August 18, 2010 at 12:05 am
Sharing passwords with the project owner/executive sponsor (in case of an under-development project) and/or with the Executive team (for production systems) in a sealed envelope to be kept in a fire-safe is a standard practice that most units use. This has been proven to work and be of use at one point or the other, and I therefore believe that this should at least become part of the "Business Continuity Plan" that many organizations follow. Of course, you can have security around that as well (e.g. a 3-part system - one member of the exec has access to only one part of the password - and the CEO is the only member besides the administrator who has the full password. Banks follow this system sometimes - where they require multiple signatures from the board members to withdraw money in an organization's name.)
Thanks & Regards,
Nakul Vachhrajani.
http://nakulvachhrajani.com
Follow me on Twitter: @sqltwins
August 18, 2010 at 12:41 am
The four-year sentence is outrageous - he did give the passwords up, and in the meantime everything continued to function; no harm was done except to the dignity of the mayor and senior management.
August 18, 2010 at 5:58 am
I think you make an excellent point here in stating: "Don't start to assume the system you manage is really yours." That's a good piece of advice because in fact, in most all cases, the system is not "yours" and I believe in an axiom my father taught me and my brothers many years ago...
"In business, people have every right to be stupid and fail".
If the company you work for is not taking the proper precautions, or setting the right policies - then leave. Don't try to correct the world - especially the business world because business is usually a self-correcting proposition. (OK, let's ignore government bailouts...) If you run your business poorly, or indeed stupidly, you have every right to fail and hopefully learn a lesson - that's how most lessons are learned.
Terry Childs should not be admired or honored for what he is doing. It has gone too far and any trace of "prudence" has long since evaporated. He is now behaving like some cranky kid wanting to take his ball and go home - only the ball isn't his to take.
As much as we data management professionals should all learn from what Childs did, and has done, it would also be nice if our employers study his case and learn too - though I doubt that will happen.
August 18, 2010 at 6:07 am
I agree the 4 year sentence is rather harsh, especially since we're looking for a new network admin here :-P. Even though Terry here is obviously a bit nuts, I've found network admins to be a bit of a crazy bunch anyway.
August 18, 2010 at 6:35 am
The sentence is a bit extreme, but his password actions had nothing to do with security. He was making demands and holding the passwords hostage to try to force the issue. I don't think that counts as principled behavior.
If I remember correctly there was a contempt of court issue here because he was ordered to release them.
...
-- FORTRAN manual for Xerox Computers --
August 18, 2010 at 6:39 am
He stole a valuable organizational asset.
He caused the organization extensive expenses to correct the problem he caused.
He caused the taxpayers to pay for all of that.
The dumb $hit got what he asked for.
If it encourages other system admins and dbas to be more professional and more reasonable in their actions, then some good will come of it.
August 18, 2010 at 6:52 am
Yes, the 4 year sentence is harsh; I've seen armed robbery suspects get less time. But, Childs had no right to hold his company, the city, hostage to make them see things his way. If you and your employer cannot agree on how to do your job then you have to make a choice. Stay on the job under the company's conditions or go find another job.
August 18, 2010 at 7:00 am
Lots of feelings spilling out here, but the facts are this:
* This was a public network with people's personal and private records and data on it. It falls under a different set of rules from private or corporate networks.
* The person asking for the passwords to gain control of the network was not certified or authorized to receive them. This is also against the law.
IMHO: This guy went to jail for doing his job. His manager got to spend $900,000 to try to hack a network he was never authorized to access.
I would sleep better at night if more persons treated the public sector networks and storage devices that our personal data resides on like this.
August 18, 2010 at 11:02 am
1 - from what I remember reading, Childs not only didn't give up the passwords, he installed new access points in secretive locations, in order to continue his control of the network when not in the building. He was not 'just doing his job'.
2 - the four-year sentence includes time served in county, he's got another six months or something before he's out.
---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table: What it is and how it replaces a loop
"stewsterl 80804 (10/16/2009) I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
August 18, 2010 at 12:24 pm
jcrawf02 (8/18/2010)
1 - from what I remember reading, Childs not only didn't give up the passwords, he installed new access points in secretive locations, in order to continue his control of the network when not in the building.
What is your source for this information? There are a LOT of falsified reports about this incident. One of them stated that he refused to give up passwords for months instead of four days. Another one stated that he offered to sell back the passwords for an undisclosed sum. Another says that he posted all the passwords of the DA office's users publicly, when this was done by the manager that caused the real problems.
This case is a perfect example of what happens when IT practices, politics, and dishonesty collide to cover up the truth.
August 18, 2010 at 1:27 pm
I don't think we completely know what happened. That would be limited to a few people, but I think most reports agree he did not disclose passwords when asked, and not that day.
I think there were mistakes on both sides, but ultimately I feel that Mr. Childs did not own the systems, nor did his duty to protect security extend to the limits he took it to.
August 18, 2010 at 1:29 pm
SanDroid (8/18/2010)
Lots of feelings spilling out here, but the facts are this:
* The person asking for the passwords to gain control of the network was not certified or authorized to receive them. This is also against the law.
IMHO: This guy went to jail for doing his job. His manager got to spend $900,000 to try to hack a network he was never authorized to access.
The main basis for the man's defense was this very point.
He was convicted in a court of law after making that defense.
There are miscarriages of justice, I'll grant you, but the burden of proof is now on the convicted party to prove that.
Until then, I would say his defense was not found to be correct in a court of law.
I'm not aware of any public bias against network admins that would cause them to say, "Jail that admin!" on general principles.
August 18, 2010 at 2:16 pm
Steve Jones - Editor (8/18/2010)
I don't think we completely know what happened. That would be limited to a few people
I agree. How about this quote from a member of the Jury that tried the case that is a CCIE:
Chilton: It was really hard for us to get through that part. We said, "OK, what policies may there have been that defined an authorized user?" Well, the city didn't have any procedures. There was no policy that was formally adopted that people were supposed to follow. It was this amorphous thing.
My point is this. Terry did not act like he owned the network. He acted like he was protecting the public trust. Unfortunately for him, the public decided that his actions were not justified.