IT Career Advice: Passwords Make Bad Hostages

By Donald Sears  |  Posted 2008-07-23

Who benefits when one of your staff holds the keys to your systems and doesn't want to let them go? Apparently, your company's vendors.

Terry Childs, a technology worker for the city of San Francisco, had been sitting in jail for the past week for changing passwords and was withholding them from his employers. Childs had been unwilling to give up passwords to what appears to be network systems--in this case, Cisco products. Cisco seemed to be getting some decent coin out of this debacle trying to decode the passwords-as-hostages, and rightly so (though some pro bono work here might have been a friendly press moment for the infrastructure giant, but revenue times are tough, man).

As reported from Phillip Matier and Andrew Ross of the San Francisco Chronicle:

Childs - whom some have described as a friendly, hard worker at the city Technology Department, and others have labeled an over-the-top control freak - has been sitting in jail since July 13 on $5 million bail, after being arrested for reconfiguring key passwords in the city's computer system.

A team of code crackers brought in from Cisco Systems had been working around the clock to try to decipher Childs' codes, but with only marginal success.

"It wasn't cheap and I just couldn't see us keep spending that kind of money," [San Francisco Mayor Gavin] Newsom said.

Funny thing here is that the mayor of San Francisco comes out the hero (and saves the city money from Cisco). Childs went directly to the mayor to negotiate. Childs' lawyer, as reported by the San Francisco Chronicle, called the mayor's office out of the blue to negotiate for the passwords. The mayor obliged, and in effect, saved San Francisco. Newsom! Newsom! Newsom!

I kind of wish Childs had called Barry Bonds, just to get him some hero press.

This entertaining but embarrassing piece of news illustrates the challenge of centralizing trust in one employee, and the consequences of a situation when that one employee doesn't want to cooperate, feels slighted or just wants to be heard. Fact is, we don't know yet what this guy's gripe was at work. Doesn't really matter. His name is all over the press. The $5 million price tag on bail should tell you something. Then again, we are talking about holding a city's system hostage. Bad idea.

What's with city IT workers and Cisco these days, anyway? This is no way to stay employed in IT or get a new gig somewhere else.

But as an organization (hey, IT managers, I am speaking to you), don't entrust one person to be the holder of critical-system passwords and not have a contingency process and technology in place to handle. This just means your employer's name is going to be all over the press, and maybe your name too. This isn't to say that rogue employees who prove to be difficult will not pop up. In many small or midlevel organizations, it's not financially feasible to employ a second network or system administrator. It's too expensive. But having backup and shared root password responsibilities is essential, and there is some password management technology out there that could help.

As Larry Seltzer rightly points out, what if you fell through a manhole?

I wonder how many security vendors are lining up to meet the city's IT department in the coming weeks.

Rocket Fuel