SF Admin Gives Up Keys To Hijacked City Network 581
snydeq writes "Jailed IT admin Terry Childs relinquished his hold over San Francisco's multimillion-dollar FiberWAN, handing his administrative passwords over to San Francisco Mayor Gavin Newsom, who was 'the only person he felt he could trust.' Childs is still being held on $5 million bail for his lockout of the city's FiberWAN, a case that has been called into question since an insider came forward with details about both the network and Childs himself. The case hinges on No Service Password Recovery commands Childs allegedly configured onto several Cisco devices, as well as dial-up and DSL modems the SFPD has discovered that would allow unauthorized connections to the FiberWAN. Childs intends to 'expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,' according to his motion. The Department of Telecom and IS has cut 200 of its 350 IT positions since 2000 — pressure that may have contributed to Childs' actions, according to interviews with current and former DTIS staffers. Newsom secured the passwords without first telling the DTIS that he was meeting with Childs."
Ooo! Danger! (Score:2, Informative)
will in fact place the City of San Francisco in danger
Well, there's already enough danger thanks to Mayor Gavin Newsom's policies.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/21/BA5C11SK2S.DTL&type=printable [sfgate.com]
It never occurred to this brain dead megabozo that when you say "Come one come all to our sanctuary. We'll hide you!" that there will be bad people to take advantage of that? A complete and utter tool.
Re:Do I understand this correctly? (Score:5, Informative)
Most folks aren't familiar with WAN management, so they probably still don't get what you're saying.
People: Installing backdoors in a WAN saves you a 1+ (sometimes much more than 1+) hour trip somewhere to check a stat or reset a device. Installing backdoors in a LAN is lazy. In other words, the difference is geography. As a WAN manager if you don't have what's called an "out of band" management plan, you're an idiot. (Or you have a micro-sized WAN.) It's also not something that's left secretly, it's planned and secured like any other WAN exposure.
Good luck!
-Matt
Re:why do that, the fool (Score:3, Informative)
The person who received the password is the only one that Childs trusts. Why? Why was he allowed to give himself such complete and solitary access over the network? Why did his management or his co-workers never question this? Was this arrangement by his design, or specifically by his management?
At first I thought the guy was just screwed up, but I keep asking "who benefits" out of this whole situation.
Childs won't benefit. He won't be able to land a job in his preferred field if or when he's out of jail. Not turning over the password raises questions about the network's accessibility. Turning it over to the Mayor as a matter of trust implies that Childs may have some additional information on those in charge that will raise even further questions.
If there is something other than just an insane ego behind this, I think it's being done to raise awareness to others about the network and it's management.
Re:'the only person he felt he could trust.' (Score:4, Informative)
You must be new here.
Some of us keep the fact that we are married, and have children, a secret.
Oops!
Re:End of the days (Score:2, Informative)
As an anonymouse with just a wee bit of inside information on the situation at DTIS, I have to say that we are going to have to wait and see what (and just how much) of the very dirty laundry gets aired as this moves along. Without any comment on Childs' sanity, or reasonability, it is a fairly well known fact that on the management side of things, SF has plenty of troubles and dysfunction in re not only DTIS, but the city bureaucracy overall right now. If he does expose "the utter mismanagement, negligence, and corruption" that he has seen, then at the very least were in for a good court circus act.
Re:'the only person he felt he could trust.' (Score:5, Informative)
the more recent article points out he did not do ANY harm after being fired. The "backdoors" were pointed to a pager. The no recover setting would have been to protect the network settings from stolen hardware wiht physical access... because we all know equipment NEVER goes missing from city offices. Sounds like he was overly paranoid but other than not coughing up the password, did NO wrong.
In fact, the fact that there was nobody in the department that could identify what he did, and the police had to go to outside people seems to scream that he's innocent of all of the charges.
As far as the password.. they fired him! No plans made to cover his tasks, or to continue admin services... just give them the password... who knows what they'd accuse him of in 3 months because they don't know what they're doing. Waiting until he's FIRED to ask for documentation is too late... if he's a "criminal" for not giving the info up, they are even more so for not following good security practices and not having this info BEFORE they needed to let him go.
Re:Protecting his reputation? (Score:1, Informative)
Why is it that everyone thinks they know his psychological profile and motives, and assume he is guilty when pretty much all we really know about the case is wild media speculation.
"Just following orders" isn't an excuse, sometimes you have to do the right thing instead.
This looks his way of being a "royal pain" in order to get past middle management and get to talk to someone in charge.
Personally I would much rather hire someone like him who appears to be trying to do a good job serving his customers(the city) instead of some asshole(parent poster) who obeys his bosses every whim so long they promise to shield him from jail time.
Re:Live Free or Die Hard (Score:5, Informative)
he NEVER attacked, nor have they claimed he did. They arrested him and charged him the same day they fired him and he wouldn't give up the password. Then started spewing to the press he "might have" created back doors (lines calling his on-call pager) and sabotaged equipment (not restoring the configs on power cycle to protect the network).. which is already being determined as built-in (but rarely used) features being used correctly. So far the ONLY WRONGDOING they have is refusal to give up the password.
They ARRESTED and managed to get $5M bail for not giving up a password... period.. the rest is misinformation, lack of job skill by his boss, or outright LIES. No wonder he didn't give it up sooner!
Missing an important word... (Score:3, Informative)
Second, this man is in no way justified in what he did. Threatening the infrastructure of a city (especially one as large as SF) is inexcusable.
You're missing an important word here. It's not "this man is in no way justified in what he did", it's "this man would be in no way justified in what he is alleged to have done". There are two completely different stories being promulgated here. In one story, Childs set up boobytraps and backdoors in the system and threatened the infrastructure of the city. In the other story, Childs made an error in judgement in the configuration of the routers, and refused to give the password to people he was not sure were authorized to have it.
Where the truth is between these extremes, I don't know, but at this point he is only alleged to have threatened the infrastructure of the city... and after what happened in Intel vs. Randal Schwartz I think it's important to keep that word in mind.
So what's the problem? (Score:2, Informative)
Did anyone else think this when they read the article?
reboot the router
press break during boot
confreg 2142
put in new password or nuke the startup
confreg 2102
reload router
What am I missing? It's easy to root a Cisco router if you have physical access to it.
Re:meaning no disrespect to the guy... (Score:3, Informative)
True. Professionals also don't tell professionals from other fields how to do their jobs.
What other field? These are all IT jobs, I'm not talking about putting the accountants in charge of the firewalls. I'm not even suggesting you rotate the programmers and the admins, those are distinct fields. But if a Linux expert can't get up to speed on managing AD, or a Windows expert can't get up to speed on running Cisco firewalls, then they're both entirely too specialized to be truly useful to an organization.
You obviously haven't served
12 year veteran of the USNR. Served in both Gulf Wars. Left as an IT1 (Information Systems Technician 1st Class). When I was a Leading Petty Officer for my division, I would routinely rotate guys from one workcenter to another, to make sure they knew the systems in each one. Additionally, to be promoted in the Navy, you have to be certified that you know how all of the systems on your ship/unit/station work together. So I don't know which branch you were in, but in the Navy at least cross training is taken very seriously.
To reiterate: just because something is hard to do, doesn't mean it's not worthwhile.
Re:'the only person he felt he could trust.' (Score:3, Informative)
The key word is "distribute". It's OK to have them as the one person who knows everything - after all, that's the kind of knowledge you can only acquire by living it - but not OK to have them as the only person who knows anything. If trust is the issue, then ensuring that there are enough other people who know the important things without any one person knowing enough to do damage will meet the requirement of distributed knowledge. If it's a question of taming their ego, then it's enough to ensure they're aware that replacing them would not be impossible - making them feel like they're viewed as a corporate drone will make them feel thoroughly underappreciated and probably bring about their early departure, which you don't want.
Re:meaning no disrespect to the guy... (Score:3, Informative)
Just a guess, but I'm thinking your computer systems officer or whatever you had wasn't rotated annually to the radio shop to expand his horizons.
Um, the Commo WAS my division officer. My work centers included LAN support, WAN support, satellite comms, crypto, radio comms, desktop support, and myriad other C4I systems. So not only were the computer guys also the radio guys, the jobs were considered to be interchangeable and everyone was expected to fill all of those roles, as needed. Sure, we had guys who were better at some jobs than others, and when we went to GQ the best guys were at their assigned stations. But short of that, everyone was expected to work in different work centers on a regular basis.
Not to mention that the officers were rotated in their jobs even more often than the enlisted, and much more drastically. My first division officer started working with us as an ensign; by the time he made lieutenant, he had served as the ship's legal officer, the damage control officer, and the assistant navigator. He managed to learn all of those roles just fine.
And no, there were no civilian contractors working with us, except for rarely training on new systems. The Navy doesn't get the luxury of the Air Force in contracting out all of their jobs to the lowest bidder, sailors are expected to work for a living.
Re:'the only person he felt he could trust.' (Score:5, Informative)
That is a quote from a psalm that was made into a song.
Not any more insane than quoting Aerosmith.
Re:So what's the problem? (Score:4, Informative)
No, because we all read the part about where he disabled the ability [cisco.com] to do exactly what you suggested he do.
Re:'the only person he felt he could trust.' (Score:3, Informative)
"To this date, with medication I still am hazy on if computer viruses can infect human beings"
They can not. Science fiction writers have written stories about such possibilities in the future - but such a future is still many decades off. Don't worry about that.
Comment removed (Score:2, Informative)
Re:Ooo! Danger! (Score:2, Informative)
Cities including Los Angeles, Chicago, New York, Boston, Houston, Philadelphia, Seattle, the entire state of Alaska, all of DC and quite a few others also have sanctuary laws.
Besides, the fact that someone is here illegally has little to do with the chances of them being an insane homicidal murderer.