http://www.athensnews.com/issue/article.php3?story_id=25597

By Jim Phillips
Athens NEWS Senior Writer
2006-08-10

The president of a consulting firm whose recommendations helped spur the firing of two Ohio University information-technology officials denied Wednesday that he had any personal stake in seeing the two men removed.

Charlie Moran, of the Illinois-based Moran Technology Consultants, Inc., dismissed as groundless suggestions that IT officials Tom Reid and Todd Acheson somehow posed a threat to his company's continuing to receive lucrative contract work from OU.

"It's a desperate attempt by their attorneys," said Moran, of allegations that as an OU contractor he may have had a conflict of interest in the case. "It's completely wrong."

The university fired Reid and Acheson last Thursday, following release of a report by Moran's company that laid heavy responsibility on the two for allowing a series of hacker break-ins to OU computer databases. Reid was director of OU's Communication Network Services, and Acheson was the CNS Unix systems manager.

Reid, and Acheson's attorney Fred Gittes, have both publicly suggested that Moran may have had a personal motivation to see the two officials fired.

Before Moran was hired to investigate the computer-hacking incidents, the company worked for OU developing a request-for-proposals to install a computerized student information system at the university. Reid and Acheson reportedly raised questions about Moran's handling of this project, thus supposedly making him their enemy.

Seeming to support this claim are comments on Moran's report, and on the larger computer security question, by a former associate provost for IT at OU. Doug Mann, who held the post from 1999-2003, is now executive assistant to the dean in OU's College of Osteopathic Medicine.

In a June 1 memo regarding OU computer security issues, Mann stated that "Ohio University's IT security vulnerabilities have been known for decades. Concerns about security have appeared in every one of the reports prepared by various external IT consultants over the years."

While Mann in the 2002-03 academic year was "ramping up a major IT security project," he recalled, that project "was derailed when then-Provost Steve Kopp eliminated the associate provost for IT position."

While some OU officials continued to push for improved security, according to Mann - including, notably, Tom Reid - "the effectiveness of the CNS security effort was (and still is) limited by resources and by lack of central authority over OU's IT security."

In an e-mail to OU Chief Information Officer William Sams in late June, Mann raised serious questions about the accuracy and fairness of the Moran report. He also suggested that "in the context of the Moran consulting relationship on the OU SIS project, and Tom Reid's alleged hesitance to support that project, (the report) presents an appearance of conflict of interest."

Mann added that Moran "has profited from the SIS project and has the potential to profit further. Moran Technology Consulting received an unbid contract to write a security incident report in which they have recommended the dismissal of Tom Reid. The Moran report is inconsistent and is consistently biased against CNS and Tom Reid. In my professional opinion, it would be a serious mistake to undertake major disciplinary action such as dismissal against Tom Reid and Tom Acheson based on the flawed and biased Moran report."

In an e-mail to OU Legal Services, Sams has acknowledged that Shawn Ostermann, chair of electrical engineering and computer science at OU, has also reviewed the Moran report and "had similar comments to Doug's."

CHARLIE MORAN INSISTED that reports of his having a clash with Reid and Acheson are grossly exaggerated, and that in any case, the two were in no position to threaten his status as a contractor with OU.
Moran said that when he was developing the SIS RFP, he met with Acheson to talk about any potential obstacles in the IT area to implementing the new system. During that meeting, he acknowledged, he and Acheson had a sharp disagreement over the best security tools to use at OU, with Acheson championing a software technology known as Shibboleth, and Moran arguing that it is "risky, and too new for OU."

However, Moran said the disagreement was civil and professional. "Todd is a very good technical guy. I found very thoughtful comments coming out of him," Moran recalled. On the security-tech issue, he admitted, "he and I are black and white. He's a professional, I'm a professional, and we have different opinions."

Moran said he met shortly thereafter with Reid, and simply passed on to him information about the security question, which Reid said he would look into.

"That meeting was the first, and to my knowledge the only, time I met Tom Reid," he said. "I had no bad blood (with him). I don't know the man."

He added that his firm, having developed the RFP, disqualified itself from bidding on the SIS project, and in any case is too small and specialized to consider taking on what might have been a $20 million contract.

"We're a boutique consulting firm," he said. "We weren't going to bid on that. We're not big enough."

And while there was a possibility that his firm might get some contract work from OU to help implement whatever SIS system it decided to buy, Moran said, neither Reid nor Acheson would have any say in that decision, and therefore posed no financial threat to his company.

"Those guys are not going to have a vote on who the implementation firm is going to be," he said.

Mann's comments to Sams on the Moran report go beyond the conflict-of-interest issue, however. He also alleged that the report gives a "complete misrepresentation" of the role that CNS played in a 2002-03 IT security project at OU.

"This misrepresentation does not appear to be an accident, as the report takes every opportunity to cast CNS in the most negative light possible," Mann added in his memo.

THE MORAN REPORT cited a number of possible steps that could have been taken to beef up OU's computer security, but were not. Mann, however, contended in his e-mail that "Most of these security steps were the responsibility of Computer Services (another IT department at OU) or other planning units, not CNS. However, in the report, Computer Services receives only the mildest of criticism, despite having free and easy access to anti-virus software and automatic Windows updates for server administration."

Charlie Moran, however, reiterated a point that has also been argued by Sams - that all computer security issues at OU were, at some level, the responsibility of CNS.

"Tom Reid owned security for the campus," he insisted.

Reid has maintained that a perimeter firewall, which he has been faulted for not installing, might have been a bad idea for OU. Because firewalls can make Internet connectivity more sluggish, he claims, some research universities have opted not to use them.

Moran dismissed this objection, calling a firewall an obvious, and relatively inexpensive, security measure for a place like OU.

"Firewalls are dirt cheap," he declared, estimating that OU could have installed one for somewhere between $50,000 and $70,000. "Most schools in the country, and most corporations, and I would hope The Athens NEWS, take certain security measures including firewalls."

Even if you grant Reid's point that some schools do not use firewalls, he said, most of them install some equivalent, alternative security measure.

"I would say, 'OK, Tom. If you didn't put in firewalls, what did you put in their place?' There was nothing," Moran said.

ACHESON, MEANWHILE, has been rounding up a host of supporters for his cause among OU employees and people who have had dealings with the university.
More than a dozen support letters have been sent to the university so far, many of them taking strong issue with the Moran report's portrayal of Acheson as a prickly, aloof man whose personal style intimidated co-workers and eroded the inter-departmental cooperation needed to maintain good computer security university-wide.

One writer, who works in CNS, described Acheson as "one of the few managers who consistently engaged his employees on their comments, both positive and negative, regarding projects and daily work decisions."

Another writer, OU's IT communications manager Sean O'Malley, said the characterization of Acheson as hard to work with "would have been accurate five or six years ago," but hasn't been for some time.

"When Acheson first joined CNS, he did have a reputation for having an abrasive manner; however, that issue was worked out long ago," O'Malley wrote. "In fact, I would say for at least the past three years, Acheson has been an excellent team player."