Harmon: Please Get Your House In Order

This will seem silly to some, confusing to others, infuriating to a few. I don’t care. Read it anyway. Spare me your emails about editing – this is a brain dump.

State Auditor of Public Accounts Mike Harmon offers what he calls a “SAFE-House” “secure” reporting system (SAFE, according to the site, stands for Secure, Anonymous, File-Encrypted) on his website:


[Screenshot: Harmon site]

[Screenshot: site detail]

Unfortunately, it’s not remotely secure.

It’s not safe for whistleblowers.

It’s not safe for anyone communicating with the APA.

His staff is lying to him about its security and about their dedication to both security and privacy.

I’ve tested the form throughout the past several months – most recently today – in order to keep an eye on its alleged security. Turns out, depending upon the day it’s accessed — because it apparently varies (!) — his “secure” form is less secure than holding a press conference to spill the beans. It’s alarmingly transparent. I didn’t have to put in much effort to determine what was going on.

At various times, the form serves JavaScript from an HTTP connection (not even HTTPS at times, which doesn’t offer THAT much in terms of anonymity and security but would be theoretically better than HTTP) and his staff have implemented Google Analytics code ON THEIR SECURE FORMS. That means they’re tracking your IP addresses, browsing data, all kinds of other information, sharing it with Google and potentially putting you at risk for code-injection by merely using a train wreck of a form that they claim is secure.
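The two defects described above (script loaded over plain HTTP and an analytics beacon embedded on the form page) are easy to check for on a saved copy of any page that claims to be a secure intake. The following is an added example, not code from the original post or from the APA: it walks an HTML document with Python's standard-library parser and flags plain-HTTP resources, known analytics hosts, and inline Google Analytics snippets. The host name `example-apa.invalid`, the two sample pages, and the `TRACKER_HOSTS` list are all constructed for illustration.

```python
"""Audit an HTML form page for mixed content and third-party trackers.

Added example (not the post's or the APA's code). The sample pages and the
host example-apa.invalid are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of common analytics loaders. Constructed list for this example;
# extend it with whatever your own environment considers a tracker.
TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "stats.g.doubleclick.net",
}

# Identifiers that Google Analytics / gtag snippets leave in inline script.
INLINE_ANALYTICS_MARKERS = ("ga('create'", "gtag(", "_gaq")


class FormAuditor(HTMLParser):
    """Collect (severity, message) findings while walking the page's tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # bare attributes like "async" map to None
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self._check_url(tag, attrs["src"])
        elif tag in ("img", "iframe", "link"):
            url = attrs.get("src") or attrs.get("href")
            if url:
                self._check_url(tag, url)
        elif tag == "form":
            action = attrs.get("action") or ""
            if action.lower().startswith("http://"):
                self.findings.append(("high", f"form posts over plain HTTP: {action}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim, so inline
        # analytics code can be spotted by its well-known identifiers.
        if self._in_script and any(m in data for m in INLINE_ANALYTICS_MARKERS):
            self.findings.append(("high", "inline analytics snippet on the form page"))

    def _check_url(self, tag, url):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if parsed.scheme == "http":
            self.findings.append(("high", f"<{tag}> loaded over plain HTTP: {url}"))
        if host in TRACKER_HOSTS:
            self.findings.append(("high", f"<{tag}> loads third-party tracker {host}"))
        elif host and host != self.page_host:
            # Any off-site resource leaks the visitor's IP and page URL to that host.
            self.findings.append(("medium", f"<{tag}> loads third-party resource from {host}"))


def audit_page(html, page_host):
    """Return the list of findings for one page; an empty list means nothing flagged."""
    auditor = FormAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page showing the problems the post describes: a script over
# plain HTTP and Google Tag Manager / gtag on the intake form itself.
SAMPLE_PAGE = """<html><head>
<script src="http://example-apa.invalid/js/form.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'UA-EXAMPLE');
</script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<form action="https://example-apa.invalid/safehouse/submit" method="post">
  <textarea name="tip"></textarea>
</form>
</body></html>"""

# Constructed hardened version: same-origin HTTPS resources only, no analytics.
CLEAN_PAGE = """<html><head>
<script src="https://example-apa.invalid/js/form.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<form action="https://example-apa.invalid/safehouse/submit" method="post">
  <textarea name="tip"></textarea>
</form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(f"== {name} ==")
        for severity, message in audit_page(page, "example-apa.invalid") or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against a page saved with "view source" rather than the live site, so the audit itself does not send a request that the tracker would log. Note that this is a static check only; it will not catch scripts that are injected at runtime, which is one more reason a whistleblower form should carry no third-party code at all.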

This means you can easily be identified. Your identifying data could potentially be subject to open records requests. Your supervisor or boss could hunt you down without much effort. Even if withheld from open records requests (that’s to be debated and could be fought because I’ve done it in the past), your data would be instantly exposed to any number of people working within state government – from Harmon’s staff to the Office of the Attorney General when deciding open records appeals. It’s a legitimate risk if you wish to protect your privacy or want to safely blow the whistle on corruption. Those staff may mean well but that means nothing in practice.

I’ve tried for months to get the APA to make changes. There’s apparently no desire to improve. Not even when it comes to security, which would come at minimal expense.

Until Harmon decides to use SecureDrop or PGP/GPG encryption (at a minimum) with more secure email addresses and explicit instructions for minimizing risk, you should not trust his claimed ability to receive confidential information. Neither he nor his staff have any idea what they’re talking about. (Pro-tip: If you don’t know what Tails is or are confused about Tor? If you’ve never heard of PGP and don’t know what an SSL certificate is? You have no idea what you’re talking about. Not to mention your confusion over Google Analytics tracking, SQL injection, .asp security and JavaScript safety.)

For the past week, I’ve attempted to pass confidential information to Harmon’s staff via his Communications Director, Michael Goins, and twice explained the importance of data security. Primarily because I have a strong desire to protect my sources from retaliation. So what’d he do? Despite knowing the risk involved (he follows me on Twitter, I’ve tweeted at him repeatedly about it the past year), he directed me to use their insecure contact form or their insecure hotline. He offered no alternative, shirking his duty and longstanding position in Frankfort. Then he ran his mouth to others, disclosing both my name and the issue I’d attempted to discuss with him. Had it been the source, he would have caused them harm. Not exactly behavior deserving respect from the media or public.

That’s the kind of intellectual laziness that resulted in Tim Longmeyer, Tim Conley, Richie Farmer and Sylvia Lovely. In each of those cases, it took someone going to federal government folks to nudge action. Because state government officials were exhibiting the same disregard and sloppiness as Goins. Yes, it’s really that simple in many cases. Yes, it’s important to name names and call this junk out when it comes to state government. Incompetence is no longer an acceptable excuse.

Another staffer (withholding their name for dramatic effect, otherwise people wouldn’t return to the site at a later date. Love it or hate it, you’ll have to have some patience), upon having a brief conversation with me, rushed to speak with former colleagues (colleagues. plural.) about that conversation with me. Had I not exercised discretion, that would have turned into a typical Frankfort flustercuck.

Harmon’s Executive Director, Sara Beth Gregory, is the only person who didn’t turn a blind eye. She made an effort to accept information in a more secure manner and that’s saying a lot. Unfortunately, I’d already passed information to someone physically at that point. Gregory had a reputation for protecting people when she served in the state legislature and that’s, for whatever reason (this is Frankfort! A rarity), carried over to her work at the APA. Out of several APA staffers in positions of leadership, Gregory was the only one behaving without overt recklessness. Let that sink in.

Mind you, I’m not just some homo hillbilly off the street. Not an unknown entity. The previous Auditor and some of his staff ignorantly tried to blame me for getting Harmon elected (remember when Harmon’s campaign advertised here? they were upset over that – as if it mattered). Harmon’s staff all follow me and have communicated with me for the better part of a decade in their various capacities. I’ve provided information to some of them in the past that has led to prosecution, conviction, legislative change, termination. My point is that they know me and have had positive experiences receiving trustworthy information from me for several years.

As I’ve transitioned from writing and reporting the last couple years, it’s become increasingly common for me to facilitate contact with trustworthy people in government when sources make such a request. Usually when I feel it would be unethical for me to report or too risky for a source for me to report. But particularly when something no one else in regional media can reasonably handle reporting. It’s worked quite well.

But… If *I* can’t get data to them securely?

You absolutely cannot and you should not trust Harmon’s staff until something changes.

Mike Harmon means well. I know that is 100% the case. I detest his personal politics but still know that to be demonstrably true. The actions and lack of attention to detail from his staff, however, would lead the average observer to believe they’re incompetent. It leads someone like me to believe they’re not only incompetent but intensely partisan with no real desire to stop the good old boy corruption running rampant in the Commonwealth of Kentucky.

That has to abruptly change if there’s to be any cleanup in Frankfort.

-Jake