
 

Psychology of the internal hacker

Filed in archive Security by Scott Wilson on July 23, 2008

New developments are emerging this morning in the case of the IT engineer who allegedly shanghaied San Francisco's high-speed fiber network by installing his own backdoor passwords in the system and was arrested last week. In a low-key, one-on-one visit to the imprisoned engineer's cell, San Francisco Mayor Gavin Newsom was able to talk the engineer into providing the actual password he used to lock down the system, the previous passwords the man had supplied to police and city IT staff having been fake.

The article in SF Gate reveals certain details of the episode and the engineer which make it apparent that I was absolutely wrong about the level of drama when I first posted on this subject; this is the plot of a multi-million dollar Hollywood techno-thriller.

At the same time, it sounds as if I may have been on to something when I posited motivations provided more by ego than evil. The engineer, whose name is Terry Childs, is described by his lawyer as "...the only person in that department capable of running that system," a description she surely received from her client rather than anyone in the technology department. Childs is attempting to portray himself as the one competent man in the department, without whom everything would disintegrate, and the message is that he was justified in everything he did, including providing incorrect passwords to the police, for the good of the city.

The funny thing is that this isn't a rare attitude in IT staff. You see it every day on Slashdot or other places where techs hang out. None of them feel replaceable; indeed, some truly are not. But their mistake, and Childs', is in thinking that this is simply an expression of their innate genius and the stupidity of everyone around them. In fact, it's simply bad system design, and frequently a sign of those very techs doing their own jobs poorly. The best techs are not irreplaceable; quite the contrary, in fact, they restructure the work they do so it is easier, more automated, simple enough that anyone could do it. Those like Childs, who hide their supposed genius behind obfuscation and mystery, are frequently the least knowledgeable of the lot... while appearing to laymen as the most expert.

This is something for CIOs to guard against in IT departments, for reasons such as the current incident as well as more mundane difficulties that can arise. Those techs turn themselves into a single point of failure, something most of them would tell you was a bad thing... if it referred to anything other than themselves. If you have anyone who thinks they are indispensable, it's time to take a hard look at their performance and methods. You may head off a situation where one of your techs decides that he or she is more responsible for the "good" of the organization than you are, and begins to cut you and other lesser staffers out of the loop.

