STATE OF NEW MEXICO
SEVENTH JUDICIAL DISTRICT
COUNTY OF SIERRA

STATE OF NEW MEXICO, ex rel. DEBORAH TOOMEY, an individual, Plaintiff,

vs.

CITY OF TRUTH OR CONSEQUENCES, et al., Defendants.

No. D-0721-CV2009-98
HON. WILLIAM SANCHEZ

SECOND AFFIDAVIT OF GOUTHUM KARADI

COMES NOW Gouthum Karadi and states as follows:

1. On December 5, 2011, upon the Court's order of November 28, 2011, plaintiff Deborah Toomey and I met with defendant City to determine if audit logs existed, and to produce audit logs described in the Berna Garcia November 10, 2011, affidavit if, in fact, they existed.

2. We were met at the City's Utility Department by City Manager Juan Fuentes and City IT Specialist Bob Hupp.

3. City Manager Fuentes at first insisted that we produce the audit log

SECOND AFFIDAVIT OF GOUTHUM KARADI Toomey v. City of Truth or Consequences D-0721-CV2009-98

Ms. Toomey requested. Ms. Toomey responded that the audit logs described by Ms. Garcia in the November 10, 2011, affidavit were the requested audit logs and the Court ordered the production of the two audit logs so described. Upon further insistence from Mr. Fuentes that they first produce the audit log she requested, Ms. Toomey remarked again the Court ordered the production of the two audit logs described in the November 10, 2011, affidavit, which are the audit logs she requested under IPRA, and she was not willing to play semantics as to what she requested, repeating firmly, "I want these audit logs" and pointing to the November 10, 2011, Garcia affidavit she brought with her.

4. I requested Ms. Toomey to step outside as the situation was quickly becoming heated. We discussed that I would follow the procedures in the letters from ADG and do my best to discover with whatever cooperation I could get from City:
   a. Capabilities of the software.
   b. Capabilities of the personnel.
   c. Software environment.
   d. Overall security, privacy, and stability posture.

5. Ms. Toomey agreed this was the best approach, and upon re-entry to the Utility Department office we commenced.


6. I was not allowed actual access to the computer system to produce the audit logs. Instead, Mr. Fuentes seated himself at the computer console, and I instructed Mr. Fuentes to perform the following, as enumerated in the ADG January 4, 2010 letter:
   a. From the System Administration Menu, choose option #10, Export Data for SS/WP.
   b. Select SYSAUD.
   c. Hit F6 to select all fields.
   d. Hit F1. Select file type csv. Leave the default file name of SYSAUD.
   e. Hit F1.

7. In less than three minutes' time, the System Master Audit Log was rendered from the database into an unredacted CSV file and was copied onto a new unopened USB drive purchased that day from Wal-Mart in Truth or Consequences, NM.

8. No ODBC drivers or other components were required to be installed. Saving the file into a CSV format for viewing in Microsoft Excel or other spreadsheet program was an existing option within UBS.

9. Mr. Hupp then suggested that he could open the SYSAUD.csv file
and redact the confidential information utilizing Excel, although a decision had to be made as to how much data would be included. Mr. Hupp explained that all logs since the installation of the software in 2001 were available. Mr. Fuentes stated that the dates from Ms. Toomey's initial request dated 21 May 2008 for five years previous would be used. Mr. Hupp offered that he would do so with a subset of the initial file for proof of concept for speed; 14 MB of the approximately 28 MB.

10. Ms. Toomey stated at this point that she would return in approximately 90 minutes, and left the premises.

11. Mr. Hupp also left the room with the USB drive containing the SYSAUD.csv file and returned approximately 45 minutes later stating the redaction took approximately 15 minutes.

12. I noted the SYSAUD.csv file was now approximately half the size in megabytes from its original size.

13. After Ms. Toomey left, Mr. Fuentes again broached the subject of producing an audit log consistent with Ms. Toomey's IPRA request. I explained to Mr. Fuentes that the IPRA request was not only consistent and exactly what Ms. Toomey requested years prior but consistent with audit logging as a whole. Mr. Fuentes became quite insistent, until I finally asked him what he was trying to get me to say. Mr. Fuentes responded, "Nothing." I then added firmly, "I do this for a living all day every day and I know when I am being needled. Please do not do so."

14. Consistent with the November 10, 2011, Berna Garcia affidavit, I requested to examine the Application Audit Log, a non-electronic log. Mr. Fuentes asked Magdalena, another city employee, where the log was, referring to the printout of the November 10, 2011 Garcia affidavit. The employee replied that she was unaware of any such logs.

15. Since Mr. Fuentes did not allow me access to the computer console, I
requested he go through the menus as I observed. I noted that Mr. Hupp's claim that they would have to run reports on all 10 individually since the ADG report doesn't list the operating accessing the record was incorrect. The SYSAUD.csv file clearly indicates the operator under the field ID who, and there was no need to run reports on all 10 operators individually.

16. I also requested from Mr. Hupp for a copy of the UBS user/instructional manuals. Mr. Hupp copied the electronic files onto the USB drive. He also explained that they had once printed out the files, and expressed in binders it was approximately 3 feet wide.

17. I am aware that Ms. Toomey had previously requested under IPRA for the user/instructional manuals, and received a response they don't exist. This
was clearly untrue since it was produced on December 5, 2011.

18. In closing discussion with Mr. Fuentes, he asked, "So, you have been involved with this entire process from the beginning?" To which I responded, I have known Ms. Toomey since we worked at Microsoft Corporation in Redmond, Washington. She was an expert in Personally Identifiable Information (PII) due to her management of the creation of the xBox live datacenters-which use Microsoft Passport and have never gone down-unlike the Playstation. She asked me to consult on this project which he can see from the earlier emails to Mr. Jost, President of ADG, where I respectfully request the information. If you read you will see that these are the audit logs and that the City could have handled this whole thing differently before you arrived, in my professional assessment. In my personal opinion, which is of no moment, I do this because I believe that information is power and that it must be handled and protected judiciously-which is why I was in the US Army.

19. Ms. Toomey returned and approved the subset as a good faith reproduction of the redacted logs.

20. Through the process I requested and discovered:
   a. Standard information platform:
      i. VMWare VSphere virtualization.
      ii. Microsoft Windows Server 2003 SP2.
      iii. Microsoft Windows 7 Enterprise.
      iv. Microsoft Office 2010.
      v. Progress Version 9 Database.
      vi. ADG UBS Software.
   b. The manuals from ADG UBS which Mr. Hupp said he would save as ASCII (text) files which I could peruse at my leisure.

21. Mr. Hupp meets the requirements of a Tier 2 to Tier 3 Information Systems Administration and demonstrated his awareness of:
   a. Overall data process and portability. He knows how to move data into and out of different formats using Industry Standard Best Practices.
   b. Up-to-date software knowledge and capabilities. He updates software to the latest security updates from Windows Update as well as uses advanced techniques such as software virtualization.

22. From the engaged process, deeper conclusions are also accessible, including Mr. Hupp's specific knowledge that UBS is capable of rendering the audit log into a CSV file and that redaction can be accomplished utilizing
electronic tools, rather than the esoteric and non-technological manual process he describes and demonstrates in his undated justification of $15,000 fee.

23. A general lack of security and information processes was observed. There was neither identification check for entering secure areas nor a visitors log detailing entry and exit. In my professional opinion, the highly sensitive information of social security numbers is at risk of compromise through antiquated processes and a general lack of security awareness.

24. The SYSAUD.csv file produced on December 5, 2011, is responsive to the IPRA requests of May 21, May 28 and July 9, 2008, for the Utility Department audit log that details the date, time, who accessed and what record was accessed for all personally identifiable information.

25. The audit log took 3 minutes to render and transfer to the USB drive.

26. Mr. Hupp took 15 minutes to electronically redact the audit log.

27. The City's claim that the audit log does not exist is false.

28. The City's claim that the production of the audit log was burdensome and would require the non-technological and cumbersome process of more than 1,300 man hours was knowingly false.

I affirm under penalty of perjury under the laws of the State of New Mexico that the foregoing is true and correct.

DATED: January 6, 2012
