Systems used by courts and govs across the US riddled with vulnerabilities

JohnDeL

Ars Tribunus Angusticlavius
8,595
Subscriptor
And, to make matters worse, judges and courts have started sending out questionnaires to potential jurors and telling them that they are "legally required to answer". The questionnaires include information such as:
Social Security Number
Date of Birth
Mother's Maiden Name
Places that you've lived
Marital status
Name of spouse

I've chewed out two judges over this; neither one seemed to understand that those questionnaires would be a windfall to any identity thief.
 
Upvote
63 (63 / 0)

SirGawain

Smack-Fu Master, in training
73
Subscriptor++
And, to make matters worse, judges and courts have started sending out questionnaires to potential jurors and telling them that they are "legally required to answer". The questionnaires include information such as:
Social Security Number
Date of Birth
Mother's Maiden Name
Places that you've lived
Marital status
Name of spouse

I've chewed out two judges over this; neither one seemed to understand that those questionnaires would be a windfall to any identity thief.
After you informed them did they respond positively to change or dismissively? I'm suspecting the latter...
 
Upvote
36 (36 / 0)
"Parker is urging vendors and customers alike to shore up security of their systems by performing penetration testing and software audits and training employees, particularly those in IT departments. He also said that multi-factor authentication should be universally available for all such systems."

Aspirational at best. I'd love to see the governments in the US actually (not just lip service) buckle down and solve the severe threat current IT systems pose to our national security and privacy because they're actually intertwined concepts. You can't have one without the other.

But, court staffs are filled with people that can barely turn on computers, let alone understand the implications of their actions. They can't, and in many cases won't, think through things to their logical ends. Politicians that create and fund the mandates are no better, and in both cases theoretical ideological ends often override reality.

The vendors have no incentives to improve this system. Their metrics are to minimize the number of support calls over the lifetime of their deployments. This disincentivizes changes to methods of access and utilization while incentivizing "common sense" - which is anything BUT common or sensible in these cases - loopholes to security policies and enforcement.
 
Upvote
34 (34 / 0)
Probably one of the best hacks I pulled off was substituting a photograph of a "client" on a website from a white guy to a black guy so he could say look at the picture it's not me. And it was in Georgia.
You realize you just admitted to both a state and federal felony, right?
 
Upvote
43 (44 / -1)

Fatesrider

Ars Legatus Legionis
24,977
Subscriptor
I worked with a lawyer as a client for decades, mostly tending to all of his IT needs. And that included the actual filing of the cases. I didn't need to be a lawyer to follow those instructions. He filled in the paperwork. I just made sure all the paperwork was filled in where it needed to be (a program helped do that automatically).

Then the clusterfuck began. Two systems had to authenticate, one of them was the case preparation software, and the other was to the courthouse, through a third party access portal called PACER.

Yes, you could log into the courthouse directly, but the program wouldn't let you auto-file the case, which saves like an hour and a half worth of nonsense. CASES were limited to about 10 MB (most are black and white PDF's, but it's very easy to exceed 10 MB for a complicated case), which threw errors and stuff that shouldn't have been there. And this is up until about 2022, when he finally retired.

For the record, this did not substantively change from the first time I was introduced to the program about 20 years previously. The procedures were the same, constant changing of passwords, constant requirements for "complicated passwords", and a host of other things. And the connection seemed to be set at 56K, which suggested to me that it had its origins during the dial up period. Faxing was still very, VERY common.

The point being, the court system filing and access appears to have been progressively built upon the rotting corpses of what came before, without the bother of clearing away the corpses.

I made a LOT of money troubleshooting the fucking thing, making it ten times harder to just do anything, but somehow not making it ten times more expensive, too. Except when you get paid by the hour and spend a couple of them on hold with tech support. Then it gets expensive.

So that they have vulnerabilities riddled throughout that system surprises me NOT AT ALL. It always seemed like a security protocol that was conceived sometime before I was born, made more complicated by budget and regulatory constraints across multiple entities and jurisdictions.

I mean, people say the wheels of justice grind slowly, but it appears to me that the system has square wheels to start with. It makes for a very slow, and very bumpy ride.

I'm really glad I'm not fucking around with that thing anymore. And I feel sincere pity for those unfortunate souls who are.
 
Upvote
30 (30 / 0)

Mad Klingon

Ars Tribunus Militum
1,840
Subscriptor++
And, to make matters worse, judges and courts have started sending out questionnaires to potential jurors and telling them that they are "legally required to answer". The questionnaires include information such as:
Social Security Number
Date of Birth
Mother's Maiden Name
Places that you've lived
Marital status
Name of spouse

I've chewed out two judges over this; neither one seemed to understand that those questionnaires would be a windfall to any identity thief.
Ask the judges to quote the law that requires such forms. Possible some legi-critter thought this was a good idea and added it to a justice dept funding bill, for reasons.
 
Upvote
22 (22 / 0)

Hacker Uno

Ars Praetorian
583
Subscriptor++
"Parker is urging vendors and customers alike to shore up security of their systems by performing penetration testing and software audits and training employees, particularly those in IT departments. He also said that multi-factor authentication should be universally available for all such systems."

Aspirational at best. I'd love to see the governments in the US actually (not just lip service) buckle down and solve the severe threat current IT systems pose to our national security and privacy because they're actually intertwined concepts. You can't have one without the other.

But, court staffs are filled with people that can barely turn on computers, let alone understand the implications of their actions. They can't, and in many cases won't, think through things to their logical ends. Politicians that create and fund the mandates are no better, and in both cases theoretical ideological ends often override reality.

The vendors have no incentives to improve this system. Their metrics are to minimize the number of support calls over the lifetime of their deployments. This disincentivizes changes to methods of access and utilization while incentivizing "common sense" - which is anything BUT common or sensible in these cases - loopholes to security policies and enforcement.
Amen, bro!
 
Upvote
2 (2 / 0)

northantara

Smack-Fu Master, in training
2
Full credit to bluhorse, fixing the issue over 2000 years before it was reported. I can imagine the dev responsible doing the commit with his chisel into stonehub 😅
That one was tricky. They told me that it would take longer to fix that issue than it would to finish and roll out their new platform, and I never figured out when that actually happened. It wasn't serious enough to warrant its own disclosure, outside of a post on Mastodon, so I didn't really care to find out. So 0000-00-00 it is!
 
Upvote
11 (11 / 0)
"...voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the name, birthdate, and county of residence of the voter" -- truly frightening, and likely being exploited right now. use a decent vpn to do it and it might be pretty damned hard to prove anything down the road. nightmare, actually. you drive around and see a political sign on someone's front lawn and you're just about there...
 
Upvote
17 (17 / 0)

JohnDeL

Ars Tribunus Angusticlavius
8,595
Subscriptor
After you informed them did they respond positively to change or dismissively? I'm suspecting the latter...
You'd win that bet.

My favorite part was his assertion that "there is no danger of that happening; only my clerk and I look at the forms".

Oh, really? Then why are the attorneys quoting my answers? Why did I give the form to a functionary when I checked in for jury duty instead of giving it directly to you?

On the bright side, he did promise to take it up at the next judge conference.

Ask the judges to quote the law that requires such forms. Possible some legi-critter thought this was a good idea and added it to a justice dept funding bill, for reasons.
The federal one just said that it was legally required. The Texas state one actually cites the statute (and has gotten rid of some of the more problematic questions - I guess I had an effect!).
 
Upvote
24 (24 / 0)

InIgnem

Wise, Aged Ars Veteran
141
Subscriptor++
They are using Tyler Technologies in multiple states now and it seems ... outdated ... at best. IAAL and a pretty tech savvy one, and I worry a lot about the implications of both security in these systems and the ability of these systems to just get it wrong and then everybody's pointing their fingers at somebody else while the innocent sit in or go to jail.

Just by way of example, I uploaded a standard PDF to the court system today in our state, and it gets rejected "because it's a photo". It's definitely a PDF, so fine, I format/flatten the PDF and they write back and say "don't resubmit the same thing". First off, they were NOT the same thing. Secondly, it's ecourt. The scan/PDF is literally a photo of the document. What the actual heck.

But nobody wants to properly fund or vet these things... they just want it to work for the cheapest possible cost and funding security upgrades/maintenance is a pure afterthought. Hell they can't even get it to work reliably as is.... I can't see them fixing a security patch until somebody calls them out on it publicly.
 
Upvote
17 (18 / -1)

mygeek911

Ars Scholae Palatinae
942
Subscriptor++
Ah, yes Tyler Technologies. Their documents strongly urge you to turn off the firewall so everything works.

During log4j, they wouldn't acknowledge a ticket I sent in asking them to fix their server with the flaw. I went in and patched it myself after waiting about a week.

So happy I'm not dealing with them anymore.
 
Upvote
30 (30 / 0)
Tip of the iceberg. It is generally safe to assume that local government systems are vulnerable given the types of vendors they have and the horrendous wages they pay IT administrators. Hilarious things happen all the time that nobody knows about, like that one guy who got access to all the wallets for the Seattle public transit system by incrementing a counter.
 
Upvote
10 (10 / 0)

Astro-CCD

Ars Scholae Palatinae
1,251
After you informed them did they respond positively to change or dismissively? I'm suspecting the latter...
Based upon other companies and agencies where I have pointed out this sort of thing the answer is:

But WE take your privacy seriously (BS #1) and OUR data is secure (BS#2). Got to wonder if they believe their own BS?
 
Upvote
4 (4 / 0)

Rombobjörn

Ars Scholae Palatinae
842
So how many managers have been convicted of gross criminal negligence over these defects? None? So then the conclusion is that nobody did anything wrong and nothing needs to change?

(I say "managers" because I assume that in each case there was some manager who rushed the programmers so much that they didn't have time for correctness, and who didn't arrange for penetration testing.)
 
Upvote
1 (3 / -2)
"...voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the name, birthdate, and county of residence of the voter" -- truly frightening, and likely being exploited right now. use a decent vpn to do it and it might be pretty damned hard to prove anything down the road. nightmare, actually. you drive around and see a political sign on someone's front lawn and you're just about there...
This is just insane!
 
Upvote
3 (4 / -1)

henryhbk

Ars Tribunus Militum
1,952
Subscriptor++
"Parker is urging vendors and customers alike to shore up security of their systems by performing penetration testing and software audits and training employees, particularly those in IT departments. He also said that multi-factor authentication should be universally available for all such systems."

Aspirational at best. I'd love to see the governments in the US actually (not just lip service) buckle down and solve the severe threat current IT systems pose to our national security and privacy because they're actually intertwined concepts. You can't have one without the other.

But, court staffs are filled with people that can barely turn on computers, let alone understand the implications of their actions. They can't, and in many cases won't, think through things to their logical ends. Politicians that create and fund the mandates are no better, and in both cases theoretical ideological ends often override reality.

The vendors have no incentives to improve this system. Their metrics are to minimize the number of support calls over the lifetime of their deployments. This disincentivizes changes to methods of access and utilization while incentivizing "common sense" - which is anything BUT common or sensible in these cases - loopholes to security policies and enforcement.
Especially when one party has decided falsely claiming voter fraud is a strategy, finding out things like this increases people's belief that the fraud was possible. And it won't matter if some "expert" from the state proves that it didn't happen, as the party's "expert" will argue it did, and then the too-short-attention-spanned public will ignore the facts as just "disagreements between experts".
 
Upvote
6 (6 / 0)
As someone who currently works for a company that is a vendor to local governments, this article is SPOT ON! I've been at this over 25 years now, and the glaring incompetence due to the fact that there are no monetary incentives outside the largest local governments is unforgivable.
I have striven, simply because I give at least a little bit of a sh*, to put as much security into the software as possible. I was taught that! I watch cops put their lives on the line in these smaller communities to be paid such crappy wages, only because the government had no money. Who am I to take advantage of that? I'm no di*.
 
Upvote
4 (6 / -2)

Jeff S

Ars Legatus Legionis
10,922
Subscriptor++
Not security related, but on the general topic of court information systems being a mess:

Have you ever tried to search for the docket for a specific case, to try to get more details about a case you maybe saw being reported in the news, or maybe going viral on social media? News orgs will sometimes include a link to the docket, but that even seems pretty rare (I wish news orgs would ALWAYS provide the link to the docket).

Social media posts NEVER include a link to the docket.

The thing is, pretty much every court in the country (well, I'm not a lawyer, so I don't know, perhaps some states have better systems) is a completely different site.

Even if you, for example, know the names of two litigants in a case, and what state it's in, you might have a very hard time finding the case. Why? You go to the website for the state courts, and you try to search for the case and that site maybe only returns cases for the state supreme court (or the equivalent in New York which is an odd duck - their highest court isn't their supreme court, but something like the New York Court of Appeals or something like that).

The thing is, for a case or lawsuit that is still in a local city or county court or district court, you have to know exactly WHICH court the case is filed in to search for it - there's no statewide search which will even tell you what court you have to go to to find the case.

So it becomes nearly impossible to find a case you are interested in, unless you happen to already know what court it's filed in.

I think to solve this problem, Professional Lawyers use expensive, privately owned/operated third party services like Westlaw and Lexus-Nexus? I think those platforms provide a universal search.

But as an interested member of the public, I can't afford access to those services just so I can research a case to satisfy my curiosity or to correct misinformation that my relatives have seen online and accepted without any further research. I could research the case if I could find the docket, to try to find out what's actually going on (because, very often, right wing social media will make a case go viral, and nobody else is reporting on it, and if you do manage to find anything about the case, you often discover that right wing social media has reported as fact the allegations of just one side in the case/suit, and that reality is a lot messier and more complex and nuanced than the memes report).

An example was a recent post I saw, maybe a month ago, claiming a lawsuit from California where, allegedly, the father was suing for custody because the mother was "trying to force their son to be a trans girl" and I really, really doubt that that's the truth of the situation (I've never heard of a parent trying to FORCE their kid to be trans - that sounds like some bull$%^& to me). But I couldn't find the case, and the only 'news' reporting I could find were a couple of Murdoch-owned tabloids (New York Post, etc) and those Murdoch 'news' orgs are notorious for distorting the truth, treating the claims of an anti-lgbtq father as gospel truth.
 
Upvote
7 (7 / 0)
Not sure if there's state-level restrictions but it'd be nice if more things moved to login.gov. Seems to be a pretty decent identity provider (IdP) that supports MFA

I think it currently relies on individual apps to do identity validation, though (unfortunately). Ideally this could tie into BMV/DMV since they're already doing identity validation to issue physical ID cards--something simple like an online signup PIN

All these ad-hoc "enter arbitrary, usually publicly available information to authenticate" govt sites are pretty ridiculous
 
Upvote
0 (0 / 0)
"...voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the name, birthdate, and county of residence of the voter" -- truly frightening, and likely being exploited right now. use a decent vpn to do it and it might be pretty damned hard to prove anything down the road. nightmare, actually. you drive around and see a political sign on someone's front lawn and you're just about there...
Especially terrifying given voter registration info is usually (always?) public and finding out who lives at an address is usually not terribly difficult ("reverse address" or "neighbor" search)
 
Upvote
2 (2 / 0)
Especially terrifying given voter registration info is usually (always?) public and finding out who lives at an address is usually not terribly difficult ("reverse address" or "neighbor" search)
The other year I was doxxed because of voter registration info. I couldn't even fathom that was public but dog bless, it is.

And the thing is it doesn't have to be this way. Other countries I have lived in have functional government websites and a decent amount of privacy. It's just in the US we have an obsession with government contracting driven by legalized corruption. The country is fucked. Even if Harris wins, it is only delaying the inevitable.
 
Upvote
1 (1 / 0)
The other year I was doxxed because of voter registration info. I couldn't even fathom that was public but dog bless, it is.

And the thing is it doesn't have to be this way. Other countries I have lived in have functional government websites and a decent amount of privacy. It's just in the US we have an obsession with government contracting driven by legalized corruption. The country is fucked. Even if Harris wins, it is only delaying the inevitable.
The only things that are inevitable are death and taxes. Governments being messy is normal. People being stupid is normal. Currencies failing is normal. So cheer up!
 
Upvote
1 (1 / 0)
The only things that are inevitable are death and taxes. Governments being messy is normal. People being stupid is normal. Currencies failing is normal. So cheer up!
Messy, maybe, but outright incompetence is far more common in the US. As the article shows, it's the rule rather than the exception here.

Americans are not uniquely stupid, absolutely. It's just that our system of legalized corruption results in the stupid being put in charge of things they shouldn't be.
 
Upvote
0 (0 / 0)

Killdozer77

Ars Scholae Palatinae
637
Ask the judges to quote the law that requires such forms. Possible some legi-critter thought this was a good idea and added it to a justice dept funding bill, for reasons.
It's also possible it's not a legal requirement at all and someone just added that language to the form to get more people to fill it out. I saw things like that a few times when I worked in government.
 
Upvote
2 (2 / 0)

Tamerlin

Ars Scholae Palatinae
642
And, to make matters worse, judges and courts have started sending out questionnaires to potential jurors and telling them that they are "legally required to answer". The questionnaires include information such as:
Social Security Number
Date of Birth
Mother's Maiden Name
Places that you've lived
Marital status
Name of spouse

I've chewed out two judges over this; neither one seemed to understand that those questionnaires would be a windfall to any identity thief.

One thing we've seen repeatedly is that in America judges aren't selected based on competence, intellectual capacity, or integrity. They're chosen based on how easily they can be purchased by the federalist treason society.
 
Upvote
0 (0 / 0)

Mimsey

Seniorius Lurkius
31
I think to solve this problem, Professional Lawyers use expensive, privately owned/operated third party services like Westlaw and Lexus-Nexus? I think those platforms provide a universal search.

But as an interested member of the public, I can't afford access to those services just so I can research a case to satisfy my curiosity or to correct misinformation that my relatives have seen online and accepted without any further research. I could research the case if I could find the docket, to try to find out what's actually going on (because, very often, right wing social media will make a case go viral, and nobody else is reporting on it, and if you do manage to find anything about the case, you often discover that right wing social media has reported as fact the allegations of just one side in the case/suit, and that reality is a lot messier and more complex and nuanced than the memes report).
Many, perhaps most, public libraries offer access to Westlaw and/or Lexus/Nexus. There may or may not be a small fee, but you don't have to subscribe to the service just to check on one case. If it's a large library system, call the main branch; otherwise, call the reference desk of your local branch.
 
Upvote
1 (1 / 0)

Tamerlin

Ars Scholae Palatinae
642
Many, perhaps most, public libraries offer access to Westlaw and/or Lexus/Nexus. There may or may not be a small fee, but you don't have to subscribe to the service just to check on one case. If it's a large library system, call the main branch; otherwise, call the reference desk of your local branch.

It's Lexis/Nexis, no relation to Lexus. I was working with some folks at Lexis/Nexis once while the company got itself into a major scandal because someone registered an account, claimed to be a police officer, and acquired something like 10,000 personal records. I've seen the kind of data that those records include, and I assure you that you would not want any random bozo having access to that information.

Lexis/Nexis isn't particularly trustworthy.
 
Upvote
0 (0 / 0)