
Analysing the alleged Minneapolis police department “hack” - weinzierl
https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/
======
tialaramex
> it's extremely unusual to see the same email address with multiple different
> passwords in a legitimate data breach as most systems simply won't let an
> address register more than once

I've actually built a system which did this years ago, over our initial
protestations, and the reasoning went like this:

Our client (this was a white label product) has lots of elderly couples as
customers, these are our end users and although they're on the Internet (makes
sense, this is after all a web site you've white labelled so if you have
customers without Internet that's a red flag right there) they only have one
email address between them. So some end users want two accounts, but with one
email address.

This made the login procedure a bit hairy and obviously there are scary corner
cases for things like change password (Alice decides to use the same password
as her husband Bob, now we can't tell their accounts apart!) but we felt that
arguing with clients about why they should do Single Sign On (and thus
eliminate the separate login for our white label product altogether) was more
valuable than trying to change old people's minds about what constitutes a
reasonable thing for two people to share.

~~~
fastball

      nice.old.couple+alice@gmail.com
    
      nice.old.couple+bob@gmail.com

~~~
inspector-g
The number of websites that prevent me from doing this, because somebody wrote
a shitty regex to invalidate most punctuation in an email address, is
infuriatingly high.

~~~
diffrinse
Haven't had a problem with a lot of popular services, only Sling so far. Even
my local utilities let it fly.

------
rvz
Great analysis on uncovering a credential stuffing attack (using passwords
found from a previous breach) disguised as a "MPD hack" by "Anonymous" which
Troy also discussed here. [0]

> But anger shouldn't mean throwing logic and reason out the window and I
> cannot think of a time where fact-checking has ever been more important than
> now, not just because of the Minneapolis situation, but because so much of
> what we see online simply can't be trusted. So by all means, be angry, but
> don't spread disinformation and right now all signs point to just that - the
> alleged Minneapolis Police Department "breach" is fake.

The above text really does question what we see on the internet since it is
very easy to fabricate news and evidence like this. With that being disproved,
we should take such news on social media with a grain of salt until the full
evidence from each side and analysis is available.

Once we do that we will be less susceptible to being deceived unlike the
retweeter at the bottom of the blog post.

[0]
[https://twitter.com/troyhunt/status/1267237884949483522](https://twitter.com/troyhunt/status/1267237884949483522)

~~~
amrrs
My heuristics is, By default, Anything controversial I see on the internet is
fake until it's proven to be true. I've been advocating this to my parents and
a few others for quite a while. Especially from a country like India where
there are people being lynched and killed just based on WhatsApp videos
(mostly fake), Skepticism is required more than ever.

~~~
jobigoud
This rule means you have to consider almost everything as fake. Like say, a
video of police brutality filmed by one person. How do you "prove" it to be
non fake?

~~~
rvz
> a video of police brutality filmed by one person. How do you "prove" it to
> be non fake?

You might have almost answered your own question. If there are many videos
shot by random bystanders in multiple angles of the event, even if one is
fabricated, another video can disprove it; making it harder to fake the event.

This would mean that one would have to 'fake' all the videos and angles from
other people which is difficult to do, especially if it is live. So with that,
it can be proved to 'have happened' but only if the bystanders are un-related
to each other. Otherwise it will look 'staged'.

------
brenden2
My take: I don't think the government understands how must distrust there is
for public institutions. The fact that they keep going on these pressers and
lying to the public, only to be discredited after the fact, shows how tone
deaf and disconnected from reality the politicians are. What's even more
bizarre is all the people who are cheering on the police brutality, and
encouraging more violence against unarmed protestors.

There are systemic issues all throughout the government, and as long as cops
keep killing people the riots will continue. Maybe they'll temporarily
subside, but when the next killing happens it will flare right back up. Cops
operate with impunity, and the politicians go on TV apologizing for them
because they're afraid of the police too. Just look what happened to de
Blasio's daughter, who was arrested by the NYPD under questionable
circumstances.

It's crazy watching this all unfold, but if real change isn't implemented soon
it will continue to foment. It doesn't help that along with racism, there's
significantly economic inequality. Real unemployment is somewhere around
24%[0], food prices keep going up[1], and many still haven't been able to
access unemployment benefits.

[0]: [https://fortune.com/2020/05/28/us-unemployment-rate-
numbers-...](https://fortune.com/2020/05/28/us-unemployment-rate-numbers-
claims-this-week-total-job-losses-may-28-2020-benefits-claims-job-losses/)

[1]:
[https://apnews.com/54f1efe0afa71b0a939fda91cf917366](https://apnews.com/54f1efe0afa71b0a939fda91cf917366)

~~~
throwaway894345
> What's even more bizarre is all the people who are cheering on the police
> brutality, and encouraging more violence against unarmed protestors.

There’s lots of people cheering on the violence. The strangest are the white
collar professionals, the celebrities, and the executives. I will say, in a
few instances it felt good when these Twitter agitators got spooked as the
violence they wished upon others neared their own gated neighborhoods (and I
don’t say this lightly as my neighborhood is being terrorized right now).

[https://pjmedia.com/instapundit/wp-
content/uploads/2020/05/c...](https://pjmedia.com/instapundit/wp-
content/uploads/2020/05/chris_palmer_nba_5-31-20.jpg)

~~~
thrwaway69
Historically they used to do this for slaves where they would fight each other
for entertainment of the elites or upper class people. It seems perfectly in
align with that.

------
MattGaiser
The power of disinformation even when it was not even done well. I swallowed
the report hook, line, and sinker.

~~~
jcims
I'm sure some would reject this but it's the human condition, we've all let
our guard down at some point and let falsehoods...not just the uncertain or
unsubstantiated, but outright intentional lies...gain purchase in our
worldview.

~~~
snazz
For sure. I forget who said it, but there's some quote about the intelligent
person having strong opinions weakly held. I'm willing to reevaluate my
beliefs on things, but unless I've seen evidence to the contrary, I hold them
strongly.

------
raverbashing
Most often, when the media/pr announces a "sophisticated cyber attack" has
happened, what actually has happened is that the password was "123456" or the
site ran an old WordPress version, etc

~~~
genghisjahn
Example?

~~~
taneq
The Cambridge Analytica scandal comes to mind. It was reported in some places
as a "hack" when they literally just used Facebook's APIs for their intended
purposes.

------
bargle0
What is the point of fabricating this attack?

~~~
seangrogg
Consider whose voice, opinion, or stance stands to gain by making the police
look incompetent or incapable of managing their own affairs.

~~~
rectang
Or, stands to gain from making Anonymous appear more threatening.

------
tehjoker
I get the point that's being made here, but the real question is do the
passwords work even if they are derivative? Did someone extract anything of
value using them?

------
pelasaco
somebody with a twitter handle "Antifa Bunny #BlackLivesMatter #ACAB ️ ️"
doesn't need this analysis to discover that he/she is dumb.

------
a-wu
The other thing I keep seeing is a "leak" of a court filing by "Anonymous"
alleging that Trump and Epstein committed various sexual offenses. I think
it's unfortunate that the disinformation attributing this to Anonymous is
spreading because the court filing has been publicly available since 2016. It
seems that two Twitter accounts are parroting this around under the guises on
Anonymous which really discredits the actual group.

~~~
zucker42
Has Anonymous ever been an actual group or more of a loose collection of
people claiming the name?

~~~
kart23
Read the wikipedia page, its pretty accurate. There have been arrests for
'Anonymous' hacks but it's not really a group, more so an idea.

~~~
a-wu
You're totally right and I shouldn't have referred to them as one entity. Even
so, I think that Twitter accounts "representing" Anonymous spreading
misinformation really discredits the work other Anonymous members do.

~~~
monadic2
I don’t think the point of taking up the “anonymous” moniker is to get credit.
That’s a fundamental misunderstanding of the underlying meme, which is
populist, not meritocratic or whatever. It’s spelled out quite well in V for
Vendetta...

------
julianeon
Sounds like the 'hack' wasn't one. From the article:

> So by all means, be angry, but don't spread disinformation and right now,
> all signs point to just that - the alleged Minneapolis Police Department
> "breach" is fake.

~~~
TremendousJudge
Yes, that's why the title has scare quotes and says "alleged"

~~~
julianeon
It's a long article and I thought I could be helpful by summarizing the
conclusion; I don't think a person who didn't read it would grasp that from
the quotation marks alone.

