Fullerton’s Veritable Serpico Problem

Serpico

Fullerton, like most departments, has a problem reminiscent of Serpico and this problem is years in the making. This problem is part of the story of the sordid “Culture of Corruption” that was documented after the Kelly Thomas beating. This veritable Serpico problem is a cancer within the system where once in uniform even good people turn a blind eye to corruption and stand idle as their unions and water carriers work to stomp on both people working towards and laws aimed at transparency.

For those unfamiliar with Frank Serpico he was an officer in the NYPD who stood up against widespread corruption and suffered for this crime against the Blue Wall of Silence. When he was shot in the face in the line of duty his fellow officers went so far as refusing to call for help.

This reverse Serpico problem is the common issue of Officers refusing to speak out, refusing to stand up and refusing to be good ethical humans for fear of reprisals from their brothers and sisters in blue.

Today I want to tell a story that should have been told some time ago – the tale of how ethics can get you fired at Fullerton PD.

I’d like to tell you about one Corporal Paul Irish.

You see, Corporal Irish was fired for dishonesty. A year or so ago I spoke to Paul and I was given copies of the files related to his termination. Honestly I didn’t know what to do with what he gave me and I sort of let it sit waiting for the time to really dig into it. Life, kids, you know the drill. That box sat in my garage patiently waiting for me to have time. Skip ahead and, well, the city cost me my job recently and I find myself with more time on my hands. So I got to reading.

To sum up hundreds of pages of paperwork — what Corporal Irish DID was, allegedly, tell his supervisors he was giving a talk on seat belt safety when he actually gave a talk on ethics. When they hammered him for his dishonesty on what his talk was about they ran a full investigation into the issue which ultimately led to his termination for more alleged dishonesty.

The transcript of the talk is [HERE] and the actual audio as recorded by Corporal Irish is here;

According to the information I have seen, these are the charges for which Corporal Irish was fired:

PSB #2014-72​IA Investigation
Corporal Paul Irish
Potential Policy Violations:
​340.3.5 (g) – within policy
​340.3.5 (h)
​340.3.5 (i)
​340.3.5 (l)
​340.3.5 (n)
​340.3.5 (z)
Recommendation to Staff: Not within policy – Termination Approved

FPD Manual Conduct

That’s a bunch of jargon so I’ll allow the Fullerton Police Department’s Policy Manual chapter on Conduct explain all that legal speak:

(h)Knowingly making false, misleading or malicious statements that are reasonably calculated to harm or destroy the reputation, authority or official standing of the Department or members thereof.

(i)The falsification of any work-related records, the making of misleading entries or statements with the intent to deceive, or the willful and unauthorized destruction and/or mutilation of any department record, book, paper or document.

(l)Any knowing or negligent violation of the provisions of the department manual, operating procedures or other written directive of an authorized supervisor. Employees shall familiarize themselves with and be responsible for compliance with each of the above and the Department shall make each available to the employees.

(n)Criminal, dishonest, infamous or disgraceful conduct adversely affecting the employee/employer relationship, whether on or off duty.

(z)Any other on-duty or off-duty conduct which any employee knows or reasonably should know is unbecoming a member of the Department or which is contrary to good order, efficiency or morale, or which tends to reflect unfavorably upon the Department or its members.

Remember, this all stems from Corporal Irish giving a talk on ethics that his supervisors didn’t approve of him giving and being mad at being “lied to” about said briefing.

Here’s the pertinent part of the Hearing Officers Report:

Irish Allegations

This should be put into some context with current events in order to explain the aforementioned Serpico problem. When some cops are fired for seemingly trivial issues while others are given a pass for egregious conduct it sets bad examples. It tells Officers who to follow, which lies are okay and where things stand in regards to the Blue Wall of Silence. This is how a cancer grows in a department. A blind and subservient government is how it remains untreated and metastasizes.

This year, thanks to this blog, we learned that Fullerton PD and Fullerton City Hall worked to enter into an agreement in order to shield Lieutenant Kathryn Hamel from the disclosure of her crimes. The city was willing to stop investigations in order to protect her, the wife of Irvine Police Chief Mike Hamel, from any sustained findings of dishonesty which would have made her crimes public records under the CA law known as SB1421.

Currently there is an also an officer, Jeff Corbett, being charged with a felony for falsifying his reports as related to the drinking and driving of former Fullerton City Manager Joe Felz in November 2016. That Sergeant was only terminated after a friend of this blog filed a citizen complaint which triggered an investigation which led to a sustained finding of dishonesty. Only AFTER that investigation was concluded in September of 2017 did FPD open their own investigation and terminate Corbett.

These are current issues at the Fullerton Police Department as ignored by our current City Council, City Hall and police brass.

The hearings over Irish’s termination went through 2016 and well into 2017 while Sergeant Corbett was being given a pass for clearly violating department policy during the Felz incident. This is at best an inconsistent application of policy and a strong indicator of favoritism in the department – ergo, cancer.

If you think I’m being hyperbolic about comparing Paul Irish to Frank Serpico in premise, in the notion that the Department will crush one of their own to cover their corruption or incompetence – remember that I’m being sued, along with David Curlee and this blog, for allegedly clicking links and posting stories that showed police misconduct. Stories that showed the Kathryn Hamel deal. A story about a pervert cop at Fullerton High School that FPD and City Hall wanted kept secret. The city has never disputed those stories, or others – they’ve just demanded we remove the truth from this site while defaming us as thieves and hackers.

Your tax dollars are being used to punish us not because we allegedly clicked links and thus broke a federal law in the process. We’re being sued because we, yet again, embarrassed Fullerton PD by pointing out corruption and malfeasance and my records requests, if fulfilled as required by law, would embarrass them further. They’re using your money and the courts to intimidate and attempt to silence us because we again stepped out of line. We got in the way of the Blue Wall of Silence and both those in uniform and those in charge at City Hall are too self-interested and too cowardly to stand up for what is right. Too worried about their pensions, campaign dollars and cronyism to be ethical. They preach integrity and practice treachery.

Sadly the tale of Paul Irish is just another in a long line of such stories. A story of the government using it’s weight to silence dissent. A story about government arrogance crushing a voice even when it comes in the form of an officer talking about the things the Police Department hypocritically displays on their own walls. Ethics used during times of convenience are no ethics at all.

Fullerton v. FFFF – New Judge, New Court Dates

OC Superior Court in Santa Ana

Things just keep on moving in the legal battles between us and Fullerton.

Yesterday the Hon. Judge Lee ruled that our two cases, Joshua Ferguson v. Fullerton and Fullerton v. FFFF, Joshua Ferguson, et al are related in response to our request for such a ruling.

As such we will no longer be gracing Judge Lee’s courtroom in Department C31 on 27 February 2019.

Currently we have a Status Conference regarding the City suing us on 12 Dec & a Case Management Conference on my Writ of Mandate case on 16 Dec in front of the Hon. Judge James Crandall in Department C33.

OC Superior Court Related Cases Dec2019

For context we argued, and the city opposed, the point that these two cases are related owing to them involving the same parties and general facts:

“[T]he two actions are based on similar claims, arise from the same transactions and events, and require the determination of substantially identical questions of law and fact. The CPRA lawsuit alleges that the City has improperly withheld records it claims are confidential or exempt from disclosure. The City’s lawsuit claims that in the process of responding to Defendants’ CPRA requests, it placed confidential or exempt information on its website, www.cityoffullerton.com/outbox. In both cases, the City has the burden to show that the documents are confidential.”

We’re of the opinion that the city’s case against myself and this blog is retaliatory owing to the fact that the city waited months to file their case and only did so AFTER I filed my Public Records lawsuit.

The city claims they waited to “secure their network” which is utter nonsense considering their own experts, in their own declaration, stated that the city needed approximately 30 days for the company Glass Box to fix their network (not Dropbox) vulnerability. Yet the city sent their original Cease & Desist email on 14 June, their letter to our attorney Kelly Aviles on 17 July and then they waited an additional 99 days to file their lawsuit against us on 24 Oct.

That’s a lot more than the 30 days recommended by Glass Box and sure is convenient timing. It’s even more convenient that the City had to vote “again” on 19 November “in an effort to clarify any Brown Act violations” when they refused to report out about their alleged vote back in September that Whitaker denies even took place.

I will be very surprised it the city does not attempt to appeal this decision to link the cases.

Fullerton v FFFF – Fullerton’s Small Loss & Big Costs

OC Superior Court in Santa Ana

Yesterday Kimberly Barlow with Jones & Mayer, on behalf of the City of Fullerton, asked the Hon. Richard Y. Lee to change the Temporary Restraining Order (TRO) against myself and this blog. An exhibit to said TRO was NOT INCLUDED when the Judge signed the original order and Jones & Mayer wanted to substitute the list of files we were originally told we couldn’t publish, share or delete with a shiny new list that allegedly only included private records. Read about that issue in our previous post [HERE].

The judge denied Ms. Barlow’s ex parte request. While Judge Lee agreed he had authority to change the TRO, he wasn’t going to do so as he didn’t believe it was necessarily the “clerical error” Fullerton’s attorney was claiming. Chalk up yet another loss for Jones & Mayer.

During the hearing Ms. Barlow took umbrage with our opposition paperwork, specifically the part about costs. Here’s the relevant part from our opposition (emphasis added, linked [HERE]):

Finally, filing of the anti-SLAPP motion by the Defendants within a week of the date this lawsuit was filed, halts proceedings so that Defendants and the Court are not burdened by the time and ever-increasing costs incurred in response to a frivolous lawsuit.

Yet, at present, the Defendants have been required to incur the expense of filing multiple briefs, a writ petition, numerous objections, last week’s court appearance, and are now must oppose on the City’s ex parte request to reconsider a restraining order, a request this Court has already rejected. Currently, Defendants have incurred nearly $100,000 in legal fees, which despite the pending SLAPP motion, are continuing to increase.This is exactly the point of SLAPP suits: To discourage public participation by running up litigation expenses, even though the City’s suit is completely meritless.

Ms. Barlow didn’t understand how it could possibly cost so much to fight her nonsense. She claimed it couldn’t cost so much to fight a TRO that in her words had no effect because the exhibit listing the files had been left off.

How could it cost so much? Gee. I wonder.

Perhaps if the City Attorney didn’t co-mingle everything up to and including billable hours she would understand how every time our attorney responds to the City’s paperwork, filings, declarations (alone totaling 21 and counting with 4 declarations from Strebe, 3 from Klein and so on and so forth), it costs money. There are more pages in those declarations than the first two Harry Potter novels combined. Plus every time our attorney has to read an email, field a phone call, talk to media on our behalf and show up to court, it costs us money. Every time the City does something, she informs us, which costs us money. And on and on.

We’re a month into this process, with three months to go before the anti-SLAPP motion, and we’re already staring down $100k. Imagine the bill when the dust settles. If our ONE attorney is racking up billable hours responding to the city’s filings, one can only imagine the costs being incurred over at Jones & Mayer in creating all of that paper they’re attempting to bury us under each day.

Yesterday, three weeks after getting it, Ms. Barlow went to court to argue that the TRO she demanded, received and then we had stayed, is incomplete. This mistake, which Barlow blames on the court, led to that hearing. Her appearance as well as our attorney’s appearance is costing billable hours and somebody is going to have to pay the piper.

We’re betting it’ll be the taxpayers.

As always we’ll keep you posted as to the details of this case as they happen.

Who’s Full of it? Whitaker or the City Attorney?

Bruce Whitaker Voice of OC

We’ve made it onto the Voice of OC again. The newest story [HERE] revolves around a fundamental problem with government secrecy – you never know who’s telling the truth after something nefarious happens.

According to City Attorney The Other Dick Jones™, the City Council voted in closed session back on 17 September to sue us for allegedly clicking links.

Council Member Bruce Whitaker, mind you, claims that no such vote happened back in September.

Only one of them can be telling the truth and with history as our guide we know where to place our bets.

To bolster their claims of a vote in September the City “cured” their illegal Brown Act violation two weeks ago on 05 November by allegedly re-voting to sue us 4-1 (Whitaker dissenting). But did they ever actually vote back in September or is that just a ruse being cooked up to make their case against us look less retaliatory?

Fullerton Stopped Us From Publishing Public Records

OCR- Top of the Fold

Fullerton is headed back to court tomorrow to try and fix what it claims is a “clerical error” in their Temporary Restraining Order (TRO) against us here at FFFF. The TRO that’s already in front of the Court of Appeals and has mostly been stayed. The meat here is that the City Attorney did not incorporate into the TRO the list of files we’re alleged to have “hacked” by clicking links the city gave out to the world.

To try and fix their mistake, the City’s attorneys are running back to court to get the TRO fixed. This is all a part of their quest to search our digital lives to see if we have files they themselves admit they put on the internet.

For those just catching up, the core of the city’s illegal SLAPP case is that the public can only access information on the City’s website that the City has sent you a link and express permission to access/download.

This is preposterous and amounts to me calling you, dear reader, a “thief” and “hacker” if you click the “Contact” link on this page without me giving you express permission to click it despite me inviting you onto this page. This idiocy, if allowed to stand in court, will break the internet as we know it.

But in true Fullerton fashion it gets better.

You see, when the city was rushing to stomp on our First Amendment rights (despite Jan Flory expecting that to get struck down and Bruce Whitaker claiming there was no vote to do so at all), they couldn’t even be bothered to check their work. This is the list of files in question according to the City and the files we were restrained (gagged) from publishing or sharing:

TROed Public Records

Those red arrows are files that the City claims are public records disclosed as part of records requests according to the declaration of Mea Klein. You can likely spot other obvious public records on your own.

In other words – the city got a court to stop us from publishing and sharing records they themselves claim are public. Files the clerk’s office released to members of the public.

Let us contrast that with the City’s argument where they claim we should have known which files/folders on the city’s Dropbox account were public versus private before allegedly accessing anything. The City Attorney, as evidenced by this exhibit of their own creation, can’t discern public from allegedly private files. They not only admit to co-mingling files they have a legal duty to keep confidential with documents they have a legal duty to share with the public but they did it again in their TRO against us.

Allow me to repeat this very important point:

At the behest of our City Council, the City Attorney actually convinced a court to restrain us from publishing and sharing things they themselves admit are public records.

One might expect a little more due diligence when working to step on the First Amendment. We’ll see what the judge says tomorrow regarding this TRO update and we’ll keep you posted as this case continues.

Jan Flory Knowingly Voted Against the 1st Amendment

JanFlory-Official

It’s not often that a sitting politician admits to violating the rights of the people but we’re seeing a lot of firsts here in Fullerton lately and the issue of ethics is no different.

Let us start by reminding the class that councilwoman Jan Flory is only currently on council because Ahmad Zahra sold out in record time and put her there. Despite Zahra’s peacocking and preening as a man of ethics and great concern for the Constitution and voting rights – he showed us early on that he’s an empty suit.

Now in an amusing twist of events it turns out that not only did Zahra and the council vote to kick our 1st Amendment rights in the teeth – his appointee Flory knew that what they were doing wasn’t going to hold up in the courts.

In a recent article [HERE] in the Voice of OC, Councilwoman Jan Flory said the following (emphasis added):

Councilwoman Jan Flory said while she respects the First Amendment, the privacy of city employees is also at stake. Like Whitaker, she said she couldn’t speak about the legal advice given to the Council during closed session.

I think that First Amendment rights trump everything else, but I believe that Kim Barlow has done a good job in that the city also wants to protect Mr. Ferguson’s First Amendment rights,” said Flory in a Nov. 8 phone interview.

She said the First Amendment isn’t the core issue.

“That’s not what’s at issue here. What’s at issue is he (Ferguson) obtained records that are private,” Flory said. “Or have some implications concerning the confidentiality of our city employees as well as members of the public.”

Flory also expected the publication gag order to get blocked, at least temporarily, she said.

“Was I shocked by it? No, not at all,” Flory said.

So Jan Flory, as a lawyer, expected the gag order to get blocked?

On what grounds could it possibly be blocked? On 1st Amendment grounds, perhaps?

Why? Because the gag order against publishing was and is an illegal prior restraint against the 1st Amendment and as a lawyer Jan Flory might be familiar with this particular point.

Now according to The Other Dick Jones™ at the last council meeting the entire council, Flory included, voted for this 1st Amendment violating gag order back in September despite Flory expecting it to be shot down.

There you have it folks.

Jan Flory “thinks that First Amendment rights trump everything else” but that didn’t stop her from voting to put the boot of government on the throat of OUR 1st Amendment rights when it suited the CYA needs of the city.

While fully expecting the courts to slap the city’s illegal SLAPP lawsuit/TRO – she voted against the 1st Amendment on 17 September 2019 and then did it again on 05 November 2019. I’m sorry Jan, but your postulating about the importance of the 1st Amendment is meaningless when you yourself voted against Freedom of the Press not once but twice.

You care about the 1st Amendment?

SureJan

Fullerton v FFFF – Expert Response

You may have seen the City of Fullerton via their attorney Kim Barlow throwing around words like “thieves” and “hackers” in regards to the current litigation they initiated against us here at FFFF. You may have also seen the Fullerton Observer Pravda parroting their nonsense with their own “expert”.

In response we’ve decided to publish the bulk our tech expert’s declaration as submitted to the court for easy reading right here on the blog (CV, footnotes, et in link). We hope this helps clear up a lot of the BS being bandied around to baffle the masses by City Hall and their water carriers.

Please allow us to present the stellar work by John Bambenek.

John Bambenek

Enjoy:

I. INTRODUCTION

I, JOHN BAMBENEK, hereby declare as follows:

1. The facts stated in this Declaration are true and correct of my own personal knowledge, except for those matters expressly stated on information and belief, which matters I believe to be true. If called as a witness, I could and would competently testify thereto.

2. I am filing this declaration in support of the Defendants Friends for Fullerton’s Future, Joshua Ferguson, and David Curlee’s Opposition to OSC re Preliminary Injunction sought by the City of Fullerton (“City”).

3. I have reviewed the following pleadings and documents filed in this case:

  • Complaint for (1) Violation of Comprehensive Computer Data Access and Fraud Act (Cal. Pen. Code § 502 et seq.); (2) Violation of the Computer Fraud and Abuse Act (18 U.S.C. et seq.); (3) Violation of Cal. Gov’t Code § 6204 et seq; Conversion; Trespass to Chattels; and (6) Conspiracy (filed by the City on October 24, 2019);
  • Ex Parte Application for Temporary Restraining Order and Order to Show Cause as to why a Preliminary Injunction should not be issued; Memorandum of Points and Authorities (filed by the City on October 24, 2019);
  • Declaration of Matthew Strebe and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Mea Klein and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Steve Lee (filed by the City on October 24, 2019);
  • Declaration of Bruce Lindsay (filed by the City on October 24, 2019);
  • Opposition to Plaintiff’s Ex Parte Application for an Unconstitutional Prior Restraint (filed by Defendants on October 25, 2019);
  • Transcript of the October 25, 2019 Hearing on Plaintiff’s Ex Parte Application;
  • Supplemental Memorandum of Points and Authorities in Support of Plaintiff’s
  • Motion for Preliminary Injunction (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Matthew Strebe (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Mea Klein (filed by Defendants on November 1, 2019);
  • Declaration of Christopher Tennyson (filed by Defendants on November 1, 2019);
  • Declaration of Mike Rice (filed by Defendants on November 1, 2019);
  • Declaration of Marni Rice (filed by Defendants on November 1, 2019); and
  • Declaration of Ivy Tsai (filed by Defendants on November 1, 2019);

4. Based on my expertise and claims made in the declarations filed by the City (as set out in paragraph 3, above), I have reached the following conclusions:

  1. The City’s declarations do NOT substantiate any evidence of unauthorized access or “hacking” as those terms are typically defined;
  2. The use of a VPN or Tor is common among a wide variety of users, including journalists;
  3. The attribution of VPN traffic, Tor traffic, and other “foreign IP addresses” to Mr. Ferguson and Mr. Curlee is, at best, deeply flawed.

5. For purposes of this declaration and to aid the Court in its understanding of the issues presented in this case, I have created a Dropbox folder to simulate the underlying circumstances that gave rise to this case. I do not have any access to the documents that are at issue in this case, and do not have the ability to reconstruct the exact configuration or access the Dropbox account at issue since it has since been modified and is no longer available through its original link, www.cityoffullerton.com/outbox. However, my reconstruction is consistent with information provided by the City in its declarations and the websites and information associated with this case.

II. QUALIFICATIONS AND BACKGROUND

6. I am President of Bambenek Consulting, LTD, a cybersecurity investigation and intelligence firm in Champaign, Illinois. I have worked 20 years in cybersecurity and consult with a wide range of law enforcement entities both in the United States and abroad on matters related to cybercrime or hostile nation-state activity. A true and correct copy of my curriculum vitae is attached as Exhibit A, and is incorporated by reference herein as if set forth in full.

7. I have been an adjunct lecturer in the Department of Computer Science and the School of Information Sciences at the University of Illinois teaching courses on digital forensics and cybersecurity. I am additionally an instructor at Parkland College also teaching a course on networking.

8. I am a co-author and helped design a digital forensics curriculum with the Information Trust Institute at the University of Illinois that lead to the create of interdisciplinary CS and Law courses on digital forensics and investigation.

9. Additionally, I have advised and continue to advise individuals on privacy and how to protect their information and privacy against hostile governments, abusive ex-partners, and variety of threat groups that target typically disadvantaged individuals and groups. I recently spoke at a conference discussing mobile malware attacks attributed to the Chinese government against Uighur Muslims and Tibetans .

10. I have assisted in law enforcement investigations including cases involving the 2016 presidential election including activity that helped retrieve some documents stolen by the Russian Government from the Democratic Congressional Campaign Committee. Most recently, I was the expert witness in Obeidallah v. Anglin, 2:17-CS-00720 (S. D. Ohio) where I testified in matters related to cryptocurrency and financial assets in a civil litigation matter.

11. I additionally provide auditing and consulting for a variety of companies, including law firms, on data protection and obligations around data security to comply with regulation or privilege.

12. I speak at conferences all over the world on matters relating to cybercrime investigation and threat intelligence and how to attribute malicious activity to individuals using technical information and metadata.

III. ANALYSIS

A. The City’s Declarations Provide No Evidence of “Hacking” or Unauthorized Access.

13. Dropbox is a web-based, file sharing application that allows individuals or organizations to store documents for their own use, share them with specific e-mail addresses (accounts are tied to e-mail address in Dropbox), or to make them available globally, worldwide, and without any access control.

14. These settings are under the complete control of the owner of the files. In the web interface, there is a “share” button that allows file owners to either share their files or keep them confidential however they may see fit. For example, if a user wishes to share a file, via Dropbox, with their attorney for review, the user could send an email from the web interface to the attorney’s specific email address. Below is an example of a screenshot of the interface demonstrating this capability, which was created in a simulated folder created for this declaration:

15. Dropbox provides a variety of security settings and access limitations, which could expire a link at a given time, prevent downloads, and determine who has access. A screenshot of the possible access restrictions for the fictional folder used as an example in paragraph 9, is below:

16. It appears from the City’s declarations that the City set its folder permissions to intentionally allow anyone with the link can view it. When you select this level of access, Dropbox makes clear that “Anyone with this link can view the folder.” A screenshot of how this would appear to the creator of the folder or the administrator of the account appears below:

17. This means that the City created the URL (or internet address for the Dropbox account) and mere knowledge of that URL is sufficient for access. Anyone with knowledge of the URL would have access would only have to go to that website to find that the entire folder contents are available and visible, including any and all subfolders that are stored therein. An example of how that would appear to a user who enters the URL of an unrestricted Dropbox account appears below:

18. The City’s administrator for its Dropbox account could have also changed the global access restrictions so as to prevent information from being disclosed outside of various groups. An example of these global settings can be seen in this screenshot:

19. While explanations of the configuration of the City’s Dropbox security settings are notably absent from its declaration, there are no allegations in the City’s declarations that I have reviewed that even allege that there was any access or password restrictions on the City’s Dropbox account. This confirms that the set up I have described in the preceding paragraphs was the manner in which the City’s Dropbox account was configured and that anyone with knowledge of the URL could see and access the folders contained therein.

20. As the City set the configurations on its Dropbox account so anyone with the URL could access the folders, subfolders, (and by extension the content contained therein), they themselves made this information available to anyone, anywhere in the world to download at any time and for any reason.

21. Compounding these problems, the City then expressly changed its URL (or the address of its Dropbox) to www.cityoffullerton.com/outbox, making it appear that the Dropbox account was an ordinary part of the City’s website.

22. Accessing a typical Dropbox account would require someone to go to www.dropbox.com and enter their login credentials, including a user name/email address and a password. An example of this can be seen in the following screenshot:

23. However, the City’s Dropbox was intentionally changed from this routine configuration, leaving no conspicuous way for the average user to know that the webpage housing the files was anything other than the City’s website.

24. From my review of the City’s website, the City also uses this configuration for various other types of disclosable public records and information. For example, information about the City’s meetings, including agenda and minutes, is available through the City’s website, by going to www.cityoffullerton.com, then clicking on the “Government” link, then on the “City Clerk” link, and then on the “Meetings and Agendas” link. However, this directs the user to the City’s Granicus account, which is a software platform used to manage government meeting data, including the storage and public access of agendas, minutes, and recordings of public meetings. The City uses OpenGov, another cloud-based software program, to manage and provide public access to its financial data. This is available directly through the City’s website by searching for “budget” in the website’s search feature, and clicking on the first link “City Budget”, and then clicking on link “OpenGov,” where the City directs users for information. There is no statement by the City in contained in any of these links or on any of these webpages which provide “express authorization” as to which links or files can be accessed by the public because the presumption is that information on a City website is public.

25. I have also reviewed the emails and communications described in and attached to the City’s declarations, but found no reference to any use restriction or admonishment until the City’s July 2019 correspondence to Kelly Aviles advising that accessing the Dropbox account was no longer authorized. Nor are there even any “terms of use” on the Plaintiff’s website to indicate such a restriction, even though that would not necessarily be sufficient to notify visitors that information on a public agency’s website was not intended for public access.

26. In my professional capacity as someone who evaluates security configurations of organizations with privileged and confidential information, I would have rated such a setup at an extremely high risk and priority for immediate change. The use of Dropbox to share confidential information or privileged communications is simply an unacceptable risk. Its use in this way can accurately be assessed as gross negligence.

27. This is particularly problematic for certain uses that are bound to keep information confidential. For example, attorneys have a duty of confidentiality, requiring them to take reasonable steps to maintain client information. (See California Rules of Professional Conduct, Rule 1.6; Cal. Bus. & Prof. Code § 6068.) This set up would be insufficient to ensure that confidential information is maintained. (See, e.g., https://www.americanbar.org/groups/business_law/publications/ blt/2017/09/01_kohut/; http://www.abajournal.com/magazine/article/ethics_secure_ client_communications/?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly; https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/2010-179-Interim-No-08-0002- PAW.pdf; https://www.sdcba.org/index.cfm?pg=Legal-Ethics-Opinion-2012-1.)

28. Similarly, Dropbox provides information on the appropriate use of its platform for HIPAA-related information, which requires specific configurations and access restrictions. It appears from Plaintiff’s declarations that the City failed to follow any of these steps to protect the information they stored on their Dropbox which they claim is confidential. In fact, the steps they did take removed what little security is typically available in a default configuration.

29. Typically, “hacking” refers to the use of some tool or technique that defeats defenses in a computer system. A password cracking program may try to guess the password for an account. A tool may attempt to exploit a vulnerability to get access to the underlying database of a website. Malware (or colloquially, a “computer virus”) may be installed on a victim machine to give access to information. There is no evidence that any tool, vulnerability, technique, or manipulation of a computer system occurred by the Defendants in this case, nor does the City allege that there was any such action.

30. In the terms of the Computer Fraud and Abuse Act and its related state statute, the specific formulation is “exceeding access” or “unauthorized access” of a protected computer system. In this case, the Defendant could not have exceeded or acquired unauthorized access. The computer system (Dropbox) gave Defendants and the public exactly the access that the City set in the first place.

That may have been a mistake on the City’s part, but the system worked exactly how it was designed with the exact settings it was given.

31. In light of the above and in the absence of other evidence not yet in the record, I conclude that the city had no technical restrictions on accessing the data so a computer system was not subverted to access the information. I further conclude there was no stated access restrictions, so no “administrative” access controls were subverted either.

B. VPN Use is Common and Appropriate

32. A VPN is an encryption-based technology to keep one’s network traffic secure.

33. The City and its “expert” appear to infer that its use demonstrates an ill intent or conscious of guilt. Use of a VPN says nothing about the propriety of the actions taken while using a VPN. There are a wide variety of use cases for this tool and like all tools, it can be used for good or for ill.

34. Journalists use VPNs. The Global Investigative Journalism Network recommends the use of VPNs for journalists . This is especially true for investigative journalists who are looking into government misconduct (like the kind uncovered and alleged by the journalist in this case). This is because governments often retaliate against those journalists and impose “personal costs” (such as losing one’s job) as a price for uncovering misconduct. Ironically, the City’s actions in retaliation for the reporting done by Defendants in this case is exactly the kind of case study for why this advice exists.

35. The FBI recommends that political campaigns use VPNs in light of election manipulation attempts, the Electronic Frontier Foundation produces a guide on personal VPNs designed for journalists, activists, LGBTQ persons, academic researchers, and others. A personal VPN might be used by a victim of a domestic abuses to make them harder to stalk.

36. A VPN is used often in business for secure access to corporate networks. A VPN can be used in academic to access University resources while remote. A VPN can be used to access video content, circumvent censorship, or to protect the confidentiality of someone who may be facing threats.

37. I, too, use several VPNs, one to access corporate files securely on untrusted networks, one to access campus resources provided for faculty and students only, and a personal VPN to watch “American” Netflix while overseas.

C. Attribution of VPN and Tor traffic is deeply flawed

38. There at no statements in Mr. Strebe’s declarations authenticating the logs attached as Exhibit A. The logs contain a table of information. The eighth column has no header but is populated with names from time to time (e.g. Tor, PureVPN, etc). There is no information about what this is, how it was gathered, or how it can be reproduced.

39. I created a Dropbox business account to compare the format of the logs that Dropbox itself generated. An example of what I saw in my experimental logs is below:

40. There appear to be key differences in the formats of the logs I obtained from the Dropbox account I created and the logs attached to Mr. Strebe’s declarations. For example, there is no corresponding column provided by Dropbox that maps to the 7th (“Region”) and 8th (untitled) columns in the logs attached as Exhibit A to Mr. Strebe’s original declaration. In Mr. Strebe’s supplemental declaration, the 8th untitled column is no longer included.

41. Also of note is that the logs I accessed from Dropbox using the account I created, unauthenticated users were logged, but only 1st and 2nd octet of the IP address were logged, the other half of the IP address was obscured (i.e. instead of seeing 12.24.36.48, what was produced shows 12.24.XXX.XXX).

42. While the City’s declarations do not state how the logs attached to Mr. Strebe’s declarations were generated, the discrepancies raise serious questions about the integrity and authentication of the logs attached to Mr. Strebe’s declarations, as they appear to have been manipulated or modified by the “expert,” compromising the integrity of the evidence.

43. Even presuming that these logs are authentic, and the information contained therein is accurate, there are serious flaws in the City’s analysis of what they purportedly show.

44. Several entries allege Mr. Ferguson’s account was logged into Dropbox and accessed city records purportedly from PureVPN (12/28/2017, 12/30/2017, and 3/29/2018 from Oslo and 10/26/2018, 10/27/2018, 10/30/2018, and 11/06/2018 from the Netherlands). There are no log entries produced by the City that indicate other occasions of Mr. Ferguson account accessing the City’s Dropbox. There are no logs at all indicating Mr. Curlee’s purported access.

45. Plaintiff then uses these brief occurrences to conclude that all access via PureVPN to Plaintiff’s Dropbox must be from Ferguson, Curlee, or their “unnamed associates.” (Strebe Dec., ¶ 40).

46. The City then reaches even farther to suggest all accesses via Tor must also be from the Defendants despite the complete and utter lack of evidence for that conclusion in their own exhibits. (See Strebe Dec., ¶ 60.)

47. The City and Mr. Strebe, undaunted by a complete lack of evidence and unhindered by any respect for appropriate investigative reasoning, then decide all access from foreign IPs otherwise unattributed must also be from the Defendants. (See Strebe Dec., ¶ 51.)

48. The only indication Plaintiff’s give for such reasoning is that some of the access attributed to Tor, PureVPN, or other “foreign” IP addresses was for documents responsive to records requests made by the Plaintiff that no one else would know. But this is a conclusion, not evidence. Nor is such a conclusion warranted based on the purported Dropbox logs.

49. PureVPN, according to Crunchbase has $15.7 million in revenue. Assuming that is correct, and based on the listed monthly cost of service (before discount) at $10.95/month , this would equate to approximately 120,000 PureVPN users. It defies credulity that Plaintiff could have eliminated all but 2 of those users from this activity.

50. According to the Tor Project, there are currently around 1.75 million active daily tor users . While there was at least some limited activity that Plaintiff could attribute to Defendant Ferguson via PureVPN, there is no activity over Tor that contains metadata implicating the Defendants.

51. The City and its “expert” stated there was a foreign access to Dropbox content on August 23, 2017. (See Strebe Dec., ¶ 37.) They argued this was “likely an authorized user” but provide absolutely no evidence for that conclusion. Who is the authorized user? How do they know its authorized? The ambiguity on that point stands in stark contrast to the certainty they express previously about all PureVPN, foreign VPN, and Tor traffic must be the Defendants.

52. Mr. Strebe also makes liberal use of printouts from a website myip.ms. This is not a forensically sound way to attribute IP addresses. There is no documentation as to how myip.ms works or where it gets its information, which makes it use questionable, at best.

IV. CONCLUSION

53. The evidence presented by the City in no way supports any allegation of “unauthorized access” or “exceeding access” of any computer system. The evidence shows that the City itself placed this information on the internet without access control allowing anyone full permission to download the content. The access logs, even if authenticated, do not substantiate, in the absence of other corroborating evidence, that all Tor, VPN, and foreign traffic belongs to the Defendants. Nor is Mr. Ferguson’s use of PureVPN a sufficient or even suggestive data point to implicate guilt.

I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct and that this declaration was executed on November 7, 2019, at Chula Vista, California.

Fullerton v FFFF in the News

OCR- Top of the Fold

Today we were Front Page, Above the Fold in the Sunday edition of the Orange County Register [HERE]. The article was good overall and addressed many of the issues surrounding the ludicrous case the City has lodged against us.

This comes on the heals of several articles which have been written by The Voice of OC [HERE], [HERE], [HERE], [HERE] & [HERE] as they have been on the ball and running hard with this story. The Voice is local, fact-based journalism at it’s finest.

We got some good coverage of the story over at ShadowProof [HERE] which itself was picked up by the paper the Florida Oracle [HERE].

The Orange Juice Blog brilliantly took the city to task for being not just incompetent but downright evil [HERE].

The FullertonRag showed their support for dropping this case [HERE] in a perfect example of understanding that we don’t all need to get along in this fine town on all things to align on principles of utmost importance.

Then of course we have the great write-up by the Reporters Committee for Freedom of the Press [HERE]. It should be noted that this influential group also filed an amicus brief on our behalf in the appellate court supporting the striking down of the unconstitutional prior restraint issued against us by the trial court.

A lot has happened since the city took us to court a little over two weeks ago and it’s not over yet. Other reporting groups, First Amendment organizations and journalists have reached out for comment and we are fully expecting more news in the days to follow leading up the trial on 21 November.

Nearly all of those articles have been objective fact based or on our side for obvious reasons. However – If you’re concerned about having a Fair and Balanced view on this lawsuit you can check out the city’s side of things by heading over to the Fullerton Observer Pravda where they’re doing a bang up job reporting all the news that City Hall sees free to print.

We’ll keep you updated and post more stories both here and to Facebook as they appear so if we miss one please leave it in the comments or tag us on FB.

Fullerton Observer Acts as an Arm of the State, Actively Helps Pursue FFFF as Criminals

Pravda
Fullerton Observer in their Native Russian

In a twist worthy of Pravda, the Fullerton Observer has gone all-in with being an arm of the state. Sharon Kennedy retained a computer expert to help the city in their lawsuit against us, a rival news organization here in the City of Fullerton. That “expert” has now written a declaration for the city in their lawsuit against us evil “hackers”.

Sharon Kennedy’s own contracted “expert” is now working in cahoots with the city. In a terrible look for local journalism Kennedy has literally retained somebody to help the government attack the First Amendment. From his declaration (emphasis added):

I was retained by the newspaper, Fullerton Observer, to analyze the expert declaration of Matthew Strebe submitted by the City of Fullerton and provide an independent opinion on whether a connection could be made between the City of Fullerton’s Dropbox account and the Defendants associated with Friends for Fullerton’s Future Blog, including named defendants Joshua Ferguson and David Curlee. I reviewed the Declaration of Matthew Strebe, summarizing his forensic analysis of the incident involving the City of Fullerton’s private records.”

The Reporters Committee for Freedom of the Press came to our aid, as have multiple other outlets. Meanwhile the Observer is the only, I repeat THE ONLY, media outlet to openly support the City in attempting to limit the first amendment to whatever the government wants it to say.

It’s not often you get to see a journalistic outlet try and tank a rival at the behest of government – well, not often outside of Mother #Russia anyways. Yet, here we have the Fullerton Observer helping attack us with “expert” testimony while simultaneously claiming on every article their desire to “Protect local journalism”.

Thankfully while Fullerton Pravda…. I mean the Observer was carrying City Hall’s water we went ahead and found our own expert who concluded the following [Linked HERE]:

“The evidence presented by the City in no way supports any allegation of “unauthorized access” or “exceeding access” of any computer system. The evidence shows that the City itself placed this information on the internet without access control allowing anyone full permission to download the content. The access logs, even if authenticated, do not substantiate, in the absence of other corroborating evidence, that all Tor, VPN, and foreign traffic belongs to the Defendants. Nor is Mr. Ferguson’s use of PureVPN a sufficient or even suggestive data point to implicate guilt.”

This case just keeps getting crazier by the day. I knew Sharon Kennedy and her Observer had issues with this blog but I never expected her to literally contract somebody who then attacks us in court at behest of the city’s ludicrous and defamatory allegations.

Joshua Speaks about Fullerton v FFFF Lawsuit

Joshua Voice of OC
Photo by JULIE LEOPO, Voice of OC

I’ve been pretty quiet since the City of Fullerton decided to sue me, David Curlee and this blog. We were under a Temporary Restraining Order (TRO) so knowing what I could and could not post was up for legal debate. Yet at the same time the TRO was active, the City Attorney, Kim Barlow, was out in the open calling us hackers and thieves to our friends, neighbors and the world at large.  Yay illegal prior restraints in violation of the 1st Amendment.

The basic issue here is that City Hall screwed up and then decided to smear and scapegoat us to cover their own bureaucratic hindquarters.

To this end they hired some experts to bloviate about BS in an attempt to confuse people and obscure the truth about what is actually being alleged against us and City Council bought it hook, line and sinker.

The ink on the City’s Press Release hit-piece was barely dry before The Fullerton Observer uncritically reprinted it and in an effort to attempt cover the story they brought in their own “expert” who copy and pasted the City’s nonsense in order to paint us as hackers and villains with malicious intentions and evil schemes.

But now I’ll tell you what is actually being alleged; The City is alleging that we went to it’s website and clicked links.

That’s it.

All of their preening about VPNs/TOR, link hashes, network security – All Of It – is a smokescreen. Despite the nonsense about needing to delay the lawsuit to secure the city’s network, the city never alleges that the their network was ever breached or hacked.

The real meat and substance of their argument and allegations is that we “exceeded authorized access” and are therefore “thieves” and “hackers” under the Computer Fraud and Abuse Act as well as the California Comprehensive Computer Data Access and Fraud Act.

We allegedly “exceeded access” because they say we went to a link on the city’s own website, a link they themselves claim that they told us about, and allegedly clicked on files and folders they put there for the whole world to see plain as day. The argument is that we should have known better and shouldn’t have clicked on the files they put on the internet at the website they told us about. That is literally their allegations. That’s it.

We’re apparently supposed to have known what a $1Million+/year worth of government employees & lawyers didn’t know – that some files the city put online shouldn’t have been accessible from the city’s own website.

To bypass the obvious First Amendment issues in this lawsuit and to obtain their TRO the city made the claim that we accessed files that contain privileged medical records of police and their families, etc.

This is why they claim to have needed the prior restraint against us publishing data – to mitigate financial risks to the city. But there is no evidence this blog has published any such information made in the city’s grand accusations. Information, mind you, that the City themselves claim to have put on the internet for the entire world to access. By their logic we shouldn’t be allowed to do as journalists what they themselves have already admitted to doing as incompetents.

The City is trying to unring a bell here and blaming those who allegedly heard it instead of admitting they caused the commotion when they bonked their own heads.

Even if what the city alleges is true, that we allegedly went to the city’s own website and clicked links, the liability and financial risks to the city are of their own doing by their own admissions. It is not the responsibility of journalists or even the public to safeguard the city’s corruption and secrecy after the city itself has put it on display for the entire world.

To call the allegation that we went to their website and clicked links “hacking” and “stealing” is absurd. To demand myself, David Curlee, my former co-worker, this blog at large and unnamed Does 1-50 turn over our entire digital lives (phones, computers, hard drives, flash drives, CDs/DVDs, etc) to the city to cure this alleged link clicking is ludicrous on top of the absurd. And frankly it’s insulting and malicious.

Fullerton is rotten to the core when it actively buries misconduct by employees and officers but attacks bloggers & journalists for revealing truths. That our council would vote 5-0 to pursue this lawsuit and then vote 4-1 to continue it says a lot about our supposed leadership.

Thankfully the TRO was stayed by the Appellate Court and we are free to resume publishing. This is going to continue at least until 21 November and we’ll keep you posted as to the status of this ridiculous lawsuit.

Meanwhile I’m now out of a job thanks to this lawsuit while bills and attorney fees stack up. A good friend and all around great guy, Erik Wehn, set up a GoFundMe account and I’ll incur his wrath if I don’t mention it [HERE] so there it is and thank you to all of the people who have supported myself and this blog financially, emotionally and spiritually in these trying times. Sincerely thank you.