company, they get tons of legal requests for info, but also tons of fraudulent ones, not to mention ones from real governmental organizations but that are dubious that they challenge. Point being they have extremely detailed processes and technology to respond to these requests. Verizon is the biggest cell phone company in the US, they can afford to not look like a total clown show in this regard.

gpm
1 replies
13h42m

I mean the initial request came from a proton account with misspellings and grammar mistakes of a child.

Many phishing attempts are shockingly bad like this - but that doesn't make it difficult to not have mispellings and grammar mistakes and come from a vaguely plausible domain (gmail?). If your defense against phishing relies on your adversary not knowing what a legitimate request looks like - it's not a very good defense.

hn_throwaway_99
0 replies
11h14m

Two points:

"Normal" phishing is a bad example, because many phishing emails notoriously use misspellings and bad grammar on purpose because scammers don't want to waste their time on people with half a brain, they only want people dumb enough to respond in spite of the ludicrous misspellings. But in this Verizon case, that logic doesn't apply, because there was only a single targeted recipient.

With respect to "If your defense against phishing relies on your adversary not knowing what a legitimate request looks like - it's not a very good defense", I wholeheartedly agree. My point was only that the fact that Verizon responded to this fake subpoena despite the reddest of red flags makes me think that they must have horrible procedures generally for verifying these types of requests.

mariuolo
0 replies
14h8m

Verizon should be deeply embarrassed by this

Companies have no feelings, only pockets.

Make carelessness expensive enough and they will care.

tiahura
0 replies
15h59m

Verizon can't call the Clerk's office and ask, "did the grand jury really issue a subpoena?"

Says who? I'm not aware of any rule or statute that prohibits the recipient of a subpoena from confirming with the court that it is legitimate?

Usually, there's no one to quash the subpoena.

There's always someone who can move to quash - the recipient. There's usually two people - the recipient and the opposing party.

A federal subpoena includes the rule on how to do it right on the subpoena. https://www.uscourts.gov/sites/default/files/ao088b.pdf

As a side note, there are a myriad of potentially applicable statutes and case law relating to obtaining phone records. Depending on what was requested, a subpoena may not be required.

NoToP
0 replies
8h40m

Usually subpoenas and search warrants come with a stamp, and more importantly records are returned to the court registrar, not handed over directly to the person claiming to be servicing a court order. The registrar would presumably say "wtf we didn't order this" and then the gig is up.

0xDEADFED5
0 replies
15h30m

cryptome has been reporting on this shit for a long time. here's a document from 2010 that was the first result for for my first search:

https://cryptome.org/isp-spy/le-tel-spy.pdf

piperswe
27 replies
18h28m

It’s wild that the primary way of validating an order was signed off by a judge is by looking at an easily forgeable signature.

aidenn0
15 replies
17h47m

Forging a judges signature, by itself, will get you jail time. So will impersonating a police officer in most states[1]. By taking this method of locating the woman, the stalker basically guaranteed himself prison time; plenty of stalkers do some really scary stuff without getting sentenced to any time in prison.

1: It really varies; surprisingly enough it's not a felony in all states, and in at least one state, it's only a felony if there is intent to benefit from the authority granted.

jonhohle
5 replies
17h11m

That’s the thing with laws, they don’t prevent crime, they just enumerate it.

Any time I hear a politician say they are going to reduce a particular crime by passing a law, I wonder why existing laws aren’t enforced that likely already cover the behavior being targeted. I suppose that would mean planning, logistics, and execution - things politicians don’t know how to do.

bbarnett
3 replies
16h51m

There is most definitely a section of society which is held in check by laws, and their outcome.

Those that do not fit the above, having no impulse control, or perhaps mental issues, then laws result in stuffing them away.

It's not perfect. Yet every human society does this, and has done this for millenia. Consider that.

willy_k
2 replies
16h36m

Don’t you think it’s disingenuous to reduce “law breakers” to those people?

peyton
0 replies
15h31m

This story is about a dude who drove 30–40 hours to kill somebody and still had a quarter ounce of meth left in his Jeep when he got caught. He should serve some time.

bbarnett
0 replies
13h52m

Two categories, with no statement that this was all categories. And, one of the two categories are not law breakers at all, merely held in check by fear of laws.

Note I was responding to someone who effectly said laws don't prevent crime, and citing ways they do. Understand the context. My statement was not a 200 page dissertation on "those who might break laws" and a deep dive into societal ethics, etc.

bawolff
0 replies
16h31m

Laws enumerate both punidhment and ways to do things. The latter can prevent crimes.

E.g. there is a law saying you cant serve alcohol to minors. That in and of itself doesnt prevent beyond threat of punishment if caught.

There is also a law saying you have to check ids. Procedures like that do have a preventitive effect.

_dain_
2 replies
16h34m

>Forging a judges signature, by itself, will get you jail time. So will impersonating a police officer in most states[1]. By taking this method of locating the woman, the stalker basically guaranteed himself prison time

well good thing emails can only be sent within the USA

cqqxo4zV46cp
1 replies
16h2m

You aren’t giving any credit to the fact that, worldwide, society largely operates lawfully, in no small part thanks to the penalties associated with breaking laws. These things often have a way of working themselves out.

I’m not saying that Verizon’s handling of this was anything other than grossly negligent, but let’s not pretend that the sole solution to, well, any problem involve…what? Asymmetric cryptography?

Something being illegal, even in another jurisdiction, is certainly a deterrent for a lot of people.

darkerside
0 replies
15h56m

Exactly. Did you know bank safes are vulnerable to an easily fashioned homemade pipe bomb?

resoluteteeth
0 replies
5h8m

Forging a judges signature, by itself, will get you jail time. So will impersonating a police officer in most states[1]. By taking this method of locating the woman, the stalker basically guaranteed himself prison time; plenty of stalkers do some really scary stuff without getting sentenced to any time in prison.

OK, and what if it was, say, the Saudi government doing it rather than a crazy stalker in the US?

jacoblambda
0 replies
17h10m

the issue with this is that something like this shouldn't be an option for systems that can be trivially accessed anonymously.

Like if the system can easily be used to exfiltrate information or perform criminal actions but you can do so anonymously without much effort or more generally doing so remotely in a jurisdiction where you can never be prosecuted, then that system is broken.

Systems that rely on a person not wanting to get caught breaking the rules only work when A the person cares and B the person is capable of being punished. If that invariant doesn't hold up then the system is broken.

dclowd9901
0 replies
12h20m

Uhm, judging by the stalker’s rhetoric, I don’t think they were worried about going to jail.

bdd8f1df777b
0 replies
15h26m

Prevention is always better than cure. Some people are just not deterred by consequences, and by the time they face their consequences, the damage to the victim cannot be undone.

NoLsAfterMid
0 replies
14h42m

Oh well if there's jail time, surely people will be dissuaded and follow the law.

FireBeyond
0 replies
32m

1: It really varies; surprisingly enough it's not a felony in all states, and in at least one state, it's only a felony if there is intent to benefit from the authority granted.

You think that's surprising? Wait til you hear that in 35 states, a police officer can claim that a detainee, in custody, even handcuffed at the time, can 'consent' to intercourse with the officer. (That's even before you get to the lesser issue of why a police officer is having intercourse at work...)

vivekd
10 replies
17h51m

Seems like the government's fault. In every other area of even marginal importance we have better and more advanced authentication systems. Yet governments the world over continue to use signatures.

I mean something as simple as a piece of paper with a password that lets you find an authentication info in the court website. An email. Or even an automated phone or email address that lets you authenticate online

Eisenstein
7 replies
15h20m

The problem is that there are tens of thousands of counties with more judges and cops and each county has an IT department and are you telling me that there is any way to get them all to agree to some standard procedure that they are going to have to figure out, and then pay for? The only way to accomplish this would be to centralize it at least by state, like a DMV for courts.

vivekd
6 replies
14h22m

You don't need a standard procedure followed all over the world. You just need some authentication procedure that's better than an easily forgable signature. I gave a few examples of the top of my head in the parent.

This is why I would rather have profit hungry corporations manage things than governments. Because with government there's always a legion of people rushing to excuse and explain away even the most serious examples of ineptitude and mismanagement.

Would you accept it if Facebook or Google let people login to user accounts via signed letter? So why is a signature enough for a search warrant?

A signature is not an acceptable method of authentication in 2023 for important documents. I don't see how that's not obvious.

Eisenstein
5 replies
14h9m

What does having local governments have to do with huge monolithic corporations? If google was in charge of our physical security then a) it would be a de facto government b) it wouldn't care about individuals at all. Google doesn't let you log in with a signature not because they care about your security, but because it wouldn't be profitable. The problem is that when it becomes more profitable to sell your data to Corp B, who then has as a client Stalker Creep A, then they will do that. Making motivation money instead of public good is a strange way to achieve either of those goals.

vivekd
4 replies
13h30m

How would google lose money if stalkers broke into my Gmail? No it's because in every other area besides government we have standards of security because government is the only place where people tolerate, accept and even defend massive security lapses

There's a large group of the population that has an ideological frenzy to defend government no matter what so they're able to get away with terrible lapses like this

Eisenstein
3 replies
11h30m

Not sure I understand. You brought up a claim that for profit companies are better to manage people's physical and legal security needs than the courts themselves and law enforcement. That would de facto make them government -- so we are both defending government, just different forms. You think an undemocratic, for profit motivation would work to fulfill public good, and I disagree.

No it's because in every other area besides government we have standards of security

I guess you never heard of NIST?

I suppose private companies never get hacked and have all their customer's data stolen?

vivekd
2 replies
3h46m

You're getting lost in words not touching substance. I can distill it to this - If private contractors did warrants we'd be better off because there are no ideologically driven zealots who will defend and excuse it if they had weak security like a signature and nothing else. Thus they would be forced to have a basic workable security system. This can be extrapolated to every other area

Eisenstein
1 replies
1h3m

The problem is that when you say private interests should take over the duties of a entire branch of government, you are literally telling people you want an undemocratic system motivated by money above all else in charge of the public good.

If you mean something else, then you should find a better way to articulate it. People defending against what you are literally calling for is not 'ideological zealotry', it is pushing back against extremism.

vivekd
0 replies
2m

[delayed]

dclowd9901
1 replies
12h18m

This isn’t even close to true. Sure, for legal documents. But any cursory check of this document would’ve led right back to the judge in the court who supposedly signed it and a quick “hey did you actually sign this” would have rendered a very specific and correct answer.

Otherwise, the government uses all sorts of modern authentication mechanisms when dealing with sensitive materials.

spacebanana7
0 replies
3h40m

Unfortunately any information in the government can be accessed with the right legal document.

boomboomsubban
6 replies
17h54m

Wow, the emails even included the proton default signature of "sent with Proton Mail secure email." I can maybe see not noticing in the "from" field, but how does that not raise red flags?

I wouldn't be surprised if the answer is that police routinely use their personal accounts for such things.

marcus0x62
1 replies
17h51m

Or "nobody reads or even looks at email signatures."

bombcar
0 replies
14h28m

Look, it said it was secure right in the email. Very diligent. Much due.

whalesalad
0 replies
16h35m

Kevin Mitnick taught us decades ago that the weakest link in any environment are humans. Social engineering is so much easier than you’d imagine it to be.

shermozle
0 replies
16h16m

I worked at a telco next to the law enforcement liason team's office and overheard a lot of their calls and conversations. They were all ex-cops and extremely inclined to hand over anything requested, ever. They also weren't particularly sharp, shall we say.

n_plus_1_acc
0 replies
10h5m

"But it says secure"

acchow
0 replies
14h29m

This is probably intentional so they filter away all the agents that have a high guard about security.

midtake
3 replies
15h26m

It's almost as if such emails should be PGP signed.

eqvinox
1 replies
14h57m

And how do you establish that a particular PGP key is being used by an authorized party in an official capacity for a valid purpose?

If you said S/MIME, that'd actually make sense with the X.509 authority system, but PGP with its WoT is just entirely the wrong tool here.

midtake
0 replies
14h39m

Fair. For what it's worth I thought that PGP's trust system could operate in a similar manner to the X.509 authority system.

ycombinatrix
0 replies
12h59m

PGP has an archaic trust system that likely wouldn't have helped in this case.

forthwall
3 replies
13h13m

Outside of the insanity of the original story; I am most surprised of this tidbit

Glauner and the victim met in August or September 2023 on hamster.com, a porn website with dating features, and "had an online romantic relationship," the affidavit said. The victim ended the relationship, but Glauner "continued to contact or try to contact" her, the document said.

I had no idea porn site dating features were not scams/phishint attempts themselves

SandraBucky
2 replies
12h42m

Some OF content creators use these platforms to advertise their material.

InCityDreams
1 replies
11h45m

Darn, now i have to search for "OF".

lionkor
0 replies
9h37m

only fans

eqvinox
2 replies
15h25m

We contacted Verizon about the incident today and will update this article if we get a response. A Verizon spokesperson told 404 Media that the company is cooperating with law enforcement on this matter.

Someone at Verizon should maaaayyyybe have sliiiiiightly adapted that boilerplate response in this particular instance ;D

(Also, yes, no laughing matter really, but still very funny.)

--

FWIW I moonlight at a small community ISP and we've had to deal with the legal system twice. When we first got a request, we scratched our heads trying to figure out how to authenticate it. Our procedure became to discard all contact information from the warrant, find fresh contact from some trustworthy source (ended up being the official state webpage in both of our cases), and call them to verify.

… maybe Verizon should adopt that procedure, sounds like it would've caught this instance:

The Cary Police Department confirmed that no officer named Steven Cooper is employed by their agency, […]
twright0
1 replies
13h48m

Issuing a fake search warrant is presumably a crime, so they would/should be cooperating with law enforcement about it.

dundarious
0 replies
13h29m

Fake law enforcement, or real law enforcement? That is the intended joke.

2-718-281-828
1 replies
10h8m

when i had to liquidate my mother's life i found it sometimes rather scary how much harm you can potentially cause by forging two simple pieces of paper featuring signatures noone can verify and some stamp (death and heirship certs) often just a scan or photography by email or being nice on the phone is all that it takes to do pretty much anything. only few things like closing bank accounts sometimes require personal presence and authentication by id. you just need to know what some piece of paper looks like and the world lies at your feet.

unforgivenpasta
0 replies
3h29m

It is! This video is a bit old now but it's still so unbelievable how easy it was for the speaker to "kill" people (in Australia)

https://www.youtube.com/watch?v=9FdHq3WfJgs

xyst
0 replies
11h11m

I vaguely recall something like this depicted in a TV show called Mr. Robot.

He was hired to find person of interest through a cell number. Impersonated or intercepted NYPD fax line? Forged some document that NYPD uses to obtain data from carriers. Sent the forged fax and just waited for a response.

Definitely more elegant than sending forged doc from a protonmail address. But nevertheless the same method.

edit: found it. https://youtu.be/AdHE5Nss4HI?si=b4Et34pHKx8p1uP9

Looks like he just used some public WiFi to remain anonymous and forged NYPD fax number to make it more legit haha. Have to rewatch this show.

wmf
0 replies
17h4m

Straight out of Mr. Robot.

treffer
0 replies
8h29m

It is very common that these things get faked.

Especially combined with: urgency (matter of life & death), referenceng laws/penalty if not handled (quickly), reference to kaws/penalties if disclosed.

Now some poor lawyer has to figure out what to do.

Now just heavily increase what you I.agine the scale to be. Those revealed cases are just the tip of the iceberg.

As much as I would like to blame Verizon or any other entity: I think the key point is that the way these warrants get handled is totally unsuitable for the internet age.

Forgery is usually a crime. So sending a warrant (via paper mail) through a country is sorta safe as you can start chasing the criminals, especially through return addresses.

This all changes on the internet. Someone in a different country or a mostly anonymous person can forge and send these warrents at close to zero costs. Enough police stations got hacked to get realistic templates (and sometimes even direct e-mail access). The whole cost/benefit/risk relation shifted in favor of the attacker.

And it doesn't help that most countries want to fast-track these requests even more.

toasted-subs
0 replies
14h1m

And I get weird looks for not wanting to give away personal information.

the_common_man
0 replies
9h25m

The incompetence is astounding

naikrovek
0 replies
2h18m

I wonder if those court orders go to an outsourced team.

the lack of an eye for such details used to make me immediately think an overworked team in India or the Philippines was responsible, but now I'm not so sure.

gjsman-1000
0 replies
15h43m

The victim shouldn’t be blamed - but meeting on a porn website, should go without saying, is a terrible idea.

demarq
0 replies
11h52m

backdoors know not their guests

DrNosferatu
0 replies
6h40m

Doesn’t a company the size of Verizon have specific procedures to reply to law enforcement requests?

1-6
0 replies
13h48m

At this point, all the world’s systems are by far incapable of staving off social engineering scams.