The most striking fact about the San Francisco network lock out case has been the absence of details that would allow an informed outsider to say “Oh, that’s what’s going on.” We’ve been left mostly with vague accounts from spokespeople.
But one thing must be true of this incident: Administrative controls in San Francisco government IT were inadequate. You don’t need to imagine a rogue administrator; whether this is such a case or not, in order to know that better controls are necessary. What if Terry Childs had fallen through a manhole, been hit by a car, or ate some bad tomatoes. If critical information exists only in the brain of one person, that person is a disaster waiting to happen.
I had early exposure to this problem. A week or two before I got laid off from my first job (writing a 4GL product), my boss quizzed me about how well-documented my work was, and he actually asked, “What if you fell through a manhole?” Lucky for him, perhaps not so lucky for me, I had done an excellent job documenting.
IT in a large organization like, for example, a major city government, must be more organized than that. It’s clear from the incomplete reports I’ve read that Terry Childs, the jailed SF admin at the center of the story, was in charge of the city government FiberWAN. He designed and maintained all the FiberWAN routes. He was the only one who had the administrative credentials for it and, for a time, nobody cared. After all, the FiberWAN ran well and Childs was pretty much always available if there was a problem.
If, in fact, the situation existed for months or even longer where Childs was the sole effective administrator of the WAN, with no backup in personnel or documentation, then it’s his superiors’ fault for letting the situation develop so badly. I’ve read some talk about how maybe Childs had been listening in on privileged communications, and I suppose he would be in a position to do so. But the news we’re getting is almost exclusively from prosecutors and other city officials with no interest in giving Childs’ side of the story. You have to be somewhat suspicious of the news.
On the subject of passwords specifically, there are products available to manage access control in such a way that no one person gets this sort of exclusive control. CA Access Control is one example, although it seems focused on host systems. If the credentials in question are over Cisco equipment, as may be the case here, I’m not sure what access control options there are. But at the very worst, there should have been manual human procedures to follow to provide some level of redundancy and division of control.
Of course, if Childs has passwords and is refusing to divulge them, or wants to negotiate for their release, then he should divulge them immediately. It’s a bit perplexing to think that anything good could happen for him out of the sort of blackmail that is being described in the press. This means that either Childs is more than a little nuts or we’re not getting the whole story (or both). But since that story comes from those who are prosecuting him, why should we expect it to be complete?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack