There aren’t a lot of details yet, but Mr. Childs does appear to have the City of SF by the short hairs, with control over most of the network. Next time your boss comes looking for answers about why we have to have separation of duty, this incident should be his suggested reading.

What was it about the city’s network that allowed this to happen? What sort of authentication schema are they working with that he locked it down so hard that security experts with physical access can’t break it? Are they just waiting to take some downtime to replace or reset equipment? Why aren’t they letting the system crash and restoring from backup? I guess the average reader wouldn’t care about those details, but I am curious why this ends up being such a big deal, resetting the password in most systems should be a fairly task.

Another aspect I’m curious about is the concern over a possible backdoor data bomb; is this something that ‘officials’ are concerned with, did Childs make a threat or did the idea come from someplace else? If they didn’t find a remote contol device in his home, chances are there’s nothing, since most people who commit this sort of crime don’t hide it that well. He might always be the exception though. Again, why can’t the city let the bomb hit and restore from backup?

I don’t think this is having quite the outcome Mr. Childs predicted. He’s going to end up out of a job and in jail for a while. I hope he cooperates soon and minimizes his own pain, not to mention the city’s.

Show Notes:

Network Security Podcast, Episode 112, July 15, 2008

Time: 50:00

There don’t seem to be a lot of (read any) security updates related to this upgrade, though there are a lot of usability updates. I’ll have to check out ‘gears’ when I have some extra time to spare.

Even if the iPhone hadn’t come out, the MotoQ had to go. After 16 months, the extended battery took a dump. I hope the iPhone batteries last more than 16 months, I know my iPod has so far.

This is a long one, by the way. That always seems to happen when Michael and I get together to talk.

• Colin Dixon | http://www.cs.washington.edu/homes/ckd/
• Andrew Hay | http://www.andrewhay.ca/
• Martin McKeay | www.mckeay.net
• Michael Santarcangelo | www.securitycatalyst.com & www.intothebreach.com

As an interesting side note, Thomas Ptacek points out that Dan could have made a lot of money by selling this to Tipping Point or someone else. He didn’t and he put his reputation on the line to organize the vendors to patch this issue in a coordinated manner. Kudo’s to Dan and his team for taking the high road. Now we just have to wait until Black Hat to find out the real details of the vulnerability. I bet that’ll be a crowded talk.

Rich was able to get an interview in anticipation of today’s announcement and you can hear about it straight from Dan himself. There are not a lot of technical details concerning the vulnerability in the interview and every effort is being made to give us as much time to patch before reverse engineering gives the bad guys the secret sauce to make this a weaponized vulnerability.

Check the show notes for the CERT advisory and additional information.

Network Security Podcasdt, Episode 111, July 8, 2008

I’ve helped organize both of the RSA Bloggers meetups, paid for a round of drinks at the first Shmoocon meetup and will quite likely be producing either streaming audio or video (with audio of course) from Defcon this year. It’s going to be a fun event and will have a very different feel from the meetup at RSA. There will be some of the same characters of course, but the crowd at Defcon is younger, more energetic and a little less … refined might be a good word for it. But not any less intellegent or knowledgable, for certain.

I’ll post more information as it becomes available. If you’re already planning on going, contact Mubix to let him get an accurate headcount. If you can offer up some of your company’s money to help buy drinks, contact him even sooner!

There are a few features that TMP offers that I really need. The first is opening up URL’s I type in in a new tab rather than in the current window by default. There’s probably a way to get FF3 to exhibit this behavior without TMP, but I’ve never been able to work right. Another feature is the ability to automatically reload a particular tab on a regular basis. I have a couple of stats windows I keep open that I want to reload every 15 minutes, like my blog stat and podcast stat pages. Neither of these features is absolutely necessary, but it makes my browsing experience more enjoyable.

Now to upgrade the kids computer and the other household laptop. It’s a bit scary that we’ve got more computers than people in our household. But I guess that’s part of what happens when you’re a computer geek.