gimme all your passwords

avriette
DCAWD Groupie
Posts: 1316
Joined: Sun Oct 01, 2006 3:48 pm
Location: Arlington, VA

gimme all your passwords

Post by avriette »

we have a civilian agency auditing our accounting software because it's been this giant fiasco for literally two years. they gave us some "checklists" and "spreadsheets" today that include things like "every host on the network, its IP, OS, purpose, admin, and 'SP'". On top of this, they want a copy (among other things) of /etc/shadow from every single Linux or Unix host we have.

While on a conference call with the assistant director (of what, I'm not sure; he's supposed to be spending eight hours a week on IT), who happens to be my boss's boss, I read through the Linux checksheet half-out-loud until I happened upon this.

I immediately said, "/etc/shadow? I am not giving them that." My boss looked at me and raised his eyebrows and said, "what?"

I gave him the page number and paragraph and he looks at it, amazed.

Blah blah blah later, call is over. I decide that I'm going to go and print out this list and circle the ones that I'm real uncomfortable with (they also want to know, for example, every single process running on the machine). Note that this is for every Linux machine on the network. Note also that we're a defense and intelligence contracting organization and the hardware in question lives behind military-secured doors.

Later today my boss asks me to come into his office, where his boss is waiting for me on speaker phone and proceeds to chew me out for twenty minutes about how it's not my call whether I give them all the passwords for everyone on the machines. That in saying it, I was being adversarial, and my tone of voice was inappropriate.

I said, well, what do you want me to say to that?

He said, basically, that "we trust them" and "if the director says to give them the data, it's not your place to say no."

Well, it is my place, because I'm the fucking sysadmin. I'm the first person you ask if you want that kind of information, and it's my job to say NO if it's inappropriate. Especially a civ organization asking for information about an accounting system that runs on a separate network. Their justification for wanting /etc/shadow is to see if there are "superfluous users." (they want /etc/passwd and /etc/group as well, so this isn't some "stupid mistake" where they asked for the wrong file)

Sorry to rant like this, only half the story is being told because this only makes sense to Unix people.

But I gotta rant somewhere. The guy is angry because he thinks I made him look bad on a conference call, like it was my decision what to give the auditors. He chose to personally tell me (rather than tell my boss, since he's so fond of quoting "chain of command" shit) because his dick is all bent out of shape, and he wants me to be very clear that these guys are to be given this data if he says so.

I ain't doing it. If someone insists I do it, I will tell them I'm not comfortable doing it, and they have the passwords, they can do it themselves. I'm not going to have THAT giant clusterfuck on my hands.

I've worked places I'd be fired for even considering giving that data to anyone, including our own staff.
rocket scientist
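An added example, not from the post or the systems it describes, of the point the auditors' stated justification raises: "superfluous users" can be found from /etc/passwd and /etc/group alone, and if shadow data is consulted at all, only the state of each password field (set, locked, empty) needs to leave the box, never the hash. The sample files, the account names and the extra UID 0 "oldadmin" entry are all constructed.

```python
# Constructed sample files in /etc/passwd, /etc/group and /etc/shadow format.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
oldadmin:x:0:0:Former admin:/root:/bin/bash
svc_acct:x:1002:1002:Accounting batch:/var/lib/acct:/usr/sbin/nologin
"""
GROUP = """root:x:0:
sudo:x:27:alice,oldadmin
acct:x:1002:bob
"""
SHADOW = """root:$6$CONSTRUCTED$NOTAREALHASH:19000:0:99999:7:::
alice:$6$CONSTRUCTED$NOTAREALHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
oldadmin:!:19000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def password_state(field):
    # Classify the shadow password field; the hash itself never leaves here.
    if field == "":
        return "EMPTY"                     # logs in with no password at all
    return "locked" if field.startswith(("!", "*")) else "set"

def account_inventory(passwd, group, shadow=None):
    membership, states = {}, {}
    for line in group.strip().splitlines():
        name, _, _, members = line.split(":")
        for m in filter(None, members.split(",")):
            membership.setdefault(m, []).append(name)
    for line in (shadow or "").strip().splitlines():
        user, field = line.split(":")[:2]
        states[user] = password_state(field)
    report = {}
    for line in passwd.strip().splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        report[user] = {"uid": int(uid), "groups": membership.get(user, []),
                        "can_login": shell not in NOLOGIN_SHELLS,
                        "password": states.get(user, "unknown")}
    return report

def findings(report):
    # Accounts worth a second look: extra UID 0, or login shell with no password.
    out = []
    for user, a in report.items():
        if a["uid"] == 0 and user != "root":
            out.append(f"{user}: extra UID 0 account")
        if a["can_login"] and a["password"] == "EMPTY":
            out.append(f"{user}: login shell with empty password")
    return out
```

Without the shadow argument the report still answers the "superfluous users" question; the password column simply reads "unknown".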
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Post by Sabre »

You have four options:

1.) Do it. Get it in writing before ANYTHING takes place, however, and tell them that you will need to explain the consequences of this action to <insert> before it takes place.

2.) Do it. Next report your boss and the civ's agency to anyone above them and fully explain what they have just handed over.

3.) Tell them that you don't think that it is a good idea, but if they would like, you will run a password cracker on the files to see if there are any easy passwords on them. You will then report the users to <insert>.

4.) Quit

Sorry that you're going through that. That's a sucky position to be in :(
Sabre (Julian)
92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
chicken n waffles
Moderator
Posts: 6314
Joined: Wed Oct 19, 2005 1:15 am
Location: Alexandria

Post by chicken n waffles »

i wouldn't want any part of that, either. i'd tell my boss he can have someone else hand the shit over and if/when it hits the fan, light the fire under that person's ass.
-Ben
sirwilliam
Resident Poop Expert
Posts: 7226
Joined: Mon Aug 01, 2005 1:27 pm
Location: The Wild Serengeti Suburbs

Post by sirwilliam »

Sorry you are in this situation. I wouldn't give it to him/them, either.

Can't say more than what has already been said/posted. Good luck. :(
2004 SG Model A PearlBlackObsidian (RIP)
2008 SG Model D BlueRallyWorld

"When I get sad, I stop being sad and be awesome instead. True story." -Barney Stinson
"Nothing shuts my pie-hole but pie." -Shawn Spencer
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.

Post by complacent »

Sabre wrote: You have four options:

1.) Do it. Get it in writing before ANYTHING takes place, however, and tell them that you will need to explain the consequences of this action to <insert> before it takes place.

2.) Do it. Next report your boss and the civ's agency to anyone above them and fully explain what they have just handed over.

3.) Tell them that you don't think that it is a good idea, but if they would like, you will run a password cracker on the files to see if there are any easy passwords on them. You will then report the users to <insert>.

4.) Quit

Sorry that you're going through that. That's a sucky position to be in :(
Julian has it right man. You'll probably have to "adapt" to what the government considers "secure".

CYA, CYA, CYA!!!! Talk to your security manager (your office as well as your contracting office have one). Do it YESTERDAY! You can be punished/lose your clearance even if you were just "following orders". If you are officially in the clear (per security offices) then yes, hand that shit over. Get it all in writing FIRST.

I hate to use that horrid cliché, but OPSEC is EVERYONE'S responsibility. Good for you for standing up about it. Even if the task may feel a little quixotic... :(
colin

a tank, a yammie, a spaceship
i <3 teh 00ntz
Phibs
DCAWD Groupie
Posts: 1197
Joined: Tue Dec 21, 2004 7:00 pm
Location: Sterling, VA

Post by Phibs »

Yeah that's a tough situation, the security side of me definitely says hell no. The "I need a job to keep living" side of me says HERE IT IS SIR!
Bryan
2012 WRX 5-Door Limited
BryanH
Unicycle
Posts: 102
Joined: Thu Feb 10, 2005 7:00 pm

Post by BryanH »

Based on your previous conversation with this guy you don't have four options....you have one option.

Give him what he wants.

But the CYA comment is spot on. You need to email your concerns to him and in the email professionally and technically express your concerns. This is a security nightmare and you want to make damn sure that this ends up in his lap....not yours. You need to make sure that you go on record as telling him "you feel this is a bad idea" (and please use language like that) and not SOP. I would also be CC'ing everyone I know in the security office and all of my guys on the program side as well....but I know how they would react to a request like this.

But through all of this be damn sure to keep a copy of that request for information and the justification for it. It will save your ass when things come down the line.

I have been through things like this before and people got fired....I was in the clear.

OK...you do have a second option....quit.
avriette
DCAWD Groupie
Posts: 1316
Joined: Sun Oct 01, 2006 3:48 pm
Location: Arlington, VA

Post by avriette »

BryanH wrote: Give him what he wants.
No, I can call the various numbers for the various observations we support and suggest, anonymously, that we have a security breach in IT due to a management problem. In the end, I might get fired over it, but I wouldn't lose my clearance over it, and I certainly won't have it on my head that I gave classified passwords to a civilian agency that didn't even need them.

And this is the winning answer:
chicken n waffles wrote: i wouldn't want any part of that, either. i'd tell my boss he can have someone else hand the shit over and if/when it hits the fan, light the fire under that person's ass.
I told my boss that if it came down to it, and we even cleared it with DSS/DIA that it was okay to give these people the data, that I'd have our ISSO do it personally. In general, I own the data in Linux and Unix land, but because it's his job to be security officer for the company, I want the data to leave his hands, not mine. And if he puts up a fight and says "no way we're giving this to them," that's exactly what I wanted.

The bad news is the "quit" people are right. Everyone else in the organization, except our new Fuhrer, has seriously low morale. We have some people over his head intervening, but I think we have a lot of pussies in that neighborhood that aren't willing to fire him or demote him. We've got two people (out of a staff of eleven in seven offices) quitting by May because of this shit. It's going to get so ugly, there may eventually be no other option. And I'd just gotten to thinking, boy, I don't want to change jobs again soon if I can avoid it (those who have seen my resume know what I'm talking about).
rocket scientist
Phibs
DCAWD Groupie
Posts: 1197
Joined: Tue Dec 21, 2004 7:00 pm
Location: Sterling, VA

Post by Phibs »

Well, good luck and +1 for the above. Changing jobs is annoying!
Bryan
2012 WRX 5-Door Limited