Hi everyone, I'm the plaintiff in this lawsuit. I'm still working on my companion post for tptacek's post! I'll have it ready Soon TM, but feel free to ask me any questions in the meantime here.<p>While you're waiting, check out this older post: <a href="https://mchap.io/that-time-the-city-of-seattle-accidentally-gave-me-32m-emails-for-40-dollars4997.html" rel="nofollow">https://mchap.io/that-time-the-city-of-seattle-accidentally-...</a>
While I believe that the city should share the schema, and that the city is effectively arguing for security through obscurity, I disagree with the main premise of the article: that knowing SQL schema doesn't help the attacker.<p>If I understand the argument of the author here:<p>> Attackers like me use SQL injection attacks to recover SQL schemas. The schema is the product of an attack, not one of its predicates<p>The author appears to imply that once the vulnerability is found, the schema can be recovered anyway. It is not always the case. It is perfectly viable to find a SQL injection that would allow to fetch some data from the table that is being queried, but not from any other table, including `information_schema` or similar. If all the signal you get from the vulnerability is also "query failed" or "query succeeded, here's the data", knowing the schema makes it much easier to exploit.<p>> the problem is that every computer system connected to the Internet is being attacked every minute of every day<p>If you specifically log failed DB queries, then for all the possible injections that such 24/7 attacks would find you have already patched them. The log would then be not deafening until someone stumbles on the actual injection (that, for example, only exists for logged in users, and thus is not found by bots), in which case you have time to see it and patch before the attacker finds a way to actually utilize it.<p>Knowing schema both expedites their ability to take advantage of the vulnerability, but also increases their chances of probing the injection without triggering the query failure to begin with.
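The failed-query logging described in the comment above, sketched as an added example that is not part of the thread or the article. It assumes a constructed in-memory SQLite `tickets` table and hypothetical helper names, and shows that an ordinary name containing an apostrophe makes a string-built query fail (a loggable signal) while the parameterized query stays silent.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, name TEXT, fine INTEGER)")
    conn.executemany("INSERT INTO tickets (name, fine) VALUES (?, ?)",
                     [("Bob O", 50), ("Bob O'Conner", 75)])
    return conn

def run_logged(conn, sql, params, source, failures):
    """Execute a query and record any statement the database rejects."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        # A rejected statement on a normal code path is the detection signal:
        # keep where it came from and why it failed.
        failures.append({"source": source, "sql": sql, "error": str(exc)})
        return None

def lookup_concat(conn, name, failures):
    # Deliberately weak: user input is spliced into the SQL text.
    sql = "SELECT name, fine FROM tickets WHERE name = '" + name + "'"
    return run_logged(conn, sql, (), "lookup_concat", failures)

def lookup_param(conn, name, failures):
    # Hardened: input travels as a bound parameter, never as SQL text.
    sql = "SELECT name, fine FROM tickets WHERE name = ?"
    return run_logged(conn, sql, (name,), "lookup_param", failures)

def demo():
    conn = make_db()
    failures, results = [], {}
    for name in ("Bob O", "Bob O'Conner"):  # constructed, benign inputs
        results[("concat", name)] = lookup_concat(conn, name, failures)
        results[("param", name)] = lookup_param(conn, name, failures)
    return results, failures

if __name__ == "__main__":
    results, failures = demo()
    for entry in failures:
        print("FAILED QUERY from", entry["source"], "->", entry["error"])
```

Every entry in `failures` points at a code path that builds SQL from input, so the log doubles as a list of queries to parameterize.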
Kurt posted this to troll me. Just know my audience here was, mostly, non-technical people involved in politics in my local Chicagoland municipality.<p>Permit me a PSA about local politics: engaging in national politics is bleak and dispiriting, like being a gnat bouncing off the glass plate window of a skyscraper. Local politics is, by contrast, extremely responsive. I've gotten things done --- including a law passed --- in my spare time and at practically no expense (<i>drastically</i> unlike national politics).<p>An amazing thing about local politics, at least in a lot of places, is that they revolve around message boards. The boards won't be in places you want to be (in particular: a lot of them are Facebook Groups) and you just have to suck it up. But if you enjoy participating in a community like HN, you can participate in politics, too, and message-board your way towards making things happen.
Is it not absurd that the supreme and appeal courts disagreed on a syntactical matter? Never mind that this isn't uncommon, or that (IMHO) it would be ridiculous to interpret it as "any file layouts at all, and other stuff too, but only bad other stuff". It's crazy to me that we're happy for laws to sit on the books being utterly ambiguous.<p>I know this suits the courts who benefit from the leeway, and that (despite valiant efforts) we're not going to get "formal formal" language into statutes. I know that the law is an ass. I know that the laws are written by fallible and naive humans.<p>Even after all that, if the basic sentence structure of what's in the law isn't clear <i>to the courts</i>, hasn't the whole system fallen at the first hurdle?
Am I the only one slightly perplexed/worried by the point-blank source code exemption?<p>It's easy to imagine a scenario where the city decides to develop a specific software in-house and hide the "biases" in the source code, or any other thing one might not find desirable.<p>Hell, they don't even need to make everything from scratch! Could just patch and use a permissively licensed 3rd-party component.<p>In my opinion, the proposed amendment does not go far enough.
Very interesting read.<p>It does seem absurd to think of divulging schema as protected, as described it allows for a magical sort of outcome where: "well it's in a database you can't know anything about, and if you can't tell me how to find it you're sol".<p>Working at a small company with lots of clients I wouldn't want to hand out DB schema outright, but I also go out of my way to search / get the client the data they want ... not reject them.
I FOIA'ed >1M pages of docs for my project cleartap.com, a DB of water quality of the USA.<p>Most states would charge a small amount to gather the documents.<p>Michigan wanted $50K for the FOIA request. I think because of the Flint lead crisis. They wanted me to go away.
"Retrieve the data of every parking ticket issued to ‘Bob O’ and also all the rest of the information in the database including everyone’s passwords."<p>This is the example of SQL Injection written in plain English, yet "everyone's" is problematic here in that it's an orphaned single quote. If "Bob O'Conner" is bad, so is "everyone's"
> <i>You also generally can't FOIA the source code of programs they run.</i><p>Alas, that part should be illegal under FOIA.<p>Source code should be <i>open source</i> and <i>verifiable</i>. Being exempt from FOIA circumvents public confidence in the government's use of software.<p>I'd be curious to learn if/where courts have decided such things already.
This is part of what discouraged me from going to law school. So much of litigation is Kabuki theater, grand rhetoric not in any way intended at achieving just or logical outcomes, but designed only to give the person in power an excuse to decide however they had already wanted to decide before the case was tried.
> Each spreadsheet has a header row, labeling the columns, like “price” and “quantity” and “name”. A database schema is simply the names of all the tabs, and each of those header rows.<p>This is also how I explain it to my relatives, I'm kind of surprised this analogy (one so direct that it's almost literal) didn't fly with the judges.<p>If database column names cannot be revealed, then shouldn't that mean the state is also able to redact the headers of all their spreadsheets?
Great read. Frustrating that the court ruled that a schema was a file layout, since I don't think it is, but at the same time if it didn't fall under that exception, there is a strong argument that it would be considered "documentation pertaining to all logical ... design of computerized systems". A schema is literally the logical design of the database, and the database is a part of the computerized system. Once it was ruled that those examples are "per se" exempt it was a long shot to argue that schema wasn't covered by any of the examples.
What stands out to me about this article is the time between court appearances. Seems like if you want to accomplish anything in court you need to be prepared to spend years of your life on it.
Given the Illinois Supremes decision, seems like an opportunistic time to say "Everything is a file".<p>1. <a href="https://en.m.wikipedia.org/wiki/Everything_is_a_file" rel="nofollow">https://en.m.wikipedia.org/wiki/Everything_is_a_file</a>
Random thought: someone should drive to Chicago, get a parking ticket, and then make a FOIA request for all of their information contained in that database.<p>It won't be the whole database schema, but it would be a start.
Wowzers, that was <i>a lot</i> of words to express something that's very simple.<p>A database schema is just an empty form. By looking at an empty form, you know what fields <i>have</i> to be filled in, what type of information they'll contain, etc.<p><i>Of course</i> people making data requests need to know what forms are being used to collect and store information.<p>As for security - not letting people do anything because 'it might be dangerous' is bonkers. The way to secure databases has been known for decades. Let's start living in the 21st century :)
> Unfortunately, the Illinois Supreme Court had at their disposal a second dictionary. In the Merriam-Webster Online Dictionary, a “schema” is defined as “a structured framework or plan: outline”. “This is a difference in name only”, said the court. Argh. Schemas are now file layouts. We lose.<p>This is really bad. Words have different meanings in different domains. You can't just point to a dictionary definition for the wrong domain. This is absolute madness and should be grounds for termination as a judge. Imagine how angry that judge would be if you did that for some random legal jargon that is very different from the common definition of a word!
It's Matt Chapman! <a href="https://mchap.io/" rel="nofollow">https://mchap.io/</a><p>I helped him process and visualize the original batch of parking ticket data waaaay back in 2016.<p>I can't believe he's still on this in 2025. We need more junkyard dogs like him fighting for what's right.
> [Public bodies] shall provide a sufficient description of the structures of all databases under the control of the public body to allow a requester to request the public body to perform specific database queries.<p>I sure hope the impact of this is <i>not</i> that government entities switch to schema less databases!
In the new language proposed in SB0226 (as linked, didn't search for authoritative sources, can't tell how durable that link will be for posterity, arrgh archiving the web is hard etc), doesn't that language leave open a hole for excessive complexity to be a reservoir for FOIA resistance?<p>Feels like there is an important theme here that SB0226 is dancing around --could government be legible in addition to being "plain-text" transparent?<p>"plain-text description" of "each field of each database of the public body" and "specific database queries" may not do what you mean.<p>Not sure how to fix it though.<p>I could see gratuitous ORMs and database-of-databases patterns winning tax dollars with taunt-them-with-the-schema listed as a feature.
I understand freedom of information, but what exactly does the public gain by Matt getting the database schema?<p>If the answer is "the ability to request data from a specific table/column", I would say that this should be possible to do by asking for the relevant data directly (instead of asking for "the timestamps of each ticket" ask for the "time-related data of each ticket" for example)?<p>And yes, having your db schema out in the wild can be a vector of attack, if only because it allows targeting the sql injections (the blog author himself argues this in court).<p>The court was right to reject this. Maybe the exact word of the law doesn't ask for it, but the spirit certainly does.
How were you able to stand as an expert witness when you have a personal relationship with the plaintiff? I don’t know the specifics of the law in Illinois, but my understanding is that that would generally be a disqualifying conflict of interest.
I'm confused why file layout is included in the list of exceptions in the first place. If an adversary knowing your <i>file format</i> is a security problem, then you are doing something very wrong!<p>And with the ruling that the condition only applies to "other information" (which to me seems like a very strange reading, and probably not the intent of the law), regardless of if a SQL schema is considered a "file layout", creates a massive loophole, where the government can just use some obtuse custom file layout to avoid FOIA requests.
Does disclosure of a database schema really jeopardize the security of the system? <i>Yes</i><p>How plausible or likely does that jeopardy need to be? <i>Very</i><p>Does a database Schemas constitute “source code”? <i>Yes</i><p>Is a SQL schema a “file format”? <i>No & yes. In that order.</i><p>And, finally, does the “would jeopardize” language apply to everything in the exemption, or just to the nearest noun “any other information”? <i>Yes</i>
> where the only way to get at the underlying data is to FOIA a database query<p>Was this ever attempted?<p><pre><code> SELECT * FROM `information_schema`.`tables`;</code></pre>
Interesting takeaways from me:<p>All that pompous sounding legalese can still be ambiguous! I feel less bad for not understanding contracts that have 100 word compound sentences.<p>Legal people can't keep up with our tech jargon but they have their own jargon including "predicate" lol. So same logical thinking, different jargon framework.<p>Question: why do they want the schema not the data?
> Does the “would jeopardize” language in the statute apply to everything in the exemption, or just to the nearest noun “any other information”?<p>I think law and lawmaking would be vastly improved if only lawyers learned the miracle of parentheses.
Anyone with a legal background willing to opine about potential workarounds to this ruling?<p>Specifically, would a request for “data field labels” (i.e. a column list without any table structure info) likely circumvent the exemption?
> I’ll conclude this long piece by saying (1) obviously the bill should pass, and (2) it should be called “The Chapman Act”.<p>(3) I imagine Chicago greatly regrets towing Matt Chapman "over a facially bogus ticket".
> <i>[...] where the only way to get at the underlying data is to FOIA a database query.</i><p>Can you request the desired information using natural language, based on your guesses of what information they store?
Got to see this happen day by day on the Midwest Venture Partners Slack. There was another lawsuit Chapman and Tom did for laser based speed detection in Chicago.
Do stored procedures count as part of the schema? I've recently found a SQL injection vulnerability in a client's SP that was using concat (very badly)
Enjoyed the read. Good luck with the future developments.<p>Now a nerdy question. As someone who investigates SQL injections, why are you running a server based on nginx 1.4.6? Do you know something I don't? :-)
I got to about 1/3rd of the way before I noticed my eyes were kinda struggling to read the article. Toggling different CSS rules, it's the #333 gray color. Turning that off is instantly better. The custom font is much thinner than the default, but that by itself doesn't seem to be the issue if the color is (closer to) black. (There is also a font-weight rule, but toggling it makes no visual difference in Firefox. Maybe the text is intended to look different?)<p>Since there is no contact method on the website, figured I'd mention it in a comment; hope this helps
This was fine, legally, but I'd be pretty irritated if someone I knew wasted everyone's time on this. The schema clearly <i>is</i> (marginally) useful for hacking, but who cares; it clearly is a file layout also, but who cares; those matter legally but not morally. Morally, this is just dumb: it's not something they really needed, and they're just irritating people and wasting resources for the fun of it. Shameful.
Juxtapose this legal process with DOGE hoovering (in more ways than one) data willy-nilly from everywhere. The dissonance between THIS uninteresting DB schema being so rigorously protected while massive amounts of sensitive data is completely misappropriated is painful.