Slashdot Log In
San Francisco DA Discloses City's Passwords
Posted by
Soulskill
on Fri Jul 25, 2008 05:59 PM
from the you-sure-showed-him dept.
from the you-sure-showed-him dept.
snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"
Related Stories
[+]
News: The Inside Story On the San Francisco Network Hijacking 471 comments
snydeq writes "A source with direct knowledge of San Francisco's IT infrastructure has tipped off Paul Venezia to the real story behind Terry Childs' lockout of San Francisco's network, providing a detailed account of the city's FiberWAN, interdepartmental politics, and Terry Childs himself. Childs pleaded not guilty to charges of tampering yesterday and is being held on $5 million bail. According to the source, Childs' purview was limited to the city's FiberWAN — a network he himself built and, believing no one competent enough to touch the network but himself, guarded religiously, sharing details with no one, including routing configuration and log-in information. Childs was so concerned about the network's security that he refused even to write router and switch configurations to flash. But what may prove difficult for the prosecution in its case against Childs is that his restricted access to the network was widely known and accepted among managers and the city's other network engineers. Venezia, who has been suspicious of the official story from the start, suspects that the Childs case may be that 'of an overprotective admin who believed he was protecting the network — and by extension, the city — from other administrators whom he considered inferior, and perhaps even dangerous.' Further evidence is that fact that the network, from what Venezia understands, has been running smoothly since Childs' arrest."
[+]
IT: SF Admin Gives Up Keys To Hijacked City Network 581 comments
snydeq writes "Jailed IT admin Terry Childs relinquished his hold over San Francisco's multimillion-dollar FiberWAN, handing his administrative passwords over to San Francisco Mayor Gavin Newsom, who was 'the only person he felt he could trust.' Childs is still being held on $5 million bail for his lockout of the city's FiberWAN, a case that has been called into question since an insider came forward with details about both the network and Childs himself. The case hinges on No Service Password Recovery commands Childs allegedly configured onto several Cisco devices, as well as dial-up and DSL modems the SFPD has discovered that would allow unauthorized connections to the FiberWAN. Childs intends to 'expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,' according to his motion. The Department of Telecom and IS has cut 200 of its 350 IT positions since 2000 — pressure that may have contributed to Childs' actions, according to interviews with current and former DTIS staffers. Newsom secured the passwords without first telling the DTIS that he was meeting with Childs."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Ah HA! (Score:5, Insightful)
Re:Ah HA! (Score:5, Interesting)
Why did the DA even have access to these passwords? Why were they not in hash form? Did Child's have anything to do with that part?
Parent
Re:Ah HA! (Score:5, Insightful)
My first thought. Whenever a password is stored in a form that it could be retrieved (rather than only reset), the users should be notified beforehand, otherwise it's just unethical IMO...not to mention the security issues.
Parent
Re:Ah HA! (Score:5, Insightful)
There are NO circumstances under which one user should possess another user's password; not even an Administrator. The only exception to this rule ever allowed is when the account is first created: when a one-time use password is assigned by the Administrator; however, in a world-class IT infrastructure (such as an enterprise like the city of SF can afford to implement) an application creates and assigns a random password and then communicates it to the user via secure means (with no person seeing or having access to that password).
Parent
Re:Ah HA! (Score:4, Informative)
Your comment is true, and so few IT organizations actually understand what you have said. However, these are "phase one" passwords. These particular passwords are the ones that allow a system to communicate with the network to even begin the process of authenticating a user. Any good admin must have these, as it is the admin that creates them and they cannot be changed after the fact. If you change one, you will have to go through and rebuild the certificate on the other device that is requesting access.
Interestingly, the DA is exposing the network even more than people know. Since this is essentially a defense in depth strategy, a lot of times the secondary password measures put in place (ie, authenticating the users) are weaker and more hackable. As admins know the first phase one measure is in place, the second one usually isn't as strong or monitored as well. After all, it isn't usually subject to brute force attacks.
Now San Fransisco's weakest and most sensitive set of passwords are subject to brute force attacks in a free-for-all on the internet. Since there are so many passwords published, quite possibly the attacks could be from multiple vectors to multiple edge devices. Seems the DA is either wildly incompetent (by virtue of not getting high end consulting advice on this subject) or has some legal reason to ensure the network is hacked. Either way, yikes.
Parent
RTFA (Score:5, Informative)
From the article:
So, in answer to your questions: probably because the police found them as a result of their investigation, because Childs allegedly kept them in plaintext, and yes, allegedly, Childs had plenty to do with it.
Do you have any other questions? Perhaps the article answers them.
Parent
Re:RTFA (Score:5, Interesting)
Do they even know what those "usernames" and "passwords" are for? Did they check any documentation or did they just assume that the list was a list of individual users and passwords that Childs could use to wreck havoc?
After reading the article, it seems like the list consists of Cisco VPN group names and pre-shared keys, not usernames and passwords. To someone who isn't familiar with the technology, it would look like a username and password, and I'm sure they are counting on the technological ignorance of the Judge and the general public to keep up this charade.
It will be interesting when this thing finally goes to trial. The city is probably going to end up eating its words.
Parent
Re:RTFA (Score:5, Insightful)
Parent
Re:RTFA (Score:4, Insightful)
Parent
DA is retarded (Score:4, Insightful)
Honestly the more I read about this the worse SF managers and the DA look. How dumb are they, I mean they are disproving their own case, if I were Childs' lawyer, I would ask this question to the DA in front of the jury "Just so I get this straight, because I am a simple man, you are telling us that this information was so confidential and put the city at so much risk that you publicized it yourself the same day that you made a statement about the dangers of Childs potentially releasing the information? Did you make sure the passwords and usernames were changed before doing so? Isn't it possible that the usernames alone being published could create a target point for hackers to work from? Allowing them to launch either DOS attacks if lockouts are set on thes accounts or to continually work on cracking passwords if no lockout is set? Do you even have the technical knowledge to understand the details of this case without you yourself putting the city at risk like you 'allege' my client has? If Childs put the city at risk by having it on his computer and deserves jail time, what punishment should you get for filing it into the court records? Didn't security concerns worry you? Where is the confirmation the passwords were updated or the account deactivated before you entered sensitive information with the court?"
This is out of a comic stripe, SF is run by idiots. Childs is not the problem it is those that let him control everything so long as he did their work for them. Those are the people who should be on trial. It is a retarded DA that is 1). Putting city systems are risk for a prosecution and 2). Given the defense more ammunition.
Parent
The reason for password disclosure (Score:5, Informative)
The username/password combos were apparently functioning sets. The DA is saying they found them on Child's own computer. The DA is all in a tizzy because Child's could then use these accounts to sneak into the system and cause mischief without getting tracked back.
Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?
Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.
Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.
Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.
Keep this up, and Nifong will have company in the 'worlds dumbest DA's club'
Parent
Re:The reason for password disclosure (Score:5, Insightful)
from TFA --
The username/password combos were apparently functioning sets. The DA is saying they found them on Child's own computer. The DA is all in a tizzy because Child's could then use these accounts to sneak into the system and cause mischief without getting tracked back.
Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?
Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.
They should have (but maybe do not) procedures for suspicious accounts. If they don't Childs should have created and documented one.
He's got accounts so he can log in with a lower level of access and see what's accessible
More reasonable, but 150 of them? That doesn't seem plausible.
These are usernames/password combos that he sniffed off the network, during routine security testing.
Possibly, but why did he need to keep a copy of the password file? If his goal was to uncover security vulnerabilities, it isn't necessary to keep the credentials uncovered.
These are people with accounts that have had some kind of trouble, and he's got them so he can attempt to diagnose problems linked to user level access.
It is not standard nor best practice to ask a user for their password, ever. If you need to access their account, you use admin privs to change their password, do whatever needs to be done, then ask the user to change it themselves when you no longer need access to their account.
It's a list of post-it pad's he's seen while walking around at work, and he'd been planning to inform the users to change their passwords.
You need the user's name for that. Not their login ID and password. Also, the number of passwords in the file makes this implausible.
They're the output list of a password security checker.
I think this one is redundant. While it is best practice to examine the security of your own network, it is not common nor reasonable to keep an archive of usernames/passwords uncovered.
Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.
Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.
Keep this up, and Nifong will have company in the 'worlds dumbest DA's club'
I think you should examine the well-documented, published, and logical security & administration best practices. Keeping a password list on a PC is a great way to compromise your network. If it turns out that these are, indeed, valid user security credentials, Childs doesn't appear to know the first thing about information security.
Parent
Re:The reason for password disclosure (Score:5, Insightful)
It is not standard nor best practice to ask a user for their password, ever. If you need to access their account, you use admin privs to change their password, do whatever needs to be done, then ask the user to change it themselves when you no longer need access to their account.
Actually that IS standard practice...but for desktop techs, not admins. I often have to admonish people for this, but it's quite a common practice to get the user's password so as to facilitate service. It certainly isn't a best practice, but it's a common one and in most cases it inconveniences the user far less.
Parent
Re:The reason for password disclosure (Score:5, Insightful)
Please, no biometrics. I can change my password/smart card/whatever else quite easily, but I can never change my iris or fingerprints or what have you.
Parent
Re:The reason for password disclosure (Score:4, Insightful)
7. Cisco PCF files w/ the group names, etc, filled in.
That's probably what this is, and the increasingly desperate prosecutor is trying to find things that can be used to dazzle the jury.
Parent
Dang! (Score:5, Insightful)
AH HA! See, Childs was right , he is the only competent one!
Dang! You beat me to posting about it.
Wasn't part of Childs' point that password security in the S.F. government was lax and that divulging the big one in a way that would spread it around was dangerous to the network?
Given that the configurations on the routers weren't saved, the first guy to use that password on them had better be DARNED careful to get them recorded before changing anything or he's likely to break the network big time. So handing it to an administrator, who will hand it to several people, any of whom might leak it, could cause the net to come crashing down.
If all they'll let him do for a handoff is hand off the passwords, I can see how a prima donna BOFH would want to hand the big one directly to his successor, who would then spend the next week carefully recording the configs as-running before making changes or sharing the password with less-skilled delegates.
Not that it's right. But looks to me like the city is making his point for him - which his lawyer should use in a counter-argument at the bail hearing. B-)
Parent
Re:Ah HA! (Score:4, Interesting)
"AH HA! See, Childs was right , he is the only competent one!"
from TFA: 'Some of the passwords would benefit from a change because they are identical to the VPN log-in name or extremely easy to guess.'
wow, bad passwords, no wonder the guy was worried, using dictionary words is like not having a password as far as hackers are concerned, same deal with identical user/pass combos. i realize they use a encrypted key along with the password, but still...
Parent
Re:Ah HA! (Score:5, Insightful)
Bad IT policy, or bad users? IT is sadly not as much a dictatorship as we'd like. If enough users whine, it ends up being policy that passwords get lax. These users "are too important to have to come up with complex passwords incorporating at least 3 different character types in 8 or more characters"
Make password policies too complex, users just write them down. Frying pan, fire...welcome to IT.
Parent
Re:Ah HA! (Score:5, Interesting)
If you have any other opinions you'd really like entered into the public record, have at it. I'd say there's a very good chance that this discussion will be entered as evidence by the defense.:)
If anyone is counting, add my vote for the VPN passwords' disclosure being hard evidence that the IT admin was perfectly correct.
That and the fact that the SF network stayed up while the world's hackers KNEW that the network was completely unsupervised.
Frankly, if I were looking to hire somebody, I'd be chipping into this guy's defense fund. Speaking as a real-world IT manager, I'd say this guys judgement is spot on, and his admin skills are amazing.
In my own humble opinion, then SF DA's office is full of idiots.
hanzie.
Parent
Re:Ah HA! (Score:5, Insightful)
Childs' defense attorney has got to be happy about this.
"Your Honor.. I would like to direct the Court's attention to Exhibit A; the mere existence of which proves our case..."
Parent
Suddenly Childs seems quite normal (Score:5, Funny)
Re:Suddenly Childs seems quite normal (Score:4, Insightful)
Sounds more like he should have gotten a reward or a medal or something. It's funny, but this is a case of a citizen protecting a government from itself, not the other way around.
Parent
Re:Suddenly Childs seems quite normal (Score:5, Insightful)
> ...he didn't really have the authority to do that...
You don't know what he did. You only know what the aforementioned "fuckwits" allege that he did.
Parent
Re:Suddenly Childs seems quite normal (Score:5, Insightful)
But his supervisors and everyone in his department knew he was the only one -the 'go to' guy- that really had the in-depth knowledge to figure out problems and make stuff work. If they let him do that without objection or questioning his reasons, they gave their tacit approval to allow him to operate in the fashion that he did.
Parent
Re:Suddenly Childs seems quite normal (Score:4, Insightful)
If this is the level of fuckwittage he had to deal with while in his job I'm not surprised he locked others out.
As you are well aware, bureaucracy is ruled mostly by idiots. They are put into places of power with the bureaucracy for precisely this reason. Their idiocy makes them less threatening. Once arriving there, being idiots, they are suspicious of anyone smarter. They especially do not like their own idiocy shoved in their face with the constant superior intellect of those who may happen to come along. Now these idiots can do stupid things, like enter passwords into public record or fire talented sys admins, but they will not get in trouble. Why? Because its better to do the wrong thing because you are stupid than it is to do the right thing that some idiot made against the rules one time.
Parent
IN A COURT EXHIBIT?!?!?!? (Score:3, Interesting)
I had my doubts at first, but this makes it abundantly clear that Childs was right . More right than any of us might have imagined when this spin-doctored story first came out.
In hindsight he took totally reasonable, prudent measures to protect incompetent city officials from themselves. Who knows how they got into that situation, but I won't blame him for anything in light of this, and I sincerely hope a jury wouldn't either.
He should first collect damages himself, and then initiate a class action suit against the city on behalf of all their residents. Maybe put the DA in jail for criminal negligence - in fact I'd venture a guess that he's mentally defective enough to file the charges himself.
The real question is... (Score:4, Funny)
Re: (Score:3, Interesting)
top 5 list (Score:3, Funny)
The top 5:
password
admin
root
guest
t3rrych1lds1337haxx0r
Being paranoid doesn't mean you're wrong (Score:5, Insightful)
Re:Being paranoid doesn't mean you're wrong (Score:4, Interesting)
I don't think anyone who has ever worked for the government, or even seen government in action doubted that Childs was right. I think that everyone was wondering why he'd sit in jail to bring to light something that's already obvious.
Parent
"Free Terry Childs" T-Shirts (Score:3, Interesting)
Re:"Free Terry Childs" T-Shirts (Score:4, Insightful)
Huh? What? It's not his network. He's not some kind of hero. Yeah, there are other idiots in the world, but seriously, anyone seeing Childs as some kind of champion of security is sadly, sorely mistaken.
what more proof do you need? this action demonstrates he was right. it's not "his" network but I'm pretty sure he was in charge of its security. he tried to keep it secure, for what are now obvious reasons, and he got thrown in jail for it.
Parent
There is bright future... (Score:3, Funny)
I can see that there is a bright future in the cluestick market...
I'd love to see the list... (Score:3, Insightful)
This is the tip of the iceberg (Score:5, Interesting)
This is unfortunately par for our fine DA. Kamala Harris has proven herself to be an incompetent tool more often that I'd like to hear.
She has angered many San Franciscans by refusing to prosecute violent criminals, and lately, found to have been lax towards the city's worst crime of the year...the murder of a father and his two sons in the Mission by a suspected illegal alien due to the city's stupid sanctuary law.
She should be dragged out, tarred, whipped and ejected from the city, never to return.
Another interesting thing came out in the filing. (Score:5, Insightful)
According TFA, the thing about his not saving the configs to flash is a CLAIM by the city, not something confirmed by Childs.
So how do they KNOW that, if they don't have the passwords? Did they try rebooting some network boxes and have them not come up? (If so, how is it that the net is still running...)
This is looking more and more like a pointy-haired-boss SNAFU than logic-bomb job-insurance/revenge sabotage.
Re:Another interesting thing came out in the filin (Score:5, Informative)
Not having the config in flash need not make the device a brick.
Parent
These are group passwords in IPSEC profiles (Score:5, Informative)
From the referenced article - "The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said. " 99% chance they are using some form of Cisco device as their VPN concentrator (most like a VPN3030, ASA or 7200 series router). If they are these passwords (one per group) are in what is called a pcf file in every employees computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location - C:\Program Files\Cisco Systems\VPN Client\Profiles . The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode [uni-kl.de]
The thing is, this group password's primary use is to segregate users into different buckets. E.G contractors may have on password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing, is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.
On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?
For everyone who thinks Childs was right (Score:5, Interesting)
Someone at the the DA's office is the incompetent person in this case, but that does not validate his locking out of everyone competent enough to take care of the system (the people that would have replaced him at the IT department.)
Re:For everyone who thinks Childs was right (Score:4, Insightful)
The fact that the passwords could be harvested in the first place is problematic. I'm a SysAdmin and I should never have access to anyone else's passwords.
Passwords should be encrypted and non-visible. This is standard practice.
Parent
His lawyer needs to jump on this (Score:4, Insightful)
"Your honor, my client did not feel comfortable giving sensitive system passwords to idiots. I'd like to enter prosecution's boneheaded public filing as Exhibit A."
Passwords can be TOO strong. (Score:5, Interesting)
He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"
A show of many hands.
He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."
"As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."
Parent
Re:An idiot playing a semantic game. (Score:5, Informative)
Parent
Re:An idiot playing a semantic game. (Score:4, Interesting)
I agree with the grandparent, he's just being an ass. ;-)
He's using the word "secure" in the original question in a very narrow way. Of course a password policy must be human-centric as well as containing enough randomness to not be brute forced or attacked easily through rainbow tables.
There's education in teaching users how to select strong and yet memorable passwords, and when it's OK to write them down at least partially in your wallet or strong encrypted password store.
He's being an ass because he's asking a complex question, then telling everyone they're wrong and giving a simple smug answer. You can be right and still be an ass.
An aside is the fact that we rely on passwords too much. Dual factor authentication for internal business use is relatively cheap and easy to set up in windows and linux for login, for ssh, etc. I'm genuinely surprised more people outside of the military don't use it.
Parent
Re:Then the users will change them right back (Score:5, Funny)
Parent
Re:Then the users will change them right back (Score:5, Funny)
It was perhaps the only time in my life I actually knew what it meant to "be at a loss for words"
I can believe it. I imagine I would have stared at him blankly for just long enough to realize he wasn't kidding before I had an aneurysm.
Parent
Re:Then the users will change them right back (Score:5, Interesting)
Are you sure this guy hadn't called support to have his password reset? Because "password" sounds like something they might reset it to, and unlikely for someone to forget.
Parent
Network not destroyed (Score:4, Insightful)
It'll be fun to see what happens, now that he's been removed from the loop.
Parent
Re:NEVERMIND! (Score:5, Interesting)
It's government. To think like government in implementing something like VPN you have to conceive a solution that involves the user not having to do anything (other than maybe push a button) and this includes anything other than a standard login box. Second you have to implement this in a way that the user themselves can go home and implement this solution without any site help from anyone and zero technical knowledge. (you don't send an IT person to a State Employees home, that's asking from some kind of lawsuit). Fourth the solution must be as expensive as possible, support some local business (preferable if the business owner is connected politically with one of the local leaders) and require very few extra hours from the already overworked staff.
What does that result in? Hardware VPN boxes plugged into the network router, with the users computer plugged directly into the VPN box. Costs a lot, requires pre-configuration of the box but should require no site visits, idiots can usually successfully plug in boxes with phone support only and any reconfiguration likey requires the box to be brought back into the office as the VPN keys on the boxes are likely hard coded into a configuration on the VPN device. Likely a turn key solution so you have a hefty support contract and the vendor would likely assist with deployment and any reconfiguration resulting in a nice contract fee for reprogramming all the boxes.
My guess is some VPN box provider is going to be doing a service call on every box and netting themselves some nice profit under their support agreement.
Parent