
Hack of 251 Law Enforcement Websites Exposes Personal Data of 700k Cops - jbegley
https://theintercept.com/2020/07/15/blueleaks-anonymous-ddos-law-enforcement-hack/
======
ideals
I didn't realize Twitter and Reddit were suppressing discussion of the
blueLeaks data.

It's an interesting position to take. If you can discussion of all leaked data
dumps do you draw the line when it is about state actors?

Can you discuss Equifax hack, that is about personal information as well, but
was done by state actors?

~~~
rndgermandude
Wikileaks actually redacted a lot of (personal) data to protect people (tho
some people like to claim again and again they did not).

BlueLeaks, it appears, does not, and contains home addresses and other
personal information of cops.

Create transparency, investigate and show police misconduct? Great!

Put cops and their families at risk? Nope!

~~~
anonymousiam
The Julian Assange "poison pill" link was posted on Twitter, and later the
password to the archive was also posted. This provided FULL UNREDACTED
versions of all the leaked info.

~~~
rndgermandude
No, no password for any of the so called "insurance files" was ever released,
as far as I know and can google. All I can find are recent (2019, 2020)
articles talking about the files and how no password was ever revealed.

Relatedly, Assange described the files not as "dead man switches" to be
unleashed in case of his arrest, extradition, killing as the media liked to
portrait it, but instead said that the insurance files contained (unredacted)
data that wikileaks intended/intents to release later anyway, in redacted
form, and that the encrypted unredacted data was put online to be backups if
wikileaks lost the data e.g. due to a raid. The remains of wikileaks activists
could then recover the files from the torrents or other people who downloaded
the torrents, and could decrypt them to get the data back (but wouldn't
release the password into the wild).

Of course, that's what he/they said, and he/they might have lied. But so far
we don't know, because no password has been released.

~~~
anonymousiam
Somehow I got the password, but I never decrypted the archive. I remember
reading about how it was leaked many years ago. Perhaps somebody has gone
through and "cleaned" the archives so it's no longer visible...

------
upofadown
>For example, the Northern California Regional Intelligence Center has 29,114
accounts, and each one includes a full name; rank; police department or
agency; email address; home address, ...

So that means that anyone with access to the system can get the home addresses
of all their co-workers that also have accounts on the system? Why would all
this personal information be associated with an account of this type? This
isn't an HR database.

~~~
GaryNumanVevo
Honestly that's the most interesting part (at least until people sift through
the data more) of this story. Why the heck are they storing sensitive data on
what appears to be a CMS for e-commerce site?

~~~
driverdan
Home addresses aren't considered sensitive information. If you own your home
that information is public. Cops read people's addresses (and SSNs) out over
the radio all the time for anyone to hear.

I'm not saying I agree with this, privacy should be protected better, but
that's the US.

~~~
mschuster91
> Home addresses aren't considered sensitive information.

I wonder what will happen once the first protesters line up at cop houses or
pranksters bombard them with spam and fake pizza orders. Not that I'd condone
wasting pizza, but in many cases change only happens when the people in power
have problems.

------
canada_dry
> the sites were running VBScript, using Microsoft Access databases.

Why doesn't this surprise me?

~~~
vsareto
Someone had a talk at the DEFCON blue team village about police software and
how trivial it was to find something. I think it was like database creds in a
DLL and apostrophes in fields causing errors (likely SQLi). I can't remember
if it was something they ran in the patrol vehicles or at precincts.

~~~
Answerawake
Linecon was terrible in this last convention(my first). Missed out on so many
things I wanted to see because Linecon just got out of hand. I guess it is to
be expected. :/

CCC being a conference of just ~10k allowed event goers to experience much
more.

------
sebazzz
This isn't right. Group behavior should not affect individuals in this way.

~~~
thereisnospork
Why shouldn't it? Putting on a uniform assumes responsibility for the
positions and actions of the represented organization - here the various
police forces and unions of the United States.

Police officers aren't being judged or punished for the color of their skin,
creed, religion, or sexuality but their choices. I find it hard to stomach the
idea that people shouldn't be judged for the organizations they choose to
represent.

~~~
sebazzz
> Police officers aren't being judged or punished for the color of their skin,
> creed, religion, or sexuality but their choices.

No, many police officers are now being punished for being police officers.

You would just be doing your job properly - no racist actions anything unjust
- and now these details leak out.

Yes there are police officers which are racist, I don't have data so I won't
say few nor many, but there are. That doesn't justify this.

~~~
RangerScience
> being punished for being police officers.

Some of the logic is that bad police behavior is widespread enough that every
"good" cop works closely enough with at least one "bad" cop, and yet via
observation of outcomes, does not correct that bad cop's behavior (or doesn't
correct it enough). They're thus complicit AKA bad cops themselves, and thus
there are _no_ good police - everyone is sufficiently tainted.

The Godwin's Law version of this logic at work elsewhere is the German saying
"if there’s a Nazi at the table and 10 other people sitting there talking to
him, you got a table with 11 Nazis."

The folk wisdom encoding "a few bad apples spoil the bunch". Doesn't matter if
they were good apples going in, they're all bad apples now: the bunch is
spoiled.

(Not expressing an opinion on the correctness of this thinking, just
explaining what I know of it)

~~~
CodeAndCuffs
There are 700000 cops in America. I can name maybe 200. I've personally worked
with maybe 50. I investigated 1, and could find no evidence of crime, though
he realistically was likely committing some.

Out of 700000 cops I guarantee some are the scum of the earth who should be
locked away forever. I don't know where they are. I can't effect that

It's like getting mad at the manager or an applebee's in Chicago because the
waiter spit in your food at an olive garden in Seattle.

~~~
RangerScience
What was your process for investigation? Given that process, what crimes, if
any, would you have found in the cases of, say, George Floyd or Breona Taylor?

------
pnutjam
TFA says this could compromise user's password. I worked for a City and
handled the police dept. You could go far by just using username as
password...

Nobody wanted to hear about security.

~~~
thephyber
> Nobody wanted to hear about security.

System/network security. I guarantee physical security would get someone's
attention at a police department. The police in my family are paranoid and
have even broken lesser laws to increase their own physical security.

I suspect this mismatch is because police (like average consumers) don't know
the impact of a network security breach. It's a failure of imagination.
Hopefully BlueLeaks helps to change this.

------
meroes
Does it seem a little disjointed between the article's content (exposing
overuse and misuse of Fusion centers via a hack) and the headline/inline focus
of "700,000 Law Enforcement Officers Exposed"?

Almost like they were allowed to run the article but editor didn't like the
angle or something.

~~~
SiempreViernes
Yeah, my impression is that they haven't found anything interesting except
shitty security of a widely deployed web app.

------
LordKano
I have a philosophical problem with leaking people's personal information but
I admit that I'm curious. I want to see what's in this data.

~~~
throwawayway9
It's definitely worth the torrent, especially to see how slow many LE agencies
are with keeping up with the technical times.

~~~
LordKano
I may or may not have the torrent downloading right now. At this rate, it may
or may not be finished some time tomorrow.

------
anonymousiam
"After the BlueLeaks data was published, Twitter has permanently suspended the
DDoSecrets Twitter account, citing a policy against distributing hacked
material. Twitter has also taken the unprecedented step of blocking all links
to ddosecrets.com, falsely claiming, to users who click that the website may
be malicious."

Funny that Twitter had no problem with the Wikileaks dump from Bradley/Chelsea
Manning.

------
cairo_x
More interesting is why choose these shitty providers?

[https://blog.12security.com/darkness-at-
noon-01-waxtitan/](https://blog.12security.com/darkness-at-noon-01-waxtitan/)

------
tinus_hn
Perhaps this will teach them their username is not an appropriate password.
But probably not.

------
tomcam
Despicable. I assume the hackers were willing to expose their own addresses?

~~~
XMPPwocky
I assume the police were willing to shoot rubber bullets at themselves?

~~~
bigwavedave
Oh please, of the hundreds of thousands of police officers who've done far
more for the good of their society than you have, you're saying 100% of them
deserve to be doxxed. That would be like saying "because x% of software
engineers are pedophiles with child porn that they share around with others on
their secret servers, all 100% of them are disgusting and deserve the mercy of
the mob because they can't seem to fix the problem."

~~~
mountainboot
Software engineers don't rally to defend their coworker pedophiles. There is
no thin binary line.

------
opwieurposiu
If you are getting paid by tax dollars then your personal data is a matter of
public record. It is vital for prevention of corruption for the public to know
where the tax dollars actually go.

~~~
av_engr
Including address and phone number? Doesn't that also enable public workers to
be target of harassment?

~~~
opwieurposiu
Could this be a problem? Yes, naturally. But the good of preventing government
corruption outweighs the bad in this case. There are existing laws against
harassment that provide recourse.

~~~
mc32
So whenever there is a federal statute that criminalizes something means
states shouldn’t have redundant laws doing the same?

~~~
thephyber
I would argue we are already way too far down the road of "redundant
statutes".

According to the book "3 Felonies a Day", there are well over 300,000 crimes
in US jurisdictions, which is far beyond what any person could read, know,
understand, and internalize. At this point, if you're not a convicted felon,
it's simply because the government isn't efficient at prosecuting, not because
you haven't broken a law.

~~~
mc32
There should be periodic de duplication of laws. And also removal of laws are
are now archaic —like being able to sue a spouse for abandonment or laws that
impinge on civil liberties but aren’t enforced.

For every new law they should remove one or two that are redundant or archaic.

Theft is illegal but then they have other provisions to make sure it really is
illegal. Once is enough.

~~~
thephyber
I agree. There needs to be more maintenance effort to reduce the "technical
debt" of accumulated laws.

Sadly I think it's not done because there is no incentive. Voters don't vote
out incumbents who add too many news statutes or who don't remove
outdated/irrelevant/unconstitutional ones. I think it's a lot like refactoring
code without the ability to write unit tests or know if the change had any
secondary side effects for years or decades after.

