Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform

from the we-know-all-about-you,-but-good-luck-finding-out-about-us dept

Chris Soghoian, the ACLU’s chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it’s almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone’s front door, Soghoian was able to route around the DEA’s unforthcoming attitude.

If you can’t read/see the tweet, it says:

How to disclose a security flaw to the DEA.
1. Find CISO on LinkedIn.
2. Look up consulting company records.
3. Email.

The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.

This site will allow you to edit company info, provided you can socially engineer your way into a position at the company. That being said, it looks loads better than the company’s original site, which appears to have been last updated five minutes after the domain was registered (2004).

There’s nothing on this site referring to Bret Stevens, current DEA security chief, but then again, the site doesn’t appear to be subject to frequent updates. Or any updates.

Anyway, Soghoian wanted to point out a security flaw on the DEA’s website. The DEA will accept tips from citizens. However, it does absolutely nothing to protect these helpful citizens. From Soghoian’s notification email:

The DEA operates an online tip form, through which individuals can report “possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances.”

See: http://www.dea.gov/ops/submit.php

This website does not use HTTPS to protect the transmission of information. It should.

Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you’d think a form that collects personal info about members of the public — especially in conjunction with info about possibly armed and violent criminals — would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.
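The flaw Soghoian reported is easy to check for mechanically. The following audit script is an added example, not something from the article, the ACLU or the DEA: it parses a page's HTML, resolves each form's action the way a browser would, and flags any form whose submission would not be protected by HTTPS end to end (the sample HTML and the `example.invalid` host are constructed; the page URL is the one quoted in the email).

```python
# Added example (not from the article): audit an HTML page for forms whose
# submission is not protected end to end by HTTPS, the flaw described above.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means "submit back to the page URL".
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_submissions(page_url, html):
    """Return (target_url, reason) for each form not protected end to end.

    Browsers resolve the action against the page URL, so a relative or
    scheme-relative action inherits the page's scheme.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            findings.append((target, "form posts over plain HTTP"))
        elif not page_is_https:
            # The POST itself is encrypted, but the form arrived in the clear
            # and could have been rewritten on the way to the visitor.
            findings.append((target, "form delivered over plain HTTP"))
    return findings


# Constructed sample: the article's tip-form URL with a relative action (the
# realistic case) and a second form posting to a made-up https:// host.
SAMPLE_PAGE_URL = "http://www.dea.gov/ops/submit.php"
SAMPLE_HTML = """<html><body>
<form method="post" action="submit.php"><input name="name"><textarea name="tip"></textarea></form>
<form method="post" action="https://example.invalid/feedback"></form>
</body></html>"""

if __name__ == "__main__":
    for target, reason in insecure_form_submissions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {target}")
```

Serving the same page over `https://` clears both findings, which is the fix the OMB directive requires.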

Soghoian’s email also suggests the agency be a little more transparent about its security staff.

On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.

If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB’s instructions.

Use at your own risk.



Comments on “Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform”

trollificus (profile) says:

Re: Re: Brilliant

Mail filtered to the Spam folder is the same as not received…FOR MY GRANDMOTHER. Not for a federal agency, right?

Seriously, there aren’t procedures to follow, protocols to implement, some vague internal understanding that there are, you know, industry standards and best practices??

More of a “Give the contract to the bosses’ company, they can hack together something.” process, apparently.

shrugs The gov’t doesn’t even bother to pretend anymore.

Coyne Tibbets (profile) says:

Re: Re: They wouldn't do that

Millions Missing From DEA Money-Laundering Operation

At one point, the prosecutor cross-examined me by asking if I thought the agents handling Princess [the informant] were plotting to kill Princess by exposing her to one deadly situation after the other until she was killed. I testified (paraphrased according to my memory) that with more than $20 million missing and unaccounted for, and in consideration of the way they were handling her, it was a reasonable possibility.

Anonymous Blowhard says:

Ahhhh Corruption

Thankfully for the people in Latin America, their governments decided to rid their countries of the DEA. They already had their own corrupt police force, why host somebody else’s? If the drug war was an actual war the DEA would be on trial for war crimes. You are always guaranteed a corrupt agent or two for any investigation. It wastes millions of dollars and possibly allows dangerous criminals to carry on business as usual but who cares, right? It’s all good for the DEA which serves the DEA and basically nobody else. Too bad Anglo America isn’t quite as smart as Latin America.
