By December, 2012, it was declared a success:
This appears to be an intentional form of "advertisement":
The most recent reports are shown above, and the earliest ones are here:
The details of each report are available, including the username, time, User Agent, and IP address. Here's the first report, which appears to be the administrator testing the system on Feb. 15, 2012. (I redacted the last portion of the IP address.)
Here's another report from two weeks later, on another device (also redacted).
Most of the reports are anonymous in the sense that the user's name is not visible, but the other information such as IP, user agent, and time could be used to deduce the user's identity.
Click an item, and click "Details" to see far too much information about it, including the precise latitude, longitude, and device used to make the report:
I wonder if the people making these reports know that so much information is being published about them.
This may not be illegal, but it seems unwise. I can imagine stalkers, angry neighbors, and other people with ill intentions using this information for harm.
from: Sam Bowne <firstname.lastname@example.org>
to: LPD@longviewtexas.gov, CityManager@longviewtexas.gov, email@example.com, firstname.lastname@example.org
date: Sun, Oct 12, 2014 at 12:17 PM
subject: Security Problem in CitySend System: Exposure of Private Data
I am Sam Bowne, an instructor in Computer Networking and Information Technology at City College San Francisco.
I found this page today with Google, and I think you should block it from public access:
That page shows every report into the "CitySend" system, reporting issues like illegally parked cars. The details of every report are visible, including the exact time and IP address, like this:
According to this page, the reports can be made anonymously:
However, exposing the IP address of the reporter could lead to identifying them, rendering the report non-anonymous.
The "Track a Request" page also leaks information unwisely. The map is here:
Clicking a dot leads to this:
The Address indicates the location accurately enough to resolve the problem. However, the Latitude, Longitude, and Device are also listed, which can be used to invade the privacy of the reporter. Suppose an angry neighbor wants to retaliate, or the person reporting the problem happened to be in an embarrassing location when reporting--why is the exact location of their device published for the world to see?
Also, your site uses Drupal 6.30, which is ten months out of date. The current version is 6.3.3:
If you wish to contact me, I am:
Sam Bowne email@example.com
But I certainly cannot recommend taking such unnecessary risks with private data, and I imagine that they will be forced to improve this system sooner or later.
They protected one of the pages that expose IP addresses so that it requires a password for access:
I did find another problem, and warned them so they can fix it.
But the really big problem is now the Drupal update. The Drupal project published this exceedingly scary statement on Oct. 29, 2014:
Drupal warns unpatched users: Assume your site was hacked
So the Longview police would appear to have an incident response process to perform.
Hopefully they will continue to improve their security, and I'll update this article if I learn more.