Slashdot Mirror


Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back (vice.com)

An anonymous reader shares a report: On Wednesday, encrypted email provider ProtonMail claimed it had hacked someone who was impersonating its service in phishing emails, and the company then swiftly deleted the tweet. Early Wednesday morning, the security researcher known as x0rz tweeted out a series of screenshots allegedly showing someone sending emails that directed targets to a fake ProtonMail login screen. "You have an overdue invoice," the message read. In response, ProtonMail said it had taken action. "We also hacked the phishing site so the link is down now," ProtonMail tweeted. Depending on the context and what exactly the retaliating organization did, hacking back can be illegal. Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation. A recently proposed bill would attempt to legalize the practice. ProtonMail swiftly deleted its tweet, but not before x0rz could grab and subsequently tweet a screenshot. x0rz then deleted his own tweet at the request of ProtonMail.

30 comments

  1. lol by Anonymous Coward · · Score: 0

    the security researcher known as x0rz

    oh, please. not an actual security researcher.

    1. Re:lol by GLMDesigns · · Score: 2

      Searched him up. Interesting tidbits.

      https://blog.0day.rocks/@x0rz

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
  2. Very Bad Idea by EndlessNameless · · Score: 4, Insightful

    So apparently, this is some amateur-hour outfit? I thought they were supposed to be technically and legally astute.

    They either don't have lawyers, don't know when to talk to them, or don't listen to them. Or they let random idiots post on their Twitter feed.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:Very Bad Idea by zlives · · Score: 4, Insightful

      " random idiots post on their Twitter" is there any exception to this rule?

    2. Re:Very Bad Idea by GLMDesigns · · Score: 2

      It looks bad. It's a great service - or at least I hope so :{

      The promise is simple, secure email, from a privacy-loving company and backed by a country that seems to respect privacy (Switzerland).

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    3. Re:Very Bad Idea by GLMDesigns · · Score: 1

      Furthermore, I haven't seen any notices about said occurrence in the notices they send out.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    4. Re:Very Bad Idea by Anonymous Coward · · Score: 0

      An exception would be... TRUMP!

    5. Re:Very Bad Idea by bsDaemon · · Score: 1

      Yes. Often specific idiots are allowed to post.

    6. Re:Very Bad Idea by Morris+von+Habsburg · · Score: 2

      The 'Computer Fraud and Abuse Act' is an American law and so doesn't apply in Switzerland where ProtonMail is based. It might be that Swiss law also bans 'hacking back' but the 'Computer Fraud and Abuse Act' is not relevant in this case.

    7. Re:Very Bad Idea by Khyber · · Score: 1

      CFAA applies if the person that got hacked is in the USA. We have these things called Treaties, you know.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:Very Bad Idea by Anonymous Coward · · Score: 0

      It is relevant if they ever want to go to the US. Or have a stopover there. Or fly to a neighboring country and get rerouted there. They may even find themselves extradited: I'd hope Switzerland isn't burrowed as deeply in the US hindquarters as other countries are, but they may find themselves extradited from one of these other countries.

    9. Re:Very Bad Idea by zlives · · Score: 2

      perchance... do they post randomly?!

    10. Re:Very Bad Idea by Anonymous Coward · · Score: 1

      While you're correct, something tells me

      - a phisher isn't going to call up the FBI to lodge a complaint

      - the idiot whose WordPress was probably already hacked by the phisher won't understand what happened

      - the hosting provider doesn't give a shit either

      There's little risk in ProtonMail fucking around with some US-based phishing site. Admitting to it was stupid, though.

    11. Re:Very Bad Idea by Anonymous Coward · · Score: 0

      Privacy is just about dead in Switzerland. They fucked it up all by themselves...

    12. Re:Very Bad Idea by Anonymous Coward · · Score: 0

      that depends entirely on where the person and the server they hacked is running.

    13. Re: Very Bad Idea by Anonymous Coward · · Score: 0

      LOL

    14. Re: Very Bad Idea by Anonymous Coward · · Score: 0

      Are you talking about cnn?

  3. Only the .gov can hack by Anonymous Coward · · Score: 1

    You can't legally but they can

  4. Who would be behind phishing ProtonMail users? by Anonymous Coward · · Score: 1

    They probably figured out they hacked a government phishing operation.

  5. Is it really illegal in Switzerland? by Anonymous Coward · · Score: 0

    Maybe not enough to be prosecuted (USA is a known knee-jerk place for prosecuting anyone they could because some prosecutor is hunting their career). Anyway I doubt the phishing site will press charges.

  6. Wrong Jurisdiction by clukawski · · Score: 1

    This article mentions the CFAA, however ProtonMail (and Proton Technologies AG) seem to be located wholly in Switzerland, so this law would not apply. I am not sure of any equivalent laws Switzerland may have.

    1. Re:Wrong Jurisdiction by arth1 · · Score: 1

      This article mentions the CFAA, however ProtonMail (and Proton Technologies AG) seem to be located wholly in Switzerland, so this law would not apply. I am not sure of any equivalent laws Switzerland may have.

      I think the CEO has to place an apple on his son's head.

  7. Heh by the_skywise · · Score: 4, Interesting

    They hacked the man behind the curtain didn't they?
    x0rz found the tweet, posted it and then ProtonMail told them who they hacked and x0rz promptly yanked down their post too!
    If that's not an "oh sh--!" moment, I dunno what is!

    1. Re:Heh by GLMDesigns · · Score: 1

      good point!

      Wish I had mod points

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
  8. Hacking back is illegal by VikingNation · · Score: 1

    If that is indeed true, they violated the computer fraud act and opened themselves up to legal actions.

  9. The US is not the world... by bradley13 · · Score: 2

    Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation.

    This is clearly a reference to US law. ProtonMail is based in Switzerland, hence, US law is utterly irrelevant. I know that most /.ers are located in the US, but your country does not encompass the world.

    Of course, we have our own laws regarding electronic breaking and entering, and IANAL so I'm not going to speculate about the legalities here. Just wanted to point out that ProtonMail is not a US company, so comments about US law are off-base.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:The US is not the world... by gravewax · · Score: 1

      They are only off base if the hacked target was also not in the US, not completely unlikely given the common use of cloud providers to perform such hacks.

    2. Re: The US is not the world... by DNS-and-BIND · · Score: 0

      Thanks for that scolding comment that put Americans in their place. With attitudes like that, is there any wonder that we want out of Europe?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:The US is not the world... by Anonymous Coward · · Score: 0

      ProtonMail is based in Switzerland, hence, US law is utterly irrelevant. I know that most /.ers are located in the US, but your country does not encompass the world.

      Then you'd better talk to the people running your country, because they agreed to extradition with the United States.

      IANAL

      We already figured that out.