SF Reveals Usernames And Password To City Network In Accidental Effort To Prove Terry Childs' Case For Him
from the that-would-be-an-oops dept
In the ongoing lawsuit against the disgruntled city of San Francisco tech worker, Terry Childs, who held the city's network somewhat hostage for a few days (before finally coughing up the admin password to Mayor Newsom), the San Francisco DA has now entered into evidence approximately 150 usernames and passwords of individuals who log into the city's network via a VPN from home. City officials don't seem too concerned that they're revealing the usernames and passwords, even though that would appear to be a huge security violation.From the description, it sounds like the system uses two-factor authentication, so beyond username and password, users also have to enter in a second code (perhaps provided by an RSA key or something like that). However, that still doesn't mean that revealing the usernames and passwords was smart. It's still a tremendous security violation. It's hard to see why they couldn't have submitted that as evidence that needed to be kept secret, given the nature of it. Also, it would seem that revealing all this info actually does much more to help Childs' case: he claims he was keeping the admin password secret because city officials weren't very good with security, and would have compromised the system. And, indeed, it appears that's what they've now done.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: passwords, san francisco, terry childs
Reader Comments
Subscribe: RSS
View by: Time | Thread
Ahh Mike....
Seriously. We all want to know.
[ link to this | view in thread ]
Well...
[ link to this | view in thread ]
here is more info from CW http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758
[ link to this | view in thread ]
It Would Be Hard
[ link to this | view in thread ]
Typical managerial style behaviour!
These fools who run companies, or work as civil servants, are generally introverted humourless idiots who are dedicated only to perpetuating their own systems. There is little commonsense, and almost zero inspirational or creative thinking.
I cannot for the life of me imagine why passwords etc would be revealed publicly for any case, let alone one where the accused is being 'nailed' for a similar act.
Like bobbknight says, it might have just blown the prosecutions case by proving how unimportant security is. I bet the defence lawyer got a good laugh out of it.
[ link to this | view in thread ]
Let's start a pool...
[ link to this | view in thread ]
[ link to this | view in thread ]
My two cents worth
[ link to this | view in thread ]
Another witch hunt by the locals....
So what do we have here, after much personal investigation into the matter this is what I find...
The admin established security protocol and everything was fine - until users started to bark. The real problem here is control, who has it and who feels a lack thereof. This is a common problem in the IT work environment and this case may help to bring the problem into focus a bit. The problem of non-technical employees requesting/demanding access to resources that they do not currently have or need. This is by design and is the way things should be. The ultimate IT sin? Providing the Administrator's Username & Password to ANY unauthorized person - even if that means law enforcement.
Security policy is established early on and is adhered to strictly - no exceptions. A title does not automatically grant security clearance to anyone in any environment. This is important stuff because we are not talking about mom's recipe or your girlfriend's diary. We are talking about highly secure, private and often sensitive data that is not meant to be seen by just anyone. These systems are no different in relation to this argument than highly secured (one should hope) government and Department of Defense networks. They deserve the same treatment and respect thereof; a strict and enforced security policy. The administrator, or individual(s) in charge of that system should also be afforded the respect of the users to lay off the "entitled" BS.
Administrators are unsung heroes tasked, on a day-to-day basis, to keep businesses running smoothly; protecting them from constant dangers and multi-tasking in ways that most people don't or won't acknowledge. Admins often have to perform "magic" to comply with very often unrealistic and down-right ridiculous requests from users, managers and most off all...CEO's and presidents.
Every bit of work that is performed anywhere in the world by admins and support technicians takes planning, engineering, development and testing to get right. It doesn't happen in days but more often weeks and months. That is the nature of IT work - plain and simple.
It does not surprise me then to read that this admin was determined to prevent "lamens," or users, from potentially compromising any of the systems he was responsible for maintaining. Especially when it is government employees he is dealing with!
Take a moment to reflect: Think of what would happen to the economic world if all of the Administrators (read: people who know what they are doing) in the world Unionized! Think about it. Cases like these are the kind that spur workers into forming unions that can protect them and stand up to the unrealistic demands society often places on its workers - especially the societal "infrastructure" workers such as this admin.
People like this defendant wear 17 hats a day to most peoples' one or two. They are expected to perform miracles that even Scotty would be hard pressed to pull off.
As an IT Director for a company that provides small to large businesses end-to-end network, user and systems support solutions (read:contracted IT Administration), I am deeply disturbed by the lack of reason and logic taking place in this case.
This was a very funny development yes - and every bit ironic. It is also a very sad statement concerning the "lamen's" place in the technical world.
There are reasons why Administrators do the things they do; why they seem "arrogant", "power-mad", even belligerent at times. It is because they know what they are doing....the rest do not. Don't take it personally - it is what it is.
The fact that this solitary individual holds the keys to the kingdom, however, is rather unsettling to me. That is a simple management issue though and should have been handled internally - nothing to make a case over.
Ultimately a multi-tiered system of administrators and key holders is the industry accepted and standard method of maintaining unbiased, secure and intelligent control of a network or system. As far as control goes - it sounds to me like a lot of people working within the network are just a little too upset about some "geek" having more influence, power and control over the city than they do. This is as it should be where IT systems are concerned. Let the professionals do their jobs. I can only assume the defendant holds the Administrator position because he earned it and knows what he is doing - which is a lot more than any of the users of that network can say I would bet.
I certainly would not higher a cop to do this Administrator's job anymore than I would higher a chemist to patrol our streets.
We are talking about our government though so it is not surprising to see these developments in this case. Suffice it to say, IT technicians, PC support persons, engineers, network admins, programmers, etc....have very difficult jobs to do. By many estimates and statistics that are publicly available, these are some of the most demanding and stressful jobs on the planet. I salute the defendant and wish him luck. Indeed, I fear the outcome of this case as anything other than complete exoneration would set a very dangerous precedent.
[ link to this | view in thread ]
MBAs know best...
site: nameless corporation
before: three flashlights, three sets of overage batteries
during: cigarette lighters -- my buddy described it as a flashback to a Pink Floyd concert -- as well laptops carried around for illumination...
after: three flashlights and no batteries
IT-nerd: we need new batteries for the flashlights... we need more flashlights...
beancounter: just make due... how often does the Eastern Seaboard get blacked out?
*S*I*G*H*
[ link to this | view in thread ]
Re: good movie
[ link to this | view in thread ]
[ link to this | view in thread ]
blogspam
[ link to this | view in thread ]
outside
[ link to this | view in thread ]
Re: Another witch hunt by the locals....
[ link to this | view in thread ]
Re: Another witch hunt by the locals....
Your point on IT Union(s) is a good one as long as it is understood that you must maintain a certain level of knowledge. You must also continue learning, because lets face it once you get to a point in your career you stop paying attention to certain things that you don't deem important to your job function, and just leave it up to either the new generation of IT Pro's or the people that follow certain things. If there isn't any standards set in place for something of this nature then you will have sub-par IT Managers, Admins, and Techs out there that do not understand new technology as it comes out.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
http://en.wikipedia.org/wiki/Archibald_Putt
[ link to this | view in thread ]
Terry was the VPN administrator.
[ link to this | view in thread ]
free vpn
[ link to this | view in thread ]