On the one hand, this guy is a dick, but on the other it's really impressive one person in a mid-level job is able to do this sort of thing. I'm not sure if he's a BAMF, or a Classhole.
A disgruntled computer engineer is accused of sabotaging San Francisco's multi-million-dollar computer system, which stores city records such as e-mails, payroll files, and law enforcement documents.
Terry Childs, 43, Pittsburg, Calif., was being held Tuesday on $5 million bail. The computer network administrator has been charged with four counts of computer tampering, the San Francisco Chronicle reported.
Childs, who works in the city Department of Technology, allegedly created a password that gave him exclusive access to the city's new FiberWAN (wide area network), authorities told the newspaper. He has refused to divulge the password, leaving other system administrators locked out.
Undoing Childs' alleged tampering could cost millions of dollars, city officials said. In the meantime, the system is operating, even though administrators have limited or no access.
Childs, who has worked for the city for about five years, had been disciplined in recent months for poor job performance, and supervisors had tried to fire him, the newspaper reported.
Computer Genius seizes control of San Francisco
- CaptainChewbacca
- Browncoat Wookiee
- Posts: 15746
- Joined: 2003-05-06 02:36am
- Location: Deep beneath Boatmurdered.
Computer Genius seizes control of San Francisco
Well, not quite, but nearly
Stuart: The only problem is, I'm losing track of which universe I'm in.
You kinda look like Jesus. With a lightsaber.- Peregrin Toker




- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
If he's a network admin, he has quite a bit more than "mid-level" access to the system.

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC
"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness
"Viagra commercials appear to save lives" - tharkûn on US health care.
http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
- Starglider
- Miles Dyson
- Posts: 8709
- Joined: 2007-04-05 09:44pm
- Location: Isle of Dogs
Re: Computer Genius seizes control of San Francisco
CaptainChewbacca wrote: On the one hand, this guy is a dick, but on the other it's really impressive one person in a mid-level job is able to do this sort of thing.
Far more likely that it's the idiocy/incompetence of his colleagues and superiors, together with the typical civil service broken procedures and a fair seasoning of media hype.
CaptainChewbacca wrote: I'm not sure if he's a BAMF, or a Classhole.
Most likely just a jerk.
Solauren wrote: Millions of dollars to fix this? Call the people that wrote the software, and ask for the backdoor program or code. I mean, seriously, there are speciality programs that only cost a few thousand dollars written for just this sort of situation.
It depends on how you account for lost productivity and whatnot.

phongn wrote: It depends on how you account for lost productivity and whatnot. Are you actually being serious?
Yes, perfectly.
Having written several programs with password capability for work, I always either write a program or backdoor access method.
Why? In case some idiot locks up the whole system, either by intent or by accident.
Do you have any idea what it's like to have a senior government official screaming he can't get into a program, because he forgot his own password? I do.
The only question is, have the systems been custom written, or over the shelf? If they are over the shelf, then the odds of a legitimate backdoor tool are kinda low. If it's custom written, the original programmers should have a way to get back in.
Solauren wrote: Yes, perfectly. Having written several programs with password capability for work, I always either write a program or backdoor access method.
The vast majority of systems don't have this. This may well be a dangerous security hole as well.
EDIT: There could be some sort of password reset function, sure, but there are usually systems in place to ensure only the recipient gets that password.
Solauren wrote: Do you have any idea what it's like to have a senior government official screaming he can't get into a program, because he forgot his own password? I do.
There's a difference between a user-account in a particular piece of software and what is apparently root access to an entire network.
Solauren wrote: The only question is, have the systems been custom written, or over the shelf? If they are over the shelf, then the odds of a legitimate backdoor tool are kinda low. If it's custom written, the original programmers should have a way to get back in.
The term is "off the shelf." Also, if the data in question was encrypted, there may simply not be a way to recover it short of retrieving any passwords or keys from that asshole.
- The Duchess of Zeon
- Gözde
- Posts: 14566
- Joined: 2002-09-18 01:06am
- Location: Exiled in the Pale of Settlement.
Go after the weak link in the chain with rubber hoses?
The threshold for inclusion in Wikipedia is verifiability, not truth. -- Wikipedia's No Original Research policy page.
In 1966 the Soviets find something on the dark side of the Moon. In 2104 they come back. -- Red Banner / White Star, a nBSG continuation story. Updated to Chapter 4.0 -- 14 January 2013.
- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
Solauren wrote: The only question is, have the systems been custom written, or over the shelf? If they are over the shelf, then the odds of a legitimate backdoor tool are kinda low. If it's custom written, the original programmers should have a way to get back in.
Frankly, if I hired a programmer to write a secure piece of software and then found out that he deliberately left a vulnerability open for himself to exploit, I would consider that breach of contract.

Darth Wong wrote: If he's a network admin, he has quite a bit more than "mid-level" access to the system.
It's not mid-level access, but rather in a mid-level position in the governmental hierarchy. I mean, I'm near the bottom of the totem pole, but I've got access to a domain admin account at work.
"preemptive killing of cops might not be such a bad idea from a personal saftey[sic] standpoint..." --Keevan Colton
"There's a word for bias you can't see: Yours." -- William Saletan
- The Kernel
- Emperor's Hand
- Posts: 7438
- Joined: 2003-09-17 02:31am
- Location: Kweh?!
Darth Wong wrote: Frankly, if I hired a programmer to write a secure piece of software and then found out that he deliberately left a vulnerability open for himself to exploit, I would consider that breach of contract.
Anyone who hires a contractor to write a secure system and then checks in and builds the code without the architect doing a code review is stupid anyway. Secure systems require things like ethical hacks, line-by-line code reviews and other best practices.
If some guy were to try this at my company it would have been detected long before it ever reached the production system.
- The Yosemite Bear
- Mostly Harmless Nutcase (Requiescat in Pace)
- Posts: 35211
- Joined: 2002-07-21 02:38am
- Location: Dave's Not Here Man
The Kernel wrote: Anyone who hires a contractor to write a secure system and then checks in and builds the code without the architect doing a code review is stupid anyway. Secure systems require things like ethical hacks, line-by-line code reviews and other best practices. If some guy were to try this at my company it would have been detected long before it ever reached the production system.
unless of course he worked for Diebold....

The scariest folk song lyrics are "My Boy Grew up to be just like me" from cats in the cradle by Harry Chapin
The Kernel wrote: If some guy were to try this at my company it would have been detected long before it ever reached the production system.
Depending on what happened, I wonder if he did shenanigans like drop administrator rights for everyone else upon termination. At least he didn't actually take down the systems.
A more detailed explanation of what I mean.
Anyone that creates a program that uses any kind of password system or encryption, should know how it works and how to defeat it. The first is obvious, the second not so much.
Occasionally, you'll come across sections in an End User License Agreement stating that the original authors may have the ability to, and then a list of things, including access your passwords. This probably doesn't happen very often in commercial applications.
A lot of programmers, depending on the type of customized work they are doing, will ask 'Do you want me to put in a security backdoor so if something goes wrong, I can come in, sit down at the server, and still get in to fix things?' or 'Do you want me to make a separate set of administrator tools that would not be on your network that would let you bypass security to fix problems.'
Quite frankly, I'd be surprised if this wasn't widespread. It can save a lot of time and money.
A perfect example of what I mean;
One of the databases I have built for work has user levels and passwords, etc. There is even a lovely tool built in for the unit manager to go in and go 'okay, Bob is no longer in this unit, therefore he doesn't need access to this database'. They revoke his access, and Bob can't get into the database anymore.
It also has the capability to give him back his access.
I have, on numerous occasions, been called to say 'Um, guess what? I forgot my password...' by the managers. The people that can and are supposed to be able to change the user passwords.
Now, by any definition, the database is secure. You can't get to the directory unless you have network access to that section of the server hard drive, you need the client package to get in, and you need your own password to get in. And even if you log in, you can only modify your own work. You can't touch anyone else's. Managers can't even edit a user's work.
It was REQUESTED that I (or my replacement should I leave the company) have a way to bypass all the security that was built in. There have been a few instances of someone leaving the company altogether and not transferring their access in software to other people, and so forth. This was in addition to my log in to the database, in case someone left and changed user access levels and passwords on the way out.
So, I built it. I can now plug into that database, and do what needs to be done in the backend. No one else can, because no one else has the required interface. My unit manager has a copy on a CD in case I leave and forget to transfer.
This is the same for several other programs I've written for work, as well as one I'm currently writing.
So really, the existence of 'all powerful' user administration tools depends on the company. They may even sell them as a separate software package.
So, that's why the supposed difficulty of this, I find hard to believe.
The parent company of the software, custom or not, should be able to go 'okay, he changed everyone's password? We'll have someone there in a few hours to fix it.'
Go in, shut down the server, plug in a different hard drive, boot the system, copy the User Password ID files off the server, delete them from the server, replace with a default copy. Re-enter IDs manually.
Do this on a Friday night when everyone has gone home. Pay 1 guy a day's overtime to type everything back in, and Monday morning, no one will notice the difference.
- Uraniun235
- Emperor's Hand
- Posts: 13772
- Joined: 2002-09-12 12:47am
- Location: OREGON
Solauren's posts read like dialogue out of WarGames.
"There is no "taboo" on using nuclear weapons." -Julhelm
What is Project Zohar?
"On a serious note (well not really) I did sometimes jump in and rate nBSG episodes a '5' before the episode even aired or I saw it." - RogueIce explaining that episode ratings on SDN tv show threads are bunk

-
- Sith Acolyte
- Posts: 6244
- Joined: 2005-06-25 06:50pm
- Location: New Zealand
Solauren, since you deliberately put a backdoor into your system, how do you ensure that your employees can be trusted not to make use of it if they have some grudge against whoever you sold the software to?
Even after those employees have stopped working for you.
How do you go about showing that your security solution is better than the other guys'?
If there aren't any known holes, you could just tell everyone what your algorithm and/or code is (probably under an NDA) so they can look for the holes themselves. But since you already know of a big security hole, that isn't an option.
In fact, saying that your solution is secure may run you into trouble with false advertising laws.
- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
Solauren wrote: A more detailed explanation of what I mean. Anyone that creates a program that uses any kind of password system or encryption, should know how it works and how to defeat it. The first is obvious, the second not so much.
Any competent person who creates a password or encryption system should ensure that there is no practical way to defeat it.
Solauren wrote: A lot of programmers, depending on the type of customized work they are doing, will ask 'Do you want me to put in a security backdoor so if something goes wrong, I can come in, sit down at the server, and still get in to fix things?' or 'Do you want me to make a separate set of administrator tools that would not be on your network that would let you bypass security to fix problems.' Quite frankly, I'd be surprised if this wasn't widespread. It can save a lot of time and money.
Any customer who said "Yes, I want my password system to be a complete sham because there's a wide-open back door waiting to be exploited" would have to be quite stupid. Perhaps while he's paying for your services, he can also hire a security company to install a spectacular security system on his house, but only on the front door. The back door will be left open at all times.

- Durandal
- Bile-Driven Hate Machine
- Posts: 17927
- Joined: 2002-07-03 06:26pm
- Location: Silicon Valley, CA
The Kernel wrote: Anyone who hires a contractor to write a secure system and then checks in and builds the code without the architect doing a code review is stupid anyway. Secure systems require things like ethical hacks, line-by-line code reviews and other best practices. If some guy were to try this at my company it would have been detected long before it ever reached the production system.
It's easy to say, but check out the Underhanded C Contest entries. It's dedicated to producing C code that looks totally valid but has a flaw that allows exploitation, and even if that flaw is uncovered, looks like an innocent mistake. The winners are all downright brilliant. Check out 2007's winner, which is described as a "beautifully spiteful bug".
Damien Sorresso
"Ever see what them computa bitchez do to numbas? It ain't natural. Numbas ain't supposed to be code, they supposed to quantify shit."
- The Onion
Let me run this a different way, while trying to get to the same point.
PKZIP. Large scale commercial software. Hell, a version is built into Microsoft Windows now.
When you password protect a Zip file, you can no longer unzip it. You can view the Zip's contents, but you can't do anything else.
There are programs out there that will copy a zip file, and in the process, deliberately remove the password from the copy.
Oh no! PKZIP has a security vulnerability!
I wouldn't be surprised if someone has made a program that will unzip the original file, and then tell you what the password is. (Note: I've never actually found one that does that)
What I'm talking about, or trying to say, is the same idea. Someone will know how to defeat any system, either through an accidental security hole, deliberate security backdoor, or because they know the system at the code level, and understand how it works, and know, or can figure out, a way to defeat it.
Hell, Durandal also just pointed out how freaking easy it is for a good programmer to put in a security hole that no one may ever notice. It's so easy, and common, they hold contests for it!
Oh, and as a note;
If a security hole is deliberate, and the client and the programmer know about it, it's not a hole, it's a 'backdoor'.
If just the programmer knows about it, it's called breach of contract.
Darth Wong wrote: Any customer who said "Yes, I want my password system to be a complete sham because there's a wide-open back door waiting to be exploited" would have to be quite stupid. Perhaps while he's paying for your services, he can also hire a security company to install a spectacular security system on his house, but only on the front door. The back door will be left open at all times.
That's not entirely accurate, but I do see where you are going with it.
Any programmer / company that wants repeat business or referrals and a good reputation will explain the security set up to a client, in detail. Including 'now then, with all that said, if you want, we can make the program so that, worst case scenario and everyone is locked out, we would be able to get it. If you don't want that, we can make sure to not include this feature.'
Example: Microsoft Access. It's possible to make a MS-Access database that you cannot get into the back end and modify the components of the database at all. This is beyond passwords and encryption. It's part of the individual database file's start up routine.
There is also a way to bypass the start up routine using the commercial interface (but not the free runtime version most end users get), and a way to disable the bypass as well. (I know of no legal way to disable it).
You can also, when making a database, make it so you can't link the tables into another file without a password.
However, the start up routine and link passwords are optional. You discuss them with the clients before building the database.
You would honestly be surprised how many people I've built databases for, both at work, and freelancing, that they say 'oh, that's good, if someone screws up, you'll be able to get in and fix it.'