'BlueLeaks' Exposes Files From Hundreds of Police Departments (krebsonsecurity.com) 147
New submitter bmimatt shares a report from Krebs On Security: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed "BlueLeaks" and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. The collection -- nearly 270 gigabytes in total -- is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.
In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes "ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources," and that "among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more." KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years -- from August 1996 through June 19, 2020 -- and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.
In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes "ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources," and that "among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more." KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years -- from August 1996 through June 19, 2020 -- and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.
That's really bad. (Score:5, Insightful)
Fusion centers are filled with information on suspects and victims. This is the wet dream of anyone seeking revenge against a snitch, an abusive ex, blackmailers, organized criminals, and other scumbags. They basically painted huge targets on an unfathomable amount of private citizens.
Re:That's really bad. (Score:5, Insightful)
They're also full of data about political activists, both on the right and left, third party candidates, and religious minorities with no criminal history.
We started setting these things up in the aftermath of 9/11, but in the 17 years we've had them they've achieved nothing.
Re: (Score:3)
Undoubtedly there will be plenty of the absurd threat notices from Fatherland Security. Read a few of those things if you want lessons in absurdity, incompetence, and bureaucratic butt-covering.
Re: (Score:3)
If you're worried about people coming after you I'd suggest exercising your second amendment rights to self defense. I doubt most people are in any particular form of danger though or the world would have descended into far worse
Re: (Score:2)
One of the rules of the internet, once it's online, it's NEVER coming off.
Re: (Score:2, Troll)
Re:That's really bad. (Score:5, Interesting)
Re: (Score:3, Insightful)
I would much rather have my criminal information as well as LEO's available out in the the wild than having my information available to LEO's and LEO's information available to no-one.
But those aren't the choices here, the choice is "your information", not "your criminal information".
Re:That's really bad. (Score:5, Insightful)
They did not do this. The US police forces who in the most idiotic fashion imaginable, thought it was appropriate to hand out all this information to the 'LOWEST' fucking tenders that would inevitably find a million reasons why the additional costs need to be charged post contract.
DO you know what the lowest tender does, they do everything in the cheapest way possible, including security, that is where the profits come from you fucking idiot junk yard dog law enforcers. The more of this shite you contract out, the greater the number of failures there will be. ZERO fucking efficiency gains with maximum losses.
Foreign governments, will have a field day with this data, finding exactly those they need to contact for all sorts of criminal activity, with minimal payment. USA you contracting morons, you could exactly what your stupidity deserved.
Re:That's really bad. (Score:5, Insightful)
DO you know what the lowest tender does, they do everything in the cheapest way possible, including security, that is where the profits come from you fucking idiot
I've known plenty of highest tenders who do that, too.
The only difference is that the bosses buy new cars immediately after signing instead of having to wait six months.
Re: (Score:2)
According to TFA it only contains information on suspects about whom various inter-agency requests were made, but of course that is still extremely bad and many of them are entirely innocent. It does seem extremely irresponsible.
Normally this kind of data would be given to journalists who can redact it and release it bit by bit for maximum impact. The Snowden leaks were a great example, we go some excellent analysis and whenever the security services refuted something they would produce another leak showing
Re: (Score:2)
All while redacting things like personal information of individuals who may get targeted as a result. That was the critical part of it, and why it's genuinely impossible to differentiate between what Assange's organisation did and what any other investigative journalism outlet does.
Problem here is that whoever leaked this, actually leaked unredacted personal details. That's just fucked up. That is something you do NOT do if you have a shred of decency.
Re: (Score:2)
Krebs and TFS failed to mention that this was NOT an indiscriminate publish. DDoSecrets worked to scrub it of information on victims and children, among other things. It's only briefly mentioned in this Wired article [wired.com] but that's more mention that this report is giving.
It's a pretty damn important note to include though.
Turds (Score:3, Insightful)
Great, you indiscriminately leaked police reports online. ...
So now anybody who wants to can get names, addresses, and phone numbers of domestic abuse victims, rape victims, witnesses to each crime
Total shitheads.
Re: (Score:3, Insightful)
Yeah I don't get this. It's just anarchy. Release all the information, let the world burn. No question that law enforcement agencies have problems with transparency but this isn't really helping.
Re:Turds (Score:5, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Which crackpot book did you get this from? If you think eliminating need-to-know security will somehow eliminate what is being recorded, you're out of your mind. Look at all the private consumer data leaks that are happening on a daily basis - is that stopping companies from collecting or consumers from handing over? This kind of stuff unequivocally makes things worse.
It's called the reality of history. The 4th amendment isn't really about making it easy for crooks, or the common person running around. It's there to stop the king from rummaging at will through peoples' lives and papers and houses, looking for things to hurt political opponents with.
You've just waived away one of the greatest protections a free society can have.
And by the way, this is much worse than whether a private corporation wants to know if you might be more interested in ads for Pampers or Depend
Re: (Score:2)
No. "need-to-know security" could, in principle, supply that kind of protection, but that requires that the "need-to-know" be uniformly supervised by persons of honor, integrity, and insight. This is not what happens.
This doesn't mean releasing it isn't worse, but the current system is in and of itself horrendously corrupt. BLM grossly understates the width of the corruption and also understates, to a lesser extent, the width of the suppression.
Re: (Score:2)
P.S.: This doesn't mean that anarchy or rule by strongman is any better. But checks and balances need to be strengthened and protected against regulatory capture. Nobody seems willing to do that.
Re: (Score:2)
Again, need-to-know security provides reasonable protection for citizens
this event seems to indicate otherwise.
when also countered with checks and balances for ensuring that it isn't abused.
it was abused, that's the point.
the more i reflect on privacy in general the more i get to think that the best solution would be to get rid of it. since it seems people/organizations just can't be trusted to keep secrets nor to abstain from abusing them, no privacy for absolutely anybody with no exceptions at least would protect population from the abuse part and would leave everyone on equal standing. now, how to enforce 100% publicity is the nut to crack unless you'r
Reality (Score:2)
Re: (Score:2)
And to your point but on another angle:
For every motherfucker out there with a computer is another motherfucker with a computer. ~ © 2020 CaptainDork
Rhetorical question: Why does the web service have the same equipment as the rest of us?
Re: (Score:2)
This is like saying the US has nukes and ISIS doesn't, releasing blueprints and simulation data would be a good thing. I'm sure that'd level the playing field but not in a good way. If you can't trust the cops with info, then you can't go to the cops and that's a win for all bad guys everywhere.
Re: (Score:2)
This is like saying the US has nukes and ISIS doesn't
well isis wouldn't have been a thing if some superpower hadn't fucked up the whole region with/for their dirty little secrets and lies, to get an edge over some competition with their own little secrets and lies.
Re:Turds (Score:5, Insightful)
Yea, I'm all for the BLM protests and leaking incriminating data that show maleficence by the police, but this is bullshit. This is burning dozens, or hundreds, of innocents to catch one witch (if you're lucky). There are some crimes that people will punish you for just being accused of it, take pedophilia, for instance. Even if there was found to be no basis to the charges, there are people who would persecute you for the accusation. (I knew someone who was accused, person was nearly 18, had parent's permission, no crime was found by police and people still hounded him for the rest of his life. The only reason it came to the police's attention was the parent's got divorced and one parent accused the other of child trafficking to win custody and child support [it worked]. Custody was for less than four months so, it was obviously to just be vindictive against their ex). This is just one example of how this could damage people. You also have witnesses, some confidential against either abusive spouses or organized crime (you can bet every gang is going to go through this database to find anyone that snitched). And this is just the tip of the iceberg!
Re: (Score:2)
Re: (Score:2)
Re: Turds (Score:5, Insightful)
I don't agree with it either, but it's not much different from some company being hacked, particularly if the exfiltrated data was PII such as SSNs or mailing addresses. Innocent people will be hurt by it. I mention this because, when some company gets hacked and it's reported here, the primary sentiment seems to be mockery for some foolish IT person failing to secure things appropriately.
I guess my point is, perhaps our reaction to large data breaches should always be concern for innocent victims. I think the important lesson here, however, is that security risks of fusion centers may outweigh potential benefits. It's not clear what those benefits might be anyway, as they seem shrouded in secrecy.
Re: (Score:2)
I am carefully sifting the data to see if any of my clients are on it.
I definitely will want to know if someone is up to no good or might be a risk to me.
Hey the data is free and available why not mine it for it's advantage.
Re: (Score:2)
Re: (Score:2)
Why do you really believe an internet post? Or is that your point?
Not shitheads, but state adversaries (Score:2)
These aren't just random sociopaths. They're military units of states hostile to the United States, such as the GRU in Russia. You can bet this breach came down to Russia, China, or North Korea.
Re: (Score:2)
Possibly. The sheer size of the link makes that plausible. But I sure wouldn't claim that as a certainty.
P.S.: This doesn't look like the work of a sociopath, assuming non-state actors, but rather someone who dislikes authority and doesn't think things through. At a guess someone under 22 years of age. There *are* sociopaths who would do this kind of thing with intent, and there are also political stances that would find it justifiable. Assigning a motive to this based on current evidence can only be
Re: (Score:2)
Maybe, just maybe, it was a really DUMB idea to keep that record in a place where it can be stolen?
Re: (Score:3)
They claim to have redacted the victim's personal information. About 1/6 of the database was redacted.
They only spent a month doing it, so I doubt they did a perfect job. I don't know if they did an acceptable job.
Re: (Score:2)
They redacted it ? Good. Apparently DDoSecrets is a 'journalistic collective' which may or may not mean something. With 270GB redacting has to be a scripted job. Unlikely to work on scanned documents and unlikely to be thorough: you have sample the results and rerun with corrected scripts, do multiple iterations like that. Without doing a perfect job it is possible to reduce the damage very significantly this way though.
Re: (Score:2)
Krebs and TFS failed to mention that this was NOT an indiscriminate publish. DDoSecrets worked to scrub it of information on victims and children, among other things. It's only briefly mentioned in this Wired article [wired.com] but that's more mention that this report is giving.
It's a pretty damn important note to include though.
Would be important, they really didn't (Score:2)
According to the article you linked, it's 25 years of documents from at least 200 departments and the person days they spent a week taking out some of the most obvious ans most problematic information. One week. They didn't get it all, of course, they left a lot of stuff they know they should have taken out, but they only spent a week, says the person who did the "scrubbing".
Krebs notes he's already seen people's banking information is included in the public dump.
> I'll probably copy-and-paste this rep
Re: (Score:2)
Krebs notes he's already seen people's banking information is included in the public dump.
Please be accurate about it.
"Best notes, however, that DDOSecrets published the financial information knowingly, arguing that it could be correlated with other information to further expose police behavior in ways that serve the public interest."
Indeed, please do.
Re: (Score:2)
Both you and I had our comments briefly modded as "flamebait". Fragile piggies.
You're both still modded as "flamebait" at the time of my posting at 20%. You say fragile, I say stupid.
Re: (Score:2)
Imposing laws about handling the data only works if those laws both can be and will be enforced. Otherwise it's just more noise in the system, and we've already got plenty of unenforced, or "randomly enforce" laws in the system. Enough that I suspect many of them are preserved just so that they'll always be able to find an excuse. And note that who "they" is varies enormously. It includes the local cop, the DA, the judge, and various political agents. Anyone who can apply pressure with the authority of
I don't think it matters (Score:5, Insightful)
Gawker used to have folks who would pour over this and do the hard work of investigative journalism, but they paid the bills with sleeze and folks hated that so they let Hulk Hogan & his billionaire backer kill them.
I predict this'll amount to Dickie McGeezaks.
Re:I don't think it matters (Score:5, Insightful)
Gawker was nothing but a slimeball celebrity gossip news site in the same vein as TMZ, only less successful.
Not True (Score:3)
Re: (Score:2)
the reason Theil (I remembered his name) went after them wasn't that he was outed gay (he's rich, he doesn't care) it was because they kept running stories about his shady business deals.
It's Peter Thiel. Gawker wrote plenty about Thiels personal failings but perhaps you'd like to substantiate your claim how Gawker "kept running stories about his shady business deals" because afaik that never happened. Link goes to archive of Gawker with the tag peter-thiel for your conveniance: https://kinja.com/tag/peter-th... [kinja.com]
Re: (Score:2)
There's still less work being done (Score:3)
Re: (Score:2)
All the real journalists are going through YEARS of social media to find that one time someone said, did, or wore something that resembled non compliance with the hive mind. Check back in a few months.
Also..
>corroboration
All the cool kids just go for what drives click and copy; a retraction and a flimsy excuse are WAY simpler.
GAWKER? (Score:2, Troll)
Really? thats what you think investigative journalism is?
I'm sorry, this leak probably doesnt have a ton of dick and tits out picks, and little celeb dirt, so gawker would not really be interested.
Yes, we have lost investigative journalism, mostly because the newsrooms are now full of 20something 'interns' trying to 'make it' with little or no life skill, and simply intending to tow whatever is the currently most popular party line.
THAT is the problem. Gawkers death is a plus, not a minus.
Re: (Score:2)
There is The Guardian which is funded by subscriptions and ads. Buzzfeed of all people do some great investigative work, although they gutted their serious journalism department so I don't know if they still can.
Re: (Score:2)
Gawker used to have folks
The fact that you think Gawker was held up as some standard of journalism speaks volumes. Like holy shit man. Not sure if you were going for troll or funny, but what you said sure as heck wasn't insightful.
Re: (Score:2)
The National Enquirer was up for a Pulitzer ar one point. It can happen.
How Regular People Will View This (Score:3, Insightful)
There will be negative outcomes from this that affect the victims of crime, and that also unjustly impact people accused of being criminal.
Ordinary people, as opposed to zealots of various idelogical bents, will recognize the damage these leaks represent.
Advocates of police secrecy will have a field day using examples from the outcome of these leaks to justify further and mor rigorous secrecy.
It's probably fun to be one of the adventurist putzes who stole the info and threw it out in public.
Steps away (Score:2)
um (Score:2, Insightful)
If you are unhappy with big city police departments, here's an idea: figure out who has been running them for the last 40 - 60 years, and vote against them.
Re: (Score:2, Insightful)
Re: um (Score:2)
You dont see politicians advocate that bc its unpopular. Most people know there are certain problems where police are right solution, but they are being used for situations that need social programs to really solve.
Re: (Score:2)
You really think in this climate right now that would be a unpopular opinion?
Re: (Score:2)
"Vote against them" implies that there are alternatives you could vote for who are against them.
How many politicians have you ever seen advocate for defunding the police, much less abolishing them? That's the kind of thing that causes a bag of cocaine to mysteriously be found by a police dog in your car.
Hmm. So the "institutional racism" of Democrat politicians in big cities in unstoppable?
Re: (Score:2)
They posted a searchable archive (Score:2)
along with the torrent, but it looks like ddossecrets is basically ddosed itself right now.
here is the searchable link [ddosecrets.com]
There should be no reason for it to be, but I'm personally curious if there is anything about myself, my family, or anyone else I know in there.
Unethical AF. (Score:2)
I know the current sentiment among teen edge lords is "ACAB" but this crosses way way beyond the line of ethical hacking and goes straight to gutter trash. Really disappointed to see anyone that's happy about this. A lot of completely unrelated data that potentially exposes abuse and crime victims. This is no better than the garbage dumped by Manning & Reality Winner.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
When you proofread your post, did you actually read it? Did you think to ask "why does google, apple, and facebook deliver better data security than an organization dedicated to protecting (security) and serving citizens"?
Just saying, Apple never leaked my icloud library online.
Re: (Score:2)
Re:Where are our vanguards of privacy? (Score:4, Insightful)
If you put something online, expect it to be published at some point in the future. That's why you don't keep your private stuff online. Or rather, that's why you shouldn't.
Re: (Score:2)
OK. So then Google, Apple, Facebook can do whatever they want with our data, because it's already out there.
What does this have to do with anything? There are multiple things wrong with the world, and even within the tech sector. Everything doesn't boil down to one issue.
Re: (Score:2)
Yes. Under the best of circumstances this is a secret shared, and therefore its secrecy is weakened. But the police are not the best of circumstances. They are explicitly allowed to promise anything they feel like and then act contrary to those promises. They are also allowed to lie about what they already know in any way they find convenient. They're probably forbidden to lie to their superior officers, but I can't see how that could reasonably be depended upon unless recorded evidence was available.
Re: (Score:2)
If the world leaders have access to data then the literal worst people on Earth already have the data.
You really think world leaders are the worst people on earth?
Re: (Score:2)
"holding the world hostage from the rest of us"
This is both dumb and ignorant, but hey, you do you.
Re: (Score:2)
I think that that's an unfair criticism of Mao. There are many fair criticisms, but he really does seem to have tried to do what he thought was best for his country. And while it was "expensive", it was largely successful. China is now a powerful country, where before it was pulled apart by foreign "investors" and manipulators.
I don't like his politics, but they seemed to work to the benefit of his country, if not to the benefit of numerous of it's inhabitants. And famines in China are now rare, where b
Re: Where are our vanguards of privacy? (Score:3)
How did you come to equate Epstein, who was arrested by law enforcement with law enforcement? Cops were told to back off from him as he was intell, above their paygrades. The problem there is criminality in high places, not what law we have or cops enforcing it.
Re: (Score:3)
If the world leaders have access to data then the literal worst people on Earth already have the data.
The only thing world leaders are the worst at is intelligence and functioning brains. Not every world leader is Hitler and there are orders of magnitude worse people out there who can have your data.
That's not to say governments having all data indiscriminately is a good thing, but jesus man get some fucking perspective.
Re: (Score:2)
There's a reasonable argument to be made that a persons position on the better/worse axis is a function of both their morality and their effective power. Thus a head of government who isn't morally as bad as someone else may be effectively much worse because of the effective amplification of their action/position/desires/etc. given by their position of power.
Perhaps you are arguing from two different ways of judging good/bad. And both positions may be reasonable.
Re: (Score:2)
... literal worst people on Earth already have the data. If you think that system was anything other than a blackmail and extortion tool for Epstein's friends you're wrong.
Whoah dude. You are in way to deep. There is a hint of validity in what you are saying but there is no truth in it. Sometimes, fighting crime is just fighting crime. Back off and become de-radicalized if you can. Your wording implies batshit levels of insanity.
Re: (Score:2)
The problem is that the system is corrupt. It encourages the abuse of power rather than limiting it. Yes, often the power is exercised correctly and justly, but quite often it isn't. And those who abuse power are often not punished, but rather rewarded. (Often this is just a psychological reward, and revealed by inadvertently revealed jokes or comments, like "did you hear him squeal" and supportive laughter and comments. So I must admit the evidence for this is a bit scant, but that's what any reasonab
Re: (Score:2)
When did you hear DDoSecrets complaining about the sanctity of an iToy? Don't make shit up, and don't paint everyone that you don't like with the same broad brush. There are lots of different people doing shit you don't like for lots of different reasons, and most of them disagree with each other about the reasons for taking this or that action. There is no unified movement of people marching in lockstep called "The Left", sorry if that makes your world far more complicated but that's just the way things
Re: (Score:2)
The data was already readily available to all sorts of crooks, it's not like that pool was increased significantly by the breach.
Re: (Score:2)
You're going to need to weave that straw man a little tighter if you want it to hold any water.
Re:Why would anyone hire that web development firm (Score:5, Interesting)
I see you never had to satisfy a government bid before where they required a web presence. Doesn't matter if you only contract with the government, you need a website. So they put one up (in 1998) and then walked away because government contracts don't care whats on the website.
I can point you to several of my buddy's passthrough S-corp's that have been contracting with the feds since the 90s with similar websites. During my last and most recent venture into a consulting startup, I didn't have a website for 18 months before I stood one up solely to make a partner (who was generating no revenue) happy.
No one cares.
Re: (Score:2)
They probably did not have the ability to actually filter what they got. Or to even carefully look at it. Stealing large masses of data has gotten so easy, even semi-fuckups can sometimes do it these days.
Not saying that makes it ok. The real problem is the absolute abysmal state of IT security at many companies that handle privacy-relevant data. Remember Equifax that simply did not patch their webserver despite exploits already circulating? The base-problem, of course, is that nothing happens to those resp
Re: (Score:2)
You can hope, I guess, but that's not the way to bet. More likely more laws against publishing data that are selectively enforced.
Re: (Score:2)
Unfortunately, I have to fully agree to that. Lawmakers are generally dumb and disconnected from reality. That is why laws rarely solve any problems. In principle, the mechanism is (somewhat) sound and could be used in beneficial ways. But doing so is tricky and requires exceptional skills. The typical lawmaker does not even have average skills.
Re: (Score:2)
Re: Marxist MORONS! (Score:2)
We have to. People do not understand the status quo cannot last. It requires constant expansion, and only moves in a single direction.
Re: (Score:2)
Re: (Score:2)
Destroying statues is basically harmless. It's not as if they are generally works of art. And I don't really see the benefit in glorifying traitors.
There are many more valid criticism you could make. On of your good ones is "So what's your ideal magical new society look like...". That a really valid one. My proposal would be to start by forbidding anyone who works for a regulatory agency to EVER collect ANY emolument from the groups that they regulated. And to REQUIRE that all police be photographed w
Re:Awesome, lets see how they kill minorities.... (Score:4, Insightful)
No. You probably won't. If the data isn't in the system, you can't find it. So all the people responsible for entering the data need to fudge it a little ... leave off of check the wrong box for race; drop a gun on a dead victim, and suddenly they were armed - and the cop feared for his life!; there are a disturbing - and growing - number of police body cam videos where the victim is shot using a side stance (power point, bullseye, blade) rather than the trained triangle stance (isoceles, Weaver, or Chapman); and, as somehow keeps happening, footage seems to get lost; not to mention some situations where no report is filed at all.
I've seen this happen in the financial world.
There's a quote from the first security course I took that stuck.
"As soon as rules are codified, people will find ways around them" - some Roman dude, a couple of thousand years ago.
Re: Awesome, lets see how they kill minorities.... (Score:4, Funny)
As is always the case with lunatics and fanatics, lack of evidence is taken as incontrovertible evidence.
"Of course there are UFOs abducting people! Why else would the government be hiding the evidence!"
Re: Awesome, lets see how they kill minorities.... (Score:4, Insightful)
If there is a defined process that has to be heeded and produces an evidence trail, and that evidence is no there, it is by definition missing. And police procedures, if followed correctly, nearly always produce such an evidence trail.
Re: Awesome, lets see how they kill minorities... (Score:2)
If there is a defined process that has to be heeded and produces an evidence trail, and that evidence is no there, it is by definition missing.
Yes, that's how we know that the evidence of UFO abductions is missing.
Re: (Score:2)
There's a defined process for documenting UFO abductions now? Did bad hair guy get his way finally?
Re: Awesome, lets see how they kill minorities... (Score:2)
There's a defined process for documenting racism now? Wow, that's a massive game changer.
Re: (Score:2)
Afaik there is a process for documenting police proceedings, this is what this was about.