Just wanted to link to some (months old) updates on the Terry Childs case, the SF Net Admin who locked the city out of the network. ComputerWorld has two updates, one from July and another in August where 3 of the 4 charges against Childs were dropped.
Why am I bothering? Because this is a big deal, even if many people fall quite easily into the black or white sides on this topic and even if the conclusion of this case will slide into history quietly with no fanfare.
Have you ever been in charge of a privileged account? Or built a system or network that your job is to secure and protect? And then ever have someone ask you for that password, or to bastardize that account setup, or allow someone inferior to access, modify, or change the requirements of your setup in a way that decreases the stability and/or security? It’s not a fun to position to be in, especially in the constantly-on worlds of stability and security. I’ve never been and likely never will be in a position as huge as Terry, but on much smaller scales I have felt the pangs of frustration when other business units diminish my work because they make their own decisions, and so on.
Just today I was asked to give over an account password to a SQL DBA. This account is intended to be used in only one place and considered sensitive to the point that only admins on my level have access to it, and even then we forget the password after setting it. But now I’m put into a position where another set of eyes gets to see the password and store it to his leisure (and have it transmitted to him probably via internal email). And to have that account and password stored in a second system beyond the intended use. My initial reaction is that of concern, and it is frustrating to build up security only to have it dropped back down for whatever reasons.
Yes, an admin probably should defer to the actual owners of the system (business or political), or look out for the better good of the whole (usually a business and the customers). But sociologically it is a deep topic, and in terms of security a very weighty one. Do you set a precedent that access is shared out? That you never divulge the secrets? That you divulge the secrets when compelled? That you deny there are certain admins and rock stars in a business that truly do have godlike abilities and the value would be diminished if you limit that? And so on…
It really winds up being a series of problems with no real solution once you look at the various extremes. This is one aspect of why I think “risk management” is the rising star these days. Which extreme is the least risky and least costly/likely?
This is going to end up being bigger than people think. This will set a president. There was no policy in place ( San Francisco error ) . They have placed him in jail with a bond higher than a murderer, stripped him of all rights including speedy trial. Then dropped 3 of four charges, did not reduce bond. They want him to pleed out guilty to the last one so there can be no civil suit. Otherwise, they say they can keep him forever.
IT and Network people beware. If they can do this to him, you could be next.
I agree, this is a horrible case of mis-management, mis-representation, and a gigantic violation of Terry’s rights. Laughably enough SF is short on funding now and as soon as they cut Terry free, they’ll be even shorter. Now to the speedy trial “violation”, it’s not a violation. Terry is appealing charges and that has added to his current stay in jail. Is it slower than it needs to be? Absolutely. Is there a reason? Yes, that reason would be that everyone that’s involved in the case that isn’t Terry Childs doesn’t understand the technology, the terms, and probably even the charges. So everything needs to be examined, re-examined, examined again by someone else, translated into “normal” english, and examined once again.
Terry should be free, if even only on bail/bond. If I was fired from a job, then they called me to ask for information I’d probably be less than forthcoming as well.