Clarification on the IP Address Security in Dropbox Case
At issue was the list of IP addresses that had accessed the Dropbox account of Orange County Mayor Teresa Jacobs. A public interest group called Organize Now wanted to know whether the documents in her Dropbox account had been shared with outside parties, such as lobbyists, and filed a public records request to obtain the access logs. The county provided the logs with the IP addresses redacted, claiming that they were withheld for security reasons; Orange County asked a court to declare that there was no legitimate security-related reason for the IP addresses to be blacked out. On Monday, Judge Robert Egan ruled that the county had to release the unredacted version of the logs.
In the judge's ruling, he trivially rejected some arguments that the county had made, determining for example that IP addresses by themselves were not "data processing software" (duh). The trickier question was whether the IP address logs could be considered "information relating to security systems", and whether publishing the IP addresses in the logs could enable a security breach.
Judge Egan correctly wrote that all the IP addresses did was "identify specific computers used to access Dropbox" (actually, of course, computer IP addresses can change, and if the computer is behind a proxy server then it will be the proxy server's IP address that shows up in the log; but that's close enough, let's give it to him). He rejected the county's analogy to another case, in which a judge ruled that the city of Clearwater did not have to turn over the names and addresses of residents who had installed a particular alarm system; Judge Egan said that confidentiality in that case was more obviously justified, because there's no public interest in giving thieves a list of houses to avoid hitting.
However, in declaring that there was no good reason for the IP addresses to be redacted, Judge Egan wrote:
While the County has expressed a legitimate concern that disclosure of IP addresses would constitute an additional security threat because they would identify specific computers used to access Dropbox, which would then become potential targets for hacking, it also acknowledged that it already identifies 20,000-30,000 intrusion attempts daily and it has measures in place to deal with those attempts.
When Judge Egan says "it already identifies 20,000-30,000 intrusion attempts daily", it's not clear whether "it" refers to Dropbox, or the county's own computer system (presumably the latter, since 30,000 seems a bit low for Dropbox). But either way, the argument fails because the "measures in place" only refer to protection for the Dropbox servers and/or the county's own servers. If the mayor ever connects to Dropbox from her home computer, and the logs can be used to identify her home IP address, then the "measures in place" won't do anything to stop an attacker from trying to attack her home computer. And if an attacker can take control of her home computer, and her home computer is set up to log into Dropbox automatically, then the attacker can use her home computer to access the Dropbox files, and those accesses will look indistinguishable from legitimate accesses from the mayor herself.
In this scenario, the biggest obstacle to an attacker is that knowing the mayor's home IP address would normally not be enough information to take over her computer. Even if the attacker had knowledge of a security vulnerability in the operating system being used on the mayor's home machine, it's usually impossible for an outsider to connect directly to a user's machine, because the machines are behind wireless routers which are shared with other computers in the same house. (An attacker could first find a way to hack the security of the router, and re-program it to forward incoming Internet traffic to the mayor's computer, and then find a way to compromise the home computer -- but that's two security systems that have to be hacked independently, and every extra hurdle reduces the chances that you'll be able to clear all of them to pull off an attack.)
A much easier attack would be to try to get the mayor to view a web page from one of her computers -- either her home computer or her office computer, as long as it's one of the computers that she uses to access the Dropbox account -- and then try to infect that computer using code on the web page itself which exploits a security vulnerability in the web browser. (Web browser security vulnerabilities are quite common, compared to the far more rare security holes which allow you to take over a computer by sending traffic to its IP address.) To do that, all you need would be to reach the mayor directly, or talk to someone who would pass information on to her: "I'm a concerned constituent, and here's a web page that I've set up describing my plight and how the county government could help." Wait, scratch that: "I'm a concerned constituent, and here's a web page describing the dirt that I've dug up on your opponent."
And if the mayor does visit your web page, even if you don't succeed in infecting her computer or taking it over, at least now you've got her IP address.
So a better line of reasoning would have gone something like this:
"It's not inconceivable that someone could use the IP addresses in the logs to facilitate an attack, and anyway, the county's 'security measures' wouldn't do anything to prevent an attack against, say, the mayor's home computer. However, it would be much easier for an attacker to attempt an attack by other means (e.g. a browser vulnerability), and in any case it would not be hard for an attacker to find the mayor's IP address indirectly, without even resorting to any security breaches. So the disclosure of IP addresses has only a negligible effect on the odds of a break-in."
Run that through your standard judicial IWentToHarvard-izer, replacing a couple of random words with their longest equivalent in the thesaurus, and you've got a pretty solid legal opinion.
Then again, maybe some other Florida public servants are in more urgent need of training in how IP addresses work. After the judge's ruling, Rafael Mena, the mayor's Chief of Information Systems & Services, said in a statement:
"We don't agree with the decision. We are responsible for protecting crucial public health and safety infrastructure, including our 911 systems, our jail facilities, and providing clean drinking water to more than a half million residents. Internet Protocol (IP) addresses control everything from the cameras at the courthouse to the locks on the jail cells. We're also concerned about the security of the health records and financial information of thousands of citizens. Releasing IP addresses leaves organizations vulnerable to the type of security breaches that the public sees every day on the news."
Drinking water. OK, forget press releases for a second: If you were the head of security, and you asked your assistant head of security to evaluate the impact of releasing the IP addresses that had accessed the mayor's Dropbox account, and your assistant gave you a reply like the one above, what would you think? Would you put up with that nonsense from someone who worked for you?
Well, government security officials do work for us. The people of Orange County should tell Mr. Mena: If you want to try and bamboozle people with irrelevant factoids and scare them with veiled references to terrorist threats, go get a lucrative job in the private sector! As soon as you finish stocking up on bottled water.
Use this greasemonkey script to hide Bennett's shit from the main (and "older") pages. http://pastebin.com/RWCxT0jJ
(I disable it once in a while to check for his shit so I can tell people about the script.)