SAFETY: Police Data Breaches
Sep. 22nd, 2020 05:58 pm
Maybe it's the superhero comics fan in me, but this is the kind of thing that should get a Batman or an Iron Man's attention. Or more likely, Alpha Flight.
Thirty-eight police agencies across Canada?
https://www.cbc.ca/news/canada/ottawa/blueleaks-published-thousands-of-documents-from-canadian-police-agencies-1.5734311
no subject
Date: 2020-09-23 05:04 pm (UTC)
When I worked for law enforcement, our criminal records were locked up in a mainframe; the Microsoft network that I was on did not contain criminal information. But now everything is in the cloud, and all that means is somebody else's server, and you are dependent on their security. And it is demonstrated on pretty much a weekly basis that THEIR SECURITY SUCKS.
Computer security is tough. If it's online, it seems almost inevitable that it's going to leak. This is one of the reasons that I'm happy to be out of that biz.
no subject
Date: 2020-09-23 05:52 pm (UTC)
no subject
Date: 2020-09-23 06:12 pm (UTC)
I clearly don't know how things are done 'these days' as I left that job almost 20 years ago and became much more specialized. It seems to me that there needs to be a good national system for storing criminal information securely, and there is a good national criminal information center. And everyone should use it! And the feds have the resources to keep it secure, and to push that security to the lower levels and enforce that security. They need to have the ability to go to these state and local agencies and say "This is how it is done. This is how YOU WILL DO IT. And if you don't do it this way, THERE WILL BE CONSEQUENCES" and slap them about the head a few times with a salami as a warning.
When I worked at the PD, I had literally two computers in my office with two keyboards/monitors (17" CRTs). One had my admin account which did not have internet access, the other my non-admin account which had internet access. Never the twain shall meet. This is where problems happen. The vast majority of problems that we encountered were programs that "required" admin privileges on the computer in order to execute. This was from bad programming practices where the developers had admin access on their computer when they were developing 'because it made things easy', and they never tested and fixed things in a non-admin environment, so the code shipped requiring admin access to run. And this violated all network security concepts of bog-standard users having least-possible privileges! It caused endless frustration for us.
And all of this "cloud" shit, I imagine, is even worse for admins these days. I'm so glad that I'm out of it! At least it's easier to lock down programs these days, not quite the all or nothing that it was 20-30 years ago, much more granular.