LAPD Exposes Login To Data Harvesting Software During Interview With CNN

from the as-secure-as-Darth-Helmet's-luggage dept

The Los Angeles Police Department has amassed an enormous amount of data over the past several years, and the pile grows every year. In addition to its criminal databases, it collects thousands of license plate time-and-location records every day and has deployed other surveillance tools (such as Stingray devices) that gather still more data surreptitiously.

Of course, the LAPD feels it can be trusted with all of this data. It claims to have controls in place to prevent unauthorized access to information about Los Angeles residents who are not suspected of any crime. Working with Palantir, the LAPD has instant access to a vast amount of gathered data, a database so impressive that it spent a bit of time bragging about it to a CNN reporter. (via Lowering the Bar)

The CNN video shows LAPD Sergeant Jason O'Brien using Palantir to search for data on a burglary suspect. "After searching over a hundred million datapoints, Palantir displayed an impressive web of information," said CNN reporter Rachel Crane. Palantir's interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything. The video also shows Sergeant O'Brien accessing the LAPD's automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.
With all this information come strict controls, or so the LAPD would like you to believe.
Captain Romero told CNN that the LAPD "cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing."
And yet, during this same CNN taping, the LAPD shows just how careless it is about protecting data. Written on a whiteboard for anyone to see is the login and password to its CAMS (Computer Analysis Mapping System) training system.


While this may be training access only, wholly separated from the production system and its hundreds of millions of datapoints, it's still not a good idea to leave logins and passwords publicly displayed. Whoever wrote it probably assumed no one but officers undergoing training would ever see it (along with the file path to the CAMS data), but the person or persons OKing the interview should have swept the room for anything the camera might capture. And "training only" is a weaker reassurance than it sounds: training instances are routinely clones of production data, or simply training accounts on the production system itself, so a leaked training login is often the first step toward the real thing. It's simply lousy operational security, and it's the sort of thing you never want to see from an entity with access to "hundreds of millions of datapoints."
Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals [sic] back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still... [T]he whiteboard depicted in the CNN video casts doubt upon the LAPD's ability to keep its data private.
Freedom du Jour points out that the LAPD's negligent attitude towards security has been encountered before. Documents acquired by the EFF and ACLU showed that officers were given the following name and password to log into their ALPR terminals.
Name: LAPD
Password: [blank]
Two years later, the LAPD decided the system might need a password.
Name: LAPD
Password: LAPD
These are the people who claim they can ensure hundreds of millions of datapoints won't be accessed without authorization, thanks to policies and strong statements given to credulous CNN reporters. But this shows that the LAPD's security measures border on nonexistent and its interest in protecting the data of Los Angeles citizens is minimal.
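The two ALPR logins quoted above (a blank password, then a password identical to the shared username) are exactly the cases a credential policy check should refuse before an account is ever handed out. The following is an added example, not code from this article, from the LAPD, or from any vendor it uses: a small Python audit that flags blank passwords, passwords equal to or containing the username, well-known defaults, short passwords, and generic shared account names that leave no per-user accountability. The deny list, the generic-account list, the 12-character minimum, and the sample accounts are all constructed assumptions for illustration; it also covers the admin/admin style of default the article's commenters joke about, which the article itself does not list.

```python
"""Credential policy audit for the failure modes described above.

Added example, not code from the article, the LAPD, or any vendor. The deny
list, the generic-account list, the length minimum, and the sample accounts
are all constructed for illustration.
"""

# Well-known default or trivial passwords (constructed; a real deployment
# would check against a far larger list, e.g. a breach corpus).
DENY_LIST = {"password", "admin", "1234", "12345", "123456", "guest", "training"}

# Account names that imply a shared login with no per-user accountability
# (constructed assumption; tune to the organisation's naming scheme).
GENERIC_ACCOUNTS = {"lapd", "admin", "administrator", "guest", "training", "root"}

MIN_LENGTH = 12  # assumed policy minimum, not a documented LAPD setting


def credential_failures(username: str, password: str) -> list[str]:
    """Return every policy violation for one credential pair.

    An empty list means the pair passes. Account-level checks come first so
    the output reads naturally in an audit report.
    """
    failures: list[str] = []
    if username.lower() in GENERIC_ACCOUNTS:
        failures.append("shared or generic account name")
    if password == "":
        failures.append("blank password")
        return failures  # the remaining checks are meaningless for an empty string
    if password.lower() == username.lower():
        failures.append("password equals username")
    elif username.lower() in password.lower():
        failures.append("password contains username")
    if password.lower() in DENY_LIST:
        failures.append("well-known default password")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    return failures


def audit(accounts: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Audit (username, password) pairs and return only the failing ones.

    The result is a list rather than a dict so that repeated usernames
    (the same shared account issued twice) are each reported.
    """
    report = []
    for username, password in accounts:
        failures = credential_failures(username, password)
        if failures:
            report.append((username, failures))
    return report


# Constructed sample: the two ALPR logins quoted in the article plus a
# fictitious per-user account that passes.
SAMPLE_ACCOUNTS = [
    ("LAPD", ""),
    ("LAPD", "LAPD"),
    ("jdoe", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {', '.join(problems)}")
```

Run against the sample, both LAPD entries are rejected on two or three grounds each while the per-user account passes; the point of returning a list of reasons rather than a boolean is that a report like this is what an auditor actually needs to argue for replacing a shared login with individual accounts.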


Reader Comments

  1.  
    RadioactiveSmurf (profile), Jul 8th, 2014 @ 9:26am

    Give them a break. They changed the username and password from the default

    Name: admin
    Password: admin

    to the much more secure

    Name: LAPD
    Password: LAPD

  2.  
    Michael, Jul 8th, 2014 @ 10:05am

    Login: GUEST

  3.  
    S. T. Stone, Jul 8th, 2014 @ 10:10am

    Maybe we can sneak the Master Control Unit into the LAPD system and just let it run amok.

    Couldn't be any worse, right?

  4.  
    Anonymous Coward, Jul 8th, 2014 @ 10:10am

    So change it again.

    Try "1234".

  5.  
    Michael, Jul 8th, 2014 @ 10:14am

    Let's be very clear here.

    For the training password for their COMS system, they have the user id: "training" and the password "comsstudent".

    I think the most important question we need to ask is: Why the f*** did you need to write that down on the whiteboard? LAPD officers can't remember that if you tell them?

  6.  
    Vidiot (profile), Jul 8th, 2014 @ 10:17am

    Not that this mitigates blame, but... I have no doubt that someone... a line producer or video editor... spotted this chestnut and allowed it to remain. Prevailing attitude: "Not my job to blur it, unless you ask me specifically."

  7.  
    Trevor, Jul 8th, 2014 @ 10:22am

    Luggage

    [King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    ...

    President Skroob: Did it work? Where's the king?
    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
    Colonel Sandurz: 1-2-3-4-5
    President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.
    Dark Helmet, Colonel Sandurz: [looks at each other]

  8.  
    Anonymous Coward, Jul 8th, 2014 @ 10:27am

    Training person is a moron too

    Who writes "Cdrive/programfiles/" when describing file locations... extremely non-technical people.

    Furthermore, who uses "carriage return" to describe hitting the enter key these days?

    This training session was clearly designed for morons by morons.

  9.  
    Anonymous Coward, Jul 8th, 2014 @ 10:30am

    Re: Training person is a moron too

    OK, I take back the carriage return part. Looking more closely, I see they're using an escape sequence &??newline& to represent the CR in an expression (can't read the ?? part).

  10.  
    Mason Wheeler (profile), Jul 8th, 2014 @ 10:30am

    Re:

    I don't know about the LAPD specifically, but a lot of police departments have an official policy of not hiring very intelligent officers (as in literally if you score above a certain amount on an IQ test--and sometimes the cutoff is below 100--you don't get the job) because smart people might end up doing something dangerous like thinking for themselves rather than following orders.

  11.  
    Michael, Jul 8th, 2014 @ 10:34am

    Re: Re:

    I know.

    The latest excuse I heard was that people with higher IQs tend to quit the job after shorter periods of time. Talk about misidentifying a symptom as the problem.

  12.  
    Berenerd (profile), Jul 8th, 2014 @ 10:44am

    Re: So change it again.

    That is the same password I have on my luggage!

  13.  
    Berenerd (profile), Jul 8th, 2014 @ 10:47am

    Re: Training person is a moron too

    Obviously you have not taken many Microsoft or Cisco training classes over the years

  14.  
    Berenerd (profile), Jul 8th, 2014 @ 10:51am

    Lets be fair...

    They are cops, not IT security gurus. I mean, I had a job working with a branch of the state police where the shift head told me, after being reported for the fifth time for setting up his laptop to automatically log him in (getting around the Windows policies, because we had to give him admin access), that people who are going to break into his car will most likely steal the shotgun that is bolted and locked into the floor rather than the laptop sitting on the front seat, booted up and running.

    Yeah...that happened. Another one also wanted me to sign a contract that I wouldn't steal any of his pirated software.

  15.  
    Matt Goff (profile), Jul 8th, 2014 @ 11:06am

    Don't Cheapen Real Security Screw-ups

    Who cares? I have run IT training many times where I put the shared login up on a whiteboard. It's pretty standard practice to have an isolated training instance and to load dummy data so you don't have to worry about specific user rights.

    Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.

  16.  
    PRMan, Jul 8th, 2014 @ 11:09am

    Re:

    This is clearly a classroom setting. It's a non-story from a security standpoint. But from a 4th Amendment standpoint it still is.

  17.  
    Michael, Jul 8th, 2014 @ 11:16am

    Re: Re:

    It's a non-story from a security standpoint

    Given their lack of technical savvy, why do you assume their training environment does not contain actual information? I have seen plenty of data breaches that involved training and testing environments that were simply subsets of production databases.

  18.  
    Michael, Jul 8th, 2014 @ 11:20am

    Re: Don't Cheapen Real Security Screw-ups

    First, why do you assume that their training environment is all dummy data?

    Second, assuming that a bad security practice is acceptable because you engage in it takes a special kind of narcissism.

  19.  
    Matt Goff (profile), Jul 8th, 2014 @ 11:51am

    Re: Re: Don't Cheapen Real Security Screw-ups

    Michael, name calling isn't very productive. It's an easy thing to do while cloaked in the anonymity of the internet (and while disregarding Techdirt's request to use your real name), but I wonder if you would speak to someone like that in person.

    Back to the LAPD: Why do you assume it isn't dummy data? In addition to leading classes, I have also attended dozens, and NEVER ONCE has the training system had real data. We don't even use real data in our dev environments; only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.

  20.  
    John Fenderson (profile), Jul 8th, 2014 @ 11:55am

    Re: Re:

    "It's a non-story from a security standpoint."

    Not true. There are two fairly major security issues here. First, "training systems" and "production systems" are frequently the exact same system, but with special accounts used for training purposes. Having a login to a training account makes it easier to obtain logins to production accounts or to the database itself.

    Second, and more worrying, it exhibits a cavalier attitude to security that more than likely permeates the entire organization. Security conscious people do not relax their standards because "training". Security is a matter of overall habit, not something that is conditionally applied.

  21.  
    Michael, Jul 8th, 2014 @ 12:05pm

    Re: Re: Re: Don't Cheapen Real Security Screw-ups

    First, my name is actually Michael.

    Second, I was not name calling. Bad security practice is bad security practice. Writing down a username and password combination is simply bad practice - it is insecure. It is particularly insecure to do it somewhere that a CNN camera is going to be. Using the rationale that you have done it as evidence that it is OK is narcissistic.

    As far as the dummy data? I am glad to hear you have only worked in environments in which training data is not at least partially actual data. It is also absolutely bad practice. I can let you know that after working in the legal and IT departments of software companies, major multi-media companies, health care companies, government contractors, and a state motor vehicle department, the only place I have seen this ALWAYS followed is at a couple of software companies.

    If you live in the United States, I can almost guarantee that you have personal information stored in training and test environments.

  22.  
    Anonymous Coward, Jul 8th, 2014 @ 12:08pm

    your data is safe

    No one got unauthorised access to our database
    Right, they got a valid username and password so they are authorised

  23.  
    That One Guy (profile), Jul 8th, 2014 @ 12:25pm

    Re: Re: Re:

    Actually I could totally believe that. Much like Mason notes above, the smart ones are likely to actually think about what they're being asked/ordered to do, and assuming they're not sadists and/or sociopaths, that is likely to lead to them quitting (since reporting corrupt cops to corrupt cops isn't likely to help, and they'd know it).

  24.  
    Matt Goff (profile), Jul 8th, 2014 @ 12:33pm

    Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

    First, in my opinion you're not in keeping with the spirit of the "real name" request (and, in my opinion, you know this).

    Second, you called me "a special kind of narcissist." Technically you only implied it, I suppose.

    Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there's no reason to worry about training credentials being revealed.

    Really, what's the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it's in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).

  25.  
    John Fenderson (profile), Jul 8th, 2014 @ 12:33pm

    Re: Re: Re: Don't Cheapen Real Security Screw-ups

    I don't see where he engaged in name-calling.

    "It's an easy thing to do while cloaked in the anonymity of the internet"

    If the internet has shown us anything, it's that it's equally easy to do when you are using your real name. Anonymity doesn't enter into it.

  26.  
    Anonymous Coward, Jul 8th, 2014 @ 2:44pm

    Re: Re:

    Yep, saw a documentary about a guy who wanted to be a cop and both his town and state refused him for being too smart, that he would get bored.

    Thankfully in my Canadian province, cops need to take 3 years of college before even hitting the academy (they even have to take Calc I), and even then it doesn't mean they'll become a cop. 3/4 of them end up in private security (they can't have guns here).

    Only problem is we have an overload of private security these days, the other day I saw this obviously roid'd agent with an all black suit with SECURITY in what must have been 64 inches font in white in the back IN A SUPERMARKET.

  27.  
    Anonymous Coward, Jul 8th, 2014 @ 4:05pm

    Re:

    Maybe someone in management told him that he wasn't paid to think and he gave them what they wanted?

  28.  
    Anonymous Coward, Jul 8th, 2014 @ 6:51pm

    Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

    ... anonymity...

    Yo! FENDERSON!!

    Where does Techdirt have a "'real name' request" or "request to use your real name" ? Is there something like that in the account signup process? 'Cause I've never seen that--otoh, I've never bothered to get an account here, either.

    If there actually was some kind of "real name policy" here, I think I might be philosophically opposed. Further, I kinda, sorta, just suspect Masnick might be philosophically opposed, too.

  29.  
    slander (profile), Jul 8th, 2014 @ 7:14pm

    Re:

    No way... it can't be. Jesus Christ, that is just Babytown frolics.

  30.  
    Jane, Jul 8th, 2014 @ 7:55pm

    Re: Re: Re: Don't Cheapen Real Security Screw-ups

    I agree. Not once have I been in a training class with 'real' data. This isn't that awesome of a story.

  31.  
    orbitalinsertion (profile), Jul 8th, 2014 @ 8:31pm

    You don't show login credentials, regardless of whether they are for practice and in a supposedly isolated training environment. First off, you are now training people wrong; second, never assume that an "isolated environment" is as isolated as your wishful thinking would have it.

    But what i find is more important is the passwords mentioned at the bottom of the article. Not only do they suck, but this is a shared login? No way to track who did what and when. Utter and complete bullshit. Probably by design.

    And they aren't IT gurus? They don't have to be, they just need to be reasonably educated users, but that is too hard for them, and apparently their apologists. But let's roll with the "not IT gurus": How the hell can you reasonably expect them to do anything legally or in the proper fashion while they are pursuing their favorite new bugaboo, "cyber"crime?

    Look, if the cops aren't good at what they are doing, you don't defend them, you replace them, if they refuse to be educated. They'll nail you for any ridiculous (even perceived or made up) infraction if they don't like the way you look. But rules or sensible behavior for cops? Oh my, no.

  32.  
    jsf (profile), Jul 9th, 2014 @ 7:30am

    Re: Re: Re: Don't Cheapen Real Security Screw-ups

    The only time I have seen training systems that used dummy data was third party training. Every internal training system I have seen has always been a full or partial clone of a production system. In fact the training system is almost never a separate system just for training. Usually it is a test or development environment. Hell, I have even seen training done on a production system.

    Sure, best practice would be to have a separate training system with dummy data, but most of the world doesn't work that way because management just sees it as an extra unnecessary cost. Much like electronic/software security in general.

  33.  
    John Fenderson (profile), Jul 9th, 2014 @ 8:26am

    Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

    Huh? What does Techdirt's policies have to do with anything? I was talking about the notion that making people use their real names (which is impossible to do anyway) will stop them from being assholes. It doesn't.

  34.  
    Ed, Jul 9th, 2014 @ 9:57am

    Re: Re:

    "...but a lot of police departments have an official policy of not hiring very intelligent officers."


    Yep, it's true. Tested for LASD, scored very high, like top 1%, background in network security, university degree. Denied.

    Just saying...

  35.  
    Anonymous Coward, Jul 9th, 2014 @ 11:13am

    Maybe the first thing he should have taught them is how to create a secure password/login. It makes sense from a training standpoint to teach the new guys, who may not be tech savvy, how to create a better, more secure password. Just my opinion, but leading and training by example and teaching good habits would be a better alternative, dummy data or not.

  36.  
    Michael, Jul 9th, 2014 @ 12:07pm

    Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

    I can assure you.
    I am an asshole in person too.

  37.  
    Anonymous Coward, Jul 9th, 2014 @ 12:50pm

    Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

    What does Techdirt's policies have to do with anything?

    Did you actually read the comments of the person, this soi-disant "Matt Goff", to whom you were replying? (He made these weird claims.)

    Or is actually reading comments too much like actually reading court opinions?

  38.  
    Anonymous Coward, Jul 9th, 2014 @ 10:36pm

    Re:

    Or maybe the Central Scrutinizer?

  39.  
    Ninja (profile), Jul 10th, 2014 @ 5:03am

    My cat provides better passwords than that. Seriously LAPD?

