
Sheriff's Online Database Leaks Info On Informants

Posted by Soulskill
from the second-verse-same-as-the-first dept.
Tootech writes with this snippet from NPR: "A Colorado sheriff's online database mistakenly revealed the identities of confidential drug informants and listed phone numbers, addresses and Social Security numbers of suspects, victims and others interviewed during criminal investigations, authorities said. The breach potentially affects some 200,000 people, and Mesa County sheriff's deputies have been sifting through the database to determine who, if anyone, is in jeopardy. ... The FBI and Google Inc. are trying to determine who accessed the database, the sheriff said. Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet. 'The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control,' Hilkey said. Thousands of pages of confidential information were vulnerable from April until Nov. 24, when someone notified authorities after finding their name on the Internet. Officials said the database was accessed from within the United States, as well as outside the country, before it was removed from the server."
  • by assemblerex (1275164) on Tuesday December 14, 2010 @09:18AM (#34545144)
    Donutleaks is committed to releasing classified documents !
    • Re: (Score:2, Interesting)

      by geegel (1587009)

      What I can't fathom is how a database from a county with 120.000 people [wikipedia.org] can affect 200.000 of them.

      Am I missing something here?

      • by garcia (6573) on Tuesday December 14, 2010 @10:21AM (#34545666) Homepage

        Because people commit crimes from outside the county but are included in the database. I track the addresses of criminals with complaints in my county and while the majority reside within the boundaries, there are the outliers who hail from all over the State of Minnesota (this is a rolling 30 day picture and is purposefully limited to only the MSP metro area for clarity's sake): http://www.lazylightning.org/dakota-county-criminal-complaints-mapped-again [lazylightning.org]

        • by geegel (1587009)

          Thank you. It all makes much more sense now.

        • by Lashat (1041424)

          Well, thanks. However you are not providing an apples to apples comparison. Something is out of whack somewhere in the reporting of the story of the database itself.
          +The article says 200,000 names (not complaints) were leaked from the database.
          +Even if you add up the populations of each adjacent county including Grand County, Utah, that population only reaches 316,148
          =2/3 of the population from 7 counties are informants for Mesa County? I guess that is possible, but obviously Mesa County has some issues

    • by mwvdlee (775178) on Tuesday December 14, 2010 @09:52AM (#34545374) Homepage

      Quick, have the sheriff accused of rape in a Scandinavian country and let Interpol track him down!

  • What if (Score:5, Insightful)

    by MrMarkie (1079197) on Tuesday December 14, 2010 @09:18AM (#34545146)
    What if they didn't put that database on a server facing the internet? Could that be a good idea? Or maybe they should just return all their computers since they can't be trusted to use them securely... Let the flames begin.
    • Re:What if (Score:5, Interesting)

      by GaryOlson (737642) <slashdot@NOSPaM.garyolson.org> on Tuesday December 14, 2010 @09:36AM (#34545274) Journal
      What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers. This includes the CIO [if they have one], the city manager, the systems architect [whichever poor IT technician is erroneously saddled with this responsibility], and all law enforcement officers who access this data. Failure to pass security training and any breach of security by any individual would initiate immediate administrative leave and/or an Internal Affairs or FBI investigation.

      Certain data is a lethal weapon and should be treated appropriately.
      • If police IT were as responsible about security as police are about weapons, we'd be seeing these sorts of stories a lot more often...
      • by Toe, The (545098)

        What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment...

        I don't see why that last phrase is on there, i.e., why the statement should be restricted to law enforcement. IT staff in every internet-connected company which stores data on other people (which is most companies larger than a mom&pop gas station these days) have a responsibility to the people that data pertains to.

        Every time I hear about another database getting hacked, I blame the idiots who let it happen. It makes me really leery of doing simple things like buying *anything* from *anywhere* with a

        • by mlts (1038732) *

          I can sum it up by a phrase said to me by many PHBs that ignore basic security:

          "Security has no ROI".

          Until this attitude gets changed by laws with actual teeth, expect to continue to see more of "xxx hacked, millions of people's data exposed" stories.

          Two laws are needed: The first is obvious -- follow due diligent security practices or be shut down. A restaurant that doesn't pass health inspections gets shut down. Same with a store in a mall without a sales and use tax permit.

          It doesn't take much brainpo

        • by cdrguru (88047)

          It might be nice if we had some kind of information security, but unfortunately people aren't perfect. Therefore, your information is going to get out.

          At least one of my credit cards is used fraudulently once a year. It is unavoidable because too many people have access to the information to possibly keep it secure. Also, you get paid for sending credit card info to certain folks, so there is a tremendous incentive to do so if you have access to 50-100 credit card numbers a day.

          There is no security which

      • by vlm (69642)

        What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers. This includes the CIO [if they have one], the city manager, the systems architect [whichever poor IT technician is erroneously saddled with this responsibility], and all law enforcement officers who access this data.

        Let me guess, somebody with the proper political connections would make a lot of money by "training", but there would be no improvement in results?

      • by ultranova (717540)

        What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers.

        What would that help? If you put data to an Internet-connected machine, there's a risk of it leaking. It doesn't require security training to understand that, simple common sense is sufficient. And no amount of training will help people who refuse to use their common sense because they can use "teh computers are scary" as

      • What about paying for new hardware and software as well as more IT workers! Not cutting staff that makes some IT jobs not get done / get done a lot slower.

      • by BobMcD (601576)

        What if annual security training was mandatory for all the IT staff connected with law enforcement IT equipment -- just like weapons training is mandatory for all law enforcement officers.

        Good idea, except:

        1) Better trained IT staff would get better-paying IT jobs elsewhere.
        2) ...would demand higher wages.
        3) ...which would raise your taxes.
        4) ...and if they could do THAT, they'd rather hire more officers, buy more guns - like maybe some AR14s! HELL YEAH!

        etc

        They're using bad IT staff because they're not an 'IT shop'. They point guns at people for a living - that's their core business. The 'database people' or 'website people' are going to be low on the totem pole, under paid, under appreci

    • by geegel (1587009)

      What if they didn't put that database on a server facing the internet? Could that be a good idea? Or maybe they should just return all their computers since they can't be trusted to use them securely...

      This is the best argument against the database state. Intentions might be good, but as long as they don't have the know how to secure the data, this type of information should be purged periodically or only kept in traditional archives. The government is not out to get you, but it's incompetent enough to let others harm you.

    • by Lumpy (12016)

      2 reasons.

      1 - idiot manager syndrome. There are complete and utter morons in positions of power that make decisions like that. They go against all recommendations and do what they want because they know better! They are the BOSS!

      2 - hiring incompetent IT/Web-design because they can't understand why you need to actually pay that position a wage that attracts competent applicants. $12.95 an hour = guy who is handy and knows 'puters.... The position requires $35.00 an hour minimum to attract a competent gu

      • Re:What if (Score:4, Interesting)

        by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Tuesday December 14, 2010 @10:52AM (#34546044) Journal

        No they are the POLICE just like in Training Day. I have actually had a cop walk into my shop and ask me to hack into the state's email servers so he could see if his wife was cheating on him. He actually had the brass balls to say "I'm the police, it's okay" like those are magic words or something.

        Sadly if anyone thinks those cops actually give a shit about the lives of snitches after they have served their usefulness you got another thing coming. I bet if it wasn't for the stink the attitude would have been "oh well, too bad so sad". I can't speak for how it is up north but down here in the south the snitches have to worry about the crooked cops as much as their fellow junkies. A cop here in "meth alley" makes a grand total of 35k a year to get shot at and can easily make that in a month and NOT get shot at just by giving the dealers a heads up and looking the other way. I used to be friends with a dealer's son and she used to get a call from a cop in the dispatcher's office before the cops were even given out the assignments so she knew when they were gonna be in the neighborhood before they did.

        In the end this kind of crap is just more proof the stupid drug war is just another monumental waste of taxpayer dollars. You would think after the failed booze war we would have learned, but I think a speech I heard years ago from an ultra conservative no less (I think it may have been William F Buckley) made the stupidity of the drug war clear as a bell for even the most clueless I've spoken to: "If I put a bottle on the table with a skull and crossbones on it and say 'This is poison. It will destroy your health, family, marriage, and ultimately kill you' and you push me out of the way and down the bottle? Well then frankly you are too stupid to live. Why should I have to spend billions building a fence around the bottle and cages to put you in, just to keep you from drinking it?"

        • by AJWM (19027)

          Yep. Things would be hell for a while (but possibly a lesser hell than what the drug war has given us) and then the problem would fix itself. "Think of it as evolution in action."

  • This isn't a leak. (Score:5, Insightful)

    by El Neepo (411885) on Tuesday December 14, 2010 @09:19AM (#34545152)

    The article makes this situation comparable to the current wikileaks situation, which it isn't.

    Some IT person left the data freely accessible on the internet and eventually a crawler found it. They're guessing it was a malicious person but in all odds it is not.

    This is just another IT mistake not an act of whistleblowing or terrorism or something else the government wants to make illegal.

    • by houghi (78078)

      This is just another IT mistake not an act of whistleblowing

      This 'mistake' could have been on purpose. Also Wikileaks is not the ones who leak it. The crawler is even worse than Wikileaks. Wikileaks itself does not actively look for content. It is handed over to them.

    • by Sockatume (732728)

      The Wikileaks comparison has more to do with the Sheriff's Office's response to the leak, than the nature of the leak itself. They could've run around saying they were going to track down and dismember anybody who has a copy of the file, but instead their comments to the press focus on the nature of the problem, its possible consequences, and what they're doing about those consequences. Compare to the Wikileaks situation where much of the political hot air is about leaning on one group that's disseminating

    • by gpuk (712102)

      The joke of it is, this mistake/negligence probably has a higher risk of leading to someone getting killed than the wikileaks release does.

    • A leak is a leak. Doesn't matter how or why it happened, what matters is the information was leaked out hence a "leak". Doesn't mean it is a good thing, just means it is what it is.

      However for that matter in some of the Wikileaks discussion threads there were people advocating total transparency of government information. I pointed out this would include things like names of people in witness protection and so on and they said that was fine, that the government should figure out how to not need to keep that

  • by Sockatume (732728) on Tuesday December 14, 2010 @09:24AM (#34545186)

    "The truth is, once it's been out there and on the Internet and copied, you're never going to regain total control"

    That's a remarkably pragmatic approach, and portrays the Sheriff's office as focussed and efficient. Public perception matters a lot in these instances, and while they could've threatened to rip off the ears of anyone who shares the files, it would have had no effect on actual information sharing, at a great cost to their public image in at least some quarters.

    It's also nice to see that someone understands what "information wants to be free" means: that information tends to be free, and you have to plan for this.

    • and while they could've threatened to rip off the ears of anyone who shares the files, it would have had no effect on actual information sharing, at a great cost to their public image in at least some quarters.

      I think that threat still applies.

  • Is cop-speak for damage control.
  • by srussia (884021)
    Maybe this will help end another useless "War".
  • Charges (Score:4, Interesting)

    by crow_t_robot (528562) on Tuesday December 14, 2010 @09:27AM (#34545204)
    I hope someone at the Sheriff's office will be charged with felony negligence for this. I know that leaving a weapon where it can be accessed by a child or a felon is against the law so it should be logical that leaving a database of information open to the world that could easily destroy many lives is worth a felony too.

    "To Serve And Protect"...
    • So you want a low level IT guy to take the heat for some PHB's lack of knowing about IT?

    • by mcgrew (92797) *

      Most informants are informants because they've been caught dealing dope, and snitch for a lighter sentence. So their lives have already been destroyed by the government itself.

      • I'd love to see where you got this information. "Informant" could be the nosy 70 year-old neighbor who sees the Johnsons' kid dealing on a street corner. Or, the roommate who knows people are selling out of his house and doesn't want to go down with them when they get caught. There are lots of innocent people who give information to the police, but refuse to become "witnesses" for their own safety.

        • by mcgrew (92797) *

          The information is first hand information. In the late '70s when I was in college and my hair reached my ass, the price of pot got a little high (one guy had pretty much got a monopoly in my town) and I decided to go to a different city and buy a pound, figuring it would last a long time. It didn't; I wound up selling to five or six friends.

          One of them got busted. I was lucky; he showed up at my doorstep and I didn't even recognise him, he'd shaved and cut his hair. He confessed and apologized that he'd tur

  • 200,000 CI's? (Score:5, Interesting)

    by Organic Brain Damage (863655) on Tuesday December 14, 2010 @09:29AM (#34545210)

    Deputies have used the database since 1989 to collect and share intelligence gathered during the course of police work. It contains 200,000 names — Mesa County's population is about 150,000 — and includes investigative files from a local drug task force.

    Is it just me or does it seem odd to you that they have 200,000 confidential informants in a county with a population of 150,000? What the frack is going on in Mesa County?

    • by ledow (319597)

      Nobody said "unique names". It could be the same person listed 200,000 times, or anything in between.

      • by Dunbal (464142) *

        It could be the same person listed 200,000 times, or anything in between.

              I also predict a strong correlation between the number of bullet holes in the bodies, and the number of times their name appears in the database...

    • That number includes persons of interest in past and current drug investigations. Also, portions of Colorado are a first and second-hop hub for a significant portion of the drug traffic that crosses the border.
    • by ultranova (717540)

      Is it just me or does it seem odd to you that they have 200,000 confidential informants in a county with a population of 150,000? What the frack is going on in Mesa County?

      They used Diebold machines for accounting.

  • It would be funny if it wasn't so sad.
  • by Again (1351325) on Tuesday December 14, 2010 @09:48AM (#34545338)

    Everyone on Slashdot should download as many copies as they can and then delete them (Shift + Delete only!). That way the world will run out of copies and everyone will be safe.

  • Methinks this might hurt their ability to recruit informants in the future as well.

  • WikiLeaks-Style?! (Score:5, Insightful)

    by miro2 (222748) on Tuesday December 14, 2010 @10:21AM (#34545670)

    Their concern: That someone may have copied it and could post it, WikiLeaks-style, on the Internet.

    Let's hope they post it WikiLeaks-style. That would mean they spend months coordinating with journalists to redact names and other information that might put individuals' lives at risk. Then, they would only release a few select important parts of the material in a completely responsible manner.

    Of course, that is not what the editors and poster were trying to convey by 'WikiLeaks' style. Why insert this useless anti-free-speech FUD into the story?

    • Just remember whose side the media is on, and interpret accordingly.

    • That would mean they spend months coordinating with journalists to redact names and other information that might put individuals' lives at risk. Then, they would only release a few select important parts of the material in a completely responsible manner.

      Of course, that is not what the editors and poster were trying to convey by 'WikiLeaks' style.

      In fairness, journalists aren't the ones making the calls to redact from wikileaks. Wikileaks has started to do some redaction, and then releasing their documents. Journalists/their bosses are deciding that wikileaks isn't redacting nearly enough, and applying further redaction. Take, for example, the list of sites that are vital to the security of the US, which includes mines and undersea communications cables that are located outside the US. Does it surprise ANYONE that a list like this exists, or that th

  • Maybe database servers (like MySQL) are safer than stuff like Access (or SQLite), since it is possible and easy to copy a whole database file mistakenly put on /www, while it is very rare to put /var/mysql/data on /www

    Remember this point when defending database server against database files.
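
The comment above turns on single-file databases ending up under the web root, where any crawler can fetch them. The following is an added example, not part of the original thread or anyone's comment: a defender's audit that walks a document root and flags database files by their header bytes rather than by extension, so a renamed copy is still caught. The directory layout and file names are constructed for the demonstration.

```python
import os
import tempfile

# Header signatures of common single-file databases (SQLite, Access/Jet, Access/ACE).
SIGNATURES = {
    b"SQLite format 3\x00": "sqlite",
    b"\x00\x01\x00\x00Standard Jet DB": "access-mdb",
    b"\x00\x01\x00\x00Standard ACE DB": "access-accdb",
}
HEADER_LEN = max(len(sig) for sig in SIGNATURES)


def identify_database(path):
    """Return the database type indicated by the file's header, or None."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)
    except OSError:
        return None  # unreadable file: nothing to classify
    for sig, kind in SIGNATURES.items():
        if header.startswith(sig):
            return kind
    return None


def find_exposed_databases(docroot):
    """List (relative_path, type) for every database file under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = identify_database(full)
            if kind:
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_docroot(root):
    """Create a constructed web-root layout for the demonstration."""
    samples = {
        "index.html": b"<html><body>public page</body></html>",
        # Database saved under a misleading extension: an extension check misses it.
        "data/records.bak": b"SQLite format 3\x00" + b"\x00" * 84,
        "backup/cases.mdb": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 44,
        # Looks like a database by name, but is plain text: must not be flagged.
        "notes.db": b"plain text, not a database\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_docroot(docroot)
        for rel, kind in find_exposed_databases(docroot):
            print(f"{kind:12} {rel}")
```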

  • It's not to protect drug dealers, it's to protect *themselves* from this kind of crap.

  • What wikileaks stands for is total transparency of how governments (and other large entities) go about their business, not total transparency in the form of all information about everybody anytime. Else wikileaks wouldn't take their time redacting information for safe public consumption (gasp! they do that?) and would just release the information as fast as they can verify it.
    The difference? The focus of this /. article is about how names of informants and the like have been leaked and can therefore be a dan

  • Who watches the morons?
