Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud Government Privacy The Courts Your Rights Online

Clarificiation on the IP Address Security in Dropbox Case 152

Bennett Haselton writes A judge rules that a county has to turn over the IP addresses that were used to access a county mayor's Dropbox account, stating that there is no valid security-related reason why the IP addresses should be exempt from a public records request. I think the judge's conclusion about IP addresses was right, but the reasoning was flawed; here is a technically more correct argument that would have led to the same answer. Keep Reading to see what Bennett has to say about the case.

At issue was the list of IP addresses that had accessed the Dropbox account of Orange County Mayor Teresa Jacobs. A public interest group called Organize Now wanted to know whether the documents in her Dropbox account had been shared with outside parties, such as lobbyists, and filed a public records request to obtain the access logs. The county provided the logs with the IP addresses redacted, claiming that they were withheld for security reasons; Orange County asked a court to declare that there was no legitimate security-related reason for the IP addresses to be blacked out. On Monday, Judge Robert Egan ruled that the county had to release the unredacted version of the logs.

In the judge's ruling, he trivially rejected some arguments that the county had made, determining for example that IP addresses by themselves were not "data processing software" (duh). The trickier question was whether the IP address logs could be considered "information relating to security systems", and whether publishing the IP addresses in the logs could enable a security breach.

Judge Egan correctly wrote that all the IP addresses did was "identify specific computers used to access Dropbox" (actually, of course, computer IP addresses can change, and if the computer is behind a proxy server then it will be the proxy server's IP address that shows up in the log; but that's close enough, let's give it to him). He rejected the county's analogy to another case, in which a judge ruled that the city of Clearwater did not have to turn over the names and addresses of residents who had installed a particular alarm system; Judge Egan said that confidentiality in that case was more obviously justified, because there's no public interest in giving thieves a list of houses to avoid hitting.

However, in declaring that there was no good reason for the IP addresses to be redacted, Judge Egan wrote:

While the County has expressed a legitimate concern that disclosure of IP addresses would constitute an additional security threat because they would identify specific computers used to access Dropbox, which would then become potential targets for hacking, it also acknowledged that it already identifies 20,000-30,000 intrusion attempts daily and it has measures in place to deal with those attempts.

When Judge Egan says "it already identifies 20,000-30,000 intrusion attempts daily", it's not clear whether "it" refers to Dropbox, or the county's own computer system (presumably the latter, since 30,000 seems a bit low for Dropbox). But either way, the argument fails because the "measures in place" only refer to protection for the Dropbox servers and/or the county's own servers. If the mayor ever connects to Dropbox from her home computer, and the logs can be used to identify her home IP address, then the "measures in place" won't do anything to stop an attacker from trying to attack her home computer. And if an attacker can take control of her home computer, and her home computer is set up to log into Dropbox automatically, then the attacker can use her home computer to access the Dropbox files, and those accesses will look indistinguishable from legitimate accesses from the mayor herself.

In this scenario, the biggest obstacle to an attacker is that knowing the mayor's home IP address would normally not be enough information to take over her computer. Even if the attacker had knowledge of a security vulnerability in the operating system being used on the mayor's home machine, it's usually impossible for an outsider to connect directly to a user's machine, because the machines are behind wireless routers which are shared with other computers in the same house. (An attacker could first find a way to hack the security of the router, and re-program it to forward incoming Internet traffic to the mayor's computer, and then find a way to compromise the home computer -- but that's two security systems that have to be hacked independently, and every extra hurdle reduces the chances that you'll be able to clear all of them to pull off an attack.)

A much easier attack would be to try to get the mayor to view a web page from one of her computers -- either her home computer or her office computer, as long as it's one of the computers that she uses to access the Dropbox account -- and then try to infect that computer using code on the web page itself which exploits a security vulnerability in the web browser. (Web browser security vulnerabilities are quite common, compared to the far more rare security holes which allow you to take over a computer by sending traffic to its IP address.) To do that, all you need would be to reach the mayor directly, or talk to someone who would pass information on to her: "I'm a concerned constituent, and here's a web page that I've set up describing my plight and how the county government could help." Wait, scratch that: "I'm a concerned consituent, and here's a web page describing the dirt that I've dug up on your opponent."

And if the mayor does visit your web page, even if you don't succeed in infecting her computer or taking it over, at least now you've got her IP address.

So a better line of reasoning would have gone something like this:

"It's not inconceivable that someone could use the IP addresses in the logs to facilitate an attack, and anyway, the county's 'security measures' wouldn't do anything to prevent an attack against, say, the mayor's home computer. However, it would be much easier for an attacker to attempt an attack by other means (e.g. a browser vulnerability), and in any case it would not be hard for an attacker to find the mayor's IP address indirectly, without even resorting to any security breaches. So the disclosure of IP addresses has only a negligible effect on the odds of a break-in."

Run that through your standard judicial IWentToHarvard-izer, replacing a couple of random words with their longest equivalent in the thesaurus, and you've got a pretty solid legal opinion.

Then again, maybe some other Florida public servants are in more urgent need of training in how IP addresses work. After the judge's ruling, Rafael Mena, the mayor's Chief of Information Systems & Services, said in a statement:

"We don't agree with the decision. We are responsible for protecting crucial public health and safety infrastructure, including our 911 systems, our jail facilities, and providing clean drinking water to more than a half million residents. Internet Protocol (IP) addresses control everything from the cameras at the courthouse to the locks on the jail cells. We're also concerned about the security of the health records and financial information of thousands of citizens. Releasing IP addresses leaves organizations vulnerable to the type of security breaches that the public sees every day on the news."

Drinking water. OK, forget press releases for a second: If you were the head of security, and you asked your assistant head of security to evaluate the impact of releasing the IP addresses that had accessed the mayor's Dropbox account, and your assistant gave you a reply like the one above, what would you think? Would you put up with that nonsense from someone who worked for you?

Well, government security officials do work for us. The people of Orange County should tell Mr. Mena: If you want to try and bamboozle people with irrelevant factoids and scare them with veiled references to terrorist threats, go get a lucrative job in the private sector! As soon as you finish stocking up on botted water.

This discussion has been archived. No new comments can be posted.

Clarificiation on the IP Address Security in Dropbox Case

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Wednesday November 26, 2014 @02:00PM (#48468845)

    Uh... no.

    • Don't you wanna read about "clarificiations"?

      • by sexconker ( 1179573 ) on Wednesday November 26, 2014 @04:00PM (#48469803)

        Use this greasemonkey script to hide Bennett's shit from the main (and "older") pages. http://pastebin.com/RWCxT0jJ [pastebin.com]
        (I disable it once in a while to check for his shit so I can tell people about the script.)

        • Use this greasemonkey script to hide Bennett's shit from the main (and "older") pages. http://pastebin.com/RWCxT0jJ [pastebin.com]
          (I disable it once in a while to check for his shit so I can tell people about the script.)

          If we ever meet IRL I owe you at least one beer for this!!

          • Pardon me for hijacking this higher position, but a serious pet peeve has been triggered.

            Hey, Bennett, or samzenpus, or whoever did it:

            You do NOT put your own hypotheticals in quotes. Got it? Quotes are used for QUOTING OTHER PEOPLE. That's their purpose. Learn it. Use it. And it's usually best if readers can tell who is being quoted, even if only via context.

            Thank you very much.
            • by dave420 ( 699308 )

              Oh dear oh dear. Yes, quotation marks can be used to show quoted content, but they can also be used to highlight euphemisms, slang, sarcasm etc. They can also be used to highlight the using of a reference (to a work).

              Your pet peeve is not founded in reality, much like the majority of the drivel you see fit to repeatedly spew forth in the midst of otherwise decent discussions.

              Get a grip - you really need some help.

        • Use this greasemonkey script to hide Bennett's shit from the main (and "older") pages. http://pastebin.com/RWCxT0jJ [pastebin.com] (I disable it once in a while to check for his shit so I can tell people about the script.)

          Give Haselton a break. He has done us all not just one but many public services.

          Having said that... let's be honest: sometimes Haselton expounds on things that are very clearly not in his area of expertise, and certain Slashdot editors (for that is exactly what they are) probably give him too much "air time" on Slashdot. Especially, it seems, when he is expounding on something that is not in his area of expertise.

          But while this one is rather long-winded, it IS an issue everyone here should pay attenti

      • by grcumb ( 781340 )

        Don't you wanna read about "clarificiations"?

        Indeed. Now, most of you are out in the world seeking clarity. But, as long-time contributor Bennett Haselton writes, much more important than that is 'clarifice', the ability to explain truthiness without resorting to expertise or insight. Keep reading to see Bennett's clarification of how over two hundred years or jurisprudence can be usefully transposed onto decades-old technology....

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      If I had mod points, I'd mod up all 11 first posts telling Bennett to go fuck himself. I think this must be some kind of record.

      Slashdot readers, I want to thank you for your kind and enduring service to your community. You are all great citizens. Thank you very much. May your karma scores remain Excellent, may your trolls be well-received, and may your neckbeards grow long and silky. Thank you.

      CAPTCHA: decency (something BH lacks)

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Tagging these stories as "nothanks"

    • Good call. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday November 26, 2014 @02:29PM (#48469139)

      Bennett Haselton spends 1341 words on what should be a 3 sentence summary.

      If you want to know whether X accessed the mayor's dropbox (why is the mayor using dropbox in the first place) then you need to
      a. get the IP addresses & times that they were used to access it
      b. match the IP addresses to ISP user accounts at those times

      Now, if the judge does not support you, personally, having access to the IP addresses then the judge can appoint a disinterested 3rd party do handle it. You are only interested in the ISP user accounts and whether those belong to lobbyists.

      There! Done! And no need for Bennett Haselton's weird tangent on cracking via web browsers.

    • I'm confused. Is this the frequent contributor or another person of the same name? I need to know so I know who to trust and where to form my opinion on this issue

    • Too bad, you missed this.

      Run that through your standard judicial IWentToHarvard-izer, replacing a couple of random words with their longest equivalent in the thesaurus, and you've got a pretty solid legal opinion.

      Fuck a bag of shit in the morning. That's not how the legal system works. It was priceless. Ignorance in little parts pisses me right the feck off. But grand-scale ignorance, the kind that could gag a gigantosaurus, is fricken hilarious.

      I could stab a guy with a dictionary, watch him bleed out

    • by dnebin ( 594347 )
      Sign the petition to get rid of bennett haselton: http://petitions.moveon.org/si... [moveon.org]
  • by Anonymous Coward

    That's the best kind of correct!

    • I think the issue here is not with security but with privacy. for many people the ip address is PII (personally identifiable information). My hope ip is static and only used by me. so any records showing my ip address are equivalent to showing my home address. If we're going to protect people's PII we should be protecting IP addresses too.

      • I thought we argued on all the downloading stories that an IP is not an identifier?

        • by dgatwood ( 11270 )

          For home users, it is not a useful identifier because it usually changes regularly. For government users and business users, it is a fairly robust identifier, because most of those folks have static IPs (or at least fixed IPs assigned by a DHCP server).

          Of course, there's not a 1:1 mapping between user and IP. So it would be more accurate to describe it as familially identifying information.

          • by lucm ( 889690 )

            Of course, there's not a 1:1 mapping between user and IP. So it would be more accurate to describe it as familially identifying information.

            Your mom's IP is so big, she needs two routing tables.

          • by muridae ( 966931 )

            And, if the mayor had been holding private meetings with a sign-in ledger, and a public action group wanted a copy of that to see if the mayor was meeting with known lobbyists, a judge would have turned over the "personally identifiable information" of a list of names. The mayor thought they could outsmart the system by having the meeting online, and claiming "security" or something to cover what is supposed to be public information to begin with.

            TL;DR: if you meet with a government official, your name (may

        • IP is not an ACCURATE ENOUGH identifier to send you to jail.
          Sorta the way your car's lenience plates alone would not be good enough for such a purpose.
          It must be proven beyond doubt that YOU were the one driving the car that ran over Justin Bieber.

          But it is accurate enough for someone to come to the physical address associated with IP at that time and toss a Molotov cocktail through the window to send you a message that they don't like your comments on the "Beliebers" forum.

          Hence, privacy issues.

          • by dysmal ( 3361085 )
            Unfortunately (in the US) your IP address is more than enough to prove your guilt if the accusing parties happen to be the RIAA/MPAA
        • I thought we argued on all the downloading stories that an IP is not an identifier?

          It is not sufficient for prosecution.

          First off, an IP address can be re-assigned. So you'd need an IP address and date/time to be able to link it to a specific ISP account.

          Each account can have multiple machines behind it that may or may not belong to that account (depending upon the security of their wireless network for example or whether any have been cracked already).

          So an IP address is not sufficient for prosecution BUT

      • If they are logged and stored, they are impossible to protect without destroying the records. The best defense of privacy comes from spoofing. Unfortunate, but that's the way they want to play it.

        • what are you talking about? just redact the records. Records are often redacted to protect sensitive information for FOIA requests.

          • Please, forget that I even exist.... Excuse me for bumping into you. I'm playing a different game that doesn't seem to apply here.. Maybe tomorrow, when I'm sober...

      • I think the issue here is not with security but with privacy. for many people the ip address is PII (personally identifiable information). My hope ip is static and only used by me. so any records showing my ip address are equivalent to showing my home address. If we're going to protect people's PII we should be protecting IP addresses too.

        But that was the idea. The intent was to find out who accessed a dropbox account. That information wasn't available directly, but apparently the IP addresses were available. If someone has a legitimate reason to want to find the person, then there is no reason not to hand over IP addresses.

        • that's fine perhaps, my point is that ip addresses need to be treated with the same sensitivity as names and mailing addresses. To balance privacy against disclosure, there are rules for when names and addresses are withheld and when they are released. These rules should also apply to IP addresses.

  • Fuck This Shit (Score:5, Insightful)

    by weilawei ( 897823 ) on Wednesday November 26, 2014 @02:01PM (#48468867)

    Please stop using the front page as your personal blog. May you <insert-untimely-thing-here> in a <insert-energetic-thing-here>.

  • fuck off bennett (Score:2, Insightful)

    by Anonymous Coward

    i started reading, looked interesting, spotted the name - goddam trolled again. fuck you bennett, why the fuck are you blogging here you wet blanket soppy mug squidgy brained muthafucker

  • by flopsquad ( 3518045 ) on Wednesday November 26, 2014 @02:09PM (#48468951)
    ...oh it's Bennett. Anyone else want to post here first? Anyone? Maybe you're all still reading the 28 paragraph TFS?
  • by Anonymous Coward

    We need a logo for posts that are just about swearing at Bennett. Dunce cap?

    • We need a logo for posts that are just about swearing at Bennett. Dunce cap?

      AC, that's a capital idea! I like dunce cap, but allow me to propose some alternative icons for Bennett articles:
      - A hot air balloon
      - A whoopie cushion
      - The smiling poop emoticon
      - Rageface
      - That truck window sticker of Calvin peeing, but he's peeing on TFS

      That's just a few off the top of my head. Feel free to add suggestions!

  • by Obfuscant ( 592200 ) on Wednesday November 26, 2014 @02:15PM (#48469003)

    Judge Egan correctly wrote that all the IP addresses did was "identify specific computers used to access Dropbox" (actually, of course, computer IP addresses can change, and if the computer is behind a proxy server then it will be the proxy server's IP address that shows up in the log; but that's close enough, let's give it to him).

    No, moron, let's not "give it to him", unless "it" refers to "a firm tongue lashing for getting it wrong wrong wrong." He's just created exactly the precedent that you don't want created: "the IP address identifies specific computers". It's not "close enough" when **AA claims it in court, it's not "close enough" when a judge says it regarding a FOIA case.

  • Relevance? (Score:5, Insightful)

    by pz ( 113803 ) on Wednesday November 26, 2014 @02:23PM (#48469073) Journal

    Someone, who has no apparent power, wants to correct a judge. Just because they think they're right and the judge had inaccurate reasoning, despite coming to the same conclusion. (There's a good XKCD comic on the subject of correcting people in the Internet.) The critic's opinion will carry no legal weight. The same critic has a history of proposing long-winded, half-baked ideas to correct issues he sees with various societal inefficiencies that have gone no-where. I'm not going to waste my time.

    Would someone be so kind as to please remind me how we can block posts from a given author?

  • I don't get it... (Score:5, Insightful)

    by Ecuador ( 740021 ) on Wednesday November 26, 2014 @02:23PM (#48469075) Homepage
    Every slashdot reader and their mother, to say nothing of the dog, hate reading these inane Haselton blog posts, why do they keep being posted? I mean most of the posts on these "stories" are about how stupid the "story" is, showing it is probably the only Slashdot feature that is more annoying than the beta, and yet they keep on coming... Is there some sort of strong affiliation? Is slashdot simply paid by this Bennett guy? If it is, I would probably be more understanding - I know how the world works - just tell us it is so and we will move on...
    • 1) I think Dice gets ad revenue based on page views, and... maybe posts per article factors in?

      2) They know when they put up some dubious Bennett novella, we'll all swoop in and post "What the fuck?!"

      3) ???

      4) Profit?
      • by Anonymous Coward

        In following proper /. tradition, I skip right over these "articles" and go straight to the comments. And I must say that the Bennett bashing is usually pretty funny.

        As much as I would like to see him gone, part of me would miss reading the responses to his "articles."

    • by dnebin ( 594347 )
      Sign the petition: http://petitions.moveon.org/si... [moveon.org]
  • Filter error: You can type more than that for your comment.

  • by Anonymous Coward

    Sorry to interrupt the usual "hate on Bennett" fest, but I read the article and have a question.

    In the judge's ruling, he trivially rejected some arguments that the county had made, determining for example that IP addresses by themselves were not "data processing software" (duh).

    And if the mayor does visit your web page, even if you don't succeed in infecting her computer or taking it over, at least now you've got her IP address.

    Alright, so with that in mind, lets say your at home, laying in bed, kinda half asleep. It's dark, but you glance over and see something shimmering near the trash can you keep across the room. You kinda wake up enough to look closely at it and notice movement. Paniced you flip on your bedside lamp and are horrified to see spiders, lots of spiders, just pouring out of the trashcan. I'm not talking like one of thos

  • by Teun ( 17872 ) on Wednesday November 26, 2014 @02:33PM (#48469189)
    The interesting part of this story is this:

    Rafael Mena, the mayor's Chief of Information Systems & Services, said in a statement:

    Because what this Chief dipshit saw was totally wrong. And even our favourite blogger noticed it.

  • ...and no one cares. I think we should however appeal to some sort of internet tribunal as to whether wasting so much space on this, on such a high traffic website like Slashdot, warrants a sentence of an electronic gag device.
    • by Anonymous Coward

      You can do your part by tagging Bennet submissions as "nothanks" and downmodding any posts of his you might encounter.

      Thank you for your service, loyal Slashdot newbie.

  • A plan for Bennett (Score:4, Interesting)

    by Okian Warrior ( 537106 ) on Wednesday November 26, 2014 @02:51PM (#48469329) Homepage Journal

    If Bennett is so completely unwanted on this blog, why don't we do something about it?

    In the manner of the fine people at 4chan, suppose we referred to Bennett in the past tense - as if he had passed away. Make all of our responses polite and sincere, but with the assumption that he is no longer with us.

    Here's the kicker: the internet works by consensus. If there's an abundance of commentary referring to him in the past tense, it'll get picked up and echoed everywhere, possibly by Wikipedia. I don't know what the full ramifications would be, but hopefully it will play hob with his attempts to get traction on the net. Anyone who googles for him by name or things he has said will get the impression that he's unavailable for comment, interviews, and possibly employment.

    Of course, we need to give Bennett fair warning, so I propose the following:

    Starting with the next Bennett Haselton article on Slashdot that's more than 2 short paragraphs, we start referring to Bennett in the past tense - as if he had passed away. We're going to start a new internet meme.

    Pleading, complaining, and asking has had no effect and we've certainly done due diligence.

    It's time to take action.

    • If Bennett is so completely unwanted on this blog, why don't we do something about it?

      Load this user script into greasemonkey - http://pastebin.com/RWCxT0jJ [pastebin.com] .
      Never see Bennett's shit on the main page (or "older") pages again.

      (I disable it once in a while to look for his shit so I can tell people about this simple script.)

    • Not that I disagree with jettisoning him, but this is a stupid fucking idea.
    • by dave420 ( 699308 )
      Maybe also berate anyone posting under the name "bennetthaselton" or derivatives for besmirching the fine reputation of the deceased... That should effectively quell any dissent from a certain interested party without breaking character.
    • by dnebin ( 594347 )
      Check out the petition: http://petitions.moveon.org/si... [moveon.org]
  • But I... can... no longer... resist... the tide.

    Very well. This article sucks. Most of Bennett's articles mostly suck.

    Where do I pick up my bucket of tar and feathers?

  • Bennett Haselton needs to go away.

    I love reading the comments on Bennett's posts, though. Makes me miss the old Microsoft-hate and vi-vs-emacs comments. Now everything is all level-headed +1 Informative. Bah.

  • Did Bennett suddenly earn his JD and take his oath? If not, then he can kindly shut the fuck up.

  • by ZipK ( 1051658 ) on Wednesday November 26, 2014 @06:45PM (#48470865)
    Now that Slashdot's blog feature is up and running, I can't wait for for something that lets Bennett pin interesting pictures to the front page!
  • by NormalVisual ( 565491 ) on Wednesday November 26, 2014 @08:25PM (#48471399)
    I have little respect for Bennett's excessive, often not carefully considered, and mostly useless prose, so I don't come to Bennett threads to actually read what spews forth from his keyboard. I read them because I find the new and different ways he gets panned by the Slashdot readership to be entertaining. He's like the Slashdot Punching Bag - you punch him, and he invariably swings back again a little later for more.

You are always doing something marginal when the boss drops by your desk.

Working...