By Trevor Bach
By Francisco Alvarado
By Trevor Bach
By Michael E. Miller
By Allie Conti
By David Villano
By Jose D. Duran
By Michael E. Miller
Feigenbaum and other county programmers also warned that an intruder with an inexpensive flash drive -- a high-capacity memory chip the size of a cigarette lighter that plugs into a computer -- could even copy the entire SPIRIT program code in about two minutes, then eventually locate the database user ID and password in the code and proceed to hack the system from a remote computer. Though it would be more difficult to access the database from outside the county's network, it wouldn't be impossible. "Hackers wouldn't even consider it hacking," programmer Johnny Hoben says dismissively.
In January 2001, Accenture (the Andersen spin-off) finally turned over daily responsibilities for SPIRIT to the county's tech department programmers. Much of the county team's work consisted of upgrading the program so it would run properly with newer versions of FileNet and Oracle. Consultants Tom James and Tom McGovern remained on as project managers, while Ruvin again extended Accenture's contract (the eighth extension since 1993) with the mandate to expand SPIRIT to include misdemeanor criminal records, which are still paper-based. But there was no mention of the database security issue or Feigenbaum's proposed solution from the year before.
As Ruvin continued to renew the contracts of James, McGovern, and Accenture, the county programmers began to wonder if the consultants were actually tails wagging the clerk. It was in the consultants' interest, they reasoned, to ignore the security problems; acknowledging them could jeopardize their contracts and hurt efforts to market the application outside of Miami-Dade.
Ruvin readily acknowledges he has a contract with Accenture to sell SPIRIT to other U.S. court systems. "Accenture owns the code, but we [the clerk of courts office] own the application," he explains. "My thought was that we would earn royalties, that we would be the flagship for this. That we would earn a royalty of a quarter of a million dollars for every clerk's office or court system that would adopt it. And that I would take that money and put it in a revolving fund for the next technology application so that we'd be able to do similar projects in, say, the family court or the juvenile court."
The programmers, however, believe that Ruvin's plan to generate income by marketing SPIRIT is at the crux of the seeming reluctance to remedy the security problems. In addition to resale potential being damaged by news of a flawed product, so much rewriting of the code would be required to fix the problems that the county tech department could claim partial ownership. That would cut into Accenture's and the clerk's share of proceeds from future sales. Ruvin dismisses the notion that his ability to assess the project objectively could be compromised by his financial interest in it. "We really think this is the most secure system," he says, insisting that he and James are not downplaying the security flaws.
Frustrated that Ruvin and James were not committed to addressing the most serious security issue -- the vulnerable database -- the alarmed programmers decided to go public. They contacted New Times. The resulting story, "Tamper Tantrum" (August 19), quoted Byron Jones and Johnny Hoben describing how it was possible to delete a traffic case or change a serious DUI citation to a minor infraction -- and do so without detection.
Fallout came fast and hard. On August 23, just two business days after the article appeared, tech department director Ruben Lopez kicked SPIRIT team leader Masood Hussaini off the project. He then moved to intimidate and silence the outspoken programmers who worked for Hussaini. One by one, Jones, Hoben, and Galego (and a fourth programmer who was not quoted in the article) were presented with a memo from the county manager's office that forbade anyone but department directors and public-information officers to speak to the media on behalf of the county. They were ordered to sign the document.
Although the programmers had spoken out as concerned employees and taxpayers, not "on behalf of the county," the chilling intent of the memo took effect. Tech department employees who had previously been willing to talk with New Times are now reluctant to do so. "There's an effort to cover up wrongdoing here," says one staffer who requested anonymity for fear of reprisal. "I don't think they should be able to use those policy rules to aid that coverup."
Part of the alleged coverup includes portraying the county programmers as potential criminals, and their leader, Masood Hussaini, as a bad manager. Hussaini rejects the mismanagement charge. "That's not true," he says. "I have a perfect performance record as a manager."
Because the clerk of the courts is an elected position, the office is independent from the rest of county government. The clerk manages his office's budget with oversight from the judges and administrators on the Executive Policy Committee. Since 1998 Harvey Ruvin has renewed Tom James's annual contract seven times. According to records, James billed about $91,000 from late 1998 through 1999; that figure swelled to about $160,000 over the past year (from July 2003 to July 2004).
Throughout his contract, one of James's responsibilities as the clerk's chief information officer has been to approve invoices from Accenture. From August 2003 to August 2004, Accenture billed about $1.7 million, a rate of about $20,000 per month per programmer. (Six Accenture employees remain on the project as consultants.)