Sealed U.S. Court Records Exposed in SolarWinds Breach

I work at the courts and manage our ECF system. Our government was very quick to respond, but not sure it matters considering Russians were in the system for 8 months. On top of that, several vendors were exploited VMware and Microsoft. I’ve fought for the federal government to create instead of buy. I continue to fail. It’s becoming increasing obvious the United States needs a privacy branch for data breaches and also for a whole bunch of engineers building out the next generation of apps for a better/smarter government. This is my life’s work, and I will keep trying.

This solarwinds breach feels like it might spiral into one of the major new stories this year with it’s likely legs. Really depends on how much data was snapped up. It’s like an onion each layer bringing more tears.

If you read an indictment such as this Indian tech support scam from last month, they nabbed multiple guys in different airports on different flights, presumedly using sealed court orders combined with scanning names of aircraft passenger lists, then having appropriate federal or local police at the airport to handle the arrest upon boarding or deboarding.<p><a href="https:&#x2F;&#x2F;www.justice.gov&#x2F;usao-ri&#x2F;pr&#x2F;five-tied-millions-dollars-telemarketing-fraud-convicted" rel="nofollow">https:&#x2F;&#x2F;www.justice.gov&#x2F;usao-ri&#x2F;pr&#x2F;five-tied-millions-dollar...</a><p>The Russians or whoever it was could use this to warn individuals (ie state hackers) from flying because of sealed arrest warrants for very serious cases.<p>This is very serious indeed. And that’s only one scenario.

Am I the only one wondering if any cases exposed are just by chance related to certain politicians or their business partners? Just a thought..

Ooohhh...that&#x27;s gonna leave a mark.<p>They can wreak all kinds of havoc with that information.

Sealed documents for ongoing cases being on a server, fine. But for closed cases? Those should only be in hard copy. Indices, at most, could be digital.

&gt; Under the AO’s new procedures, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive<p>Aren&#x27;t thumb drives (USB) also vulnerable?

I can&#x27;t imagine the amount of political capital they gained from that information. By political capital I mean blackmail.

Why are we only hearing about these breaches in the US? Whoever exploited this weakness, must have attacked all targets in Europe, Asia, etc. Are they keeping it quiet somehow? Or maybe they aren&#x27;t as good at identifying the breaches?

Kind of feels like the US should have been focusing more on defensive cybersecurity rather than building cool hacking tools to go on the offensive.

is the solarwinds product windows only, or are unix hosts also exposed via mono or the like?

There&#x27;s a couple of interesting problems in Law that come up, as a result of this.<p>In order to explain them more effectively, let&#x27;s suppose that for the purposes of discussion that you are Mark Zuckerberg and that you run Facebook...<p>OK, so when you start Facebook, you make a promise to users, and that is, that their data that will be confidential, that is, only shared with parties that they give explicit permission to share that data with, and no one else, never.<p>In other words, that you will respect users&#x27; privacy.<p>This becomes part of the agreement you make with all new users, it becomes part of the user agreement -- the CONTRACT you made with them.<p>You engineer the system such that it will respect those rules, and you assume that nothing possible can go wrong.<p>But then later on, you realize that all of this was not as foolproof as you had once thought.<p>That&#x27;s because Government, via it&#x27;s Police and Lawyers, and it&#x27;s NSL&#x27;s and other legal instruments -- are now requesting information from you about your users, to solve criminal cases, but they&#x27;re asking you to keep silent about user data you give them, basically because you were coerced by their Lawyers.<p>You begrudgingly turn over the data and keep silent about it, that is, you respect the Law -- but deep in your mind, in your conscience -- you know that something about this whole thing is very, very wrong.<p>You see, the problem that now occurs, legally, lawfully, morally and ethically -- is now that basically <i>YOU&#x27;VE VIOLATED THAT CONTRACT YOU MADE WITH YOUR USERS</i>.<p>You broke that CONTRACT.<p>And you also destroyed that trust.<p>You told people that a future set of events was going to happen (that their data would be kept private), that they relied on in making the decision of whether to give you their business or not, to give you their eyeballs or not, and <i>YOU BETRAYED THAT TRUST</i>.<p><i>YOU BROKE THAT CONTRACT</i><p>You didn&#x27;t do it intentionally -- you had no way of knowing what future circumstances would turn out to be, but nonetheless, those circumstances resulted in <i>YOUR BREACH OF CONTRACT</i>.<p>That&#x27;s because explicity or implicity or in both ways, <i>YOU AGREED TO THAT RESPONSIBILITY</i>.<p><i>THAT YOU WOULD PROTECT USERS</i><p>And because of circumstances, <i>YOU DIDN&#x27;T</i><p>But nonetheless, <i>YOU AGREED TO THAT RESPONSIBILITY</i>.<p>Now, if you understand all of that... then here&#x27;s the next piece of understanding...<p>The sealed court records -- are no different than Facebook user data in the above example.<p>The Court -- had a CONTRACT -- implicit, explicit (heck, I&#x27;ll let Lawyers figure it out) -- <i>TO KEEP THOSE DOCUMENTS SEALED</i>.<p>Even though it was a third party, a set of circumstances, that caused the breach of that CONTRACT,<p><i>THERE STILL WAS A BREACH OF CONTRACT</i>.<p>See?<p>Even though the players and the parts and the modes and the mechanisms are different, <i>THERE STILL WAS A BREACH OF CONTRACT</i>.<p>The Court contracted, <i>CONTRACTED</i> that it would keep these records confidential (compare Attorney-Client privilege), and they basically <i>BROKE THAT CONTRACT</i>.<p>What you have here is grounds for a super-big-ass <i>CLASS ACTION LAWSUIT</i>.<p>I&#x27;ll let all of the Lawyers (aka &quot;Bar Association Members&quot;) attend to that.<p>My point is simply this:<p><i>If you&#x27;re running an online service in this day and age, if you have users, you cannot, CANNOT make any guarantees of privacy to them. Your best bet is to be honest and tell them that you&#x27;ll take all the security best practices you can on your end, but at the end of the day, even that is no guarantee against a data breach, wanted or unwanted, done via lawful or unlawful means, executed by the Government or hacker group, or whomever.</i><p><i>YOU CANNOT GUARANTEE PRIVACY IN THIS DAY AND AGE</i>.<p>It would be simpler just to be honest and up-front to all of your users and simply tell them that, <i>EVEN IF</i> as a result of this they stopped doing business with you, or using your website, or whatever.<p>You&#x27;d get a lot more sleep at night -- if you had a clear conscience...<p>I quote to you the 3rd Delphic Maxim:<p>&quot;Surety brings ruin&quot;.<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Delphic_maxims" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Delphic_maxims</a><p>If the Court (or any other entity, Government, Corporation, Person) makes promises to anyone else, implicitly or explicity, while those promises might not be written down, those promises constitute a <i>CONTRACT</i>.

Somebody has blackmail material...

oooh I have a shopping list of court cases!

I wonder if it was anything interesting.

Hey devs! The article indicates jetbrains software might be compromised.