What if You Fell Through a Manhole?

 
 
By Larry Seltzer  |  Posted 2008-07-20 Email Print this article Print
 
 
 
 
 
 
 

Having only one person with critical knowledge in an organization is an inherently dangerous situation. You don't need malice for it to blow up.

The most striking fact about the San Francisco network lock out case has been the absence of details that would allow an informed outsider to say "Oh, that's what's going on." We've been left mostly with vague accounts from spokespeople.

But one thing must be true of this incident: Administrative controls in San Francisco government IT were inadequate. You don't need to imagine a rogue administrator; whether this is such a case or not, in order to know that better controls are necessary. What if Terry Childs had fallen through a manhole, been hit by a car, or ate some bad tomatoes. If critical information exists only in the brain of one person, that person is a disaster waiting to happen.

I had early exposure to this problem. A week or two before I got laid off from my first job (writing a 4GL product), my boss quizzed me about how well-documented my work was, and he actually asked, "What if you fell through a manhole?" Lucky for him, perhaps not so lucky for me, I had done an excellent job documenting.

IT in a large organization like, for example, a major city government, must be more organized than that. It's clear from the incomplete reports I've read that Terry Childs, the jailed SF admin at the center of the story, was in charge of the city government FiberWAN. He designed and maintained all the FiberWAN routes. He was the only one who had the administrative credentials for it and, for a time, nobody cared. After all, the FiberWAN ran well and Childs was pretty much always available if there was a problem.

If, in fact, the situation existed for months or even longer where Childs was the sole effective administrator of the WAN, with no backup in personnel or documentation, then it's his superiors' fault for letting the situation develop so badly. I've read some talk about how maybe Childs had been listening in on privileged communications, and I suppose he would be in a position to do so. But the news we're getting is almost exclusively from prosecutors and other city officials with no interest in giving Childs' side of the story. You have to be somewhat suspicious of the news.

On the subject of passwords specifically, there are products available to manage access control in such a way that no one person gets this sort of exclusive control. CA Access Control is one example, although it seems focused on host systems. If the credentials in question are over Cisco equipment, as may be the case here, I'm not sure what access control options there are. But at the very worst, there should have been manual human procedures to follow to provide some level of redundancy and division of control.

Of course, if Childs has passwords and is refusing to divulge them, or wants to negotiate for their release, then he should divulge them immediately. It's a bit perplexing to think that anything good could happen for him out of the sort of blackmail that is being described in the press. This means that either Childs is more than a little nuts or we're not getting the whole story (or both). But since that story comes from those who are prosecuting him, why should we expect it to be complete?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack

 

 

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel