Hacker News new | ask | show | jobs
by BoredPositron 282 days ago
This makes the situation even worse for me. CERTs lack any legal authority to compel action or enforce compliance. Without a thorough and fast post mortem analysis, this incident is deeply concerning for anyone who relies on Proton as their primary email provider. I guess getting trigger happy just comes as soon as you get a bigger user base but that's exactly when you get caught slipping. Like they did with the false positives it honestly reads like:

"We have good relationships and trust this CERT so we carpet bombed all accounts they send us without even looking at them."

I wonder what would have happened to accounts or users without the reach on socials.
1 comments
93po 282 days ago
they didnt do it because CERT said they legally had to - they did it presumably because they pay CERT to catch abuse and misuse and take action based on their findings
link
BoredPositron 282 days ago
This doesn't change my statement, even if they take the word of the CERTs as gospel. This represents a significant attack vector for denial-of-service attacks, as demonstrated by what happened here, and for a service like Proton, such a vulnerability is nearly inexcusable.
link
93po 282 days ago
What's the attack vector? I'm genuinely curious, I'm not seeing it. My understanding that I'm too lazy to investigate further is that the use of this account by a journalist got caught up in a block of accounts because the nature of its legitimate activities too closely mimicked the behavior used by illegitimate accounts. No one can force a journalist's account to take actions if they don't have the credentials of the account.
link
BoredPositron 282 days ago
Automated Trust Chain. According to their official statement, the accounts were reinstated following individual review. The vector is that legitimate accounts that don't break the ToS get dumped in a big set of accounts that actually do. A classic case of automated systems being gamed to trigger false positives. The vague statement about other accounts from the same set that couldn't be restored while not explicitly naming that these accounts were also phrack accounts makes the case even stronger. It was a denial-of-service and they blatantly didn't care until social media outrage hit them. I am not even blaming the CERT here maybe they were real false positives on their side. It's on Proton. They need to verify before taking actions against their own customers.
link