Slashdot Mirror


Sheriff's Online Database Leaks Info On Informants

Tootech writes with this snippet from NPR: "A Colorado sheriff's online database mistakenly revealed the identities of confidential drug informants and listed phone numbers, addresses and Social Security numbers of suspects, victims and others interviewed during criminal investigations, authorities said. The breach potentially affects some 200,000 people, and Mesa County sheriff's deputies have been sifting through the database to determine who, if anyone, is in jeopardy. ... The FBI and Google Inc. are trying to determine who accessed the database, the sheriff said. Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet. 'The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control,' Hilkey said. Thousands of pages of confidential information were vulnerable from April until Nov. 24, when someone notified authorities after finding their name on the Internet. Officials said the database was accessed from within the United States, as well as outside the country, before it was removed from the server."


  1. Donutleaks strikes again! by assemblerex · · Score: 4, Funny

    Donutleaks is committed to releasing classified documents !

    1. Re:Donutleaks strikes again! by mcgrew · · Score: 5, Insightful

      They are terrorists!

      If you're referring to the informants, IMO they are the terrorists. Most of the societal problems attributed to drugs are, in fact, caused by the laws against them.

      It's easier for a teenager to buy pot than it is for an adult. One slashdot wag's sig reads "thanks to the war on drugs, it's easier to buy meth than it is to buy cough syrup."

      One would think that alcohol prohibition would have taught us that such laws are incredibly harmful.

      The only segment of society that benefits from anti-drug laws are the smugglers and dealers, which tells you who's funding the anti-drug lobby.

    2. Re:Donutleaks strikes again! by Lumpy · · Score: 3, Funny

      This is true, What does Fox News have to say on it? They are always 100% accurate!

      --
      Do not look at laser with remaining good eye.
    3. Re:Donutleaks strikes again! by mwvdlee · · Score: 3, Funny

      Quick, have the sheriff accused of rape in a Scandinavian country and let Interpol track him down!

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Donutleaks strikes again! by Pojut · · Score: 5, Insightful

      The only segment of society that benefits from anti-drug laws are the smugglers and dealers, which tells you who's funding the anti-drug lobby.

      You forget pharmaceutical companies (hemp and marijuana would have a major impact on their bottom line for a lot of old standbys), so-called "rehab centers", and, let's not forget, our privately-owned prisons.

    5. Re:Donutleaks strikes again! by garcia · · Score: 3, Insightful

      Because people commit crimes from outside the county but are included in the database. I track the addresses of criminals with complaints in my county and while the majority reside within the boundaries, there are the outliers who hail from all over the State of Minnesota (this is a rolling 30 day picture and is purposefully limited to only the MSP metro area for clarity's sake): http://www.lazylightning.org/dakota-county-criminal-complaints-mapped-again

    6. Re:Donutleaks strikes again! by tropicdog · · Score: 3, Insightful

      Stop looking for some conspiracy.

      FTFA:
      "Deputies have used the database since 1989 to collect and share intelligence gathered during the course of police work. It contains 200,000 names — Mesa County's population is about 150,000 — and includes investigative files from a local drug task force.

      The information included data about Mesa County employees, information from the nearby Fruita and Palisade police departments — and possibly information from the U.S. Drug Enforcement Administration and Grand Junction police."

      It wouldn't be very hard to have 200,000 entries in 21 years. Police investigations take in info on friends of friends and acquaintances. The data set likely includes most of the Mexican drug cartel's known players.

    7. Re:Donutleaks strikes again! by Asclepius99 · · Score: 5, Insightful

      And don't forget companies that sell alcohol. I mean, why would you let someone take away your government monopoly on legal substance abuse?

    8. Re:Donutleaks strikes again! by Aldenissin · · Score: 3, Insightful

      I wasn't aware that Mike Huckabee was calling for treason and the death penalty. I knew there was something about him I didn't like, but introducing "treason" executions for something that does not call for it so that the people will get desensitized to the idea.. yea he is the one that should be tried for treason.

      Wikileaks style... pshh.. I can't help but think this was done on purpose for that one line. Yes I know it has been out there for awhile, which is why it makes this all the more scary the planning and limits the G men will go to.

      Regardless, this has nothing to do with Wikileaks, and is completely the fault of whoever didn't make sure it was secured. But I bet Mike Huckabee won't call on that person to be brought up on charges of treason, even though they did in fact provably put people at risk.

      --
      Like a city whose walls are broken down is a man who lacks self-control.
    9. Re:Donutleaks strikes again! by Just+Some+Guy · · Score: 3, Insightful

      I mean, why would you let someone take away your government monopoly on legal substance abuse?

      You're making the same mistake as people who gripe about "Big Oil" instead of "Big Energy". Just as Exxon-Mobil will gladly sell you hydrogen or biodiesel or whatever else when we migrate off oil, plenty of companies in the recreational drug industry will cheerfully market pot if it became legal.

      Anheuser-Busch isn't in the business of selling you alcohol. Ultimately, they're in the business of getting you high. While they're currently most efficient at doing that by distributing ethanol, you can bet they could sell other stuff, too.

      And think of the Super Bowl ads. You think they're funny now?

      --
      Dewey, what part of this looks like authorities should be involved?
    10. Re:Donutleaks strikes again! by Gunkerty+Jeb · · Score: 2

      China was arguably the most sophisticated culture in the world, socially and technologically, but that stopped with the advent of widespread use and legalization of opium. By the end of the Opium Wars, China was a nothing, set back hundreds of years from the developing world. Some drugs should be legal. Many have no constructive use and are, to the contrary, quite detrimental to the functional society.

    11. Re:Donutleaks strikes again! by formfeed · · Score: 2

      If you're referring to the informants, IMO they are the terrorists.

      No, not terrorist. It is a time honored tradition that every witch you catch has to name two other witches.

    12. Re:Donutleaks strikes again! by ShaunC · · Score: 2

      Well, at least someone noticed the sig. :)

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    13. Re:Donutleaks strikes again! by uniquename72 · · Score: 2

      Correlation is not causation. There were much more serious cultural issues that led to China's decline than opium. In fact, Europe also experienced a major decline after the Opium Wars. Clearly BANNING opium is quite detrimental to the functional society.

      BTW, opium is morphine-based, and morphine is perfectly legal, and used by hospitals worldwide every day.

    14. Re:Donutleaks strikes again! by tophermeyer · · Score: 2

      Anheuser-Busch isn't in the business of selling you alcohol. Ultimately, they're in the business of getting you high. While they're currently most efficient at doing that by distributing ethanol, you can bet they could sell other stuff, too.

      If you keep carrying on that line of reasoning though, Anheuser-Busch is (like all companies) in the business of making profit. At the moment their core competencies are in the realm of making beer. As long as it is cheaper for them to continue to sell beer than to migrate into a new industry they will do that. Once they think they can make more profit by retooling to another industry, they will.

      That's why big-oil is so willing to pursue other energy sources. Because they predict that over time those alternative energy markets will be more profitable than oil alone.

    15. Re:Donutleaks strikes again! by Lashat · · Score: 2

      Well, thanks. However you are not providing an apples to apples comparison. Something is out of whack somewhere in the reporting of the story of the database itself.
      +The article says 200,000 names (not complaints) were leaked from the database.
      +Even if you add up the populations of each adjacent county including Grand County, Utah, that population only reaches 316,148
      =2/3 of the population from 7 counties are informants for Mesa County? I guess that is possible, but obviously Mesa County has some issues with their manpower/skillset. How does that tiny department manage all those informants let alone that pandemic of drugs in the hepta-county area?

      I'm calling BS somewhere on this situation. I don't know where for sure, but something is rotten in Mesa County beyond this leak.

      --
      For every benefit you receive a tax is levied. - Ralph Waldo Emerson
    16. Re:Donutleaks strikes again! by dmmiller2k · · Score: 3, Insightful

      Their slogan is not "100% accurate"; it's "Fair and Balanced", which, from all available evidence, they apparently interpret as a mandate for airing any crackpot viewpoint as valid counterpoint to, shall we say, less sensationalist perspectives.

      --

      "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    17. Re:Donutleaks strikes again! by davester666 · · Score: 3, Interesting

      Well, with security breaches like this one, they do go through a LOT of informants...

      They are EXTREMELY accident prone. Brake failures, falling anvils, gas furnaces blowing up, allergy attacks, you name it, it's happened to informants in the area.

      Authorities have no idea why.

      --
      Sleep your way to a whiter smile...date a dentist!
    18. Re:Donutleaks strikes again! by russ1337 · · Score: 2

      There was an entire documentary about this. I'm at work, so I'm not going to go googling for it, but I believe it was called "If Drugs Were Legal", or something to that effect. It talks about pharmaceutical companies making designer drugs that cause specific effects and side effects, allowing the user to tailor their experience to exactly what they want.

      Personally, I'm not so sure I'd be willing to take a recreational drug created by a pharmaceutical company, but the market would undoubtedly be massive.

      The entire movie appears to be on google video, but not working.

      There is a good debate here - around the movie: http://video.google.com/videoplay?docid=-9145573810535960472#docid=-3840911425491936015

    19. Re:Donutleaks strikes again! by nospam007 · · Score: 2

      "I'm at work, so I'm not going to go googling for it..."

      https://encrypted.google.com/

  2. What if by MrMarkie · · Score: 5, Insightful

    What if they didn't put that database on a server facing the internet? Could that be a good idea? Or maybe they should just return all their computers since they can't be trusted to use them securely... Let the flames begin.

    --
    /M
    1. Re:What if by AltairDusk · · Score: 4, Insightful

      I'd imagine the police in that county are going to have a very tough time getting information out of people now. Informants trust that the police will protect their identities, that trust has now been broken.

    2. Re:What if by GaryOlson · · Score: 5, Interesting

      What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers. This includes the CIO [if they have one], the city manager, the systems architect [whichever poor IT technician is erroneously saddled with this responsibility], and all law enforcement officers who access this data. Failure to pass security training and any breach of security by any individual would initiate immediate administrative leave and/or an Internal Affairs or FBI investigation.

      Certain data is a lethal weapon and should be treated appropriately.

      --
      Every mans' island needs an ocean; choose your ocean carefully.
    3. Re:What if by vlm · · Score: 2

      What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers. This includes the CIO [if they have one], the city manager, the systems architect [whichever poor IT technician is erroneously saddled with this responsibility], and all law enforcement officers who access this data.

      Let me guess, somebody with the proper political connections would make a lot of money by "training", but there would be no improvement in results?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:What if by Lumpy · · Score: 2

      2 reasons.

      1 - idiot manager syndrome. There are complete and utter morons in positions of power that make decisions like that. They go against all recommendations and do what they want because they know better! They are the BOSS!

      2 - hiring incompetent IT/Web-design because they can't understand why you need to actually pay that position a wage that attracts competent applicants. $12.95 an hour = guy who is handy and knows 'puters.... The position requires $35.00 an hour minimum to attract a competent guy that would have raised red flags all over the place when this was being designed.

      --
      Do not look at laser with remaining good eye.
    5. Re:What if by mcgrew · · Score: 4, Insightful

      The government is not out to get you

      It is if you're a pot smoker or Julian Assange.

    6. Re:What if by hairyfeet · · Score: 3, Interesting

      No they are the POLICE just like in Training Day. I have actually had a cop walk into my shop and ask me to hack into the state's email servers so he could see if his wife was cheating on him. He actually had the brass balls to say "I'm the police, it's okay" like those are magic words or something.

      Sadly if anyone thinks those cops actually give a shit about the lives of snitches after they have served their usefulness you got another thing coming. I bet if it wasn't for the stink the attitude would have been "oh well, too bad so sad". I can't speak for how it is up north but down here in the south the snitches have to worry about the crooked cops as much as their fellow junkies. A cop here in "meth alley" makes a grand total of 35k a year to get shot at and can easily make that in a month and NOT get shot at just by giving the dealers a heads up and looking the other way. I used to be friends with a dealer's son and she used to get a call from a cop in the dispatchers office before the cops were even given out the assignments so she knew when they were gonna be in the neighborhood before they did.

      In the end this kind of crap is just more proof the stupid drug war is just another monumental waste of taxpayer dollars. You would think after the failed booze war we would have learned, but I think a speech I heard years ago from an ultra conservative no less (I think it may have been William F Buckley) made the stupidity of the drug war clear as a bell for even the most clueless I've spoken to: "If I put a bottle on the table with a skull and crossbones on it and say 'This is poison. It will destroy your health, family, marriage, and ultimately kill you' and you push me out of the way and down the bottle? Well then frankly you are too stupid to live. Why should I have to spend billions building a fence around the bottle and cages to put you in, just to keep you from drinking it?"

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:What if by Abcd1234 · · Score: 2

      Nah. You just need to be a black or poor pot smoker. Last I checked, an Ivy Leaguer with an ounce of green wasn't getting arrested on a regular basis.

  3. This isn't a leak. by El+Neepo · · Score: 5, Insightful

    The article makes this situation comparable to the current wikileaks situation, which it isn't.

    Some IT person left the data freely accessible on the internet and eventually a crawler found it. They're guessing it was a malicious person but in all odds it is not.

    This is just another IT mistake not an act of whistleblowing or terrorism or something else the government wants to make illegal.

    1. Re:This isn't a leak. by Sockatume · · Score: 2

      The Wikileaks comparison has more to do with the Sheriff's Office's response to the leak, than the nature of the leak itself. They could've run around saying they were going to track down and dismember anybody who has a copy of the file, but instead their comments to the press focus on the nature of the problem, its possible consequences, and what they're doing about those consequences. Compare to the Wikileaks situation where much of the political hot air is about leaning on one group that's disseminating the information, as though eliminating Wikileaks would somehow stop the information getting around by other means.

      --
      No kidding!!! What do you say at this point?
    2. Re:This isn't a leak. by gpuk · · Score: 2

      The joke of it is, this mistake/negligence probably has a higher risk of leading to someone getting killed than the wikileaks release does.

  4. A concession to reality by Sockatume · · Score: 3, Insightful

    "'The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control'"

    That's a remarkably pragmatic approach, and portrays the Sheriff's office as focussed and efficient. Public perception matters a lot in these instances, and while they could've threatened to rip off the ears of anyone who shares the files, it would have had no effect on actual information sharing, at a great cost to their public image in at least some quarters.

    It's also nice to see that someone understands what "information wants to be free" means: that information tends to be free, and you have to plan for this.

    --
    No kidding!!! What do you say at this point?
  5. Charges by crow_t_robot · · Score: 3, Interesting

    I hope someone at the Sheriff's office will be charged with felony negligence for this. I know that leaving a weapon where it can be accessed by a child or a felon is against the law so it should be logical that leaving a database of information open to the world that could easily destroy many lives is worth a felony too.

    "To Serve And Protect"...

    1. Re:Charges by mcgrew · · Score: 2

      The information is first hand information. In the late '70s when I was in college and my hair reached my ass, the price of pot got a little high (one guy had pretty much got a monopoly in my town) and I decided to go to a different city and buy a pound, figuring it would last a long time. It didn't; I wound up selling to five or six friends.

      One of them got busted. I was lucky; he showed up at my doorstep and I didn't even recognise him, he'd shaved and cut his hair. He confessed and apologized that he'd turned me in after the cops found some growing in his back yard. The next day a cop I'd known since I was a teenager showed up, and informed me confidentially that I was being investigated. I asked him what I should do, he said if I moved out of the county nobody would bother me. I was appreciative for the information, he could have gotten in trouble for telling me that.

      A few years later my house was burglarized (VERY nice stereo and all my records stolen). I found out from a different cop I'd known that they'd caught the burglar, and let him go for turning in some dope dealers. I never got my property back.

      A few years after that, a friend's brother called me asking if I wanted to buy some cocaine. I said "no", that I didn't do coke, and he asked me if I could loan him $500 bucks to buy some. I said I didn't have the money.

      It wasn't long after that that he and most of my now ex-wife's graduating class went to prison. Seems the dealer I mentioned above, the one who had the town's dope trade sewn up, had turned in not only all his customers, but everyone he knew. He'd turned my friend's brother in, and my friend's brother didn't even mess with drugs at all. The dealer gave him an offer that was hard to refuse, the same offer my friend's brother offered me -- loan a grand for dope and get two grand back a week later. My friend's brother and most of my ex-wife's graduating class spent the next four years in Federal prison for conspiracy to distribute cocaine.

      The dealer spent two years in prison.

      Drug laws don't simply cause corruption, the whole goddamned system is corrupt to the point of pure evil.

  6. 200,000 CI's? by Organic+Brain+Damage · · Score: 4, Interesting

    Deputies have used the database since 1989 to collect and share intelligence gathered during the course of police work. It contains 200,000 names — Mesa County's population is about 150,000 — and includes investigative files from a local drug task force.

    Is it just me or does it seem odd to you that they have 200,000 confidential informants in a county with a population of 150,000? What the frack is going on in Mesa County?

  7. We can all help them by Again · · Score: 3, Funny

    Everyone on Slashdot should download as many copies as they can and then delete them (Shift + Delete only!). That way the world will run out of copies and everyone will be safe.

  8. Just law enforcement? by Toe,+The · · Score: 3, Insightful

    What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment...

    I don't see why that last phrase is on there, i.e., why the statement should be restricted to law enforcement. IT staff in every internet-connected company which stores data on other people (which is most companies larger than a mom&pop gas station these days) have a responsibility to the people that data pertains to.

    Every time I hear about another database getting hacked, I blame the idiots who let it happen. It makes me really leery of doing simple things like buying *anything* from *anywhere* with a credit card, because I am entrusting the seller to keep my data secure. And so many of them demonstrate that they have not earned that trust.

    Do you think doctors' offices maintain good data security? Or the local pizza place that has an account for you? It's pretty amazing how open our data is to those who wish to harvest it.

    But the sad truth is that in the end IT is seen as a cost center that needs to be minimized. And security... well, that's like insurance. You don't need it until you need it (at which point of course it is far too late).

    1. Re:Just law enforcement? by mlts · · Score: 2

      I can sum it up by a phrase said to me by many PHBs that ignore basic security:

      "Security has no ROI".

      Until this attitude gets changed by laws with actual teeth, expect to continue to see more of "xxx hacked, millions of people's data exposed" stories.

      Two laws are needed: The first is obvious -- follow due diligent security practices or be shut down. A restaurant that doesn't pass health inspections gets shut down. Same with a store in a mall without a sales and use tax permit.

      It doesn't take much brainpower to turn on hard disk encryption to protect from theft. BitLocker, TrueCrypt, or PGP are no brainers. All mainstream Linux distros support encryption. AIX supports encryption both in the filesystem, and on the hardware itself. The EMC CLARiiON supports encryption on a LUN basis. Solaris supports encryption in ZFS. Every enterprise backup system has encryption built in, and the latest generation of tape drives have it in hardware. There is no excuse for physical data loss.

      Network security isn't that difficult either. It doesn't take many brain cells to have a decent IDS/IPS, use VLANs to isolate machines from each other, so database connections are only accessible by machines that need access,

      Web security is doable too. If a Web server only needs a subset of what a database has, create a view and lock the webserver to that view so it can't see anything other than the tables handed to it. If there is really sensitive data, have multiple hosts on separate VLANs, so the juicy stuff is separate from what isn't.

      Document security isn't tough, although it limits where documents can be viewed and can be F/OSS hostile. Microsoft's RMS is a decent solution so a Word document that ends up walking off won't be viewable outside the company. Another way to keep documents secure is to use Citrix and keep the critical stuff on a terminal server. This takes care of accidental loss/distribution of documents. Deliberate screenshot snapping, or even people sneaking a camera in is a HR or even a law enforcement issue, not a technical one, and no DRM is going to stop someone dedicated enough unless a business wants to strip search everyone entering and leaving.

      Of course, this means a SMB doesn't have to be 100% secure, but they need to at least follow the same precautions as a cafe does when preparing food so their patrons don't come down with a case of food poisoning. There are so many tools and appliances for doing this, it isn't that difficult.

      Basic computer security isn't rocket science, but because it doesn't earn businesses money, it ends up being given lip service in a lot of forms and that's it.

      The second law is also obvious -- expiration dates on data, and this means expired as in -gone-. Not stored in plaintext on an archive tape in offline storage. Not stored in the cloud where a rogue admin at the cloud site can slurp off the data to sell. The data is expired as in deleted, or cryptographically expired where the key is deleted and the data is rendered inaccessible.
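
Added example, not part of the original thread or of the comment above: one way to apply the "create a view and lock the webserver to that view" advice in PostgreSQL. The schema, table, column and role names are hypothetical and the schema is constructed for illustration.

```sql
-- Constructed schema: an internal records table that mixes publishable
-- fields with data that must never reach the web tier.
CREATE SCHEMA records;

CREATE TABLE records.case_contact (
    contact_id   bigint  PRIMARY KEY,
    case_no      text    NOT NULL,
    full_name    text    NOT NULL,
    ssn          text,
    phone        text,
    home_address text,
    is_informant boolean NOT NULL DEFAULT false,
    public_ok    boolean NOT NULL DEFAULT false  -- set only after review
);

-- A separate schema holds the only objects the web server may touch.
CREATE SCHEMA web;

-- The view names its columns explicitly (no SELECT *), so a column added
-- to the table later is not exposed by accident. security_barrier keeps
-- user-supplied functions in a query from being evaluated against rows
-- the WHERE clause is meant to filter out.
CREATE VIEW web.public_case WITH (security_barrier) AS
    SELECT case_no, full_name
    FROM   records.case_contact
    WHERE  public_ok
      AND  NOT is_informant;

-- The web server logs in as its own role. It owns nothing, and it is not
-- the owner of the view or of the table behind it.
CREATE ROLE web_app LOGIN;   -- credentials are provisioned separately

-- Make the absence of access explicit, then grant the single path in.
REVOKE ALL ON SCHEMA records FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA records FROM PUBLIC;
GRANT  USAGE  ON SCHEMA web       TO web_app;
GRANT  SELECT ON web.public_case  TO web_app;

-- Audit queries to keep with the deployment: what can web_app read, and
-- does it have any route to the underlying table?
SELECT table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'web_app';

SELECT has_schema_privilege('web_app', 'records', 'USAGE')                AS can_enter_records,
       has_table_privilege('web_app', 'records.case_contact', 'SELECT')   AS can_read_table;
```

Because a PostgreSQL view is evaluated with its owner's privileges by default, `web_app` can read `web.public_case` without holding any privilege on `records.case_contact`, so a compromised or misconfigured web tier is limited to the reviewed columns and rows.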

  9. WikiLeaks-Style?! by miro2 · · Score: 4, Insightful

    Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet.

    Let's hope they post it WikiLeaks-style. That would mean they spend months coordinating with journalists to redact names and other information that might put individuals' lives at risk. Then, they would only release a few select important parts of the material in a completely responsible manner.

    Of course, that is not what the editors and poster were trying to convey by 'WikiLeaks' style. Why insert this useless anti-free-speech FUD into the story?

  10. Not like by betterunixthanunix · · Score: 2

    More likely, if any informants are harmed, it will be used to justify an escalation.

    --
    Palm trees and 8
  11. Wikileaks-style? by Lazareth · · Score: 2

    What wikileaks stands for is total transparency of how governments (and other large entities) go about their business, not total transparency in the form of all information about everybody anytime. Else wikileaks wouldn't take their time redacting information for safe public consumption (gasp! they do that?) and would just release the information as fast as they can verify it.
    The difference? The focus of this /. article is about how names of informants and the like have been leaked and can therefore be a danger to said informants. The focus is not on, say, what methods were used to make said informants talk or how evidence was collected to nail a criminal. The former has nothing to do with how wikileaks operates, the latter does.

    This "leak" is a world apart from what wikileaks does and makes an unfair comparison that deviles what wikileaks does.

    That said, it is understandable that any unwilling exposure of a large amount of information is mislabeled "wikileaks-style" simply due to the sheer association between wikileaks and leaks in general these days... But visibility doesn't make it a correct association.