Slashdot Mirror
Sheriff's Online Database Leaks Info On Informants
Tootech writes with this snippet from NPR:
"A Colorado sheriff's online database mistakenly revealed the identities of confidential drug informants and listed phone numbers, addresses and Social Security numbers of suspects, victims and others interviewed during criminal investigations, authorities said. The breach potentially affects some 200,000 people, and Mesa County sheriff's deputies have been sifting through the database to determine who, if anyone, is in jeopardy. ... The FBI and Google Inc. are trying to determine who accessed the database, the sheriff said. Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet. 'The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control,' Hilkey said. Thousands of pages of confidential information were vulnerable from April until Nov. 24, when someone notified authorities after finding their name on the Internet. Officials said the database was accessed from within the United States, as well as outside the country, before it was removed from the server."
Now these fools are gonna see what happens to snitches, Vince Foster-style!!!
Donutleaks is committed to releasing classified documents !
What if they didn't put that database on a server facing the internet? Could that be a good idea? Or maybe they should just return all their computers since they can't be trusted to use them securely... Let the flames begin.
/M
The article makes this situation comparable to the current wikileaks situation, which it isn't.
Some IT person left the data freely accessible on the internet and eventually a crawler found it. They're guessing it was a malicious person but in all odds it is not.
This is just another IT mistake not an act of whistleblowing or terrorism or something else the government wants to make illegal.
Wikileaks wouldn't released this because it definitely WOULD put peoples lives at risk, and it isn't knowledge that would be for the greater good at all.
Redacting names / contact info wouldn't secure it at all, *any* information in it could identify an individual, they would have to redact the whole thing.
It's only value would be to those seeking revenge.
The fact it wasn't properly secured is of interest. the personal details and reports Wikileaks would agree should remain confidential.
"'The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control"
That's a remarkably pragmatic approach, and portrays the Sherrif's office as focussed and efficient. Public perception matters a lot in these instances, and while they could've threatened to rip off the ears of anyone who shares the files, it would have had no effect on actual information sharing, at a great cost to their public image in at least some quarters.
It's also nice to see that someone understands what "information wants to be free" means: that information tends to be free, and you have to plan for this.
No kidding!!! What do you say at this point?
Is cop-speak for damage control.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Maybe this will help end another useless "War".
Set your phasers on "funky"!
I hope someone at the Sheriff's office will be charged with felony negligence for this. I know that leaving a weapon where it can be accessed by a child or a felon is against the law so it should be logical that leaving a database of information open to the world that could easily destroy many lives is worth a felony too.
"To Serve And Protect"...
Deputies have used the database since 1989 to collect and share intelligence gathered during the course of police work. It contains 200,000 names — Mesa County's population is about 150,000 — and includes investigative files from a local drug task force.
Is it just me or does it seem odd to you that they have 200,000 confidential informants in a county with a population of 150,000? What the frack is going on in Mesa County?
It would be funny if it wasn't so sad.
He who knows best knows how little he knows. - Thomas Jefferson
Decided our fate in a microsecond: extermination.
I said it before, and I will say it again. In computer time a microsecond is a very, very, very long time. So please stop thinking that the machines didn't give us time to change our ways...
Seven puppies were harmed during the making of this post.
Everyone on Slashdot should download as many copies as they can and then delete them (Shift + Delete only!). That way the world will run out of copies and everyone will be safe.
-nt
What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment...
I don't see why that last phrase is on there, i.e., why the statement should be restricted to law enforcement. IT staff in every internet-connected company which stores data on other people (which is most companies larger than a mom&pop gas station these days) have a responsibility to the people that data pertains to.
Every time I hear about another database getting hacked, I blame the idiots who let it happen. It makes me really leery of doing simple things like buying *anything* from *anywhere* with a credit card, because I am entrusting the seller to keep my data secure. And so many of them demonstrate that they have not earned that trust.
Do you think doctors' offices maintain good data security? Or the local pizza place that has an account for you? It's pretty amazing how open our data is to those who wish to harvest it.
But the sad truth is that in the end IT is seen as a cost center that needs to be minimzed. And security... well, that's like insurance. You don't need it until you need it (at which point of course it is far too late).
If Assange isn't CIA he won't and if he is it's Americans killing Americans anyway. But I guess you're just a troll.
>The breach potentially affects some 200,000
Well we can kiss another 200k people good bye, as soon as the list springs on wikileaks, all mafioso will be checking that list twice to make sure their naughty and not nice!
Methinks this might hurt their ability to recruit informants in the future as well.
SJW: Someone who has run out of real oppression, and has to fake it.
Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet.
My understanding of WikiLeaks-style is redacting information which could put individuals in danger before posting it. In this case it seems like almost the entire database would be redacted. So, are they really talking about this being posted WikiLeaks style? I don't think so.
If Assange is charged with terrorist charges, the police should be charged with the same crime because they did the same thing - Released confidential information. It is important to remember ignorance is not a defense. In this country all people get equal treatment - police and Assange.
Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet.
Let's hope they post it WikiLeaks-style. That would mean they spend months coordinating with journalists to redact names and other information that might put individuals' lives at risk. Then, they would only release a few select important parts of the material in a completely responsible manner.
Of course, that is not what the editors and poster were trying to convey by 'WikiLeaks' style. Why insert this useless anti-free-speech FUD into the story?
More likely, if any informants are harmed, it will be used to justify an escalation.
Palm trees and 8
what about paying for new hardware and software as well as more IT workers! not cutting staff that makes some IT jobs not get done / get done alot slower.
A leak is a leak. Doesn't matter how or why it happened, what matters is the information was leaked out hence a "leak". Doesn't mean it is a good thing, just means it is what it is.
However for that matter in some of the Wikileaks discussion threads there were people advocating total transparency of government information. I pointed out this would include things like names of people in witness protection and so on and they said that was fine, that the government should figure out how to not need to keep that secret. It'll be interesting to see if people espouse that in this discussion regarding this information.
Regardless, when it comes to leaked info the how and why are completely separate from what it is and if it is a good thing or not. If you feel that the information from Wikileaks is good, where good means "Should have been released for public consumption," then it doesn't really matter how it happened. Had it been a virus, or some kind of computer security breach that would in no way make the information any less good. For that matter in the Wikileaks situation you could well support the release of the information, while simultaneously saying that the reason for its initial release were not good ones (that Manning did it out of spite, not out of morals).
In the case of this it was a leak because of a mistake, not any active action, but still a leak.
so you want a low level IT guy to take the heat for some PHB lack of knowing about IT?
What does either of those people have to do with this? Someone put very sensitive on a publicly exposed resource that could destroy a large number of lives. Whoever did it (PHB or low-level IT guy) should face charges for it.
Maybe database servers (like MySQL) are safer than stuff like access (or sqlite), since is possible and easy to copy a whole database file mistakely put on /www, while is very rare to put /var/mysql/data on /www
Remember this point when defending database server against database files.
-Woof woof woof!
Depends... if the machine had to do some virtual memory paging, it might be spending time waiting for the data to get under the HDD head as opposed to deciding the fate of humanity.
This is why you always put your Skynet systems on tier 2 or tier 3 storage. Tier 1 flash storage just lets it decide that humanity has to go a lot faster.
Data: I did consider it for a time.
Picard: Really? For how long?
Data: Ten milliseconds. But that's a long time for an android.
No wonder Marvin was so depressed!
Free Martian Whores!
Something wrong with that sentence?
One would think that alcohol prohibition would have taught us that such laws are incredibly harmful. by mcgrew (92797) *
on Tuesday December 14, @08:51AM (#34545360)
The only reason it's kept going is because there are millions of jobs around "drug enforcement" and law enforcement. To make drugs legal would do that little gravy train right in, and the "powers that be" (those who are living off of your taxpayer monies paid) can't and won't allow that to happen. In this case, and others like it? All you have to do, is follow the old adage of "follow the money" (you'll get right to the bottom of it, and this is it). All those "crony appointee assistant-to-the-assistant" jobs and all.
The business of government.
Drug prohibition has probably done more to expand the business of government, measured both in revenue and power over the people, than any other government program short of war. The US government of today dwarfs the US government of only 50, let alone 100 years ago. Hence the business of government is much more lucrative than it was before (for those who sit at the top of the pyramid).
On the one hand, I see how important it is to control personal information, whether it's your information or if you are the person entrusted to keep it safe. On the other hand, I see government-style regulations like HIPAA causing nothing but heartache and useless redundant paperwork for service providers and consumers alike. I mean, Jesus, how many times should I have to sign a HIPAA disclosure statement? Multiply that times the number of people in the United States who visit the doctor, times the number of times those people go to the doctor per year; that's a lot of trees, and that's just one single form that everyone is required to fill out. Disaster. In the end, does it really keep your information safe, or is it just the appearance of safety? Would that disclosure keep someone from hacking into a database server and performing a full dump of its contents? I don't think so. I mean, it might compel improved security, better training, and (once again) more paperwork and identification checking - but credentials can be forged, people can be compromised using social engineering strategies and paperwork is pretty much useless except for lawyers to pour through later at $250 an hour.
I do like the idea of a set of standardized, public, standards-based (open-source?) information security guidelines that businesses can follow check-list style, with auditing for maximum benefit, possibly tiers ("Silver" for check-list compliance, "Gold" for annual audits, "Platinum" for monthly audits by a certified third-party). My password was one of the many leaked over on Lifehacker, but that's okay, because compartmentalization is a basic security premise I live by. Compromised in one area? That's okay. The 200+ other places I connect are still secure. But, seriously, how would one know when creating an account for the first time on a service that the place is secure or not?
Take that a step further, and more germane to this discussion, any of these informants could be tracked down and killed. Granted, if someone were to gain access to my "I Can Haz Cheeseburger?" profile, they could wreak some serious havoc. But if local criminals had access to an indexed database of informants, I would consider that a slightly more serious compromise.
The government needs to have some sort of oversight department (Homeland Security, perhaps?) that has the authority and responsibility to randomly audit every agency in the US that stores sensitive information. The data owners need to be held accountable for their fiduciary responsibility for this information, and heads would need to roll if there's a compromise of this nature and depth. In the case of an audited system, why wasn't this caught? What was that, six or seven months? It's a bit scary that it took someone performing an Internet search to fix this leak. An easy way to fix this problem would be to pepper all databases with normal-looking but fake information. Set-up a Google Alert for each piece of information and if that info is seen anywhere by Google, trace the leak. I'll bet Google could have found the leak much sooner, and a large company like that could easily be asked to purge the data and assist with forensics.
It's not to protect drug dealers, it's to protect *themselves* from this kind of crap.
I swear to God...I swear to God! That is NOT how you treat your human!
... and the subjects will spill their guts. It's a time honored tactic.
What wikileaks stands for is total transparency of how governments (and other large entities) go about their business, not total transparency in the form of all information about everybody anytime. Else wikileaks wouldn't take their time redacting information for safe public consumption (gasp! they do that?) and would just release the information as fast as they can verify it. ./ article is about how names of informants and the like has been leaked and can therefore be a danger to said informants. The focus is not on, say, what methods were used to make said informants talk or how evidence was collected to nail a criminal. The former has nothing to do with how wikileaks operates, the latter does.
The difference? The focus of this
This "leak" is a world apart from what wikileaks does and makes an unfair comparison that deviles what wikileak does.
That said, it is understandable that any unwilling exposure of a large amount of information is mislabeled "wikileaks-style" simply due to the sheer association between wikileaks and leaks in general these days... But visibility doesn't make it a correct association.
Yes. The low level IT guy (or PHB) shouldn't be handling, accessing, or even seeing the information in the first place if s/he isn't responsible and knows how to take proper precautions. That takes a high level of trust having people's lives in your hands, with sensitive information such as social security numbers or informants in dangerous situations. Have low level IT's work with other databases (or tables) under a different user and permission set that don't require such security.
Who watches the morons?
It be a shame to see Dr. Drew out of a job
Everyone in Mesa County is high anyway, so I'm sure there's a few dupes in there, well, just like here.
http://deoxy.org/lawenfor.htm
Here is who it really benefits.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
One can usually tell a story is important by the fact the mainstream media won't run it. The fact that this got published raises the question, what was the purpose. Perhaps the powers that be realized the War On Terror (Military Keynesianism fighting a made-up enemy) is so discredited in the public's eye already, it's time to switch to the War On Data Leaks (IT Keynesianism, fighting made-up leakers) to continue the economic stimulus?
Hopefully some good can come from this.
Now people know who the rats are. If you're a paid CI, that's exactly what you are... a RAT. A paid one no less.
Whatever happens to any of these individuals is nothing more than a natural consequence of being outed as a low down rat, and those consequences are well earned.