LAPD Exposes Login To Data Harvesting Software During Interview With CNN

from the as-secure-as-Darth-Helmet's-luggage dept

The Los Angeles Police Department has obtained tons of data over the past several years and that amount of data increases exponentially every year. In addition to its criminal databases, it also collects thousands of license plate time-and-location data points every day and has deployed other forms of surveillance (like Stingray devices), gathering even more data surreptitiously.

Of course, the LAPD feels it can be trusted with all of this data. It claims to have controls in place to prevent unauthorized access to information related to non-criminal Los Angeles citizens. Working with Palantir, the LAPD has instant access to a vast amount of gathered data -- a database so impressive it spent a bit of time bragging about it to a CNN reporter. (via Lowering the Bar)

The CNN video shows LAPD Sergeant Jason O'Brien using Palantir to search for data on a burglary suspect. "After searching over a hundred million datapoints, Palantir displayed an impressive web of information," said CNN reporter Rachel Crane. Palantir's interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot). The video also shows Sergeant O'Brien accessing the LAPD's automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.

With all this information come strict controls, or so the LAPD would like you to believe.

Captain Romero told CNN that the LAPD "cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing."

And yet, during this same CNN taping, the LAPD shows just how careless it is about protecting data. Written on a whiteboard for anyone to see is the login and password to its CAMS (Computer Analysis Mapping System) training system.


While this may be training access only and wholly separated from the actual system and its hundreds of millions of datapoints, it's still not a good idea to leave logins and passwords publicly displayed. Sure, whoever wrote it probably thought no one but cops undergoing training would ever see it (along with the filepath to the CAMS data), but the person or persons OKing the interview should have made a sweep of anything the camera might see. It's simply lousy operational security and it's the sort of thing you never want to see an entity with access to "hundreds of millions of datapoints" do.

Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals [sic] back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still... [T]he whiteboard depicted in the CNN video casts doubt upon the LAPD's ability to keep its data private.

Freedom du Jour points out that the LAPD's negligent attitude towards security has been encountered before. Documents acquired by the EFF and ACLU showed that officers were given the following name and password to log into their ALPR terminals.

Name: LAPD
Password: [blank]

Two years later, the LAPD decided the system might need a password.

Name: LAPD
Password: LAPD

These are the people who claim they can ensure hundreds of millions of datapoints won't be accessed without authorization, thanks to policies and strong statements given to credulous CNN reporters. But this shows that the LAPD's security measures border on nonexistent and its interest in protecting the data of Los Angeles citizens is minimal.


Filed Under: cnn, lapd, los angeles police department, passwords, privacy, security


Reader Comments



  • RadioactiveSmurf, 8 Jul 2014 @ 9:26am

    Give them a break. They changed the username and password from the default

    Name: admin
    Password: admin

    to the much more secure

    Name: LAPD
    Password: LAPD

  • Michael, 8 Jul 2014 @ 10:05am

    Login: GUEST

  • S. T. Stone, 8 Jul 2014 @ 10:10am

    Maybe we can sneak the Master Control Unit into the LAPD system and just let it run amok.

    Couldn't be any worse, right?

  • Anonymous Coward, 8 Jul 2014 @ 10:10am

    So change it again.

    Try "1234".

  • Michael, 8 Jul 2014 @ 10:14am

    Let's be very clear here.

    For the training password for their COMS system, they have the user id: "training" and the password "comsstudent".

    I think the most important question we need to ask is: Why the f*** did you need to write that down on the whiteboard? LAPD officers can't remember that if you tell them?

    • Mason Wheeler, 8 Jul 2014 @ 10:30am

      Re:

      I don't know about the LAPD specifically, but a lot of police departments have an official policy of not hiring very intelligent officers (as in literally if you score above a certain amount on an IQ test--and sometimes the cutoff is below 100--you don't get the job) because smart people might end up doing something dangerous like thinking for themselves rather than following orders.

      • Michael, 8 Jul 2014 @ 10:34am

        Re: Re:

        I know.

        The latest excuse I heard was that people with higher IQs tend to quit the jobs after shorter periods of time. Talk about misidentifying a symptom as the problem.

        • That One Guy, 8 Jul 2014 @ 12:25pm

          Re: Re: Re:

          Actually I could totally believe that, much like Mason notes above, the smart ones are likely to actually think about what they're being asked/ordered to do, and assuming they're not sadists and/or sociopaths, that is likely to lead to them quitting (since reporting corrupt cops to corrupt cops isn't likely to help, and they'd know it).

      • Anonymous Coward, 8 Jul 2014 @ 2:44pm

        Re: Re:

        Yep, saw a documentary about a guy who wanted to be a cop and both his town and state refused him for being too smart, that he would get bored.

        Thankfully in my Canadian province, cops need to take 3 years of college before even hitting the academy (even have to take Calc I) and even then it doesn't mean they'll become a cop. 3/4 of them end up in private security (they can't have guns here).

        Only problem is we have an overload of private security these days, the other day I saw this obviously roid'd agent with an all black suit with SECURITY in what must have been 64 inches font in white in the back IN A SUPERMARKET.

      • Ed, 9 Jul 2014 @ 9:57am

        Re: Re:

        "...but a lot of police departments have an official policy of not hiring very intelligent officers."


        Yep, it's true. Tested for LASD, scored very high, like top 1%, background in network security, university degree. Denied.

        Just saying...

    • PRMan, 8 Jul 2014 @ 11:09am

      Re:

      This is clearly a classroom setting. It's a non-story from a security standpoint. But from a 4th Amendment standpoint it still is.

      • Michael, 8 Jul 2014 @ 11:16am

        Re: Re:

        It's a non-story from a security standpoint

        Given their lack of technical savvy, why do you assume their training environment does not contain actual information? I have seen plenty of data breaches that involved training and testing environments that were simply subsets of production databases.

      • John Fenderson, 8 Jul 2014 @ 11:55am

        Re: Re:

        "It's a non-story from a security standpoint."

        Not true. There are two fairly major security issues here. First, "training systems" and "production systems" are frequently the exact same system, but with special accounts used for training purposes. Having a login to a training account makes it easier to obtain logins to production accounts or to the database itself.

        Second, and more worrying, it exhibits a cavalier attitude to security that more than likely permeates the entire organization. Security conscious people do not relax their standards because "training". Security is a matter of overall habit, not something that is conditionally applied.

  • Vidiot, 8 Jul 2014 @ 10:17am

    Not that this mitigates blame, but... I have no doubt that someone... a line producer or video editor... spotted this chestnut and allowed it to remain. Prevailing attitude: "Not my job to blur it, unless you ask me specifically."

    • Anonymous Coward, 8 Jul 2014 @ 4:05pm

      Re:

      Maybe someone in management told him that he wasn't paid to think and he gave them what they wanted?

  • Trevor, 8 Jul 2014 @ 10:22am

    Luggage

    [King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    ...

    President Skroob: Did it work? Where's the king?
    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
    Colonel Sandurz: 1-2-3-4-5
    President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.
    Dark Helmet, Colonel Sandurz: [looks at each other]

  • Anonymous Coward, 8 Jul 2014 @ 10:27am

    Training person is a moron too

    Who writes "Cdrive/programfiles/" when describing file locations... extremely non-technical people.

    Furthermore, who uses "carriage return" to describe hitting the enter key these days?

    This training session was clearly designed for morons by morons.

    • Anonymous Coward, 8 Jul 2014 @ 10:30am

      Re: Training person is a moron too

      ok, i take back the carriage return part - looking more closely, i see they're using an escape sequence &??newline& to represent the CR in an expression (can't read the ?? part)

    • Berenerd, 8 Jul 2014 @ 10:47am

      Re: Training person is a moron too

      Obviously you have not taken many Microsoft or Cisco training classes over the years

  • Berenerd, 8 Jul 2014 @ 10:51am

    Let's be fair...

    They are cops, not IT security gurus. I mean, I had a job working with a branch of state police where the shift head told me, after being reported for the 5th time for setting up his laptop to automatically log him in (getting around the Windows policies because we had to give him admin access), that people who are going to break into his car will more likely steal the shotgun that is bolted and locked into the floor than the laptop sitting on the front seat booted up and running.

    Yeah...that happened. Another one also wanted me to sign a contract that I wouldn't steal any of his pirated software.

  • Matt Goff, 8 Jul 2014 @ 11:06am

    Don't Cheapen Real Security Screw-ups

    Who cares? I have run IT training many times where I put the shared login up on a whiteboard. It's pretty standard practice to have an isolated training instance and to load dummy data so you don't have to worry about specific user rights.

    Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.

    • Michael, 8 Jul 2014 @ 11:20am

      Re: Don't Cheapen Real Security Screw-ups

      First, why do you assume that their training environment is all dummy data?

      Second, assuming that a bad security practice is acceptable because you engage in it takes a special kind of narcissism.

      • Matt Goff, 8 Jul 2014 @ 11:51am

        Re: Re: Don't Cheapen Real Security Screw-ups

        Michael, name calling isn't very productive. It's an easy thing to do while cloaked in the anonymity of the internet (and while disregarding Techdirt's request to use your real name), but I wonder if you would speak to someone like that in person.

        Back to the LAPD: Why do you assume it isn't dummy data? In addition to leading classes, I have also attended dozens and NEVER ONCE has the training system had real data. We don't even use real data in our dev environments-- only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.

        • Michael, 8 Jul 2014 @ 12:05pm

          Re: Re: Re: Don't Cheapen Real Security Screw-ups

          First, my name is actually Michael.

          Second, I was not name calling. Bad security practice is bad security practice. Writing down a username and password combination is simply bad practice - it is insecure. It is particularly insecure to do it somewhere that a CNN camera is going to be. Using the rationale that you have done it as evidence that it is ok is narcissistic.

          As far as the dummy data? I am glad to hear you have only worked in environments in which training data is not at least partially actual data. It is also absolutely bad practice. I can let you know that after working in the legal and IT departments of software companies, major multi-media companies, health care companies, government contractors, and a state motor vehicle department, the only place I have seen this ALWAYS followed is at a couple of software companies.

          If you live in the United States, I can almost guarantee that you have personal information stored in training and test environments.

          • Matt Goff, 8 Jul 2014 @ 12:33pm

            Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

            First, in my opinion you're not in keeping with the spirit of the "real name" request (and, in my opinion, you know this).

            Second, you called me "a special kind of narcissist." Technically you only implied it, I suppose.

            Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there's no reason to worry about training credentials being revealed.

            Really, what's the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it's in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).

        • John Fenderson, 8 Jul 2014 @ 12:33pm

          Re: Re: Re: Don't Cheapen Real Security Screw-ups

          I don't see where he engaged in name-calling.

          "It's an easy thing to do while cloaked in the anonymity of the internet"

          If the internet has shown us anything, it's that it's equally easy to do when you are using your real name. Anonymity doesn't enter into it.

          • Anonymous Coward, 8 Jul 2014 @ 6:51pm

            Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

            ... anonymity...

            Yo! FENDERSON!!

            Where does Techdirt have a "'real name' request" or "request to use your real name" ? Is there something like that in the account signup process? 'Cause I've never seen that--otoh, I've never bothered to get an account here, either.

            If there actually was some kind of "real name policy" here, I think I might be philosophically opposed. Further, I kinda, sorta, just suspect Masnick might be philosophically opposed, too.

            • John Fenderson, 9 Jul 2014 @ 8:26am

              Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

              Huh? What does Techdirt's policies have to do with anything? I was talking about the notion that making people use their real names (which is impossible to do anyway) will stop them from being assholes. It doesn't.

              • Michael, 9 Jul 2014 @ 12:07pm

                Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

                I can assure you.
                I am an asshole in person too.

              • Anonymous Coward, 9 Jul 2014 @ 12:50pm

                Re: Re: Re: Re: Re: Re: Don't Cheapen Real Security Screw-ups

                What does Techdirt's policies have to do with anything?

                Did you actually read the comments of the person, this soi-disant "Matt Goff", to whom you were replying? (He made these weird claims.)

                Or is actually reading comments too much like actually reading court opinions?

        • Jane, 8 Jul 2014 @ 7:55pm

          Re: Re: Re: Don't Cheapen Real Security Screw-ups

          I agree. Not once have I been in a training class with 'real' data. This isn't that awesome of a story.

        • jsf, 9 Jul 2014 @ 7:30am

          Re: Re: Re: Don't Cheapen Real Security Screw-ups

          The only time I have seen training systems that used dummy data were third party training. Every internal training system I have seen has always been a full or partial clone of a production system. In fact the training system is almost never a separate system just for training. Usually it is a test or development environment. Hell I have even seen training done on a production system.

          Sure, best practice would be to have a separate training system with dummy data, but most of the world doesn't work that way because management just sees it as an extra unnecessary cost. Much like electronic/software security in general.

  • Anonymous Coward, 8 Jul 2014 @ 12:08pm

    your data is safe

    No one got unauthorised access to our database
    Right, they got a valid username and password so they are authorised

  • orbitalinsertion, 8 Jul 2014 @ 8:31pm

    You don't show login credentials, regardless if they are for practice, and in a supposedly isolated training environment. First off, you are now training people wrong, second, never assume that "isolated environment" is as isolated as your wishful thinking would have it.

    But what i find is more important is the passwords mentioned at the bottom of the article. Not only do they suck, but this is a shared login? No way to track who did what and when. Utter and complete bullshit. Probably by design.

    And they aren't IT gurus? They don't have to be, they just need to be reasonably educated users, but that is too hard for them, and apparently their apologists. But let's roll with the "not IT gurus": How the hell can you reasonably expect them to do anything legally or in the proper fashion while they are pursuing their favorite new bugaboo, "cyber"crime?

    Look, if the cops aren't good at what they are doing, you don't defend them, you replace them, if they refuse to be educated. They'll nail you for any ridiculous (even perceived or made up) infraction if they don't like the way you look. But rules or sensible behavior for cops? Oh my, no.

  • Anonymous Coward, 9 Jul 2014 @ 11:13am

    Maybe the first thing he should have taught them is how to create a secure password/log-in. It makes sense from a training standpoint to teach the new guys who may not be tech savvy how to create a better, more secure password. Just my opinion... leading and training by example and teaching good habits would be considered a better alternative, dummy data or not.

  • Ninja, 10 Jul 2014 @ 5:03am

    My cat provides better passwords than that. Seriously LAPD?
