SF Reveals Usernames And Password To City Network In Accidental Effort To Prove Terry Childs' Case For Him

from the that-would-be-an-oops dept

In the ongoing lawsuit against the disgruntled city of San Francisco tech worker, Terry Childs, who held the city's network somewhat hostage for a few days (before finally coughing up the admin password to Mayor Newsom), the San Francisco DA has now entered into evidence approximately 150 usernames and passwords of individuals who log into the city's network via a VPN from home. City officials don't seem too concerned that they're revealing the usernames and passwords, even though that would appear to be a huge security violation.

From the description, it sounds like the system uses two-factor authentication, so beyond username and password, users also have to enter in a second code (perhaps provided by an RSA key or something like that). However, that still doesn't mean that revealing the usernames and passwords was smart. It's still a tremendous security violation. It's hard to see why they couldn't have submitted that as evidence that needed to be kept secret, given the nature of it. Also, it would seem that revealing all this info actually does much more to help Childs' case: he claims he was keeping the admin password secret because city officials weren't very good with security, and would have compromised the system. And, indeed, it appears that's what they've now done.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    GeneralEmergency (profile), Jul 25th, 2008 @ 7:25pm

    Ahh Mike....

    What's it like to have a job where, every damn day you get to Bitch Slap the Stupid into next week?

    Seriously. We all want to know.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Dimitri, Jul 25th, 2008 @ 8:11pm

    Well...

    I believe I read in another article that these plaintext passwords were found on Terry Child's computer after it was confiscated. But, while he may have opened the door, they have definitely walked through it.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    wasnt me, Jul 25th, 2008 @ 9:50pm

    this is starting to look like one of those RIAA cases.

    here is more info from CW http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    bobbknight, Jul 25th, 2008 @ 11:29pm

    It Would Be Hard

    I would find it very hard to convict Terry Childs of any crime or of any civil suit at this point.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    John, Jul 26th, 2008 @ 6:31am

    Typical managerial style behaviour!

    Hi, I had to laugh at this one, in fact tears are streaming down my face as I write.
    These fools who run companies, or work as civil servants, are generally introverted humourless idiots who are dedicated only to perpetuating their own systems. There is little commonsense, and almost zero inspirational or creative thinking.
    I cannot for the life of me imagine why passwords etc would be revealed publicly for any case, let alone one where the accused is being 'nailed' for a similar act.
    Like bobbknight says, it might have just blown the prosecutions case by proving how unimportant security is. I bet the defence lawyer got a good laugh out of it.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    R3d Jack, Jul 26th, 2008 @ 9:57am

    Let's start a pool...

    Whoever comes closest to the guessing the number of those 150 users who bothered to *change* their passwords within 24 hours after they were revealed wins. I'm taking 3. Or maybe the DA got an injunction prohibiting them from changing their passwords until after the trial?

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Nick (profile), Jul 26th, 2008 @ 12:04pm

    This reminds me of the the scene in Ghostbusters where the EPA guy shuts off the power (not understanding the consequences) and release the ghost.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Chuck, Jul 26th, 2008 @ 12:44pm

    Let's hope that before the information was released the city administrators had stopped the VPN and then made each and every person who needed a password to physically come to the office get a new username and password, plus justify the VPN use from home.

    My two cents worth

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Carl, Jul 26th, 2008 @ 2:12pm

    Another witch hunt by the locals....

    At some point someone in this case is going to have to wake up and smell the coffee. The type of systems, networks and infrastructure that this admin was responsible for are no different than any other large company or city's/municipality's networks anywhere else. They are very complicated requiring specialized knowledge, experience, and skill.

    So what do we have here, after much personal investigation into the matter this is what I find...

    The admin established security protocol and everything was fine - until users started to bark. The real problem here is control, who has it and who feels a lack thereof. This is a common problem in the IT work environment and this case may help to bring the problem into focus a bit. The problem of non-technical employees requesting/demanding access to resources that they do not currently have or need. This is by design and is the way things should be. The ultimate IT sin? Providing the Administrator's Username & Password to ANY unauthorized person - even if that means law enforcement.

    Security policy is established early on and is adhered to strictly - no exceptions. A title does not automatically grant security clearance to anyone in any environment. This is important stuff because we are not talking about mom's recipe or your girlfriend's diary. We are talking about highly secure, private and often sensitive data that is not meant to be seen by just anyone. These systems are no different in relation to this argument than highly secured (one should hope) government and Department of Defense networks. They deserve the same treatment and respect thereof; a strict and enforced security policy. The administrator, or individual(s) in charge of that system should also be afforded the respect of the users to lay off the "entitled" BS.

    Administrators are unsung heroes tasked, on a day-to-day basis, to keep businesses running smoothly; protecting them from constant dangers and multi-tasking in ways that most people don't or won't acknowledge. Admins often have to perform "magic" to comply with very often unrealistic and down-right ridiculous requests from users, managers and most off all...CEO's and presidents.

    Every bit of work that is performed anywhere in the world by admins and support technicians takes planning, engineering, development and testing to get right. It doesn't happen in days but more often weeks and months. That is the nature of IT work - plain and simple.

    It does not surprise me then to read that this admin was determined to prevent "lamens," or users, from potentially compromising any of the systems he was responsible for maintaining. Especially when it is government employees he is dealing with!

    Take a moment to reflect: Think of what would happen to the economic world if all of the Administrators (read: people who know what they are doing) in the world Unionized! Think about it. Cases like these are the kind that spur workers into forming unions that can protect them and stand up to the unrealistic demands society often places on its workers - especially the societal "infrastructure" workers such as this admin.

    People like this defendant wear 17 hats a day to most peoples' one or two. They are expected to perform miracles that even Scotty would be hard pressed to pull off.
    As an IT Director for a company that provides small to large businesses end-to-end network, user and systems support solutions (read:contracted IT Administration), I am deeply disturbed by the lack of reason and logic taking place in this case.

    This was a very funny development yes - and every bit ironic. It is also a very sad statement concerning the "lamen's" place in the technical world.

    There are reasons why Administrators do the things they do; why they seem "arrogant", "power-mad", even belligerent at times. It is because they know what they are doing....the rest do not. Don't take it personally - it is what it is.

    The fact that this solitary individual holds the keys to the kingdom, however, is rather unsettling to me. That is a simple management issue though and should have been handled internally - nothing to make a case over.

    Ultimately a multi-tiered system of administrators and key holders is the industry accepted and standard method of maintaining unbiased, secure and intelligent control of a network or system. As far as control goes - it sounds to me like a lot of people working within the network are just a little too upset about some "geek" having more influence, power and control over the city than they do. This is as it should be where IT systems are concerned. Let the professionals do their jobs. I can only assume the defendant holds the Administrator position because he earned it and knows what he is doing - which is a lot more than any of the users of that network can say I would bet.

    I certainly would not higher a cop to do this Administrator's job anymore than I would higher a chemist to patrol our streets.

    We are talking about our government though so it is not surprising to see these developments in this case. Suffice it to say, IT technicians, PC support persons, engineers, network admins, programmers, etc....have very difficult jobs to do. By many estimates and statistics that are publicly available, these are some of the most demanding and stressful jobs on the planet. I salute the defendant and wish him luck. Indeed, I fear the outcome of this case as anything other than complete exoneration would set a very dangerous precedent.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Howard_NYC, Jul 26th, 2008 @ 3:37pm

    MBAs know best...

    beancounters pick up an MBA, get their CPA, and suddenyl understand all, know all, and best of all, can browbeat everyone into surrendering safety margin... rember the power outage...? 60 million people in the dark?

    site: nameless corporation

    before: three flashlights, three sets of overage batteries

    during: cigarette lighters -- my buddy described it as a flashback to a Pink Floyd concert -- as well laptops carried around for illumination...

    after: three flashlights and no batteries

    IT-nerd: we need new batteries for the flashlights... we need more flashlights...

    beancounter: just make due... how often does the Eastern Seaboard get blacked out?


    *S*I*G*H*

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Jul 26th, 2008 @ 9:47pm

    Re: good movie

    Moron! Do you think *anyone* reading this blog wants. or needs, to pay for movies on the internet. Get a clue, doofus.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Jul 27th, 2008 @ 8:18am

    How many of the outed users have been using the same password and/or username for their email, banking, etc. as the city VPN? It's likely more than half, so all you city workers out there change them all and send a nice letter to the DA (Dumb Arse?) expressing concern over the lackadaisical and irresponsible handling of user data.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Jul 27th, 2008 @ 10:01am

    blogspam

    What's up with the spam.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jul 27th, 2008 @ 8:46pm

    outside

    The question for me is how many of those users are also using the same password for all of their personal accounts outside of work. They probably just made 150 people excellent targets for identity theft.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Jul 27th, 2008 @ 10:42pm

    Re: Another witch hunt by the locals....

    Very well put, though stuff like "I certainly would not higher a cop to do this Administrator's job anymore than I would higher a chemist to patrol our streets" really messes up your delivery.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Liquid, Jul 28th, 2008 @ 5:56am

    Re: Another witch hunt by the locals....

    Very well put Carl. You are very right. The average user (i.e. lamens) does not understand what we in the IT profession have to deal with on a day to day basis. The choices that we make are what makes or breaks our career with a company(s). The demands put on us by the users, and the people in management are really strenuous. When something goes wrong it doesn't matter who asked for it or demanded it we are always the ones to blame. The users automatically assume that the network will be there, and that they can do what ever they want on it just like at home.

    Your point on IT Union(s) is a good one as long as it is understood that you must maintain a certain level of knowledge. You must also continue learning, because lets face it once you get to a point in your career you stop paying attention to certain things that you don't deem important to your job function, and just leave it up to either the new generation of IT Pro's or the people that follow certain things. If there isn't any standards set in place for something of this nature then you will have sub-par IT Managers, Admins, and Techs out there that do not understand new technology as it comes out.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Liquid, Jul 28th, 2008 @ 6:03am

    Re:

    You would think that they would have a security policy in place that would limit the time, and use of password. The better question would be how well trained are the users on security. How many of them have their passwords on a sticky note taped to their monitor or hidden under their keyboard? It doesn't matter at that point of someone gives out that users password, because they all ready have by doing either one of those things. Also another question would what kind of passwords are they using?

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    Nick (profile), Jul 29th, 2008 @ 9:01am

    Putt's Law: Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand.
    http://en.wikipedia.org/wiki/Archibald_Putt

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Jeana Pieralde, Aug 14th, 2008 @ 6:27pm

    Terry was the VPN administrator.

    It should probably be mentioned in this thread that the passwords which were found on Terry Childs' computer and which the assistant district attorney made public were for VPN access. Terry Childs was the administrator of the MPLS VPN WAN. It was his job to manage the VPN, including creating the access keys. No surprise that he had the passwords and in no way is it evidence of a crime.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    peymanpich, Jan 11th, 2009 @ 5:06pm

    free vpn

    lol

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This