San Francisco DA Discloses City's Passwords
snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.'"
AH HA! See, Childs was right, he is the only competent one!
Caveat Utilitor
If this is the level of fuckwittage he had to deal with while in his job I'm not surprised he locked others out.
Then the users will change them right back to what they were.
Where I used to work, you had to change your password every month. After you changed it three times, you could change it back to the original.
So people just changed their password 4 times.
I had my doubts at first, but this makes it abundantly clear that Childs was right. More right than any of us might have imagined when this spin-doctored story first came out.
In hindsight he took totally reasonable, prudent measures to protect incompetent city officials from themselves. Who knows how they got into that situation, but I won't blame him for anything in light of this, and I sincerely hope a jury wouldn't either.
He should first collect damages himself, and then initiate a class action suit against the city on behalf of all their residents. Maybe put the DA in jail for criminal negligence - in fact I'd venture a guess that he's mentally defective enough to file the charges himself.
Does anyone have a torrent of these alleged usernames and passwords?
... that Childs made the right decision after all. The prosecution is making his case for him!
At least the VPN codes shouldn't be that important. What possible damage can someone do VPNing into a network that has probably been completely obliterated by now?
The top 5:
password
admin
root
guest
t3rrych1lds1337haxx0r
AH HA! See, Childs was right, he is the only competent one!
Dang! You beat me to posting about it.
Wasn't part of Childs' point that password security in the S.F. government was lax and that divulging the big one in a way that would spread it around was dangerous to the network?
Given that the configurations on the routers weren't saved, the first guy to use that password on them had better be DARNED careful to get them recorded before changing anything or he's likely to break the network big time. So handing it to an administrator, who will hand it to several people, any of whom might leak it, could cause the net to come crashing down.
If all they'll let him do for a handoff is hand off the passwords, I can see how a prima donna BOFH would want to hand the big one directly to his successor, who would then spend the next week carefully recording the configs as-running before making changes or sharing the password with less-skilled delegates.
Not that it's right. But looks to me like the city is making his point for him - which his lawyer should use in a counter-argument at the bail hearing. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Even if the sysadmin referred to as 'Childs' was a paranoid schizophrenic, does not mean he wasn't right.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
So who will be the first to print up and sell t-shirts to support Terry Childs? Perhaps they can also print the SF VPN usernames and passwords on the back. Design suggestions welcome.
I can see that there is a bright future in the cluestick market...
They seem to be operating under the assumption that Childs was sniffing passwords. Which judging from the case is just stupid. Why would anyone sniff passwords that they had absolute control of? He was sniffing unencrypted messages over the network. Even sans the unrestricted power over the network, I can't imagine Childs has any use for those passwords. Or anyone else for that matter.
Because no one knows wtf they are talking about? Certainly the issue can be contained immediately by cutting VPN access as was mentioned, but even entering in new credentials for everyone wouldn't take that long... oh wait, the configuring of each remote client? What does that mean, typing in the new password for these people with VPN access to their network? I deal with VPNs all the time; if they don't have a client they can manage, and one that needs personal configuration because the password was compromised, they don't have the right client... even a web-based SSL VPN would be an improvement from what they are using
...or not using.
Walk with Music;
He gave up his only bargaining chip, and he's still locked up.
What?
I attended a lecture some years ago by a Microsoft employee who was high up in their security structure.
He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"
A show of many hands.
He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."
"As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."
I've got to say voyeuristically looking at other people's passwords can be pretty entertaining sometimes. I know I've had a few passwords I wouldn't care to have other people know.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
This is unfortunately par for our fine DA. Kamala Harris has proven herself to be an incompetent tool more often than I'd like to hear.
She has angered many San Franciscans by refusing to prosecute violent criminals, and lately, found to have been lax towards the city's worst crime of the year...the murder of a father and his two sons in the Mission by a suspected illegal alien due to the city's stupid sanctuary law.
She should be dragged out, tarred, whipped and ejected from the city, never to return.
Contrary to popular belief, life is not a bitch. It is far far worse.
that has more sense than San Francisco: Louisiana!
"I don't know, therefore Aliens" Wafflebox1
The DA both PROVED they were wrong in locking him up, AND completely and utterly ruined their case..... all I can say is WOW.
"Slashdot, where telling the truth is overrated but lying is insightful."
One way hash passwords have been around FOREVER. I can't believe how stupid this is.
According to TFA, the thing about his not saving the configs to flash is a CLAIM by the city, not something confirmed by Childs.
So how do they KNOW that, if they don't have the passwords? Did they try rebooting some network boxes and have them not come up? (If so, how is it that the net is still running...)
This is looking more and more like a pointy-haired-boss SNAFU than logic-bomb job-insurance/revenge sabotage.
... to help you weed out useful comments dammit.
Read radical news here
are belong to us. Or something like that. It's only slightly funny to me any more. A Simpsons reference is always more appropriate.
And then you reset their password and make them pick a new one.
Password policies shouldn't be draconian. For instance, changing them frequently isn't likely to help much. I'd rather people have a secure password that they don't write on paper, and keep for a year, rather than force them to change their password every two months and encourage users to write their password down so they remember it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Read TFA... I think they were the VPN Group passwords, i.e. the PSK for the IPSec connection. They still would have to auth after they connected.
Strange they would have a different password per user, unless they were hardware VPN clients.
My account details are on there. I hope no one breaks my account or
46487 466780 252994 376409 96920 39622 205366 244315 622115 512361 668040 63608 259203 955314 811176 652718 166330 23922
It'll be fun to see what happens, now that he's been removed from the loop.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Clearly posting this in the Entertainment category was a perfect fit.
Not only is it true that the IT people there are incompetent, but so are the SFPD and the attorneys in the case.
Next thing you know they'll be surprised when they find out the real problem is somebody else has been stealing them blind every time they leave the cash registers in the parking ticket division unlocked while they go to lunch ...
-- Tigger warning: This post may contain tiggers! --
No, he wasn't an asshole. He had a very good point that has just gone over your head. To elucidate, if you add too many requirements to user's passwords they can't remember them and need to write them down. Once you get to that point, the passwords aren't strong any more and you've created a security hole by trying to avoid one. There's a limit on how much you can expect the average user to remember when it comes to passwords; go past that and their passwords get less, not more secure.
Good, inexpensive web hosting
Posting these passwords in public creates a security risk, although the passwords are not enough to give a criminal access to the city's VPN. The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said.
In other words, they have published the group authentication details.
Once the public has had a chance to view the evidence, the network's security will be reduced. But a third party also needs an individual personal username and password to log in.
Changing all these authentication details on their VPN concentrator and then on each and every VPN client is an administrative nightmare.
Some VPN clients may be other routers/concentrators (departments that need secure channels with other office branches)
Employees of the city may have VPN clients installed on multiple computers (i.e. workstations and laptops).
Typing something different when they log in is not how it's done. The VPN client will have to be reconfigured after the credentials are changed on the server in order to log back in, so it's (NUMBER OF WORKSTATIONS, Routers, etc) not merely (NUMBER OF PEOPLE).
I voted for Harvey Dent.
My Debian based router uses OpenVPN that uses certificates for authentication. It can also use a RADIUS server to verify the actual user.
Since it's just a few users I don't bother with the RADIUS server, and each user has his / her own certificate that is unique. So if the person is no longer around I can just disable that certificate in the router. In the corporate world nothing should be deleted, so at least I can show in my router that the certificate is indeed disabled as opposed to simply deleted.
Wooo Hoo!!! Cashed.. or uhm cached credentials.. I can see crackers using their patterns for decryption schemes. Also, who knows if these passwords are used elsewhere.
From the referenced article - "The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said." 99% chance they are using some form of Cisco device as their VPN concentrator (most likely a VPN3030, ASA or 7200 series router). If they are, these passwords (one per group) are in what is called a pcf file on every employee's computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location - C:\Program Files\Cisco Systems\VPN Client\Profiles . The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
The thing is, this group password's primary use is to segregate users into different buckets. E.g. contractors may have one password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.
On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?
Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
From the article:
So, in answer to your questions: probably because the police found them as a result of their investigation, because Childs allegedly kept them in plaintext, and yes, allegedly, Childs had plenty to do with it.
Do you have any other questions? Perhaps the article answers them.
Are you adequate?
I agree with the grandparent, he's just being an ass. ;-)
He's using the word "secure" in the original question in a very narrow way. Of course a password policy must be human-centric as well as containing enough randomness to not be brute forced or attacked easily through rainbow tables.
There's education in teaching users how to select strong and yet memorable passwords, and when it's OK to write them down at least partially in your wallet or strong encrypted password store.
He's being an ass because he's asking a complex question, then telling everyone they're wrong and giving a simple smug answer. You can be right and still be an ass.
An aside is the fact that we rely on passwords too much. Dual factor authentication for internal business use is relatively cheap and easy to set up in windows and linux for login, for ssh, etc. I'm genuinely surprised more people outside of the military don't use it.
Blessed are the pessimists, for they have made backups.
Information wants to be freeeeeeee like dirt and hippies and gay pride parades!!!!
Does anyone realize that the passwords would have never been given to the DA's office if it wasn't for his actions? The passwords would then not be part of public record. Do you think the person at the IT office would have made the list of passwords public if Childs left gracefully?
Someone at the DA's office is the incompetent person in this case, but that does not validate his locking out of everyone competent enough to take care of the system (the people that would have replaced him at the IT department.)
Sadly, "peers" doesn't mean what we wish it did, and one of the questions during voir dire will almost certainly be "have you ever worked as a network administrator before?" with an affirmative answer as grounds for dismissal from the jury pool.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The username/password combos were apparently functioning sets. The DA is saying they found them on Childs' own computer. The DA is all in a tizzy because Childs could then use these accounts to sneak into the system and cause mischief without getting tracked back.
Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?
Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.
Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.
Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.
Keep this up, and Nifong will have company in the 'worlds dumbest DA's club'
Of course thats because he will retire to a nice tropical island when he gets his settlement from the city!
If you install S/KEY or OPIE on your UNIX or Linux box to manage logins, you will be presented with a random challenge string. You then plug that challenge string and your (relatively simple) password into a one-time pad password calculator, which tells you what to type into the login prompt. Voila: An easy-to-remember password that cannot be cracked by simple lookup tables. As close to perfectly secure as you're likely to get (meeting the criteria in the actual question) without being complex for the user.
Post-it notes aren't a bad solution, if the physical area is secure against unauthorized access, so long as the user is aware of the fact that their account is communal within that area. Which, for a private office, isn't a fatal problem. The cleaners are still a potential vulnerability, but the cleaners have far easier access to all of your personal notes, which are likely to have far more valuable information than your account.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Note to moderators: I'm not calling anyone on this forum an ass.. Please read the context before moderating. The ass in question is a security trainer. I know how such people work and think, as I am one.. I might also be an ass, but that's a separate issue ;-)
So long as they keep all the lawyers and police officers off the jury, it should be fair.
Wonder how long before they release the ATM pin numbers and SS numbers for the jury, though ...
I think what AC was saying is if policies are such that you must write your passwords down, then the policies themselves are not very secure.
Passwords and policies should be as strong and secure as possible. Depending on what you mean by strong and secure.
A unique way to learn a language: http://languageloom.com
His actions? You mean the ones his supervisors apparently approved of?
The fact remains that the DA's office poses a greater risk to public safety than Childs apparently has.
Personally, I think the DA ought to be brought up on terrorism charges, with far more bail than the $5 Million that Childs has been hit with.
Ship her to Gitmo, while there's still a Republican administration in office.
Turn about is fair play.
We need to get some real IT guys on the jury not PHB IT guys.
If he can rightfully SUE and win BIG, then this will be
CHILD's PLAY!
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I've run networks where the router config did not fit into the flash. It had to be loaded from an external server.
Not having the config in flash need not make the device a brick.
Nullius in verba
Software one time password generators are cool, but smartcards are more secure, more functional, and more convenient for the end user. ;-)
Smartcards at minimum store a private key and use public key crypto on the card itself for authentication. You can use this in PAM for login and single sign on through local authenticators, LDAP, or Kerberos. You can use it as a RSA ssh key for remote login, as a client side SSL cert, as your credentials for S/MIME, etc..
The largest deployment at the moment is the US military, with their CAC system.
Check out http://www.opensc-project.org/ and http://www.linuxnet.com/ for some of the linux oriented projects. Fedora is also leading the charge in the linux world through integration to their directory services and crypto consolidation. However, you can get it to work everywhere with some general geekery.
I worked for a company that had *exactly* that policy.
My way of remembering passwords was to pick a word, take two consecutive letters of that word, represent them as their phonetic equivalents (A = alpha, B = bravo, etc.) and separate them with a symbol (I used "%" every month).
Next month, take the next two letters in the word, when I got to the end, I'd use the first two letters again. By that time, the "no repeats" buffer had overflowed.
Easy to remember, easy to create, never had any trouble.
The password was revealed to be 1..2..3...4
cue..
that's the only technology anybody in the city with a title is capable of directing.
if this is supposed to be a new economy, how come they still want my old fashioned money?
But, years ago, after leaving IT, I was doing work on my department's portion of the intranet, and we at the time were using NetObjects Fusion (No, it wasn't Cold Fusion, and tho we had Front Phage, and a few other things, we for a while had NOF). I happened to have a packet sniffer because we were in Customer Support and used it to track broadcast packets going through our portion of the test LAN.
One day, I suddenly could NOT remember my password, which sometimes happened after changing one of many of my own passwords. So, I hooked up the Lan Analyzer thingy to track my packets and look for MY OWN packets. I needed to work, and without my password I couldn't.
Shockingly, NetObjects Fusion went out and sniffed the whole fracking NETWORK, and streamed user names and user passwords, unencrypted. The program designers must have been novices or fools. I began to panic, since I already knew the company had in its employ one very quiet guy whose job it was to sit in his cubicle and look at data streams and look for IP mischief. That made me feel he had an arsenal of tools and would find my group's app running on the corporate LAN. Heart racing, armpits sweating, I went straight to my director and told him everything. He said not to worry, and we agreed I should tell IT. I did, and shortly afterward, we ditched NOF.
Apparently, IT didn't vet the program well enough, or the vendor failed to disclose it or outright lied and IT took it at that. Whatever the case, the moral is that any app can have scanners built into them even if for self-diagnostics, and any employee can intentionally or unwittingly loose a scanner onto the LAN, and end up with files they'd rather not have.
For example, I once hooked up my company laptop running a fresh, NON-IT managed SuSE distro (this was 1999) and it scoured the servers (Unix and windows) and filled up my login screen with an icon and user name of OVER *400* employees and counting. I freaked out and yanked it from the LAN and IIRC, never again hooked up a Linux box directly to a LAN without permission.
UID: TChilds Pwd: All your switches are belong to me
Yeah, I knew of the military system - I was a contractor for the US navy (SPAWAR) when they first introduced it. Nice idea, but the implementation at the time was lousy. I hope they've improved. You're right that smartcards are superior, especially if a lot of work can be decentralized. Wish they'd be used more. Readers aren't very common (yet). That and the problem of generating strong enough keys are the two main reasons the Mondo smartcard never took off in England as an alternative to credit/debit cards, despite better security and better privacy.
to help the City of San Francisco look stupid.
"Not an actor, but he plays one on TV."
Decades ago, NCSU used to do that crap for access to the academic mainframe ("ACS"). Guess what? Almost every programmable calculator on campus (in an engineering school that's a lot of them) had the pad routine on it. (at least many of those in my circle did.) I recall at least one TN3270(?) macro for calculating the pad and filling it in. So, the challenge was next to useless.
(BTW, with appropriate access to ACS one could rewrite their transcripts. So the people you want to keep out the most are local to the system and thus aware of the pad -- and the ability to answer it.)
Why do you assume it went over my head?
So, what you say is that being actually able to grasp the subject of a case is not only not a reason to be part of the jury but actually a reason to be removed from it?
What should I base my judgement on if I don't even have the foggiest idea what's being tried? Whose tie looks better on him?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
For scoring my comment "redundant" even though it was one of the first few to appear here.
Maybe try reading the post time in the future?
Note I didn't say uncommon, I said narrow. The referenced speaker is "clubbing baby seals" as one of my professors liked to call it. He asked a simple question with an obvious answer, and then reframed the question to make his (non-obvious) answer correct. Some would see it as a good way of getting people to challenge their assumptions, I see it as being a dick and abusing your authority.
A much better way to frame the topic is to discuss specific ways that passwords can be attacked and thus more or less secure, ways to make secure passwords that humans can remember, ways to securely manage passwords without simply remembering them, not "do you think passwords should be secure? You're wrong, I'm right. Ha ha ha!" That's clubbing baby seals, and it's a crappy way to interact with your audience.
BTW, I work as a security consultant and trainer, and am very acutely aware of what passes for security in most companies and the US government.
Except Kamala Harris ran unopposed.
Look, okay, in SF we're screwed up. Maybe it's a magnetic field or something.
My filter was set too high. I did not see the post that was a reply to.
I was saying don't put PHBs who manage IT and don't know much about it on the jury, but put the real IT techs, admins and so on in there.
Idiot, moron, twit, retard, incompetant, tool, growup, fucktwit, iqof45
isn't this exactly the kind of mismanagement and ignorance that the sysadmin was trying to protect against?
The DA is an idiot. So are the rest of them.
They're using their grammar skills there.
The first article I read regarding this talked about a "new security officer" that was hired.
Personally I don't think much of security officers; usually they're A/R's without any real abilities, they know just enough to be dangerous, and are usually arrogant POS's.
I think Childs wouldn't give anything up to the new employee till he got a feel of this person's true ability. But the person just went over his head and started spreading doom and gloom till Mr. Childs was arrested.
I have yet to see this new security officer's name mentioned, gee, wonder why that is....
can you say "defamation of character" ??
In a properly designed system the pad calculator would include a private key shared with the auth server and create the password using the data presented and the private key.
I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
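The S/KEY-style challenge-response described above (and the "properly designed" variant with a server-side secret raised later) as an added Python example, not code from either post: a hash-chain one-time password scheme where the server keeps only the next hash in the chain, so the published challenge and any captured response are useless for the following login. The hash folding here is a simplified stand-in and is not RFC 2289-compatible.

```python
import hashlib
import secrets
from dataclasses import dataclass


def fold(data: bytes) -> bytes:
    """One chain step: hash and fold to 64 bits, as S/KEY does (simplified)."""
    return hashlib.sha256(data).digest()[:8]


def chain(passphrase: str, seed: str, k: int) -> bytes:
    """Apply the one-way step k further times to fold(seed || passphrase).

    Property used below: chain(k + 1) == fold(chain(k)).
    """
    x = fold((seed + passphrase).encode())
    for _ in range(k):
        x = fold(x)
    return x


@dataclass
class Account:
    """Server-side record: no passphrase and no shared key are stored."""
    seed: str
    count: int      # index of the hash currently on file
    stored: bytes   # chain(passphrase, seed, count)


def enroll(passphrase: str, count: int = 100) -> Account:
    """Client computes the top of the chain once; server keeps only that."""
    seed = secrets.token_hex(4)  # constructed public seed
    return Account(seed, count, chain(passphrase, seed, count))


def challenge(acct: Account) -> str:
    """The challenge is public by design: sequence number and seed."""
    return f"otp-sha256 {acct.count - 1} {acct.seed}"


def client_response(passphrase: str, chal: str) -> str:
    """What the user's calculator types back: hash number count-1."""
    _, k, seed = chal.split()
    return chain(passphrase, seed, int(k)).hex()


def verify(acct: Account, response_hex: str) -> bool:
    """Accept if fold(response) matches the stored hash, then step down."""
    if acct.count <= 1:
        return False  # chain exhausted; user must re-enroll
    try:
        resp = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if not secrets.compare_digest(fold(resp), acct.stored):
        return False
    acct.count -= 1
    acct.stored = resp  # a replay now fails: fold(resp) != resp
    return True


def demo() -> tuple:
    """Returns (first login ok, replay rejected, wrong passphrase rejected)."""
    acct = enroll("correct horse battery", count=5)
    first = verify(acct, client_response("correct horse battery", challenge(acct)))
    replay_ok = verify(acct, client_response("correct horse battery",
                                             "otp-sha256 4 " + acct.seed))
    wrong_ok = verify(acct, client_response("wrong passphrase", challenge(acct)))
    return first, not replay_ok, not wrong_ok


if __name__ == "__main__":
    print(demo())
```

The calculator on the user's side needs the passphrase, not the challenge, which is why a shared pad routine on every calculator (as in the mainframe story above) does not by itself defeat the scheme.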
Well since the Constitution grants him the right of discovery, if that was the only copy, all Childs has to do is file a motion to see the evidence against him to obtain those usernames and passwords, plus because they were entered into a court record, if he or a friend were to launch an attack or whatever, he would have reasonable doubt given that any court clerk, judge, DA, case officer, police officer, citizen/group/reporter filing an open record request, etc. can now see it. Better still, if the system were hacked while he was in jail he could use it as a defense, saying "Hey, when I was running things the network remained secure, but as soon as I was removed it was compromised, so how can the DA suggest to the jury that I was somehow putting the network at undue risk? The facts suggest otherwise." Just imagine how cool it would be to read on /. that this happened? Hum?
Honestly the more I read about this the worse SF managers and the DA look. How dumb are they, I mean they are disproving their own case; if I were Childs' lawyer, I would ask this question to the DA in front of the jury: "Just so I get this straight, because I am a simple man, you are telling us that this information was so confidential and put the city at so much risk that you publicized it yourself the same day that you made a statement about the dangers of Childs potentially releasing the information? Did you make sure the passwords and usernames were changed before doing so? Isn't it possible that the usernames alone being published could create a target point for hackers to work from? Allowing them to launch either DOS attacks if lockouts are set on these accounts or to continually work on cracking passwords if no lockout is set? Do you even have the technical knowledge to understand the details of this case without you yourself putting the city at risk like you 'allege' my client has? If Childs put the city at risk by having it on his computer and deserves jail time, what punishment should you get for filing it into the court records? Didn't security concerns worry you? Where is the confirmation the passwords were updated or the accounts deactivated before you entered sensitive information with the court?"
This is out of a comic strip, SF is run by idiots. Childs is not the problem, it is those that let him control everything so long as he did their work for them. Those are the people who should be on trial. It is a retarded DA that is 1). Putting city systems at risk for a prosecution and 2). Giving the defense more ammunition.
Respect the Constitution
"Your honor, my client did not feel comfortable giving sensitive system passwords to idiots. I'd like to enter prosecution's boneheaded public filing as Exhibit A."
They released ALL damn passwords in a public record.
Anyone (who already has physical access to this network), which could be quite a lot of people, could have various degrees of access to the network.
I'm sure hackers who already got a way to the network perimeter would like these passwords too.
The ensuing chaos will prove he was right, sadly they will make him the scapegoat for it too, none will see (or admit) Childs was right.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Note I didn't say uncommon, I said narrow. The referenced speaker is "clubbing baby seals" as one of my professors liked to call it. He asked a simple question with an obvious answer, and then reframed the question to make his (non-obvious) answer correct.
The obvious answer is obviously wrong, because there is no limit on how strong and secure one can make one's passwords and policies (e.g. 500 characters from base64 in equal amounts without patterns changed every 10 minutes). The limit has always been the usability of the resulting system, which seems to be forgotten all too often.
Pre-shared X.509 certs, plus an optional pre-shared transport access key.
That said, incredibly, I've seen some sysadmins email OpenVPN certificate/key pairs around. :-( In both cases, people who considered themselves security experts...
If you aren't already using it, check OpenVPN out, it's wonderful.
you had me at #!
"Strong and secure" has more variables than simply "long and random". That was the presenter's point, and I'm not arguing with it. I'm just saying the rhetorical methods he used to make it are mean-spirited, in an "I'm better-than-you" kind of way.
The obvious answer is right, passwords should be as secure as possible, but secure must take into account the ease of use for the human as well as length, character set, and randomness.
Once again, I'm not disagreeing with the point the presenter made, just saying the way he made it makes him kind of a jerk.
Blessed are the pessimists, for they have made backups.
Maybe if you don't have to write them down they are too weak. The real issue isn't how secure the password is but how well the password is secured. Obviously a sticky note on the monitor is not enough, and a biometric that locks you out for 2 weeks because you cut your finger is too much; somewhere between the two extremes will be the appropriate sweet spot for any given situation. What most people are confused about is thinking a weaker password being kept in the mind vault is more secure than a stronger password kept in a physical vault; the reality is the mind vault is subject to vulnerabilities that a physical container isn't.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Or its old friend, "ytrewq".
But there is the ever popular "qpwoeiruty"
But I prefer "qwertie"
I am very small, utmostly microscopic.
afaik the network is currently up and running thanks to Childs
and muni-wifi would be open (not VPN) so it takes almost no administration (at least zero security)
and btw, what do commies have to do with anything?
------ no thanks... I've quit
I was getting ready to post about dual factor systems in response to your post and then I read your last lines. I guess I'll just second what you said; despite the tin-hatters' objections about physical security, an access card with 1 (one) password for nearly everything is far more secure (both physically AND bitwise) than my folded-up post-it that contained all seventeen UN/passwords that I needed in order to do my job. I'm now down to 7 or 8 passwords, but they are used infrequently. In fact, some of them are used so infrequently that I need to reauthenticate the account via email when I do need it, so I don't know why I even write the passwords down.
Anyways, my point to the paranoid among you:
-You will not need to write down your 7-10 digit numerical password if that is the only one you use, and you use it often
-If you lose your card, it is useless without the password
-You cannot brute-force the military CAC card login; it has a 3-strikes policy*
-etc.
*I should mention that the 3-strikes wrong password policy is a great way to get back at the assholes who leave their WinXP workstations logged in with their CAC still in the card reader ("this workstation can only be logged out by user Stupid.Ass or an administrator"). Remove card, insert card. Type nonsense, press enter. Repeat two more times. Instant 15-minute support call to get access back.
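The "3-strikes" lockout in the post above, and the remark earlier in the thread that published usernames plus a lockout policy let anyone keep an account locked, are two sides of the same design trade-off. The following is an added example, not anything from the city's systems or the commenters, of a failed-login throttle that keeps guessing expensive without letting a burst of wrong passwords lock a legitimate user out indefinitely: once the threshold is hit, each further failure doubles a self-expiring delay (capped), a quiet period forgives old failures, and a successful login clears the state. The thresholds and delays are assumed values for illustration, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords seen for this account
    last_failure: float = 0.0  # clock reading of the most recent failure
    blocked_until: float = 0.0  # attempts are refused until the clock passes this


class LoginThrottle:
    """Per-account backoff that degrades gracefully instead of hard-locking.

    A fixed "N wrong tries and the account is locked until support unlocks it"
    rule turns every known username into a lever for denying service to its
    owner.  Exponential, expiring delays keep the cost of guessing high while
    bounding how long anyone can keep the real user out.  All parameters below
    are assumed for the example, not taken from any real policy.
    """

    def __init__(self, threshold=3, base_delay=30.0, max_delay=900.0,
                 reset_after=3600.0, clock=time.monotonic):
        self.threshold = threshold      # failures allowed before delays start
        self.base_delay = base_delay    # seconds imposed at the threshold
        self.max_delay = max_delay      # ceiling on the doubling delay
        self.reset_after = reset_after  # quiet seconds after which failures are forgiven
        self.clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def check(self, username: str) -> tuple[bool, float]:
        """Return (allowed, seconds_until_allowed) for an attempt made now."""
        st = self._state(username)
        now = self.clock()
        if now < st.blocked_until:
            return False, st.blocked_until - now
        if st.failures and now - st.last_failure > self.reset_after:
            st.failures = 0  # long quiet period: start counting afresh
        return True, 0.0

    def record_failure(self, username: str) -> float:
        """Note a wrong password for an attempt that check() allowed.

        Returns the delay imposed in seconds (0 while under the threshold).
        """
        st = self._state(username)
        now = self.clock()
        st.failures += 1
        st.last_failure = now
        if st.failures < self.threshold:
            return 0.0
        # 3rd failure -> base_delay, 4th -> 2x, 5th -> 4x ... up to max_delay
        delay = min(self.base_delay * 2 ** (st.failures - self.threshold),
                    self.max_delay)
        st.blocked_until = now + delay
        return delay

    def record_success(self, username: str) -> None:
        """A correct password clears all accumulated state for the account."""
        self._accounts.pop(username, None)


class FakeClock:
    """Constructed clock so the timeline can be stepped by hand."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo_timeline() -> list[str]:
    """Walk one account through failures, backoff expiry and a success."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    log = []
    for i in range(1, 5):
        allowed, wait = throttle.check("alice")
        if not allowed:
            log.append(f"attempt {i}: refused, {wait:.0f}s remaining")
            clock.t += wait  # wait it out, as a real user would
            continue
        delay = throttle.record_failure("alice")
        log.append(f"attempt {i}: wrong password, delay now {delay:.0f}s")
    throttle.record_success("alice")
    log.append(f"after success: allowed={throttle.check('alice')[0]}")
    return log


if __name__ == "__main__":
    print("\n".join(demo_timeline()))
```

The point of the injectable clock is that the policy can be unit-tested for both properties at once: an attacker burning failures against a known username pays a growing delay, and the account is never left in a state that only a support call can clear.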
No offense, but I've stopped responding to AC's.
No. Not as strong as possible, as strong as practical. The security trainer was showing that it's possible to make your policy so strong it was impractical, and that's what weakened the passwords.
Good, inexpensive web hosting
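The strength-versus-practicality argument running through this thread (the "500 characters changed every 10 minutes" policy, "as secure as possible" versus "as strong as practical") is easy to put numbers on. This is an added illustration, not something any of the commenters posted: it scores two constructed policies by entropy and by how many things a person has to memorise, showing that a passphrase of a few random dictionary words out-scores a shorter random character string while being easier to carry in one's head. The 1e10 guesses/second cracking rate is an assumed figure used only for scale.

```python
import math

PRINTABLE_ASCII = 95    # symbols a user can type on a US keyboard
DICEWARE_WORDS = 7776   # 6**5 entries, the size of a Diceware-style word list


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret drawn uniformly: symbols * log2(choices per symbol)."""
    return symbols * math.log2(choices_per_symbol)


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniform secret: on average half the space is tried."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 86400)


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Rate two constructed policies by strength and by memorisation burden.

    'items_to_memorise' counts the independent random pieces a person must hold
    (characters for one policy, words for the other); it is the usability axis
    the thread keeps pointing at, not a measure of guessing resistance.
    """
    policies = {
        "10 random printable chars": (PRINTABLE_ASCII, 10),
        "6 random dictionary words": (DICEWARE_WORDS, 6),
    }
    report = {}
    for name, (choices, count) in policies.items():
        bits = entropy_bits(choices, count)
        report[name] = {
            "bits": round(bits, 1),
            "items_to_memorise": count,
            "years_to_guess": years_to_guess(bits, guesses_per_second),
        }
    return report


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name}: {r['bits']} bits, {r['items_to_memorise']} items to "
              f"remember, ~{r['years_to_guess']:.3g} years at 1e10 guesses/s")
```

Rotation every 10 minutes adds nothing to either column; it only shortens the window a leaked value stays valid, which is a separate property from how hard the value is to guess.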
... My first thought was that they were probably there so that when a user complains about a forgotten password they could be reminded of what it was, rather than changing it to something else that will be easily forgotten. I've been in plenty of places where the same users constantly can't login because of "system issues" when it's really a forgotten password.
That being said, I don't keep user passwords on-hand, but if I did they would be in a secure encrypted file.
The obvious answer is right, passwords should be as secure as possible, but secure must take into account the ease of use for the human as well as length, character set, and randomness.
I think you're confusing how secure a password is and how secured a password is. IOW, how hard a password is to guess and how it is stored when it is not used. Machines have no trouble using 512-, 1024- or 2048-bit secret keys let alone much shorter passwords, so in that vein, how long a secret key would you consider to be as secure as possible?
Well, some smartass came around and marked THAT one as redundant, too. Just to prove he/she could, I guess.
Yeah, do we really need the redundant moderation anyways?
Just think if those icons had gotten loose!! You would have had some serious explaining to do. I always encrypt my icons with md5.
When he said that they'll screw everything up, and refused to give them access, they put him in jail. Give them access (Just to say I told you so). When they screw it up, they'll still blame him for the problem.
1. Any network guy who refuses to give his supervisors the passwords to the equipment should at least be fired forthwith and blacklisted from ever working as a network administrator ever again, no matter how incompetent he thinks his managers are.
2. The fact that his managers even allowed this to happen in the first place is prima facie evidence IMO that they ARE raving incompetents.
3. The DA is introducing into evidence as examples of "bad dealing" things that are part and parcel of being a network engineer. You network engineers out there need to be very worried.
Back when I started in this business many moons ago, when knowing what VTAM, TCAM, SNA, and SDLC were, and knowing how to interpret Burroughs Poll and Select protocol was important, I was in a position to do sort of what this guy did, but I went out of my way to try to make sure my fellow workers and also managers knew what was up.
In my last position, we engineers weren't even allowed to change the router and switch passwords. A security group did it and disseminated the new passwords via our managers.
Please reference the title of this thread. We're way out in the weeds now, and arguing about semantics.
Here's how I see it, and you're welcome to disagree.
It appears you're defining secure as simply strength, which includes randomness, length, and character set.
I'm defining secure as, well, secure, taking in account at minimum both strength and human usability factors.
Security == strength + usability.
Strength is a subclass of secure.
Length is a subclass of strong.
Randomness is a subclass of strong.
Character set is a subclass of strong.
Human usability is a subclass of secure.
Memorability is a subclass of human usability.
Length is a subclass of memorability.
Randomness is a subclass of memorability.
There is overlap between the characteristics of strength and usability, which is why password policies are hard to get "right".
It's all semantics. I disagree with your assertion that putting secure in the past tense for human usability factors makes sense, but at least you're defining your words. ;-)
This whole discussion started by saying that an instructor who was making a valid point through using poorly defined terms was being a dick.
I think in this thread I have sufficiently made my point, you're welcome to have the last word if you like, but I'm done here.
Blessed are the pessimists, for they have made backups.
... if they can't get through the tubes!
At first I thought he was a nutjob, but judging from the EXTREMELY STUPID act the D.A. just did, I think that the admin was totally right.
Unbelievable. Disclosing all passwords to a VPN that contains sensitive information.
It doesn't make any difference whether it is not accessible via internet, because there are A LOT of employees that can access that VPN and use those passwords. And it's all the worse if they shut down the VPN until they change passwords; it will mean service disruption for many people due to work slowing down in whichever department uses that VPN.
No sir. If there is anyone that should be prosecuted, it's that STUPID D.A. I really mean it. Really unbelievable.
Read radical news here
What a dick method for getting the last word.
Sometimes, life itself is sarcasm...