Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform

from the we-know-all-about-you,-but-good-luck-finding-out-about-us dept

Chris Soghoian, the ACLU's chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it's almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone's front door, Soghoian was able to route around the DEA's unforthcoming attitude.

If you can't read/see the tweet, it says:
How to disclose a security flaw to the DEA.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.
The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.


This site will allow you to edit company info, provided you can socially engineer your way into a position at the company. That being said, it looks loads better than the company's original site, which appears to have been last updated five minutes after the domain was registered (2004).


There's nothing on this site referring to Bret Stevens, current DEA security chief, but then again, the site doesn't appear to be subject to frequent updates. Or any updates.

Anyway, Soghoian wanted to point out a security flaw on the DEA's website. The DEA will accept tips from citizens. However, it does absolutely nothing to protect these helpful citizens. From Soghoian's notification email:
The DEA operates an online tip form, through which individuals can report "possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances."

See: http://www.dea.gov/ops/submit.php

This website does not use HTTPS to protect the transmission of information. It should.
Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you'd think a form that collects personal info about members of the public -- especially in conjunction with info about possibly armed and violent criminals -- would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.
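The check Soghoian's email amounts to, as an added example that is not the article's or the DEA's code: a small Python utility that resolves each form's effective submission URL the way a browser would and flags any that would post field data over plain HTTP. The page URL, hostname and HTML below are constructed placeholders.

```python
"""Flag HTML forms whose submission would travel over plain HTTP.

Added example, not code from the article or the DEA site: resolve every
<form>'s effective action URL the way a browser would and report those
that would send field data unencrypted. Sample page and host are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def effective_action_url(page_url, action):
    """Resolve a form action (relative, empty, or //host) against the page URL."""
    return urljoin(page_url, action)


def find_insecure_forms(page_url, page_html):
    """Return the effective action URLs of forms that would post over http."""
    collector = _FormCollector()
    collector.feed(page_html)
    targets = (effective_action_url(page_url, a) for a in collector.actions)
    return [t for t in targets if urlsplit(t).scheme.lower() == "http"]


# Constructed sample served over plain HTTP: a tip form with no action (posts
# back to the http page), a form that explicitly posts to HTTPS, and a
# scheme-relative action that inherits the page's http scheme.
SAMPLE_PAGE_URL = "http://agency.example/ops/submit.php"
SAMPLE_HTML = """
<form method="post">
  <input name="reporter_name"><input name="reporter_phone">
  <textarea name="tip"></textarea>
</form>
<form method="post" action="https://agency.example/ops/submit.php"></form>
<form method="get" action="//agency.example/search"></form>
"""

if __name__ == "__main__":
    for url in find_insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", url)
```

Serving the same page over HTTPS makes the empty and scheme-relative actions inherit https, which is why the fix is to move the whole page, not just the form target.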

Soghoian's email also suggests the agency be a little more transparent about its security staff.
On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.
If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB's instructions.

Use at your own risk.

Filed Under: bret stevens, chris soghoian, dea, failures, https, security


Reader Comments

  1. Vidiot (profile), 29 Feb 2016 @ 6:46am

    Brilliant

    Sending the notification to Stevens' "side job" address has the same impact as writing it on his bathroom mirror in red lipstick. That ought to grab his attention.

  2. rw (profile), 29 Feb 2016 @ 6:55am

    Re: Brilliant

    I don't know. He's probably had so much red lipstick on his mirror that it doesn't even register.

  3. Anonymous Coward, 29 Feb 2016 @ 8:51am

    Re: Brilliant

    The way our luck is going the "side job" email server will spam filter it to the trash. Then he can honestly say he did not receive it.

  4. Berenerd (profile), 29 Feb 2016 @ 8:51am

    "If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones."

    Or possibly shoot the messenger

  5. Anonymous Coward, 29 Feb 2016 @ 8:55am

    Straight from the WHAT COULD POSSIBLY GO WRONG Department.

  6. NeghVar (profile), 29 Feb 2016 @ 9:04am

    a new target

    and that unsecured database becomes a new target for hackers working for the drug dealers. Search the database for informants, put a price on their head, and quickly locate them since they had to enter their personal info.

  7. Anonymous Coward, 29 Feb 2016 @ 9:17am

    > Apparently, the DEA is not all that concerned about its tips being scooped by criminals, ...

    That's a given. It's going to the DEA, after all.

  8. Ross Ulbricht, 29 Feb 2016 @ 9:17am

    shits given

    It's almost as if they have none to give.

  9. Anonymous Coward, 29 Feb 2016 @ 9:20am

    One thing I've learned about the Government is that security only matters to them when it's used to push an agenda.

  10. Anonymous Anonymous Coward, 29 Feb 2016 @ 9:28am

    In house expertise ignored

    "Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016..."
    It's a wonder that no one from this agency is going to be named to the commission. How is one to eliminate encryption when required to use it?

  11. Coyne Tibbets (profile), 29 Feb 2016 @ 11:29am

    They wouldn't do that

    I won't go so far as to suggest that DEA would deliberately reveal an informant's details, because if they're murdered it makes for a so much meatier trial.

    But if such should happen, it doesn't hurt their feelings.

  12. trollificus (profile), 29 Feb 2016 @ 12:38pm

    Re: Re: Brilliant

    Mail filtered to the Spam folder is the same as not received...FOR MY GRANDMOTHER. Not for a federal agency, right?

    Seriously, there aren't procedures to follow, protocols to implement, some vague internal understanding that there are, you know, industry standards and best practices??

    More of a "Give the contract to the bosses' company, they can hack together something." process, apparently.

    *shrugs* The gov't doesn't even bother to pretend anymore.

  13. tqk (profile), 29 Feb 2016 @ 12:41pm

    Re:

    > One thing I've learned about the Government is that security only matters to them when it's used to push an agenda.

    I think it's simpler than that. Your security interferes with their feeling secure. I'd call that paranoid psychosis on their part, but I don't have much (if any) say in this. C'est la vie.

  14. trollificus (profile), 29 Feb 2016 @ 12:47pm

    Re: shits given

    In fairness to the decision-makers at the DEA, how likely and how dire are they to expect consequences to be when the IRS basically used the "Dog ate our homework." defense and the DOJ and Congress just went "Darn that dog!"

    Kind of Levyesque? "Do what thou wilt shall be the whole of the law."

  15. trollificus (profile), 29 Feb 2016 @ 12:50pm

    Re: They wouldn't do that

    Hrrrmmm...the cynicism strong with this one is.

  16. Groaker (profile), 29 Feb 2016 @ 1:26pm

    Having created a bunch of bogeymen, the DEA, et al, have and abuse the power to do far more harm than the substances they are at war with. Just remember that we, the citizens of the nation, are the battleground.

  17. Anonymous Blowhard, 29 Feb 2016 @ 2:29pm

    Ahhhh Corruption

    Thankfully for the people in Latin America their governments decided to rid their countries of the DEA. They already had their own corrupt police force, why host somebody else's? If the drug war was an actual war the DEA would be on trial for war crimes. You are always guaranteed a corrupt agent or two for any investigation. It wastes millions of dollars and possibly allows dangerous criminals to carry on business as usual but who cares right? It's all good for the DEA which serves the DEA and basically nobody else. Too bad Anglo America isn't quite as smart as Latin America.

  18. Valis (profile), 1 Mar 2016 @ 7:24am

    Drug dealers are NOT criminals.

    "The law is an ass."

  19. Coyne Tibbets (profile), 3 Mar 2016 @ 2:03am

    Re: Re: They wouldn't do that

    Millions Missing From DEA Money-Laundering Operation
    At one point, the prosecutor cross-examined me by asking if I thought the agents handling Princess [the informant] were plotting to kill Princess by exposing her to one deadly situation after the other until she was killed. I testified (paraphrased according to my memory) that with more than $20 million missing and unaccounted for, and in consideration of the way they were handling her, it was a reasonable possibility.

  20. Michael Price, 5 Mar 2016 @ 3:41am

    It's like they fired the competent people for mentioning problems.

    What other explanation is there? I mean even if they were evil, you'd think that this is just asking for trouble.

