LAPD Exposes Login To Data Harvesting Software During Interview With CNN

from the as-secure-as-Darth-Helmet's-luggage dept

The Los Angeles Police Department has obtained tons of data over the past several years and that amount of data increases exponentially every year. In addition to its criminal databases, it also collects thousands of license plate time-and-location data points every day and has deployed other forms of surveillance (like Stingray devices), gathering even more data surreptitiously.

Of course, the LAPD feels it can be trusted with all of this data. It claims to have controls in place to prevent unauthorized access to information related to non-criminal Los Angeles citizens. Working with Palantir, the LAPD has instant access to a vast amount of gathered data — a database so impressive it spent a bit of time bragging about it to a CNN reporter. (via Lowering the Bar)

The CNN video shows LAPD Sergeant Jason O’Brien using Palantir to search for data on a burglary suspect.”After searching over a hundred million datapoints, Palantir displayed an impressive web of information,” said CNN reporter Rachel Crane. Palantir’s interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot). The video also shows Sergeant O’Brien accessing the LAPD’s automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.

With all this information come strict controls, or so the LAPD would like you to believe.

Captain Romero told CNN that the LAPD “cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing.”

And yet, during this same CNN taping, the LAPD shows just how careless it is about protecting data. Written on a whiteboard for anyone to see is the login and password to its CAMS (Computer Analysis Mapping System) training system.


While this may be training access only and wholly separated from the actual system and its hundreds of millions of datapoints, it’s still not a good idea to leave logins and passwords publicly displayed. Sure, whoever wrote it probably thought no one but cops undergoing training would ever see it (along with the filepath to the CAMS data), but the person or persons OKing the interview should have made a sweep of anything the camera might see. It’s simply lousy operational security and it’s the sort of thing you never want to see an entity with access to “hundreds of millions of datapoints” do.

Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals [sic] back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still… [T]he whiteboard depicted in the CNN video casts doubt upon the LAPD’s ability to keep its data private.

Freedom du Jour points out that the LAPD’s negligent attitude towards security has been encountered before. Documents acquired by the EFF and ACLU showed that officers were given the following name and password to log into their ALPR terminals.

Name: LAPD
Password: [blank]

Two years later, the LAPD decided the system might need a password.

Name: LAPD
Password: LAPD

These are the people who claim they can ensure hundreds of millions of datapoints won’t be accessed without authorization, thanks to policies and strong statements given to credulous CNN reporters. But this shows that the LAPD’s security measures border on nonexistent and its interest in protecting the data of Los Angeles citizens is minimal.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “LAPD Exposes Login To Data Harvesting Software During Interview With CNN”

Subscribe: RSS Leave a comment
39 Comments
Mason Wheeler (profile) says:

Re: Re:

I don’t know about the LAPD specifically, but a lot of police departments have an official policy of not hiring very intelligent officers (as in literally if you score above a certain amount on an IQ test–and sometimes the cutoff is below 100–you don’t get the job) because smart people might end up doing something dangerous like thinking for themselves rather than following orders.

That One Guy (profile) says:

Re: Re: Re: Re:

Actually I could totally believe that, much like Mason notes above, the smart ones are likely to actually think about what they’re being asked/ordered to do, and assuming they’re not sadists and/or sociopaths, that is likely to lead to them quitting(since reporting corrupt cops to corrupt cops isn’t likely to help, and they’d know it).

Anonymous Coward says:

Re: Re: Re:

Yep, saw a documentary about a guy who wanted to be a cop and both his town and state refused him for being too smart, that he would get bored.

Thankfully in my Canadian province, cops need to take 3 years of college before even hitting the academy (even have to take Calc I) and even then it doesn’t mean they’ll become a cop. 3/4 of them end up in private security(they can’t have guns here).

Only problem is we have an overload of private security these days, the other day I saw this obviously roid’d agent with an all black suit with SECURITY in what must have been 64 inches font in white in the back IN A SUPERMARKET.

John Fenderson (profile) says:

Re: Re: Re:

“It’s a non-story from a security standpoint.”

Not true. There are two fairly major security issues here. First, “training systems” and “production systems” are frequently the exact same system, but with special accounts used for training purposes. Having a login to a training account makes it easier to to obtain logins to production accounts or to the database itself.

Second, and more worrying, it exhibits a cavalier attitude to security that more than likely permeates the entire organization. Security conscious people do not relax their standards because “training”. Security is a matter of overall habit, not something that is conditionally applied.

Trevor says:

Luggage

[King Roland has given in to Dark Helmet’s threats, and is telling him the combination to the “air shield”]
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!

President Skroob: Did it work? Where’s the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What’s the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That’s amazing. I’ve got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: [looks at each other]

Berenerd (profile) says:

Lets be fair...

They are cops, not IT security gurus. I mean, I had a job working with a branch of state police where the Shift head told me after being reported for the 5th time setting up his laptop to automatically log him in (getting around the windows policies because we had to give him admin access) that people who are going to break in his car will most likely steal the shotgun that is bolted and locked into the floor than the laptop sitting on the front seat booted up and running.

Yeah…that happened. Another one also wanted me to sign a contract that I wouldn’t steal any of his pirated software.

Matt Goff (profile) says:

Don't Cheapen Real Security Screw-ups

Who cares? I have run IT training many times where I put the shared login up on a whiteboard. It’s pretty standard practice to have an isolated training instance and to load dummy data so you don’t have to worry about specific user rights.

Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.

Matt Goff (profile) says:

Re: Re: Don't Cheapen Real Security Screw-ups

Michael, name calling isn’t very productive. It’s an easy thing to do while cloaked in the anonymity of the internet (and while disregarding Techdirt’s request to use your real name), but I wonder if you would speak to someone like that in person.

Back to the LAPD: Why do you assume it isn’t dummy data? In addition to leading classes, I have also attended dozens and NEVER ONCE has the training system had real data. We don’t even use real data in our dev environments– only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.

Michael (profile) says:

Re: Re: Re: Don't Cheapen Real Security Screw-ups

First, my name is actually Michael.

Second, I was not name calling. Bad security practice is bad security practice. Writing down a username and password combination is simply bad practice – it is insecure. It is particularly insecure to do it somewhere that a CNN camera is going to be. Using the rational that you have done it as evidence that it is ok is narcissistic.

As far as the dummy data? I am glad to hear you have only worked in environments in which training data is not at least partially actual data. It is also absolutely bad practice. I can let you know that after working in the legal and IT departments of software companies, major multi-media companies, health care companies, government contractors, and a state motor vehicle department, the only place I have seen this ALWAYS followed is at a couple of software companies.

If you live in the united states, I can almost guarantee that you have personal information stored in training and test environments.

Matt Goff (profile) says:

Re: Re: Re:2 Don't Cheapen Real Security Screw-ups

First, in my opinion you’re not in keeping with the spirit of the “real name” request (and, in my opinion, you know this).

Second, you called me “a special kind of narcissist.” Technically you only implied it, I suppose.

Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there’s no reason to worry about training credentials being revealed.

Really, what’s the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it’s in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).

John Fenderson (profile) says:

Re: Re: Re: Don't Cheapen Real Security Screw-ups

I don’t see where he engaged in name-calling.

“It’s an easy thing to do while cloaked in the anonymity of the internet”

If the internet has shown us anything, it’s that it’s equally easy to do when you are using your real name. Anonymity doesn’t enter into it.

Anonymous Coward says:

Re: Re: Re:2 Don't Cheapen Real Security Screw-ups

… anonymity…

Yo! FENDERSON!!

Where does Techdirt have a “‘real name’ request” or “request to use your real name” ? Is there something like that in the account signup process? ‘Cause I’ve never seen that–otoh, I’ve never bothered to get an account here, either.

If there actually was some kind of “real name policy” here, I think I might be philosophically opposed. Further, I kinda, sorta, just suspect Masnick might be philosophically opposed, too.

Anonymous Coward says:

Re: Re: Re:4 Don't Cheapen Real Security Screw-ups

What does Techdirt’s policies have to do with anything?

Did you actually read the comments of the person, this soi-disant “Matt Goff”, to whom you were replying? (He made these weird claims.)

Or is actually reading comments too much like actually reading court opinions?

jsf (profile) says:

Re: Re: Re: Don't Cheapen Real Security Screw-ups

The only time I have seen training systems that used dummy data were third party training. Every internal training system I have seen has always been a full or partial clone of a production system. In fact the training system is almost never a separate system just for training. Usually it is a test or development environment. Hell I have even seen training done on a production system.

Sure best practice would be to have a separate training system with dummy data, but most of the world doesn’t work that way because management just see’s it as a extra unnecessary cost. Much like electronic/software security in general.

orbitalinsertion (profile) says:

You don’t show login credentials, regardless if they are for practice, and in a supposedly isolated training environment. First off, you are now training people wrong, second, never assume that “isolated environment” is as isolated as your wishful thinking would have it.

But what i find is more important is the passwords mentioned at the bottom of the article. Not only do they suck, but this is a shared login? No way to track who did what and when. Utter and complete bullshit. Probably by design.

And they aren’t IT gurus? They don’t have to be, they just need to be reasonably educated users, but that is too hard for them, and apparently their apologists. But let’s roll with the “not IT gurus”: How the hell cam you reasonably expect them to do anything legally or in the proper fashion while they are pursuing their favorite new bugaboo, “cyber”crime?

Look, if the cops aren’t good at what they are doing, you don’t defend them, you replace them, if they refuse to be educated. They’ll nail you for any ridiculous (even perceived or made up) infraction if they don’t like the way you look. But rules or sensible behavior for cops? Oh my, no.

Anonymous Coward says:

Maybe the first thing he should have taught them is how to create a secure password /log-in , It makes sense from a training stand point to teach the new guys who may not be tech savvy how to create a better more secure password, just my opinion .. leading and training by example and teaching good habits would be considered a better alternative dummy data or not.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...