That could have been avoided -- should have been, in fact. But once it looked like there was a security breach, the OIT did the right thing by going public with the news.
Now it's time to do something else right: Document everything.
Yes, that does sound pretty dull. But it would have avoided lots of the wrong kind of excitement.
For those who haven't followed the story, on Feb. 15, the OIT announced that the Cain & Abel password-recovery tool had been discovered on a server during a security sweep. Cain & Abel has been used by attackers in the past, and OIT officials feared the worst. They notified the public, warned potential victims, called in the FBI and launched an investigation.
They also reportedly placed OIT employee Douglas A. Oliver on leave. He later told Computerworld that he'd installed Cain & Abel as part of a security test. Oliver said last week that he has been cleared to return to work April 25.
According to Oliver, in early February, OIT security testers using Cain & Abel and other tools discovered a slew of problems on state servers: DNS cache poisoning, unencrypted administrative password files, still-active accounts for ex-employees and a SQL Slammer worm infestation.