Ok if these social media giants are authenticating LEOs by origin email only, without benefit of GPG, or secure token, or whatever, then they are stuck on stupid, and deserve any hacking they get. Ouch.
Email actually has very well thought out authentication mechanisms, such that it's not unreasonable to expect a domain is not spoofed and that a message came from the server it says it came from.
But if some baddies have logged into your server and are sending messages as you, then DKIM can't save you.
So say social media companies want a higher standard of proof that emails are coming from a particular institution: what mechanisms are available that don't involve onboarding every individual officer to the subtleties of public key cryptography?
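As an added example (not written by anyone in this thread), here is the receiving side of the checks discussed above in Python: it reads the Authentication-Results header that a receiving mail server stamps on a message, checks whether the domain that passed SPF or DKIM actually aligns with the From: domain (which is what DMARC enforces), and labels the message accordingly. The messages, domains and selector names are constructed placeholders, and the header parser is deliberately simplified compared with the full RFC 8601 grammar. It also makes the limit raised above concrete: a message sent through a compromised but otherwise legitimate account passes every one of these checks.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). "agency.example" and
# "socialnetwork.example" are placeholder domains.
ALIGNED_MSG = """From: Records Unit <records@agency.example>
To: lawenforcement@socialnetwork.example
Subject: Records request
Authentication-Results: mx.socialnetwork.example;
 spf=pass smtp.mailfrom=agency.example;
 dkim=pass header.d=agency.example header.s=sel1;
 dmarc=pass header.from=agency.example

Body omitted.
"""

# Same visible From: address, but the domains that actually passed SPF and
# DKIM belong to some unrelated bulk sender, so DMARC alignment fails.
SPOOFED_MSG = """From: Records Unit <records@agency.example>
To: lawenforcement@socialnetwork.example
Subject: Records request
Authentication-Results: mx.socialnetwork.example;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=k1;
 dmarc=fail header.from=agency.example

Body omitted.
"""

# No Authentication-Results at all: the From: field alone proves nothing.
NO_AUTH_MSG = """From: Records Unit <records@agency.example>
To: lawenforcement@socialnetwork.example
Subject: Records request

Body omitted.
"""


def parse_auth_results(header_value):
    """Split an Authentication-Results value into {method: (result, {prop: value})}.

    Simplified: unfolds the header, drops (comments), and assumes the first
    ';'-separated field is the authserv-id.
    """
    flat = " ".join(header_value.split())
    flat = re.sub(r"\([^)]*\)", "", flat)
    results = {}
    for part in [p.strip() for p in flat.split(";")][1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return results


def domain_of(value):
    """Domain part of an address or address-like property (already a domain passes through)."""
    addr = parseaddr(value)[1] if "<" in value or " " in value.strip() else value
    return addr.rpartition("@")[2].lower()


def aligned(auth_domain, from_domain):
    """Relaxed DMARC-style alignment: identical, or the authenticated domain is a subdomain."""
    auth_domain = domain_of(auth_domain)
    return bool(auth_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def assess(raw_message):
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    ar = msg.get("Authentication-Results")
    results = parse_auth_results(ar) if ar else {}
    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    dmarc_result, _ = results.get("dmarc", ("none", {}))
    spf_aligned = spf_result == "pass" and aligned(spf_props.get("smtp.mailfrom", ""), from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain)
    # "domain-authenticated" means the sending domain's own infrastructure
    # sent this message (DMARC pass, or an aligned SPF/DKIM pass we confirmed).
    # It says nothing about whether the account behind it was under its
    # owner's control, so a compromised mailbox still gets this verdict.
    authenticated = dmarc_result == "pass" or spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf": spf_result, "spf_aligned": spf_aligned,
        "dkim": dkim_result, "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_result,
        "verdict": "domain-authenticated" if authenticated else "unverified",
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG), ("no-auth", NO_AUTH_MSG)):
        print(name, assess(raw))
```

The verdict is deliberately worded as "domain-authenticated" rather than "legitimate": the extra assurance a recipient would want on top of this (that the specific person, not merely the domain, sent the request) has to come from something outside the email itself, such as a callback to a published number or a per-agency portal, which is exactly the gap the question above is asking about.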
Isn’t it though? You can attack email systems, network operators, and end users in a myriad of ways remotely from anywhere in the world. How can you compromise a traditional fax? Eavesdropping the PSTN itself? Physical access to one of the machines? Stealing the printed document?
Network fax systems are more convenient to use than traditional, but still more secure than email because they’ve been designed to be so.
Where’s the attack surface to exploit this analog and unencrypted data? A government can order their telecoms (and they do), but the same happens with email providers. Neither is secure from government intrusion, but email is easier to compromise than traditional fax systems because their exposure is so limited.
How's that absurd? If you have 0 experienced security folks on staff/consulting, and no one willing to listen to them, then a fax is almost certainly more secure in practice.
One of those countries is the US.
Fax is unencrypted analog. In practice, this is very certainly not secure.
It's only "more secure" in the sense that unauthorized access to it counts as wiretapping, whereas the feds carved a loophole allowing them to read private emails without running afoul of our anti-wiretapping laws.
That you don't see the absurdity means our educational system is also doing what feds built it to do.
> It's only "more secure" in the sense that unauthorized access to it counts as wiretapping, whereas the feds carved a loophole allowing them to read private emails without running afoul of our anti-wiretapping laws.
How is that different from techbros trying to claim a loophole for their illegal business, because it's on the internet/through an app/'is a gig job'/on a blockchain?
When the legislature hasn't kept up with technology, the only way to fight that behaviour is through lawsuits. Lawsuits have made some headway in dealing with both private and government malfeasance here.
I don't think most law enforcement agencies have any second factor to authenticate themselves online. And it's not the social media companies that suffer but their users whose privacy is being violated.
To many normal people the "from" field in an email means that it came from there.
I am wondering how they get the data back though, unless they demand it is faxed, or sent to another email address. (Or the person replying doesn't notice the different reply-to address.)
Interestingly, gmail trusts the from field, so if I send a message “from” you to your account, it will put it in your sent folder.
Urban legend says people have been fired after forged harassment emails were delivered this way.
Google claims this is a feature, and the sent “label” isn’t meant to mean that it came from your gmail account.
For instance, there could be a corporate service firehosing spam at coworkers on your behalf, and obviously you don’t want to notice that, so it puts it in the sent box.
I thought gmail enforces SPF for gmail emails. I'd try it myself, but I don't want the few machines I have with port 25 unblocked to get a worse spam rating.
Generally email systems will have rules that support things like “if this account gets any mail from this address at Facebook.com, move it to some obscure folder and forward it to badguy@gmail.com” which is sometimes how this plays out.
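As an added example (not from the commenter above), here is the kind of mailbox-rule audit a defender would run to catch the pattern just described, in Python. The rule records are a constructed, simplified representation; real systems (Gmail filters, Exchange inbox rules) have their own schemas, so every field name here is hypothetical, and the addresses and domains are placeholders. The audit flags rules that forward mail outside the organisation, and raises severity when the same rule also hides the original or targets a sensitive sender.

```python
# Constructed rule records (hypothetical schema, not any real provider's API).
RULES = [
    {"id": "r1", "owner": "records@agency.example",
     "match_from": "@socialnetwork.example",
     "actions": {"move_to": "Archive/old", "mark_read": True,
                 "forward_to": "attacker-mailbox@freemail.example"}},
    {"id": "r2", "owner": "records@agency.example",
     "match_from": "newsletter@vendor.example",
     "actions": {"move_to": "Newsletters"}},
    {"id": "r3", "owner": "records@agency.example",
     "match_from": "@socialnetwork.example",
     "actions": {"forward_to": "shared-inbox@agency.example"}},
    {"id": "r4", "owner": "records@agency.example",
     "match_from": "@partner.example",
     "actions": {"forward_to": "records@freemail.example"}},
]

INTERNAL_DOMAINS = {"agency.example"}
# Senders whose replies are worth protecting: anything from the platforms
# that answer data requests, in this constructed scenario.
SENSITIVE_SENDERS = ("@socialnetwork.example",)


def domain(address):
    return address.rpartition("@")[2].lower()


def audit_rules(rules, internal_domains, sensitive_senders):
    """Return findings for rules that exfiltrate or hide mail. Pure function over rule dicts."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        forward_to = actions.get("forward_to")
        external = bool(forward_to) and domain(forward_to) not in internal_domains
        if not external:
            continue  # internal forwards and purely local filing are not flagged here
        hides = bool(actions.get("move_to")) or actions.get("mark_read", False) \
            or actions.get("delete", False)
        sensitive = any(rule.get("match_from", "").lower().endswith(s.lower())
                        for s in sensitive_senders)
        reasons = ["forwards outside the organisation"]
        if hides:
            reasons.append("also hides the original from the owner")
        if sensitive:
            reasons.append("matches a sensitive sender")
        findings.append({
            "id": rule["id"],
            "owner": rule.get("owner"),
            "severity": "high" if (hides and sensitive) else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES, INTERNAL_DOMAINS, SENSITIVE_SENDERS):
        print(finding)
```

Running this over an export of real rules is the useful part; the logic is small on purpose so it can be dropped into whatever job already pulls rule inventories from the mail platform.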