What we know about the security failure

I’m a panelist at theMedia and the Law Conferencethis morning, and as usual I’m having to spend the last hours before the conference to prep. So this is a short Morning File.

---

消息

1. We’ve published the search warrant documents

On Tuesday, the Halifax Examiner and Cape Breton Spectator obtained court documents related to the security failure of the province’s Freedom of Information and Protection of Privacy (FOIPOP) website.

Let’s review what happened.

The specific failure was that provincial employees mistakenly uploaded thousands of pages of documents onto the FOIPOP site. Those documents contained the personal information of citizens, including in some cases their social insurance numbers and birth dates. (Full disclosure: I’ve been notified that my own personal information was mistakenly loaded to the site, although I think that is merely my email and mailing addresses.)

The main page of the FOIPOP site did not link to the documents, nor was there a published index of the documents, but they were publicly available all the same — anyone could type in the right URL and one of the documents would pop up on their computer screen. As it turns out, the documents were numbered sequentially, so all you had to do is add one to each URL to get the next document. See Brett Ruskin’s excellent explanation of how you could that:

VIDEO: Nova Scotia’s government is accusing a 19-year-old of breaching their government website’s security ~ Privacy experts disagree.
Oh, and here’s how the teen did it:pic.twitter.com/fq2qxjop89

— Brett Ruskin (@Brett_CBC)April 13, 2018

When provincial employees learned that they had mistakenly placed citizens’ personal information on a public-facing website, they wanted to know if someone had accessed that information. They determined that someone had. They had the IP address of someone who had accessed the FOIPOP site, and they saw that that person had come to the site several times, and at 1:11pm on March 3 commenced to download all the public-facing pages. It took about 34 hours for the download to complete.

We now know that the provincial employees knew something else: someone using the same IP address that was later used to download the documents had a few days before made a payment to the FOIPOP site. That’s right: the person first used a credit card on the site. That means the province had the person’s name and credit card information.

当省级雇员得知自己的搞砸时，正确的做法就是拥有它，签发一堆MEA Culpas，与他们的信息不当并向他们道歉的人联系，并与该人联系。谁下载了信息并要求他们删除信息。最后，这并不难 - 他们毕竟拥有他的信用卡信息。

Instead, they went on the attack. They contacted Halifax police and told them the website had been “hacked,” the provincial computer system had been “compromised,” and that the documents had been “taken.”

None of that was true.

Unfortunately, the police investigators assigned to the case appear not to have had even a rudimentary understanding of how internet security works, and they didn’t ask for the assistance of anyone who did. This should worry us. The police are increasingly investigating cyber crime and issues like child porn on the internet; perhaps there should be more in-house IT expertise.

警方没有退后，问简单的问题。就像，为什么黑客首先要将黑客信用卡信息的目标提供给目标？而且，为什么黑客不使用虚拟专用网络（VPN）掩盖其身份？

The police would go on to portray the supposed hacker as an IT mastermind — with presumed “knowledge of data Science, Network Penetration, Network Security and/or Machine Learning” — and yet was stupid enough to use their credit card and openly use their home IP address to conduct this masterful “hack”? That’s absurd on the face of it.

In any event, the police accepted the provincial employees’ statements as simply true: the provincial computer system had been hacked, and some devious person had stolen private citizens’ information.

Even with that, there’s another failure in the investigation. Police at this point knew that the province had the credit card information of the supposed hacker, but they didn’t ask for it.

相反，他们想通过其IP地址识别所谓的黑客。因此，他们申请了和平朱迪思·加斯（Judith Gass）的大法官，以一项生产命令，要求EastLink确定IP地址的所有者。警察申请以“获取信息”的形式出现，该（ITO）阐明了警察通过调查收集的细节，以及为什么他们认为他们需要生产命令。

加斯批准了命令。Eastlink似乎很快向警察提供了IP地址所有者的名字，以及该人的家庭住址。事实证明，所有者是一名19岁男子，与父母和13岁的姐姐一起住在哈利法克斯的北端。然后，警察回到了和平的大法官（我猜想，可能再次是气体），并申请了少年家的搜查令。搜查令的申请将包括第二个ITO，可能包含与生产订单ITO中包含的相同信息。和平正义授予搜查令。

Police then executed the search, sending 15 officers to seize all the computers and other devices in the teenager’s house, and to arrest the teenager.Read CBC reporter Jack Julian’s account of the search here。

警察的回应在顶部。15名警察并不经常被派往逮捕谋杀嫌疑人。我不能说为什么警察认为需要如此大的行动来执行与怀疑非暴力犯罪有关的简单搜查令。

After considerable public outcry, police announced on Monday that they were not pursuing charges against the teenager.

然而，与此同时，审查员和观众一直在努力获取用于搜索少年家的应用程序中使用的ITO。We had hired lawyer David Coles to represent us, and after about a week of back-and-forth with the city’s lawyer, Marty Ward (representing the police department), we appeared in court on Tuesday to ask Judge Gregory Lenehan to unseal the ITO. This was coincidentally the morning after police announced they weren’t pursuing charges against the teenager. Lenehan agreed to our request and ordered the ITO unsealed.

Unfortunately, however, we were given the wrong ITO. We received the ITO for the production order to Eastlink and not the ITO for the search warrant of the teenager’s house. I can’t explain how that mix-up happened. We could go to court again and ask for the right ITO, but we’re not exactly made of money — Coles doesn’t come cheap — and I suspect that the second ITO pretty much contains the same narrative as the first ITO, so I doubt we’d get much new information in any event.

Anyway, the ITO in hand, we published two articles Tuesday afternoon.The firstdetails the information in the ITO.The secondis an explainer of how the search warrant process works, and is an insider look at how we decided to report on these issues.

On Tuesday, we did not publish the actual ITO. There were two reasons for this.

首先，虽然从我们收到的ITO中删除了这名少年的名字，但该文件有足够的信息（包括他的家庭住址），因此任何人都可以轻松地弄清楚他是谁。我们不想摆脱那个要求保护自己的隐私的人。在这种情况下，我认为他是不幸的受害者。

其次，这是我们的故事，我们不想简单地将其赠送给其他记者。他们至少可以走到法院并自己获取文件。如果您愿意的话，请称呼这个小事，但这是我们的倡议和我们的金钱取得了启动，我们希望尽可能地拥有这个故事。

Yesterday, however, I got wind that other reporters were re-reporting the story, so I decided to publish the ITO. What I published has two levels of redaction. The first are empty white spaces that are the court-ordered redactions of people named in the ITO. The second (black lines) are my own redactions, removing other information that could be used to identify the teenager.

Click here to read the ITO。

And those other reporters have now written their articles.单击此处阅读杰克·朱利安（Jack Julian）的《 ITO》, and单击此处阅读CP记者Michael Tutton的帐户。Both credited the Halifax Examiner for unsealing the document, and that’s appreciated.

There’s more reporting to do on this story, and I hope to follow up on lots of loose ends. This isn’t over.

---

视图

1. Inglis Street fire

“It was sad to get up the other morning and learn that the Knightsbridge apartment building on Inglis Street was on fire,” writes Stephen Archibald:

我不知道任何关于火或命运of the unfortunate residents who have lost their homes, but I do have a few thoughts about the building, because in the 80s we lived just across the street.

这是我们1980年左右的大楼厨房窗户的景色。1900年左右建造了三所房屋，它已成为一个为穷人工作的房子。在夏季晚上，居民将坐在前台阶上，来回戏ter。

This is a pretty amazing post from Archibald, but I don’t want to over-quote from it.It’s short; go read it yourself。

---

Government

No public meetings.

---

在校园

Dalhousie

纳达。

---

In the harbour

1am:Atlantic Star, container ship, sails from Fairview Cove for Liverpool, England
5:30am:Undine, car carrier, arrives at Autoport from Southampton, England
7am:Nolhanava, ro-ro cargo, arrives at Pier 36 from Halifax to Saint-Pierre
4:30pm:Nolhanava, ro-ro cargo, sails from Pier 36 for Saint-Pierre
晚上8点：Oceanex Sanderling, ro-ro container, sails from Pier 41 for St. John’s

---

Footnotes

We’ll be publishing the Examineradio podcast later today.