Information Security News mailing list archives

No Skeletons in Howard Dean's Online Closet


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Dec 2003 03:10:04 -0600 (CST)

http://www.pc-radio.com/dean-ftp.html

By Brian McWilliams
December 10, 2003

Political opponents and journalists are frustrated over former Vermont 
governor Howard Dean's refusal to unseal 145 boxes of hard copy 
documents from his 12-year term in office. Judicial Watch, a 
Washington, D.C. nonprofit, has even sued Dean, who is running for 
president, to open the estimated 400,000 records to public 
examination.

I wondered if anyone had checked whether Dean accidentally exposed any 
documents of the electronic variety when he ended his gubernatorial 
tenure last January.

So I visited The Internet Archive, where I pulled up a copy of the 
1997 edition of the Vermont State Web site, including a page titled 
The Virtual Office of Vermont Governor Howard Dean. 

A quick review revealed nothing particularly noteworthy there, aside 
from the fact that the old site had apparently been designed by 
Montpelier High School students.

But visiting an archived version of Vermont's main page, as well as 
the current version of the site, I noticed a page with a hyperlink 
labeled State of Vermont FTP server. 

Clicking the link enables anyone with a Web browser to log in 
"anonymously" to the state's file transfer protocol (FTP) server.

Last week, I found over a gigabyte of files on the FTP server, many of 
them created during Dean's term in office, from 1991 through January 
2003. 

After I told Vermont officials about it, they deleted the files last 
Friday. 

There were no references to Dean in any of the files, so you can stop 
reading right now if you were hoping for some embarrassing evidence.

§

About the most interesting thing I found on the FTP server was a half 
dozen or so files in a folder named "courts." They contained records 
on over 2,000 individuals arrested in July of 2000, including their 
name, city of residence, date of birth, and the reason for their 
arrest, which ranged from misdemeanors such as disorderly conduct to 
felonies including sexual assault, kidnapping, and homicide.

A representative of Vermont's office of court administrator told me 
the arrest records were intended for internal use by Vermont's 
district court system. He said they were placed on the server prior to 
being transferred to another government department. Due to an 
oversight, the records were never deleted, he said.

Vermont's assistant attorney general Bill Griffin said the files 
contained only public information, and that no privacy laws were 
violated as a result.

One privacy expert, however, said the security lapse was potentially 
serious.

While Vermont law does not specifically prohibit the publication of 
such data, individuals named in the exposed files might still be able 
to sue the state for violating their privacy, according to Robert 
Ellis Smith, publisher of Privacy Journal. 

"Any disclosure of private facts that are offensive about an 
individual could lead to somebody collecting damages," said Smith. He 
noted that many states treat arrest records as confidential, to 
protect the privacy of individuals who are arrested but never 
prosecuted.

In a folder labelled "psd" I found a compressed archive with nearly a 
gigabyte of binary files dated May 14, 2003, apparently generated 
by a relatively obscure database program. Vermont's department of 
public service didn't respond when I asked what was contained in the 
archive. It was among the files removed from the FTP server last week.

"This is potentially very sensitive information. It had no business 
being left on a server accessible to the public," said Lee Tien, staff 
attorney with the Electronic Frontier Foundation.

Robin Siss, Vermont's chief information officer, apparently agreed.

"[The files] should not have been there," said Siss, who was hired in 
September by Republican governor Jim Douglas.

Siss noted that the FTP site "predates my administration" and that her 
department is still "going through its discovery" but is confident 
that only "appropriate" content is now on the server. 

Citing "executive privilege," attorneys for Dean last year asked the 
state to seal his records for 24 years. Dean has recently said that he 
made the request to protect the privacy rights of his personnel and 
members of the public. But in January Dean reportedly told Vermont 
Public Radio that he arranged to have the records kept confidential 
for "political considerations" and to avoid embarrassment "at a 
critical time in any future endeavor." 

Dean now says that a judge should decide what records should be made 
public, a process that could take months. Spokespeople for Dean have 
noted that many other records from his governorship are open for 
public viewing in the Vermont state archives.

Dean's campaign has received a lot of attention for its Internet 
grassroots organizing and fund raising. About all you can conclude 
from this FTP server incident is that some members of his 
gubernatorial administration were mediocre at Internet security.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.