So whatever happened to Terry Childs?

A while back, I came across the story of Terry Childs, a CCIE #14018 who ran San Francisco's WAN. I read quite a few articles about the incident, each contributed various pieces of the story.

Do I think he was overzealous in protecting "his" network? Yes.

Did he cause denial or interruption of service? No.

Did he deserve 4 years in jail? No.

The city of San Francisco made a big deal out of how they spent $1,000,000 or so trying to get the network back. Well, no one forced them to, so it is on them for that. They should have just made a deal with Childs.

I think when he was getting reassigned he should have just gone to the new job, the FiberWAN was no longer his problem, so who cares what happens to it.

Anyway, I haven't been able to find any news on him or the case since he got out of jail in 2011. Anyone know anything?

Find more posts tagged with

Comments

cyberguypr

I referenced his case earlier this year when working on my MSISA capstone covering insider threat. This was an extremely unfortunate situation handled awfully by all parties involved. I am also curious what he's been up to.

paul78

Terry Childs was a rouge megalomaniac who got what he deserved. It has nothing to do with the incompentence of the San Francisco IT management - that is another matter.

alan2308

fmitawaps wrote: »

The city of San Francisco made a big deal out of how they spent $1,000,000 or so trying to get the network back. Well, no one forced them to, so it is on them for that. They should have just made a deal with Childs.

How would you feel if it were a company issued laptop he refused to return? How about a company issued car? You don't make a deal with a criminal who stole from you.

fmitawaps

Well that's just it -- he didn't steal anything. In fact, according to some of the reports on the story, he brought in hardware of his own to secure the network to his standards. I never read anything about him asking for money to give up the passwords, or set any other conditions on it.

So what do you think he stole? Access to the routers? He kept access limited to himself, so only he could administer them, if you want to call that stealing.

Based on what I read in 10 or so different articles and reports, I think he had 2 thoughts:

1. Only he was capable of properly handling the network, so he made himself the lone admin.
2. He thought that by being the only one in control, he would be indispensable and therefore have job security.

Who knows the actual truth, this is all second hand information, but it is the best I could find.

I think, given the situation, the city should have offered him some sort of cash payment to just go away quietly and give up control, but they wanted to be all hard about it and handled it incorrectly.

paul78

There is no dispute that he did not disclose the passwords to the network which he was hired to administer. That infrastructure was not his to kidnap and hold hostage.

So if you brought your car into the mechanic and they decided to change the ignition codes when they were upgrading it, you think it would be ok for them to decide to charge you whatever they wanted to disclose the new codes? Or you hired a contractor to install a new door and he installs a lock that only he has a key.

wd40

I think the main thing us until they have access to the network they have no way to know what he is doing.

maybe he set up something to spy on some organizations, or setup a logical time bomb, or sold access to the network to criminals.

Chinook

I think the answer is that he was all of the above.

Sounds like the guy was a zealot. He cared too much and couldn't let his job go. As a senior admin, especially in security, you feel like you stand on a mountain shouting at the world and no one listens. So you go off the rails because you can't separate things.

OctalDump

Chinook wrote: »

I think the answer is that he was all of the above.

Sounds like the guy was a zealot. He cared too much and couldn't let his job go. As a senior admin, especially in security, you feel like you stand on a mountain shouting at the world and no one listens. So you go off the rails because you can't separate things.

Even good people can do really damaging things.

Which is why management needs to understand what their underlings are doing and what their risk is. It seems crazy to allow him to accrue that much power. One story I read said that he basically designed the whole network, despite working under an Network Architect.

To go back to the laptop or car analogy, it's like they had a pile of laptops or cars and no record of how many or who had them or where they were or how they were being used. Very poor oversight.

alan2308

fmitawaps wrote: »

So what do you think he stole? Access to the routers? He kept access limited to himself, so only he could administer them, if you want to call that stealing.

Sorry, if you don't own the network, you don't get to make that choice. He was asked to turn the passwords over, and refused. It is exactly the same situation as it would be if he refused to return a company car. I'm not sure why you seem to think that the passwords were his and his alone.

TWX

Yeah, if an employee or contractor won't disclose login credentials when asked by a legitimate authority then lawyers will get involved. It's literally as simple as that.

Personally, I don't want to take care of a network that only I can take care of. First, no company would ever accept that premise, so any thoughts of being indispensable would be only in my head. Certainly, it may cost that entity a pretty penny to bring in others, or they might even decide to scrap and rebuild, but either way, from their perspective I would not be indispensable. Second, if I am considered indispensable by the employer then I am also unpromotable. I could never advance because I could never leave the job that I am currently doing to move up in the company and probably would not really make more money.

Mike-Mike

phoeneous wrote: »

I heard he got out of the game and started doing commercials for men's deodorant and bath products.

that was pretty good

kiam

Thanks for sharing this story.
I was thinking, just like nuclear weapons require authorizations from at least 2 different parties,
are there network devices for sensitive areas that are protected in the same way?
For example, would they require permission from more than one person to make changes?

OctalDump

kiam wrote: »

Thanks for sharing this story.
I was thinking, just like nuclear weapons require authorizations from at least 2 different parties,
are there network devices for sensitive areas that are protected in the same way?
For example, would they require permission from more than one person to make changes?

Certainly from a process point of view, this is what change (configuration) management is all about. That is something that the city really should have had in place to prevent this mess.
From a technical point of view? One way to bolt it on is via multifactor authentication systems where different parties hold different factors. You can also achieve a similar end with cryptography, where multiple keys are used.

the_Grinch

Originally, I was on this guys side, but after reading the case you see him for what he was. He was a vindictive network administrator who probably is suffering from some form a mental health issue.

PEOPLE v. CHILDS | FindLaw

That is an outline of the case and it is clear that his concern was never the security of the network. His concern was ultimately to keep his job and to do whatever he wanted.

California Penal Code - PEN § 502 | FindLaw

It is pretty clear that he broke the law and any ethos a true security professional would have followed. He also threw best practice out the window and then burned it when it hit the ground. Shame on his supervisors for allowing it to go that far. They could have and should have reigned him in long before the issue arose.

In my opinion, which a jury and an appeals court appear to have agreed, he clearly broke the law and received the justice that is to be expected by breaking the law.

frisco

To all of you who support me, thank you.

To all of you talking trash, "middle fingers up!"

RE: SF

Preface:
There was not so much as a single dropped packet - no data loss whatsoever between 7/9/2008 and 7/21/2008. This is documented unchallenged fact.

I genuinely believe I did not commit a crime in San Francisco, at the very minimum I had no intention to commit a crime. I had no idea my actions that day constituted any kind of violation of 502.

What happened:

I designed and built a fairly nice system for the folks over in San Francisco. It was a 10gig redundant core with 6509-Es, BXL's, and redundant fiber rings with MPLS, MPLS L3 VPNs, Cisco 3750's redundant in some cases, which would fail over at layers 1-3 automatically. I tested this down to bare metal and had it working flawlessly. They still run everything on it to this date, E911, Sheriff, SFPD, all services are active on the system, unchanged accept for new connections.

When I originally built out the five 6509-E core and the first eight 3750's - of 32 total, I had put the system on TACACS. Four months into the project I was in my managers office (Herb Tong) and casually mentioned the Fiberwan was on TACACS, he became really excited and ordered me to take it off immediately. He said we cannot have our other engineers having access and making a mistake in the configurations affecting the reputation of the Fiberwan. Since our customers had a choice, they could keep their T1's or connect to the new network, the stability of the Fiberwan was crucial. I took it off TACACS as he told me to do.

The project was near completion 98%, on 7/9/2008. On that morning we completed a major milestone for the SFPD. We had migrated all their services off legacy T1 connections on to high speed fiber connectivity. Afterward one of the IT SFPD folks said he needed to talk to me upstairs. I thought it was about the change control we had just completed. It was not, I was blindsided with a bunch of folks in a room and an open conference line. It turns out 21 people were listening in on the conference call besides the folks in the room.

When I say the project was 98% complete, I mean the project was still in engineering, and I was about ready to turn it over to operations.

While in the room the folks demanded my user id and password over and over. They never asked for access to the system, they never asked me to just reactivate TACACS. I started getting the idea they wanted to be able to log into the system as me. This concerned me deeply. Also the published policy at the time was to "keep all passwords confidential". I requested to have my union representation, and was denied. I requested to have an attorney, and was again denied. I did not give my password and was suspended. Two days later I was arrested. On 7/21/2008 I turned over my user id and password to the Mayor, because he was the CEO of the city and at that point I did not feel he would do anything nefarious to the network.

During my trial the DA called the CSO of Cisco Jon Stewart to testify. His testimony was that if he was in that room with an open conference call running with 21 people listening, he would be sitting there in orange like Terry Childs.

I still have my CCIE and obviously cisco felt i did nothing wrong. I have been a CCIE for over 11 years now.

I work for a small ISP as network administrator.

TheFORCE

Good for you man. Ive read some articles about you. But none mentioned any open conference lines amd people listening. I'd do the same if there were 20 people listing.

Welcome to the forum by the way. Im sure you can contribute plenty from your experiences.

frisco

Thanks man,

I will check in from time to time.

Thanks again

MitM

frisco wrote: »

I still have my CCIE and obviously cisco felt i did nothing wrong. I have been a CCIE for over 11 years now.

Same CCIE #? It didn't expire?

Btw, if that's really you, you got a raw deal, in my opinion. 5 million dollars bond was absolutely disgraceful.

Iristheangel

@MitM - I think he was in jail for a few years. It probably expired but he re-certified. Once you get a CCIE number, it never changes even if it expires and you re-earn it.

@Terry - If that situation would have happened to me and I was being taken into a room with management asking for those local credentials, I would have probably just asked them to sign a disclosure saying that they are taking responsibility for the network as of X/X/X date and you could not be held responsible for any misconfigurations or outages made directly with those credentials and had them sign it.

Some of the stuff you admitted to in court probably hurt you the most. i.e. about disabling the core switches' console ports the day before you were put on leave, disabling password recovery on the switches, not saving any configs to flash so that a reload would wipe the device, not providing or leaving backups of the configs, etc. In hindsight, if you were concerned about someone taking the credentials and making changes pretending to be you, it would have been better to just hand them over to the police the second you were arrested. That way there would have been a record that you handed them over showing you were being cooperative and it would have been documented so any changes to the network after would not have been your responsibility.

The stuff about the terminal servers you put in I definitely could see a legitimate reason for doing that and the threats and intimidation to staff could have been malicious co-workers. The stuff you admitted to in court obviously hurt your case and made it impossible to appeal the conviction. If your manager Tong ordered you to do all that but there's no email or paper trail to back it up, it was going to look bad for you.

Well... glad to hear you're moving on with your life. Wish the best for you in the future.

MitM

Iristheangel wrote: »

I think he was in jail for a few years. It probably expired but he re-certified. Once you get a CCIE number, it never changes even if it expires and you re-earn it.

Didn't know that last part, interesting. I only asked the question because I was wondering if Cisco gave him a pass on the cert expiring while he was in prison

Iristheangel

No. Cisco typically doesn't give passes for people going to jail and they don't typically run regular background checks to see if someone has misrepresented the program or done something unbecoming of the CCIE program.

thomas_

Iristheangel wrote: »

@Terry - If that situation would have happened to me and I was being taken into a room with management asking for those local credentials, I would have probably just asked them to sign a disclosure saying that they are taking responsibility for the network as of X/X/X date and you could not be held responsible for any misconfigurations or outages made directly with those credentials and had them sign it.

You can ask them to sign a disclosure all you want, but what would you have done if they refused to accommodate your request? According to him(if it really is him), they refused his request to union representation and to a lawyer.

He said he got "blindsided" with that meeting, I prefer the term "rail-roaded". I've been rail-roaded one time when I was in the military and it's not a pleasant experience. If someone has their sights on you and they want to steam-roll over the top of you, they're not going to be in the mood to negotiate or acquiesce to your suggestions. They want what they want, how they want, when they want it, and anything else, no matter how reasonable, is going to be seen as non-cooperation.

If those facts are all true, I find it highly suspicious that this all occurred after they completed a major milestone for SFPD. It makes me wonder if there was a SFPD control freak that didn't like the access that Terry had, wanted more control himself, or what not, and then decided to stir up a witch hunt instead of trying to resolve at a lower level.

I worked with a guy once who used to be a manager for a large corporation. He told me once that there was a woman that would accuse other male managers of sexual harassment and they would end up getting fired or relocated and then she would end up in their position. It was her way of climbing the corporate ladder.

When I read Frisco's post it eerily reminded me of that story my old coworker told me. It kind of makes me wonder if there was not something like that going on behind the scenes(regardless of whether the person was male or female.) After all, a room full of people and a conference call of 21 people does not materialize out of thin air.

It sounds like either some events leading up to that point got omitted from the story, like several smaller meetings, or he truly did get rail-roaded with that meeting.

Iristheangel

It's possible if it were just one meeting and everything was on the up-and-up, that he was blindsided but there seems to be a lot of layers according to the official court documentation: PEOPLE v. CHILDS | FindLaw

Give that a good read. It's a interesting one. According to the court docs, it looks like prior to the meeting, management asked the union if they would like to be present and they declined saying that matter of getting passwords wasn't a union matter.

One of the jury members happens to be a CCIE and explains in this article why he voted to convict: Terry Childs juror explains why he voted to convict | Computerworld

Obviously this is a complex case with a lot of context and some of the situation behind how the network was set up (i.e. no configs saved to flash which would cause a hard disruption to the network in the event of a power outage, turning off password recovery, limiting access to the switched from all but one IP, disabling console a day before he left, etc) probably also invoked a little nervousness from his management. I know I would be more than nervous if I walked into a network like that.

That's not to say Terry doesn't deserve another chance or anything like that. I think after he handed over the passwords, he should have gotten bail but they let him rot in prison. I think he did his time and should be able to have a life after all is said and done.

MitM

The whole thing was handled poorly. Nobody can justify $5 million dollars bail for this case when you have murderers and rapists that most of the time don't get close to that. The amount of jail time was also absurd, in my opinion.

Other than that, he definitely has fault in a lot of this.

Iristheangel

I agree with you, MitM. If they were justifying the bail as them worrying about him having a backdoor into the network, they should have still reduced his bail after they got the credentials and had access.

ezykiller

I know Terry personally and you have no idea what you are talking about. The whole situation was blown out of proportion.

ezykiller

I know Terry personally, above id definitely him.

Iristheangel

ezykiller wrote: »

I know Terry personally and you have no idea what you are talking about. The whole situation was blown out of proportion.

Umm.. thanks random user id that just registered and posted for this thread.

cyberguypr

So how does this work new user? You just randomly googled Terry, got here, and decided to chime in? If you have any insight wouldn't it make more sense to just say whatever you have to say instead of a vague comment? Or do you expect us to take your word for the fact that the media, the courts, and the public got it all wrong? You see the hole in your logic, right?

Tekn0logy

Iristheangel wrote: »

Umm.. thanks random user id that just registered and posted for this thread.

Random user??? That's no random user! That is the one and only "Kid Katapult" https://www.youtube.com/watch?v=JpChcUUZzng

Wow, I just happened to be watching a CERT video that referenced this guy (no names mentioned...)
and somebody goes and resurrects this thread from the dead...