topic Re: Florida "state" password in Industry News

Florida "state" password

rslade — Mon, 09 Oct 2023 09:43:43 GMT

OK, simply by mentioning that this would come out of Florida I'm already at risk of being banned for making a political post, so I won't go too deeply into the background of this story (which is messy in the extreme). Suffice it to say that a state employee has been arrested because she sent a message on a system which implied that she had to be misusing an account and password.

However, it turns out that there is, in fact, only one login and password, it is used by 1700 users ... and it's also posted online for anyone to find and use ...

Re: Florida "state" password

dcontesti — Sun, 13 Dec 2020 08:34:04 GMT

Don't think it's a political post. It simply highlights some very BAD security practices that all of us have had to content with and have sometimes lost the battle (which may be the case here).

This really deserves an award. Let's call it the "Oh Come On Now" award.

keep smiling

Re: Florida "state" password

JKWiniger — Sun, 13 Dec 2020 16:35:38 GMT

This is just a mess on so many different levels. On the state side, I would say it's just lazy to share one password and for it to be public, no words. As for the woman, just because I forget to lock my front door does not give you the right to enter my house. I think the message that she sent was just adding to problems that were being had at the time and did not help matters any. Besides from the legal issues here I think it's also an ethical issue.

John-

Re: Florida "state" password

Startzc — Fri, 18 Dec 2020 19:19:37 GMT

Sounds to me like a case even the least experienced public defender could win against the state. They obviously wont be able to prove they did anything to protect the system in question and have no mechanism for nonrepudiation if everyone used the same account.

Makes me wonder what information was used to justify the search warrant in the first place. Or maybe they just made sure to bring the request to a completely IT illiterate judge. I will definitely be watching to see how this one plays out. Whether she did it or not, the outcome could have far reaching implications for state and local IT professionals and employees in general.

Re: Florida "state" password

JKWiniger — Fri, 18 Dec 2020 20:26:09 GMT

@Startzc So if you leave your door wide open and I go in and take something you are saying this would be your fault for not securing your door and not mine for going where I clearly knew I should not be going?

Lack of security does not give anyone permission!

John-

Re: Florida "state" password

Startzc — Fri, 18 Dec 2020 20:35:23 GMT

I see you're one of "those" people. I'm not going to dignify you're idiotic and incorrect comparison with a response that you a.) will never understand, and b.) won't listen to anyway.

Re: Florida "state" password

JKWiniger — Fri, 18 Dec 2020 20:55:03 GMT

@Startzc Please do! If you have a valid reason why it is a bad comparison I am all ears, hearing other people's ideas are how we learn. If you simply have nothing to say then please don't make comments you will not explain. And if I will not understand your response consider giving it some thought and finding a way to state it so anyone can understand it. Communication skills are very important.

John-

Re: Florida "state" password

tmekelburg1 — Fri, 18 Dec 2020 21:02:50 GMT

@Startzc wrote:

Makes me wonder what information was used to justify the search warrant in the first place.

They traced the IPV6 address to her house. Whether good intentioned or not, she accessed the State Emergency-Responder system and sent an unauthorized message. And don't come on here calling people idiots just because you disagree with their opinion. Eloquently state your objection and move on.

Re: Florida "state" password

AndreaMoore — Fri, 18 Dec 2020 21:10:27 GMT

And don't come on here calling people idiots just because you disagree with their opinion. Eloquently state your objection and move on.

Per posted Community usage guidelines please keep conversation respectful - see rule #4. https://community.isc2.org/t5/Welcome/ISC-Community-Usage-Policy-Guidelines-Updated-October-2020/m-p/38340

Re: Florida "state" password

Startzc — Sat, 19 Dec 2020 00:20:33 GMT

First, I didn't call anyone anything. Second, why should I be required to eloquently reply to a comment that made a lot of assumptions and was completely unsubstantiated by any opinions or facts?

Re: Florida "state" password

denbesten — Sat, 19 Dec 2020 07:08:19 GMT

@Startzc wrote:
... why should I be required to eloquently reply...?

It is not required to be eloquent. What is required is to be respectful. To participate on this community, one is required to follow the rules set forth by is owners and to which @AndreaMoore (thier official representative) earlier provided a link.

As for the topic at hand, no need to wonder about the justification. The article Rob provided contains a link to the affidavit for the search warrant which enumerates the probable cause resulting in the warrant's issuance. It also makes clear the Affiant's intent to search her computing devices to develop the requisite evidence (or in your vernacular, "non-repudiation").

AFAIK, no charges have been issued, so I am not yet able to speculate how easily either party may prevail.

Re: Florida "state" password

rslade — Sat, 19 Dec 2020 17:56:18 GMT

I'm *SO* glad that my initial post has engendered such thoughtful discourse and
high quality debate.

(I *told* you the story was a mess. Somehow it seems to create additional messes
...)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: Florida "state" password

ericgeater — Mon, 21 Dec 2020 18:29:25 GMT

I'm just glad the argument flared and died.

So what're the three legs of this broken-leg stool? The system must be

Secure
Easily Accessible
Always available

Insert the obligatory "you can only pick two", and the password is solarwinds123