Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back (vice.com) 30
An anonymous reader shares a report: On Wednesday, encrypted email provider ProtonMail claimed it had hacked someone who was impersonating its service in phishing emails, and the company then swiftly deleted the tweet. Early Wednesday morning, the security researcher known as x0rz tweeted out a series of screenshots allegedly showing someone sending emails that directed targets to a fake ProtonMail login screen. "You have an overdue invoice," the message read. In response, ProtonMail said it had taken action. "We also hacked the phishing site so the link is down now," ProtonMail tweeted. Depending on the context and what exactly the retaliating organization did, hacking back can be illegal. Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation. A recently proposed bill would attempt to legalize the practice. ProtonMail swiftly deleted its tweet, but not before x0rz could grab and subsequently tweet a screenshot. x0rz then deleted his own tweet at the request of ProtonMail.
Re: (Score:3)
https://blog.0day.rocks/@x0rz [blog.0day.rocks]
Very Bad Idea (Score:5, Insightful)
So apparently, this is some amateur-hour outfit? I thought they were supposed to be technically and legally astute.
They either don't have lawyers, don't know when to talk to them, or don't listen to them. Or they let random idiots post on their Twitter feed.
Re:Very Bad Idea (Score:5, Insightful)
" random idiots post on their Twitter" is there any exception to this rule?
Re: (Score:2)
Yes. Often specific idiots are allowed to post.
Re: (Score:3)
perchance... do they post randomly?!
Re: (Score:3)
The promise is simple, secure email, from a privacy loving company and backed by a country that seems to respect privacy (Switzerland)
Re: (Score:2)
Re: (Score:2)
The 'Computer Fraud and Abuse Act' is an American law and so doesn't apply in Switzerland where ProtonMail is based. It might be that Swiss law also bans 'hacking back' but the 'Computer Fraud and Abuse Act' is not relevant in this case.
Re: (Score:2)
CFAA applies if the person that got hacked is in the USA. We have these things called Treaties, you know.
Re: (Score:1)
While you're correct, something tells me
- a phisher isn't going to call up the FBI to lodge a complaint
- the idiot whose WordPress was probably already hacked by the phisher won't understand what happened
- the hosting provider doesn't give a shit either
There's little risk in ProtonMail fucking around with some US-based phishing site. Admitting to it was stupid, though.
Only the .gov can hack (Score:1)
You cant legally but hey can
Who would be behind phishing ProtonMail users? (Score:1)
Wrong Jurisdiction (Score:1)
Re: (Score:2)
This article mentions the CFAA, however ProtonMail (and Proton Technologies AG) seem to be located wholly in Switzerland, so this law would not apply. I am not sure of any equivalent laws Switzerland may have.
I think the CEO has to place an apple on his son's head.
Heh (Score:5, Interesting)
x0rz found the tweet, posted it and then ProtonMail told them who they hacked and x0rz promptly yanked down their post too!
If that's not "oh sh--!" moment, I dunno what is!
Re: (Score:2)
Wish I had mod points
Hacking back is illegal (Score:1)
The US is not the world... (Score:3)
Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation.
This is clearly a reference to US law. ProtonMail is based in Switzerland, hence, US law is utterly irrelevant. I know that most /.ers are located in the US, but your country does not encompass the world.
Of course, we have our own laws regarding electronic breaking and entering, and IANAL so I'm not going to speculate about the legalities here. Just wanted to point out that ProtonMail is not a US company, so comments about US law are off-base.
Re: (Score:2)