LAPD Exposes Login To Data Harvesting Software During Interview With CNN
from the as-secure-as-Darth-Helmet's-luggage dept
The Los Angeles Police Department has obtained tons of data over the past several years and that amount of data increases exponentially every year. In addition to its criminal databases, it also collects thousands of license plate time-and-location data points every day and has deployed other forms of surveillance (like Stingray devices), gathering even more data surreptitiously.
Of course, the LAPD feels it can be trusted with all of this data. It claims to have controls in place to prevent unauthorized access to information related to non-criminal Los Angeles citizens. Working with Palantir, the LAPD has instant access to a vast amount of gathered data -- a database so impressive it spent a bit of time bragging about it to a CNN reporter. (via Lowering the Bar)
The CNN video shows LAPD Sergeant Jason O'Brien using Palantir to search for data on a burglary suspect."After searching over a hundred million datapoints, Palantir displayed an impressive web of information," said CNN reporter Rachel Crane. Palantir's interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot). The video also shows Sergeant O'Brien accessing the LAPD's automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.With all this information come strict controls, or so the LAPD would like you to believe.
Captain Romero told CNN that the LAPD "cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing."And yet, during this same CNN taping, the LAPD shows just how careless it is about protecting data. Written on a whiteboard for anyone to see is the login and password to its CAMS (Computer Analysis Mapping System) training system.
While this may be training access only and wholly separated from the actual system and its hundreds of millions of datapoints, it's still not a good idea to leave logins and passwords publicly displayed. Sure, whoever wrote it probably thought no one but cops undergoing training would ever see it (along with the filepath to the CAMS data), but the person or persons OKing the interview should have made a sweep of anything the camera might see. It's simply lousy operational security and it's the sort of thing you never want to see an entity with access to "hundreds of millions of datapoints" do.
Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals [sic] back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still... [T]he whiteboard depicted in the CNN video casts doubt upon the LAPD's ability to keep its data private.Freedom du Jour points out that the LAPD's negligent attitude towards security has been encountered before. Documents acquired by the EFF and ACLU showed that officers were given the following name and password to log into their ALPR terminals.
Name: LAPDTwo years later, the LAPD decided the system might need a password.
Password: [blank]
Name: LAPDThese are the people who claim they can ensure hundreds of millions of datapoints won't be accessed without authorization, thanks to policies and strong statements given to credulous CNN reporters. But this shows that the LAPD's security measures border on nonexistent and its interest in protecting the data of Los Angeles citizens is minimal.
Password: LAPD
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cnn, lapd, los angeles police department, passwords, privacy, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Name: admin
Password: admin
to the much more secure
Name: LAPD
Password: LAPD
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Couldn't be any worse, right?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
So change it again.
[ link to this | view in chronology ]
Re: So change it again.
[ link to this | view in chronology ]
For the training password for their COMS system, they have the user id: "training" and the password "comsstudent".
I think the most important question we need to ask is: Why the f*** did you need to write that down on the whiteboard? LAPD officers can't remember that if you tell them?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The latest excuse I heard was that people with higher IQ's tend to quit the jobs after shorter periods of time. Talk about misidentifying a symptom as the problem.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Thankfully in my Canadian province, cops need to take 3 years of college before even hitting the academy (even have to take Calc I) and even then it doesn't mean they'll become a cop. 3/4 of them end up in private security(they can't have guns here).
Only problem is we have an overload of private security these days, the other day I saw this obviously roid'd agent with an all black suit with SECURITY in what must have been 64 inches font in white in the back IN A SUPERMARKET.
[ link to this | view in chronology ]
Re: Re:
Yep, its true. Tested for LASD, scored very high,like top 1%, background in network security, university degree. Denied.
Just saying...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Given their lack of technical savvy, why do you assume their training environment does not contain actual information? I have seen plenty of data breaches that involved training and testing environments that were simply subsets of production databases.
[ link to this | view in chronology ]
Re: Re:
Not true. There are two fairly major security issues here. First, "training systems" and "production systems" are frequently the exact same system, but with special accounts used for training purposes. Having a login to a training account makes it easier to to obtain logins to production accounts or to the database itself.
Second, and more worrying, it exhibits a cavalier attitude to security that more than likely permeates the entire organization. Security conscious people do not relax their standards because "training". Security is a matter of overall habit, not something that is conditionally applied.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Luggage
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
...
President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: [looks at each other]
[ link to this | view in chronology ]
Training person is a moron too
Furthermore, who uses "carriage return" to describe hitting the enter key these days?
This training session was clearly designed for morons by morons.
[ link to this | view in chronology ]
Re: Training person is a moron too
[ link to this | view in chronology ]
Re: Training person is a moron too
[ link to this | view in chronology ]
Lets be fair...
Yeah...that happened. Another one also wanted me to sign a contract that I wouldn't steal any of his pirated software.
[ link to this | view in chronology ]
Don't Cheapen Real Security Screw-ups
Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.
[ link to this | view in chronology ]
Re: Don't Cheapen Real Security Screw-ups
Second, assuming that a bad security practice is acceptable because you engage in it takes a special kind of narcissism.
[ link to this | view in chronology ]
Re: Re: Don't Cheapen Real Security Screw-ups
Back to the LAPD: Why do you assume it isn't dummy data? In addition to leading classes, I have also attended dozens and NEVER ONCE has the training system had real data. We don't even use real data in our dev environments-- only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.
[ link to this | view in chronology ]
Re: Re: Re: Don't Cheapen Real Security Screw-ups
Second, I was not name calling. Bad security practice is bad security practice. Writing down a username and password combination is simply bad practice - it is insecure. It is particularly insecure to do it somewhere that a CNN camera is going to be. Using the rational that you have done it as evidence that it is ok is narcissistic.
As far as the dummy data? I am glad to hear you have only worked in environments in which training data is not at least partially actual data. It is also absolutely bad practice. I can let you know that after working in the legal and IT departments of software companies, major multi-media companies, health care companies, government contractors, and a state motor vehicle department, the only place I have seen this ALWAYS followed is at a couple of software companies.
If you live in the united states, I can almost guarantee that you have personal information stored in training and test environments.
[ link to this | view in chronology ]
Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups
Second, you called me "a special kind of narcissist." Technically you only implied it, I suppose.
Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there's no reason to worry about training credentials being revealed.
Really, what's the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it's in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).
[ link to this | view in chronology ]
Re: Re: Re: Don't Cheapen Real Security Screw-ups
"It's an easy thing to do while cloaked in the anonymity of the internet"
If the internet has shown us anything, it's that it's equally easy to do when you are using your real name. Anonymity doesn't enter into it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups
Yo! FENDERSON!!
Where does Techdirt have a "'real name' request" or "request to use your real name" ? Is there something like that in the account signup process? 'Cause I've never seen that--otoh, I've never bothered to get an account here, either.
If there actually was some kind of "real name policy" here, I think I might be philosophically opposed. Further, I kinda, sorta, just suspect Masnick might be philosophically opposed, too.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups
I am an asshole in person too.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups
Did you actually read the comments of the person, this soi-disant "Matt Goff", to whom you were replying? (He made these weird claims.)
Or is actually reading comments too much like actually reading court opinions?
[ link to this | view in chronology ]
Re: Re: Re: Don't Cheapen Real Security Screw-ups
[ link to this | view in chronology ]
Re: Re: Re: Don't Cheapen Real Security Screw-ups
Sure best practice would be to have a separate training system with dummy data, but most of the world doesn't work that way because management just see's it as a extra unnecessary cost. Much like electronic/software security in general.
[ link to this | view in chronology ]
your data is safe
Right, they got a valid username and password so they are authorised
[ link to this | view in chronology ]
But what i find is more important is the passwords mentioned at the bottom of the article. Not only do they suck, but this is a shared login? No way to track who did what and when. Utter and complete bullshit. Probably by design.
And they aren't IT gurus? They don't have to be, they just need to be reasonably educated users, but that is too hard for them, and apparently their apologists. But let's roll with the "not IT gurus": How the hell cam you reasonably expect them to do anything legally or in the proper fashion while they are pursuing their favorite new bugaboo, "cyber"crime?
Look, if the cops aren't good at what they are doing, you don't defend them, you replace them, if they refuse to be educated. They'll nail you for any ridiculous (even perceived or made up) infraction if they don't like the way you look. But rules or sensible behavior for cops? Oh my, no.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]