Terry Childs

What do you do if you are a system administrator, or a database administrator, and your nontechnical supervisor wants the root password?

Terry Childs was a Cisco-certified Internetwork Expert (CCIE) working for San Francisco; he was the only one with the router passwords for the city's "fiberWAN" network. He even configured the city's routers to resist attempts at password recovery.

He was suspended for insubordination on July 9, 2008, apparently for refusing to turn over router passwords. He did indeed resist turning over passwords for a couple weeks. However, he had at least some legitimate reasons. Unfortunately, the crime for which he was charged, "disruption or denial of a computer service", applies to much of the daily life of network administrators; the way the law was applied to Childs, it might apply to anyone making a mistake on the job.

Furthermore, the city network was never in fact disrupted. And Childs did eventually turn over the password.

There are GOOD reasons for limiting access to such passwords on a need-to-know basis, BUT refusing to turn them over might be going pretty far. Especially when this locks the owners of the system out.

However, there are some mitigating factors, including the fact that there was an open speakerphone call in progress at the time Childs was asked for the passwords. We do not know if Childs was given another chance to turn over the passwords, or told to turn them over privately to his immediate supervisor, or to create another account, though Childs could certainly have offered any of these and did not. There were allegations at the trial that Childs knew he was expected to turn over the passwords, after the confrontation, but did not do so. However, it is not entirely implausible that if Childs had turned over the passwords at the initial conference, he might have been prosecuted for doing so.

At the trial, Childs claimed he was only asked (by his supervisors and by the police) for his username and password, not for access to the systems in question (which he could have granted by creating another account). Other accounts claim that Childs clearly knew what his supervisors wanted, and refused to give it to them.

Most accounts describe the July 9 meeting as a "confrontation", ultimately as much due to poor San Francisco management as Childs' behavior.

Note that the password in question was not a personal password, but rather an administrative password for a set of Cisco routers. The routers had been configured so as to be difficult to update without the password.

He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering. He was never granted reasonable bail, and he remained in prison through his April 27, 2010 conviction. (He was released in May 2011.)

He refused to give the police valid passwords at his arrest (such refusal without having the opportunity to consult with a lawyer is protected by the 5th Amendment, although it is not clear whether he continued to refuse). He did give the passwords to then-mayor Gavin Newsom of SF, on July 21, 2008, while in prison.

It seems likely that Childs would have had opportunities to negotiate with his supervisors for the handover of the passwords between the July 9 confrontation and his arrest, though he was suspended.

At no point did Childs do anything to damage the network, and the network was never down at any time.

Childs had some past history: he committed a burglary at age 17 and spent 4 years in prison. This has no official bearing on the present case, but may have greatly influenced the judge's decision to deny reasonable bail.

The city's main claim is that Childs was arrested because he placed the city systems in jeopardy. However:

  1. Refusal to share passwords is difficult to see as a criminal act. After all, Childs could always quit. Or, for that matter, die. The city's legal position appears to have been that by refusing to hand over passwords, Childs was guilty of "denying access".
  2. The city knowingly created and encouraged the environment in which Childs was the only one with the passwords.
  3. No working systems were ever at risk.

The biggest concerns to computing professionals are the denial of bail and the fact that San Francisco then created a laundry list of criminal allegations against Childs that in fact are standard practices:

  1. Childs knew several other people's passwords. (A list of 150 such was found in Childs' house, and entered into evidence at his bail hearing without redacting the passwords themselves.)
  2. He had network sniffers in place.
  3. He had "back-door" access to the routers, through several modems (three in the final criminal count). But these were pretty clearly for emergency access.
  4. Routers were configured to resist password recovery (this is standard practice when the physical security of the device is in question).
  5. Configurations were not written to flash memory (same as 4).
  6. Childs' pager was sent a page by one of the routers (duh).

Regarding the first point here, the city later sued Childs for damages. A large part of the damages had to do with changing the passwords discovered in Childs' home. But the primary reason to change the passwords was that the state published the password list in court documents.

Childs seems to have been "security-conscious to the point of paranoia". But most good computer-security people are!

Childs' bail was set at $5 million. In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:

In the training room locked by the Defendant, they discovered two modems that allowed access to the City's network from unauthorized locations. A further analysis of the network by Principle Security Consultant Anthony Maupin determined that the Defendant had configured multiple Cisco network devices with a command that erases all configurations and data in the event someone tried to recover the password. Further, the Defendant had created his own private network that bypassed all City monitoring and security systems. He had programs that monitored and detected any intrusions and notified the Defendant if others were monitoring or trying to access his information. The Defendant had implemented his own email server and had multiple remote access systems, some which [sic] were hidden in locked storage cabinets and connected to modems. This permitted the Defendant to access the City's network infrastructure undetected. An additional modem was discovered in a locked cabinet near his cubicle that was connected to a phone line and had access to the network.

... There are over 1100 different devices, routers, switches, modems, etc, scattered throughout the city's offices that the Defendant may have configured and even locked with his own passwords. ... there is a serious threat to the City's network system if the Defendant was out of custody without the City having full control over all the 1100 devices as the Defendant may have access any of these devices [sic].

The final four charges were pretty close to the original, though none of the tantalizing allegations of the bail-reduction motion made it in: one of "disrupting or denying computer services" (by not revealing the passwords) and three of "providing a means of accessing a computer, computer system, or computer network" (one for each of the three modems).

The latter three charges were finally dropped on August 21, 2009, over a year later. Bail remained at $5 million, even though the state's original argument against bail reduction was based on the three dropped charges and the idea that the "unauthorized" modems might mean that Childs had other backdoors into the city network. Also, San Francisco had plenty of time to tighten up security. It is possible that the three dropped "unauthorized modem" charges were dropped because of the impossibility of proving that they were in fact unauthorized, though that is to some extent exactly the defense's point.

Typically, bail for a single murder is set at about $1 million. Jerry Sandusky, the Penn State coach accused of raping children, at one point had bail set at $250,000 (for ~10 victims). That is probably less than 1 year's salary; Childs' bail was probably about 50 years' salary. Ultimately, the refusal of the courts to consider bail was perhaps the most unsettling part of the case.

Childs was charged with "disrupting or denying computer services". However,

Note that in the first "disrupting or denying computer services" charge, no computer services were actually disrupted. The only thing denied was the password.

He did configure the network in a manner that made it difficult for coworkers to reconfigure it. Was this about prudence, or job security? He apparently did not face day-to-day clear lines of authority; he definitely was not asked to make the master passwords available to supervisors until the dispute.

There were no charges of network tampering; these appeared in court documents in July and August 2008 but were dropped. ("Network tampering" appears to have been replaced by the three modem charges.)

The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the "What's Up Gold" monitoring package); the second was to allow immediate dial-in access to some SF networks (not apparently the FiberWAN), and in addition was apparently installed before Childs was hired; and the third was to provide an alternative communications path to emergency services across the San Andreas fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.

It is indeed possible that Childs decided not to have configurations written to flash memory for "job security"; i.e., so that, if there was a problem, he would be irreplaceable. Alternatively, it could have been because Childs was having conflicts with management and wanted them to know they couldn't work without him.

Creating a system that could not be modified except by him can certainly be seen as malicious. However, San Francisco's contribution to the situation, and the city's long-standing acceptance of the situation, are contributory.

The formal allegation against Childs did not spell out any specific evidence of intent to disrupt the network (though it did not have to). There is considerable evidence, though, that Childs did indeed intend to give himself "job security" by making sure no one else could manage the network.

One possible reason Childs was denied reasonable bail is the fact that a search of his residence just before his arrest turned up some 9mm ammunition, and Childs had in 1985 been convicted of a felony: armed robbery (with a knife). Possession of ammunition by a convicted felon is illegal in California (and many other states). Also, the fact that Childs had $10,000 in cash in his house was interpreted by the police as evidence that he was a flight risk. Finally, Childs lied to his supervisors when he said he had no past felony convictions, and lied again on the day of his management confrontation when he said his fiberWAN password no longer worked. Both of these are perhaps understandable, and in principle they shouldn't matter, but one doesn't know.

It does seem likely, however, that a big part of the reason Childs remained in jail is that the City keeps raising the specter that he could break in. But if he could, even a few months later, let alone close to two years, then so could anyone else, and the City's security is just plain negligent.

One plausible charge against Childs is the allegation that he configured the routers not to store their configurations, and that this was done in order that if the network crashed, only he could resurrect it. From the arrest-warrant affidavit of police officer James Ramsay:

Mr Maupin [the city's security consultant] was also able to determine and validate that Mr Childs had, in fact, intentionally configured multiple Cisco network devices with a command that erases all configuration and data in the event that someone tries to restore administrative access or tries to perform disaster recovery. This command was created for military applications that require the deployment of network devices in areas that may have the possibility of hostile forces that could get physical access to network devices.

Officer Ramsay also was the one to tell Childs initially that failure to divulge the passwords was "a denial of service as defined under Penal Code violation Section 502(c)(5)". This claim remains farfetched, at face value, given the lack of clear authority within DTIS, although it might apply if Childs had withheld the password with malicious intent.

Note that the quoted line "this command was created for military applications ..." is both misleading and a bit of a stretch. It seems likelier that the command was suggested for military applications, but even if it was created for that, so was GPS.

As for the configuration-to-erase claim, Childs' attorneys claimed in his bail-reduction motion that one of his colleagues, Carl Sian, intentionally kept (as for study) computer viruses, and later spread one to Childs (possibly accidentally). Somewhat later, Childs' supervisor Herb Tong made some technically inappropriate changes to the fiberWAN system. In light of those events, Childs may very well have felt that the "hardened" configuration of the routers was appropriate.

The early case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928.

Overall, it seems to me that people who work in very structured environments have no sympathy for Childs; he clearly broke the rules. Partly that is not the point; just about everyone agrees his firing was legitimate.

Here are a couple comments from one of the jurors, Jason Chilton, who, like Childs, was a CCIE.

The questions were, first, did the defendant know he caused a disruption or a denial of computer service. It was rather easy for us to answer, "Yes there was a denial of service." And that service was the ability to administer the routers and switches of the FiberWAN.

Is refusing to turn over a password really a denial of service? It seems more like a denial of potential service. Is refusing to turn over passwords a denial of a "computer service", given that all routing and software continued to run properly? Do software developers face denial-of-service charges if they withhold certain notes as to how an application works? What about network administrators who quit without completing certain network-architecture documentation that the employer asks for?

That was the first aspect of it, the second aspect was the denial to an authorized user. And for us that's what we really had to spend the most time on, defining who an authorized user was. Because that wasn't one of the definitions given to us.

From blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php:

It almost seemed like paranoia. Especially after he found out there would be some organizational changes, I believe the security he was putting in place wasn't to prevent attackers but to prevent people from getting rid of him. He would be needed because no one else could take care of this network. It was so secure, only he could have access.

On August 6, 2010, Childs was sentenced to four years in prison. This is an extraordinary sentence if you believe the case was the result of a workplace misunderstanding.