July 26, 2008 2:28 PM PDT

'Hijacked' SF passwords made public

by Jennifer Guevin

Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.

The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.

Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.

Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. The San Francisco Chronicle reported that Childs handed them over directly to Mayor Gavin Newsom in a secret meeting earlier this week.

Later in the week, the DA's office reportedly filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite the filing's own claim that the passwords pose an "imminent threat" to the city's computer network, they are now a matter of public record.

A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.

And here I thought we San Franciscans were supposed to be good with this computer stuff.

Jennifer Guevin is assistant managing editor of CNET News. She focuses on science and green tech. But she also makes the occasional contribution to CNET's kitchen gadgets blog or writes about the latest Web distraction. Once a week, she takes the mic as host of CNET's Daily News Podcast.

18 Comments
by mliddekee July 26, 2008 3:53 PM PDT
Something is fishy with this whole Childs/SF story. I don't think we're getting the whole picture. If the DA's office is stupid enough to make a list of passwords public record then it sounds like this Childs guy might have been right in the first place that the city was a danger to itself.
by Imalittleteapot July 27, 2008 1:15 AM PDT
Maybe the city was a danger to itself. Oh well, it wasn't his problem. In his own best interest he should have stayed out of it. Plus, when the city did shoot itself in the foot it could have finally changed procedures. Sometimes, you just can't help because people don't want help and there's nothing you can do other than get dragged down with them. Try to help if you can but never let someone that won't listen drag you down with them. Sometimes you just gotta watch 'em shoot themselves in the foot and say I told you so.
by firestarter July 26, 2008 4:05 PM PDT
This is why Childs didn't feel that people were worthy of the password, and thanks to this DA he was just proved right. How did he become DA and do such a stupid thing like this?
by n3td3v July 26, 2008 4:08 PM PDT
Where are the publicly available passwords???
by ralfthedog July 26, 2008 4:14 PM PDT
Re: Where are the publicly available passwords???

User Name: user1
Password: wordpass1

User Name user2
Password wordpass2

....
by SlimGem July 26, 2008 4:45 PM PDT
What does it matter now? I'm sure they are disabled. Aren't they?
by gremont2007 July 26, 2008 5:16 PM PDT
I don't have the key to install Norton... could you help me with that?
by anthonysmission July 26, 2008 6:34 PM PDT
Making UN's and PW's public isn't a good thing!

Anthony Kraudelt
1332 Kruger Ave
Erie, PA 16509
by anon8mizer July 26, 2008 8:12 PM PDT
For most users, even if you need a second password (a one-time password, or OTP, from a security token or whatever) to log into the SF VPN, the first password they use is still the same password they use for other personal sites, like their banks, Amazon, or whatever. So knowing these users' IDs and first passwords is a great thing for an ID thief.
by Astinsan July 27, 2008 8:47 AM PDT
My favorite place to look for passwords... under keyboards. on sticky notes... bottom of desk... side of desk drawers...

if it is a password for a privileged account it could bring down everything. I have seen this over and over again... for big companies... in charge of your atm cards... checking account numbers... drivers license numbers... (obviously retail)

Look what happened to Egghead, TJ Maxx, whoever else... I guarantee they could have stopped it but because someone with clout didn't want to change his/her password it didn't happen.
by DavoRider July 27, 2008 9:10 PM PDT
I once guessed the password of an employee on my third try. He had a large collection of soda cans on his desk, which led me to guess "dietcoke".
by toomath July 27, 2008 9:00 PM PDT
er, mliddekee, the only reason the DA was in a position to (stupidly, yes) release those passwords was BECAUSE Childs held them hostage and engaged in criminal activities...let's put the blame where it belongs.

I'd also point out that the DA was never one of the people Childs complained about; he was pissed off at his supervisors.

I've worked with guys like this before. Sometimes they can be great workers--obsessed with their jobs, strong sense of ownership. But one webmaster I worked with went off in Childs' direction, convinced everyone but him was incompetent, delusions of grandeur, told everyone he won the Medal of Honor (yeah, he didn't. Sort of easy to check, too.). Bragged about secret "back doors" and such. I always wondered where he ended up and what damage he might have done. This Childs story brought back memories.
by DavoRider July 27, 2008 9:07 PM PDT
Typical San Francisco politics. Sadly, The City seems incapable of electing competent officials. Kamala Harris is just another example of this.
by chlimouj July 27, 2008 11:13 PM PDT
toomath:

[CNET editors' note: personal attack deleted]. The DA did not have to submit into evidence a list of usernames and passwords. Those were not the passwords that Childs was holding "hostage." It was just superuser-level passwords that Childs did not disclose. What possible legal argument could the DA have been trying to make based on user-level passwords that required them to be submitted as evidence? There is just no excuse for incompetence to that degree.

Ultimately, Childs did the right thing. He disclosed the passwords to the highest authority in the city, the mayor. The difference between Childs and the guy you're thinking of is that Childs was surrounded by idiot administrators, whereas your guy was surrounded by idiot users, [CNET editors' note: personal attack deleted].
by Michichael July 28, 2008 11:59 AM PDT
Ok, this is hilarious. This guy was a NETWORK ENGINEER. NOT A SYSTEMS ADMINISTRATOR.

He never had access to the Active Directory, user names, passwords, or any of that. He managed the ROUTERS AND SWITCHES that kept the backbone up. He had no access to the servers whatsoever other than by packet sniffing hashes. They want to prove he hacked them, get IDS logs, not the UN/PW list. This is just reaffirming the case that Childs didn't do anything wrong. He held the passwords to all the routers/switches by design. When they demanded the passwords without a security policy or procedures in place, Childs didn't think they had the authorization to. They grew super paranoid and arrested him. In his place I'd do the same damn thing: These bozos are going to break something you've spent 5 years working on and don't even have the authorization or documented paper trail to demonstrate that they have authority to request these passwords; why would you give it to them?

He wasn't fired. If they fire him, he'd give them the passwords, I guarantee it. He gave it to the Mayor and told him "Ok, good luck. It's on record that you have the authority, being the mayor. When they **** it up, it's not my fault."

Now they're like "Crap, we broke something. Let's circulate a story of how it's configured as a time bomb. The court will eat it up, it's like a Hollywood hacker film, they don't know the difference. Then we'll just testify as experts and cover up our own ineptitude."

Get a real engineer, or better yet an information security specialist (aka hacker) to testify. Hell, *I* would chew them up and spit them out.
by vintagegeek July 28, 2008 12:38 PM PDT
The more you hear on this case the more you feel Childs might have some valid points. "Trust No One"...oooh, where have I seen that phrase before? Time to bring in some top-notch 3rd-party experts to document the who, what, where of this network. But don't let the DA's office see it. They sound a bit loosey-goosey.
by Serenity3000 July 28, 2008 12:58 PM PDT
His name is Nick and he's MY network administrator. From the description alone, it's GOTTA be him. Especially the delusions of grandeur. You also forgot "likely to sneak off and burn one on their lunch break" and "chews his nails until they're bleeding!"

:D