San Francisco DA Discloses City's Passwords
snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"
Didn't read the whole post did ya?
IIRC a Slashdot article a day or two ago, it said that Childs gave the passwords to the Mayor. I'd guess that's how they wound up with the DA.
I guess they don't teach politicians good IT security policy. Color me surprised.
GOD level access, huh? Think a little highly of ourselves, do we?
Wait, is that you, Childs?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Why would anyone sniff passwords that they had absolute control of?
That's a very stupid question.
You sniff them to see if they are sniffable.
Passwords normally aren't stored in plaintext, so you can't just check the passwords against your dictionary to see if they are bad. He might also have been testing to see if, or gathering evidence to prove that, the VPN system they were using was inherently insecure. There are in fact several other reasons I could come up with, but I think we can already see that you are not competent to contribute to this conversation, and that anyone who would hire you as a network administrator is an idiot, too.
"Unrestricted power" is a myth. Many of us don't want to know your passwords, and the system is designed in such a fashion that we're not supposed to be able to know what they are (without installing keyloggers or something) so that you don't have to worry about us impersonating you.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
For all we know, the password Childs gave to the Mayor was the password to some sort of password vault or TrueCrypt volume on his work PC, in which they have magically found this list. The whole case reeks of spin, lies, bluff, double bluff and FUD. Perhaps we should stop going to see the media circus on this one and wait until the end of the show.
(Yeah, ok I live in Britain, where law enforcement will happily shoot an unarmed man on the tube and then feed the public at least 3 lies about the incident in 24 hours, which the press rapidly lap up. Where the press also spent 3 weeks in a shocked daze that the Portuguese police wouldn't tell them every detail of an ongoing inquiry like the British police do. Forgive me if I'm cynical about the one-sided information that law enforcement types tend to give the press about an investigation long before the fat lady has even arrived at the opera house.)
FGD 135