More than 125 U.S. law enforcement agencies have suffered some form of data breach over the last 10 years. Our next talk will feature the data sets about such breaches and the factors enabling them, the EFF's research into unsecured surveillance tech, and one of the largest dumps of internal police documents in history, and what all of this data has to teach us. We present Emma Best, Dave Maass, and Madison Vialpando with "When Cops Get Hacked: Lessons Unlearned from a Decade of Law Enforcement Breaches."
Thanks, Gila. So my name is Dave Maass, and I am a senior investigative researcher at Electronic Frontier Foundation, and I work on EFF's Threat Lab. To just give you an idea of how this panel is going to work today, we're going to start off with a sort of 20-minute presentation or so from Madison Vialpando, then I'm going to talk for a little bit for about maybe 10, 15 minutes, then we're going to do a Q&A with Emma Best, and then hopefully we'll have some time for some questions at the end. Let me just do some quick introductions. So Madison Vialpando is a recent graduate from the Reynolds School of Journalism at the University of Nevada, Reno. In 2019 and 2020, I had the pleasure of working with Madison, first as an intern, then as a student, and then doing an independent study, where Madison was helping gather information about what police departments are using surveillance technology around the country. So Madison's final research project focused on cybersecurity vulnerabilities in law enforcement agencies. She also recently graduated, and so she's a freelance journalist looking for some new opportunities, especially opportunities that would help her scrutinize law enforcement and corporate surveillance. Now, Emma Best is an independent journalist and transparency activist who has filed thousands of Freedom of Information Act requests with government agencies. 
They are known for their tenacity and their keen eye for details and documents, and they are Russell's advocate for the truth at any cost. They also co-founded the Distributed Denial of Secrets Collective and coordinate its operations. And you might know DDOS because of the Blue Leaks, which has taken over a lot of the news recently. I would also like to say that Emma is also one of my personal heroes. And if you just go onto MuckRock and go through their requests, you will receive a master class on wrenching information from the government. So at this stage, I'm going to hand it off to Madison, who has a slide presentation about law enforcement agencies and breaches.
So as we've said previously, this is "When Cops Get Hacked: Lessons Unlearned from a Decade of Law Enforcement Breaches." I'll just go a little bit about me. My name is Madison Vialpando, and I'm a recent graduate from the Reynolds School of Journalism at the University of Nevada, Reno. In 2019 and 2020, I worked as a student researcher and intern with the Electronic Frontier Foundation Threat Lab. And what started as a three-month internship quickly turned into me weaseling my way into volunteering and then having my own independent study my last year of college. In my final project, I spent over 200 hours researching and collecting data on cyber attacks and their effect on law enforcement agencies. So a little bit of background. Throughout my work at EFF, I worked on the Atlas of Surveillance, which documents the most pervasive technology used by law enforcement throughout the United States. These technologies included automated license plate readers, facial recognition, and cell site simulators, as well as many others. The project uses open source intelligence to map where surveillance tech is being used and by what jurisdiction. And during my time, we have been collecting instances of surveillance concentrated around the US-Mexico border and had collected over 200 instances. 
Since then, the research has moved nationally with over 5,000 data points since Atlas went live. With the data clearly showing the exponential increase of law enforcement agencies buying into surveillance technology, I noticed that the rate at which surveillance technology was evolving did not match the rate of IT resources evolving. And this led me to believe that the allure of technology overshadows the implications and the threat of poor IT resources. In fact, it seemed to be the last thing on everyone's mind. In addition, with one quick Google search, it was quite clear that data breaches and cyber attacks were slowly but surely becoming a more prevalent threat to privacy. I started to form in my observation a few overarching questions to implement within my own research. These questions included how many law enforcement agencies experience cyber attacks and breaches, how are they protecting their digital evidence, what information is generally exposed, and are law enforcement agencies properly equipped to protect their technology? With these questions in mind, I began collecting news articles, press releases, public records, writing FOIA requests, and basically trying to find any open source intelligence in order to create a database that could potentially answer my questions and show whether or not the protection of data was a high priority for law enforcement. In the 200 plus hours that I've been working on implementing this project, I have documented so far that over 125 law enforcement agencies, 126 to be exact, have suffered some sort of data breach or cyber attack since 2012. The data taken includes Social Security numbers, phone numbers, addresses, license plate information on the US-Mexico border, fingerprint identification, and data from fusion centers. And with months and months of research under my belt, I woke up about June 22nd, only to see that more than 250 police departments had been hacked. And with that, the data tripled. 
In what is now called Blue Leaks, over 269 gigabytes of law enforcement data was published on the Distributed Denial of Secrets website, and most of the data was taken from fusion centers and local police departments. The research that I've done so far could have only alluded to a major data breach that affects the data of thousands of people. And what took me three months or six months to collect tripled in near seconds, only magnifying the dangers of poor IT security protocols. To create my initial database, I wanted to use information that could help me verify any trends and whether or not my observations had any weight. These categories, of course, included the name of agency, the technology breached, whether it be automated license plate readers or servers, the type of attack, whether that be malware, distributed denial of service, or insider threats, the method of attack, whether that be ransomware, Trojan horse or spyware, and other methods, including phishing. If it was a ransomware, whether that was paid or unpaid, if there was any information stolen or breached, and the year of incident. In addition to creating a database, I also began development on a map that would show these overarching trends. The map that you see here is representative of the data that we have prior to Blue Leaks, but that will, of course, be added later. This working map includes instances of ransomware, distributed denial of service, telephone denial of service, viruses, negligence, and physical theft. And there are several trends that we can take away from this map right off the bat. Most notably is the quantity of breaches that are concentrated in the South and Northeastern parts of the United States. In fact, both Georgia and Texas experienced the most cyber attacks, specifically ransomware, which was the most common form of cyber crime. Ransomware, at this point, takes up more than half of the cyber attacks that affect law enforcement agencies on this dataset. 
Ransomware is one of the most expensive cyber attacks that I've seen so far. And because of this, I also checked how many paid and how many did not. What I found so far is that 34% paid, 45% refused payment, and 21% were unclear. The most common method at which this happened was phishing, when an employee or volunteer would accidentally open a malicious link from a third party email. This is not surprising given that in 2017, Digital Guardian reported that 91% of successful cyber attacks are launched via phishing email. Furthermore, in a report from the International Association of Chiefs of Police, between 2014 and 2017, Michigan auditors conducted a phishing attack on 5,000 randomly selected state employees to see how they would deal with this potential threat. One third of the recipients opened the email and almost one fifth provided their user ID and password. And if this is the case, then the lack of cyber knowledge with these employees has the potential to create a very expensive crisis. In fact, the Riviera Beach Police Department paid $600,000 and the Lake City Police Department paid $470,000. And in both instances, not including the cost of IT resources, the state of Florida and the respective cities had to pay over a million dollars to restore their servers back to normal. According to Motorola Solutions in their cyber report in 2018, the average cost of a data breach was estimated to be about 6.53 million. However, in many cities, the cost can be even higher and the price of failing to secure networks is clearly rising. In 2018, Atlanta, Georgia was subject to a massive ransomware attack that demanded the city pay $51,000. The ransomware forced most of the city's services to go back to paper forms. And while it's unclear if Atlanta paid their ransomware, the city initially had to pay $2.6 million in order to restore their servers. 
More interesting though, prior to the attack, Atlanta had been criticized after an audit in early 2018 revealed over 1,500 vulnerabilities to the city systems. The inspectors found that over a hundred servers were using a version of Windows that had been unsupported by Microsoft since 2015 and that there was a relaxed approach to cybersecurity practices. In fact, weak passwords were to blame for this expensive attack. In 2019, StateScoop reported that the initial payment was not enough and the city actually had to pay $17 million in order to remedy the loss. In 2019, most of Baltimore's government computer systems were affected by ransomware that demanded Bitcoin, around $76,000, to restore access. According to another report by StateScoop, Baltimore was susceptible to such an attack due to its poor IT practices, which included decentralized control of their technology budget. This ended up being a really serious issue after the city refused to pay the ransom and instead had to allocate over $18 million in order to restore their servers. And the decision to pay ransomware is an absolute gamble. In fact, the FBI and the Secret Service advised against paying ransom as it could embolden more attacks. And in the case of the Baltimore Police Department, their expensive decision stemmed from the belief that paying ransom was rewarding criminal behavior. In another important case of ransomware discovered in my research, in 2016, the Cockrell Hill Police Department, Texas lost over 200,000 records after the chief of police decided to wipe the servers rather than pay the ransomware of 4,000. The department lost all Microsoft Office documents such as Word and Excel files. In addition, they lost all body-worn camera video, dash cam and in-car video, in-house surveillance videos and photographs that were stored on the server. 
To make matters worse, the Cockrell Hill Police Department failed to maintain their digital evidence, which had some public defenders worried since at the time there were multiple cases that were relying on body-worn camera footage to prove innocence. These cases were ultimately forced to rely on police reports, which brought a lot of scrutiny to the department. In such cases as this, the ransomware not only undermined the police duties but eroded the trust between the department and the public as they lost over eight years of evidence. Within the dataset, the second most common form of cybercrime was a breach implemented by a third-party individual or individuals. Third-party breaches often resulted in confidential data such as personal data, passwords, informant information, et cetera being breached. For purposes of this research, any method in which there was a breach was accounted for within this category, whether that be through a physical theft, phishing, Trojan, or any other method. Pre-Blue Leaks, in fact, in 2019, information of thousands of federal agents became public after three chapters of the FBI National Academy were breached. More than 4,000 records that could have negatively affected agents were made public, including their names, job titles, and addresses. In addition to the breach of information on federal agents, in 2019, the LAPD was also breached. There had been personal information of over 20,000 applicants open to the public in addition to hundreds of sworn officers. The information that was potentially stolen included email addresses, birth dates, and the last four digits of Social Security numbers. And to make matters worse, they also had passwords used to log into the database. The department only found out about this breach after the perpetrator revealed themselves to the agency with the knowledge about people who had applied between 2010 and 2018. 
Luckily, in response, the LA Times reports the department did bolster IT funding after this. In a less known, but more common to the types of breaches in this dataset, in February 2012, hackers breached the Dallas Supplies Department's internal servers and stole the usernames and passwords for several officers, including information about informants and jail inmates. A small scope breach such as this one, however, was notable because it occurred in 2012, again in 2014, in 2017, and recently in 2020, showing no real change in IT practices. The third most prevalent form of cyber attack on law enforcement agencies was a distributed denial of service. This took about nine instances so far of the 126 that I found in my data. I'm certain there are more, but as of right now, this is what I found. In instances of DDoS, the access to emails, websites, servers, and legitimate traffic were often disrupted. DDoS, from what has been evidenced by the data, is also often a tool for hacktivists against police. For example, in 2017, an Akron man executed a distributed denial of service against the Akron Police Department, the Ohio Department of Public Safety, and the Department of Defense after he uploaded a video to Twitter saying that the Akron Police Department abuses the law. Furthermore, in 2014, the St. Louis County Police Department was taken offline for several hours as a result of a DDoS attack in retaliation for the police shooting of Michael Brown and in support of the protests that resulted from that shooting. One other concerning trend in the data is the denial of safety services from a telephone denial of service. While DDoS seems to be more uncommon, it is on the rise and in these instances, communication systems become inaccessible due to an attack, 911 systems, and incident response. In fact, in 2017, a six-month-old Dallas boy died after his babysitter called 911 and these calls were delayed due to a DDoS attack. 
Furthermore, it's also dangerous for public safety professionals as paramedics cannot request police support and firefighters cannot call for mutual aid. With all of this data under my belt, here's what it tells us. So the unauthorized access or loss of law enforcement data due to a cyberattack has serious operational and privacy implications. A cyberattack could compromise an agency's ability to protect life and maintain order. And at the rate law enforcement agencies are being breached, I think it's an important reminder that law enforcement knows that they're high-profile and need better protocols. In addition, law enforcement has been purchasing and using the most pervasive data-collecting tools without first fleshing out their IT departments or providing funding to provide a cushion for when these cyberattacks occur. Furthermore, cyberattacks erode the trust and the credibility of an agency, further calling into question law enforcement practices. In addition, there are two major attitudes that affect cyber safety for law enforcement agencies and that is compliance and negligence. Law enforcement and their respective leaders do not treat cyber risk as a system-wide threat and attribute it to underfunded and poorly equipped IT departments. It's important to keep in mind though that this is a system-wide threat and all members of the agency must have some responsibility for it to be protected. In addition, it's also incredibly easy to be negligent, whether that be through lack of training or knowledge about cybersecurity risks. Staff members and officers cannot afford to dismiss security protocols. Staff members can't use old passwords. They shouldn't be downloading software that they know nothing about or plugging in USB devices without verifying their safety. In addition to compliance and negligence, major surveillance companies such as Axon and Vigilant Solutions have profited from the rising need of surveillance technology. 
In fact, just recently, Axon came under fire after decommissioned body-worn cameras were found to still have the raw video data on them. In addition, Clearview AI, facial recognition, drones and Perceptics, automated license plate readers, all major vendors of surveillance, suffered major data breaches in the last 10 years. Perceptics came under fire after they, against their contract, copied images of travelers and license plates onto their own private computer servers and were subsequently breached. Clearview AI's client list was breached in an incident that affected law enforcement agencies whose names were exposed publicly as well as the searches that they had been conducting. It's very clear that this need for new technology has overshadowed the need for better security protocols. In fact, according to a 2018 report by the National Association of State Chief Information Officers, most states only allocate 3% of their IT budgets to cybersecurity. It's like putting new tires on a junkyard car. It doesn't make any sense at all. If departments are gonna be in the near future collecting our data on a grand scale, then they must protect that data and make sure that it's stable. So let's go back to the research questions. How many law enforcement agencies experience cyber attacks or breaches? Well, 126 so far, but 385 counting Blue Leaks, and the number's rising. How are they protecting their digital evidence? They're not. Poor passwords and protocols evidence a lack of care or knowledge about the importance of protecting this data and our privacy. What data is generally exposed? Well, personal data, Social Security numbers, addresses, phone numbers, any information for doxing, as well as people who have been booked or come into the department. In addition, organizational data has also been taken, such as user names and passwords in order to get into the servers. And are law enforcement agencies properly equipped to protect their technology? No, they're not. 
It seems to me that they've been focusing more on the looks of surveillance technology rather than the safety or providing that safety through funding. So what lessons can they learn? Well, first training. It's imperative that staff receive cybersecurity training at every single level of the organization, not just the IT departments. Users need to be aware of the cybersecurity hazards, including fake emails, USB devices and better password protocols. And what do they do if they feel like their account has been compromised? Furthermore, law enforcement executives must understand that their systems must be attacked and must provide backups. The organization must provide security for digital evidence and provide backups to their servers. In addition, they should save original copies, hard copies, files, printed images of videos, oversaving and over documentation of this evidence to make sure that if they do lose it, obviously they still have it. And lastly, they should be doing some incident response. Departments need to be better prepared for these attacks and preparing and rehearsing is the only way to determine readiness. Rehearsing the response to such an incident is critical. It must be determined how an IT partner will respond to an attack. Does the city have enough money? And what available resources are there? And maybe with some stronger protocols, some lessons can actually be learned.
All right, well, thank you so much. And now we are gonna be moving on to Dave Maass who has his presentation. Thank you.
Thank you so much. So I just wanted to give everybody, if everybody could just sort of give a digital round of applause, I don't think we're gonna be able to hear it or anything like that, because this was Madison's first conference talk and it was fantastic. But my name is Dave Maass. I'm a senior investigative researcher at the Electronic Frontier Foundation. I work on EFF's Threat Lab and I just recently published the project, atlasofsurveillance.org. 
If you haven't had a chance to play with it, please go check it out. It will tell you how certain technologies are spreading across the country as well as potentially what is being used in your local communities. So I work on EFF's Threat Lab and we've been around about a year and a half and we are designed to do deep dive investigations into surveillance technology. We look into questions about how and where is tech used, how is the technology abused to target particularly vulnerable communities and how can we counter the technology or hold its users and sellers accountable? And a lot of what the EFF Threat Lab does has emerged from collaboration from more journalistic types like me along with our infosec researchers like my colleagues, Bill Budington, who's already given a talk at HOPE, and Cooper Quintin, one of our senior staff technologists. And what will end up happening is that somebody will discover a vulnerability in a police technology or we'll discover it and then we go and investigate it and also try to get it fixed or addressed. I specifically focus at EFF on what we call street-level surveillance and these are the technologies that law enforcement uses around the country. Oh, sorry. I think my slides are not shown right now which is okay. I will try to explain what they are and then we can add them in. They're showing, they're showing me. Sorry, what's that? They're on the live stream. Oh, they're on the live stream? Excellent. So when we talk about street-level surveillance we're talking about drones and license plate readers and body-worn cameras and face recognition. I'm gonna go over two examples of when we have had to go to law enforcement about some sort of vulnerability we found and I wanna show you an example of police responding badly and an example of police responding well. 
And a lot of these things I'm gonna show you are gonna seem like they're several years old but that's because there's a narrative arc here that goes over several years and because we're so far out I can tell you a little bit more about what happened than we could when we first announced these. So back in 2014, we had learned from a mother in San Diego that the San Diego District Attorney's Office was giving out CD-ROMs to the public with parental safety software, with software meant to monitor your children to make sure they're not dealing drugs or engaging with predators online. And we were very curious about this and we obtained a copy and started analyzing it. And at the same time, we started noticing that there were hundreds of agencies around the country giving out this software and all the software kind of worked the same. It was like in a very slick DVD case, there was usually the emblem of the sheriff or the district attorney on it. There would be a video on the CD-ROM of the police chief or whatever reading out like a promotional thing. It really seemed to be very promotional rather than actually safety related. Once we got the software and started analyzing it, it had a few features that were pretty boring, like it would show you where, what all the JPEGs were on a particular computer or what the browsing history was of the user. But one of the more difficult or one of the more controversial elements is that it included a key logger. There was a feature that you needed to install which allowed you to put some keywords in, up to 10 keywords, that anytime your child typed in this keyword, you would start getting emails in real time of their chat logs or their keystrokes. And even though they're marketing this as parental software, those of us who work at EFF know that this is spyware. This is stalkerware. This is the kind of stuff that is illegal a lot of places. This is the sort of stuff that is used in domestic violence. It is used in cyber crime. 
It's just this sort of thing that's totally inappropriate for a law enforcement agency to be giving out. But what made it even worse is that once we started inspecting it, we realized that when it is sending those key logs outside of the computer, it was sending them unencrypted. So you could actually just snatch right out of the air everything that somebody was sending, their typing, as long as you had added in a keyword. And so if you added in the word "the" it would just start sending it to you all the time because people are typing the word "the". And so this was really a serious problem. And our first thought was, well, there's 200 plus agencies using this. They need to recall it. Let's go to the vendor. And so we explained this to the vendor and they came back with this nonsensical response. Like we told them, I'm like, you know, if you're putting people more at risk if people can snatch their password out of the air. And the response was ComputerCOP software doesn't give sexual predators or identity thieves more access to children's computers as our dot key logger works with. I can't even read this. This makes like no sense whatsoever. And it was very clear that the people running ComputerCOP really didn't know much about technology and perhaps the software hadn't even been updated since the late nineties. And so what was actually driving the software if it wasn't people who were specializing in technology? Well, we started looking at the promotional material and here's how this is being pitched to police departments. That this is a win-win for your families and your department. It can be customized for your department. We will throw an extra, you know, give us a little money we'll throw in a high produced video of you into the CD-ROM. But there's a little line here at the very bottom of the screen that I want to zoom in on. And that is that this is a perfect election and fundraising tool. 
And this really revealed the motivation for police departments to be distributing this software to families. The idea here was to give people a product and say this is great and get TV coverage for giving it out for free and being able to put something in the hands of people that has their image. It seems like it's valuable. When we started filing public records requests, we found that our, you know, theory here was actually borne out. So here is an email exchange from, you know, a guy named Jerry Cobb in the Maricopa County Attorney's Office. He's actually the media relations person, their press person. And he was the one who approached ComputerCOP and purchased the software. It didn't come from their internet crimes against children task force. It didn't come from their cyber crimes task force. It came from their media division. And rather than get a full examination of this software by a cybersecurity specialist, this guy Jerry Cobb just went to their IT guy and their IT guy played around with it a little bit and did a little research on it. And then it appears to be clean, he said. But then he also said that nothing is installed on the PC, which is good. That could be good if it was actually true. Because if you actually look at the software, and this is a slide from the presentation that the ComputerCOP company gives, you have to install the keylogger. It does install on the computer. And it doesn't just install on the computer. In order to uninstall it, you need the CD-ROM. Now I think that most people who have a lot of, people who are attending this conference or have a computer background, wouldn't be able to remove it manually without going through the uninstall function. But your average family person, if they had found this on their computer, they wouldn't have known how to get rid of it because they didn't have the CD-ROM. 
So when our blog post about this issue came out, there's a lot of press coverage and a lot of reporters went to their local law enforcement agencies to ask them about the security flaws. And there were some terrible responses out there. So the Contra Costa District Attorney's Office in California said, well, there are so many agencies using it and we've never heard about identity theft. So it must be okay. And then they said, well, if we find out there's some sort of breach later, then we'll recall the software, but we're not gonna do it until then. And that's like the equivalent of like reporting to a government agency or reporting to a restaurant that their food is poisoned once you did a lab testing. And they're like, nobody died yet. So we're not gonna take that out of our ingredients and out of our recipe. But my favorite response came from the Limestone County Sheriff, Mike Blakely in Alabama. And his response was, we've had the key logger checked out with our IT people. They have run it on our computer system. There is no malware. And I think if the mics were turned on, I can hear everybody's heads hitting their desks several times over right now. Because did they actually install a key logger on their police computers? Do they not know what a key logger is? I don't know. But then they went on, oh, so let me tell you one other thing. So their IT people. When you research their IT people, the guy, the IT person, his main job seems to be organizing the Sheriff's Office's annual rodeo, which apparently is like the fifth best outdoor rodeo in the country. Great on him for organizing the rodeo. Shame on him for not vetting the software. But then they also went on to attack us in the press, calling EFF an ultra-liberal organization that is not in any way credible on this. They're more interested in protecting predators and pedophiles than in protecting our children. And so the question is, if we're not credible, why do they think ComputerCOP is credible? 
And the reason is that ComputerCOP was lying. ComputerCOP claimed in all of its promotional materials that the software was endorsed by the National Center for Missing & Exploited Children as well as the ACLU. But I called both of these groups. And NCMEC said that, sure, in 1998, they had given a one-year endorsement, and that was the limit of it. They hadn't been in contact for 15 years and they were gonna send a cease and desist to ComputerCOP. And then meanwhile, when I asked ComputerCOP like who at the ACLU did it, they were like, oh, well, it was the ACLU of Michigan. They said something in a news article once. ACLU of Michigan came back and said, unequivocally, they did not endorse the product. But the most, probably the strongest piece of endorsement that they would circulate was this letter from the Treasury Office saying that this is a great thing to spend your civil asset forfeiture money on. Like use your excess funds to buy this software, it's great. And I got a copy of this letter and I was like, hmm, this looks a little strange. Like I've seen government letters before. Usually there's a date, there's a return address, there's usually a line under here, this doesn't kind of look like the logo. Something weird is going on here. And then I looked later in the letter and you might be able to tell on the screen, but this middle paragraph is the really promotional paragraph and it's larger font, it's spaced differently. And I'm like, there's something weird going on here. So I put in a FOIA request to try to get an original version of this document. And I included the version I had. And then a few days later, like I didn't even get my FOIA documents back, but within a few days later, I got tipped off that the Treasury Department's Director General had put a fraud warning on its website with a copy of this letter saying that this letter purporting to be from the Treasury Office is not genuine. 
So here we have like a company actually fabricating a government document in order to get contracts. So the Treasury Office ran an investigation. It took three years. They found out that it was substantiated and that at least three law enforcement agencies purchased the software having read that memo and thinking it was real. However, because ComputerCOP stopped using the letter and posted a disclaimer on its website and because the investigation took three years and the statute of limitations is three years, they decided to just leave it at that. Meanwhile, ComputerCOP gets to still have its website and still sell its product to law enforcement agencies, except now it's on USB instead of CD-ROM. I also wanted to just sort of close the loop on this narrative and go back to Limestone County Sheriff Mike Blakely and see where he is today. He has been arrested on theft and ethics charges and is facing criminal trial in Alabama. So there you go.
All right, the second thing I wanna talk about is automated license plate readers. So these are cameras that law enforcement will install on streetlights, on highway overpasses, and they look for license plates, do OCR on the license plates and upload them to a database with time, date, GPS coordinates. The idea is to build up a database where you could search somebody's license plate and see wherever they were over a period of time or to get real-time alerts on where they are if you're trying to track somebody. But that means there's all these cameras around the country that are just connected to the internet. And for years, there have been researchers like Darius Freamon and Dan Tentler and a group of cybersecurity students at the University of Arizona who have found and reported over and over again that these cameras are online without password protection or with default passwords that are just there.
And so like Holly Cooper and I decided that enough was enough, we're gonna figure out who these belong to and get them to shut them down. And so first thing we did was verify that yes, you could go to a URL, and sometimes these were very obvious URLs, some of them we got the URLs through Shodan. And yeah, fair enough, you could go and there was the configuration settings, you could mess with those, you could bring up the camera and watch it live, you could siphon off the license plates through it, or you could connect via telnet and just get a floating feed of the license plates. And that was good, we confirmed that that was happening, but we still didn't know who they belonged to. Through the IP address and Shodan we had an idea of what city or what general region they were in, but if you look here, you can see there's a thing called camera name and there's a lane name, so 28th and University and Eastbound. Using that along with the listing where the IP address was, we were able to then go into Google Maps and Google Street View and just basically virtually drive around the neighborhood until we could find the cameras. And then once we mapped them out we found that most of the cameras were in the outskirts of New Orleans. There were a few at the University of Southern California and there was one in Hialeah, Florida as well, but most of them were in this area and they were all cameras belonging to this company called PIPS, which at the time was owned by 3M. And so we went to 3M at first because we didn't know who the cameras belonged to. We knew where they were but we didn't know what agency was responsible for them. And so 3M came back and said, you know what, we stand behind our security features, we have a password feature, you know, like it's explained on the box how to set up the password, if the agency isn't gonna actually put on a password that's not our business. So this is the second time, both of these cases we have a vendor not taking responsibility for our security issue.
And so what we ended up doing, and so we knew University of Southern California's cameras were among them because the web URL was something like pipscam1.usc.edu. And so we emailed USC and they came back, they took down the cameras, they fixed them, they thanked us for our time, they wanted to start an open dialogue about cybersecurity, and that was like the perfect response. I mean actually it would have been more perfect if they just killed the whole program all together, but at least they didn't malign us, they listened to us and they took action. Similar thing happened with St. Tammany Parish Sheriff Jack Strain. So when we sent all these emails, we ended up having to send emails to all the law enforcement agencies in the New Orleans area saying, are these your cameras, they're unsecured. St. Tammany came back to us immediately, they thanked us for bringing it to their attention, they brought the cameras down, they mobilized their staff to start auditing the cameras and to figuring out new solutions for putting up firewalls. But not only that, but they reached out to all of the other law enforcement agencies for us and got them to lock down their cameras as well. So this was a huge success story, this was exactly how a law enforcement agency should respond when someone like EFF comes to them. As a result of this whole situation with these cameras in New Orleans, we actually got some action in a political fashion related to this. At that same time that year there was a bill passed by the Louisiana legislature to create a statewide network of license plate readers in order to catch people who weren't doing insurance, who hadn't paid their insurance bills. But Bobby Jindal, the governor at the time, learned about what we'd done with St. Tammany and vetoed the bill, saying that these cameras create large pools of information that can be extremely vulnerable to theft or misuse.
Unfortunately, Jack Strain, as good as he was in cybersecurity, has met the same fate as our Limestone County sheriff. He also last year was charged with corruption and is facing trial. However, Jack Strain actually has it worse off because he's also charged with rape and incest as well. So doesn't matter if you're good or bad at cybersecurity if you are an allegedly corrupt elected law enforcement officer. So checking back in on these license plate readers, we looked at these back in, I think, 2016. Zack Whittaker at TechCrunch essentially duplicated the research in 2019 and found that there were 150 license plate reader devices still online, still searchable via the internet, and that a majority had default passwords set up. So like even though we went through this whole thing and we got a lot of media coverage and we were able to approach some law enforcement agencies, this is a problem that hasn't been solved and it's a lesson that hasn't been learned.
So when I talk to cops about cybersecurity I bring up a few issues. First I say don't collect more data than you can protect. It's very tempting to purchase every particular technology out there and collect everything in case it becomes useful, but every new piece of data you collect is another thing that you can lose. Don't purchase any technology that you can't independently verify. If you don't have the staff to verify, to be able to verify the claims, you need to hire a third party auditor or third party to do it, and if the company won't let you do that then don't buy it. Also this should be obvious. Don't let your PR people make decisions about surveillance technology and don't like decide that it's better to get a press bump, take a shortcut on technology in order to get a press bump. Also you've got to vet your vendors and don't take them at their word. You've got to look into them or at least Google them. And then also I encourage law enforcement to defend encryption.
There is this war against encryption among law enforcement claiming that strong encryption facilitates crime, but ultimately it's what protects us, and it doesn't just protect the privacy of regular people, which it does, but it also protects all this data that is held by police. And so if you weaken encryption for us you're weakening encryption for police departments as well. And then finally police departments need to conduct meaningful audits and these audits need to be designed to catch breaches and catch vulnerabilities and not just the bare minimum that they can say to the FBI, hey, we complied with your basic requirements. So that is all I have for now. I'll be happy to take questions in a second but I do wanna make sure that we spend some time with Emma Best talking about their project BlueLeaks. I'm gonna stop sharing right now but I think I'm gonna pass it back to Madison who has some questions.
Emma, are you good to go?
Yep, sweet.
So I'm just gonna start with a few questions for you and the first one is can you introduce Distributed Denial of Secrets? What is it? How was it started and what's its mission?
Distributed Denial of Secrets is a transparency collective that archives and publishes leaked and hacked data that is likely to be of public interest now or in the future. I co-founded the group in late 2018 and since then we have released over four terabytes of data including PacoLeaks and Gorra Leaks, which were Latin American breaches of police systems, and most recently notably BlueLeaks.
What, can you kind of explain what BlueLeaks is?
Yes, so BlueLeaks is one of, in terms of data size it's one of if not the largest single breach of police systems that has been made public. Certainly in the number of agencies that are directly affected it is, it's I believe just over 250 agencies and training and support resources that had their data in the breach.
We published it in June on Juneteenth and since then there have been dozens of articles in response as well as the government seizure of our servers.
So what kind of data is included in BlueLeaks and where does it come from?
The data in BlueLeaks mostly deals with what's commonly known as fusion centers, information exchanges. Many people have pointed out that most of the servers affected seem to be run by Netsential and an examination of the code found a lot of vulnerabilities in there that weren't even exploited or fixed.
Yeah. Any particular release from BlueLeaks that you find to be your favorite or most important?
I think what seems most important so far, and I expect this to change and evolve in the coming years because it's not just a release for the immediate future. It's 24 years of data that is an important historical archive. But the thing that has struck me as most immediately relevant is exactly how low the bar is for these fusion centers to gather and share, with heavy air quotes, intelligence on things in the name of situational awareness. These have included labeling a teen TikTok artist, a comedian, as training people how to riot and basically commit terrorist acts by showing some tweets that were made by well-known comedians. It has involved, it has shown that the fusion centers have passed on highly questionable intelligence including claiming that services are being used to pay leftist protesters to riot. And this was an FBI alert that specifically cited a website that is a satirical website. And when the alert went out, the website said in giant red letters this website is fake. When confronted with these things fusion centers have consistently defended it and said they're not responsible for vetting the information, that's up to specific law enforcement, and that it doesn't matter if the information is actually accurate or not because it informs the preparations and stance of police as well as their quote situational awareness.
The fact that these situational awareness bulletins are often drawing from right wing conspiracy theorists including QAnon doesn't really seem to be a problem to them and they don't consider it as creating a situation where they're more likely to be violent with protesters, which is an odd stance to take when you are circulating warnings that leftist protesters are going to use car bombs to attack police stations, which of course was completely fabricated. I think this tells us about the cybersecurity of law enforcement agencies. It tells us that they're not taking it seriously. Like I said in the beginning several people have looked at some of the code that was exposed in the breach and it was woefully out of date. It appears that many of the agencies must not have even done proper audits and the preparation they did in terms of security was an instance of cover your ass, that was it. And even afterwards through the Freedom of Information Act we got the TLP:AMBER alert that they sent out about BlueLeaks and it has at the end a recommendation section which says, be vigilant for new waves of phishing campaigns. Use DKIM verification, update your antivirus and don't click on strange links. That is the extent of their effort to fix things and educate their user base. And as a result, we're winding up with systems where they consistently gather information that they are not able to protect.
I'm getting from us that it is time for us to start wrapping up and so we will let the HOPE moderators take back over and thank you.
Fantastic, thank you so much, Madison, Dave, Emma. Thank you very, very much for this talk. Again, When Cops Get Hacked: Lessons Unlearned from a Decade of Law Enforcement Breaches. Lots of conversation in the Matrix chat. Feel free to keep that going. Thank you very, very much to all of you.