GCPS Concerns And Attempted Resolutions

Privacy

Note: [04/22/08] base64 Encoding Is Easily Decoded

http://www.toastedspam.com/decode64

E-Mail To Scott Futrell – GCPS Chief Information Officer

—– Original Message —–
From: “M. Weingarten” <mweingarten@earthlink.net>
To: <Scott_Futrell@gwinnett.k12.ga.us>
Cc: <Jorge_Gomez@Gwinnett.k12.ga.us>; <Sloan_Roach@Gwinnett.k12.ga.us>; <Harry_Reamer@Gwinnett.k12.ga.us>; <hayes1@us.ibm.com>
Sent: Wednesday, March 19, 2008 5:12 PM
Subject: Re: E-Mail Tracking And Privacy Policy Concerns

Mr. Futrell et al.:

One question: Are e-mail messages that are currently being sent via your “Go
Gwinnett Portal” being formatted in the exact same manner as the one in
question that I sent to you for review? Any changes to formatting at all
since I received the one in question on 03/13/2008? Meaning, should the same
or similar process occur again could I expect to find a message formatted
utilizing 1×1 pixel transparent images?

As you might have been able to determine by reading the content of the
message in question I have always been an active participant in my
children’s education. Many e-mail messages have been exchanged between my
computers and GCPS’. With my youngest being in first grade many more will
follow. I would like to know what to expect.

With respect to these comments found within your report:
…”Mr. Weingarten stated that a file triggered an SSL error that the
certificate was invalid. There is not enough information to determine what
he is referencing but copies of the public certificates are listed below and
they are valid. GCPS does use some internal self signed certificates which
an external user would not be able to validate.”…
I can assure you all of this:
- An automated invalid certificate error was launched from Verisign.
- The certificate error was saved as a file. If I’m not mistaken it’s a DLL,
but I don’t have it handy to review.
- I performed several “Alt+Print Screen” functions to capture the events via
images.
- A 1Mb file download was initiated automatically from Verisign. Upon
completion of the download I was offered the opportunity to save the file
which I did. The file was also found within my cache.
03/13/08 10:28:14 AM 00:12:30 Outlook Express HTTP connection MSIMN.EXE
crl.verisign.com 1587 HTTP Outbound TCP 166 bytes 1.1 Mb 1094

I’ve conducted business online since 1991 when I purchased an IBM PS/1 which
came bundled with a communications program which if I’m not mistaken was
called Promenade. In 1985 IBM Atlanta trained me to install IBM XT (maybe
AT? 8088 processors I believe…) workstations for my employer that we
networked into a mainframe based in St. Louis. I currently conduct business
with associates all over the world and have to respond to dozens of messages
each day. I’m nearly positive that I’ve never experienced a situation like
this before via e-mail. Via the web, yes,… but not via e-mail. This was an
extraordinarily unusual event.

Mr. Futrell, since you copied a number of GCPS employees, many of whom I’m
not familiar with, I would like to take the opportunity to address my recent
dealings with the school system. Every last incident was initiated by GCPS,
I don’t have the time nor desire to pick fights with the school system for
sport. Logic, reason and timing would also suggest that my methods resulted
in the newly instituted e-mail disclaimer found on each GCPS message. I’d
suspect that I wouldn’t win a popularity contest around the office. But, if
the facts were presented to an unbiased, neutral party, I’d be willing to
bet that party would be of the opinion that children will be safer and the
county school system stronger for my efforts, although I’d also be willing
to wager that most GCPS officials wouldn’t share that sentiment.
- Had school buses not abandoned our entire neighborhood on three separate
occasions I would not have pursued the transportation issue…
- Had there been policy to reference or viable contact information available
I would have been able to handle the situation on my own….
- Had anyone in Transportation, Administration or Operations been willing to
work with me I would not have had to take the issue to the extremes that I
ultimately found necessary…
…All of this being said, I knew that if the issue was pressed that someone
within GCPS, even if it were legal counsel, would eventually see the issue
from my perspective. If I were wrong I’m sure that GCPS would not feel
compelled to make changes.

- Had my firewall not lit up like a Christmas tree and Verisign security
warnings not begun popping up all over my screen, I would not have pursued
this e-mail issue…
But as confident as I was that eventually someone would see the
transportation issue from my perspective, I’m equally or more confident that
someone would see this e-mail issue from my perspective if it were forced
on. I sincerely hope that it is not. If I never see the inside of the GCPS
boardroom again it’ll be too soon.

If trying to keep children safe, parents properly informed, and my business
computers secure makes me the bad guy, well so be it I guess.

Thanks -

Martin Weingarten
mweingarten@earthlink.net

—– Original Message —–
From: <Scott_Futrell@gwinnett.k12.ga.us>
To: “M. Weingarten” <mweingarten@earthlink.net>
Cc: <Jorge_Gomez@Gwinnett.k12.ga.us>; <Sloan_Roach@Gwinnett.k12.ga.us>;
<Harry_Reamer@Gwinnett.k12.ga.us>; <hayes1@us.ibm.com>
Sent: Tuesday, March 18, 2008 3:23 PM
Subject: E-Mail Tracking And Privacy Policy Concerns

Mr. Weingarten;

We have reviewed your concerns and the documents you sent to us. I am
attaching the formal Security Incident report for your information.
Normally we do not provide this detailed information, but since you seemed
concerned, I wanted to let you see the level of detail we go through and
the capabilities we have for a full forensic analysis, when needed.

While the report will provide the details, the bottom line is that the
attached file you and your firewall were concerned about is a normal
industry standard gif used by email engines to format the beginning
location of the email. This is a common practice in the industry. Actually
when viewed it is a (-). So, your concern about anything being captured
from your computer, is in fact, not an issue. As of this time, we are not,
and do not plan to capture any information beyond normal network telecom
traffic information.

Your second issue raised was a concern that we do not show or post a
privacy statement on our web site. There is no public law, policy or
practice that requires a privacy notice to be posted on web sites. We will
review the industry practices to determine if it would be good policy to
post one, however the disclosure statement provided on all outgoing email
also serves as notification of the intent of the district. We do not
collect information as to who visits our Web site at this time, however in
the future, it may be a set of data that could contain information that
could be of analytical use to the district, so this is not something that I
would rule out if the school district determined either a business,
educational or security need in the future.

I hope this answers the questions posed.

regards;

Scott Futrell
Chief Information Officer
Gwinnett County Public Schools
scott_futrell@gwinnett.k12.ga.us (Embedded image moved
to file: pic02865.gif) (See attached file: Issue Report(Email
Tracking via Transparent images).doc)

Make it Happen:
“Greatness is not where we stand; but in what direction we are moving.
We must sail sometimes with the wind, sometimes against it
-
But sail we must, not drift, nor lay at
anchor.”
Oliver Wendell Holmes

————————————————————————————————

NOTE: Email is provided to employees for the instructional and
administrative needs of the district. E-mail correspondence to/from
a district e-mail account may be considered public information and
subject to release under Georgia laws or pursuant to subpoena.

————————————————————————————————

E-Mail To Scott Futrell – GCPS Chief Information Officer

Note: It has been requested that details surrounding the circumstances of this meeting with Mr. Futrell be provided.

I arrived at the GCPS ISC and registered as a speaker outside the boardroom for the 6:30 PM public session. I spoke when called and summarized my concerns outlined below before the full board. I asked the board if they were aware of a GCPS privacy policy and the reply was “no.” Mr. Wilbanks then instructed me to speak with Mr. Futrell, the GCPS CIO. Mr. Futrell ushered me to the back of the boardroom and asked that I provide details. I did and he expressed concern over what I had described. He asked that I forward a copy of the e-mail message in question to him the following day for him and his “forensics” team to review. I specifically asked if he would report his findings back to me by way of reply e-mail and he shook my hand and assured me that he would.
—– Original Message —–

From: M. Weingarten
To: scott_futrell@gwinnett.k12.ga.us
Sent: Friday, March 14, 2008 8:58 AM
Subject: E-Mail Tracking And Privacy Policy Concerns

Mr. Futrell -

Thank you very much for taking time to speak with me at last night’s GCPS BOE meeting. We discussed two topics, e-mail tracking via transparent images and a GCPS privacy policy, or the lack thereof.

E-mail tracking:

As I stated before the board last night, I opened an e-mail yesterday (copy attached for review) at which point it became clear that transparent images were embedded within the message.
The images that were of concern are:

https://go.gwinnett.k2.ga.us/icons/ecblank.gif

https://go.gwinnett.k2.ga.us/minoresln01/icons/ecblank.gif

My firewalls are configured to automatically archive all logs daily. As you can see from the two entries that I provided (there are many more) these were very active files as of approximately 10:30 AM yesterday when I opened the message to view.
03/13/08 10:27:41 AM 00:01:08 Outlook Express HTTP connection MSIMN.EXE go.gwinnett.k12.ga.us 45 HTTPS Outbound TCP 307 bytes 2790 bytes 1089
03/13/08 10:28:14 AM 00:12:30 Outlook Express HTTP connection MSIMN.EXE crl.verisign.com 1587 HTTP Outbound TCP 166 bytes 1.1 Mb 1094

Additionally, the file(s) triggered an SSL error stating that the certificate was invalid. I saved this as a file on another computer. What makes these images particularly offensive is the fact that they are transparent to the recipient viewing the message as they surreptitiously report information.

Curiously, as I checked again last night and then again this morning, the files no longer seem to exist.

03/13/08 11:00:40 PM 00:00:02 Browser HTTPS connection MSIE.EXE go.gwinnett.k2.ga.us 0 HTTPS Outbound TCP 0 bytes 0 bytes 1418

03/14/08 07:23:57 AM 00:00:00 Browser HTTPS connection MSIE.EXE go.gwinnett.k2.ga.us 0 HTTPS Outbound TCP 0 bytes 0 bytes 1435
Could not connect to remote server
You tried to access the address https://go.gwinnett.k2.ga.us/icons/ecblank.gif, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.

What happened to the files?
As we discussed, these image files can be used to track messages and collect personal data from the recipient’s computer. Information such as date and times viewed, number of times viewed, IP address, operating system, etc. If by no other means, this information is collected on raw server logs which can easily be used to correlate and track. In the instance of the https://go.gwinnett.k2.ga.us/minoresln01/icons/ecblank.gif image, one could specifically determine that the message originated from Minor Elementary.

Privacy Policy:

We also discussed the fact that GCPS does not maintain a privacy policy. The example I used to convey this point to you was the Georgia Department of Education website found at http://www.doe.k12.ga.us. They prominently display the link to their privacy policy in the lower left-hand corner of each page and maintain their privacy policy at the following URL: http://www.doe.k12.ga.us/privacypolicy.htm
I was very surprised to hear that you and GCPS do not maintain a privacy policy. As discussed, anyone who visits the GCPS website at the very least has date, time, IP address, browser and referrer information stored on raw server logs which can be utilized for any number of uses such as determining progression throughout the website, and from what previous website they arrived. Do you not believe that this should be disclosed to the public? Here is the portion of the GA DOE privacy policy that addresses these issues:

The GaDOE also collects certain information about your computer hardware and software. This information may include: your IP address, browser type, operating system, domain name, access times and referring website addresses. This information is used for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the GaDOE.

Obviously the issue of disclosing e-mail message tracking is of a paramount concern as well.

Thank you very much again, I’ll look forward to your reply.
Martin Weingarten
mweingarten@earthlink.net

Possible GCPS E-Mail Web Bug Discovered

The actual file that can be used to collect private information: https://go.gwinnett.k2.ga.us/icons/ecblank.gif

The HTML tag Gwinnett County Public Schools uses within their e-mail correspondence that can be used to collect private information from recipients: <IMG height=1 alt="" src="https://go.gwinnett.k12.ga.us/icons/ecblank.gif" width=1 border=0> which truncates to <IMG height=3D1 alt=3D""=20 src=3D"https://go.gwinnett.k12.ga.us/icons/ecblank.gif" width=3D1=20 border=3D0> in Microsoft Outlook Express …and without a posted privacy policy to be found on their website: http://www.gwinnett.k12.ga.us

The actual GCPS HTML tags discovered embedded within e-mail correspondence:
<IMG height=1 alt="" src="https://go.gwinnett.k12.ga.us/icons/ecblank.gif" width=1 border=0>

<IMG height=1 alt="" src="https://go.gwinnett.k12.ga.us/minoresln01/icons/ecblank.gif" width=1 border=0>

The tag that the FTC uses as an example of a web bug:
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/">

FTC example URL (PDF): http://www.ftc.gov/bcp/workshops/profiling/comments/wbfaq.pdf

More information from the FTC regarding e-mail web bugs: http://www.google.com/search?q=+site%3Awww.ftc.gov+email+web+bug+site%3A.gov&btnG=Search
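
As an added illustration (not code from the original post or from GCPS), the Python sketch below decodes a quoted-printable HTML mail body, which is the encoding that produces the `=3D` and `=20` forms quoted above, and lists remote 1x1 images such as the two ecblank.gif tags. The sample message, the `cid:` logo and all function names are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a quoted-printable HTML part carrying the two tags quoted
# on this page plus a constructed inline (cid:) logo that should not be flagged.
SAMPLE = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<HTML><BODY><P>Constructed body text</P>\r\n"
    '<IMG src=3D"cid:logo@example.invalid" width=3D120 height=3D40>\r\n'
    '<IMG height=3D1 alt=3D""=20\r\n'
    'src=3D"https://go.gwinnett.k12.ga.us/icons/ecblank.gif" width=3D1=20\r\n'
    "border=3D0>\r\n"
    '<IMG height=3D1 alt=3D""=20\r\n'
    'src=3D"https://go.gwinnett.k12.ga.us/minoresln01/icons/ecblank.gif"=20\r\n'
    "width=3D1 border=3D0>\r\n"
    "</BODY></HTML>\r\n"
)

class TinyRemoteImages(HTMLParser):
    """Collects the src of <img> tags that are remote and at most 1x1 pixel."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # HTMLParser lowercases tag and attribute names
            return
        a = {name: (value or "").strip() for name, value in attrs}
        src = a.get("src", "")
        remote = src.lower().startswith(("http://", "https://"))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if remote and tiny:
            self.hits.append(src)

def html_bodies(raw_message):
    """Return each text/html part with the transfer encoding (=3D, =20) undone."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]

def find_web_bugs(raw_message):
    """List remote 1x1 image URLs that a mail client would fetch on display."""
    finder = TinyRemoteImages()
    for body in html_bodies(raw_message):
        finder.feed(body)
    return finder.hits

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE):
        print("remote 1x1 image:", url)
```

Each URL it reports is a request the mail client makes when the message is displayed with remote images enabled; viewing mail as plain text or blocking remote images prevents that request.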
