Florida agents raid home of fired public health agent who refused to manipulate COVID data

The “emergency alert system” is an email mailing list. With publicly available credentials. It’s “secure” in that you need to log in.

“Needing to log in” is a form of security, yes… I don’t understand your point.

If there’s an IP trace, and especially if they can find evidence on an actual machine in her house, I consider that pretty damning. The husband though, that’s tricky. I have no idea how the state might handle that because spousal privilege. Putting that aside, I can’t imagine a defense resting its case on the possibility of an alternative perpetrator without actually presenting any evidence in favor of that theory.

~Max

You wouldn’t even have to use their computer. All you need is someone’s wifi credentials (or an unsecured router) and you can sit in your car three houses down and access the internet with their IP address.

Don’t get me wrong, I’m not saying there aren’t other breadcrumbs leading back to the actual device or that the person leasing the IP address isn’t ultimately responsible for all data going through it, just that an IP address on its own doesn’t prove a whole lot.

Having said that, I’m guessing she’s using a VPN now.

Depending on the interface for the secure system she allegedly accessed, there might be more uniquely-identifying information. Also I’m not sure how long a home router running a DHCP server will store the MAC addresses, it might be possible to rule that out by examining the router.

~Max

Yeah, a lot of that I don’t know enough about. My random home router doesn’t appear to save MAC addresses, but it doesn’t mean someone with better knowledge of the factory firmware couldn’t dig something out of it that isn’t accessible via the GUI.

Similarly, even something like Google Analytics (which is free to install on your website) will narrow down to a device. Maybe not the exact device, but it has no problem differentiating between, say, an iPhone and an Android and can give other details such as screen size, resolution etc. Often it’ll even tell you (based on cookies maybe? or possibly grabbing data from facebook?) some personal details as well.
Again, not definitive proof of anything, but could be useful information to either side.

I’m assuming she didn’t expect such a nationally televised response (or even LE involvement) but a VPN would’ve hidden her tracks. At the very least, it would have made sure her actual IP address wasn’t logged on their system. And having the VPN route her connection through another server in Florida would have removed a lot of suspicion (as opposed to them seeing an IP address from some other part of the world and assuming it was a VPN).
OTOH, even just taking her laptop to the parking lot of a random business with free wifi would have slowed them down, if it wasn’t a total dead end for them.

ETA: I seem to recall that some devices give you a way to spoof MAC addresses. I don’t remember why, I just know I’ve seen the option from time to time. I understand she clearly didn’t have the mindset of covering her tracks though.

IIRC, she claims it wasn’t her who wrote that email.

It’s entirely possible that someone who wanted to intimidate her wrote it, and used it as “evidence” to have armed cops break into her house, point guns in the general direction of the people living there, and confiscate her equipment. I am not an expert on these things, but I think if they sent it from another account on the same ISP, while sitting in a car near her house, they might well have used an IP address that’s also sometimes used by her.

Yes, it’s also possible that she did, indeed, write an improper email. But that’s not the only possibility of what prompted this. Especially since she claims she didn’t.

And either way, I think it’s reasonable to conclude that the response was disproportionate to the crime she is accused of having committed. And the response was intended to intimidate her, not to protect the system she is accused of hacking.

My point is that the crime she is accused of having committed is both a felony and an incredibly trivial thing to do. It’s completely bonkers that they were able to arrest her based on that accusation.

Let me recast it in terms of using this message board – which is also protected by a form of security. (you need to log in.)

I used to hang out on a similar message board where there were a handful of shared IDs. We had one associated with a thread game. The ID and its password were posted at the top of the game thread, where anyone (without any credentials) could read them.

So, imagine a user of that chat site got banned for posting so much about the threat China is to our economic system that she got on a lot of people’s nerves. Then she started posting her own blog about how China is a threat. And a few months after she was banned, she logged into that shared ID and posted a new thread about how China is a threat.

Do you think it would be appropriate for the message board to call the cops and have them raid her home, with drawn guns, and confiscate all her computer stuff?

Or would you send her a sternly worded note to stay off the website, and change the password of the shared ID, and only give the new password out to the people playing the thread game?

This is pretty much exactly analogous to what she is accused of having done.

Because I would do the latter. I think only a malicious individual with little regard for human life would do the former. What if her husband was black and made an unexpected movement and got shot? I mean, how is she going to pay her bills this month now that they’ve taken all her computers? That the law even allows the former is a serious failure of the law. But there was also REALLY BAD JUDGEMENT on the part of the person who called the cops. Like, that person is evil.

Also, I think that evil person was evil on purpose. Again, I don’t think their goal is to protect the mailing list. I think their goal is to intimidate her and anyone who might still be talking to her or helping her in any way. They delight in the press. They would have been delighted if her husband were killed, too, I bet. Better yet, if the cops had killed her.

It would be surprising if the IP trace were considered incontrovertible. Most carriers use some sort of NAT, with numerous customers sharing the same public-facing IP address. If you use an online test to check where the internet thinks you’re located, it might show you a location 100 or more miles away. There are other tools folks can use to obscure their IP such as anonymous proxies and TOR.

That’s not to say there can’t be lower-level logs and tracing. Just to say that NAT and proxies can really muddy the water.

Shouldn’t that be ‘if the state proves’?

– My IP address varies a bit; if the modem’s off or down, I often get assigned a different one when it comes back online. Presumably, while I’m assigned one version, the ISP has assigned the other variations to other people. I don’t know whether they keep records of who had which address when.

I wonder whether she had a backup stored offsite. If it was in the cloud, the police might be able to get that too; but if it was on a backup hard drive just kept at somebody else’s house, that would seem harder for them to confiscate – her computers might tell them that it existed, but they’d need to know where it was and get a warrant for that location.

So you are alleging that the system in Florida has their credentials publicly posted on a web site anyone can look at? If not, that isn’t anywhere close to your example.

There was a shared set of credentials but only shared with employees; it wasn’t public knowledge. It wasn’t posted on a web site that everyone can look at. It was poor security but it was an actual attempt at some kind of security.

I’m not arguing that the response here isn’t overdone. I’m not arguing that the law in Florida isn’t garbage. But cyber security is something that you shouldn’t just shrug off with a warning. In this particular circumstance, maybe the agency could have just tightened its security because there was no real harm done. But considering how sensitive a system like this has the potential to be, I can understand wanting to prosecute.

Hmm, I see another report that credentials were put on the web site if you know where to look.

That does weaken their case. If there really was just a message sent then it’s going to be hard to establish how much of a breach she is responsible for.

I even wonder if the case would go to trial. Florida is looking really bad here.

Yes. I haven’t verified that, but that has definitely been claimed in articles.

I think my example is a good analogy, both in the severity of the “security breach” and in the amount of harm done.

I think given that info your analogy is apt, yes.

I am confused. My understanding is that a MAC address is specific and unique to each device. It never changes. However, the IP address may change if it is dynamically assigned.

Are you saying that a home DHCP server stores the MAC address to IP address used each time the IP address for a networked home device is reassigned?

Also, do all home routers act as DHCP servers? (It’s been a long time since I worked in the IT world, and even then I R a technical writer, not a network engineer, so my understanding is not only out of date, it is not in-depth.)

Supposedly, each device has a permanent unique hard-coded MAC address that never changes. Other routers, DNS servers, or devices on the local network, etc., could save that information about other devices they have communicated with.

But what happens if the network card in some device blows out? You install a new network card, but you would like your device to keep the same MAC address it has always had. That’s why network cards commonly have an option to configure a different MAC address for your device.

MAC addresses can be spoofed.

This is the point.

If you start with the premise “she did” and add in a minimal understanding of computer security / how networks work, she obviously wasn’t even trying to cover her tracks.

My understanding is that a “block” shares an IP address (the last place I was specifically told this, it was an apartment building of about 50 apartments).

If it were me, I would have bought a burner device and logged in from the local Starbucks; failing that, a burner from home wifi.

If (and at the moment it’s a mighty big if) evidence is found that she logged in from her computer on her home network, she has been remarkably foolish in how she has gone about this.

Nothing in this whole affair suggests any kind of sophistication on her part. Not what led to her firing, nor how she behaved as an activist afterward. This isn’t meant as a dig at her or anything, and I expect she’s probably going to walk after this. I’m thinking that all that Florida has done is put a spotlight on her and her claims.

As foolish as she may have been, how foolish have the Florida authorities been? If this was an attempt to intimidate her into shutting up it backfired in the biggest way. Now everyone knows who she is and what she claims, and their treatment of her makes it hard to trust their side of the story.