In Lancaster, last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.
And who did the coroner allegedly give his password to? Newspaper reporters. Now there's a trusting user.
Wait, it gets scarier. According to the grand jury, the reporters said Kirchner gave them the password because he didn't want to be bothered with their phone calls asking for details about homicides, fatal accidents and suspicious deaths.
The reporters weren't charged with illegally accessing the Web site, because they testified under immunity from prosecution. Kirchner has denied the charges against him.
But the grand jury report quotes e-mails and computer forensic evidence that paint an ugly portrait of the coroner (who apparently ignored security policies and gave away his password within weeks of taking office in 2004) and the reporters (who ignored "authorized personnel only" warnings and accessed confidential information hundreds of times over an 18-month period).
And where was IT all this time? Not noticing, mostly. Eventually, an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office. But that was only after one reporter mentioned in a news report that some information came from the Web site, and a reporter from a competing newspaper called the county to find out why he didn't have access.
That's when a supervisor realized there had been a security breach, a police investigation began, logs were checked, passwords were changed, and the grand jury went to work.
Until then, everyone apparently assumed that because users were trusted with the information on the emergency 911 Web site, they could be trusted to keep it secure. Now there's a trusting IT department.
That trust was misplaced. And not just trust in the coroner. After the reporters' intrusion was discovered, logs were scrutinized more carefully. In 2006, four emergency responders were prosecuted for giving out their passwords, and two other people were arrested for accessing the site.
According to the grand jury report, the results of those password leaks weren't trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn't. "That caller's name was made known on the streets, and the caller was severely beaten in retaliation," the grand jury report said.
We want to trust our users. We have to trust them, mostly -- we can't afford to watch them every second. And most of them are worthy of that trust.
But some aren't.
Trusting is nice. It's sociable. It's convenient.
Don't do it.
We have the technology to control network access to confidential information. Beyond passwords, we can limit users' access with IP address whitelists and blacklists. We can use VPNs. We can scan logs after the fact, looking for IP addresses that don't belong. We can't catch every breach, but we likely can discover some accounts that have been compromised -- and some users who can't be trusted.
Yes, that gets ugly and unpleasant. So does what comes after: the why, the how-bad and the what-to-do-now.
But the alternative is a lot uglier. The results could be lost business and exposed customer information.
Or -- as they're learning in Lancaster -- assaults and handcuffs.