Thursday, July 24, 2008

On Doomsaying (Terry Childs case)

Maybe I should call it "on stupidity" and add it to my "Nobody Is That Dumb... Oh Wait" series?
Really, when I first heard about it, I thought, "ah, come on, I am sure the journalists are just misreporting it; nobody is that dumb in their approach to system security."
Well, they really were that dumb.
Honestly, on the "blatant disregard of common sense" scale, this one ranks very, very high (many in security agree; some in IT disagree). This is where the words "a huge data security risk" really sound like a mild understatement.
But you know what is the most scary about this case? The fact that there are MANY organizations who manage their networks the same way: one admin with ALL the access and NONE of the monitoring.
One person + ALL access + NO accountability = you are screwed!
Also, in light of this, do you still think that "insider attacks" are some kind of security vendor propaganda? Well, go tell Terry Childs that :-) Even though some people still think that he is a good guy (more on that on Slashdot).
What also caught my attention is that some retard called his bail ($5m) "ridiculously high." Well, if he were an outside hacker, say a Romanian script kiddie, jailed for hacking the SF network, would they release him for $5m? Maybe not! Now, do you get that this case is actually MUCH WORSE? A hacker might have gained access to many assets; this guy did have access.
So, think, think, think: CAN YOUR SYSADMINS "0WN" YOUR BUSINESS? (BTW, some people think that IT "owns" you already!)
Are you OK with it?
If not, do something: start logging and monitoring (and then controlling) their actions! If you think you cannot control them, then at least monitor; if you think you can neither control nor monitor, then at least log them, so they will know that there will be enough good evidence to let them rot in jail for many years... Or, if you prefer an easier alternative, stop calling your business YOUR business.
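To make "log, monitor, control" concrete, here is a small audit script added to this post as an example (it is not code from the original post or from any real environment). It assumes a hypothetical inventory of systems with their privileged accounts and syslog destinations, plus a few constructed sudo log lines in the standard Linux format; the host and account names are made up. It answers the three questions above in order: who can "0wn" everything, which systems have a single admin and no escrowed break-glass credential, which systems send no logs anywhere the admin cannot edit, and which privileged commands a second person should be reviewing.

```python
"""Privileged-access audit: log, monitor, control.

Added example. The inventory and log lines below are constructed for
illustration (hypothetical hosts and accounts); they are not taken from
any real environment or from the case discussed in the post.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class System:
    name: str
    admins: set[str]                    # accounts with root/enable-level access
    remote_log_target: Optional[str]    # collector the admins cannot edit, or None
    break_glass_escrowed: bool = False  # sealed credential held outside the IT team


# Constructed inventory (hypothetical names).
INVENTORY = [
    System("core-rtr-1", {"alice"}, None),
    System("core-rtr-2", {"alice"}, "siem.example.org"),
    System("dist-sw-7", {"alice", "bob"}, "siem.example.org"),
    System("dns-1", {"alice", "bob"}, "siem.example.org", break_glass_escrowed=True),
]


def admins_with_all_access(inventory: list[System]) -> list[str]:
    """Accounts that can administer every system in the inventory."""
    return sorted(set.intersection(*(s.admins for s in inventory)))


def single_points_of_control(inventory: list[System]) -> list[str]:
    """Systems exactly one person can administer, with no escrowed break-glass
    credential to recover them if that person walks away (or is arrested)."""
    return [s.name for s in inventory
            if len(s.admins) == 1 and not s.break_glass_escrowed]


def unmonitored_systems(inventory: list[System]) -> list[str]:
    """Systems whose privileged activity never leaves the box the admin controls."""
    return [s.name for s in inventory if s.remote_log_target is None]


# Constructed sudo log lines in the standard Linux syslog format (hypothetical).
SAMPLE_LOG = """\
Jul 24 09:58:01 core-rtr-1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/messages
Jul 24 10:02:11 core-rtr-2 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob
Jul 24 10:03:40 core-rtr-2 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Jul 24 10:05:02 dist-sw-7 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl stop rsyslog
Jul 24 10:07:19 dns-1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/rndc reload
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that change who holds control, or blind the monitoring itself.
RISKY = [
    (re.compile(r"/passwd\s+\S+"), "changes another account's credential"),
    (re.compile(r"/visudo\b|/etc/sudoers"), "alters who holds privilege"),
    (re.compile(r"\b(systemctl|service)\s+(stop|disable)\s+(rsyslog|syslog-ng|auditd)\b"),
     "disables local logging"),
    (re.compile(r"/(userdel|usermod\s+.*-L)\b"), "locks out or removes an account"),
]


def parse_sudo(text: str) -> list[dict]:
    """Parse each sudo line into its fields; lines that do not match are ignored."""
    return [m.groupdict() for m in map(SUDO_RE.match, text.splitlines()) if m]


def actions_per_admin(text: str) -> dict[str, int]:
    """Logging: every privileged command attributed to a named person."""
    return dict(Counter(e["user"] for e in parse_sudo(text)))


def review_privileged_actions(text: str) -> list[tuple[str, str, str, str]]:
    """Monitoring: the privileged commands a second person should review."""
    flagged = []
    for e in parse_sudo(text):
        for pattern, reason in RISKY:
            if pattern.search(e["cmd"]):
                flagged.append((e["host"], e["user"], e["cmd"], reason))
                break
    return flagged


if __name__ == "__main__":
    print("admins with access to everything:", admins_with_all_access(INVENTORY))
    print("single points of control:", single_points_of_control(INVENTORY))
    print("systems with no remote logging:", unmonitored_systems(INVENTORY))
    print("privileged commands per admin:", actions_per_admin(SAMPLE_LOG))
    for host, user, cmd, reason in review_privileged_actions(SAMPLE_LOG):
        print(f"REVIEW {host}: {user} ran '{cmd}' ({reason})")
```

The point of the inventory checks is that the log review only helps where logs actually leave the admin's reach: a system with no remote collector shows up as "unmonitored" even though its sudo lines look fine, and the "stop rsyslog" hit shows why the collector must be outside the admin's control. "Control" (the step the post puts last) is the part this script cannot do; it only tells you where a second admin, an escrowed credential, or a change-approval step is missing.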

UPDATE: A bit more on this from me is here; I am working on an additional piece clarifying what I said as well. Stand by! Also, thanks for arguing with me here; I will argue back tomorrow!

UPDATE: Terry Childs found guilty.

Anonymous said...

Anton, get a grip. Your chicken little story is amusing but as we all know companies run without sane risk management all the time and are rarely held accountable in America. What makes you think anyone is "screwed"?

Ask yourself how many US soldiers have been electrocuted by Halliburton's subsidiary:

"While I had always been prepared to hear that one of my sons died by way of a firefight or a roadside bomb, I was dumbstruck to hear that my son was electrocuted while taking a shower in his living quarters," said Cheryl Harris, mother of army Staff Sergeant Ryan Maseth, who died in January.

Maseth's "burnt and smoldering" body was found under still-running, electrically charged water by a fellow soldier who kicked down the door of the bathroom at an army base in Baghdad, Harris told a hearing of the Senate Democratic policy committee.

KBR, a former subsidiary of the Halliburton energy firm which was once led by Vice President Dick Cheney, was contracted to maintain facilities at the base and had been informed of electrical problems in the building where Maseth died.

But, said Harris, KBR showed "extreme recklessness and a total disregard for public safety" by failing to fix the problem as well as others that have caused at least 13 electrocution deaths among soldiers and civilian contract workers in Iraq."

Now ask yourself who is "screwed" by one person at a small company having all access and no accountability on a network. That's how I run my home network. Big deal.

Get some perspective.

Anonymous said...

Chuvakin, you're a tool. Given the recent idiocy of the release of the VPN names and codes, it obviously shows that any sort of detestation that Childs had for his superiors at the city was justified.

This is not a private organization. His superiors don't own the company and are NOT entitled to the data. We are, the taxpayers. And as a California taxpayer I fully support someone with the paranoia and technical skill of Terry Childs over a group of bureaucrats who release secure information to the public.

The guy was doing his job and doing it incredibly well, and keeping it out of the hands of those who, given their most recent choices, would bring potential disaster to the city.

Anonymous said...

You have 10% of the issue about 90% correct. IT side first: dealing with IT guys. Some IT guys are professionals; look at the other professionals a small business deals with.
CPA - The accountant could run off with the cash, set you up for trouble with the IRS, etc.

Sales manager - This guy is also very dangerous. What happens if he goes to another company and most of the customers follow?

Engineer - People can die if he is sloppy.

Doctors, lawyers, and other professionals all carry a huge downside if they are out to get you. With all of these, a degree of trust is needed. This is no different than a computer guy. Either you trust him or you do not. Logging, monitoring, etc. as suggested does not help one penny's worth. If you thought a surgeon was a ham-fisted fool, would having 4 sets of cameras in the operating room make it so you would let him remove your gall bladder?

Yes, there are some reasonable rules for dealing with the IT guy; first and foremost is to view him as a professional. Second, do not use any IT-based control method to control him. Instead use normal business ways to work with him, similar to how you would work with a gifted sales manager.


Anton Chuvakin said...

>Sales manager - This guy is also
>very dangerous.

Very true! Monitoring is NOT only about IT; it is about all who can "do damage".

>Second, do not use any IT based
>control method to control him

Why not? Please elaborate on that... I am really curious. Does it mean we cannot use law to control lawyers? Or is the point that "IT controls don't work"?

Please add!

Dr Anton Chuvakin