Password that Florida data scientist Rebekah Jones allegedly used is publicly available


Here’s a Twitter thread that discusses whether or not it’s possible to pinpoint a user from an IPv6 address.

A home IP address can definitely be spoofed by a determined bad actor (e.g. a right-wing populist governor’s dirty tricks operative), right down to the timing of when a legit dynamic IP might be in use. Combined with the publicly available shared login credentials to a sensitive government system (a concept that makes my head hurt) her defense attorney will roll over this easily with some expert witnesses.

And that’s before you get to the punitive raid for this non-violent alleged crime that amounts to a SWATting by a vindictive politician.


Can they even mount a credible prosecution for accessing a secure system when there was zero effort made to actually, you know… secure the system?


straight up fascist bullying right here. don’t want to publicly lie for your governor? fine, the goon squad will come over and break your shit and seize (steal) your stuff just as soon as we make up some weak-ass bullshit to make it seem legit (to morons who will buy it).
this is governor ron-boy being a vindictive asshole, once again. nothing more. that he will get away with it pisses me off all the more.
edit: typos


Absolutely. They might need more to convict, but not to make her miserable and broke.


i’d presume the goal is to gain access to her machines to look for unrelated embarrassing or incriminating info on her or the people she talks to.

so not just punitive. also fishing


That is a “feature” of the Computer Fraud and Abuse Act.


I saw a lot of these spurious claims in the linked Twitter thread - it’s far more difficult than people seem to be making out. The issue here is that actual data was transmitted and received from what I presume to be an HTTP service, using credentials, which means getting a session back from the remote side. To spoof the source address in this scenario would require someone to own a router near the target or similar.

If she indeed did not send the communication, the simpler answer is just that her computer was hacked.

Or if this is really some kind of conspiracy, just doctor the logs, it is interesting to see that conspiracy theories swing both ways though.


It is difficult, which is why I specified a determined bad actor. But it’s far from impossible.

DeSantis tells his ratf-cker-in-chief “make it look like she hacked the system”. Ratf-cker finds a trusted black-hat hacker to do it and make it look convincing for a lot of money. Hacker (after his laughter dies down when he sees how credentials are handled) maybe enlists one other person to help him conduct an attack through one of several established and entirely possible methods.

That or her home network. I agree about this or doctoring the logs as other ways she could have been framed. Since the state is using the IP address as evidence, though, defense has to cover all their bases which means bringing up the possibility of spoofing.

Yes, probably just as easy given the lax security. You don’t need any special hacker skills for that one – more social engineering to get yourself on a terminal with access to the server logs.

I would presume it as well. There’s no way the lazy clowns who run this system bothered to get an SSL cert.

The “conspiracy theory” in this case is allowing for the possibility that a powerful governor with a history of shady dealings and a vindictive streak might have tried to punish someone he considered disloyal by framing her. If there is a conspiracy here, it would involve only a few people (fewer than five) to make any framing scenario happen.

That’s qualitatively different from the guano-crazy conspiracy theories emerging from the kind of people who support DeSantis.


And just like how cops say that they “saw” the black guy had a gun (or gun planted) and win their murder defense, they can state their opinion (or lie) as a fact. “Our investigators found the IP address match.” Provide actual evidence? Just their own “expert’s” testimony.

I would hope that the fact of the widely available username/password and the possibility of spoofing will be enough to create reasonable doubt.


Is it “password” or “P@ssword”?


Exactly this. A private eye wouldn’t be able to get closer than the very rough neighborhood the IP address belonged to (barring some super-secret system they paid to get access to which is populated by the ISPs). The ISP would have to provide the subscriber info, since they only assign IPs to people who have paid their bills.

OTOH, I wouldn’t put it past Comcast to provide bogus info on request to LE just to maintain a good relationship with them.

The most likely sequence of events is they used an independent contractor who analyzed it, for whom they can say they took at his word and did not question his methods. His methods being, the IP address resolved to one maybe in the same town as this lady, and he just claimed he mapped it to her house as he implicitly understood what they were looking for.

A good defense attorney will get it thrown out.

ETA: The IP address is actually mentioned in CNN’s *.pdf link. It resolves to Tallahassee or New Jersey geo-mapping depending on which database you use.


Sounds like they’ve already done a good job of that.


Seems spurious considering most home routers and ISPs still heavily rely on IPv4.


An important part of the Whistleblower Act is that the whistleblower does not have to claim status in order for retribution against them to be illegal.


If your ISP hands out a v6 address most routers will run with it these days. IPv6 support is not some exotic thing, no matter what corporate IT might want you to believe. IPv6 has been around for 22 years now, there’s no excuse for a piece of networking gear to not support it.

I think it’s entirely possible that Mrs. Jones did access the database after she was fired. Her whole point was that the government was lying to the people and causing unnecessary death and suffering. The fact that the same government went all gestapo on her is helping her cause IMHO.


And in my experience, this is actually one of the things Comcast does quite well. When I was on Comcast they delegated a whole /60 prefix to my router. I would be quite surprised if they didn’t keep records of which prefixes were delegated to which subscriber. And since a typical IPv6 home network doesn’t masquerade all devices behind a single address with NAT as is necessary with IPv4, an address could theoretically even be tied back to a single device (though there are mitigations in place in all modern operating systems to make this difficult: most devices will use randomly chosen, ephemeral addresses for outgoing connections).
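The attribution granularity described in the post above, as an added example that is not part of the original thread: it groups source addresses by the /60 delegation size mentioned there and checks whether each interface identifier is MAC-derived (EUI-64) or opaque. The log entries are constructed and use the 2001:db8::/32 documentation prefix; the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (timestamp, source address); not real hosts.
SAMPLE_LOG = [
    ("2020-11-10T14:02:11Z", "2001:db8:4a:c10:9d3e:71ff:2b04:e6a1"),
    ("2020-11-10T14:07:45Z", "2001:db8:4a:c13:5c1f:08aa:d0e2:7b39"),
    ("2020-11-11T09:30:02Z", "2001:db8:4a:c10:0211:22ff:fe33:4455"),
    ("2020-11-11T09:31:40Z", "2001:db8:7f:2200:e8b2:4c6d:91a0:3f57"),
]

def delegated_prefix(addr, prefix_len=60):
    """Network the ISP would have delegated, assuming a /60 per subscriber
    (the size quoted in the post; other ISPs use /56 or /64)."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)

def interface_id_kind(addr):
    """Classify the low 64 bits of the address.

    Returns ("eui64", mac) when the identifier embeds a MAC address
    (ff:fe in the middle, universal/local bit flipped), otherwise
    ("opaque", None). An opaque identifier may be a temporary or a
    stable-privacy address; the address alone cannot tell which.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        return "eui64", ":".join(f"{b:02x}" for b in mac)
    return "opaque", None

def group_by_delegation(log, prefix_len=60):
    """Group log entries by delegated prefix, i.e. by subscriber, not device."""
    groups = defaultdict(list)
    for ts, addr in log:
        kind, mac = interface_id_kind(addr)
        groups[str(delegated_prefix(addr, prefix_len))].append((ts, addr, kind, mac))
    return dict(groups)

if __name__ == "__main__":
    for prefix, entries in group_by_delegation(SAMPLE_LOG).items():
        print(prefix)
        for ts, addr, kind, mac in entries:
            print(f"  {ts} {addr} {kind} {mac or ''}")
```

Three of the four sample addresses fall in one delegation even though they sit in different /64s, and only the EUI-64 address carries a hardware identifier.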


IPv6 is deployed and in use much more than most people suspect. Comcast is an ISP that has deployed IPv6 widely. We’d easily be able to have an all IPv6 Internet if not for all the Enterprise firewall techs that deny IPv6 exists, and refuse to set it up, even though their systems all behind the firewall are already using IPv6 now, and potentially insecure because they don’t want to learn IPv6.

I get somewhere around 65% of residential users hitting my public services over IPv6 connections vs. IPv4. The major residential ISPs in my area and mobile cellular service all mostly do IPv6 native.


He totally will. People here are just that stupid and/or evil.

We’ve been talking about migrating elsewhere. It’s been getting increasingly hot and wet and gross here anyway.

I always swore I’d never move north of the Mason-Dixon Line (because I like being toasty warm) but Pennsylvania is looking increasingly like an option, since the Mr. has family there and we’d both be thrilled to live in a state with citizens smart enough to elect folks like Fetterman to statewide office.


So, how hard would it be to make a call to Comcast, find out what the default Wifi password is for their home router, sit outside in a car, and send the message from her network?