Criminal Hack versus FOIA request: The Showdown

Posted on 10 September 2011 by

It’s been a whirlwind week, and that’s pretty much all I have to say about that. The commercial data loss prevention firm IdentityFinder set its product to search through the 3GB dump of data that criminal hackers stole from Texas law enforcement agencies last week.

IF published its findings on Wednesday, which were quoted in several media outlets. The IF report does not list any of the data, but rather catalogs its impact in terms of data breach.

According to the report, the dump contained a relatively small cache of PII, including 418 unique Social Security Numbers, 26 unique credit card and bank account numbers, and other information.

Now, as we said last week, the criminals released lots of embarrassing emails. These contained racist and sexist jokes, pornographic, risque and PG-13-rated images and other stupid crap that no police officer should ever have had on his computer in the first place.

They also released officers’ personal information, the personal information of civilians, some intelligence reports labeled Law Enforcement Sensitive and described incorrectly by the hackers as Classified*, a whole lot of administrivia, and a whole bunch of work-related stuff like rosters and patrol schedules and the like.

There has been lots of fallout, and law enforcement officers in Texas are, well, unhappy.

The most interesting comment, though, came in the Fort Worth Star-Telegram’s coverage of the incident. Entitled “Police e-mails were vulnerable to hackers’ attack,” the piece contains the best quote of this entire affair. It is from Saginaw, TX police chief Roger Macon, my new hero.

Macon told the Star-Telegram:

“Ironically, they could have had … a whole lot more [e-mails] just by sending a public information request.”

Awesome! What an amazing, astute and accurate quote.

In fact, this is the single best analysis of these attacks against law enforcement.

We wondered, so we spoke to a lawyer, who tells us that in fact, the chief is right.

Let’s say you think law enforcement officers are using their computers for porn and racist humor and making fun of people. First, though it’s by no means necessary, you’d want to get a lawyer. File a civil suit to get disclosure of the non-investigative emails from an agency. You’d need to convince the judge that this is likely; however, a good lawyer can make the case that taxpayer dollars paid for the machines and the people who placed the information upon them, so you’d probably prevail. Prolly cost you a thousand bucks – since you’ve got lots of friends, ask 100 of them for $10 and you’re good to go.

The agency would release the emails and you could go to town, plastering them on websites and declaring victory, publicly. You could print them out and place on Facebook photographs of you holding the printouts, smiling.

Legally. Or, as AnonymousIRC tweeted, use the ACLU’s Guide to Fighting Police Abuse: A Community Action Manual, which tells you specifically what kinds of information to look for.

Or, you can take the current route, which is to claim a high moral calling, get a bunch of people whipped up into a heady froth, encourage them to commit felonies and then target law enforcement computers, gaining a momentary splash and getting less than what you would have got had you done it legally.

And in the process, these acts threaten and directly attack cops, who have investigative skills and authority to investigate crime.

It’s short-sighted, to say the least. Here’s one example: Let’s suppose for a moment that you’re caught. At some indeterminate time in the future you might turn your attention, for example, to seeking legitimate employment. You know, to eat.

A felony mark in your record will be a real conversation starter at job interviews.

Especially job interviews in the IT department.

Five years from now, when Anonymous is not in the news, the only people who won’t have forgotten the attacks will be your victims, you and your potential employers.

It’s just like one of the conversations we had with an Anonymous supporter some time back**: he mentioned the PayPal boycott. That was ultimately dramatically more meaningful to PayPal than the DDOS attack which took PayPal down for eight hours: the boycott deprived PayPal of money, of customers. Ultimately, that is the most effective way to attack: legally.

Let’s look at some of the advantages and disadvantages of doing it legally versus illegally:

FOIA REQUEST VERSUS HACK ATTACK

| Feature | FOIA Request | Hack Attack |
|---|---|---|
| Embarrassing, sexually-charged content revelation | YES | YES |
| Embarrassing, racist-remark-filled content revelation | YES | YES |
| Stupid, ignorant remark revelation | YES | YES |
| Embarrassing, goofing-off-at-work content revelation | YES | YES |
| Revelation of personally identifiable officer information | NO | YES |
| Revelation of titillating intelligence report images | SOME | YES |
| Victimizing victims by releasing publicly crime information | NO | YES |
| Revelation of confidential informant information | NO | YES |
| Revelation of training documents | SOME | YES |
| Revelation of sensitive intel reports | NO | YES |
| Revelation of ongoing-investigation docs | NO | YES |
| Providing murderous drug cartels with intelligence | YES | YES |
| Providing murderous drug cartels with intelligence on specific officers | NO | YES |
| Committing felony | NO | YES |
| Time from initiation to release | 6 mos | 3 weeks |
| Time on your personal criminal record | 0 | Forever |

What kinds of things would you not get? Well, you wouldn’t get the home addresses, SSNs, bank account numbers of cops.

You wouldn’t get some of the more graphic or sensitive intelligence reports, whose revelation shows citizens in sickening detail amazing and unexpected information, such as that drug dealing gangs resort to horrific violence; that murderers are dangerous and regularly swear that they will kill police officers who try to apprehend them. And you wouldn’t get to email around nauseating and gruesome photographs which do much to confirm that police officers are actually – not theoretically – risking their lives when they go out on patrol and undercover to protect the people of their communities.

We’ll issue this challenge: if you are really dedicated to your quest for the truth, show your faces and use the system against itself. America provides its citizens the means for legal and effective dissent, and the means to topple the corrupt, the incompetent and the deviant.

Not using those avenues spits in the face of those who have died defending this country, and it disrespects the wisdom of its founding fathers.

The Constitution of the United States of America is a spectacular, timeless framework for civil order and human rights. Eschewing the fruits of its protections by behaving illegally when legal means would accomplish the most important of your goals is not brave.

It’s just stupid. Or certainly it is unnecessary.

Hacking Public Information

Then this morning, AnonCMD announced on its Twitter feed that a new “Wild Leak” was out there. It is a list of public information from the Wichita Police Department, which is prepared each day for the media. To disseminate. Publicly.

The blogpost by anoncmd said, “We hate police brutality, ooh, look what I stumbled upon ;)”

Let’s look at the “police brutality” it describes:

  • A1 ARR/BKD ON UCC#[redacted] FOR DV BATTERY AUTH SGT [redacted]. MUG CKD BY [redacted]  WITH A NEW MUG ISSUED. KAS. V1 RPTS BEING CHOKED BY HER FATHER, A1, WITH BOTH HANDS AROUND HER NECK FOR 15SECONDS DURING AN ARGUMENT. NO VISIBLE INJURIES. INCIDENT WITNESSED BY W1 WHO STATED THAT THERE WAS NO PHYSICAL ALTERCATION, AND W2 WHO STATED HE SAW A1 TURN V1 AROUND TO FACE HIM, BUT DID NOT SEE HIM CHOKE HER
  • V1 RPTS HER BOYFRIEND S1 GRABBING HER BY THE FACE, CAUSING SCRATCHES TO BOTH CHEEKS. *PICK-UP ISS’D FOR S1 ON UCC #09D26035 FOR DV BATTERY  AUTH LT [redacted]
  • R1 RPTS S1 & S2 RUNNING FROM SCHOOL.
  • V1 RPTS S1 SENDING HIM A FAKE MONEY ORDER FOR A KEYBOARD HE IS SELLING BUT HADN’T MAILED IT YET. NO LOSS. COPY OF MONEY ORDER SUBMITTED. ORIGINAL RETAINED BY THE POST OFFICE. CLASS PER SGT [redacted]. NO VEH INFO. – [redacted]
  • V1 RPTS THEFT OF HER BICYCLE BY S1/UNK B/M. BICYCLE RCVRD AT 1100 S MARTINSON AND RETURNED TO V1.PHOTOS SUBMITTED. ** [redacted]
  • R1 RPTS S1 AND S2 ENTERING LISTED UNLOCKED PROPERTY FOR SALE AND ATTEMPTING TO TAKE PROPERTYBUT LEAVING WITHOUT  IT WHEN CONFRONTED BY R1. O1 OF OWNERS REAL ESTATED MANAGEMENT COMPANY NOTIFIED. NO VEH INFO.. - [redacted]

Whoa! Police officers responding to community needs, calls for service. Helping domestic violence victims, including the accusation of a father allegedly choking his daughter. Looking for school kids playing hooky. Investigating fraud. Investigating attempted burglary of homes. Yes, this does show that the police are oppressive. We’d ask everyone to read through what these police officers do every day and recognize that it is not about oppressing, but rather serving and helping, their communities.

I’m not saying that anyone hacked anything, actually, in this case – but if they did? If someone hacked a system, committing a felony to get public information prepared for the media? Then that is, well, hilarious.

Talk about Lulz.

____________________________
* ‘For Official Use Only,’ which is the banner under which the marking ‘Law Enforcement Sensitive’ falls, is different from classified, because it applies only to information which is unclassified but is also exempt from release under the Freedom of Information Act. ‘Law Enforcement Sensitive’ is not truly a security classification, so the documents that were released were not, despite breathless prose and tweets, ‘classified’ data.

** By the way, the conversations we’ve had with those supporting the group have been respectful and we hope that continues – we welcome intelligent debate on all these matters.