Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform
from the we-know-all-about-you,-but-good-luck-finding-out-about-us dept
Chris Soghoian, the ACLU's chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it's almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone's front door, Soghoian was able to route around the DEA's unforthcoming attitude.
How to disclose a security flaw to the DEA.
— Christopher Soghoian (@csoghoian) February 28, 2016
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.https://t.co/sRK56FSkEL
How to disclose a security flaw to the DEA.The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.
This site will allow you to edit company info, provided you can socially engineer your way into a position at the company. That being said, it looks loads better than the company's original site, which appears to have been last updated five minutes after the domain was registered (2004).
There's nothing on this site referring to Bret Stevens, current DEA security chief, but then again, the site doesn't appear to be subject to frequent updates. Or any updates.
Anyway, Soghoian wanted to point out a security flaw on the DEA's website. The DEA will accept tips from citizens. However, it does absolutely nothing to protect these helpful citizens. From Soghoian's notification email:
The DEA operates an online tipform, through which individuals can report "possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances."Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you'd think a form that collects personal info about members of the public -- especially in conjunction with info about possibly armed and violent criminals -- would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.
See: http://www.dea.gov/ops/submit.php
This website does not use HTTPS to protect the transmission of information. It should.
Soghoian's email also suggests the agency be a little more transparent about its security staff.
On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB's instructions.
Use at your own risk.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bret stevens, chris soghoian, dea, failures, https, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Brilliant
[ link to this | view in chronology ]
Re: Brilliant
[ link to this | view in chronology ]
Re: Brilliant
[ link to this | view in chronology ]
Re: Re: Brilliant
Seriously, there aren't procedures to follow, protocols to implement, some vague internal understanding that there are, you know, industry standards and best practices??
More of a "Give the contract to the bosses' company, they can hack together something." process, apparently.
*shrugs* The gov't doesn't even bother to pretend anymore.
[ link to this | view in chronology ]
Or possibly shoot the messenger
[ link to this | view in chronology ]
[ link to this | view in chronology ]
a new target
[ link to this | view in chronology ]
That's a given. It's going to the DEA, after all.
[ link to this | view in chronology ]
shits given
[ link to this | view in chronology ]
Re: shits given
Kind of Levyesque? "Do what thou with shall be the whole of the law."
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
I think it's simpler than that. Your security interferes with their feeling secure. I'd call that paranoid psychosis on their part, but I don't have much (if any) say in this. C'est la vie.
[ link to this | view in chronology ]
In house expertise ignored
[ link to this | view in chronology ]
They wouldn't do that
But if such should happen, it doesn't hurt their feelings.
[ link to this | view in chronology ]
Re: They wouldn't do that
[ link to this | view in chronology ]
Re: Re: They wouldn't do that
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Ahhhh Corruption
[ link to this | view in chronology ]
Drug dealers are NOT criminals.
[ link to this | view in chronology ]
It's like they fired the competent people for mentioning problems.
[ link to this | view in chronology ]