On July 13, the network administrator for the city and county of San Francisco, one Terry Childs, was arrested on suspicion that he had violated multiple provisions of California Penal Code §502(c). Specifically, Mr. Childs is alleged (PDF) to have violated both sections (5) and (6) on two separate occasions each.
Childs was carted off to jail where he refused to turn over the user IDs and passwords in his possession to anyone but the San Francisco mayor, Gavin Newsom. Newsom met with Childs on July 23, and succeeded in acquiring some (but not all) of the information officials needed to regain control of the city's FiberWAN network.
This much we know, but the district attorney (DA) and Terry's defense team don't agree on much else. We'll touch on Childs' history and background momentarily, but the various legal beagles involved in these proceedings present two very different versions of the same events. As a result, the case has begun to resemble an episode of As the World Turns instead of a criminal investigation; only a lack of resurrections, unplanned pregnancies, and wild accusations of infidelity separate the two. Tease apart the two sides, and here's what you get.
Childs didn't just oversee San Francisco's network, he was responsible for its architecture and design. He was extremely proud of his work, and applied for a copyright on the network's configuration on the grounds that it represented an instance of technical artistry. He is a Cisco Certified Internetwork Expert (CCIE), which makes him a member of a very elite group; as of September 9, there were just 17,840 CCIEs worldwide. By all accounts, this is a man who is very, very good at what he does.
Unfortunately, he also has a criminal record, thanks to a 1983 conviction of aggravated burglary and robbery. Childs, then 18, served four years in prison, and was charged in 1995 with criminal possession of a firearm. In 1996 he graduated from Friends University and began his networking career at Kinkos in 1998. He has been employed at the Department for Telecommunication and Information Services (DTIS) since 2003.
According to the DA's office (PDF), Terry Childs is a rogue employee who presents a clear and present danger to the network infrastructure of both the city and county of San Francisco. In a filing arguing against reducing Childs' bail, the administrator is painted as a man who had been fighting with employees at work, had resisted certain changes in security policies and procedures, and who ultimately put himself in a position to destroy the city's FiberWAN with the touch of a button, should he desire to do so.
Childs is alleged to have installed illicit computers for the purpose of interfacing with the network, to have "taken over" a training room and built himself a network rack, and to have had sole control over numerous administrative procedures, including creating and changing passwords, adding/deleting users, or "any other standard configurations relating to the function of routers or network-specific servers on the system." Childs had also manually configured certain routers in the core network to store all configuration data in memory only. Power down such equipment (or attempt to reset it) and all necessary configuration data is wiped.
There are other accusations, including arguments that Childs intended to take the entire FiberWAN offline during a planned power outage on July 19, and statements alleging that the network was essentially booby-trapped. If anyone attempted to recover a password, the DA's filing states, "the system would automatically erase files, causing a system failure."
No one contests that the network admin refused to hand over login/password information when ordered to do so by his superiors, or the fact that a large amount of unknown encrypted data and extensive network configuration information was found at his home. The sum total of the accusations, in fact, successfully portrays Childs as a mentally unbalanced man with an axe to grind; a digital disgruntled employee, if you will. The defense, however, has a different interpretation.
According to the defense (PDF), Childs is an incredibly skilled member of his field, with a deep sense of pride in the network he has constructed (and no wish to damage it). The fact that Childs had unauthorized access to the network is not contested, but of the three systems found, one of them couldn't receive calls and merely paged Childs in the event of a network failure. The second system could be dialed into, but, according to Terry, was meant for emergency situations only, when he might need immediate access to the system. Given the fact that the man owns a home in Pittsburgh and apparently spends a good bit of time there, this precaution makes a certain degree of sense.
If Childs' attorneys are correct and/or representing their client's viewpoint correctly, Terry believed he was the only person qualified to maintain the network, and that the problems that it had suffered over the years were caused by coworkers and supervisors who "maliciously damaged the system themselves, hindered his ability to maintain it, resulting in unnecessary delay, and show[ed] complete indifference to maintaining it themselves."
Knowing whether or not these claims are objectively true could tell us some interesting things about Childs' perception of his own importance, but the defense's next statement is considerably more interesting. "There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to." The defense admits that Childs was the only person with administrative control, but states "It was widely known within DTIS that he has always been the only person… with the password and the only full system administrator."
The claims of mismanagement and false allegations continue. DTIS is alleged to have "no written policy related to the setting of passwords and what persons are allowed to have them, or to the installation of modems." Furthermore, "There is no evidence whatsoever that Mr. Childs enabled a third party to access and destroy records. There is no evidence that he took, altered, or deleted city documents."
Oh, and that planned power outage on July 19? It turns out that Childs met with Ramon Pabros, the DTIS Datacenter Supervisor, before he was suspended. Pabros met with Childs some ten days before his arrest. In that meeting, Childs stressed the importance of not cutting power to the datacenter, at which point Pabros reassured him that only offices and cubicles would be affected.
Taken in total, the defense argues that Terry Childs felt alienated and isolated by his coworkers and supervisors, and was increasingly left out of the decision-making process. Nevertheless, he continued to fulfill his central duty to maintain FiberWAN and never threatened the network in any way.
The city claims it is still in the process of trying to locate a mysterious "terminal server" Childs apparently connected to the network as some sort of remote-access insurance policy, as well as some 1,100 modems Childs apparently installed (boggle at that for a moment). According to investigators, they briefly found a login page claiming that the server in question belonged to Terry S. Childs, but are as yet unable to locate the server either physically or virtually. As Paul Venezia at Infoworld points out, however, the DA's office continues to garble its technology terminology to the point where it's not always clear what they are claiming. Venezia has followed the case extensively since Childs was first arrested; I'd recommend his coverage to anyone wanting in-depth information.
Conclusion (for now)
The defense's motion to reduce bail pokes a number of holes in the DA's case, and indeed, raises the question of whether or not Terry Childs has actually done anything illegal. By all accounts he's abrasive and a tad paranoid in his dealings with coworkers—even the defense refers to his "odd suspicions"—but it's not hard to see how many of these actions might be taken by an employee with a strong sense of ownership coupled with the (possibly true) knowledge that he's the only engineer qualified to maintain his own design. It's also noteworthy that despite his apparent ability to crash FiberWAN any time he chose, Childs never attempted to do so, even in the period of time between his suspension from work (July 9) and arrest (July 13).
The network administrator's actions could be viewed as attempts to make himself important and necessary to the core functionality of FiberWAN rather than an attempt to effectively destroy the system. This is undoubtedly against DTIS policy, written or unwritten, but there's a certain uneasy truth here. There are any number of network administrators who, if they wished, could potentially cause just as much damage to the existing infrastructure of their company or organization. Being the gatekeeper of a network requires that one be invested with the keys, and while companies can take steps to reduce the risk or damage of a network administrator gone wild, there's no way to entirely prevent that possibility.
If this case goes forward, it's going to inevitably shine a very bright light on the security practices and policies of the city of San Francisco as well as on Terry Childs himself. If the defense is right, and written policies in the alleged areas did not exist, that might be scrutiny the DTIS is anything but eager to embrace.
Book a few starlet guest appearances for the 2009 fall season, and we'll be all set.
Further reading
Paul Venezia: "Infoworld Special Report: Terry Childs Admin gone rogue"
Bill Schreier (CTO, Director of IT for Seattle, WA): "A Taxpayer Network Lock Out"