August 18, 2010 at 3:14 pm
SanDroid (8/18/2010)
jcrawf02 (8/18/2010)
1 - from what I remember reading, Childs not only didn't give up the passwords, he installed new access points in secretive locations, in order to continue his control of the network when not in the building.

What is your source for this information? There are a LOT of falsified reports about this incident. One of them stated that he refused to give up passwords for months instead of four days. Another one stated that he offered to sell back the passwords for an undisclosed sum. Another says that he posted all the passwords of the DA office's users publicly, when this was done by the manager that caused the real problems.
This case is a perfect example of what happens when IT practices, politics, and dishonesty collide to cover up the truth.
http://articles.sfgate.com/2008-07-24/bay-area/17171141_1_computer-network-computer-system-bosses
from the middle-ish of the article:
Childs had [...] kept his own e-mail server and had been using the modems locked in storage cabinets to create a private network, [...] had fashioned his makeshift system to run off temporary, short-term memory, a power outage - such as turning off the computer for maintenance - would mean full system failure, [...] could use them to get onto the system only at a computer in a room at the Hall of Justice that even police technology experts were unaware of [...] still worried about the modems hidden away in locked filing cabinets in public buildings around the city. Maupin told prosecutors that city officials estimate there are 1,100 such modems. Childs could still gain access to the network through any of them and create more mischief, prosecutors say.
August 18, 2010 at 3:29 pm
http://articles.sfgate.com/2008-07-24/bay-area/17171141_1_computer-network-computer-system-bosses
from the middle-ish of the article:
This article was written in 2008, and its suppositions about these special secret modems and their access to the SF FiberWAN did not come out in the actual trial. Read carefully, it could be a description of any cheaply built FiberWAN that can be administered remotely. It's all in the direction of the spin. Does my desktop in my cube, which is used to compile hotfixes for our main application while I'm at home over the VPN, equate to a "secret system used to hijack the corporation's Customs documentation application"? It could be if the right person wanted it to be.
August 19, 2010 at 5:42 am
As the full details of the story still seem unknown, the discussion on his behaviour seems to focus around 1) password sharing policies and 2) the extent to which an employee should stand up for his place of employment when faced with internal pressure.
On point 1, passwords shouldn't be disclosed to those who have not been signed off by a Risk or Compliance department to have them. It's reported in the thread that the city had no hard and fast rules regarding password sharing. I would have contested that industry best practice should be used if not overridden by internal policies, so in this he would have been complying with best practices. I'm also concerned that this lack of an Information Security Policy was not picked up in audits of the city, and I would be interested to know if Childs had previously attempted to raise the lack of policy as an issue. Like with Health and Safety, if you know of a problem and don't try to take steps to notify your employer of the problem so that they can fix it, you should be liable.
On point 2, I think this is very similar to whistleblowing. You should uphold the law first and then the best interests of your employer. Whilst I'm not up on American Data Protection laws, Childs at least considered it in the best interests of his employer to refuse an order from his manager. Surely it should never have been taken to prosecution if this was the case. Both parties should have sought an outside opinion. What if an Information Security expert had been asked, or a lawyer consulted on the matter? Wouldn't Childs then have given up the password, or people not continued to ask for them?
August 19, 2010 at 5:57 am
He refused to give the passwords to his MANAGER.
A person's MANAGER is, by definition, the person who is the RESPONSIBLE PERSON for the tasks that you do.
In the absence of any specific policy to the contrary, that is the plain and simple rule you follow in any job in any country in any culture.
I think the guy was an idiot.
August 19, 2010 at 7:08 am
A manager is responsible for you, not the systems you have access to. They are not one and the same.
In the companies I've worked for, most of my managers have not had the same level of access I have had simply because there is no need for them to have it and access has been based on role-based policies which comply with the concept of "least required access". If they need access, they get access but these requests are always signed off by somebody. I've worked in big or financial services companies where full audit trails of requests for access are required, even of managers.
As I don't have an in-depth knowledge of the specifics of the case, I can't say whether Childs was behaving correctly or not and he may very well have stepped from the legitimate request for his a$$ being covered when he gave up sysadmin passwords to a militant refusal.
I'm just saying in general, that all requests for access should be signed off by a Risk/Compliance department, whether that person is in admin, a Head of IT, a CIO or a CEO.
August 19, 2010 at 8:20 am
If my manager asks for the password, IMHO, I am responsible for giving it to him. I might be about to be fired, and the manager has the authority to go give that to someone else. It's not a question of the manager knowing anything, but they are responsible.
If Mr. Childs felt giving the password was an issue, then I feel:
- He should give it up
- He should report it to compliance/legal/risk
- He can call the SF Chronicle and whistleblow.
I have no issue with him being principled, with him trying to protect systems. I have no problem with whistleblowing. But ultimately, it's not his decision about how to run the city networks IF the manager decides it's not. There are plenty of other ways to protect systems.
After all, the passwords can be changed again. Let a manager have them, and if it's appropriate, they can be reset to something else. If there's a security issue, let the manager take the responsibility.
August 19, 2010 at 12:52 pm
Steve Jones - Editor (8/19/2010)
If my manager asks for the password, IMHO, I am responsible for giving it to him. I might be about to be fired, and the manager has the authority to go give that to someone else. It's not a question of the manager knowing anything, but they are responsible.
If Mr. Childs felt giving the password was an issue, then I feel:
- He should give it up
- He should report it to compliance/legal/risk
- He can call the SF Chronicle and whistleblow.
I have no issue with him being principled, with him trying to protect systems. I have no problem with whistleblowing. But ultimately, it's not his decision about how to run the city networks IF the manager decides it's not. There are plenty of other ways to protect systems.
After all, the passwords can be changed again. Let a manager have them, and if it's appropriate, they can be reset to something else. If there's a security issue, let the manager take the responsibility.
Absolutely, if your manager asks for something you think they're not supposed to have, you have 2 ways of dealing with it. You can start with "Sure, just get me a letter from your boss/compliance/legal/whomever-has-authority and I'll turn that right over to you", and if he/she insists on right then without that confirmation, then you give it to them and immediately go to their boss/compliance/legal/whomever-has-authority and report their actions.
Beyond that it isn't your responsibility. If you feel it still isn't handled properly from that point, get your resume in order and start looking.
August 19, 2010 at 3:28 pm
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case/?fp=&fpid=&pf=1
It appears possible that he was doing this to hamper an audit of what he was doing on the system.
-SQLBill
August 19, 2010 at 5:27 pm
Steve Jones - Editor (8/19/2010)
If my manager asks for the password, IMHO, I am responsible for giving it to him. I might be about to be fired, and the manager has the authority to go give that to someone else. It's not a question of the manager knowing anything, but they are responsible.
If Mr. Childs felt giving the password was an issue, then I feel:
- He should give it up
- He should report it to compliance/legal/risk
- He can call the SF Chronicle and whistleblow.
I don't agree with the sentence given to Childs. I don't agree with the avenue that Childs or the manager took in this case.
Both sides could have matured some.
I think what Steve suggests is perfectly in line with what Childs should have done in this case.
Jason...AKA CirqueDeSQLeil
August 19, 2010 at 5:31 pm
Good article, and a great example to all DBAs of the big difference between being security conscious and being a bottleneck to the business. It's a delicate balancing act that must be learned with experience. Always remember that the databases you are in charge of are ultimately the property of the company you work for, not your personal property. So, protecting the databases from everyone else is really not your responsibility. Just remember to practice a lot of CYA too, just in case. It's easy as DBAs to sometimes confuse that. :-D
August 23, 2010 at 2:32 pm
There is no "one size fits all" answer to this question.
There are places I've worked where turning that password over to my manager would be an act of treason. If I hold a security clearance and I'm the DBA on a secured system, just because a person holds some administrative responsibility for me does NOT mean he's been properly cleared for that system, and if I turn over the password, with or without a written request, I'm still liable for violation of the Official Secrets Act. There are ways that this is taken care of in an orderly fashion. The project manager of the project is almost certainly cleared, and a copy of the passwords for non-personal accounts is kept with him.
In most places I've worked, personal account passwords are not to be divulged at any time to anyone, under penalty of dismissal. Of course personal accounts are backed up, and if properly authorized by legal, security or a similar office, the account can have the password changed so that it can be accessed, presumably for an audit.
In most private companies where I've worked, the policy is that your project manager can, and maybe even MUST, be informed of the passwords set on all public accounts. This is not necessarily the same person as your administrative manager who does salary reviews etc. And if you're a DBA responsible for several different systems, it's possible that you have to report the password(s), including any changes, to different people for each project, which may include one or more servers.
If it's a private company with no written policy, and no outside law, for example HIPAA, constrains your actions, then the rule of thumb would be to turn them over immediately when asked.
I would say don't follow the reasoning that "a court of law said X, therefore that must be so" until/unless the court actions have played out in full. There are way too many cases of a local court ruling something that is later overturned on appeal, for the simple fact that local standards vary on what experience a judge must have in order to be seated. A large jurisdiction like San Francisco probably requires something like a legal degree in order to sit on the bench and rule on case law, but in some rural counties I've lived in that's not the case.
The real rule of thumb here is that in every job I've ever taken as a DBA there's always been a clearly defined policy on security, and it's your responsibility to be aware of it and to follow it to the letter. If San Francisco doesn't have one, then clearly Mr. Childs is not the only one who needs to lose their job.