SF Password Hijack Highlights Importance of Process in City, State IT

slfisher

Claiming he was protecting San Francisco city government's computer system from incompetent coworkers, computer engineer Terry Childs changed the system's passwords and then for more than a week refused to give them to anyone, even after being arrested.

Childs faced four felony counts for blocking administrative access to the computers that handle 60 percent of the city's data systems, including law enforcement, payroll, and jail records. He was arrested July 13 and refused to give the passwords to anyone until July 21, with his attorney claiming his coworkers had, with both malice and incompetence, damaged the computer system and put it in jeopardy. At that point, he agreed to give the passwords only to Mayor Gavin Newsom.

According to a statement from his attorney Erin Crane, "He was the only person in that department capable of running that system. There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to."

Bad grammar aside, what's wrong with this picture?

First, there's the lack of processes and a chain of command to take care of this problem. Second is the aspect of a single person alone holding the password to any computer system, in industry or government. Regardless of whether an organization needs to answer to constituents or stockholders, it's foolish to put that level of control in the hands of one person. Criminal activity aside, what if Childs had been hit by a bus? At least Newsom was able to go to the jail and retrieve the passwords from him.

Yet it's not unusual for computer people in government jobs to have a great deal of power with little oversight -- and sometimes disastrous consequences. Former Arkansas governor and Republican presidential candidate Mike Huckabee reportedly ordered the destruction of a number of hard disks when he left office, though he was exonerated of any crime. Canyon County, Idaho, IT department employee Marcus Young was kept on the payroll for more than a year while investigators tried to determine whether he had child pornography on county systems -- their care no doubt related to the fact that he was the son of the county prosecutor at the time. And Ron Harris, a computer programmer for the Nevada Gaming Control Board, reportedly stole thousands of dollars from casinos by programming "back doors" into gaming machines.

It's a challenge because a password that's too freely available is as bad as no password at all -- especially if, as Childs' attorney contends, his coworkers were incompetent. (Though if that's the case, perhaps he should have worked on that problem? Typically governments have "whistleblower" laws in place that protect employees who disclose such issues.) At the same time, as in the rest of government, it's important to have checks and balances.

slfisher 0 Posting Whiz

Clarification: Childs was holding passwords to the network routers.
