San Francisco Prosecutor Exposes City Passwords

The Terry Childs case has already seen the drama of a city allegedly locked out of its own computer network and a secret jailhouse meeting between the defendant and San Francisco's flashy mayor. Now it seems that prosecutor Conrad Del Rosario has made public more than 100 secret VPN usernames and passwords that may currently be used by various officials and departments.

Childs, a San Francisco Department of Technology (DOT) senior network engineer who was the sole system administrator for the City's FiberWAN network, was arrested July 12 and charged with four felony counts of computer network tampering and a fifth charge of criminal damages caused. He has plead not guilty to the charges.

Childs, accused of locking out co-workers and superiors from the portion of the city network he administered, divulged passwords and information for accessing the FiberWAN network's core devices in a secretly arranged jailhouse meeting with San Francisco Mayor Gavin Newsom late Monday. Still, a motion filed by his attorney to have Childs released from jail or to have his $5 million bail reduced was denied Wednesday in San Francisco Superior Court.

In an opposition filing to that motion, Del Rosario included as "Exhibit A" a list of VPN subnet addresses and 137 associated group usernames and passwords that were found on Childs' computers, according to the prosecution.

That list is described in Del Rosario's motion as coming from "files forensically obtained from the Defendant's computers, he had pages of usernames and passwords."

Del Rosario characterizes Childs' possession of the list as an "imminent threat" in the context of arguing against his release from jail:

"This poses an imminent threat because even if the network was under control of the city, the Defendant could impersonate any of the legitimate users in the City by using their password to gain access into the system."

The prosecution's court filings are a matter of public record. Copies have been obtained by several media outlets, including ChannelWeb.

The Exhibit A list includes usernames that seem to be associated with San Francisco's mayor's office and district attorney's office, police and sheriff's departments, and a host of city agencies, departments and commissions.

Two group usernames and passwords contain the term "pubdef." Following his arrest, Childs was originally appointed public defender Mark Jacobs, a city employee. Jacobs recused himself early on, however, citing a conflict of interest revolving around the proximity of Childs' alleged tampering activities to networked systems containing Jacobs' own sensitive data.

It wasn't clear late Friday whether the subnet addresses and username/password combinations were active. Calls to the district attorney's office and the DOT hadn't been returned at press time.

A former colleague of Childs' who has emerged to defend him at court appearances, ex-DOT chief operating officer Dana Hom, said if the prosecutor really did release sensitive VPN data, "it's another example of the bumbling that's going on at the city of San Francisco."

Hom said the passwords could be changed relatively easily but re-configuring the subnet addresses would be laborious and costly work.