posted on Friday, July 25, 2008 9:52 AM
by
Lou Michels
Yet Again, In San Francisco
I have singled out the City of San Francisco on a couple of occasions for its wacky, California-style employment situations. But now the Bay City has given us a lesson that is truly instructive.
It's been a rough couple of weeks in San Francisco, principally due to the actions of one Terry Childs. Mr. Childs is a mid-level computer network administrator for the city. Shortly after some real or imagined slight at the hands of his employers, Mr. Childs effectively shut down SF's wide-area network, which contained records ranging from jail inmate bookings to emails from city officials to city payroll files to confidential law enforcement documents, and a host of other data generally considered essential to the running of a modern nanny state. Childs did this simply by setting up a mechanism that gave him exclusive access to the system and then passwording it, and refusing to give anyone else the password. If you remember Jurassic Park, think of him as the fat guy who was stealing the dinosaur eggs and shut down the entire facility network for the dinosaur park to cover his getaway. Fortunately, the results here were not quite so dramatic. At least, no lawyers were eaten.
And Childs wasn't doing it to cover up anything. In fact, he apparently was quite open about what he had done and was promptly arrested and tossed in the slammer. There was no record of his booking, of course, but I suspect that the City wasn’t going to lose track of him.
Childs, who is still in jail, gave up the password on July 21 only after SF Mayor Newsome made an in-person visit to meet with him. Hizzoner later reported that the still San Francisco city employee (I guess even this doesn’t get you summarily fired in CA) got "a bit maniacal" during his tenure. Whatever that means, I suspect the remark again reflects the reticence of all California employers to say anything bad about an employee for fear of litigation down the road. Likewise, the Chief Administrative Officer of the city said that SF was attempting to implement best practices to prevent exactly this problem from occurring, but that "it appears that he [Childs] was rebelling against them." It appears he was rebelling? No one can say they rush to conclusions in the Bay Area, that’s for sure.
Some commentators have noted that the executive team in San Francisco is lucky they're not in the private sector. Allowing such a slipshod and sloppy operation, in which a single individual can effectively shut down your entire computer system, almost certainly would have triggered a federal SEC investigation and could have resulted in criminal charges filed against the CEO under Sarbanes Oxley.
And of course, the city faces the ongoing nightmare of not knowing what viruses, booby traps, data bombs, or other mechanisms Childs might have left in place. It may be a long time before the city’s IT managers can look around and believe that they have complete control over their system.
What is it the nuns used to say in Latin class? "Quis custodiat ipsos custodes?" Well, part of the answer is not to let one of the guardians have the keys to the entire kingdom.
Addendum--In an effort to thwart Mr. Childs from getting bail reduced, the city disclosed in its memo to the court some 150 passwords for access to its systems that were discovered on Childs' computer. Presumably these have all been reset and the VPN system at issue reconfigured, yet another cost resulting from the city's lax security practices.