Slashdot Mirror
Clarificiation on the IP Address Security in Dropbox Case
At issue was the list of IP addresses that had accessed the Dropbox account of Orange County Mayor Teresa Jacobs. A public interest group called Organize Now wanted to know whether the documents in her Dropbox account had been shared with outside parties, such as lobbyists, and filed a public records request to obtain the access logs. The county provided the logs with the IP addresses redacted, claiming that they were withheld for security reasons; Orange County asked a court to declare that there was no legitimate security-related reason for the IP addresses to be blacked out. On Monday, Judge Robert Egan ruled that the county had to release the unredacted version of the logs.
In the judge's ruling, he trivially rejected some arguments that the county had made, determining for example that IP addresses by themselves were not "data processing software" (duh). The trickier question was whether the IP address logs could be considered "information relating to security systems", and whether publishing the IP addresses in the logs could enable a security breach.
Judge Egan correctly wrote that all the IP addresses did was "identify specific computers used to access Dropbox" (actually, of course, computer IP addresses can change, and if the computer is behind a proxy server then it will be the proxy server's IP address that shows up in the log; but that's close enough, let's give it to him). He rejected the county's analogy to another case, in which a judge ruled that the city of Clearwater did not have to turn over the names and addresses of residents who had installed a particular alarm system; Judge Egan said that confidentiality in that case was more obviously justified, because there's no public interest in giving thieves a list of houses to avoid hitting.
However, in declaring that there was no good reason for the IP addresses to be redacted, Judge Egan wrote:
While the County has expressed a legitimate concern that disclosure of IP addresses would constitute an additional security threat because they would identify specific computers used to access Dropbox, which would then become potential targets for hacking, it also acknowledged that it already identifies 20,000-30,000 intrusion attempts daily and it has measures in place to deal with those attempts.
When Judge Egan says "it already identifies 20,000-30,000 intrusion attempts daily", it's not clear whether "it" refers to Dropbox, or the county's own computer system (presumably the latter, since 30,000 seems a bit low for Dropbox). But either way, the argument fails because the "measures in place" only refer to protection for the Dropbox servers and/or the county's own servers. If the mayor ever connects to Dropbox from her home computer, and the logs can be used to identify her home IP address, then the "measures in place" won't do anything to stop an attacker from trying to attack her home computer. And if an attacker can take control of her home computer, and her home computer is set up to log into Dropbox automatically, then the attacker can use her home computer to access the Dropbox files, and those accesses will look indistinguishable from legitimate accesses from the mayor herself.
In this scenario, the biggest obstacle to an attacker is that knowing the mayor's home IP address would normally not be enough information to take over her computer. Even if the attacker had knowledge of a security vulnerability in the operating system being used on the mayor's home machine, it's usually impossible for an outsider to connect directly to a user's machine, because the machines are behind wireless routers which are shared with other computers in the same house. (An attacker could first find a way to hack the security of the router, and re-program it to forward incoming Internet traffic to the mayor's computer, and then find a way to compromise the home computer -- but that's two security systems that have to be hacked independently, and every extra hurdle reduces the chances that you'll be able to clear all of them to pull off an attack.)
A much easier attack would be to try to get the mayor to view a web page from one of her computers -- either her home computer or her office computer, as long as it's one of the computers that she uses to access the Dropbox account -- and then try to infect that computer using code on the web page itself which exploits a security vulnerability in the web browser. (Web browser security vulnerabilities are quite common, compared to the far more rare security holes which allow you to take over a computer by sending traffic to its IP address.) To do that, all you need would be to reach the mayor directly, or talk to someone who would pass information on to her: "I'm a concerned constituent, and here's a web page that I've set up describing my plight and how the county government could help." Wait, scratch that: "I'm a concerned consituent, and here's a web page describing the dirt that I've dug up on your opponent."
And if the mayor does visit your web page, even if you don't succeed in infecting her computer or taking it over, at least now you've got her IP address.
So a better line of reasoning would have gone something like this:
"It's not inconceivable that someone could use the IP addresses in the logs to facilitate an attack, and anyway, the county's 'security measures' wouldn't do anything to prevent an attack against, say, the mayor's home computer. However, it would be much easier for an attacker to attempt an attack by other means (e.g. a browser vulnerability), and in any case it would not be hard for an attacker to find the mayor's IP address indirectly, without even resorting to any security breaches. So the disclosure of IP addresses has only a negligible effect on the odds of a break-in."
Run that through your standard judicial IWentToHarvard-izer, replacing a couple of random words with their longest equivalent in the thesaurus, and you've got a pretty solid legal opinion.
Then again, maybe some other Florida public servants are in more urgent need of training in how IP addresses work. After the judge's ruling, Rafael Mena, the mayor's Chief of Information Systems & Services, said in a statement:
"We don't agree with the decision. We are responsible for protecting crucial public health and safety infrastructure, including our 911 systems, our jail facilities, and providing clean drinking water to more than a half million residents. Internet Protocol (IP) addresses control everything from the cameras at the courthouse to the locks on the jail cells. We're also concerned about the security of the health records and financial information of thousands of citizens. Releasing IP addresses leaves organizations vulnerable to the type of security breaches that the public sees every day on the news."
Drinking water. OK, forget press releases for a second: If you were the head of security, and you asked your assistant head of security to evaluate the impact of releasing the IP addresses that had accessed the mayor's Dropbox account, and your assistant gave you a reply like the one above, what would you think? Would you put up with that nonsense from someone who worked for you?
Well, government security officials do work for us. The people of Orange County should tell Mr. Mena: If you want to try and bamboozle people with irrelevant factoids and scare them with veiled references to terrorist threats, go get a lucrative job in the private sector! As soon as you finish stocking up on botted water.
Uh... no.
#DeleteChrome
That's the best kind of correct!
Keep Reading to see what Bennett has to say about the case.
And you expect this to increase page hits? Does the Spock in your universe have a beard?
Please stop using the front page as your personal blog. May you <insert-untimely-thing-here> in a <insert-energetic-thing-here>.
but... go to hell Bennet. Go to hell Slashdot. Please stop with this shit.
Please please please stop posting Bennett Haselton's crap
i started reading, looked interesting, spotted the name - goddam trolled again. fuck you bennett, why the fuck are you blogging here you wet blanket soppy mug squidgy brained muthafucker
I am on my one remaining knee.
I mean that, why? This is an incredibly crappy post. As is anything Bennet writes... The readers of this site avidly hate Bennet. Why do you keep posting his crap?
...oh it's Bennett. Anyone else want to post here first? Anyone? Maybe you're all still reading the 28 paragraph TFS?
Nothing posted to
Please learn to fucking spell before you post. "Clarificiation"? I mean fuuuck. I don't expect much from Sammypuss, but I expect Bennet Hasselhoff, the great and glorious leader of GayWAD to do better!
GayWAD! GayWAD! GayWAD!
You know what, screw it. Just piss off already.
We need a logo for posts that are just about swearing at Bennett. Dunce cap?
Judge Egan correctly wrote that all the IP addresses did was "identify specific computers used to access Dropbox" (actually, of course, computer IP addresses can change, and if the computer is behind a proxy server then it will be the proxy server's IP address that shows up in the log; but that's close enough, let's give it to him).
No, moron, let's not "give it to him", unless "it" refers to "a firm tongue lashing for getting it wrong wrong wrong." He's just created exactly the precedent that you don't want created: "the IP address identifies specific computers". It's not "close enough" when **AA claims it in court, it's not "close enough" when a judge says it regarding a FOIA case.
Who the hell are you?
So we can be over with this shit, JonKatz2.0
http://tech.slashdot.org/story/01/11/17/204207/message-from-kabul
Someone, who has no apparent power, wants to correct a judge. Just because they think they're right and the judge had inaccurate reasoning, despite coming to the same conclusion. (There's a good XKCD comic on the subject of correcting people in the Internet.) The critic's opinion will carry no legal weight. The same critic has a history of proposing long-winded, half-baked ideas to correct issues he sees with various societal inefficiencies that have gone no-where. I'm not going to waste my time.
Would someone be so kind as to please remind me how we can block posts from a given author?
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Every slashdot reader and their mother, to say nothing of the dog, hate reading these inane Haselton blog posts, why do they keep being posted? I mean most of the posts on these "stories" are about how stupid the "story" is, showing it is probably the only Slashdot feature that is more annoying than the beta, and yet they keep on coming... Is there some sort of strong affiliation? Is slashdot simply paid by this Bennett guy? If it is, I would probably be more understanding - I know how the world works - just tell us it is so and we will move on...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
That was an interesting clarificiation.
Filter error: You can type more than that for your comment.
Bennett Haselton spends 1341 words on what should be a 3 sentence summary.
If you want to know whether X accessed the mayor's dropbox (why is the mayor using dropbox in the first place) then you need to
a. get the IP addresses & times that they were used to access it
b. match the IP addresses to ISP user accounts at those times
Now, if the judge does not support you, personally, having access to the IP addresses then the judge can appoint a disinterested 3rd party do handle it. You are only interested in the ISP user accounts and whether those belong to lobbyists.
There! Done! And no need for Bennett Haselton's weird tangent on cracking via web browsers.
Sorry to interrupt the usual "hate on Bennett" fest, but I read the article and have a question.
In the judge's ruling, he trivially rejected some arguments that the county had made, determining for example that IP addresses by themselves were not "data processing software" (duh).
And if the mayor does visit your web page, even if you don't succeed in infecting her computer or taking it over, at least now you've got her IP address.
Alright, so with that in mind, lets say your at home, laying in bed, kinda half asleep. It's dark, but you glance over and see something shimmering near the trash can you keep across the room. You kinda wake up enough to look closely at it and notice movement. Paniced you flip on your bedside lamp and are horrified to see spiders, lots of spiders, just pouring out of the trashcan. I'm not talking like one of those little nest things breaks open, I'm talking like a carpet of spiders, way more then should physically be able to occupy the space in the trash can, just pouring out covering the whole floor. You grab your blanket for what protection it provides and shimmy into the corner of your bed as they begin crawling up the frame. Just as you think you are about to completely lose your mind, they stop. In the sea of spiders covering your floor, walls, and half of your bed, you notice one spider that stands out. Slightly larger and a bit shiny, it makes its way through the crowd of its brothers and sisters toward you. Stopping just at the edge of your bed sheet it looks straight at you and asks a single question.
What do you think that question would be?
I will trade you my firstborn pygmy possum to pull this proactively pissy prose from the front page of Slashdot.
In other news, can we just ban Bennet? Can't we report every post he makes, tag every story he posts as "nothanks", and just generally downmod him until he can't post more than twice a day?
Please die.
Rafael Mena, the mayor's Chief of Information Systems & Services, said in a statement:
Because what this Chief dipshit saw was totally wrong. And even our favourite blogger noticed it.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
...and no one cares. I think we should however appeal to some sort of internet tribunal as to whether wasting so much space on this, on such a high traffic website like Slashdot, warrants a sentence of an electronic gag device.
Keep Reading to see what Bennett has to say
Nope. I guess I've already learned my lesson. The only reason I clicked into this story was to add my complaint to the list of comments. Bennett's posts have too much of a track record for inferiority. I join those who do not want to see that name on the main page.
If articles from Bennett must be included, may they be a sub-board or default-collapsed or whatever.
Posting Bennett articles generates additional complaints.
If Bennett is so completely unwanted on this blog, why don't we do something about it?
In the manner of the fine people at 4chan, suppose we referred to Bennett in the past tense - as if he had passed away. Make all of our responses polite and sincere, but with the assumption that he is no longer with us.
Here's the kicker: the internet works by consensus. If there's an abundance of commentary referring to him in the past tense, it'll get picked up and echoed everywhere, possibly by Wikipedia. I don't know what the full ramifications would be, but hopefully it will play hob with his attempts to get traction on the net. Anyone who googles for him by name or things he has said will get the impression that he's unavailable for comment, interviews, and possibly employment.
Of course, we need to give Bennett fair warning, so I propose the following:
Starting with the next Bennett Haselton article on Slashdot that's more than 2 short paragraphs, we start referring to Bennett in the past tense - as if he had passed away. We're going to start a new internet meme.
Pleading, complaining, and asking has had no effect and we've certainly done due diligence.
It's time to take action.
The author draws more attention than the subject.
On that note, I'm Godwinng this fucker right now:
All propaganda has to be popular and has to accommodate itself to the comprehension of the least intelligent of those whom it seeks to reach.
So there! PFFFT! I fart in your general direction..
Fuck right off, ok? We're not here to listen to your bullshit, assholes!
But I... can... no longer... resist... the tide.
Very well. This article sucks. Most of Bennett's articles mostly suck.
Where do I pick up my bucket of tar and feathers?
Il n'y a pas de Planet B.
IP is not an ACCURATE ENOUGH identifier to send you to jail.
Sorta the way your car's lenience plates alone would not be good enough for such a purpose.
It must be proven beyond doubt that YOU were the one driving the car that ran over Justin Bieber.
But it is accurate enough for someone to come to the physical address associated with IP at that time and toss a Molotov cocktail through the window to send you a message that they don't like your comments on the "Beliebers" forum.
Hence, privacy issues.
Mit der Dummheit kämpfen Götter selbst vergebens
It's "Duty Calls". http://xkcd.com/386.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
It is not sufficient for prosecution.
First off, an IP address can be re-assigned. So you'd need an IP address and date/time to be able to link it to a specific ISP account.
Each account can have multiple machines behind it that may or may not belong to that account (depending upon the security of their wireless network for example or whether any have been cracked already).
So an IP address is not sufficient for prosecution BUT it can be a personal privacy issue.
Bennett Haselton needs to go away.
I love reading the comments on Bennett's posts, though. Makes me miss the old Microsoft-hate and vi-vs-emacs comments. Now everything is all level-headed +1 Informative. Bah.
OOoooo, look @ the wannabe clever little homo fuck flopsquad *trying* to "play smart". Ever wonder why you're such a loser? Don't. Your entire life and attitude show you're just a nerd loser fuckwad that skulks in the shadows and plays wiseguy online. Have a nice life (in poverty), ya little irrelevant fuckwad.
Lmao: The nerd worm's STILL *trying* to "play smart". Pity you don't realize what a waste you are.
Perfect! Judging by the ac replies after it you got to that little worm douche flopdick.
TAKE A READ http://features.slashdot.org/c...
Did Bennett suddenly earn his JD and take his oath? If not, then he can kindly shut the fuck up.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Good grief. I'm a resident of Orange County Florida. So I actually read the "summary" since I was curious.
This has been all over the local newspaper lately. The upshot is that like many places, Florida has a public records law. The law has a cute name : "government in the sunshine". The county is storing documents in a Dropbox account. A citizens group is concerned that lobbyists may have access to the account and may be hiding some things in there from the public. So the citizens group wants to know who has accessed the account.
If you want to read a lot more on this, don't read the summary, read these newspaper articles:
Orlando Sentinel 9/26/2014
Orlando Sentinel 11/12/2014
Orlando Sentinel 11/24/2014
It would be really nice if Bennett Haselton, who already has a Slashdot account, decided to make a post regarding his position of power on Slashdot. He can't possibly be ignorant of his impression by the readers - he knows how he's perceived, and despite the negative reactions to his postings he continues to make long-winded posts as if large essays are more persuasive than a few simple, clear, easy to digest sentences.
If he explained how he came to have such an elevated position of posting power on Slashdot, it'd at least explain a few things.
Now that Slashdot's blog feature is up and running, I can't wait for for something that lets Bennett pin interesting pictures to the front page!
tl;dr - Fuck you, Bennett. Nobody likes you, your submissions are long-winded while saying nothing, and you are a cancer on the already diseased pustule that is Slashdot. Stop trying to turn it into your personal blog and go languish on WordPress with all the other wannabe journalists.
I have little respect for Bennett's excessive, often not carefully considered, and mostly useless prose, so I don't come to Bennett threads to actually read what spews forth from his keyboard. I read them because I find the new and different ways he gets panned by the Slashdot readership to be entertaining. He's like the Slashdot Punching Bag - you punch him, and he invariably swings back again a little later for more.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Who do you dislike the most:
1) Bennett
2) systemd
3) The switch rape girl
lucm, indeed.
So many people in his posts complaining. Oh, the hate does fly.
Why not just ignore the posts if they are so unloved? Are his posts somehow stopping other posts? Preventing other important news from showing? Just skip them! Don't come in and make angry comments or belittle the guy. Treat him like a troll, and don't feed him.
Please do yourself and everyone else a favor and shut the fuck up
This whole "talking about technology" thing isn't for everyone. In particular, it isn't for you, so just stop
See my subject-line above? You mean you + sockpuppets you made + ac posts is more like it. Who're you *trying* to bullshit, yourself?? Are you some disgruntled old girlfriend of his or some wannabe he got the better of in technical debate, that you go through such efforts to attempt to hurt him??? It looks it. Guess it goes to show you that YOU and your sockpuppets + ac posts don't matter. The mgt. here isn't listening to your crap.