San Francisco's computer access nightmare

I’ve checked and can’t find a thread about this. In any event, I’ve a question that should be answerable in General Questions.
The city of San Francisco has been shut out of access to its computer system for the last week or so. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/17/BAK111QRPB.DTL

Terry Childs, a computer engineer for the city, helped to build the system, and locked out everyone by supposedly changing the passwords for all system administrators. So, we have a rogue expert who holds the city hostage.

I really don’t care, in this thread, to understand many of the issues about why he did this, or other things, except to have someone tell me why the city can’t have some expert come in and get access to the system. That’s all I want to know here.

With the ability to crack/hack systems, I find it hard to believe that access can’t be gained.

Is it a legal thing? They don’t want to gain access because they’d rather make a case against the guy?

If I were in the City’s shoes, first thing I’d consider was a system rollback or restore from a safe time. Since it’s safe to say the City has physical access to the system, I don’t see how a software tweak can leave them helpless.

Uh, any idea how they’d be able to do that when they can’t even log on to the machine?

Still, couldn’t they mount the drives from a different machine and change the passwords from there? Or is it not that easy to do so in Windows (assuming that the machines are even Windows)?

Seems to me they could hire the kind of data-recovery folks that find deleted & wiped child porn on perps’ computers (among other things). I assume any and all passwords are child’s play for those guys.

Given that they presumably have physical access to the machines, it seems reasonable that they should be able to root them at will. But I’m guessing this is actually a software issue – they have some custom application for which he changed all the passwords, and they don’t have a backup. (Or the backup is useless.)

If the passwords are stored using strong cryptographic methods, then retrieving them would win you a Fields Medal (mathematics’ version of the Nobel Prize).

It’s not really the computer system as in servers and applications etc., it’s their fiber wan, which probably means switches/routers, etc. is where the passwords were changed.

System is running but the other admins are locked out.

Doesn’t say what kind of network it is or what they are using for authentication. If they are using a TACACS+ or RADIUS server then it may be tricky to hack in, depending on how they have it set up. If it’s simply a Microsoft Domain then there are ways to hack the servers, though it would mean they’d have to take the system down to do so…and that may be their issue. If it’s some UNIX variant…well, again, it depends on how they have it set up and how they are doing the authentication. Nothing is hack proof, especially if you have physical access…though if the guy is REALLY vicious there are ways to really fuck people over, no doubt.

What I find incredible is that there are no back door accounts and that one guy essentially had full access to the system but no one else does…or that if this wasn’t the case, that no one else was paying attention while he went in and got rid of every back door and alternative administration account. Even on a government network that is…well, pretty incredible.

-XT
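The point XT raises about back door accounts and centralized authentication is something a defender can check for mechanically. The script below is an added example, not code from this thread or from any vendor: it scans a saved device configuration (constructed here, loosely modelled on Cisco IOS-style lines; the exact syntax and the `$1$placeholder$...` hashes are assumptions) and flags the two conditions the thread worries about, a single privileged local account and no TACACS+/RADIUS fallback.

```python
"""Audit a saved network-device config for single-administrator risk.

Added example for this thread, not vendor tooling. The config syntax is
modelled loosely on Cisco IOS-style lines; both sample configs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed: one privilege-15 local user, no centralized AAA at all.
RISKY_CONFIG = """\
hostname core-rtr-01
!
username netadmin privilege 15 secret 5 $1$placeholder$hash1
username helpdesk privilege 1 secret 5 $1$placeholder$hash2
!
enable secret 5 $1$placeholder$enablehash
!
line vty 0 4
 login local
 transport input ssh
"""

# Constructed: two privileged locals plus TACACS+ with local fallback.
HARDENED_CONFIG = """\
hostname core-rtr-01
!
aaa new-model
aaa authentication login default group tacacs+ local
!
username netadmin privilege 15 secret 5 $1$placeholder$hash1
username backupadmin privilege 15 secret 5 $1$placeholder$hash3
!
line vty 0 4
 login authentication default
 transport input ssh
"""

# "username NAME [privilege N] ..." -- privilege defaults to 1 when absent.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


@dataclass
class AdminAudit:
    privileged_users: list = field(default_factory=list)
    aaa_enabled: bool = False
    central_auth: bool = False
    findings: list = field(default_factory=list)


def audit_config(config_text: str) -> AdminAudit:
    """Enumerate privileged local accounts and AAA settings, then report risks."""
    result = AdminAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2) or 1)
            if priv == 15:
                result.privileged_users.append(name)
            continue
        if line == "aaa new-model":
            result.aaa_enabled = True
        if line.startswith("aaa authentication login") and (
            "tacacs+" in line or "radius" in line
        ):
            result.central_auth = True

    # Fewer than two privileged accounts means one person can lock everyone out.
    if len(result.privileged_users) < 2:
        result.findings.append(
            "single point of administrative failure: fewer than two "
            "privilege-15 local accounts"
        )
    # Without TACACS+/RADIUS, the local credentials are the only way in.
    if not (result.aaa_enabled and result.central_auth):
        result.findings.append(
            "no centralized AAA (TACACS+/RADIUS): local credentials are the only way in"
        )
    return result


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        audit = audit_config(cfg)
        print(f"{label}: privileged={audit.privileged_users} findings={audit.findings}")
```

Run against an archive of exported configs, the same check tells you which devices would be unrecoverable through normal logins if one administrator's credentials were the only ones that worked.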

I didn’t see where they said that in the article (I only skimmed it though), but if that’s the case it’s even easier, as hardware infrastructure is easily hackable if you have physical access…so I’m unsure what the problem is. Unless they are total idiots they should be able to either hack in during reboot or simply burn the thing down and rebuild with their most current config files. It generally takes me no more than 15 minutes to do a password reset on, say, a Cisco router…and it happens all the time. And that assumes they aren’t using something like CiscoWorks (or whatever vendor they are using) or HP OpenView with command access.

-XT

I’m curious. Why isn’t this bigger news nationally?

I didn’t read the linked article, I read the article on slashdot a few days ago.

I can’t see what the problem is then, unless the problem is that they do not want to take down the network for a few hours…obviously taking down the core or access control infrastructure could have a pretty profound impact on network access, depending on how fault tolerant their network is. Still…it SHOULD just be a matter of hacking into the individual routers or switches, at least based on what you seem to be saying the problem is.

-XT

I wasn’t thinking of getting the passwords at all. Just getting the data off of the hard drives.

That’s likely it. If nothing’s actually malfunctioning in any major fashion, it’s probably better to leave it alone rather than disrupt things, and see if they can get the uber-password out of Childs, which will allow them to fix things without taking the network down.

That’s what I was thinking. They can leave it running, if something happens requiring access they can do a reset or whatever other method at that point and hopefully, while they wait, the guy gives them the password.

The only other thought is that they are worried the guy left a time bomb triggered by resetting/rebooting any of the network hardware. I’m not a network guy so I don’t know how possible this is.

I’m not clear on what the guy did, either. I’m seeing a lot of references to the FiberWAN network system, but I don’t know what that is. I mean, I know what fiber is, and I know what a WAN is, but the usage “FiberWAN” makes it sound like a specific network product. I can’t turn up any hits for “FiberWAN” that aren’t related to this story. Anybody know anything about that?

According to this story,

I’m also seeing some accusations that he installed software which allows SF City data to be intercepted by third parties.

My guess is that they could reset the hardware to factory settings or replace the hardware, or if we’re talking servers, restore the drives from backup. But, then you’d potentially remove the evidence of his wrongdoing, and remove the ability to see who else got their hands on your data. So, maybe – and I’m just guessing here – he’s set up a clever, if evil trap. “Sure, you can get the system back in an hour, but you’ll never know what I was up to then…”

I can’t see what he could do to the code in the infrastructure to be honest. Oh, you could probably write something to wipe out the running config, maybe even the equivalent of the IOS (or whatever they are using), but neither of those would be fatal…assuming they actually have decent backups of the latest configs and something like a SmartNet contract (which I can pretty much guarantee they do if they are SF city).

You guys are most likely right though…my guess is the issue isn’t if they CAN hack the system but if they can get the down time (and the administrative balls) to do so. There are a few things I can think of to lock a system out, but none that could lock it out permanently short of nuking it down to bedrock and daring someone to rebuild it all from scratch.

-XT
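XT's recovery plan rests on having "decent backups of the latest configs", and a backup is only useful if you also know when the running config has drifted from it. As an added example (not from this thread or any vendor), the script below fingerprints a golden backup and the current running config, diffs them line by line, and calls out the changes that matter most in a lockout scenario: a privileged account disappearing and a new login restriction appearing. Both configs are constructed, in loosely Cisco IOS-style syntax, and the `$1$placeholder$...` hashes are stand-ins.

```python
"""Detect drift between a golden config backup and the running config.

Added example for this thread, not vendor tooling. Both configs are constructed
and use loosely Cisco IOS-style syntax.
"""
import difflib
import hashlib

# Constructed golden backup: two privileged local accounts, open VTY lines.
GOLDEN_BACKUP = """\
hostname core-rtr-01
username netadmin privilege 15 secret 5 $1$placeholder$hash1
username backupadmin privilege 15 secret 5 $1$placeholder$hash2
snmp-server community placeholder RO
line vty 0 4
 login local
 transport input ssh
"""

# Constructed running config: the backup admin is gone and VTY access is
# now restricted to whatever access-list 10 permits.
CURRENT_RUNNING = """\
hostname core-rtr-01
username netadmin privilege 15 secret 5 $1$placeholder$hash1
snmp-server community placeholder RO
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
"""


def config_fingerprint(text: str) -> str:
    """SHA-256 of the config text, for quick 'has anything changed?' checks."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def config_drift(baseline: str, current: str) -> dict:
    """Diff two configs and flag lockout-relevant changes.

    Returns fingerprints, the removed and added lines (whitespace-stripped),
    and a list of human-readable findings.
    """
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    )
    removed, added = [], []
    for line in diff:
        # Skip the file headers and hunk markers; keep only changed lines.
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:].strip())
        elif line.startswith("+"):
            added.append(line[1:].strip())

    findings = []
    for line in removed:
        if line.startswith("username") and "privilege 15" in line:
            findings.append(f"privileged account removed: {line.split()[1]}")
    for line in added:
        if line.startswith("access-class"):
            findings.append(f"new VTY access restriction: {line}")
        if line.startswith("username") and "privilege 15" in line:
            findings.append(f"new privileged account: {line.split()[1]}")

    return {
        "baseline_sha256": config_fingerprint(baseline),
        "current_sha256": config_fingerprint(current),
        "removed": removed,
        "added": added,
        "findings": findings,
    }


if __name__ == "__main__":
    report = config_drift(GOLDEN_BACKUP, CURRENT_RUNNING)
    print("changed:", report["baseline_sha256"] != report["current_sha256"])
    for finding in report["findings"]:
        print(" -", finding)
```

Scheduled against periodic config pulls, this is the kind of check that would have surfaced the account removals while they were happening, instead of at the moment the other admins found themselves locked out; it also gives the rebuild team a verified baseline to restore from.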

Why do they have to log on to the machine? If you have physical access, you can yank out one system and put in another, or yank out data drives and mount them elsewhere where his passwords aren’t a factor.

Yes, yes, I know – there could be other password protected features, but physical access is the key. Replace the boot procedure to use a different copy of the OS and you’ve wiped out his modifications.

I feel sorry for the IT Dept if they aren’t properly backed up, but this should be a lesson for them.

This might be part of it too. I saw a reference to this guy copyrighting some of his previous work. He seems to have the concept that setting up a system is sort of intellectual property. So, maybe he set up this killer system, didn’t get the money he wanted or got pissed, then killed the backups and locked everyone out. They can use the system but can’t get access to his “intellectual property” unless they give him what he wants. He turned the network infrastructure into a proprietary system. Again, all these are my WAGs, though.

Fiber requires different hardware than copper, I assume it’s nothing more than that.