rslade
Influencer II

Florida "state" password

OK, simply by mentioning that this would come out of Florida I'm already at risk of being banned for making a political post, so I won't go too deeply into the background of this story (which is messy in the extreme).  Suffice it to say that a state employee has been arrested because she sent a message on a system which implied that she had to be misusing an account and password.

 

However, it turns out that there is, in fact, only one login and password, it is used by 1700 users ... and it's also posted online for anyone to find and use ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
12 Replies
dcontesti
Community Champion

Don't think it's a political post. It simply highlights some very BAD security practices that all of us have had to contend with and have sometimes lost the battle (which may be the case here).

 

This really deserves an award.  Let's call it the "Oh Come On Now" award.

 

keep smiling

 

d

 

JKWiniger
Community Champion

This is just a mess on so many different levels. On the state side, I would say it's just lazy to share one password and for it to be public, no words. As for the woman, just because I forget to lock my front door does not give you the right to enter my house. I think the message that she sent was just adding to problems that were being had at the time and did not help matters any. Besides the legal issues here, I think it's also an ethical issue.

 

John-

Startzc
Newcomer III

Sounds to me like a case even the least experienced public defender could win against the state. They obviously won't be able to prove they did anything to protect the system in question and have no mechanism for nonrepudiation if everyone used the same account.

 

Makes me wonder what information was used to justify the search warrant in the first place. Or maybe they just made sure to bring the request to a completely IT illiterate judge. I will definitely be watching to see how this one plays out. Whether she did it or not, the outcome could have far reaching implications for state and local IT professionals and employees in general.

JKWiniger
Community Champion

@Startzc So if you leave your door wide open and I go in and take something you are saying this would be your fault for not securing your door and not mine for going where I clearly knew I should not be going?

 

Lack of security does not give anyone permission!

 

John-

Startzc
Newcomer III

I see you're one of "those" people. I'm not going to dignify your idiotic and incorrect comparison with a response that you a.) will never understand, and b.) won't listen to anyway.
JKWiniger
Community Champion

@Startzc Please do! If you have a valid reason why it is a bad comparison I am all ears; hearing other people's ideas is how we learn. If you simply have nothing to say then please don't make comments you will not explain. And if I will not understand your response, consider giving it some thought and finding a way to state it so anyone can understand it. Communication skills are very important.

 

John-

tmekelburg1
Community Champion


@Startzc wrote:

 

Makes me wonder what information was used to justify the search warrant in the first place.

They traced the IPv6 address to her house. Whether well-intentioned or not, she accessed the State Emergency-Responder system and sent an unauthorized message. And don't come on here calling people idiots just because you disagree with their opinion. Eloquently state your objection and move on.

AndreaMoore
Community Manager

@tmekelburg1 wrote: And don't come on here calling people idiots just because you disagree with their opinion. Eloquently state your objection and move on.


Per posted Community usage guidelines please keep conversation respectful - see rule #4. https://community.isc2.org/t5/Welcome/ISC-Community-Usage-Policy-Guidelines-Updated-October-2020/m-p...

ISC2 Community Manager
Startzc
Newcomer III

First, I didn't call anyone anything. Second, why should I be required to eloquently reply to a comment that made a lot of assumptions and was completely unsubstantiated by any opinions or facts?