The media and its misunderstanding technology

[robfosters]

if the police have a legal warrant, then they should get access, otherwise no, Facebook shouldn't give the password or access.

That’s how Facebook works, but the problem is they’re based in the US and it takes months to go through the US justice department to get the warrant. I’m saying there should be separate processes in countries that Facebook operates to make the process quicker and more efficient.

 

[FortuitousFluke]

Have the police tried Password1? It's almost certainly Password1.

 

[Christmas themed thank]

I know what you mean, but as others have said, password or not, Facebook can easily give access to an account.

I severely hope not. That would show a worrying lack of security.

 

[glenimp617]

Have the police tried Password1? It's almost certainly Password1.

I once worked at a place who had p@ss1word for the domain admin account

Never worked with such a bunch of muppets in all my time. They were totally clueless about all things IT (leaving was the best decision I ever made)

This was the place who thought swapping office for openoffice was a good idea, only to move back a few years later.....then get heavily fined for lack of software licencing lol

 

[robfosters]

I severely hope not. That would show a worrying lack of security.

https://bgr.com/2018/05/04/facebook-profile-backdoor-account/

 

[skyripper]

I once worked at a place who had p@ss1word for the domain admin account

Never worked with such a bunch of muppets in all my time. They were totally clueless about all things IT (leaving was the best decision I ever made)

This was the place who thought swapping office for openoffice was a good idea, only to move back a few years later.....then get heavily fined for lack of software licencing lol

I'll raise you that by saying I found a domain admin account hardcoded into a batch file.
This was part of the standard laptop image build rolled out on every company laptop in the root of the C: drive.
A very large domain...

 

[glenimp617]

I'll raise you that by saying I found a domain admin account hardcoded into a batch file.
This was part of the standard laptop image build rolled out on every company laptop in the root of the C: drive.
A very large domain...

hahaha, that is amazing

 

[FortuitousFluke]

I once worked at a place who had p@ss1word for the domain admin account

Never worked with such a bunch of muppets in all my time. They were totally clueless about all things IT (leaving was the best decision I ever made)

This was the place who thought swapping office for openoffice was a good idea, only to move back a few years later.....then get heavily fined for lack of software licencing lol

I think the nature of this forum gives a false metric in terms of how clued up (or bothered) people are about cyber security. I fully expect the police to announce a new tool that allows them to crack the passwords of any criminals, a buzzfeed article from 2015 entitled "you won't believe what the top 100 account passwords are!". Police simply try each password in order, in 10,000 attempts they've yet to get past the top ten.

 

[ubersonic]

I once worked at a place who had p@ss1word for the domain admin account

Well, in fairness that's not really a security issue. You're not going to be randomly guessing or brute forcing that any easier than most domain admin account passwords.

 

[gord]

Everything is sat on a database. Just find the tables and rows and export the data.

That'd be a story in itself. Passwords should be salted and hashed, meaning you can't just grab them from the DB. Resetting the password makes much more sense.

 

[Christmas themed thank]

Everything is sat on a database. Just find the tables and rows and export the data.

or....reset the password (cause its easier).

Nonsense.

 

[glenimp617]

That'd be a story in itself. Passwords should be salted and hashed, meaning you can't just grab them from the DB. Resetting the password makes much more sense.

I don't mean looking in the database for the password, just the actually data you want like text messages or posts. Unless everything is encrypted? but then they built the platform so again I assume worse case they just change the code to do what they want

or as posted earlier, use the back door account

Zuckerberg himself told congress it can technically be done

 

[gord]

I don't mean looking in the database for the password, just the actually data you want like text messages or posts. Unless everything is encrypted?

Ah ok, thought you meant the password. Messages and posts are probably encrypted too, but with access controls to review that information.

 

[jpaul]

Everything is sat on a database. Just find the tables and rows and export the data.
or....reset the password (cause its easier).

as he said -

the data in the facebook account can just be exported/copied/handed-over - it is not personally encrypted,
the word password in the articles is just a euphemism/simplification, for the procedure required.

 

[arknor]

can't the police just get access to his email and reset the password for facebook? what about his phone is it linked to facebook, can't you get an SMS to reset the password?

There must be multiple ways the police can get access to his facebook legally that are probably far easier than going through facebook themselves

 

[jsmoke]

You can definitely crack the hash, salted or not, via rainbow tables or other methods depending on how fb have setup the encryption.

The NSA can crack VPN by sending the key to a supercomputer and crack it in a couple of minutes while the suspects are still communicating.

Fb would have to tell the cops the extact encryption method.

Any encryption can be cracked just need some serious GPU power.

 

[peterwalkley]

Whilst we don't have the fifth amendment here, the suspect still has the right to not incriminate himself. He's not breaking any laws by refusing to hand over his password.

EDIT: Removed above after it was pointed out I'm wrong under RIPA laws.


I'm wondering if the police are approaching this the wrong way round. If they're looking for an "I hate you and am going to kill you" message, then accessing the victim's FB account might be easier as they presumably have access to her phone, email etc and her family can surely provide all legal consent required.

Facebook will require a legal warrant and will play hard ball because the precedent it sets otherwise will cause them grief in the long run. US law enforcement have a long history of unwarranted intrusions into privacy and the last thing they want is every bubba boy local sheriff fishing for evidence on any random crime they can think of.

 

[TheVoice]

can't the police just get access to his email and reset the password for facebook? what about his phone is it linked to facebook, can't you get an SMS to reset the password?

There must be multiple ways the police can get access to his facebook legally that are probably far easier than going through facebook themselves

Nope, the police have already exhausted available legislation and options hence why they're having to do things the long way now.

He's not breaking any laws by refusing to hand over his password.

He is, which is why he's been convicted under RIPA.

 

[GGizmo]

I'm sure someone at facebook can access accounts. When people die don't they put the account in to archive mode?

There will be passwords that can override regular user passwords. I'm sure its not difficult.

From my understanding these tech companies always demand to see a warrant of some kind before they will hand over the information.

 

[touch]

the data in the facebook account can just be exported/copied/handed-over - it is not personally encrypted

How do you know he wasn't using encrypted messages?

AFAIK, Facebook havn't commented other than a standard response that they'll comply with law enforcement and he himself hasn't given any details about his messages.