http://www.athensnews.com/issue/article.php3?story_id=25597
By Jim Phillips
Athens NEWS Senior Writer
2006-08-10
The president of a consulting firm whose recommendations helped spur the
firing of two Ohio University information-technology officials denied
Wednesday that he had any personal stake in seeing the two men removed.
Charlie Moran, of the Illinois-based Moran Technology Consultants, Inc.,
dismissed as groundless suggestions that IT officials Tom Reid and Todd
Acheson somehow posed a threat to his company's continuing to receive
lucrative contract work from OU.
"It's a desperate attempt by their attorneys," said Moran, of allegations
that as an OU contractor he may have had a conflict of interest in the
case. "It's completely wrong."
The university fired Reid and Acheson last Thursday, following release of
a report by Moran's company that laid heavy responsibility on the two for
allowing a series of hacker break-ins to OU computer databases.
Reid was director of OU's Communication Network Services, and Acheson was
the CNS Unix systems manager. Reid, and Acheson's attorney Fred Gittes,
have both publicly suggested that Moran may have had a personal motivation
to see the two officials fired.
Before Moran was hired to investigate the computer-hacking incidents, the
company worked for OU developing a request-for-proposals to install a
computerized student information system at the university. Reid and
Acheson reportedly raised questions about Moran's handling of this
project, thus supposedly making him their enemy.
Seeming to support this claim are comments on Moran's report, and on the
larger computer security question, by a former associate provost for IT at
OU. Doug Mann, who held the post from 1999-2003, is now executive
assistant to the dean in OU's College of Osteopathic Medicine.
In a June 1 memo regarding OU computer security issues, Mann stated that
"Ohio University's IT security vulnerabilities have been known for
decades. Concerns about security have appeared in every one of the reports
prepared by various external IT consultants over the years."
While Mann in the 2002-03 academic year was "ramping up a major IT
security project," he recalled, that project "was derailed when
then-Provost Steve Kopp eliminated the associate provost for IT position."
While some OU officials continued to push for improved security, according
to Mann - including, notably, Tom Reid - "the effectiveness of the CNS
security effort was (and still is) limited by resources and by lack of
central authority over OU's IT security."
In an e-mail to OU Chief Information Officer William Sams in late June,
Mann raised serious questions about the accuracy and fairness of the Moran
report. He also suggested that "in the context of the Moran consulting
relationship on the OU SIS project, and Tom Reid's alleged hesitance to
support that project, (the report) presents an appearance of conflict of
interest."
Mann added that Moran "has profited from the SIS project and has the
potential to profit further. Moran Technology Consulting received an unbid
contract to write a security incident report in which they have
recommended the dismissal of Tom Reid. The Moran report is inconsistent
and is consistently biased against CNS and Tom Reid. In my professional
opinion, it would be a serious mistake to undertake major disciplinary
action such as dismissal against Tom Reid and Tom Acheson based on the
flawed and biased Moran report."
In an e-mail to OU Legal Services, Sams has acknowledged that Shawn
Ostermann, chair of electrical engineering and computer science at OU, has
also reviewed the Moran report and "had similar comments to Doug's."
CHARLIE MORAN INSISTED that reports of his having a clash with Reid and
Acheson are grossly exaggerated, and that in any case, the two were in no
position to threaten his status as a contractor with OU.
Moran said that when he was developing the SIS RFP, he met with Acheson to
talk about any potential obstacles in the IT area to implementing the new
system.
During that meeting, he acknowledged, he and Acheson had a sharp
disagreement over the best security tools to use at OU, with Acheson
championing a software technology known as Shibboleth, and Moran arguing
that it is "risky, and too new for OU."
However, Moran said the disagreement was civil and professional.
"Todd is a very good technical guy. I found very thoughtful comments
coming out of him," Moran recalled. On the security-tech issue, he
admitted, "he and I are black and white. He's a professional, I'm a
professional, and we have different opinions."
Moran said he met shortly thereafter with Reid, and simply passed on to
him information about the security question, which Reid said he would look
into.
"That meeting was the first, and to my knowledge the only, time I met Tom
Reid," he said. "I had no bad blood (with him). I don't know the man."
He added that his firm, having developed the RFP, disqualified itself from
bidding on the SIS project, and in any case is too small and specialized
to consider taking on what might have been a $20 million contract.
"We're a boutique consulting firm," he said. "We weren't going to bid on
that. We're not big enough."
And while there was a possibility that his firm might get some contract
work from OU to help implement whatever SIS system it decided to buy,
Moran said, neither Reid nor Acheson would have any say in that decision,
and therefore posed no financial threat to his company. "Those guys are
not going to have a vote on who the implementation firm is going to be,"
he said.
Mann's comments to Sams on the Moran report go beyond the
conflict-of-interest issue, however. He also alleged that the report gives
a "complete misrepresentation" of the role that CNS played in a 2002-03 IT
security project at OU.
"This misrepresentation does not appear to be an accident, as the report
takes every opportunity to cast CNS in the most negative light possible,"
Mann added in his memo.
THE MORAN REPORT cited a number of possible steps that could have been
taken to beef up OU's computer security, but were not. Mann, however,
contended in his e-mail that "Most of these security steps were the
responsibility of Computer Services (another IT department at OU) or other
planning units, not CNS. However, in the report, Computer Services
receives only the mildest of criticism, despite having free and easy
access to anti-virus software and automatic Windows updates for server
administration."
Charlie Moran, however, reiterated a point that has also been argued by
Sams - that all computer security issues at OU were, at some level, the
responsibility of CNS.
"Tom Reid owned security for the campus," he insisted.
Reid has maintained that a perimeter firewall, which he has been faulted
for not installing, might have been a bad idea for OU. Because firewalls
can make Internet connectivity more sluggish, he claims, some research
universities have opted not to use them.
Moran dismissed this objection, calling a firewall an obvious, and
relatively inexpensive, security measure for a place like OU.
"Firewalls are dirt cheap," he declared, estimating that OU could have
installed one for somewhere between $50,000 and $70,000. "Most schools in
the country, and most corporations, and I would hope The Athens NEWS, take
certain security measures including firewalls."
Even if you grant Reid's point that some schools do not use firewalls, he
said, most of them install some equivalent, alternative security measure.
"I would say, 'OK, Tom. If you didn't put in firewalls, what did you put
in their place?' There was nothing," Moran said.
ACHESON, MEANWHILE, has been rounding up a host of supporters for his
cause among OU employees and people who have had dealings with the
university.
More than a dozen support letters have been sent to the university so far,
many of them taking strong issue with the Moran report's portrayal of
Acheson as a prickly, aloof man whose personal style intimidated
co-workers and eroded the inter-departmental cooperation needed to
maintain good computer security university-wide.
One writer, who works in CNS, described Acheson as "one of the few
managers who consistently engaged his employees on their comments, both
positive and negative, regarding projects and daily work decisions."
Another writer, OU's IT communications manager Sean O'Malley, said the
characterization of Acheson as hard to work with "would have been accurate
five or six years ago," but hasn't been for some time.
"When Acheson first joined CNS, he did have a reputation for having an
abrasive manner; however, that issue was worked out long ago," O'Malley
wrote. "In fact, I would say for at least the past three years, Acheson
has been an excellent team player."