Terry Childs
What do you do if you are a system administrator, or a database
administrator, and your nontechnical supervisor wants the root password?
Terry Childs was a Cisco-certified Internetwork Expert (CCIE)
working for San Francisco; he was the only one with the router
passwords for the city's "fiberWAN" network. He even configured the city's routers to resist attempts at password recovery.
He was suspended for insubordination on July 9, 2008,
apparently for refusing to turn over router passwords. He
did indeed resist turning over passwords for a couple weeks. However,
he had at least some legitimate reasons. Unfortunately, the crime for
which he was charged, "disruption or denial of a computer service",
applies to much of the daily life of network administrators; the way
the law was applied to Childs, it might apply to anyone making a
mistake on the job.
Furthermore, the city network was never in fact disrupted. And Childs did eventually turn over the password.
There are GOOD reasons for limiting access to such passwords on a
need-to-know basis, BUT refusing to turn them over might be going
pretty far, especially when this locks the owners of the system out.
However, there are some mitigating factors, including the fact that
there was an open speakerphone call in progress at the time Childs was
asked for the passwords. We do not know if Childs was given another
chance to turn over the passwords, or told to turn them over privately
to his immediate supervisor, or to create another account, though
Childs could certainly have offered any of these and did not. There
were allegations at the trial that Childs knew he was expected to turn
over the passwords, after the confrontation, but did not do so.
However, it is not entirely implausible that if Childs had turned over
the passwords at the initial conference, he might have been prosecuted
for doing so.
At the trial, Childs claimed he was only asked (by his supervisors and by the police) for his username and password, not
for access to the systems in question (which he could have granted by
creating another account). Other accounts claim that Childs clearly
knew what his supervisors wanted, and refused to give it to them.
Most accounts describe the July 9 meeting as a "confrontation",
ultimately due as much to poor San Francisco management as to Childs'
behavior.
Note that the password in question was not a personal password, but
rather an administrative password for a set of Cisco routers. The
routers had been configured so as to be difficult to update without the
password.
He was arrested by SF police on Saturday, July 12, 2008 on four
counts of computer tampering. He was never granted reasonable bail, and he
remained in prison through his April 27, 2010 conviction. (He was released in May 2011.)
He refused to give the police valid passwords at his arrest
(such refusal without having the opportunity to consult with a lawyer
is protected by the 5th Amendment, although it is not clear whether he continued to refuse).
He did give the passwords to then-mayor Gavin Newsom of SF, on July 21, 2008, while
in prison.
It seems likely that Childs would have had opportunities to
negotiate with his supervisors for the handover of the passwords
between the July 9 confrontation and his arrest, though he was suspended.
At no point did Childs do anything to damage the network, and the network was never
down at any time.
Childs had some past history: he committed a burglary at age 17 and
spent 4 years in prison. This has no official bearing on the present case, but may have greatly influenced the judge's decision to deny reasonable bail.
The city's main claim is that Childs was arrested because he placed
the city systems in jeopardy. However:
- Refusal to share passwords is difficult to see as a criminal act.
After all, Childs could always quit. Or, for that matter, die. The
city's legal position appears to have been that by refusing to hand over
passwords, Childs was guilty of "denying access".
- The city knowingly created and encouraged the environment in which
Childs was the only one with the passwords.
- No working systems were ever at risk.
The biggest concerns to computing professionals are the denial of bail
and the fact that San Francisco then created a laundry list of criminal
allegations against Childs that in fact are standard practices:
- Childs knew several other people's passwords. (A list of 150 such
was found in Childs' house, and entered into evidence at his bail
hearing without redacting the passwords themselves.)
- He had network sniffers in place.
- He had "back-door" access to the routers, through several
modems
(three in the final criminal count). But these were pretty clearly for
emergency access.
- Routers were configured to resist password recovery (this is
standard practice when the physical security of the device is in
question).
- Configurations were not written to flash memory (same as the previous item).
- Childs' pager was sent a page by one of the routers (duh)
Regarding the first point here, the city later sued Childs for
damages. A large part of the damages had to do with changing the
passwords discovered in Childs' home. But the primary reason to change
the passwords was that the state published the password list in court documents.
Childs seems to have been "security-conscious to the point of paranoia".
But most good computer-security people are!
Childs' bail was set at $5 million. In opposing bail reduction for Childs, the city's attorneys wrote in
July 2008:
In the training room locked by the
Defendant, they discovered two modems that allowed access to the City's
network from unauthorized
locations. A further analysis of the network by Principle Security
Consultant Anthony Maupin determined that the Defendant had configured
multiple Cisco network devices with a command that erases
all configurations and data in the event someone tried to recover the
password. Further, the Defendant had created his own private network
that bypassed all City monitoring and security systems. He had programs
that monitored and detected any intrusions
and notified the Defendant if others were monitoring or trying to
access his information. The Defendant had implemented his own email server
and had multiple remote access systems, some which [sic] were hidden in
locked storage cabinets and connected to modems. This permitted the
Defendant to access the City's network infrastructure undetected. An
additional modem was discovered in a locked cabinet near his cubicle
that was connected to a phone line and had access to the network.
... There are over 1100 different devices, routers, switches, modems,
etc, scattered throughout the city's offices that the Defendant
may have configured and even locked with his own passwords. ...
there is a serious threat to the City's network system if the Defendant
was out of custody without the City having full control over all the
1100 devices as the Defendant may have access any of these devices
[sic].
The final four charges (pretty close to the original, but with none of
the tantalizing allegations of the bail-reduction motion making it in)
were: one of "disrupting or denying computer services" (by not
revealing the passwords) and three of "providing a means of accessing a
computer, computer system, or computer network" (one for each of the
three modems).
The latter three charges were finally dropped on August 21, 2009, over a year later. Bail remained at $5
million, even though the state's original argument against bail
reduction was based on the three dropped charges and the idea that the
"unauthorized" modems might mean that Childs had other
backdoors into the city network. Also, San Francisco had plenty of time to
tighten up security. It is possible that the three dropped
"unauthorized modem" charges were dropped because of the impossibility
of proving that they were in fact unauthorized, though that is to some
extent exactly the defense's point.
Typically, bail for a single murder is set at about $1 million.
Jerry Sandusky, the Penn State coach accused of raping children, at one
point had bail set at $250,000 (for ~10 victims). That is probably
less than 1 year's salary; Childs' bail was probably about 50 years'
salary. Ultimately, the refusal of the courts to consider bail was
perhaps the most unsettling part of the case.
Childs was charged with "disrupting or denying computer services".
However,
- He did not disrupt any computer services.
- He did eventually reveal the correct password.
- He could have been charged under the same law had he revealed the
password when first asked, given the full circumstances surrounding
that confrontation.
Note that in the first "disrupting or denying computer services"
charge, no computer services were actually disrupted. The only thing
denied was the password.
He did configure the network in a manner that made it difficult for
coworkers to reconfigure it. Was this about prudence, or job security?
He apparently did not face day-to-day clear lines of authority; he
definitely was not asked to make the master passwords available to
supervisors until the dispute.
There were no charges of network tampering; these appeared in court
documents in July and August 2008 but were dropped. ("Network
tampering" appears to have been replaced by the three modem charges.)
The modems were all apparently legitimate: the first was to dial
Childs' pager if there was a problem (through the "What's Up Gold"
monitoring package), the second was to allow immediate dial-in access
to some SF networks (not apparently the FiberWAN), and in addition was
apparently installed before Childs was hired, and the third was to
provide an alternative communications path to emergency services
across the San Andreas fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate
purpose, it does not appear to be documented anywhere in any filings to
date.
It is indeed possible that Childs decided not to have configurations
written to flash memory for "job security"; i.e., so that, if there was a
problem, he would be irreplaceable. Alternatively, it could have been
because Childs was having conflicts with management and wanted them to
know they couldn't work without him.
Creating a system that could not be modified except by him can
certainly be seen as malicious. However, San Francisco's contribution
to the situation, and the city's long-standing acceptance of the
situation, are contributory.
The formal allegation against Childs did not spell out any specific
evidence of intent to disrupt the network (though it did not have to).
There is considerable evidence, though, that Childs did indeed intend
to give himself "job security" by making sure no one else could manage
the network.
One possible reason Childs was denied reasonable bail is the fact that
a search of his residence just before his arrest turned up some 9mm
ammunition, and Childs had in 1985 been convicted of a felony: armed
robbery (with a knife). Possession of ammunition by a convicted felon
is illegal in California (and many other states). Also, the fact that
Childs had $10,000 in cash in his house was interpreted by the police
as evidence that he was a flight risk. Finally, Childs lied to his
supervisors when he said he had no past felony convictions, and lied
again on the day of his management confrontation when he said his
fiberWAN password no longer worked. Both of these are perhaps
understandable, and in principle they shouldn't matter, but one doesn't
know.
It does seem likely, however, that a big part of the reason Childs
remained in jail is that the City keeps raising the specter that he
could break in. But if he could, even a few months later, let alone
close to two years, then so could anyone else, and the City's security
is just plain negligent.
One plausible charge against Childs is the allegation that he
configured the routers not to store their configurations, and that this
was done in order that if the network crashed, only he could resurrect
it. From the arrest-warrant affidavit of
police officer James Ramsay:
Mr Maupin [the city's security
consultant] was also able to determine and validate that Mr Childs had,
in fact, intentionally configured multiple Cisco network devices with a
command that erases all configuration and data in the event that
someone tries to restore administrative access or tries to perform
disaster recovery. This command was created for military applications
that require the deployment of network devices in areas that may have
the possibility of hostile forces that could get physical access to
network devices.
Officer Ramsay also was the one to tell Childs initially that failure
to divulge the passwords was "a denial of service as defined under
Penal Code violation Section 502(c)(5)". This claim remains farfetched,
at face value, given the lack of clear authority within DTIS, although
it might apply if Childs had withheld the password with malicious intent.
Note that the quoted line "this command was created for military
applications ..." is both misleading and a bit of a stretch. It seems
likelier that the command was suggested
for military applications, but even if it was created for that, so was GPS.
As for the configuration-to-erase claim, Childs' attorneys claimed in
his bail-reduction motion that one of his colleagues, Carl Sian,
intentionally kept (as for study) computer viruses, and later spread
one to Childs (possibly accidentally). Somewhat later, Childs'
supervisor Herb Tong made some technically inappropriate changes to the
fiberWAN system. In light of those events, Childs may very well have
felt that the "hardened" configuration of the routers was appropriate.
The early case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928.
Overall, it seems to me that people who work in very structured
environments have no sympathy for Childs; he clearly broke the rules.
Partly that is not the point; just about everyone agrees his firing was
legitimate.
Here are a couple of comments from one of the jurors, Jason Chilton, who, like Childs, was a CCIE.
The questions were, first, did the defendant know he caused a
disruption or a denial of computer service. It was rather easy for us to
answer, "Yes there was a denial of service." And that service was the
ability to administer the routers and switches of the FiberWAN.
Is refusing to turn over a password really a denial of service? It seems more like a denial of potential
service. Is refusing to turn over passwords a denial of a "computer
service", given that all routing and software continued to run
properly? Do software developers face denial-of-service charges if they
withhold certain notes as to how an application works? What about
network administrators who quit without completing certain
network-architecture documentation that the employer asks for?
That was the first aspect of it, the second aspect was the denial to an
authorized user. And for us that's what we really had to spend the most
time on, defining who an authorized user was. Because that wasn't one of
the definitions given to us.
From blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php:
It almost seemed like paranoia. Especially after he found out there
would be some organizational changes, I believe the security he was
putting in place wasn't to prevent attackers but to prevent people from
getting rid of him. He would be needed because no one
else could take care of this network. It was so secure, only he could
have access.
On August 6, 2010, Childs was sentenced to four years in prison. This is an extraordinary sentence
if you believe the case was the result of a workplace misunderstanding.