

San Francisco DA Discloses City's Passwords

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.'"

23 of 333 comments

  1. Then the users will change them right back by Homer's Donuts · · Score: 2, Interesting

    Then the users will change them right back to what they were.

    Where I used to work, you had to change your password every month. After you changed it three times, you could change it back to the original.

    So people just changed their password 4 times.

    1. Re:Then the users will change them right back by Timothy Brownawell · · Score: 2, Interesting

      Sounds like you have to use a shitty system. Real systems prevent duplicates, or even similar patterns. It can be a real pain.

      ...since real systems also only store a hash instead of the plaintext password, how do they know it's similar?
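
One answer to the question above (a hash-only password history can still catch reuse and trivial variants, because the system hashes candidate transformations of the *new* password against each stored salted hash), written as an added illustration that is not part of this thread or any real product. The PBKDF2 parameters, the small set of similarity transforms, and the sample history are constructed assumptions:

```python
import hashlib
import hmac
import os
import re

# Constructed example: a password-history check that stores only salted hashes of
# previous passwords, yet rejects a new password that is an old one or a trivial
# edit of it. Hypothetical parameters; no real system's policy is reproduced here.
ITERATIONS = 10_000  # kept low for the demo; production deployments use far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_history_entry(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to append to a user's history when a change is accepted."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def variants(candidate: str) -> set[str]:
    """Strings the candidate could have been derived from by a trivial edit.

    Only the NEW password is available in plaintext at change time, so the check
    works backwards: it guesses what the old password might have been (case
    changes, a dropped trailing punctuation mark, a bumped trailing counter)
    and hashes each guess against the stored history.
    """
    bases = {candidate, candidate.rstrip("!@#$%^&*.?")}
    with_case: set[str] = set()
    for b in bases:
        with_case.update({b, b.lower(), b.upper(), b.capitalize(), b.swapcase()})
    out = set(with_case)
    for b in with_case:
        m = re.fullmatch(r"(.*?)(\d+)", b)  # trailing digit run, e.g. "Summer08"
        if m:
            stem, digits = m.groups()
            out.add(stem)  # same word without the counter
            n, width = int(digits), len(digits)
            for k in range(max(0, n - 3), n + 4):  # nearby counters, zero-padded
                out.add(f"{stem}{k:0{width}d}")
    out.discard("")
    return out


def violates_history(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate, or a trivial variant of it, hashes to any stored entry.

    Cost is len(variants) * len(history) PBKDF2 calls, which is why real systems
    keep both the transform set and the history length small.
    """
    vs = variants(candidate)
    for salt, digest in history:
        for v in vs:
            if hmac.compare_digest(hash_password(v, salt), digest):
                return True
    return False


def demo() -> dict[str, bool]:
    # Constructed history for one user: three old passwords, kept as salted hashes only.
    history = [new_history_entry(p) for p in ("Summer07", "Summer08", "correct horse")]
    return {
        "Summer09": violates_history("Summer09", history),            # counter bump of Summer08
        "SUMMER07!": violates_history("SUMMER07!", history),          # case change plus "!"
        "Correct Horse": violates_history("Correct Horse", history),  # capitalisation only
        "tr0ub4dor&3": violates_history("tr0ub4dor&3", history),      # unrelated, accepted
    }


if __name__ == "__main__":
    for pw, rejected in demo().items():
        print(f"{pw!r}: {'rejected' if rejected else 'accepted'}")
```

Two design points: the transform set is deliberately tiny, since every extra guess multiplies the number of slow hash computations per change, and the immediately previous password can be compared in plaintext when the change form asks the user to type the old password, which is the one case where an exact edit-distance test is possible without any guessing.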

    2. Re:Then the users will change them right back by AJWM · · Score: 5, Interesting

      Are you sure this guy hadn't called support to have his password reset? Because "password" sounds like something they might reset it to, and unlikely for someone to forget.

      --
      -- Alastair
  2. IN A COURT EXHIBIT?!?!?!? by seanadams.com · · Score: 3, Interesting

    I had my doubts at first, but this makes it abundantly clear that Childs was right. More right than any of us might have imagined when this spin-doctored story first came out.

    In hindsight he took totally reasonable, prudent measures to protect incompetent city officials from themselves. Who knows how they got into that situation, but I won't blame him for anything in light of this, and I sincerely hope a jury wouldn't either.

    He should first collect damages himself, and then initiate a class action suit against the city on behalf of all their residents. Maybe put the DA in jail for criminal negligence - in fact I'd venture a guess that he's mentally defective enough to file the charges himself.

  3. Re:Ah HA! by WK2 · · Score: 5, Interesting

    Why did the DA even have access to these passwords? Why were they not in hash form? Did Childs have anything to do with that part?

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  4. Re:The real question is... by BUL2294 · · Score: 2, Interesting

    Now, how long until a scan of the username/password document shows up on the court's website as a form of public disclosure??? It wouldn't surprise me if the moronic DA forgot to ask for the exhibit to be sealed...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  5. Re:Ah HA! by kesuki · · Score: 3, Interesting

    "AH HA! See, Childs was right, he is the only competent one!"

    from TFA: 'Some of the passwords would benefit from a change because they are identical to the VPN log-in name or extremely easy to guess.'

    wow, bad passwords, no wonder the guy was worried, using dictionary words is like not having a password as far as hackers are concerned, same deal with identical user/pass combos. I realize they use an encrypted key along with the password, but still...

  6. "Free Terry Childs" T-Shirts by peterofoz · · Score: 3, Interesting

    So who will be the first to print up and sell t-shirts to support Terry Childs? Perhaps they can also print the SF VPN usernames and passwords on the back. Design suggestions welcome.

  7. Password sniffing by FlyingBishop · · Score: 2, Interesting

    They seem to be operating under the assumption that Childs was sniffing passwords. Which judging from the case is just stupid. Why would anyone sniff passwords that they had absolute control of? He was sniffing unencrypted messages over the network. Even sans the unrestricted power over the network, I can't imagine Childs has any use for those passwords. Or anyone else for that matter.

  8. Passwords can be TOO strong. by Jane Q. Public · · Score: 5, Interesting

    I attended a lecture some years ago by a Microsoft employee who was high up in their security structure.

    He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"

    A show of many hands.

    He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."

    "As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."

    1. Re:Passwords can be TOO strong. by LaminatorX · · Score: 2, Interesting

      For a client database to which I am the sole admin, I change my password on a monthly basis in a sequence based on the product of two formulas.

      The formulas are in two places, my head and a sealed envelope in the company safe. I realize someone could crack the maths if they had enough old passwords and time, but if I get hit by a car tomorrow, my boss could unseal the envelope and calculate this month's password.

  9. This is the tip of the iceberg by xenophrak · · Score: 4, Interesting

    This is unfortunately par for our fine DA. Kamala Harris has proven herself to be an incompetent tool more often than I'd like to hear.

    She has angered many San Franciscans by refusing to prosecute violent criminals, and lately, found to have been lax towards the city's worst crime of the year...the murder of a father and his two sons in the Mission by a suspected illegal alien due to the city's stupid sanctuary law.

    She should be dragged out, tarred, whipped and ejected from the city, never to return.

    --
    Contrary to popular belief, life is not a bitch. It is far far worse.
  10. Re:Ah HA! by Hanzie · · Score: 4, Interesting

    Hey guys,

    If you have any other opinions you'd really like entered into the public record, have at it. I'd say there's a very good chance that this discussion will be entered as evidence by the defense. :)

    If anyone is counting, add my vote for the VPN passwords' disclosure being hard evidence that the IT admin was perfectly correct.

    That and the fact that the SF network stayed up while the world's hackers KNEW that the network was completely unsupervised.

    Frankly, if I were looking to hire somebody, I'd be chipping into this guy's defense fund. Speaking as a real-world IT manager, I'd say this guy's judgement is spot on, and his admin skills are amazing.

    In my own humble opinion, the SF DA's office is full of idiots.

    hanzie.

    --
    ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
  11. Re:Being paranoid doesn't mean you're wrong by tnk1 · · Score: 3, Interesting

    I don't think anyone who has ever worked for the government, or even seen government in action doubted that Childs was right. I think that everyone was wondering why he'd sit in jail to bring to light something that's already obvious.

  12. Re:An idiot playing a semantic game. by spinkham · · Score: 3, Interesting

    I agree with the grandparent, he's just being an ass.
    He's using the word "secure" in the original question in a very narrow way. Of course a password policy must be human-centric as well as containing enough randomness to not be brute forced or attacked easily through rainbow tables.
    There's education in teaching users how to select strong and yet memorable passwords, and when it's OK to write them down at least partially in your wallet or strong encrypted password store.
    He's being an ass because he's asking a complex question, then telling everyone they're wrong and giving a simple smug answer. You can be right and still be an ass. ;-)

    An aside is the fact that we rely on passwords too much. Dual factor authentication for internal business use is relatively cheap and easy to set up in windows and linux for login, for ssh, etc. I'm genuinely surprised more people outside of the military don't use it.

    --
    Blessed are the pessimists, for they have made backups.
  13. For everyone who thinks Childs was right by Zakabog · · Score: 4, Interesting

    Does anyone realize that the passwords would have never been given to the DA's office if it wasn't for his actions? The passwords would then not be part of public record. Do you think the person at the IT office would have made the list of passwords public if Childs left gracefully?

    Someone at the DA's office is the incompetent person in this case, but that does not validate his locking out of everyone competent enough to take care of the system (the people that would have replaced him at the IT department.)

  14. Re:NEVERMIND! by rahvin112 · · Score: 5, Interesting

    It's government. To think like government in implementing something like VPN you have to conceive a solution that involves the user not having to do anything (other than maybe push a button) and this includes anything other than a standard login box. Second you have to implement this in a way that the user themselves can go home and implement this solution without any site help from anyone and zero technical knowledge. (you don't send an IT person to a State Employee's home, that's asking for some kind of lawsuit). Fourth the solution must be as expensive as possible, support some local business (preferable if the business owner is connected politically with one of the local leaders) and require very few extra hours from the already overworked staff.

    What does that result in? Hardware VPN boxes plugged into the network router, with the user's computer plugged directly into the VPN box. Costs a lot, requires pre-configuration of the box but should require no site visits, idiots can usually successfully plug in boxes with phone support only and any reconfiguration likely requires the box to be brought back into the office as the VPN keys on the boxes are likely hard coded into a configuration on the VPN device. Likely a turnkey solution so you have a hefty support contract and the vendor would likely assist with deployment and any reconfiguration resulting in a nice contract fee for reprogramming all the boxes.

    My guess is some VPN box provider is going to be doing a service call on every box and netting themselves some nice profit under their support agreement.

  15. Nice spin by Anonymous Coward · · Score: 1, Interesting

    His actions? You mean the ones his supervisors apparently approved of?

    The fact remains that the DA's office poses a greater risk to public safety than Childs apparently has.

    Personally, I think the DA ought to be brought up on terrorism charges, with far more bail than the $5 Million that Childs has been hit with.

    Ship her to Gitmo, while there's still a Republican administration in office.

    Turn about is fair play.

  16. Re:RTFA by masdog · · Score: 5, Interesting

    Do they even know what those "usernames" and "passwords" are for? Did they check any documentation or did they just assume that the list was a list of individual users and passwords that Childs could use to wreak havoc?

    After reading the article, it seems like the list consists of Cisco VPN group names and pre-shared keys, not usernames and passwords. To someone who isn't familiar with the technology, it would look like a username and password, and I'm sure they are counting on the technological ignorance of the Judge and the general public to keep up this charade.

    It will be interesting when this thing finally goes to trial. The city is probably going to end up eating its words.

  17. pretty obvious SF should return to typewriters. by swschrad · · Score: 2, Interesting

    that's the only technology anybody in the city with a title is capable of directing.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  18. Re:Dang! OK, going on a limb here... by davidsyes · · Score: 2, Interesting

    But, years ago, after leaving IT, I was doing work on my department's portion of the intranet, and we at the time were using NetObjects Fusion (No, it wasn't Cold Fusion, and tho we had Front Phage, and a few other things, we for a while had NOF). I happened to have a packet sniffer because we were in Customer Support and used it to track broadcast packets going through our portion of the test LAN.

    One day, I suddenly could NOT remember my password, which sometimes happened after changing one of many of my own passwords. So, I hooked up the Lan Analyzer thingy to track my packets and look for MY OWN packets. I needed to work, and without my password I couldn't.

    Shockingly, NetObjects Fusion went out and sniffed the whole fracking NETWORK, and streamed user names and user passwords, unencrypted. The program designers must have been novices or fools. I began to panic, since I already knew the company had in its employ one very quiet guy whose job it was to sit in his cubicle and look at data streams and look for IP mischief. That made me feel he had an arsenal of tools and would find my group's app running on the corporate LAN. Heart racing, armpits sweating, I went straight to my director and told him everything. He said not to worry, and we agreed I should tell IT. I did, and shortly afterward, we ditched NOF.

    Apparently, IT didn't vet the program well enough, or the vendor failed to disclose it or outright lied and IT took it at that. Whatever the case, the moral is that any app can have scanners built into them even if for self-diagnostics, and any employee can intentionally or unwittingly loose a scanner onto the LAN, and end up with files they'd rather not have.

    For example, I once hooked up my company laptop running a fresh, NON-IT managed SuSE distro (this was 1999) and it scoured the servers (Unix and windows) and filled up my login screen with an icon and user name of OVER *400* employees and counting. I freaked out and yanked it from the LAN and IIRC, never again hooked up a Linux box directly to a LAN without permission.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  19. Re:RTFA by Anonymous Cowpat · · Score: 2, Interesting

    maybe it's a bluff. Now that they've put them in the public record, they can go to the judge and say "we KNOW he has access to this username\password list, because we just made it available to him, so you can't let him out in case he uses it to damage the network". Which would be very slimy indeed, but then they're lawyers, slimy is their modus operandi.
    On another note, isn't the POINT of the 8th amendment to stop bail deliberately set so high that the person being held cannot hope to post it? (which seems to be what the DA here wants)

    --
    FGD 135
  20. yeah, but DA knows what to do? by someone1234 · · Score: 2, Interesting

    They released ALL damn passwords in a public record.
    Anyone (who already has physical access to this network), which could be quite many people, could have various degrees of access to the network.
    I'm sure hackers who already got a way to the network perimeter would like these passwords too.
    The ensuing chaos will prove he was right, sadly they will make him the scapegoat for it too, none will see (or admit) Childs was right.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry