Fullerton v FFFF – Expert Response

You may have seen the City of Fullerton via their attorney Kim Barlow throwing around words like “thieves” and “hackers” in regards to the current litigation they initiated against us here at FFFF. You may have also seen the Fullerton Observer Pravda parroting their nonsense with their own “expert”.

In response we’ve decided to publish the bulk our tech expert’s declaration as submitted to the court for easy reading right here on the blog (CV, footnotes, et in link). We hope this helps clear up a lot of the BS being bandied around to baffle the masses by City Hall and their water carriers.

Please allow us to present the stellar work by John Bambenek.

John Bambenek

Enjoy:

I. INTRODUCTION

I, JOHN BAMBENEK, hereby declare as follows:

1. The facts stated in this Declaration are true and correct of my own personal knowledge, except for those matters expressly stated on information and belief, which matters I believe to be true. If called as a witness, I could and would competently testify thereto.

2. I am filing this declaration in support of the Defendants Friends for Fullerton’s Future, Joshua Ferguson, and David Curlee’s Opposition to OSC re Preliminary Injunction sought by the City of Fullerton (“City”).

3. I have reviewed the following pleadings and documents filed in this case:

  • Complaint for (1) Violation of Comprehensive Computer Data Access and Fraud Act (Cal. Pen. Code § 502 et seq.); (2) Violation of the Computer Fraud and Abuse Act (18 U.S.C. et seq.); (3) Violation of Cal. Gov’t Code § 6204 et seq; Conversion; Trespass to Chattels; and (6) Conspiracy (filed by the City on October 24, 2019);
  • Ex Parte Application for Temporary Restraining Order and Order to Show Cause as to why a Preliminary Injunction should not be issued; Memorandum of Points and Authorities (filed by the City on October 24, 2019);
  • Declaration of Matthew Strebe and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Mea Klein and attached exhibits (filed by the City on October 24, 2019);
  • Declaration of Steve Lee (filed by the City on October 24, 2019);
  • Declaration of Bruce Lindsay (filed by the City on October 24, 2019);
  • Opposition to Plaintiff’s Ex Parte Application for an Unconstitutional Prior Restraint (filed by Defendants on October 25, 2019);
  • Transcript of the October 25, 2019 Hearing on Plaintiff’s Ex Parte Application;
  • Supplemental Memorandum of Points and Authorities in Support of Plaintiff’s
  • Motion for Preliminary Injunction (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Matthew Strebe (filed by Defendants on November 1, 2019);
  • Supplemental Declaration of Mea Klein (filed by Defendants on November 1, 2019);
  • Declaration of Christopher Tennyson (filed by Defendants on November 1, 2019);
  • Declaration of Mike Rice (filed by Defendants on November 1, 2019);
  • Declaration of Marni Rice (filed by Defendants on November 1, 2019); and
  • Declaration of Ivy Tsai (filed by Defendants on November 1, 2019);

4. Based on my expertise and claims made in the declarations filed by the City (as set out in paragraph 3, above), I have reached the following conclusions:

  1. The City’s declarations do NOT substantiate any evidence of unauthorized access or “hacking” as those terms are typically defined;
  2. The use of a VPN or Tor is common among a wide variety of users, including journalists;
  3. The attribution of VPN traffic, Tor traffic, and other “foreign IP addresses” to Mr. Ferguson and Mr. Curlee is, at best, deeply flawed.

5. For purposes of this declaration and to aid the Court in its understanding of the issues presented in this case, I have created a Dropbox folder to simulate the underlying circumstances that gave rise to this case. I do not have any access to the documents that are at issue in this case, and do not have the ability to reconstruct the exact configuration or access the Dropbox account at issue since it has since been modified and is no longer available through its original link, www.cityoffullerton.com/outbox. However, my reconstruction is consistent with information provided by the City in its declarations and the websites and information associated with this case.

II. QUALIFICATIONS AND BACKGROUND

6. I am President of Bambenek Consulting, LTD, a cybersecurity investigation and intelligence firm in Champaign, Illinois. I have worked 20 years in cybersecurity and consult with a wide range of law enforcement entities both in the United States and abroad on matters related to cybercrime or hostile nation-state activity. A true and correct copy of my curriculum vitae is attached as Exhibit A, and is incorporated by reference herein as if set forth in full.

7. I have been an adjunct lecturer in the Department of Computer Science and the School of Information Sciences at the University of Illinois teaching courses on digital forensics and cybersecurity. I am additionally an instructor at Parkland College also teaching a course on networking.

8. I am a co-author and helped design a digital forensics curriculum with the Information Trust Institute at the University of Illinois that lead to the create of interdisciplinary CS and Law courses on digital forensics and investigation.

9. Additionally, I have advised and continue to advise individuals on privacy and how to protect their information and privacy against hostile governments, abusive ex-partners, and variety of threat groups that target typically disadvantaged individuals and groups. I recently spoke at a conference discussing mobile malware attacks attributed to the Chinese government against Uighur Muslims and Tibetans .

10. I have assisted in law enforcement investigations including cases involving the 2016 presidential election including activity that helped retrieve some documents stolen by the Russian Government from the Democratic Congressional Campaign Committee. Most recently, I was the expert witness in Obeidallah v. Anglin, 2:17-CS-00720 (S. D. Ohio) where I testified in matters related to cryptocurrency and financial assets in a civil litigation matter.

11. I additionally provide auditing and consulting for a variety of companies, including law firms, on data protection and obligations around data security to comply with regulation or privilege.

12. I speak at conferences all over the world on matters relating to cybercrime investigation and threat intelligence and how to attribute malicious activity to individuals using technical information and metadata.

III. ANALYSIS

A. The City’s Declarations Provide No Evidence of “Hacking” or Unauthorized Access.

13. Dropbox is a web-based, file sharing application that allows individuals or organizations to store documents for their own use, share them with specific e-mail addresses (accounts are tied to e-mail address in Dropbox), or to make them available globally, worldwide, and without any access control.

14. These settings are under the complete control of the owner of the files. In the web interface, there is a “share” button that allows file owners to either share their files or keep them confidential however they may see fit. For example, if a user wishes to share a file, via Dropbox, with their attorney for review, the user could send an email from the web interface to the attorney’s specific email address. Below is an example of a screenshot of the interface demonstrating this capability, which was created in a simulated folder created for this declaration:

15. Dropbox provides a variety of security settings and access limitations, which could expire a link at a given time, prevent downloads, and determine who has access. A screenshot of the possible access restrictions for the fictional folder used as an example in paragraph 9, is below:

16. It appears from the City’s declarations that the City set its folder permissions to intentionally allow anyone with the link can view it. When you select this level of access, Dropbox makes clear that “Anyone with this link can view the folder.” A screenshot of how this would appear to the creator of the folder or the administrator of the account appears below:

17. This means that the City created the URL (or internet address for the Dropbox account) and mere knowledge of that URL is sufficient for access. Anyone with knowledge of the URL would have access would only have to go to that website to find that the entire folder contents are available and visible, including any and all subfolders that are stored therein. An example of how that would appear to a user who enters the URL of an unrestricted Dropbox account appears below:

18. The City’s administrator for its Dropbox account could have also changed the global access restrictions so as to prevent information from being disclosed outside of various groups. An example of these global settings can be seen in this screenshot:

19. While explanations of the configuration of the City’s Dropbox security settings are notably absent from its declaration, there are no allegations in the City’s declarations that I have reviewed that even allege that there was any access or password restrictions on the City’s Dropbox account. This confirms that the set up I have described in the preceding paragraphs was the manner in which the City’s Dropbox account was configured and that anyone with knowledge of the URL could see and access the folders contained therein.

20. As the City set the configurations on its Dropbox account so anyone with the URL could access the folders, subfolders, (and by extension the content contained therein), they themselves made this information available to anyone, anywhere in the world to download at any time and for any reason.

21. Compounding these problems, the City then expressly changed its URL (or the address of its Dropbox) to www.cityoffullerton.com/outbox, making it appear that the Dropbox account was an ordinary part of the City’s website.

22. Accessing a typical Dropbox account would require someone to go to www.dropbox.com and enter their login credentials, including a user name/email address and a password. An example of this can be seen in the following screenshot:

23. However, the City’s Dropbox was intentionally changed from this routine configuration, leaving no conspicuous way for the average user to know that the webpage housing the files was anything other than the City’s website.

24. From my review of the City’s website, the City also uses this configuration for various other types of disclosable public records and information. For example, information about the City’s meetings, including agenda and minutes, is available through the City’s website, by going to www.cityoffullerton.com, then clicking on the “Government” link, then on the “City Clerk” link, and then on the “Meetings and Agendas” link. However, this directs the user to the City’s Granicus account, which is a software platform used to manage government meeting data, including the storage and public access of agendas, minutes, and recordings of public meetings. The City uses OpenGov, another cloud-based software program, to manage and provide public access to its financial data. This is available directly through the City’s website by searching for “budget” in the website’s search feature, and clicking on the first link “City Budget”, and then clicking on link “OpenGov,” where the City directs users for information. There is no statement by the City in contained in any of these links or on any of these webpages which provide “express authorization” as to which links or files can be accessed by the public because the presumption is that information on a City website is public.

25. I have also reviewed the emails and communications described in and attached to the City’s declarations, but found no reference to any use restriction or admonishment until the City’s July 2019 correspondence to Kelly Aviles advising that accessing the Dropbox account was no longer authorized. Nor are there even any “terms of use” on the Plaintiff’s website to indicate such a restriction, even though that would not necessarily be sufficient to notify visitors that information on a public agency’s website was not intended for public access.

26. In my professional capacity as someone who evaluates security configurations of organizations with privileged and confidential information, I would have rated such a setup at an extremely high risk and priority for immediate change. The use of Dropbox to share confidential information or privileged communications is simply an unacceptable risk. Its use in this way can accurately be assessed as gross negligence.

27. This is particularly problematic for certain uses that are bound to keep information confidential. For example, attorneys have a duty of confidentiality, requiring them to take reasonable steps to maintain client information. (See California Rules of Professional Conduct, Rule 1.6; Cal. Bus. & Prof. Code § 6068.) This set up would be insufficient to ensure that confidential information is maintained. (See, e.g., https://www.americanbar.org/groups/business_law/publications/ blt/2017/09/01_kohut/; http://www.abajournal.com/magazine/article/ethics_secure_ client_communications/?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly; https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/2010-179-Interim-No-08-0002- PAW.pdf; https://www.sdcba.org/index.cfm?pg=Legal-Ethics-Opinion-2012-1.)

28. Similarly, Dropbox provides information on the appropriate use of its platform for HIPAA-related information, which requires specific configurations and access restrictions. It appears from Plaintiff’s declarations that the City failed to follow any of these steps to protect the information they stored on their Dropbox which they claim is confidential. In fact, the steps they did take removed what little security is typically available in a default configuration.

29. Typically, “hacking” refers to the use of some tool or technique that defeats defenses in a computer system. A password cracking program may try to guess the password for an account. A tool may attempt to exploit a vulnerability to get access to the underlying database of a website. Malware (or colloquially, a “computer virus”) may be installed on a victim machine to give access to information. There is no evidence that any tool, vulnerability, technique, or manipulation of a computer system occurred by the Defendants in this case, nor does the City allege that there was any such action.

30. In the terms of the Computer Fraud and Abuse Act and its related state statute, the specific formulation is “exceeding access” or “unauthorized access” of a protected computer system. In this case, the Defendant could not have exceeded or acquired unauthorized access. The computer system (Dropbox) gave Defendants and the public exactly the access that the City set in the first place.

That may have been a mistake on the City’s part, but the system worked exactly how it was designed with the exact settings it was given.

31. In light of the above and in the absence of other evidence not yet in the record, I conclude that the city had no technical restrictions on accessing the data so a computer system was not subverted to access the information. I further conclude there was no stated access restrictions, so no “administrative” access controls were subverted either.

B. VPN Use is Common and Appropriate

32. A VPN is an encryption-based technology to keep one’s network traffic secure.

33. The City and its “expert” appear to infer that its use demonstrates an ill intent or conscious of guilt. Use of a VPN says nothing about the propriety of the actions taken while using a VPN. There are a wide variety of use cases for this tool and like all tools, it can be used for good or for ill.

34. Journalists use VPNs. The Global Investigative Journalism Network recommends the use of VPNs for journalists . This is especially true for investigative journalists who are looking into government misconduct (like the kind uncovered and alleged by the journalist in this case). This is because governments often retaliate against those journalists and impose “personal costs” (such as losing one’s job) as a price for uncovering misconduct. Ironically, the City’s actions in retaliation for the reporting done by Defendants in this case is exactly the kind of case study for why this advice exists.

35. The FBI recommends that political campaigns use VPNs in light of election manipulation attempts, the Electronic Frontier Foundation produces a guide on personal VPNs designed for journalists, activists, LGBTQ persons, academic researchers, and others. A personal VPN might be used by a victim of a domestic abuses to make them harder to stalk.

36. A VPN is used often in business for secure access to corporate networks. A VPN can be used in academic to access University resources while remote. A VPN can be used to access video content, circumvent censorship, or to protect the confidentiality of someone who may be facing threats.

37. I, too, use several VPNs, one to access corporate files securely on untrusted networks, one to access campus resources provided for faculty and students only, and a personal VPN to watch “American” Netflix while overseas.

C. Attribution of VPN and Tor traffic is deeply flawed

38. There at no statements in Mr. Strebe’s declarations authenticating the logs attached as Exhibit A. The logs contain a table of information. The eighth column has no header but is populated with names from time to time (e.g. Tor, PureVPN, etc). There is no information about what this is, how it was gathered, or how it can be reproduced.

39. I created a Dropbox business account to compare the format of the logs that Dropbox itself generated. An example of what I saw in my experimental logs is below:

40. There appear to be key differences in the formats of the logs I obtained from the Dropbox account I created and the logs attached to Mr. Strebe’s declarations. For example, there is no corresponding column provided by Dropbox that maps to the 7th (“Region”) and 8th (untitled) columns in the logs attached as Exhibit A to Mr. Strebe’s original declaration. In Mr. Strebe’s supplemental declaration, the 8th untitled column is no longer included.

41. Also of note is that the logs I accessed from Dropbox using the account I created, unauthenticated users were logged, but only 1st and 2nd octet of the IP address were logged, the other half of the IP address was obscured (i.e. instead of seeing 12.24.36.48, what was produced shows 12.24.XXX.XXX).

42. While the City’s declarations do not state how the logs attached to Mr. Strebe’s declarations were generated, the discrepancies raise serious questions about the integrity and authentication of the logs attached to Mr. Strebe’s declarations, as they appear to have been manipulated or modified by the “expert,” compromising the integrity of the evidence.

43. Even presuming that these logs are authentic, and the information contained therein is accurate, there are serious flaws in the City’s analysis of what they purportedly show.

44. Several entries allege Mr. Ferguson’s account was logged into Dropbox and accessed city records purportedly from PureVPN (12/28/2017, 12/30/2017, and 3/29/2018 from Oslo and 10/26/2018, 10/27/2018, 10/30/2018, and 11/06/2018 from the Netherlands). There are no log entries produced by the City that indicate other occasions of Mr. Ferguson account accessing the City’s Dropbox. There are no logs at all indicating Mr. Curlee’s purported access.

45. Plaintiff then uses these brief occurrences to conclude that all access via PureVPN to Plaintiff’s Dropbox must be from Ferguson, Curlee, or their “unnamed associates.” (Strebe Dec., ¶ 40).

46. The City then reaches even farther to suggest all accesses via Tor must also be from the Defendants despite the complete and utter lack of evidence for that conclusion in their own exhibits. (See Strebe Dec., ¶ 60.)

47. The City and Mr. Strebe, undaunted by a complete lack of evidence and unhindered by any respect for appropriate investigative reasoning, then decide all access from foreign IPs otherwise unattributed must also be from the Defendants. (See Strebe Dec., ¶ 51.)

48. The only indication Plaintiff’s give for such reasoning is that some of the access attributed to Tor, PureVPN, or other “foreign” IP addresses was for documents responsive to records requests made by the Plaintiff that no one else would know. But this is a conclusion, not evidence. Nor is such a conclusion warranted based on the purported Dropbox logs.

49. PureVPN, according to Crunchbase has $15.7 million in revenue. Assuming that is correct, and based on the listed monthly cost of service (before discount) at $10.95/month , this would equate to approximately 120,000 PureVPN users. It defies credulity that Plaintiff could have eliminated all but 2 of those users from this activity.

50. According to the Tor Project, there are currently around 1.75 million active daily tor users . While there was at least some limited activity that Plaintiff could attribute to Defendant Ferguson via PureVPN, there is no activity over Tor that contains metadata implicating the Defendants.

51. The City and its “expert” stated there was a foreign access to Dropbox content on August 23, 2017. (See Strebe Dec., ¶ 37.) They argued this was “likely an authorized user” but provide absolutely no evidence for that conclusion. Who is the authorized user? How do they know its authorized? The ambiguity on that point stands in stark contrast to the certainty they express previously about all PureVPN, foreign VPN, and Tor traffic must be the Defendants.

52. Mr. Strebe also makes liberal use of printouts from a website myip.ms. This is not a forensically sound way to attribute IP addresses. There is no documentation as to how myip.ms works or where it gets its information, which makes it use questionable, at best.

IV. CONCLUSION

53. The evidence presented by the City in no way supports any allegation of “unauthorized access” or “exceeding access” of any computer system. The evidence shows that the City itself placed this information on the internet without access control allowing anyone full permission to download the content. The access logs, even if authenticated, do not substantiate, in the absence of other corroborating evidence, that all Tor, VPN, and foreign traffic belongs to the Defendants. Nor is Mr. Ferguson’s use of PureVPN a sufficient or even suggestive data point to implicate guilt.

I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct and that this declaration was executed on November 7, 2019, at Chula Vista, California.

Fullerton v FFFF in the News

OCR- Top of the Fold

Today we were Front Page, Above the Fold in the Sunday edition of the Orange County Register [HERE]. The article was good overall and addressed many of the issues surrounding the ludicrous case the City has lodged against us.

This comes on the heals of several articles which have been written by The Voice of OC [HERE], [HERE], [HERE], [HERE] & [HERE] as they have been on the ball and running hard with this story. The Voice is local, fact-based journalism at it’s finest.

We got some good coverage of the story over at ShadowProof [HERE] which itself was picked up by the paper the Florida Oracle [HERE].

The Orange Juice Blog brilliantly took the city to task for being not just incompetent but downright evil [HERE].

The FullertonRag showed their support for dropping this case [HERE] in a perfect example of understanding that we don’t all need to get along in this fine town on all things to align on principles of utmost importance.

Then of course we have the great write-up by the Reporters Committee for Freedom of the Press [HERE]. It should be noted that this influential group also filed an amicus brief on our behalf in the appellate court supporting the striking down of the unconstitutional prior restraint issued against us by the trial court.

A lot has happened since the city took us to court a little over two weeks ago and it’s not over yet. Other reporting groups, First Amendment organizations and journalists have reached out for comment and we are fully expecting more news in the days to follow leading up the trial on 21 November.

Nearly all of those articles have been objective fact based or on our side for obvious reasons. However – If you’re concerned about having a Fair and Balanced view on this lawsuit you can check out the city’s side of things by heading over to the Fullerton Observer Pravda where they’re doing a bang up job reporting all the news that City Hall sees free to print.

We’ll keep you updated and post more stories both here and to Facebook as they appear so if we miss one please leave it in the comments or tag us on FB.

Fullerton Observer Acts as an Arm of the State, Actively Helps Pursue FFFF as Criminals

Pravda
Fullerton Observer in their Native Russian

In a twist worthy of Pravda, the Fullerton Observer has gone all-in with being an arm of the state. Sharon Kennedy retained a computer expert to help the city in their lawsuit against us, a rival news organization here in the City of Fullerton. That “expert” has now written a declaration for the city in their lawsuit against us evil “hackers”.

Sharon Kennedy’s own contracted “expert” is now working in cahoots with the city. In a terrible look for local journalism Kennedy has literally retained somebody to help the government attack the First Amendment. From his declaration (emphasis added):

I was retained by the newspaper, Fullerton Observer, to analyze the expert declaration of Matthew Strebe submitted by the City of Fullerton and provide an independent opinion on whether a connection could be made between the City of Fullerton’s Dropbox account and the Defendants associated with Friends for Fullerton’s Future Blog, including named defendants Joshua Ferguson and David Curlee. I reviewed the Declaration of Matthew Strebe, summarizing his forensic analysis of the incident involving the City of Fullerton’s private records.”

The Reporters Committee for Freedom of the Press came to our aid, as have multiple other outlets. Meanwhile the Observer is the only, I repeat THE ONLY, media outlet to openly support the City in attempting to limit the first amendment to whatever the government wants it to say.

It’s not often you get to see a journalistic outlet try and tank a rival at the behest of government – well, not often outside of Mother #Russia anyways. Yet, here we have the Fullerton Observer helping attack us with “expert” testimony while simultaneously claiming on every article their desire to “Protect local journalism”.

Thankfully while Fullerton Pravda…. I mean the Observer was carrying City Hall’s water we went ahead and found our own expert who concluded the following [Linked HERE]:

“The evidence presented by the City in no way supports any allegation of “unauthorized access” or “exceeding access” of any computer system. The evidence shows that the City itself placed this information on the internet without access control allowing anyone full permission to download the content. The access logs, even if authenticated, do not substantiate, in the absence of other corroborating evidence, that all Tor, VPN, and foreign traffic belongs to the Defendants. Nor is Mr. Ferguson’s use of PureVPN a sufficient or even suggestive data point to implicate guilt.”

This case just keeps getting crazier by the day. I knew Sharon Kennedy and her Observer had issues with this blog but I never expected her to literally contract somebody who then attacks us in court at behest of the city’s ludicrous and defamatory allegations.

Joshua Speaks about Fullerton v FFFF Lawsuit

Joshua Voice of OC
Photo by JULIE LEOPO, Voice of OC

I’ve been pretty quiet since the City of Fullerton decided to sue me, David Curlee and this blog. We were under a Temporary Restraining Order (TRO) so knowing what I could and could not post was up for legal debate. Yet at the same time the TRO was active, the City Attorney, Kim Barlow, was out in the open calling us hackers and thieves to our friends, neighbors and the world at large.  Yay illegal prior restraints in violation of the 1st Amendment.

The basic issue here is that City Hall screwed up and then decided to smear and scapegoat us to cover their own bureaucratic hindquarters.

To this end they hired some experts to bloviate about BS in an attempt to confuse people and obscure the truth about what is actually being alleged against us and City Council bought it hook, line and sinker.

The ink on the City’s Press Release hit-piece was barely dry before The Fullerton Observer uncritically reprinted it and in an effort to attempt cover the story they brought in their own “expert” who copy and pasted the City’s nonsense in order to paint us as hackers and villains with malicious intentions and evil schemes.

But now I’ll tell you what is actually being alleged; The City is alleging that we went to it’s website and clicked links.

That’s it.

All of their preening about VPNs/TOR, link hashes, network security – All Of It – is a smokescreen. Despite the nonsense about needing to delay the lawsuit to secure the city’s network, the city never alleges that the their network was ever breached or hacked.

The real meat and substance of their argument and allegations is that we “exceeded authorized access” and are therefore “thieves” and “hackers” under the Computer Fraud and Abuse Act as well as the California Comprehensive Computer Data Access and Fraud Act.

We allegedly “exceeded access” because they say we went to a link on the city’s own website, a link they themselves claim that they told us about, and allegedly clicked on files and folders they put there for the whole world to see plain as day. The argument is that we should have known better and shouldn’t have clicked on the files they put on the internet at the website they told us about. That is literally their allegations. That’s it.

We’re apparently supposed to have known what a $1Million+/year worth of government employees & lawyers didn’t know – that some files the city put online shouldn’t have been accessible from the city’s own website.

To bypass the obvious First Amendment issues in this lawsuit and to obtain their TRO the city made the claim that we accessed files that contain privileged medical records of police and their families, etc.

This is why they claim to have needed the prior restraint against us publishing data – to mitigate financial risks to the city. But there is no evidence this blog has published any such information made in the city’s grand accusations. Information, mind you, that the City themselves claim to have put on the internet for the entire world to access. By their logic we shouldn’t be allowed to do as journalists what they themselves have already admitted to doing as incompetents.

The City is trying to unring a bell here and blaming those who allegedly heard it instead of admitting they caused the commotion when they bonked their own heads.

Even if what the city alleges is true, that we allegedly went to the city’s own website and clicked links, the liability and financial risks to the city are of their own doing by their own admissions. It is not the responsibility of journalists or even the public to safeguard the city’s corruption and secrecy after the city itself has put it on display for the entire world.

To call the allegation that we went to their website and clicked links “hacking” and “stealing” is absurd. To demand myself, David Curlee, my former co-worker, this blog at large and unnamed Does 1-50 turn over our entire digital lives (phones, computers, hard drives, flash drives, CDs/DVDs, etc) to the city to cure this alleged link clicking is ludicrous on top of the absurd. And frankly it’s insulting and malicious.

Fullerton is rotten to the core when it actively buries misconduct by employees and officers but attacks bloggers & journalists for revealing truths. That our council would vote 5-0 to pursue this lawsuit and then vote 4-1 to continue it says a lot about our supposed leadership.

Thankfully the TRO was stayed by the Appellate Court and we are free to resume publishing. This is going to continue at least until 21 November and we’ll keep you posted as to the status of this ridiculous lawsuit.

Meanwhile I’m now out of a job thanks to this lawsuit while bills and attorney fees stack up. A good friend and all around great guy, Erik Wehn, set up a GoFundMe account and I’ll incur his wrath if I don’t mention it [HERE] so there it is and thank you to all of the people who have supported myself and this blog financially, emotionally and spiritually in these trying times. Sincerely thank you.

Fullerton v FFFF – Appeals Court Rules in Favor of FFFF

Stay of TRO

The Court of Appeals has issued a STAY on the Temporary Restraining Order issued against myself, David Curlee and this blog regarding publishing of information allegedly obtained through the city’s Dropbox:

“That portion of respondent court’s October 25, 2019 order cited above (paragraphs (1)(j) and (1)(k)) is STAYED pending further order of this court.”

Paragraphs (1)(j) and (1)(k) are as follows:

(j) Selling, publishing, distributing, disclosing or otherwise using any of the information or documents obtained from the City Dropbox folders and files listed at Exhibit A, without the City’s permission, or a valid court order; and

(k) Conspiring with third parties to sell, publish, distribute, disclose or otherwise use any of the information or documents obtained from the City Dropbox folders and files listed at Exhibit A, without the City’s permission, or a valid court order.

This means that the prior restraint against us has been struck down. The court also granted the amicus application from Reporters Committee for Freedom of the Press.

Read the ruling [Here]

Reporters Committee on Press Freedom Files Amicus Supporting FFFF

On Sunday, 03 November 2019, the Reporters Committee on Press Freedom released an article [HERE] outlining their read on the case against us. They see the overreach and concern to journalists being posed by Fullerton’s read on the law.

“The prior restraint sought here is, of course, concerning. But this is the first case we’re aware of where the computer crime laws have been misused so brazenly against members of the news media. First, the conduct alleged — accessing publicly available documents over the public internet — is clearly not hacking. A court finding that accessing publicly available documents over the public internet constitutes hacking would pose serious concerns for data journalists.”

Two days later, 05 Nov, the same day the City Council voted 4-1 to continue the lawsuit against this blog and two of your humble friends, the RCPF filed an amicus brief supporting us in our appeals court effort to overturn the Temporary Restraining Order issued against us.

You can read the entire RCFP Amicus Brief [HERE]. Some highlights are as follows.

The allegations:

“The essence of the City’s allegations in this case is that bloggers reporting on newsworthy matters of clear public interest (namely, potential government misconduct) violated federal and state hacking laws by accessing information that was made available online by the City to all the world. The City claims it is entitled not only to an extraordinary prior restraint on publication but also damages, in part for claims against the City for breach of confidentiality caused by the City’s own cybersecurity lapses.”

This was not hacking:

“If Amicus’s reading of the declaration of the City’s information technology expert is correct, one did not even need a username or password to access files in the Dropbox account maintained by the City, in which it commingled allegedly sensitive and privileged information with material that it affirmatively invited public records requesters to download.”

The theft from a “house” analogy doesn’t work:

“A public website, including the Dropbox account here, is not like a “house.” When an entity chooses to make information available to the public on the internet, without a technical access restriction like a password, that information can legally be accessed by anyone.”

VPNs/TOR are industry practice:

“It is true that the use of a VPN and Tor serves to protect user anonymity, and that “even some journalists routinely use” them. Id. Indeed, the use of such services is not only commonplace among journalists—it is a recommended industry practice.”

“Everyone should be using encrypted services and applications to protect their communications. In fact, in 2017, the American Bar Association’s Committee on Ethics and Legal Responsibility recommended that lawyers use “high level encryption” or other “strong protective measures” to protect sensitive client information.”

Read the whole thing, it’s worth it. We’ll bring more updates as they happen.

City of Fullerton Is Suing Me And This Blog

You may have already seen the story and/or press release from the City of Fullerton articulating their lawsuit against myself, Friends for Fullerton’s Future and others.

You can read the Voice of OC’s write up on this lawsuit from the city [HERE]:

“Fullerton city attorneys are heading into Orange County Superior Court Friday to ask a judge for a temporary restraining order against resident Joshua Ferguson and a local blog to keep them from deleting city records they obtained and also asking a judge to appoint someone to comb through electronic devices for the records.”

That lawsuit from the city is retaliation for a Public Records Lawsuit I filed against the city last week which was written up by the Voice of OC [HERE]:

“Fullerton residents may soon find out exactly how former City Manager Joe Felz was given a ride home by Fullerton police officers after hitting a tree and trying to flee the scene following drinking on election night in 2016, after resident Joshua Ferguson filed a lawsuit against the city to produce police body camera footage from that night.”

I will have more details in the near future but our current response is HERE]:

“The basic purpose of the First Amendment is to prevent the government from imposing prior restraints against the press. “Regardless of how beneficent-sounding the purposes of controlling the press might be,” the Court has “remain[ed] intensely skeptical about those measures that would allow government to insinuate itself into the editorial rooms of this Nation’s press.” (Nebraska Press, 427 U.S. at 560-561.)

“Consistent with that principle, over the last 75 years, the United States Supreme Court repeatedly has struck down prior restraints that limited the press’ right to report about court proceedings. The Court has made clear that a prior restraint may be contemplated only in the rarest circumstances, such as where necessary to prevent the dissemination of information about troop movements during wartime, Near, 283 U.S. at 716, or to “suppress[] information that would set in motion a nuclear
holocaust.” (New York Times, 403 U.S. at 726 (Brennan, J., concurring).)

“This case does not come close to presenting such extraordinary circumstances. Thus, the City cannot prevail as a matter of law, regardless of how the records were originally obtained. The City’s requests are flatly unconstitutional in and Defendants, therefore, respectfully request this Court denying the City’s request in its entirely.”

More to come as these two cases play out in court.

New Lawsuit Against Fullerton Alleges Police Misconduct & Cover-Ups

 

A lot has happened in Fullerton over the last several years and while my involvement has waned ever since the City threatened me civilly and criminally because I happen to be associated with this blog, and this blog published embarrassing things City Hall would rather hide from the people, I have remained committed to finding the truth and speaking up against the vapid and self-serving corruption of our council majority & the city hall they oversee.

In my capacity as a chronic malcontent these last few years I have made numerous records requests looking for information and many of those requests have been ignored, delayed or denied owing to dubious legal claims or just outright misrepresentations of the law. As such I have opted to sue the city of Fullerton for violations of the California Public Records Act.

The now filed Petition for Writ of Mandate alleges that the City of Fullerton has violated the CPRA in regards to my records requests related to no less than 5 separate issues.

Back when I first started filing requests, specifically for the body worn camera and dash cam videos of the Joe Felz DUI incident, the city was able to hide behind a lack of enforceable disclosure laws as SB1421 was not yet the law of the land. Cities did/do this because they know it takes a lot of time, effort and commitment to make them comply with disclosure laws.

Here in Fullerton the arrogance got so bad that they didn’t even try to hide their disdain for the public and transparency. At one point after claiming the Felz video was exempt from disclosure owing to the non-existent sham investigation, City Attorney Gregory Palmer asserted to me; “If you are dissatisfied with the response you have remedies”.

“You have remedies”

Skip ahead a few years and it turns out I DO have remedies and I have opted to act upon them. Hence this lawsuit.

For those interested, the lawsuit reads as follows (after the jump, emphasis in original, exhibits in the Writ link above):

(more…)

Our Response to the City of Fullerton

Kick Rocks

For those of you watching, waiting and counting the days – today is 20 days since we published the second cease and desist letter we received from the City of Fullerton concerning our reporting on local matters of public interest.

20 days is significant as that was the deadline the city gave us for their laundry list of demands.

While we wait to see if the city is going to follow through with their threats we will continue to keep on keeping on.

For now though, feel free to read our response to the City of Fullerton [PDF HERE]: (more…)