This post really could have been published back in December 2015. It wasn’t because, well, mostly I had nowhere to post it. Nor did I think it would have been particularly ethical.
To start the story at the beginning; it was a typical Sunday in December. Meaning I was sitting around the house in whatever clothing was comfortable, with the heat turned up to Insane, some sci-fi playing on the TV and the Internets on my laptop.
This particular December I had been talking to a friend from Wisconsin and we’d been kicking around the idea of going deer hunting some day. I figured I’d look into requirements for foreigners to hunt because, well, what else are you going to do on a Sunday? 1
During this research I came across a server owned by the state of Connecticut. Not that odd, since I was looking for legal information and states tend to be providers of those. The thing that caught my attention was that it was an FTP server. Almost nobody has been running those on the Internet in nearly a decade, except for very specific purposes.
Interest piqued, I started poking around the server. Mind, this was a public server on the public Internet, operated by a public entity. It was also indexed by Google. So I literally needed no more tools or skills than a Google search and a mouse click.
Prodding around the server some interesting things popped up. This server was clearly not meant to be on the Internet. Or at the very least not all the files were meant to be public. I wasn’t sure about the financial reports, but there were also third party applications in .iso format. There were files labelled “Critical Infrastructure.” There were even backups that included passwords in plain text. Yeah, that’s not supposed to be there.
So, with nothing better to do, I Googled around some more and found a helpdesk phone number. I figured “why not?” and gave them a call. It turns out it was the right department first time around. We spoke briefly on the phone and decided that it would be best if I sent an e-mail with the details. I did. It’s this e-mail, addressed to the helpdesk:
I’m sending you this e-mail per our phone conversation just now.
Last night (my time) I Googled some specific information for a hunter education course. The following site came up: link
That probably already shouldn’t be there, but it doesn’t seem too harmful.
Today I looked at the other information available on the FTP site ftp://ftp.state.ct.us/pub/
Some information that definitely shouldn’t be on the Internet is on there.
link contains ArcGIS software, which I believe is copyrighted, and some GIS data called “Critical Infrastructure,” which, I’m guessing by the name, probably shouldn’t be online.
There’s some backups of websites on there, including passwords: link
By the date stamp I assume they are no longer active/in use, but still. There are also some e-mail addresses in there, mostly from rideworks.com which is a domain that, I assume from the contents, has been sold since.
Also access logs including client IP addresses which definitely shouldn’t be public: link
There’s other software, configuration, e-mails, and reports scattered throughout the site, like for DigitalHIWAY, FTP client software, and other EXE and ZIPs that I have no idea what they do.
If you need any other information feel free to contact me on this e-mail address or by telephone at 515-REDACTED
They replied to this e-mail almost immediately, to my amusement referring to me as “a concerned citizen from Iowa” (my telephone area code is the one for Des Moines, IA). They seemed to be taking me seriously and actually handling this, which was entirely unexpected but pretty great.
This all happened in December 2015. I never heard back from them and I never really followed up because, well, I lost interest. Until now for some reason. I checked back in and the directory with most of the suspicious stuff was removed (or at least made not publicly accessible), a robots.txt got added, and it looks like they actually did stuff. Awesome.
However, there are still plenty of things there that I legitimately have no idea if they should be public or not. Things like draft minutes of board meetings, a complete (vehicle-specific) overview for gas bills for various departments, detailed GIS information, draft project plans, and software. Then again, all of it is so exceptionally boring that maybe it is meant to be public. My eyes glaze over before I can tell.
It’s kind of cool if the state of Connecticut is actually being this transparent on purpose. I fully support a system where individual government employees can just toss files in a folder and publish them on the Internet. It costs virtually nothing and enables much better access to government data. Several thumbs up from me in that case.
The disclaimer shown when you connect definitely does confirm that all the data is supposed to be public. But as we all know, an operator denying responsibility does not equal a user taking responsibility. The disclaimer:
220-This ftp site allows public/anonymous read access to
220-all content. Do not upload any information restricted
220-by any law that prohibits you from doing so. All host
220-logs stored off site for evidence chain of custody
220-integrity purposes. Call 860.622.2300 for support.
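As an added example that is not part of the original post, here is the kind of pre-publication check an operator of a “toss files in a folder and publish them” share could run before a directory goes live. It walks a directory tree and flags the categories of material the post describes finding: installers and ISOs, backups containing plaintext credentials, and web access logs full of client IP addresses. Every file name, path and line of content it creates is constructed for the demonstration; nothing is taken from the Connecticut server.

```python
"""Pre-publication audit for a public file share (added example, not from
the original post). It models three categories of material the post found
on the anonymous FTP share and flags matching files before they are
exposed. All paths and sample files built here are constructed for the demo.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Extensions that rarely belong on a public share (installers, ISOs, backups).
RISKY_SUFFIXES = {".iso", ".exe", ".bak", ".zip", ".sql", ".tar", ".gz"}

# Plaintext credential assignment, e.g. "db_password=..." or "secret: ...".
# No leading \b, so "db_password" and "smtp_pwd" are caught too.
PASSWORD_RE = re.compile(r"(pass(word|wd)?|pwd|secret)\s*[:=]\s*\S+", re.IGNORECASE)

# Common/combined log format: client IP, two fields, then a bracketed timestamp.
ACCESS_LOG_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3} \S+ \S+ \[")


def audit_file(path: Path, max_bytes: int = 1_000_000) -> list[str]:
    """Return the reasons (possibly none) a single file should not be public."""
    reasons: list[str] = []
    if path.suffix.lower() in RISKY_SUFFIXES:
        reasons.append(f"binary/archive ({path.suffix.lower()})")
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
    except OSError:
        return reasons
    lines = text.splitlines()
    if any(PASSWORD_RE.search(line) for line in lines):
        reasons.append("plaintext credential")
    # Call it an access log when at least half the lines (and at least three) look like records.
    log_like = sum(1 for line in lines if ACCESS_LOG_RE.match(line))
    if lines and log_like >= max(3, len(lines) // 2):
        reasons.append("access log with client IPs")
    return reasons


def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and map each flagged file (path relative to root) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = audit_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_share() -> str:
    """Create a constructed pub/ tree mirroring the kinds of files the post describes."""
    root = Path(tempfile.mkdtemp(prefix="pub-"))
    (root / "hunter_ed").mkdir()
    (root / "hunter_ed" / "course.txt").write_text("Hunter education course outline\n")
    (root / "gis").mkdir()
    (root / "gis" / "ArcGIS_setup.iso").write_bytes(b"\x00" * 16)  # stand-in for an installer image
    (root / "backup").mkdir()
    (root / "backup" / "site.conf").write_text(
        "db_host=localhost\ndb_user=web\ndb_password=Winter2015!\n"  # constructed credential
    )
    (root / "logs").mkdir()
    (root / "logs" / "access.log").write_text("".join(
        f'203.0.113.{i} - - [01/Dec/2015:10:0{i}:00 +0000] "GET /index.html HTTP/1.1" 200 512\n'
        for i in range(1, 6)  # 203.0.113.0/24 is a documentation range, not a real client
    ))
    return str(root)


if __name__ == "__main__":
    for rel, why in sorted(audit_tree(build_sample_share()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it as-is and it prints the three flagged files and leaves the course outline alone; point `audit_tree` at a real staging directory to use it for a share. The check belongs at publication time rather than afterwards: a robots.txt keeps well-behaved crawlers out of search results, but it does nothing to restrict what an anonymous FTP client can list or download.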
Here is all the raw information:
It turns out you can do a 100% online course with the state of Oregon, and the hunter-ed credential will be valid in all 50 states and Canuckistan. They will even mail you a card! ↩
Cris van Pelt