DeSantis for the win

More speculative information coming out today...

Please note that all of the below is speculation at this point. None of this is confirmed facts yet. But it all is very likely IMO.
  • The Florida Emergency Broadcast web portal which sends out email was created by a third party contractor.
  • The contract for the portal included license fees based on the number of allowed login ids. This assumes that every user would use AD/SSO types of services to use the portal based on their Florida IT credentials.
  • Florida simply left the login as the vendor default. This is viewed as a way to screw the vendor from additional license revenue or possibly they were too inept to set it up properly. This meant the Florida Emergency Broadcast web portal has only one very basic login. The credentials were provided to state employees who were allowed to broadcast.
  • The vendor user id / password default was something very simple. But it was not admin/password.
  • It is not clear if the Florida Emergency Broadcast web portal could be accessed externally or if login into the Florida state systems was required in order to reach it (prior mid-November). Currently scans of the web show no external access, but it may have had external access earlier (possibly).
  • Initial versions of the tool sent bulk emails with everyone included in the To: line. Later updates used bcc. This may be related to how exchange email lists were set-up rather than the broadcast web portal. This means that someone could simply save/forward an earlier email to have the complete distribution list.
  • The State of Florida has refused to share further information on the investigation with Rebekah Jones' lawyers.
  • Comcast has responded to Rebekah Jones' lawyers indicating they never received a request from the State of Florida to reveal an IP address associated with this customer's account (which would mean the search warrant contains absolutely false information). Others noted that this may simply mean Comcast refuses to reveal anything additional.
  • It appears the state is pursing charging Rebekah Jones with unauthorized access to a computer which could lead to a 5 year sentence as per Florida statue 815.06 2a) http://www.leg.state.fl.us/Statutes...tute&URL=0800-0899/0815/Sections/0815.06.html
Note that all of the above is speculation at this point!

Information on the Florida documentation about the StateESF8.Planning@ email list can be found here - http://www.floridahealth.gov/progra...aredness-and-response/_documents/esf8-sop.pdf
Note that only portions of this appear to be implemented.

But it does lead to this. :)

Lawyer: and what was the password
Florida IT guy: password
Lawyer: Yes, what was the password
Florida IT guy: password
Lawyer: "our honor, can you please ask the witness to answer the question
Judge: Witness will answer the question
Florida guy: the password was "password"

Lawyer: Is "password" still the password.
Florida IT Guy: No, it has been reset and is now secret
Lawyer: So no one has been provided the new password
Florida IT Guy: No, I gave it to everyone
Lawyer: but you said it was secret
Florida IT Guy: it is
 
The IT idiocy in Florida keeps getting worse...

COVID data manager investigated, raided for using publicly available password
Not only does the whole state share one password, but it’s posted publicly.
https://arstechnica.com/tech-policy...word-to-a-key-disaster-system-on-its-website/

Florida police said a raid they conducted Monday on the Tallahassee home of Rebekah Jones, a data scientist the state fired from her job in May, was part of an investigation into an unauthorized access of a state emergency-responder system. It turns out, however, that not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on the Internet for anyone to read.

The background
Jones on Monday shared a video of the police raid on her house as part of a Twitter thread in which she explained the police were serving a search warrant on her house following a complaint from the Department of Health. That complaint, in turn, was related to a message sent to Florida emergency responders back in November.

About 1,700 members of Florida's emergency-response team received the communication on November 10, according to the affidavit (PDF) cited in the search warrant for Jones' home. The message urged recipients to "speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it's too late."

That unauthorized message was sent to the contact list for Florida's Emergency Support Function 8, or ESF-8, one of 18 groups of Florida state emergency-response personnel. ESF-8 is headed under the Florida Department of Health and coordinates public health response, including "triage, treatment, and transportation" across multiple agencies. All users in the group share the same username and password, the affidavit confirms. Investigators looked at system logs and identified an IPv6 address associated with the message, which they then determined to be connected to Jones' house.

After the raid on her home, Jones gave multiple media interviews in which she repeatedly denied having anything to do with the message. To CNN, for example, she said, "I'm not a hacker," and added that neither the tone nor the content of the message matches her communication style.

(In)security
In November, when the message went out, state DOH spokesman Jason Mahon declined to answer the Tampa Bay Times' questions about "what, if anything, had been done to better secure the emergency alert system against future hacks, nor whether there have been other instances where the system had been hacked."

It now seems the Times' question may have gone unanswered because the Florida Department of Health had no answer, other than to continue bad security practices.

"All users assigned to [ESF-8 tools] share the same username and password," the affidavit cited in the search warrant confirmed. That set of login credentials apparently does not change when users resign or are fired; instead, "once [employees] are no longer associated with ESF8 they are no longer authorized to access the multi-user group."

That set of account credentials that all users share is part of a logistics operation manual that is publicly searchable and accessible on the Florida DOH's website.

FLORIDA-640x446.jpg


A link to the manual was shared in a Reddit thread discussing the raid on Jones' house, which multiple Ars readers flagged to us. (Thanks!) We are choosing not to share a direct link, but as of publication time, the link was still live and working.

The document is a guideline for ESF-8 logistics staff. The first section includes a list of tasks management needs to complete in certain given periods. The second section includes a list of systems log-in information along with points of contact for each of those systems if they should be needed. It's the kind of information anyone who has worked in an administrative or support role for any organization has likely had on hand—for internal use only.

Ars contacted the Florida Department of Health about the document prior to publication; officials did not immediately provide a response. We will update this story if we receive additional comment.
 
Last edited:
gwb-trading said:
Tsing Tao shows back up -- -but doesn't have a thing to say about DeFacist raiding the home of the former Florida COVID GIS administrator.
More...

Sorry, I'm not able to be here every day for your enjoyment, GWB. Board meeting tomorrow, slides had to be done.

As for the other stuff, I don't give a shit - never have. Whine all you want and maybe others will care enough to read your posts on the subject. I rather doubt it, though.

But hey, all is good in Florida! Sun is out, it is a bit cold (for us, mind you) and businesses is running. People are out and about.

That's all we care about.
 
gwb-trading said:
DeFascist his having his gestapo goons hold people at gunpoint to intimidate them for disagreeing with him. What's your point?

Florida has the oldest percentage of at-risk people over the age of 65 in the U.S. The COVID fiasco Florida has experienced and the next few months hold was easily preventable -- except the DeSantis administration did everything possible to undermine proper public health policy.

So once again -- you stated I was a liar -- Answer the question: Does Florida currently have over 1 Million reported COVID cases? Yes or No.

If you fail to answer once again I can only assume that it is an admission that Florida does indeed have over 1 Million COVID cases and I am perfectly correct.
More...

In cases per million Florida ranks 25th of 50 states. How exactly is that a Covid fiasco in Florida?

You are a complete moron.
 
wildchild said:
In cases per million Florida ranks 25th of 50 states. How exactly is that a Covid fiasco in Florida?

You are a complete moron.
More...

The White House COVID Task Force weekly report states very clearly that Florida is a fiasco and the state is not taking appropriate actions to stop the spread.
 
gwb-trading said:
The White House COVID Task Force weekly report states very clearly that Florida is a fiasco and the state is not taking appropriate actions to stop the spread.
More...

Hey Stolen Valor, can point to where it says that Florida is fiasco in the report?
 
You must log in or register to reply here.
Back
Top