A Password Worth Millions in San Francisco

It’s a classic suspense story – Man finds city job in computers. Man works there for 5 years. Man has a huge amount of data responsibility. Man is threatened to be fired. Man creates a password granting him exclusive access to the city IT system.

This Story Is Actually True…

Terry Childs, a 43-year-old computer network administrator has been charged with 4 counts of computer tampering and is on $5 million bail. He was working for the Department of Technology where he had direct access to officials’ e-mails, payroll, confidential documents and jail inmates’ bookings. When he understood that his job was at risk, he started tracking administrator’s comments on his job performance by setting up a tracing system. Then Terry Childs brought San Francisco’s multi-million dollar computer network to its knees by altering password access and preventing top administrators rights to the network.

And It Gets Better

The only person with the password is Terry Childs himself. And he is not telling.

Password security doesn’t have to be limited to tales of horror hacking. Sometimes your password, or in this case the San Francisco’s Department of Technology’s passwords, can be stolen/changed by the guy you share a coffee with every morning. But the question is – could this have been prevented (giving Terry less or no access to other’s passwords) and more importantly, will it be prevented in the future?

15 responses to “A Password Worth Millions in San Francisco

  1. That’s it, this blog is beyond boring. I could read this with more details in a free newspaper while commuting.

    Bashing a very good competitor (Clipperz.) Making entries on “who’s who”. Talking about common passwords anybody’s mum would know.

    You will not gain respect this way.

    (And I guess this post will magically disappear.)

  2. @Alecco
    No, of course your comment, or this post, won’t magically disappear. :)

    Well, we’ve been trying to try new things. What would you prefer to read?

  3. @Alecco

    About Clipperz, I agree: Clipperz is a good competitor. In fact, I don’t criticized Clipperz itself, but its definition of Zero-Knowledge Web Application. IMHO that is a dangerious concept. Do you think that should be more honest towards people say nothing about it?

  4. Note: I’ve been subscribed to this blog and followed your quite interesting start-up for a while.

    My point above was the only technical post in ages (ever?) is just attacking zero-knowledge applications, Clipperz in particular. (I don’t agree with that post, or its logic, but that’s not the point here.)

    Your product looks interesting but your happy-feel-good/holier-than-thou PR just turned me off.

    Maybe I’m just a grumpy privacy aware techie user and mom ‘n pops actually do like this PR. (IMHO you could have it both ways with a bit of balancing.)


  5. BTW sorry for the harsh tone on the first post. My coffee quota wasn’t filled up yet and I had/have high hopes for you :)

  6. @Alecco
    Glad you’ve been following us – thanks! We actually had a lot of internal debate on the Zero Knowledge post. Both Francesco and I are against the definition — he felt it was important to open up a discussion, while I was afraid (since it’s closely related to Clipperz) that it would create a negative backlash. In the end, we took the chance since we both feel very strongly about it.

    On the lack of technical posts recently. Yes, that’s true. I think what you’re seeing are our growing pains.

    I used to write the blog on my own, back when it was just Francesco and I. Now we’re opening up the blog to our employees to contribute to. They have varying levels of technical knowledge, or ability to write in English (we’re in Italy) and it’s turning out to be an interesting experiment.

    That said, if things are swaying too much in one direction, then I’ll try and get some of the more technical and/or product-centric posts written that are on the to-do lists. Louise is now studying about potential perils of using Passpack (or other sensitive sites) on public computers. Let’s see what she comes up with.

    On coffee – no problem. I can’t even *see* in the morning without at least two cups (that’s espresso – straight up).

    Cheers to you!

  7. (offtopic) … and I am still puzzled why you cannot have the user’s password computed on the client as a one-way function of his passphrase….

  8. @Tara

    I can only dream of living in Italy and having those glorious espressos every morning!


  9. @anonymous

    They do. That’s the 2nd part, the “packed” thing.

    I guess it’s tricky not to have a system user, it probably simplifies fending off bots and abusers. Yep… “For security purposes, we need to be able to track down anyone who attempts to abuse the system.”
    (I hope this isn’t outdated.)

  10. @anonymous
    I’m not sure exactly what you mean, but judging by @Alecco’s reply I think you’re asking why we have a separate Packing Key (encryption key) and don’t just use the password to encrypt data straight way?

    If so, it’s a fairly simple answer. By separating the authentication credentials (user id and pass), from the encryption key we have more flexibility to manage the account without going anywhere near the data.

    For example, we can offer support, manage sharing or accept OpenID as an authenticator.

    Not really sure how the auto-login post ties into this – help?

  11. Alecco’s comments were a bit harsh, however, I understand his sentements, as I was suprised to read some of the recent posts which appear to be general chatter rather than about specific information about Passpack. Maybe you need 2 feeds, one for Passpack and maybe a ‘Passpack Lounge’, and let readers decide what they wish to subsctibe to.
    I subscribe to keep up to date with this excellent product, and if I want news or chatter I go elswhere.

  12. I did *not* ask why you have a passphrase (aka “packing key”).

    What I ask is why on earth do you bother your users to remember a password? Why can’t the password be a one-way function of the passphrase (e.g. password=Hash(username,passphrase)) ???

    If you would do this, there would be no need for users to remember a password, too – a big usability advantage, don’t you think?

    At the same time, if the password was to be calculated on the client (the code is there already) there would be no more “exposure” of the “packing passphrase/key” than there is already.

    So please tell me, why on earth do you require users to choose and remember a password in addition to the “packing key/passphrase” ?

  13. @Reedy
    I like Passpack Lounge. I’ll see if I can’t get this set up either using the categories (each one has it’s own feed) or I’ll look into opening a separate blog. Give me a few days to figure out what is the best way to handle it. Thanks for the feedback (you too @Alecco) – it really helps to keep us oriented.

    Keeping the login credentials and Packing Key separate is a design decision.

    In the future we’ll allow OpenID to substitute the User/Pass combination. This sounds like it would meet your needs. I don’t have a release date for that though yet, sorry.

  14. A password of the form Hash(userid,passphrase) would not really violate the design principle of “keeping the login credentials and Packing Key separate”, don’t you agree? I would, however, increase the usability of passpack by orders of magnitude.

    Also, I do not see where the problem is if you want to substitute such a password with an alternative method (e.g. OpenID coming from outside, or yourself acting as OpenID provider). These things are orthogonal (unless I miss some important detail).

    “This sounds like it would meet your needs.”

    I would like to know more about *how* passpack works *why* it works the way it works ;)

    I am afraid that I still do not see why you require your users to choose and remember a password. There must be a real reason, right?

  15. Back to the topic of this post, you might want to check recent updates to the story again. There was significant misinformation on the original reports, and certainly too much hype and scaremongering.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s