Nevada Network Security: Good Enough for Government Work

Declan McCullagh has a hilarious story today about the crack team that Nevada’s governor has providing his office with computer security:

If you ever wanted to be Nevada’s governor for a day, it doesn’t seem to be that hard.

In what could be a whopping security hole, Nevada has posted the password to the gubernatorial e-mail account on its official state Web site. It appears in a Microsoft Word file giving step-by-step instructions on how aides should send out the governor’s weekly e-mail updates, which has, as a second file shows, 13,105 subscribers.

The Outlook username is, by the way, “governor” and the password is “kennyc”. We should note at this point that the former Nevada governor, a Republican, is Kenny C. Guinn, which hardly says much about password security.

That’s like President Bush’s Secret Service codename being “peanutguy77.” I hope the governor’s home computer has better security than this – he could be the target of identity theft. Oh, wait – I suppose to worry about that you would have to be someone with an identity someone else would actually want. Which does not appear to be the case here:

The current governor of Nevada, Jim A. Gibbons, also a Republican, happens to be widely disliked. His approval rating of 28 percent accomplishes the rare feat of being below President Bush’s. It doesn’t help, we assume, that Gibbons is facing an FBI probe over possible illegal gifts.

I do congratulate the CNET team for their admirable restraint while investigating this story:

For the record, we didn’t try sending fake gubernatorial mail with the “kennyc” password (or “jimmya” either), so we don’t know whether it actually works or whether it’s been changed for the new administration. Although the listserv’s administration interface is publicly-accessible, there might be a firewall that limits connections to the Outlook server, for all we know. Because other accidentally-public documents on the site continue to list the “kennyc” password, though, we wouldn’t be surprised if the password remained the same.

We did, however, briefly consider that a message titled “Governor_eAlert_07.19.07: Why I am resigning in disgrace” or “Governor_eAlert_07.20.07: Why I am switching to the Libertarian Party,” would be more interesting than the run-of-the-mill actual titles like Economic Development Funding Paying Immediate and Long-term Benefits.

It must have been very tempting. For some background on the market’s role in providing privacy and security, particularly in the electronic world, check us out here.