Local Aberdeen businessman Matt Deilke went before the Brown County Commission Tuesday and asked for IT director Paul Sivertsen’s head. Deilke questioned the reliability of Sivertsen and the Brown County Fair’s online ticketing system that he designed and put in his name, SivTechEvent.com, on GoDaddy’s server instead of the county’s. The Aberdeen American News reported on Deilke’s comments. Deilke himself recorded his complete statement to the board and shares it with us on YouTube:
Deilke questioned the quality and reliability of the ticket sales reports. He noted that the county treasurer saw numbers change from report to report without explanation. Deilke said that Commissioner Sutton told the county treasurer not to question Sivertsen’s financial reports when preparing the sales tax reports.
In his most important statement of his testimony, Deilke said, “We are now at the point where $127,300 in ticket sales that we know of went through an online ordering system with zero, zero oversight from anyone but Paul Sivertsen in IT, who has shown on many occasions to be less than transparent and honest.” I have to agree: the idea that six figures could move through any county office without more than one set of eyes checking that cash flow is incredible.
Deilke reinforced the inappropriateness of Sivertsen’s apparent lack of transparency by citing the Code of Ethics of the Association of Information Technology Professionals, which states in part that IT professionals shall not “misrepresent or withhold information concerning the capabilities of equipment, software or systems” nor “misrepresent or withhold information that is germane to the situation.”
Citing US Bank’s statement that they could have provided similar services without added expense within the context of their current relationship with the county, Deilke said that Sivertsen spent a year developing a system “at the taxpayers expense that was a flop for nothing, costing us tens of thousands of dollars, all because he chose to lie and say he contacted our credit card providers when he did not.”
Deilke said that Commissioner Sutton’s long-standing friendship with Sivertsen warrants his recusing himself from further county decisions relating to Sivertsen’s work for the county. Offered a chance to respond at this point in Deilke’s statement, neither Sutton nor any other commissioner did.
Deilke reminded the commission of their willingness to overlook Sivertsen’s double-billing of the county for a couple of computers and to hire Sivertsen on a 3–2 vote just two months after that double-billing was in the news.
Deilke asked the commissioners to fire Sivertsen. No commissioner spoke up. Commissioner Rachel Kippley, who joined Commissioner Tom Fischbach in voting against hiring Siversten last December, said she’s not ready to make a motion on the idea of firing Sivertsen, but she said to Deilke, “I do want to do some digging on the things you’ve brought to light.”
We’ll see at upcoming meetings just how much digging Commissioner Kippley does and what action such digging warrants.
There is the obvious question of how this matter of ticket sales figures into the firing of the fair manager. It is another case of the abject cronyism and predilection for malfeasance and misfeasance that has become the operating principle for anyone involved with the South Dakota GOP.
I, too, thought of Karla Pfeiffer when reading this posting. It was apparent from the video that there was tension between Pfeiffer and the Commission. Reading the KDLT-TV story (http://www.kdlt.com/news/local-news/Brown-County-Fair-Manager-Fired-After-5-Months-On-The-Job/34911160), among others, makes me wonder what the Commission is really doing. As was noted elsewhere on this blog, Pfeiffer was the third Fair manager in four years.
I’m glad you wrote this post Cory. I read through the story twice on the GOP Press Release Blog, and it was so poorly written that I couldn’t understand what was going on. At least over here you know how to write a story that the reader is more knowledgeable after reading it rather than just 5 minutes older and confused.
“Commisioner Sutton told the county treasurer not to question Sivertsen’s financial reports when preparing the sales tax reports.”
What? What! That statement alone tells me something fishy is going on. And no commissioners other than the new one said a word? This stinks. Are the citizens of the county getting upset? I hope so.
Good work Cory.
Wow, as an IT person myself, and one that has some experience in doing contract work, this was very difficult to watch. If even half of what I saw is true this guy is a real piece of work and should absolutely have all employment and contracts with them severed. How the heck does someone get away with this type of stuff? This guy made bank ripping the county off and apparently nobody thought to raise a red flag when they saw that much money flowing to him?
To make matters worse, I hope people didn’t actually put credit card information on that site! That site is not running over an encrypted connection by default, and even if you force it the certificate is not valid for that site. This is very bad work and it potentially exposed any data that was provided to the site…
Unbelievable.
Sorry, flooding you comments, but for fun I decided to see what comes up with the brown.sd.us website – If you load that page secure it is using a certificate assigned to aktualieserungsantrag-post.de … What in the **** is that? .de is the Top Level Domain for the Federal Republic of Germany. Why would that certificate be installed on a brown.sd.us server? Does this same guy run that too?
Nate, thanks for taking a hard look at the site! May I forward your observations to our county commission? They might appreciate an outside IT security assessment. I have no idea how Brown County would be using a German certificate, but I would assume that the IT director could explain that.
Once again, this is just fun… I’m trying to put this in English, and I’m just touching a few things here.
I found a reference to that certificate here : http://pastebin.com/CLXFyKrB
This is a list of sites that were apparently targeted by a group called Fallag Becem or Fallaga Team. Where did this list come from?
The list appears to be generated by a DNS server. (A DNS Server is a name server, it changes the .com you type in your browser to the actual IP address of the server that hosts it so that you can view a page)
This specific DNS server is hosted on the same server that hosts the actual web sites for brown county. All of the items in the list above are found on this DNS server. First, I don’t even know why this DNS server is running because nothing I checked in my spot check seems to even use it. This server is NOT authoritative for the domain, so when you type in brown.sd.us you do not actually query this server, it appears that query is sent to other servers run by the SD government.
Regardless of why this server even exists, the fact that these records were able to be pulled shows that this server has not been properly secured. There is no excuse for this. Further indications that this server has not been secured properly can be found by the obvious certificate issued to a German domain that is present on this server.
You will also find on this list:
http://browncountyfairgrounds.com
http://browncountylandfill.com
http://browncountylandfill.org
http://brown.sd.us
Along with 300+ other sites.
There are other actual web sites sites hosted on this same server such as jimriveroutfitters.com (which happens to be the name that comes up if I do a reverse lookup on the IP address itself, turning the IP address into a domain name, reverse of what you usually do.)
So, who controls this server, I hope it’s not actually a county server, it seemed that they thought they had one. I wonder what the county is paying for this shared space that has apparently been targeted due to very poor security practices.
Yes, you can forward.
Thanks, R! The Aberdeen paper did a reasonable job of reporting the presentation, but it left out some details from Deilke’s presentation that seemed important.
One thing the paper mentioned that I didn’t is that the county apparently turned down Deilke for copier bid that the county rejected in favor of “a vendor that Sivertsen recommended.” Deilke could be cheesed about that, but his presentation seems like an awful lot of work to go to over one contract out of surely many available around town.
By the way, at today’s Brown County Republicans’ luncheon, an attendee recognized Commissioner Kippley for saying she would dig into this matter, and the audience mostly applauded. That applause suggests that the issue is not partisan (and I hear Deilke is a Republican as well).
Nate K I truly appreciate the effort of you and of course the author of this article are putting in. I was also thrilled with the extra research and linking of materials I presented as well as information I did not yet touch upon. Nate please contact me through Facebook and I will give you my phone number as I would like to further discuss your findings.
Now to touch upon the so called bid I didn’t win. The paper is printing a correction, or so I’m told, on that. I was there previously but it was to inquire how to be put ON the bid process. In fact I never put in a bid on this purchase. Truth be told I wasn’t really interested in bidding evident by the fact that in 9 years I have submitted quotes to the county twice but only after individual department heads approached me about doing so. I was really there to point out lies Paul Sivertsen told to commissioners and in the meeting previously about a machine I had sold to the register of deeds about 6 months prior.
Part two of the bid being referenced here is that the rep on this sale was former commissioner Mike Wiese who was the swing vote that was needed to hire Paul in December. Also worth noting that according to Paul and the city attorney based on what they said was needed an extra $2000 of unneeded accessories were purchased with this machine and based on a quick search I did they over paid by $1200 on the copier itself.
Matt! Thanks for that clarification! I’m glad to see the paper will clarify that matter, since it seemed to be the only detail that might lead cynics to question your motives. With that error corrected, the story as it stands is pretty much concerned citizen, with no evident ulterior motive, pointing out bad business/info-security practices on the part of the county. Matt, would you like to forward Nate’s comments to Commissioner Kippley yourself, or shall I forward those comments to her in the morning?
Cory, assuming you have both of our email addresses you can email mine to Matt.
Cory, I think it would be best to come from you as it shows that others are getting actively involved. To answer the rumor you heard, yes I am a republican.
It appears they are all hosted at GoDaddy. They have 3 large data centers in the phoenix area: http://184.168.47.225.ipaddress.com/
I’ve seen the ssl issue before with Godaddy if they aren’t explicitly disabling encrypted connections. It won’t be long for ssl to be required once google offers a free cert issuing service. You wouldn’t catch me buying a ticket from there, but not seeing the actual order form I’m not sure if the checkout is through a 3rd party or if the info is collected on a form on the site. Many sites redirect to payment services like paypal, but then you are looking at more costs which I would expect would be reported on so that probably isn’t likely unless someone can confirm that. You aren’t going to be taking online payments without someone taking a cut so I’d be curious to know that info if I lived in Brown County, especially if you have a current financial relationship that would allow for such payments to be received at no cost. There are apis out there that can allow a user to process payments with encryption, but that can still leave the step between your machine and the hosting server open for capturing that vital data. A scan doesn’t show any iframes so they aren’t pulling in a 3rd party form, but that could be removed now that sales are closed. Either way, that site could be created in a weekend, even if the form got a little complex.
Definitely shady to say the least.
The ticket site does appear to be on GoDaddy – and your right, some of the transaction details could have taken place on a 3rd party server that is secure – but even in it’s current state the web site is capable of collecting information with no indication that I can see that it linked to another party. I hope that any CC transactions were done using a 3rd party page.
As for the other sites (ie. brown.sd.us) that server does not appear to be go daddy. http://66.35.110.130.ipaddress.com/
So, is that IP and server located at the government building that this guy uses rent free or is that something that is at the telecom’s data center? Is that the resource being used to host other sites a government resource or one that just happens to host the government pages?
Sharing servers is not uncommon, but if that server is a county resource there are some questions to be answered. Regardless, this server is likely privately managed (not manged by a company by Go Daddy) and evidence shows that it has been managed poorly.
That appears to be a server at the local ISP. I think I would be more upset had they been using a county server in the first place. There is no reason for a county the size of Brown county to be running their own web server. I’d even question the utilization of a full time employee for IT over a managed service provider at a fraction of the cost.
Possibily, or an IP that is assigned to the connection at the Gov’t building from that ISP.
I agree with the MSP part – But I think he was hired to try and save money from the “MSP” setup they had before that was milking them. You are right though, real MSP would be able to provide the services they need at no more than the cost of an employee (or less) and with more resources available when needed.
Now choosing the right MSP can be a challange in itself, as there are a lot of crappy providers out there that overcharge for underperformance – a lot of providers that don’t know how to do the job the right way and just exist to collect payments while they hire zero talant monkeys that would not now how to handle the things we have already uncovered here…
Sorry, that turned into a rant didnt it. :)
This sheds a little more light.
http://cloud-computing.tmcnet.com/news/2014/10/27/8087314.htm