computerwoche.de

Archiv

Trouble in homicide: a network detective story

21.11.2006
Several years ago I found myself working for a major metropolitan police department, mainly building specialty databases. All the databases were stored on a single PC in the division office. It wasn't the best way to do it, but it worked. And it provided the illusion of security.

One day the Chief of Police, "Walter Voutie," announced that the city had allocated money for an actual network. I was pleased -- until the Chief announced that he was hiring an outside contractor (let's call it "Lacy Systems") to install the network and to provide an experienced network administrator. Chief Voutie joked that if any of us were any good at computers, we wouldn't be working for the Department. At least he smiled when he said it. I guess our two master's degrees, six bachelor's degrees, and multiple certifications didn't impress him.

Finally the network went up, and "Harry," the new network administrator, appeared. Harry was completing his last year of night school. As far as I could tell, he still hadn't taken any networking classes. I sat there steaming, with my degree and my network certifications -- apparently "unqualified" only because I didn't work for a hot-shot contractor.

At least I had plenty to keep me busy. I got all my databases moved and user accounts set up. Then, two weeks later, I got a panicked call from the sergeant in Homicide. No one could access the databases they needed, derailing several ongoing operations. When I checked, I couldn't get in either, and I was supposed to be administering those databases.

I called Harry, but he didn't answer his phone. I tried paging him. After 30 minutes I walked down to his office. No sign of him. Meanwhile the sergeant at Homicide was calling every 10 minutes. Officers were in the field without information they needed. I paged Harry again, and again, and again. After an hour and a half, I decided to take matters into my own hands, and started trying to hack the password for the Administrator's account. It wasn't his wife's name, it wasn't his daughter's name, or his dog's name either. In desperation, I hit Enter without a password, and suddenly I was in. Yes. Our network expert had never even set a password on the Administrator account.

Now that I had access, I looked at the permissions Harry had set for the Homicide division. What a mess! I spent half an hour resetting all the access information using proper syntax and removing reserved characters. While I was at it, I upgraded my own account to give me more access in the future.