I've been half-following the case. Childs was asked to divulge
administrative passwords in a room full of people who were not authorized to
have them (for instance, HR was there) in addition to there being a
conference call with other unknown - and hence unknown authorization status
- persons. Divulging the passwords would have been against all normal
common-sense security practices. Speaking of practices, the city lacked
clearly defined policies.
That said, he chose defiance instead of a more reasonable approach. In that
situation I would have said that I'd provide the passwords to my manager
In reality, both sides are at fault.
BTW, the DOS that he was convicted of was solely to administrative services.
The rough equivalent of disabling the SST or QSECOFR ID on the iSeries.
There was no user downtime and no lost user productivity.
This stands in direct contrast to the later SF City IT screw up where VPN
IDs & passwords were disseminated in clear text, prompting the city to turn
off VPN services until passwords could be reset. And while the VPN DOS
incident did result in user downtime (as well as being a data breach), no
criminal charges have been filed nor are any planned and the employee
responsible has not been fired.
Childs was belligerent and the City chose to make an example of him.
On Tue, May 4, 2010 at 12:34 PM, sjl <sjl_abc@xxxxxxxxxxx> wrote:
Over my career, I have had to deal with many guys like this:
This is the Non-Technical Discussion about the AS400 / iSeries
(Midrange-NonTech) mailing list