SF Password Hijack Highlights Importance of Process in City, State IT
Claiming he was protecting San Francisco city government's computer system from incompetent coworkers, computer engineer Terry Childs changed the system's passwords and then for more than a week refused to give them to anyone, even after being arrested.
Childs faced four felony counts for blocking administrative access to the computers that handle 60 percent of the city's data systems, including law enforcement, payroll, and jail records. He was arrested July 13 and refused to give the passwords to anyone until July 21, with his attorney claiming his coworkers had, with both malice and incompetence, damaged the computer system and put it in jeopardy. At that point, he agreed to give the passwords only to Mayor Gavin Newsom.
According to a statement from his attorney Erin Crane, "He was the only person in that department capable of running that system. There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to."
Bad grammar aside, what's wrong with this picture?
First, there were no processes or chain of command in place to take care of this problem. Second, a single person held the password to a computer system, which is a problem in industry and government alike. Regardless of whether an organization needs to answer to constituents or stockholders, it's foolish to put that level of control in the hands of one person. Criminal activity aside, what if Childs had been hit by a bus? At least Newsom was able to go to the jail and retrieve the passwords from him.
Yet it's not unusual for computer people in government jobs to have a great deal of power with little oversight -- and sometimes disastrous consequences. Former Arkansas governor and Republican presidential candidate Mike Huckabee reportedly ordered the destruction of a number of hard disks when he left office, though he was exonerated of any crime. Canyon County, Idaho, IT department employee Marcus Young was kept on the payroll for more than a year while investigators tried to determine whether he had child pornography on county systems -- their care no doubt related to the fact that he was the son of the county prosecutor at the time. And Ron Harris, a computer programmer for the Nevada Gaming Control Board, reportedly stole thousands of dollars from casinos by programming "back doors" into gaming machines.
It's a challenge because a password that's too freely available is as bad as no password at all -- especially if, as Childs' attorney contends, his coworkers were incompetent. (Though if that's the case, perhaps he should have worked on that problem? Typically governments have "whistleblower" laws in place that protect employees who disclose such issues.) At the same time, as in the rest of government, it's important to have checks and balances.




