San Francisco DA Discloses City's Passwords
snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.'"
AH HA! See, Childs was right, he is the only competent one!
Caveat Utilitor
... that Childs made the right decision after all. The prosecution is making his case for him!
At least the VPN codes shouldn't be that important. What possible damage can someone do VPNing into a network that has probably been completely obliterated by now?
> AH HA! See, Childs was right, he is the only competent one!
Dang! You beat me to posting about it.
Wasn't part of Childs' point that password security in the S.F. government was lax and that divulging the big one in a way that would spread it around was dangerous to the network?
Given that the configurations on the routers weren't saved, the first guy to use that password on them had better be DARNED careful to get them recorded before changing anything or he's likely to break the network big time. So handing it to an administrator, who will hand it to several people, any of whom might leak it, could cause the net to come crashing down.
If all they'll let him do for a handoff is hand off the passwords, I can see how a prima donna BOFH would want to hand the big one directly to his successor, who would then spend the next week carefully recording the configs as-running before making changes or sharing the password with less-skilled delegates.
Not that it's right. But looks to me like the city is making his point for him - which his lawyer should use in a counter-argument at the bail hearing. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Even if the sysadmin referred to as 'Childs' was a paranoid schizophrenic, that does not mean he wasn't right.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Yeah. It must've been a tough call, though, because he didn't really have the authority to do that, but on the other hand, if he hadn't, the buffoons running that department would have caused the city even more grief.
Sounds more like he should have gotten a reward or a medal or something. It's funny, but this is a case of a citizen protecting a government from itself, not the other way around.
The higher the technology, the sharper that two-edged sword.
I've got to say voyeuristically looking at other people's passwords can be pretty entertaining sometimes. I know I've had a few passwords I wouldn't care to have other people know.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
According to TFA, the thing about his not saving the configs to flash is a CLAIM by the city, not something confirmed by Childs.
So how do they KNOW that, if they don't have the passwords? Did they try rebooting some network boxes and have them not come up? (If so, how is it that the net is still running...)
This is looking more and more like a pointy-haired-boss SNAFU than logic-bomb job-insurance/revenge sabotage.
Huh? What? It's not his network. He's not some kind of hero. Yeah, there are other idiots in the world, but seriously, anyone seeing Childs as some kind of champion of security is sadly, sorely mistaken.
It'll be fun to see what happens, now that he's been removed from the loop.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Clearly posting this in the Entertainment category was a perfect fit.
> ...he didn't really have the authority to do that...
You don't know what he did. You only know what the aforementioned "fuckwits" allege that he did.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
> Huh? What? It's not his network. He's not some kind of hero. Yeah, there are other idiots in the world, but seriously, anyone seeing Childs as some kind of champion of security is sadly, sorely mistaken.
What more proof do you need? This action demonstrates he was right. It's not "his" network, but I'm pretty sure he was in charge of its security. He tried to keep it secure, for what are now obvious reasons, and he got thrown in jail for it.
Stop Computers/Cars Analogies on S
The fact that the passwords could be harvested in the first place is problematic. I'm a SysAdmin and I should never have access to anyone else's passwords.
Passwords should be encrypted and non-visible. This is standard practice.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
If this is the level of fuckwittage he had to deal with while in his job I'm not surprised he locked others out.
As you are well aware, bureaucracy is ruled mostly by idiots. They are put into places of power within the bureaucracy for precisely this reason. Their idiocy makes them less threatening. Once arriving there, being idiots, they are suspicious of anyone smarter. They especially do not like their own idiocy shoved in their face by the constant superior intellect of those who may happen to come along. Now these idiots can do stupid things, like enter passwords into public record or fire talented sysadmins, but they will not get in trouble. Why? Because it's better to do the wrong thing because you are stupid than it is to do the right thing that some idiot made against the rules one time.
Just callin' it like I see it.
If you install S/KEY or OPIE on your UNIX or Linux box to manage logins, you will be presented with a random challenge string. You then plug that challenge string and your (relatively simple) password into a one-time pad password calculator, which tells you what to type into the login prompt. Voila: An easy-to-remember password that cannot be cracked by simple lookup tables. As close to perfectly secure as you're likely to get (meeting the criteria in the actual question) without being complex for the user.
Post-it notes aren't a bad solution, if the physical area is secure against unauthorized access, so long as the user is aware of the fact that their account is communal within that area. Which, for a private office, isn't a fatal problem. The cleaners are still a potential vulnerability, but the cleaners have far easier access to all of your personal notes, which are likely to have far more valuable information than your account.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
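The S/KEY/OPIE mechanism mentioned a few posts up is a hash-chain one-time-password scheme, and the following is an added example of it in Python (written for this page; it is not code from the S/KEY or OPIE projects). Real S/KEY folds an MD4/MD5 digest to 64 bits and renders it as six short dictionary words; here SHA-256 digests are used directly and the challenge is just the sequence number and seed, which are simplifications chosen for the example. The passphrase, seed and chain length are constructed values.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 here; real S/KEY uses folded MD4/MD5)."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, steps: int) -> bytes:
    """Apply h() `steps` times to `secret`, i.e. compute h^steps(secret)."""
    value = secret
    for _ in range(steps):
        value = h(value)
    return value


def derive_secret(passphrase: str, seed: str) -> bytes:
    """Client side: the chain root comes from the public seed and the memorised passphrase."""
    return h((seed + passphrase).encode("utf-8"))


class SkeyServer:
    """Stores only h^n(secret) and the counter n; it never sees the passphrase or the root."""

    def __init__(self, seed: str, top_hash: bytes, n: int):
        self.seed = seed
        self.stored = top_hash
        self.n = n

    def challenge(self):
        """The login prompt: sequence number the client must answer for, plus the seed."""
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff h(response) equals the stored value; then step the chain down."""
        if self.n <= 1:
            return False  # chain exhausted: must re-enroll with a fresh seed
        if hmac.compare_digest(h(response), self.stored):
            self.stored = response  # the accepted value becomes the next check value
            self.n -= 1
            return True
        return False


def enroll(passphrase: str, seed: str, n: int) -> SkeyServer:
    """Initialisation: the client computes h^n(secret) and hands only that to the server."""
    return SkeyServer(seed, chain(derive_secret(passphrase, seed), n), n)


def client_answer(passphrase: str, seq: int, seed: str) -> bytes:
    """What the 'OTP calculator' produces for a given challenge."""
    return chain(derive_secret(passphrase, seed), seq)


def demo():
    """Two logins plus a replay of the first response; returns (ok1, replay_ok, ok2)."""
    passphrase, seed = "correct horse battery", "sf01"  # constructed example values
    server = enroll(passphrase, seed, 100)

    seq, seed = server.challenge()              # server asks for h^99
    first = client_answer(passphrase, seq, seed)
    ok1 = server.verify(first)                  # h(h^99) == h^100 -> accepted

    replay_ok = server.verify(first)            # sniffed response reused -> rejected

    seq, seed = server.challenge()              # server now asks for h^98
    ok2 = server.verify(client_answer(passphrase, seq, seed))
    return ok1, replay_ok, ok2


if __name__ == "__main__":
    print(demo())
```

The property that matters for the thread's topic is visible in `demo()`: an eavesdropper who captures a response has h^99(secret), but the next login needs h^98(secret), and the hash is one-way, so the captured value is useless after it has been used once. The passphrase never crosses the wire, so a file of harvested credentials like the one filed with the court would contain nothing reusable.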
> Huh? What? It's not his network. He's not some kind of hero. Yeah, there are other idiots in the world, but seriously, anyone seeing Childs as some kind of champion of security is sadly, sorely mistaken.
Way to back that up with cold hard reasoning. Oh wait, you didn't. On second look, I can see that you just spewed an emotional appeal meant to make you look righteous and perhaps glean some karma from the deal. Here, let me give a counter-argument with the same level of "insight" (and with exclamation points and the obligatory "Period." ending to boot):
Childs is a champion of security! Anyone who thinks otherwise is sorely mistaken! He was trying to help because of all the idiots he is dealing with. Period.
"...because he didn't really have the authority to do that..."
But his supervisors and everyone in his department knew he was the only one -the 'go to' guy- that really had the in-depth knowledge to figure out problems and make stuff work. If they let him do that without objection or questioning his reasons, they gave their tacit approval to allow him to operate in the fashion that he did.
Sig this!
I wouldn't be too sure about that. He did a good job of running the network without issues. Just he got paranoid about his job.
Just that they won't hire him as the main network guy, but will use him for his experience as long as the company keeps good records of the routers and passwords that are accessible by other network admins, and audits those passwords every month.
Why are these introduced in a bail hearing? Is he going to sell them to buy a plane ticket to a non-extradition country? Could he use a network access password to arrange travel as a third party and avoid prosecution?
These login/passwords were found on his office computer. How the hell do you think he is going to access this computer even if he is free on bail? Something tells me he will have a very hard time obtaining this data.
Every mans' island needs an ocean; choose your ocean carefully.
No a real SysAdmin doesn't violate good security practices by installing password crackers and checking people's passwords. Those SysAdmins should be instantly fired.
A good SysAdmin has password rules in place to make people select good passwords to begin with.
Our standard policy is 3 character types, 8 characters or more, and can't repeat last 12 passwords.
"I don't know a sysadmin alive that doesn't have that kind of work material on their home computers."
If there were a SysAdmin working for me that had password lists of my users on his home computer, not only would I fire him, I'd press charges.
They aren't worried about releasing him on bail with what they know Childs knows. They are worried about what they don't know that he knows. Perhaps the copy of the password file found on his office PC is not the only copy? How could you know that he doesn't have it on a USB key in a safe deposit box or something along those lines. I wouldn't want him where I couldn't keep an eye on him until everything he had access to (and probably everything I didn't think he had access to) had undergone a complete audit.
Eagles may soar, but weasels don't get sucked into jet engines.
from TFA --
The username/password combos were apparently functioning sets. The DA is saying they found them on Childs' own computer. The DA is all in a tizzy because Childs could then use these accounts to sneak into the system and cause mischief without getting tracked back.
Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?
Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.
They should have (but maybe do not) procedures for suspicious accounts. If they don't Childs should have created and documented one.
> He's got accounts so he can log in with a lower level of access and see what's accessible
More reasonable, but 150 of them? That doesn't seem plausible.
> These are usernames/password combos that he sniffed off the network, during routine security testing.
Possibly, but why did he need to keep a copy of the password file? If his goal was to uncover security vulnerabilities, it isn't necessary to keep the credentials uncovered.
> These are people with accounts that have had some kind of trouble, and he's got them so he can attempt to diagnose problems linked to user level access.
It is not standard nor best practice to ask a user for their password, ever. If you need to access their account, you use admin privs to change their password, do whatever needs to be done, then ask the user to change it themselves when you no longer need access to their account.
> It's a list of post-it pads he's seen while walking around at work, and he'd been planning to inform the users to change their passwords.
You need the user's name for that. Not their login ID and password. Also, the number of passwords in the file makes this implausible.
> They're the output list of a password security checker.
I think this one is redundant. While it is best practice to examine the security of your own network, it is not common nor reasonable to keep an archive of usernames/passwords uncovered.
Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.
Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.
Keep this up, and Nifong will have company in the 'worlds dumbest DA's club'
I think you should examine the well-documented, published, and logical security & administration best practices. Keeping a password list on a PC is a great way to compromise your network. If it turns out that these are, indeed, valid user security credentials, Childs doesn't appear to know the first thing about information security.
> It is not standard nor best practice to ask a user for their password, ever. If you need to access their account, you use admin privs to change their password, do whatever needs to be done, then ask the user to change it themselves when you no longer need access to their account.
Actually that IS standard practice...but for desktop techs, not admins. I often have to admonish people for this, but it's quite a common practice to get the user's password so as to facilitate service. It certainly isn't a best practice, but it's a common one and in most cases it inconveniences the user far less.
> No a real SysAdmin doesn't violate good security practices by installing password crackers and checking people's passwords. Those SysAdmins should be instantly fired.
Dude, your pompous, self-righteous attitude makes me believe that you're either a pointy-haired management clown, or what guys in my group call a "Barney". Either way, what you define as a "real" admin is, IMO, an absurd projection of what your anal retentive imagination thinks an admin should be.
> Our standard policy is 3 character types, 8 characters or more, and can't repeat last 12 passwords.
Pfft. Big whoop. I'm supposed to be impressed? You can still have weak passwords with that scheme.
> If there was a SysAdmin working for me that had password lists of my users on his home computer, not only would I fire him, I'd press charges.
Har, har. Press charges? For what? If the word "security" is mentioned in any way in an admin's job description, that will provide cover for use of legitimate security assessment methods like pen-testing, which, oh by the way, includes password cracking. At most, you could use it as grounds for dismissal if there is a stated company policy prohibiting its use. But charges? Tch, only if you can prove the passwords were used for malicious intent. It's called mens rea. Look it up sometime, whydontcha?
JFC, "It's been 1 hour, 20 minutes since you last successfully posted a comment" -- are any other poor ACs waiting this long between posts, or is it just me /. hates?!
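The "3 character types, 8 characters or more, can't repeat last 12" policy quoted above, and the reply that such a scheme still admits weak passwords, can both be made concrete. The following is an added example written for this page (not code from any poster or from any product): it implements the quoted policy as stated, then runs a second check of the kind a password cracker applies, stripping trailing digits and symbols and undoing common letter substitutions before comparing against a wordlist. The wordlist, the keyboard-walk string and the sample history are constructed for the example, and the substitution table is an assumption, not an exhaustive one.

```python
import re
import string

# Constructed for the example: a handful of bases of the kind found in every breached-password list.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "summer", "qwerty", "sanfrancisco"}

# Constructed for the example: one row of a US keyboard, walked left to right.
KEYBOARD_WALK = "1q2w3e4r5t6y7u8i9o0p"

# Assumed substitution table; crackers ship far larger ones.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def char_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, punctuation) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def meets_policy(pw: str, history: list) -> bool:
    """The policy quoted in the thread: >= 8 chars, >= 3 of 4 classes, not among the last 12."""
    if len(pw) < 8:
        return False
    if char_classes(pw) < 3:
        return False
    if pw in history[-12:]:
        return False
    return True


def weakness(pw: str):
    """Return a reason string if the password is predictable despite passing the policy, else None.

    Mirrors what a cracker's mangling rules do in reverse: peel off the decoration that was
    added to satisfy the class requirement, then look at what is left.
    """
    base = re.sub(r"[\d\W_]+$", "", pw)          # 'Password1!' -> 'Password'
    base = re.sub(r"^[\d\W_]+", "", base)        # leading digits/symbols too
    base = base.lower().translate(LEET)          # 'p@ssw0rd' -> 'password'
    if base in COMMON_BASE_WORDS:
        return f"dictionary word {base!r} plus digits/symbols"
    alnum = "".join(c for c in pw.lower() if c.isalnum())
    if len(alnum) >= 6 and alnum in KEYBOARD_WALK:
        return "keyboard walk"
    return None


def evaluate(pw: str, history: list) -> str:
    """Combine both checks into the verdict an admin would want to see."""
    if not meets_policy(pw, history):
        return "rejected by policy"
    reason = weakness(pw)
    return f"passes policy but weak: {reason}" if reason else "passes policy"


if __name__ == "__main__":
    # Constructed sample history for the demonstration.
    previous = ["Winter2007!", "Spring2008!"]
    for candidate in ["Password1!", "P@ssw0rd1!", "1q2w3e4R!", "Spring2008!", "Tr0ub4dor&3"]:
        print(f"{candidate:14} {evaluate(candidate, previous)}")
```

`Password1!` and `P@ssw0rd1!` satisfy all three rules of the quoted policy and are exactly what a dictionary attack with a few mangling rules tries first, which is the point the reply makes; the history check only stops reuse of the literal string, so `Spring2008!` followed by `Summer2008!` also sails through. Complexity rules constrain the alphabet, not the predictability of what people choose from it.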
and yet another reason why username/password is one of the poorest "security" measures in place for any level of access to sensitive systems. I am certain of one thing, system admins the world over will look back on our primitive username/passwords and laugh. Just another argument for RSA SecurID or biometrics or smart cards.
"skate the web"
> 7. Cisco PCF files w/ the group names, etc, filled in.
That's probably what this is, and the increasingly desperate prosecutor is trying to find things that can be used to dazzle the jury.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
The problem is the jury will be filled with people who are clueless about computers, as the DA will remove anyone who has even the slightest knowledge of network security.
Not really "jury of your peers", but everyone unofficially agrees juries composed of dumbasses make trials nice and quick. Anyways...
As for Kamala's dumbass move? Prosecutors in the USA enjoy virtual immunity; even something as stupid as she did won't result in any repercussions, at least in the court systems. Once script kiddies get a hold of the passwords, it ought to be fun.
To put it in perspective, the media whore Nifong - who intentionally and maliciously continued the prosecution on the innocent duke team got a whopping day in jail and a minor fine. Yes, there are also civil remedies, but civil remedies sort of pale in comparison to the power a prosecutor can wield via the court system - namely that of imprisonment and even death.
See the problem with what you are saying is that you are assuming he is guilty. While that may seem obvious to you and I, that is not, nor should be, how the court views things. His bail is obviously being set because of fears he could do more instead of fears he will flee his prosecution which is the intent. If they fear he may commit more crimes they should place him in prison without bail and state as much. As it is they are just playing with the law to get what they want without asking for it directly.
Jury selection cuts both ways - while Kamala can drop every juror that has some technical knowledge, the defense can drop anyone who can't program their VCR or turn on a computer.
My Sysadmin Blog
Well, since the Constitution grants him the right of discovery, if that was the only copy, all Childs has to do is file a motion to see the evidence against him to obtain those usernames and passwords. Plus, because they were entered into a court record, if he or a friend were to launch an attack or whatever, he would have reasonable doubt given that any court clerk, judge, DA, case officer, police officer, citizen/group/reporter filing an open records request, etc. can now see it. Better still, if the system were hacked while he was in jail he could use it as a defense, saying "Hey, when I was running things the network remained secure, but as soon as I was removed it was compromised, so how can the DA suggest to the jury that I was somehow putting the network at undue risk? The facts suggest otherwise." Just imagine how cool it would be to read on /. that this happened? Hmm?
Honestly, the more I read about this the worse SF managers and the DA look. How dumb are they? I mean, they are disproving their own case. If I were Childs' lawyer, I would ask this question to the DA in front of the jury: "Just so I get this straight, because I am a simple man, you are telling us that this information was so confidential and put the city at so much risk that you publicized it yourself the same day that you made a statement about the dangers of Childs potentially releasing the information? Did you make sure the passwords and usernames were changed before doing so? Isn't it possible that the usernames alone being published could create a target point for hackers to work from, allowing them to launch either DoS attacks if lockouts are set on these accounts, or to continually work on cracking passwords if no lockout is set? Do you even have the technical knowledge to understand the details of this case without you yourself putting the city at risk like you 'allege' my client has? If Childs put the city at risk by having it on his computer and deserves jail time, what punishment should you get for filing it into the court records? Didn't security concerns worry you? Where is the confirmation that the passwords were updated or the accounts deactivated before you entered sensitive information with the court?"
This is out of a comic strip; SF is run by idiots. Childs is not the problem, it is those that let him control everything so long as he did their work for them. Those are the people who should be on trial. It is a retarded DA that is 1) putting city systems at risk for a prosecution and 2) giving the defense more ammunition.
Respect the Constitution
"Your honor, my client did not feel comfortable giving sensitive system passwords to idiots. I'd like to enter prosecution's boneheaded public filing as Exhibit A."
His assets, at, IIRC $244,000 pale in comparison to what was spent on the defense ($3 million?)
As for disbarment? Big deal. He conspired with the DNA lab to illegally conceal exculpatory evidence in the case via a malicious prosecution because allegedly "he thought it would be great advertising for his re-election."
His actions in that case also cast a shadow on every successful prosecution and undermined the legal system (rightfully so IMHO)
I personally don't care about that particular case, but it clearly shows the level of immunity prosecutors possess. Near the end, everyone knew what he did, why he did it, everyone despised his actions, but his punishment was still a sick pathetic joke.
I don't consider disbarment a punishment in cases of malicious prosecutorial misconduct - a disbarment should be a given in cases such as this. Felony charges and hard time should be "punishment"
Oh... and Nifong can get his license back in 2012.
Please, no biometrics. I can change my password/smart card/whatever else quite easily, but I can never change my iris or fingerprints or what have you.
>>bureaucracy is ruled mostly by idiots
There is a common saying wrt management/bureaucracy/gov't jobs:
"In a Hierarchy Every Employee Tends to Rise to His Level of Incompetence"
And the corollary:
"In time, every post tends to be occupied by an employee who is incompetent to carry out his duties; work is accomplished by those employees who have not yet reached their level of incompetence"
This is known as the Peter Principle. It is a deviously simple concept with far-ranging consequences: Every employee will eventually be promoted to a position ONE level above their competency. And they will stay there instead of being demoted or fired; that's just the way it works.
I have worked for the state and fed gov't for the past 7 years and I can attest to the profound accuracy of the Peter Principle. What you need to remember when dealing with superiors is that the higher people get promoted, the greater the chance that you are dealing with someone who is genuinely incompetent. They may not be a bad person, but they are no longer qualified to hold their job. So don't take things too personally when you are ordered to shut down the company's most profitable center or paint cartoon bulldogs on fighter jets.
Stay in school and eat lots of fiber and someday you, too, will be promoted one level above your competence.
-b
No offense, but I've stopped responding to AC's.
Please reference the title of this thread. We're way out in the weeds now, and arguing about semantics.
Here's how I see it, and you're welcome to disagree.
It appears you're defining secure as simply strength, which includes randomness, length, and character set.
I'm defining secure as, well, secure, taking in account at minimum both strength and human usability factors.
Security == strength + usability.
Strength is a subclass of secure.
Length is a subclass of strong.
Randomness is a subclass of strong.
Character set is a subclass of strong.
Human usability is a subclass of secure.
Memorability is a subclass of human usability.
Length is a subclass of memorability.
Randomness is a subclass of memorability.
There is overlap between the characteristics of strength and usability, which is why password policies are hard to get "right".
It's all semantics. I disagree with your assertion that putting secure in the past tense for human usability factors makes sense, but at least you're defining your words. ;-)
This whole discussion started by saying that an instructor who was making a valid point through using poorly defined terms was being a dick.
I think in this thread I have sufficiently made my point, you're welcome to have the last word if you like, but I'm done here.
Blessed are the pessimists, for they have made backups.