Slashdot Mirror


San Francisco DA Discloses City's Passwords

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.'"

5 of 333 comments

  1. Ah HA! by clang_jangle · Score: 5, Insightful

    AH HA! See, Childs was right, he is the only competent one!

    --
    Caveat Utilitor
    1. Re:Ah HA! by _Sprocket_ · Score: 5, Insightful

      Childs' defense attorney has got to be happy about this.

      "Your Honor.. I would like to direct the Court's attention to Exhibit A; the mere existence of which proves our case..."

    2. Re:Ah HA! by crath · Score: 5, Insightful

      Therefore, it should be his job to keep this document so that he can provide the users (of the proper departments) with their proper access credentials.

      There are NO circumstances under which one user should possess another user's password; not even an Administrator. The only exception to this rule ever allowed is when the account is first created: when a one-time use password is assigned by the Administrator; however, in a world-class IT infrastructure (such as an enterprise like the city of SF can afford to implement) an application creates and assigns a random password and then communicates it to the user via secure means (with no person seeing or having access to that password).

  2. Dang! by Ungrounded Lightning · Score: 5, Insightful

    AH HA! See, Childs was right, he is the only competent one!

    Dang! You beat me to posting about it.

    Wasn't part of Childs' point that password security in the S.F. government was lax and that divulging the big one in a way that would spread it around was dangerous to the network?

    Given that the configurations on the routers weren't saved, the first guy to use that password on them had better be DARNED careful to get them recorded before changing anything or he's likely to break the network big time. So handing it to an administrator, who will hand it to several people, any of whom might leak it, could cause the net to come crashing down.

    If all they'll let him do for a handoff is hand off the passwords, I can see how a prima donna BOFH would want to hand the big one directly to his successor, who would then spend the next week carefully recording the configs as-running before making changes or sharing the password with less-skilled delegates.

    Not that it's right. But looks to me like the city is making his point for him - which his lawyer should use in a counter-argument at the bail hearing. B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  3. Re:Suddenly Childs seems quite normal by actionbastard · Score: 5, Insightful

    "...because he didn't really have the authority to do that..."
    But his supervisors and everyone in his department knew he was the only one -the 'go to' guy- that really had the in-depth knowledge to figure out problems and make stuff work. If they let him do that without objection or questioning his reasons, they gave their tacit approval to allow him to operate in the fashion that he did.

    --
    Sig this!