I though that this piece of the absurd theater had come to an appropriately bizarre ending when Terry Childs gave up his passwords to the mayor of San Francisco, but I was wrong. Today we find out that the SF DA has made a bunch of usernames and passwords available to the public (ht: jamessmith24):
The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city’s virtual private network.The passwords were filed this week as Exhibit A in a court document arguing against a reduction in US$5 million bail in the case of Terry Childs, who is accused of holding the city’s network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.
Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive.
The passwords, discovered on Childs’ computer, pose an “imminent threat” to the city’s computer network, according to the court filing. Childs could use the names and passwords to “impersonate any of the legitimate users in the City by using their password to gain access to the system,” the motion against the bail reduction states.
Although the DA’s office did not say what the passwords were used for, a source familiar with the situation said that they are for logging into the city’s virtual private network, and that this type of information is something that a network administrator like Childs would be expected to have.
Posting these passwords in public creates a security risk, although the passwords are not enough to give a criminal access to the city’s VPN. The passwords are so-called “phase one” passwords, and must be combined with a second password to access the network, the source said.
I’m not going to pretend to be a security expert, but even if these area only “phase one” passwords, I would think that it would give hackers a nice leg up on their work. Why do I get the feeling that the “phase two” password is just NT authentication?
Of course, even the most half-assed IT department would have required that all users change their passwords once the whole Terry Childs drama began, so everything should be alright, right?