Fullerton Admits to Criminal Incompetence

The City of Fullerton today admitted that they broke multiple laws in how they utilized Dropbox to illegally store what they claim are private and confidential files.

A few weeks back my attorney submitted a records request which the city just partially responded to today with any substance. There’s a lot of legal nonsense and lawfare going on here but one thing stood out related to Dropbox.

CPRA Fullerton Dropbox Response
No contract you say?

This is interesting because the Federal Department of Health and Human Services has very strict rules governing how you can and cannot store & transmit health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The two important issues here are known as the HIPAA Privacy Rule and the HIPAA Security Rule.

Basically you have to be smart in how you store personal medical files. To facilitate this Dropbox uses what is known as a Business associate agreement (BAA) which constitutes a contract. NOT ONLY do you have to sign this contract (electronically is fine) but it also, according to Dropbox’s terms, “must be in place before the transfer of [Personal Health Information] PHI from the covered entity to the business associate”.

The user, in this case the City of Fullerton, would also need to make sure THEY THEMSELVES comply with Federal Laws related to PHI.

Had the City of Fullerton’s attorneys done their job they would have seen this in the “getting started with HIPPA guide” from Dropbox:

“If your team handles Protected Health Information (PHI), you can configure your account so folders, links, and Paper docs can’t be shared with people outside of your team. When team members create shared folders, they can further customize the folders’ settings and choose the appropriate level of access — edit or view-only”

But wait – aren’t we being sued in part because we allegedly went to the City of Fullerton’s Dropbox account and “illegally” accessed files and information including personal heaslth records?

The City Council sure seemed to think that was the case. Back on 14 November 2019, City Council Member Ahmad Zahra asked me the following on Facebook (emphasis added):

“However, I’d like to ask you a question: Regardless of how or why it was obtained, do you hold in your possession any private and confidential city employee information that includes social security numbers, health records or other personal information?”

How would that be possible unless the City of Fullerton, who only alleges we accessed their Dropbox account, put such files into said Dropbox folder?

Because that’s exactly what they did – according to their own court filings they put these records into an unsecured Dropbox folder they opened up to the world.

Health Records on Dropbox

And furthermore, according to the City’s most recent court filing which was filed today:

Unaware of Access
They just ignored basic security because… reasons

“The City was unaware Appellants were accessing materials not intended for them to which the City had not specifically directed them or given them permission to access.”

That ALONE ignores basic access controls in clear violation of the HIPPA Security Rule:

“The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.”

They city admits to putting PHI online and not verifying who was accessing, or even who had access, to such information. But at least they took the security of the files themselves seriously in compliance with State & Federal laws, correct?

Not even close.

Reused Passwords
Reused Passwords.

Unfortunately, City staff reused passwords, so that passwords to other files and folders within the City’s Dropbox account, to which Appellants were not given direction or permission to access, could be guessed by Appellants.”

“Reused passwords”. Let that sink in for a minute. Yeah, total violation of Federal HIPPA laws.

But wait, there's more!
But wait, there’s more!

Because Dropbox requires a Business Associate Agreement BEFORE you can place Personal Health Information on their servers, and the City claims they have no such agreement (ie contract) AND that they didn’t follow Dropbox’s access requirements, then they are in violation of the Computer Fraud & Abuse Act of 1986 (CFAA) & the state variant (CDAFA) for being, and I quote with a great bit or irony, in “excess of authorization”.

Jones & Mayer opened the City of Fullerton up to an unknown number of lawsuits with their wanton disregard for the most basic of security protocols.

On top of the hacking crimes against Dropbox, this is a Department of Health & Human Services Civil Rights lawsuit waiting to happen. No wonder Jones & Mayer are spending so much time papering the courts with bullshittery to hide their illegal actions and gross incompetence from the City. It’d be a real shame if the impacted people, who the city was legally required to notify, were to file federal complaints over Privacy [HERE] or Security [HERE] against Fullerton.

As an aside, the city claims emails referencing “dropbox,” “cityoffullerton/com/outbox,” “Fullerton!,” “Full3rtOn!,” or “synoptek” from 2015 to 10/24/2019 yielded 9,700 results. Even AFTER excluding “Fullerton!” & “Full3rtOn!” owing to the wildcard nature of the “!” they claim 9,700 results and they want about $21,000 to sort and redact them. They totally weren’t sharing this information we “hacked” far and wide. Right.

This is yet another example of how the City of Fullerton wastes your money. The cost to sue us is a colossal waste to taxpayers for the sole purpose of covering up the City Attorney’s mistakes and the impending lawsuits over HIPPA will likewise come out of your taxes without a single bureaucrat or attorney being held accountable for their crimes/incompetence.

Fullerton v. FFFF – New Judge, New Court Dates

OC Superior Court in Santa Ana

Things just keep on moving in the legal battles between us and Fullerton.

Yesterday the Hon. Judge Lee ruled that our two cases, Joshua Ferguson v. Fullerton and Fullerton v. FFFF, Joshua Ferguson, et al are related in response to our request for such a ruling.

As such we will no longer be gracing Judge Lee’s courtroom in Department C31 on 27 February 2019.

Currently we have a Status Conference regarding the City suing us on 12 Dec & a Case Management Conference on my Writ of Mandate case on 16 Dec in front of the Hon. Judge James Crandall in Department C33.

OC Superior Court Related Cases Dec2019

For context we argued, and the city opposed, the point that these two cases are related owing to them involving the same parties and general facts:

“[T]he two actions are based on similar claims, arise from the same transactions and events, and require the determination of substantially identical questions of law and fact. The CPRA lawsuit alleges that the City has improperly withheld records it claims are confidential or exempt from disclosure. The City’s lawsuit claims that in the process of responding to Defendants’ CPRA requests, it placed confidential or exempt information on its website, www.cityoffullerton.com/outbox. In both cases, the City has the burden to show that the documents are confidential.”

We’re of the opinion that the city’s case against myself and this blog is retaliatory owing to the fact that the city waited months to file their case and only did so AFTER I filed my Public Records lawsuit.

The city claims they waited to “secure their network” which is utter nonsense considering their own experts, in their own declaration, stated that the city needed approximately 30 days for the company Glass Box to fix their network (not Dropbox) vulnerability. Yet the city sent their original Cease & Desist email on 14 June, their letter to our attorney Kelly Aviles on 17 July and then they waited an additional 99 days to file their lawsuit against us on 24 Oct.

That’s a lot more than the 30 days recommended by Glass Box and sure is convenient timing. It’s even more convenient that the City had to vote “again” on 19 November “in an effort to clarify any Brown Act violations” when they refused to report out about their alleged vote back in September that Whitaker denies even took place.

I will be very surprised it the city does not attempt to appeal this decision to link the cases.

Fullerton v FFFF – Fullerton’s Small Loss & Big Costs

OC Superior Court in Santa Ana

Yesterday Kimberly Barlow with Jones & Mayer, on behalf of the City of Fullerton, asked the Hon. Richard Y. Lee to change the Temporary Restraining Order (TRO) against myself and this blog. An exhibit to said TRO was NOT INCLUDED when the Judge signed the original order and Jones & Mayer wanted to substitute the list of files we were originally told we couldn’t publish, share or delete with a shiny new list that allegedly only included private records. Read about that issue in our previous post [HERE].

The judge denied Ms. Barlow’s ex parte request. While Judge Lee agreed he had authority to change the TRO, he wasn’t going to do so as he didn’t believe it was necessarily the “clerical error” Fullerton’s attorney was claiming. Chalk up yet another loss for Jones & Mayer.

During the hearing Ms. Barlow took umbrage with our opposition paperwork, specifically the part about costs. Here’s the relevant part from our opposition (emphasis added, linked [HERE]):

Finally, filing of the anti-SLAPP motion by the Defendants within a week of the date this lawsuit was filed, halts proceedings so that Defendants and the Court are not burdened by the time and ever-increasing costs incurred in response to a frivolous lawsuit.

Yet, at present, the Defendants have been required to incur the expense of filing multiple briefs, a writ petition, numerous objections, last week’s court appearance, and are now must oppose on the City’s ex parte request to reconsider a restraining order, a request this Court has already rejected. Currently, Defendants have incurred nearly $100,000 in legal fees, which despite the pending SLAPP motion, are continuing to increase.This is exactly the point of SLAPP suits: To discourage public participation by running up litigation expenses, even though the City’s suit is completely meritless.

Ms. Barlow didn’t understand how it could possibly cost so much to fight her nonsense. She claimed it couldn’t cost so much to fight a TRO that in her words had no effect because the exhibit listing the files had been left off.

How could it cost so much? Gee. I wonder.

Perhaps if the City Attorney didn’t co-mingle everything up to and including billable hours she would understand how every time our attorney responds to the City’s paperwork, filings, declarations (alone totaling 21 and counting with 4 declarations from Strebe, 3 from Klein and so on and so forth), it costs money. There are more pages in those declarations than the first two Harry Potter novels combined. Plus every time our attorney has to read an email, field a phone call, talk to media on our behalf and show up to court, it costs us money. Every time the City does something, she informs us, which costs us money. And on and on.

We’re a month into this process, with three months to go before the anti-SLAPP motion, and we’re already staring down $100k. Imagine the bill when the dust settles. If our ONE attorney is racking up billable hours responding to the city’s filings, one can only imagine the costs being incurred over at Jones & Mayer in creating all of that paper they’re attempting to bury us under each day.

Yesterday, three weeks after getting it, Ms. Barlow went to court to argue that the TRO she demanded, received and then we had stayed, is incomplete. This mistake, which Barlow blames on the court, led to that hearing. Her appearance as well as our attorney’s appearance is costing billable hours and somebody is going to have to pay the piper.

We’re betting it’ll be the taxpayers.

As always we’ll keep you posted as to the details of this case as they happen.

Fullerton Stopped Us From Publishing Public Records

OCR- Top of the Fold

Fullerton is headed back to court tomorrow to try and fix what it claims is a “clerical error” in their Temporary Restraining Order (TRO) against us here at FFFF. The TRO that’s already in front of the Court of Appeals and has mostly been stayed. The meat here is that the City Attorney did not incorporate into the TRO the list of files we’re alleged to have “hacked” by clicking links the city gave out to the world.

To try and fix their mistake, the City’s attorneys are running back to court to get the TRO fixed. This is all a part of their quest to search our digital lives to see if we have files they themselves admit they put on the internet.

For those just catching up, the core of the city’s illegal SLAPP case is that the public can only access information on the City’s website that the City has sent you a link and express permission to access/download.

This is preposterous and amounts to me calling you, dear reader, a “thief” and “hacker” if you click the “Contact” link on this page without me giving you express permission to click it despite me inviting you onto this page. This idiocy, if allowed to stand in court, will break the internet as we know it.

But in true Fullerton fashion it gets better.

You see, when the city was rushing to stomp on our First Amendment rights (despite Jan Flory expecting that to get struck down and Bruce Whitaker claiming there was no vote to do so at all), they couldn’t even be bothered to check their work. This is the list of files in question according to the City and the files we were restrained (gagged) from publishing or sharing:

TROed Public Records

Those red arrows are files that the City claims are public records disclosed as part of records requests according to the declaration of Mea Klein. You can likely spot other obvious public records on your own.

In other words – the city got a court to stop us from publishing and sharing records they themselves claim are public. Files the clerk’s office released to members of the public.

Let us contrast that with the City’s argument where they claim we should have known which files/folders on the city’s Dropbox account were public versus private before allegedly accessing anything. The City Attorney, as evidenced by this exhibit of their own creation, can’t discern public from allegedly private files. They not only admit to co-mingling files they have a legal duty to keep confidential with documents they have a legal duty to share with the public but they did it again in their TRO against us.

Allow me to repeat this very important point:

At the behest of our City Council, the City Attorney actually convinced a court to restrain us from publishing and sharing things they themselves admit are public records.

One might expect a little more due diligence when working to step on the First Amendment. We’ll see what the judge says tomorrow regarding this TRO update and we’ll keep you posted as this case continues.

Jan Flory Knowingly Voted Against the 1st Amendment

JanFlory-Official

It’s not often that a sitting politician admits to violating the rights of the people but we’re seeing a lot of firsts here in Fullerton lately and the issue of ethics is no different.

Let us start by reminding the class that councilwoman Jan Flory is only currently on council because Ahmad Zahra sold out in record time and put her there. Despite Zahra’s peacocking and preening as a man of ethics and great concern for the Constitution and voting rights – he showed us early on that he’s an empty suit.

Now in an amusing twist of events it turns out that not only did Zahra and the council vote to kick our 1st Amendment rights in the teeth – his appointee Flory knew that what they were doing wasn’t going to hold up in the courts.

In a recent article [HERE] in the Voice of OC, Councilwoman Jan Flory said the following (emphasis added):

Councilwoman Jan Flory said while she respects the First Amendment, the privacy of city employees is also at stake. Like Whitaker, she said she couldn’t speak about the legal advice given to the Council during closed session.

I think that First Amendment rights trump everything else, but I believe that Kim Barlow has done a good job in that the city also wants to protect Mr. Ferguson’s First Amendment rights,” said Flory in a Nov. 8 phone interview.

She said the First Amendment isn’t the core issue.

“That’s not what’s at issue here. What’s at issue is he (Ferguson) obtained records that are private,” Flory said. “Or have some implications concerning the confidentiality of our city employees as well as members of the public.”

Flory also expected the publication gag order to get blocked, at least temporarily, she said.

“Was I shocked by it? No, not at all,” Flory said.

So Jan Flory, as a lawyer, expected the gag order to get blocked?

On what grounds could it possibly be blocked? On 1st Amendment grounds, perhaps?

Why? Because the gag order against publishing was and is an illegal prior restraint against the 1st Amendment and as a lawyer Jan Flory might be familiar with this particular point.

Now according to The Other Dick Jones™ at the last council meeting the entire council, Flory included, voted for this 1st Amendment violating gag order back in September despite Flory expecting it to be shot down.

There you have it folks.

Jan Flory “thinks that First Amendment rights trump everything else” but that didn’t stop her from voting to put the boot of government on the throat of OUR 1st Amendment rights when it suited the CYA needs of the city.

While fully expecting the courts to slap the city’s illegal SLAPP lawsuit/TRO – she voted against the 1st Amendment on 17 September 2019 and then did it again on 05 November 2019. I’m sorry Jan, but your postulating about the importance of the 1st Amendment is meaningless when you yourself voted against Freedom of the Press not once but twice.

You care about the 1st Amendment?

SureJan

Fullerton v FFFF – Expert Response

You may have seen the City of Fullerton via their attorney Kim Barlow throwing around words like “thieves” and “hackers” in regards to the current litigation they initiated against us here at FFFF. You may have also seen the Fullerton Observer Pravda parroting their nonsense with their own “expert”.

In response we’ve decided to publish the bulk our tech expert’s declaration as submitted to the court for easy reading right here on the blog (CV, footnotes, et in link). We hope this helps clear up a lot of the BS being bandied around to baffle the masses by City Hall and their water carriers.

Please allow us to present the stellar work by John Bambenek.

John Bambenek

Enjoy:

I. INTRODUCTION

I, JOHN BAMBENEK, hereby declare as follows:

1. The facts stated in this Declaration are true and correct of my own personal knowledge, except for those matters expressly stated on information and belief, which matters I believe to be true. If called as a witness, I could and would competently testify thereto.

2. I am filing this declaration in support of the Defendants Friends for Fullerton’s Future, Joshua Ferguson, and David Curlee’s Opposition to OSC re Preliminary Injunction sought by the City of Fullerton (“City”).

3. I have reviewed the following pleadings and documents filed in this case:

  • Complaint for (1) Violation of Comprehensive Computer Data Access and Fraud Act (Cal. Pen. Code § 502 et seq.); (2) Violation of the Computer Fraud and Abuse Act (18 U.S.C. et seq.); (3) Violation of Cal. Gov’t Code § 6204 et seq; Conversion; Trespass to Chattels; and (6) Conspiracy (filed by the City on October 24, 2019);
  • Ex Parte Application for Temporary Restraining Order and Order to Show Cause as to why a Preliminary Injunction should not be issued; Memorandum of Points and Authorities (filed by the City on October 24, 2019);
  • Declaration of Matthew Strebe and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Mea Klein and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Steve Lee (filed by the City on October 24, 2019);
  • Declaration of Bruce Lindsay (filed by the City on October 24, 2019);
  • Opposition to Plaintiff’s Ex Parte Application for an Unconstitutional Prior Restraint (filed by Defendants on October 25, 2019);
  • Transcript of the October 25, 2019 Hearing on Plaintiff’s Ex Parte Application;
  • Supplemental Memorandum of Points and Authorities in Support of Plaintiff’s
  • Motion for Preliminary Injunction (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Matthew Strebe (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Mea Klein (filed by Defendants on November 1, 2019);
  • Declaration of Christopher Tennyson (filed by Defendants on November 1, 2019);
  • Declaration of Mike Rice (filed by Defendants on November 1, 2019);
  • Declaration of Marni Rice (filed by Defendants on November 1, 2019); and
  • Declaration of Ivy Tsai (filed by Defendants on November 1, 2019);

4. Based on my expertise and claims made in the declarations filed by the City (as set out in paragraph 3, above), I have reached the following conclusions:

  1. The City’s declarations do NOT substantiate any evidence of unauthorized access or “hacking” as those terms are typically defined;
  2. The use of a VPN or Tor is common among a wide variety of users, including journalists;
  3. The attribution of VPN traffic, Tor traffic, and other “foreign IP addresses” to Mr. Ferguson and Mr. Curlee is, at best, deeply flawed.

5. For purposes of this declaration and to aid the Court in its understanding of the issues presented in this case, I have created a Dropbox folder to simulate the underlying circumstances that gave rise to this case. I do not have any access to the documents that are at issue in this case, and do not have the ability to reconstruct the exact configuration or access the Dropbox account at issue since it has since been modified and is no longer available through its original link, www.cityoffullerton.com/outbox. However, my reconstruction is consistent with information provided by the City in its declarations and the websites and information associated with this case.

II. QUALIFICATIONS AND BACKGROUND

6. I am President of Bambenek Consulting, LTD, a cybersecurity investigation and intelligence firm in Champaign, Illinois. I have worked 20 years in cybersecurity and consult with a wide range of law enforcement entities both in the United States and abroad on matters related to cybercrime or hostile nation-state activity. A true and correct copy of my curriculum vitae is attached as Exhibit A, and is incorporated by reference herein as if set forth in full.

7. I have been an adjunct lecturer in the Department of Computer Science and the School of Information Sciences at the University of Illinois teaching courses on digital forensics and cybersecurity. I am additionally an instructor at Parkland College also teaching a course on networking.

8. I am a co-author and helped design a digital forensics curriculum with the Information Trust Institute at the University of Illinois that lead to the create of interdisciplinary CS and Law courses on digital forensics and investigation.

9. Additionally, I have advised and continue to advise individuals on privacy and how to protect their information and privacy against hostile governments, abusive ex-partners, and variety of threat groups that target typically disadvantaged individuals and groups. I recently spoke at a conference discussing mobile malware attacks attributed to the Chinese government against Uighur Muslims and Tibetans .

10. I have assisted in law enforcement investigations including cases involving the 2016 presidential election including activity that helped retrieve some documents stolen by the Russian Government from the Democratic Congressional Campaign Committee. Most recently, I was the expert witness in Obeidallah v. Anglin, 2:17-CS-00720 (S. D. Ohio) where I testified in matters related to cryptocurrency and financial assets in a civil litigation matter.

11. I additionally provide auditing and consulting for a variety of companies, including law firms, on data protection and obligations around data security to comply with regulation or privilege.

12. I speak at conferences all over the world on matters relating to cybercrime investigation and threat intelligence and how to attribute malicious activity to individuals using technical information and metadata.

III. ANALYSIS

A. The City’s Declarations Provide No Evidence of “Hacking” or Unauthorized Access.

13. Dropbox is a web-based, file sharing application that allows individuals or organizations to store documents for their own use, share them with specific e-mail addresses (accounts are tied to e-mail address in Dropbox), or to make them available globally, worldwide, and without any access control.

14. These settings are under the complete control of the owner of the files. In the web interface, there is a “share” button that allows file owners to either share their files or keep them confidential however they may see fit. For example, if a user wishes to share a file, via Dropbox, with their attorney for review, the user could send an email from the web interface to the attorney’s specific email address. Below is an example of a screenshot of the interface demonstrating this capability, which was created in a simulated folder created for this declaration:

15. Dropbox provides a variety of security settings and access limitations, which could expire a link at a given time, prevent downloads, and determine who has access. A screenshot of the possible access restrictions for the fictional folder used as an example in paragraph 9, is below:

16. It appears from the City’s declarations that the City set its folder permissions to intentionally allow anyone with the link can view it. When you select this level of access, Dropbox makes clear that “Anyone with this link can view the folder.” A screenshot of how this would appear to the creator of the folder or the administrator of the account appears below:

17. This means that the City created the URL (or internet address for the Dropbox account) and mere knowledge of that URL is sufficient for access. Anyone with knowledge of the URL would have access would only have to go to that website to find that the entire folder contents are available and visible, including any and all subfolders that are stored therein. An example of how that would appear to a user who enters the URL of an unrestricted Dropbox account appears below:

18. The City’s administrator for its Dropbox account could have also changed the global access restrictions so as to prevent information from being disclosed outside of various groups. An example of these global settings can be seen in this screenshot:

19. While explanations of the configuration of the City’s Dropbox security settings are notably absent from its declaration, there are no allegations in the City’s declarations that I have reviewed that even allege that there was any access or password restrictions on the City’s Dropbox account. This confirms that the set up I have described in the preceding paragraphs was the manner in which the City’s Dropbox account was configured and that anyone with knowledge of the URL could see and access the folders contained therein.

20. As the City set the configurations on its Dropbox account so anyone with the URL could access the folders, subfolders, (and by extension the content contained therein), they themselves made this information available to anyone, anywhere in the world to download at any time and for any reason.

21. Compounding these problems, the City then expressly changed its URL (or the address of its Dropbox) to www.cityoffullerton.com/outbox, making it appear that the Dropbox account was an ordinary part of the City’s website.

22. Accessing a typical Dropbox account would require someone to go to www.dropbox.com and enter their login credentials, including a user name/email address and a password. An example of this can be seen in the following screenshot:

23. However, the City’s Dropbox was intentionally changed from this routine configuration, leaving no conspicuous way for the average user to know that the webpage housing the files was anything other than the City’s website.

24. From my review of the City’s website, the City also uses this configuration for various other types of disclosable public records and information. For example, information about the City’s meetings, including agenda and minutes, is available through the City’s website, by going to www.cityoffullerton.com, then clicking on the “Government” link, then on the “City Clerk” link, and then on the “Meetings and Agendas” link. However, this directs the user to the City’s Granicus account, which is a software platform used to manage government meeting data, including the storage and public access of agendas, minutes, and recordings of public meetings. The City uses OpenGov, another cloud-based software program, to manage and provide public access to its financial data. This is available directly through the City’s website by searching for “budget” in the website’s search feature, and clicking on the first link “City Budget”, and then clicking on link “OpenGov,” where the City directs users for information. There is no statement by the City in contained in any of these links or on any of these webpages which provide “express authorization” as to which links or files can be accessed by the public because the presumption is that information on a City website is public.

25. I have also reviewed the emails and communications described in and attached to the City’s declarations, but found no reference to any use restriction or admonishment until the City’s July 2019 correspondence to Kelly Aviles advising that accessing the Dropbox account was no longer authorized. Nor are there even any “terms of use” on the Plaintiff’s website to indicate such a restriction, even though that would not necessarily be sufficient to notify visitors that information on a public agency’s website was not intended for public access.

26. In my professional capacity as someone who evaluates security configurations of organizations with privileged and confidential information, I would have rated such a setup at an extremely high risk and priority for immediate change. The use of Dropbox to share confidential information or privileged communications is simply an unacceptable risk. Its use in this way can accurately be assessed as gross negligence.

27. This is particularly problematic for certain uses that are bound to keep information confidential. For example, attorneys have a duty of confidentiality, requiring them to take reasonable steps to maintain client information. (See California Rules of Professional Conduct, Rule 1.6; Cal. Bus. & Prof. Code § 6068.) This set up would be insufficient to ensure that confidential information is maintained. (See, e.g., https://www.americanbar.org/groups/business_law/publications/ blt/2017/09/01_kohut/; http://www.abajournal.com/magazine/article/ethics_secure_ client_communications/?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly; https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/2010-179-Interim-No-08-0002- PAW.pdf; https://www.sdcba.org/index.cfm?pg=Legal-Ethics-Opinion-2012-1.)

28. Similarly, Dropbox provides information on the appropriate use of its platform for HIPAA-related information, which requires specific configurations and access restrictions. It appears from Plaintiff’s declarations that the City failed to follow any of these steps to protect the information they stored on their Dropbox which they claim is confidential. In fact, the steps they did take removed what little security is typically available in a default configuration.

29. Typically, “hacking” refers to the use of some tool or technique that defeats defenses in a computer system. A password cracking program may try to guess the password for an account. A tool may attempt to exploit a vulnerability to get access to the underlying database of a website. Malware (or colloquially, a “computer virus”) may be installed on a victim machine to give access to information. There is no evidence that any tool, vulnerability, technique, or manipulation of a computer system occurred by the Defendants in this case, nor does the City allege that there was any such action.

30. In the terms of the Computer Fraud and Abuse Act and its related state statute, the specific formulation is “exceeding access” or “unauthorized access” of a protected computer system. In this case, the Defendant could not have exceeded or acquired unauthorized access. The computer system (Dropbox) gave Defendants and the public exactly the access that the City set in the first place.

That may have been a mistake on the City’s part, but the system worked exactly how it was designed with the exact settings it was given.

31. In light of the above and in the absence of other evidence not yet in the record, I conclude that the city had no technical restrictions on accessing the data so a computer system was not subverted to access the information. I further conclude there was no stated access restrictions, so no “administrative” access controls were subverted either.

B. VPN Use is Common and Appropriate

32. A VPN is an encryption-based technology to keep one’s network traffic secure.

33. The City and its “expert” appear to infer that its use demonstrates an ill intent or conscious of guilt. Use of a VPN says nothing about the propriety of the actions taken while using a VPN. There are a wide variety of use cases for this tool and like all tools, it can be used for good or for ill.

34. Journalists use VPNs. The Global Investigative Journalism Network recommends the use of VPNs for journalists . This is especially true for investigative journalists who are looking into government misconduct (like the kind uncovered and alleged by the journalist in this case). This is because governments often retaliate against those journalists and impose “personal costs” (such as losing one’s job) as a price for uncovering misconduct. Ironically, the City’s actions in retaliation for the reporting done by Defendants in this case is exactly the kind of case study for why this advice exists.

35. The FBI recommends that political campaigns use VPNs in light of election manipulation attempts, the Electronic Frontier Foundation produces a guide on personal VPNs designed for journalists, activists, LGBTQ persons, academic researchers, and others. A personal VPN might be used by a victim of a domestic abuses to make them harder to stalk.

36. A VPN is used often in business for secure access to corporate networks. A VPN can be used in academic to access University resources while remote. A VPN can be used to access video content, circumvent censorship, or to protect the confidentiality of someone who may be facing threats.

37. I, too, use several VPNs, one to access corporate files securely on untrusted networks, one to access campus resources provided for faculty and students only, and a personal VPN to watch “American” Netflix while overseas.

C. Attribution of VPN and Tor traffic is deeply flawed

38. There at no statements in Mr. Strebe’s declarations authenticating the logs attached as Exhibit A. The logs contain a table of information. The eighth column has no header but is populated with names from time to time (e.g. Tor, PureVPN, etc). There is no information about what this is, how it was gathered, or how it can be reproduced.

39. I created a Dropbox business account to compare the format of the logs that Dropbox itself generated. An example of what I saw in my experimental logs is below:

40. There appear to be key differences in the formats of the logs I obtained from the Dropbox account I created and the logs attached to Mr. Strebe’s declarations. For example, there is no corresponding column provided by Dropbox that maps to the 7th (“Region”) and 8th (untitled) columns in the logs attached as Exhibit A to Mr. Strebe’s original declaration. In Mr. Strebe’s supplemental declaration, the 8th untitled column is no longer included.

41. Also of note is that the logs I accessed from Dropbox using the account I created, unauthenticated users were logged, but only 1st and 2nd octet of the IP address were logged, the other half of the IP address was obscured (i.e. instead of seeing 12.24.36.48, what was produced shows 12.24.XXX.XXX).

42. While the City’s declarations do not state how the logs attached to Mr. Strebe’s declarations were generated, the discrepancies raise serious questions about the integrity and authentication of the logs attached to Mr. Strebe’s declarations, as they appear to have been manipulated or modified by the “expert,” compromising the integrity of the evidence.

43. Even presuming that these logs are authentic, and the information contained therein is accurate, there are serious flaws in the City’s analysis of what they purportedly show.

44. Several entries allege Mr. Ferguson’s account was logged into Dropbox and accessed city records purportedly from PureVPN (12/28/2017, 12/30/2017, and 3/29/2018 from Oslo and 10/26/2018, 10/27/2018, 10/30/2018, and 11/06/2018 from the Netherlands). There are no log entries produced by the City that indicate other occasions of Mr. Ferguson account accessing the City’s Dropbox. There are no logs at all indicating Mr. Curlee’s purported access.

45. Plaintiff then uses these brief occurrences to conclude that all access via PureVPN to Plaintiff’s Dropbox must be from Ferguson, Curlee, or their “unnamed associates.” (Strebe Dec., ¶ 40).

46. The City then reaches even farther to suggest all accesses via Tor must also be from the Defendants despite the complete and utter lack of evidence for that conclusion in their own exhibits. (See Strebe Dec., ¶ 60.)

47. The City and Mr. Strebe, undaunted by a complete lack of evidence and unhindered by any respect for appropriate investigative reasoning, then decide all access from foreign IPs otherwise unattributed must also be from the Defendants. (See Strebe Dec., ¶ 51.)

48. The only indication Plaintiff’s give for such reasoning is that some of the access attributed to Tor, PureVPN, or other “foreign” IP addresses was for documents responsive to records requests made by the Plaintiff that no one else would know. But this is a conclusion, not evidence. Nor is such a conclusion warranted based on the purported Dropbox logs.

49. PureVPN, according to Crunchbase has $15.7 million in revenue. Assuming that is correct, and based on the listed monthly cost of service (before discount) at $10.95/month , this would equate to approximately 120,000 PureVPN users. It defies credulity that Plaintiff could have eliminated all but 2 of those users from this activity.

50. According to the Tor Project, there are currently around 1.75 million active daily tor users . While there was at least some limited activity that Plaintiff could attribute to Defendant Ferguson via PureVPN, there is no activity over Tor that contains metadata implicating the Defendants.

51. The City and its “expert” stated there was a foreign access to Dropbox content on August 23, 2017. (See Strebe Dec., ¶ 37.) They argued this was “likely an authorized user” but provide absolutely no evidence for that conclusion. Who is the authorized user? How do they know its authorized? The ambiguity on that point stands in stark contrast to the certainty they express previously about all PureVPN, foreign VPN, and Tor traffic must be the Defendants.

52. Mr. Strebe also makes liberal use of printouts from a website myip.ms. This is not a forensically sound way to attribute IP addresses. There is no documentation as to how myip.ms works or where it gets its information, which makes it use questionable, at best.

IV. CONCLUSION

53. The evidence presented by the City in no way supports any allegation of “unauthorized access” or “exceeding access” of any computer system. The evidence shows that the City itself placed this information on the internet without access control allowing anyone full permission to download the content. The access logs, even if authenticated, do not substantiate, in the absence of other corroborating evidence, that all Tor, VPN, and foreign traffic belongs to the Defendants. Nor is Mr. Ferguson’s use of PureVPN a sufficient or even suggestive data point to implicate guilt.

I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct and that this declaration was executed on November 7, 2019, at Chula Vista, California.

Joshua Speaks about Fullerton v FFFF Lawsuit

Joshua Voice of OC
Photo by JULIE LEOPO, Voice of OC

I’ve been pretty quiet since the City of Fullerton decided to sue me, David Curlee and this blog. We were under a Temporary Restraining Order (TRO) so knowing what I could and could not post was up for legal debate. Yet at the same time the TRO was active, the City Attorney, Kim Barlow, was out in the open calling us hackers and thieves to our friends, neighbors and the world at large.  Yay illegal prior restraints in violation of the 1st Amendment.

The basic issue here is that City Hall screwed up and then decided to smear and scapegoat us to cover their own bureaucratic hindquarters.

To this end they hired some experts to bloviate about BS in an attempt to confuse people and obscure the truth about what is actually being alleged against us and City Council bought it hook, line and sinker.

The ink on the City’s Press Release hit-piece was barely dry before The Fullerton Observer uncritically reprinted it and in an effort to attempt cover the story they brought in their own “expert” who copy and pasted the City’s nonsense in order to paint us as hackers and villains with malicious intentions and evil schemes.

But now I’ll tell you what is actually being alleged; The City is alleging that we went to it’s website and clicked links.

That’s it.

All of their preening about VPNs/TOR, link hashes, network security – All Of It – is a smokescreen. Despite the nonsense about needing to delay the lawsuit to secure the city’s network, the city never alleges that the their network was ever breached or hacked.

The real meat and substance of their argument and allegations is that we “exceeded authorized access” and are therefore “thieves” and “hackers” under the Computer Fraud and Abuse Act as well as the California Comprehensive Computer Data Access and Fraud Act.

We allegedly “exceeded access” because they say we went to a link on the city’s own website, a link they themselves claim that they told us about, and allegedly clicked on files and folders they put there for the whole world to see plain as day. The argument is that we should have known better and shouldn’t have clicked on the files they put on the internet at the website they told us about. That is literally their allegations. That’s it.

We’re apparently supposed to have known what a $1Million+/year worth of government employees & lawyers didn’t know – that some files the city put online shouldn’t have been accessible from the city’s own website.

To bypass the obvious First Amendment issues in this lawsuit and to obtain their TRO the city made the claim that we accessed files that contain privileged medical records of police and their families, etc.

This is why they claim to have needed the prior restraint against us publishing data – to mitigate financial risks to the city. But there is no evidence this blog has published any such information made in the city’s grand accusations. Information, mind you, that the City themselves claim to have put on the internet for the entire world to access. By their logic we shouldn’t be allowed to do as journalists what they themselves have already admitted to doing as incompetents.

The City is trying to unring a bell here and blaming those who allegedly heard it instead of admitting they caused the commotion when they bonked their own heads.

Even if what the city alleges is true, that we allegedly went to the city’s own website and clicked links, the liability and financial risks to the city are of their own doing by their own admissions. It is not the responsibility of journalists or even the public to safeguard the city’s corruption and secrecy after the city itself has put it on display for the entire world.

To call the allegation that we went to their website and clicked links “hacking” and “stealing” is absurd. To demand myself, David Curlee, my former co-worker, this blog at large and unnamed Does 1-50 turn over our entire digital lives (phones, computers, hard drives, flash drives, CDs/DVDs, etc) to the city to cure this alleged link clicking is ludicrous on top of the absurd. And frankly it’s insulting and malicious.

Fullerton is rotten to the core when it actively buries misconduct by employees and officers but attacks bloggers & journalists for revealing truths. That our council would vote 5-0 to pursue this lawsuit and then vote 4-1 to continue it says a lot about our supposed leadership.

Thankfully the TRO was stayed by the Appellate Court and we are free to resume publishing. This is going to continue at least until 21 November and we’ll keep you posted as to the status of this ridiculous lawsuit.

Meanwhile I’m now out of a job thanks to this lawsuit while bills and attorney fees stack up. A good friend and all around great guy, Erik Wehn, set up a GoFundMe account and I’ll incur his wrath if I don’t mention it [HERE] so there it is and thank you to all of the people who have supported myself and this blog financially, emotionally and spiritually in these trying times. Sincerely thank you.