SF Reveals Usernames And Password To City Network In Accidental Effort To Prove Terry Childs' Case For Him

from the that-would-be-an-oops dept

Fri, Jul 25th 2008 6:32pm — Mike Masnick

In the ongoing lawsuit against the disgruntled city of San Francisco tech worker, Terry Childs, who held the city's network somewhat hostage for a few days (before finally coughing up the admin password to Mayor Newsom), the San Francisco DA has now entered into evidence approximately 150 usernames and passwords of individuals who log into the city's network via a VPN from home. City officials don't seem too concerned that they're revealing the usernames and passwords, even though that would appear to be a huge security violation.

From the description, it sounds like the system uses two-factor authentication, so beyond username and password, users also have to enter in a second code (perhaps provided by an RSA key or something like that). However, that still doesn't mean that revealing the usernames and passwords was smart. It's still a tremendous security violation. It's hard to see why they couldn't have submitted that as evidence that needed to be kept secret, given the nature of it. Also, it would seem that revealing all this info actually does much more to help Childs' case: he claims he was keeping the admin password secret because city officials weren't very good with security, and would have compromised the system. And, indeed, it appears that's what they've now done.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: passwords, san francisco, terry childs

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

GeneralEmergency (profile), 25 Jul 2008 @ 7:25pm

Ahh Mike....
What's it like to have a job where, every damn day you get to Bitch Slap the Stupid into next week?

Seriously. We all want to know.
[ link to this | view in chronology ]
Dimitri, 25 Jul 2008 @ 8:11pm

Well...
I believe I read in another article that these plaintext passwords were found on Terry Child's computer after it was confiscated. But, while he may have opened the door, they have definitely walked through it.
[ link to this | view in chronology ]
wasnt me, 25 Jul 2008 @ 9:50pm

this is starting to look like one of those RIAA cases.

here is more info from CW http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758
[ link to this | view in chronology ]
bobbknight, 25 Jul 2008 @ 11:29pm

It Would Be Hard
I would find it very hard to convict Terry Childs of any crime or of any civil suit at this point.
[ link to this | view in chronology ]
John, 26 Jul 2008 @ 6:31am

Typical managerial style behaviour!
Hi, I had to laugh at this one, in fact tears are streaming down my face as I write.
These fools who run companies, or work as civil servants, are generally introverted humourless idiots who are dedicated only to perpetuating their own systems. There is little commonsense, and almost zero inspirational or creative thinking.
I cannot for the life of me imagine why passwords etc would be revealed publicly for any case, let alone one where the accused is being 'nailed' for a similar act.
Like bobbknight says, it might have just blown the prosecutions case by proving how unimportant security is. I bet the defence lawyer got a good laugh out of it.
[ link to this | view in chronology ]
R3d Jack, 26 Jul 2008 @ 9:57am

Let's start a pool...
Whoever comes closest to the guessing the number of those 150 users who bothered to *change* their passwords within 24 hours after they were revealed wins. I'm taking 3. Or maybe the DA got an injunction prohibiting them from changing their passwords until after the trial?
[ link to this | view in chronology ]
Nick (profile), 26 Jul 2008 @ 12:04pm

This reminds me of the the scene in Ghostbusters where the EPA guy shuts off the power (not understanding the consequences) and release the ghost.
[ link to this | view in chronology ]
Chuck, 26 Jul 2008 @ 12:44pm

Let's hope that before the information was released the city administrators had stopped the VPN and then made each and every person who needed a password to physically come to the office get a new username and password, plus justify the VPN use from home.

My two cents worth
[ link to this | view in chronology ]
Carl, 26 Jul 2008 @ 2:12pm

Another witch hunt by the locals....
At some point someone in this case is going to have to wake up and smell the coffee. The type of systems, networks and infrastructure that this admin was responsible for are no different than any other large company or city's/municipality's networks anywhere else. They are very complicated requiring specialized knowledge, experience, and skill.

So what do we have here, after much personal investigation into the matter this is what I find...

The admin established security protocol and everything was fine - until users started to bark. The real problem here is control, who has it and who feels a lack thereof. This is a common problem in the IT work environment and this case may help to bring the problem into focus a bit. The problem of non-technical employees requesting/demanding access to resources that they do not currently have or need. This is by design and is the way things should be. The ultimate IT sin? Providing the Administrator's Username & Password to ANY unauthorized person - even if that means law enforcement.

Security policy is established early on and is adhered to strictly - no exceptions. A title does not automatically grant security clearance to anyone in any environment. This is important stuff because we are not talking about mom's recipe or your girlfriend's diary. We are talking about highly secure, private and often sensitive data that is not meant to be seen by just anyone. These systems are no different in relation to this argument than highly secured (one should hope) government and Department of Defense networks. They deserve the same treatment and respect thereof; a strict and enforced security policy. The administrator, or individual(s) in charge of that system should also be afforded the respect of the users to lay off the "entitled" BS.

Administrators are unsung heroes tasked, on a day-to-day basis, to keep businesses running smoothly; protecting them from constant dangers and multi-tasking in ways that most people don't or won't acknowledge. Admins often have to perform "magic" to comply with very often unrealistic and down-right ridiculous requests from users, managers and most off all...CEO's and presidents.

Every bit of work that is performed anywhere in the world by admins and support technicians takes planning, engineering, development and testing to get right. It doesn't happen in days but more often weeks and months. That is the nature of IT work - plain and simple.

It does not surprise me then to read that this admin was determined to prevent "lamens," or users, from potentially compromising any of the systems he was responsible for maintaining. Especially when it is government employees he is dealing with!

Take a moment to reflect: Think of what would happen to the economic world if all of the Administrators (read: people who know what they are doing) in the world Unionized! Think about it. Cases like these are the kind that spur workers into forming unions that can protect them and stand up to the unrealistic demands society often places on its workers - especially the societal "infrastructure" workers such as this admin.

People like this defendant wear 17 hats a day to most peoples' one or two. They are expected to perform miracles that even Scotty would be hard pressed to pull off.
As an IT Director for a company that provides small to large businesses end-to-end network, user and systems support solutions (read:contracted IT Administration), I am deeply disturbed by the lack of reason and logic taking place in this case.

This was a very funny development yes - and every bit ironic. It is also a very sad statement concerning the "lamen's" place in the technical world.

There are reasons why Administrators do the things they do; why they seem "arrogant", "power-mad", even belligerent at times. It is because they know what they are doing....the rest do not. Don't take it personally - it is what it is.

The fact that this solitary individual holds the keys to the kingdom, however, is rather unsettling to me. That is a simple management issue though and should have been handled internally - nothing to make a case over.

Ultimately a multi-tiered system of administrators and key holders is the industry accepted and standard method of maintaining unbiased, secure and intelligent control of a network or system. As far as control goes - it sounds to me like a lot of people working within the network are just a little too upset about some "geek" having more influence, power and control over the city than they do. This is as it should be where IT systems are concerned. Let the professionals do their jobs. I can only assume the defendant holds the Administrator position because he earned it and knows what he is doing - which is a lot more than any of the users of that network can say I would bet.

I certainly would not higher a cop to do this Administrator's job anymore than I would higher a chemist to patrol our streets.

We are talking about our government though so it is not surprising to see these developments in this case. Suffice it to say, IT technicians, PC support persons, engineers, network admins, programmers, etc....have very difficult jobs to do. By many estimates and statistics that are publicly available, these are some of the most demanding and stressful jobs on the planet. I salute the defendant and wish him luck. Indeed, I fear the outcome of this case as anything other than complete exoneration would set a very dangerous precedent.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Jul 2008 @ 10:42pm
  
  Re: Another witch hunt by the locals....
  Very well put, though stuff like "I certainly would not higher a cop to do this Administrator's job anymore than I would higher a chemist to patrol our streets" really messes up your delivery.
  [ link to this | view in chronology ]
- Liquid, 28 Jul 2008 @ 5:56am
  
  Re: Another witch hunt by the locals....
  Very well put Carl. You are very right. The average user (i.e. lamens) does not understand what we in the IT profession have to deal with on a day to day basis. The choices that we make are what makes or breaks our career with a company(s). The demands put on us by the users, and the people in management are really strenuous. When something goes wrong it doesn't matter who asked for it or demanded it we are always the ones to blame. The users automatically assume that the network will be there, and that they can do what ever they want on it just like at home.
  
  Your point on IT Union(s) is a good one as long as it is understood that you must maintain a certain level of knowledge. You must also continue learning, because lets face it once you get to a point in your career you stop paying attention to certain things that you don't deem important to your job function, and just leave it up to either the new generation of IT Pro's or the people that follow certain things. If there isn't any standards set in place for something of this nature then you will have sub-par IT Managers, Admins, and Techs out there that do not understand new technology as it comes out.
  [ link to this | view in chronology ]
Howard_NYC, 26 Jul 2008 @ 3:37pm

MBAs know best...
beancounters pick up an MBA, get their CPA, and suddenyl understand all, know all, and best of all, can browbeat everyone into surrendering safety margin... rember the power outage...? 60 million people in the dark?

site: nameless corporation

before: three flashlights, three sets of overage batteries

during: cigarette lighters -- my buddy described it as a flashback to a Pink Floyd concert -- as well laptops carried around for illumination...

after: three flashlights and no batteries

IT-nerd: we need new batteries for the flashlights... we need more flashlights...

beancounter: just make due... how often does the Eastern Seaboard get blacked out?

*S*I*G*H*
[ link to this | view in chronology ]
Anonymous Coward, 26 Jul 2008 @ 9:47pm

Re: good movie
Moron! Do you think *anyone* reading this blog wants. or needs, to pay for movies on the internet. Get a clue, doofus.
[ link to this | view in chronology ]
Anonymous Coward, 27 Jul 2008 @ 8:18am

How many of the outed users have been using the same password and/or username for their email, banking, etc. as the city VPN? It's likely more than half, so all you city workers out there change them all and send a nice letter to the DA (Dumb Arse?) expressing concern over the lackadaisical and irresponsible handling of user data.
[ link to this | view in chronology ]
- Liquid, 28 Jul 2008 @ 6:03am
  
  Re:
  You would think that they would have a security policy in place that would limit the time, and use of password. The better question would be how well trained are the users on security. How many of them have their passwords on a sticky note taped to their monitor or hidden under their keyboard? It doesn't matter at that point of someone gives out that users password, because they all ready have by doing either one of those things. Also another question would what kind of passwords are they using?
  [ link to this | view in chronology ]
Anonymous Coward, 27 Jul 2008 @ 10:01am

blogspam
What's up with the spam.
[ link to this | view in chronology ]
Anonymous Coward, 27 Jul 2008 @ 8:46pm

outside
The question for me is how many of those users are also using the same password for all of their personal accounts outside of work. They probably just made 150 people excellent targets for identity theft.
[ link to this | view in chronology ]
Nick (profile), 29 Jul 2008 @ 9:01am

Putt's Law: Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand.
http://en.wikipedia.org/wiki/Archibald_Putt
[ link to this | view in chronology ]
Jeana Pieralde, 14 Aug 2008 @ 6:27pm

Terry was the VPN administrator.
It should probably be mentioned in this thread that the passwords which were found on Terry Childs' computer and which the assistant district attorney made public were for VPN access. Terry Childs was the administrator of the MPLS VPN WAN. It was his job to manage the VPN, including creating the access keys. No surprise that he had the passwords and in no way is it evidence of a crime.
[ link to this | view in chronology ]
peymanpich, 11 Jan 2009 @ 5:06pm

free vpn
lol
[ link to this | view in chronology ]