Slashdot Mirror
SF Admin Gives Up Keys To Hijacked City Network
snydeq writes "Jailed IT admin Terry Childs relinquished his hold over San Francisco's multimillion-dollar FiberWAN, handing his administrative passwords over to San Francisco Mayor Gavin Newsom, who was 'the only person he felt he could trust.' Childs is still being held on $5 million bail for his lockout of the city's FiberWAN, a case that has been called into question since an insider came forward with details about both the network and Childs himself. The case hinges on No Service Password Recovery commands Childs allegedly configured onto several Cisco devices, as well as dial-up and DSL modems the SFPD has discovered that would allow unauthorized connections to the FiberWAN. Childs intends to 'expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,' according to his motion. The Department of Telecom and IS has cut 200 of its 350 IT positions since 2000 — pressure that may have contributed to Childs' actions, according to interviews with current and former DTIS staffers. Newsom secured the passwords without first telling the DTIS that he was meeting with Childs."
I guess Newsom is an MCSE/CCNA and therefore is trusted.
This story has a real obvious 'bad guy' in Childs.
Arrogant, supposedly unstable, egotistical.
But there are odd, contrary, little pieces of this tale that intrigue me.
I'd like to see some comprehensive treatment of this tragicomedy written a year from now, when the dust has settled, and Childs' side of the story can be heard as well.
You can't talk about Wikipedia's flaws on Wikipedia
No, instead, he's a paranoid monomaniacal prima donna. If it is was me, I'd rather be a white cat-stroking schemer bent on world domination, because the former demonstrates a sick mind.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Did anyone else wonder why a SourceForge administrator had the keys to a city's network.
I will not mourn that which I never had to lose. - Unknown
He was just too embarrassed by the password - ibonkedmymom.
Help a man when he is in trouble and he will remember you when he is in trouble again.
"Childs intends to 'expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,' according to his motion."
The fact that one employee had complete control over the network should be enough of a sign. Of course this is management, so they're all likely still confused on what's going on and need to have another meeting.
If he believes that the Mayor is going to be reconfiguring the routers he certainly is a nutjob!
simon
How is not doing your job criminal exactly? Grounds for dismissal, sure, but jail?
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
Anyone having spent that much effort creating a network - and succeeding - would become paranoid and protective of it. I challenge anyone to invest so much in any project and then happily see it messed up by people who are less competent.
However the situation is still messed up, the City should never have allowed one person to take on so much responsibility, and at the first sign that he was becoming indispensable, they should have moved him to another project.
If someone is essential for a project, replace him as soon as you can...
In fact the whole story is a good case study for outsourcing - a small, competent network firm would have done as good a job, and treated the incompetent managers simply as clients, not bosses.
The blame lies squarely with the City, not Childs.
My blog
So...I certainly don't know if this guy is crazy or not, but there are a few things that I am surprised the /. crowd really hasn't bothered with.
1. The problems between IT and Management are so bad across the board that there is a famous cartoon relating these problems. This famous cartoon spawned the "PHB" reference. So...to listen to an IT guy complain of incompetent management shouldn't be a surprise at all. Please everyone, raise your hand if you have been handed complete and utter bullshit requirements or policies that some "PHB" without a technical clue has demanded that you implement. Now...raise your hand if you were stupid enough to EVER give them administrative rights over ANYTHING.
2. The media has a fucking field day with "evil hackers". This is so bad that the world "hacker" now means criminal and hordes of geeks wimpering and moaning about how the media stole the word. So...the media reporting on yet another "evil hacker holding city hostage" should be taken with a grain of salt. Sensationalist crap reported by people that have less than 0 IT understanding to the masses who also have less than 0 IT understanding. Million to one odds says that if they actually reported the more technical facts of this case the ratings would be near 0 and this story would have never gotten to be so high profile.
3. He did give the password to the person at the top of the chain of responsibility for this. Which to me sounds like the most appropriate thing to do. If you are so concerned that everyone is an incompetent fool then your only option is to go straight to the top. Imagine how much trouble this guy would be in if he gave out these passwords to a bunch of corrupt and incompetent folks who did bring the city down? At least this way everything continued functioning.
Finally...and most concerning to me is a quote from the article.
But without access to either Childs' passwords or the backup configuration files, administrators would have to essentially re-configure their entire network, an error-prone and time-consuming possibility, Chase said. "It's basically like playing 3D chess," he said. "In that situation, you're stuck interviewing everybody at every site getting anecdotal stories of who's connected to what. And then you're guaranteed to miss something."
Really...so basically these people didn't document ANYTHING. Because config files or not, rebulding your network if you bothered to document things isn't all that hard, it's just time consuming. But straight from their man there they would be stuck interviewing people for anecdotal stories becaues they were too incompetent to bother documenting the network. Nevermind that they seem to have cut their IT staff from 350 to 100 over the last few years. So it sounds like their IT staff was just the favored bucket to take money from, which is hardly new thinking these days. It amuses me to no end when companies/governments treat their IT staff like overpaid housekeeping, largely unneccessary drains on budgets, and an unimportant support function and then scream bloody murder when the shit hits the fan.
The only change I can believe in is what I find in my couch cushions.
I think sometimes people need to see the bigger picture. In my youth, I thought that becoming indispensable meant I was a valuable employee, and I had job security. But I had an epiphany at 2am one morning when I was fixing a problem. I COULD be the only one to fix this problem and be stuck fixing these problems forever. Or I could trust someone else and train them to fix these problems. Could my company find it easier to replace me? Sure, but it's just a job; I'll get other ones. The lost time I could have spent at 2am doing other things (like at home with my family) was worth the compromise. Any of you who missed out on anything because you were at work know what I mean.
Well, there's spam egg sausage and spam, that's not got much spam in it.
"Save the network. Save the world."
Hey dreamchaser, this is your boss. I need write access to the email archives. The SEC has been poking around and, well, you know how it goes.
PS - get back to work.
Do you even lift?
These aren't the 'roids you're looking for.
Obviously, you have never met the Aristocrats.
Let's try this one instead:
You're responsible for maintaining a nuclear reactor. Your manager, who has no idea how to actually runs the reactor comes in and demands to be given all of the necessary keys and passwords to the reactor. The reactor is currently working flawlessly, and there is no obvious reason for your manager to need access to the system.
Do you:
A. realize that this could be very bad for the company, and protect the company by refusing to turn over access to an unqualified person?
B. turn over access to the access to an unqualified person, and just hope that they don't do anything which results in anyone's death, or your working 16hr shifts for the next 3 months straight.
I would argue that choosing "B" could be criminally negligent, and that A is the better choice, however, he should also immediately go to HR and explain why he's violating the order.
In this particular case, he might've saved the city of San Francisco millions of dollars in lost productivity from someone getting access who had no clue what they were doing.
Build it, and they will come^Hplain.
Most folks aren't familiar with WAN management, so they probably still don't get what you're saying.
People: Installing backdoors in a WAN saves you a 1+ (sometimes much more than 1+) hour trip somewhere to check a stat or reset a device. Installing backdoors in a LAN is lazy. In other words, the difference is geography. As a WAN manager if you don't have what's called an "out of band" management plan, you're an idiot. (Or you have a micro-sized WAN.) It's also not something that's left secretly, it's planned and secured like any other WAN exposure.
Good luck!
-Matt
unconstitutional state law.
We should be able to work this out. Maybe we can just agree that you get to keep your handguns and I get to get married.
# (/.);;
- : float -> float -> float =
To have someone ELSE give the "key to the city" to the mayor?
Being indispensable in one role will prevent you from being promoted. I was up for a coveted project but it was assigned to a less qualified person because I was too indispensable in my current project. Lest you think management was just letting me down softly, they had me train the person who was assigned the coveted project. That's right. They had me train the person who took the good job, and had me stay on my less-good project because I was really good at my current project.
I'm now trying to become a manager on the other project. They'll probably say that I don't have any experience in the field and promote the person who has it now, but we'll see.
A NYC lawyer blogs. http://www.chuangblog.com/
"Your mental illness is not real."
Mine is very real. I doubt you've ever spent 6 months in a hospital trying to tell people that human beings are being infected by a computer virus. (note: the computer virus was real, and i was the only person who could actually get it off the machines, because it was infecting the BIOS and had 'symptoms' like going to the desktop in the middle of a full screen video game, that other people dismissed as being 'real')
To this date, with medication I still am hazy on if computer viruses can infect human beings, on a bad day, i look for malware in every OS on every computer i have, with every tool available to me, including many useful FOSS tools like dban which allows complete erasure of the drive...
"You are the product of a society that is unable to deal with stress and disappointment."
I'll give you that, but you've never gone 6 days unwilling to eat food or drink tap water because it's poisoned, luckily this symptom has been dealt with with medication.
you've probably never hidden in a basement with aluminum covering you to block the mind control waves either. related to this is using a FM radio from the 1980's and 3 cell phones, wrapped in aluminum foil to see if they really block broadcaster waves. While you're still slightly concerned about the type of high energy particles that can go through entire mountains...
"Have you ever looked at mental illness in other countries. It is tiny compared to the USA."
That may be, in a rural environment, telling people about stuff i was worried about every day and shit my family would likely instead of taking me to a doctor, that they couldn't afford would just humor me, and try to keep me eating foods and drinking water. Also, I would likely die at a much younger age, because of the lack of medical treatment overall. Not being treated by doctors is not the same as 'not having mental illness.'
"You embody the problem with the world today. A lack of conviction and discipline that has spread like wildfire."
Except my mental illness is real, my doctor even increased my medicines last week, because he though i was having too many symptoms with just 1 medication.
"Go on with your drug induced normality. You will not be mourned."
If only the drugs actually caused normality. Mine do not, i still have paranoid thoughts ever single day, they're random and unpredictable, and medication only does so much. I don't hear voices, i don't 'see things' that other people don't see, i don't walk around calling people names that i don't recognize, as if i was in a dream, and i don't wind up in a hospital writing notes about everything that i'm worried about thinking that magically if i write it a system administrator of the universe (it's all just a simulation in a computer after all) would be able to deal with the problems if i simply wrote enough notes...
I have 4 boxes of various paperwork including my 'note' writing phase.
you sir, have never been mentally ill so you know not what it is like. you've never been convinced, with you were in a hospital that another mental patient could read your mind, and control you for not looking at the pictures of their family when they asked you nicely to look at the photos.
https://www.gnu.org/philosophy/free-sw.html
the more recent article points out he did not do ANY harm after being fired. The "backdoors" were pointed to a pager. The no recover setting would have been to protect the network settings from stolen hardware wiht physical access... because we all know equipment NEVER goes missing from city offices. Sounds like he was overly paranoid but other than not coughing up the password, did NO wrong.
In fact, the fact that there was nobody in the department that could identify what he did, and the police had to go to outside people seems to scream that he's innocent of all of the charges.
As far as the password.. they fired him! No plans made to cover his tasks, or to continue admin services... just give them the password... who knows what they'd accuse him of in 3 months because they don't know what they're doing. Waiting until he's FIRED to ask for documentation is too late... if he's a "criminal" for not giving the info up, they are even more so for not following good security practices and not having this info BEFORE they needed to let him go.
Let me reply -- I've been there, done that. Not all that, but a little of that.
Back in 1992, I had a urethane or polyester exposure (I'm not sure which). That gave me hyper allergies, so the doctor put me on prednisone, which in 1/10 cases, causes psychosis.
He forgot to mention the possible side effects. But that didn't stop me from getting paranoia.
In my case, I was afraid that someone was putting something in my food to control me. Retrospectively, I think that my brain was essentially diagnosing its own problems, and trying to get me to modify my diet (ummm, could us neurons have a little more of that prednisone please? Or maybe we don't want it after all...)
Now, my mom just tried to keep me eating good food, and eventually the symptoms went away as the withdrawal effects went away. But it alerted me to the facts that (1) people of high IQ and high-stress jobs are highly likely to get a mental illness (2) I am susceptible, at the very least.
But my uncle, who works in psychology, mentioned that if you find yourself susceptible to mental illness, it is advantageous to get a lower-stress, more physical job. If need be, take up running (not all out, just 1/2 to 1 hr a day), gardening (pulling weeds is very therapeutic, I find), or a more physical job, or become a high school gym teacher. Also, avoid those situations that tend to make you more paranoid -- give yourself a break; and avoid those habits which you rationally know are insane. He calls this good mental hygiene.
Based on experience, I think he's right.
I'm right now an aerospace/ocean engineer by training, and a layout tech for a prestress concrete company by trade. I don't keep a computer or a TV at home, and use the computer minimally aside from that. If I absolutely need web access outside of my work computer, I go to a library.
I also cultivate a strong relationship with my wife, with my kids, and with Christ, praying as most Christians do. Although my prayers do get answers, I mean that in the sense that most strong Christians do, as well. When I've not been sure what to do, and I've prayed for God to close all the doors except the one he wants me doing, I've trusted him for that, and He's done it (as my wife, who is quite mentally stable, can affirm).
Last of all, needless to say, I'd say give up any weapons, and any hope of defending yourself against anything even through other means. Pray, and ask Christ to defend you. But as a potentially mentally ill person, if you're going to defend yourself, you're in trouble anyhow. So give that one up, and put your trust in God as your defender: "You who dwell in the shelter of the Lord, who abide in His shadow for Life; say to the Lord 'my refuge, my rock in whom I trust'. And he will raise you up on eagle's wings, bear you on the breath of dawn, and make you to shine like the sun, and hold you in the palm of His hand."
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
he NEVER attacked, nor have they claimed he did. They arrested him and charged him the same day they fired him and he wouldn't give up the password. Then started spewing to the press he "might have" created back doors (lines calling his on-call pager) and sabotaged equipment (not restoring the configs on power cycle to protect the network).. which is already being determined as built-in (but rarely used) features being used correctly. So far the ONLY WRONGDOING they have is refusal to give up the password.
They ARRESTED and managed to get $5M bail for not giving up a password... period.. the rest is misinformation, lack of job skill by his boss, or outright LIES. No wonder he didn't give it up sooner!
"You who dwell in the shelter of the Lord, who abide in His shadow for Life; say to the Lord 'my refuge, my rock in whom I trust'. And he will raise you up on eagle's wings, bear you on the breath of dawn, and make you to shine like the sun, and hold you in the palm of His hand."
And that, I am afraid, is not something that sounds sane at all.. but each to his own.