  1. Senior Member
    Join Date
    Nov 2015
    Posts
    249

    Certifications
    Deplorable Trump Voter and pro-American Racist
    #1

    So whatever happened to Terry Childs?

    A while back, I came across the story of Terry Childs, a CCIE #14018 who ran San Francisco's WAN. I read quite a few articles about the incident; each contributed various pieces of the story.

    Do I think he was overzealous in protecting "his" network? Yes.

    Did he cause denial or interruption of service? No.

    Did he deserve 4 years in jail? No.

    The city of San Francisco made a big deal out of how they spent $1,000,000 or so trying to get the network back. Well, no one forced them to, so it is on them for that. They should have just made a deal with Childs.

    I think when he was getting reassigned he should have just gone to the new job, the FiberWAN was no longer his problem, so who cares what happens to it.

    Anyway, I haven't been able to find any news on him or the case since he got out of jail in 2011. Anyone know anything?
  3. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,851

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #2
    I referenced his case earlier this year when working on my MSISA capstone covering insider threat. This was an extremely unfortunate situation handled awfully by all parties involved. I am also curious what he's been up to.

  4. Senior Member
    Join Date
    Feb 2012
    Posts
    2,426
    #3
    Terry Childs was a rogue megalomaniac who got what he deserved. It has nothing to do with the incompetence of the San Francisco IT management - that is another matter.

  5. Senior Member alan2308's Avatar
    Join Date
    Apr 2010
    Location
    Ann Arbor, MI
    Posts
    1,809

    Certifications
    CCNA, CCNA Sec, MCSA 2008, MCSA 2012, CISSP
    #4
    Quote Originally Posted by fmitawaps View Post
    The city of San Francisco made a big deal out of how they spent $1,000,000 or so trying to get the network back. Well, no one forced them to, so it is on them for that. They should have just made a deal with Childs.
    How would you feel if it were a company-issued laptop he refused to return? How about a company-issued car? You don't make a deal with a criminal who stole from you.

  6. Senior Member
    Join Date
    Nov 2015
    Posts
    249

    Certifications
    Deplorable Trump Voter and pro-American Racist
    #5
    Well that's just it -- he didn't steal anything. In fact, according to some of the reports on the story, he brought in hardware of his own to secure the network to his standards. I never read anything about him asking for money to give up the passwords, or set any other conditions on it.

    So what do you think he stole? Access to the routers? He kept access limited to himself, so only he could administer them, if you want to call that stealing.

    Based on what I read in 10 or so different articles and reports, I think he had 2 thoughts:

    1. Only he was capable of properly handling the network, so he made himself the lone admin.
    2. He thought that by being the only one in control, he would be indispensable and therefore have job security.

    Who knows the actual truth, this is all second hand information, but it is the best I could find.

    I think, given the situation, the city should have offered him some sort of cash payment to just go away quietly and give up control, but they wanted to be all hard about it and handled it incorrectly.

  7. Senior Member
    Join Date
    Feb 2012
    Posts
    2,426
    #6
    There is no dispute that he did not disclose the passwords to the network which he was hired to administer. That infrastructure was not his to kidnap and hold hostage.

    So if you brought your car into the mechanic and they decided to change the ignition codes when they were upgrading it, you think it would be ok for them to decide to charge you whatever they wanted to disclose the new codes? Or you hired a contractor to install a new door and he installs a lock that only he has a key.

  8. Senior Member wd40's Avatar
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    912

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #7
    I think the main thing is that until they have access to the network, they have no way to know what he is doing.

    Maybe he set up something to spy on some organizations, or set up a logical time bomb, or sold access to the network to criminals.

  9. Senior Member
    Join Date
    Feb 2015
    Posts
    202
    #8
    I think the answer is that he was all of the above.

    Sounds like the guy was a zealot. He cared too much and couldn't let his job go. As a senior admin, especially in security, you feel like you stand on a mountain shouting at the world and no one listens. So you go off the rails because you can't separate things.

  10. Woohoo! It's over 1000!
    Join Date
    Aug 2015
    Location
    Australia
    Posts
    1,683

    Certifications
    Linux+, ACSA, ACTC, ACSP, MCSA:7, MCTS, ITIL F, Prince2 Pract, AgilePM Practitioner, VCP-DCV 5/6, Storage+, CCNA R+S/Sec/CyberOps, Sec+, CEH, CASP
    #9
    Quote Originally Posted by Chinook View Post
    I think the answer is that he was all of the above.

    Sounds like the guy was a zealot. He cared too much and couldn't let his job go. As a senior admin, especially in security, you feel like you stand on a mountain shouting at the world and no one listens. So you go off the rails because you can't separate things.
    Even good people can do really damaging things.

    Which is why management needs to understand what their underlings are doing and what their risk is. It seems crazy to allow him to accrue that much power. One story I read said that he basically designed the whole network, despite working under a Network Architect.

    To go back to the laptop or car analogy, it's like they had a pile of laptops or cars and no record of how many or who had them or where they were or how they were being used. Very poor oversight.
    Last edited by OctalDump; 11-11-2015 at 03:18 AM.
    2017 Goals - Something Cisco, Something Linux, Agile PM

  11. Senior Member alan2308's Avatar
    Join Date
    Apr 2010
    Location
    Ann Arbor, MI
    Posts
    1,809

    Certifications
    CCNA, CCNA Sec, MCSA 2008, MCSA 2012, CISSP
    #10
    Quote Originally Posted by fmitawaps View Post
    So what do you think he stole? Access to the routers? He kept access limited to himself, so only he could administer them, if you want to call that stealing.
    Sorry, if you don't own the network, you don't get to make that choice. He was asked to turn the passwords over, and refused. It is exactly the same situation as it would be if he refused to return a company car. I'm not sure why you seem to think that the passwords were his and his alone.

  12. Go ping yourself... phoeneous's Avatar
    Join Date
    Dec 2008
    Location
    Console.WriteLine("Yo");
    Posts
    2,316

    Certifications
    Pimp status
    #11
    I heard he got out of the game and started doing commercials for men's deodorant and bath products.

  13. TWX
    Seńor Member TWX's Avatar
    Join Date
    Oct 2015
    Posts
    255

    Certifications
    A+
    #12
    Yeah, if an employee or contractor won't disclose login credentials when asked by a legitimate authority then lawyers will get involved. It's literally as simple as that.

    Personally, I don't want to take care of a network that only I can take care of. First, no company would ever accept that premise, so any thoughts of being indispensable would be only in my head. Certainly, it may cost that entity a pretty penny to bring in others, or they might even decide to scrap and rebuild, but either way, from their perspective I would not be indispensable. Second, if I am considered indispensable by the employer then I am also unpromotable. I could never advance because I could never leave the job that I am currently doing to move up in the company and probably would not really make more money.

  14. Senior Member Mike-Mike's Avatar
    Join Date
    Aug 2010
    Location
    Louisville, KY
    Posts
    1,848

    Certifications
    CISSP, HDI-SCA, ITIL V3 Foundations, A+, Network+, Security+, MCP, MCDST, CCENT, CCNA, Project+, CCNA Security, MCTS: Windows 7 Config, CEH, CHFI
    #13
    Quote Originally Posted by phoeneous View Post
    I heard he got out of the game and started doing commercials for men's deodorant and bath products.
    that was pretty good

  15. Junior Member
    Join Date
    Nov 2015
    Posts
    17

    Certifications
    GCIA
    #14
    Thanks for sharing this story.
    I was thinking, just like nuclear weapons require authorizations from at least 2 different parties,
    are there network devices for sensitive areas that are protected in the same way?
    For example, would they require permission from more than one person to make changes?

  16. Woohoo! It's over 1000!
    Join Date
    Aug 2015
    Location
    Australia
    Posts
    1,683

    Certifications
    Linux+, ACSA, ACTC, ACSP, MCSA:7, MCTS, ITIL F, Prince2 Pract, AgilePM Practitioner, VCP-DCV 5/6, Storage+, CCNA R+S/Sec/CyberOps, Sec+, CEH, CASP
    #15
    Quote Originally Posted by kiam View Post
    Thanks for sharing this story.
    I was thinking, just like nuclear weapons require authorizations from at least 2 different parties,
    are there network devices for sensitive areas that are protected in the same way?
    For example, would they require permission from more than one person to make changes?
    Certainly from a process point of view, this is what change (configuration) management is all about. That is something that the city really should have had in place to prevent this mess.
    From a technical point of view? One way to bolt it on is via multifactor authentication systems where different parties hold different factors. You can also achieve a similar end with cryptography, where multiple keys are used.
    2017 Goals - Something Cisco, Something Linux, Agile PM

  17. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,849

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #16
    Originally, I was on this guy's side, but after reading the case you see him for what he was. He was a vindictive network administrator who probably is suffering from some form of a mental health issue.

    PEOPLE v. CHILDS | FindLaw

    That is an outline of the case and it is clear that his concern was never the security of the network. His concern was ultimately to keep his job and to do whatever he wanted.

    California Penal Code - PEN § 502 | FindLaw

    It is pretty clear that he broke the law and any ethos a true security professional would have followed. He also threw best practice out the window and then burned it when it hit the ground. Shame on his supervisors for allowing it to go that far. They could have and should have reined him in long before the issue arose.

    In my opinion, with which a jury and an appeals court appear to have agreed, he clearly broke the law and received the justice that is to be expected by breaking the law.
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  18. Junior Member Registered Member
    Join Date
    Nov 2016
    Posts
    2
    #17

    This is Terry Childs

    To all of you who support me, thank you.

    To all of you talking trash, "middle fingers up!"

    RE: SF


    Preface:
    There was not so much as a single dropped packet - no data loss whatsoever between 7/9/2008 and 7/21/2008. This is documented unchallenged fact.


    I genuinely believe I did not commit a crime in San Francisco, at the very minimum I had no intention to commit a crime. I had no idea my actions that day constituted any kind of violation of 502.




    What happened:


    I designed and built a fairly nice system for the folks over in San Francisco. It was a 10gig redundant core with 6509-Es, BXL's, and redundant fiber rings with MPLS, MPLS L3 VPNs, Cisco 3750's redundant in some cases, which would fail over at layers 1-3 automatically. I tested this down to bare metal and had it working flawlessly. They still run everything on it to this date, E911, Sheriff, SFPD, all services are active on the system, unchanged except for new connections.


    When I originally built out the five 6509-E core and the first eight 3750's - of 32 total, I had put the system on TACACS. Four months into the project I was in my manager's office (Herb Tong) and casually mentioned the Fiberwan was on TACACS, he became really excited and ordered me to take it off immediately. He said we cannot have our other engineers having access and making a mistake in the configurations affecting the reputation of the Fiberwan. Since our customers had a choice, they could keep their T1's or connect to the new network, the stability of the Fiberwan was crucial. I took it off TACACS as he told me to do.


    The project was near completion 98%, on 7/9/2008. On that morning we completed a major milestone for the SFPD. We had migrated all their services off legacy T1 connections on to high speed fiber connectivity. Afterward one of the IT SFPD folks said he needed to talk to me upstairs. I thought it was about the change control we had just completed. It was not, I was blindsided with a bunch of folks in a room and an open conference line. It turns out 21 people were listening in on the conference call besides the folks in the room.


    When I say the project was 98% complete, I mean the project was still in engineering, and I was about ready to turn it over to operations.


    While in the room the folks demanded my user id and password over and over. They never asked for access to the system, they never asked me to just reactivate TACACS. I started getting the idea they wanted to be able to log into the system as me. This concerned me deeply. Also the published policy at the time was to "keep all passwords confidential". I requested to have my union representation, and was denied. I requested to have an attorney, and was again denied. I did not give my password and was suspended. Two days later I was arrested. On 7/21/2008 I turned over my user id and password to the Mayor, because he was the CEO of the city and at that point I did not feel he would do anything nefarious to the network.


    During my trial the DA called the CSO of Cisco Jon Stewart to testify. His testimony was that if he was in that room with an open conference call running with 21 people listening, he would be sitting there in orange like Terry Childs.


    I still have my CCIE and obviously Cisco felt I did nothing wrong. I have been a CCIE for over 11 years now.


    I work for a small ISP as network administrator.

  19. Senior Member
    Join Date
    May 2006
    Posts
    2,029

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #18
    Good for you man. I've read some articles about you. But none mentioned any open conference lines and people listening. I'd do the same if there were 20 people listening.

    Welcome to the forum by the way. I'm sure you can contribute plenty from your experiences.

  20. Junior Member Registered Member
    Join Date
    Nov 2016
    Posts
    2
    #19

    To: TheForce

    Thanks man,

    I will check in from time to time.

    Thanks again

  21. Senior Member
    Join Date
    Oct 2016
    Location
    NJ
    Posts
    352

    Certifications
    CCNP R&S, CCNA(Security/Data Center), PCNSE 7, MCITP: Exchange 2010
    #20
    Quote Originally Posted by frisco View Post

    I still have my CCIE and obviously Cisco felt I did nothing wrong. I have been a CCIE for over 11 years now.
    Same CCIE #? It didn't expire?

    Btw, if that's really you, you got a raw deal, in my opinion. 5 million dollars bond was absolutely disgraceful.
    Last edited by MitM; 11-05-2016 at 05:26 AM.

  22. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,727

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #21
    @MitM - I think he was in jail for a few years. It probably expired but he re-certified. Once you get a CCIE number, it never changes even if it expires and you re-earn it.

    @Terry - If that situation would have happened to me and I was being taken into a room with management asking for those local credentials, I would have probably just asked them to sign a disclosure saying that they are taking responsibility for the network as of X/X/X date and you could not be held responsible for any misconfigurations or outages made directly with those credentials and had them sign it.

    Some of the stuff you admitted to in court probably hurt you the most. i.e. about disabling the core switches' console ports the day before you were put on leave, disabling password recovery on the switches, not saving any configs to flash so that a reload would wipe the device, not providing or leaving backups of the configs, etc. In hindsight, if you were concerned about someone taking the credentials and making changes pretending to be you, it would have been better to just hand them over to the police the second you were arrested. That way there would have been a record that you handed them over showing you were being cooperative and it would have been documented so any changes to the network after would not have been your responsibility.


    The stuff about the terminal servers you put in I definitely could see a legitimate reason for doing that and the threats and intimidation to staff could have been malicious co-workers. The stuff you admitted to in court obviously hurt your case and made it impossible to appeal the conviction. If your manager Tong ordered you to do all that but there's no email or paper trail to back it up, it was going to look bad for you.

    Well... glad to hear you're moving on with your life. Wish the best for you in the future.
    Last edited by Iristheangel; 11-05-2016 at 06:08 AM.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  23. Senior Member
    Join Date
    Oct 2016
    Location
    NJ
    Posts
    352

    Certifications
    CCNP R&S, CCNA(Security/Data Center), PCNSE 7, MCITP: Exchange 2010
    #22
    Quote Originally Posted by Iristheangel View Post
    I think he was in jail for a few years. It probably expired but he re-certified. Once you get a CCIE number, it never changes even if it expires and you re-earn it.
    Didn't know that last part, interesting. I only asked the question because I was wondering if Cisco gave him a pass on the cert expiring while he was in prison.

  24. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,727

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #23
    No. Cisco typically doesn't give passes for people going to jail and they don't typically run regular background checks to see if someone has misrepresented the program or done something unbecoming of the CCIE program.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  25. Senior Member
    Join Date
    Apr 2015
    Posts
    717

    Certifications
    CCNA R&S, Security+, Network+, Linux Essentials
    #24
    Quote Originally Posted by Iristheangel View Post
    @Terry - If that situation would have happened to me and I was being taken into a room with management asking for those local credentials, I would have probably just asked them to sign a disclosure saying that they are taking responsibility for the network as of X/X/X date and you could not be held responsible for any misconfigurations or outages made directly with those credentials and had them sign it.

    You can ask them to sign a disclosure all you want, but what would you have done if they refused to accommodate your request? According to him (if it really is him), they refused his request to union representation and to a lawyer.


    He said he got "blindsided" with that meeting, I prefer the term "rail-roaded". I've been rail-roaded one time when I was in the military and it's not a pleasant experience. If someone has their sights on you and they want to steam-roll over the top of you, they're not going to be in the mood to negotiate or acquiesce to your suggestions. They want what they want, how they want, when they want it, and anything else, no matter how reasonable, is going to be seen as non-cooperation.


    If those facts are all true, I find it highly suspicious that this all occurred after they completed a major milestone for SFPD. It makes me wonder if there was a SFPD control freak that didn't like the access that Terry had, wanted more control himself, or what not, and then decided to stir up a witch hunt instead of trying to resolve at a lower level.


    I worked with a guy once who used to be a manager for a large corporation. He told me once that there was a woman that would accuse other male managers of sexual harassment and they would end up getting fired or relocated and then she would end up in their position. It was her way of climbing the corporate ladder.


    When I read Frisco's post it eerily reminded me of that story my old coworker told me. It kind of makes me wonder if there was not something like that going on behind the scenes (regardless of whether the person was male or female). After all, a room full of people and a conference call of 21 people does not materialize out of thin air.


    It sounds like either some events leading up to that point got omitted from the story, like several smaller meetings, or he truly did get rail-roaded with that meeting.

  26. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,727

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #25
    It's possible if it were just one meeting and everything was on the up-and-up, that he was blindsided but there seems to be a lot of layers according to the official court documentation: PEOPLE v. CHILDS | FindLaw

    Give that a good read. It's an interesting one. According to the court docs, it looks like prior to the meeting, management asked the union if they would like to be present and they declined saying that the matter of getting passwords wasn't a union matter.

    One of the jury members happens to be a CCIE and explains in this article why he voted to convict: Terry Childs juror explains why he voted to convict | Computerworld

    Obviously this is a complex case with a lot of context and some of the situation behind how the network was set up (i.e. no configs saved to flash which would cause a hard disruption to the network in the event of a power outage, turning off password recovery, limiting access to the switches from all but one IP, disabling console a day before he left, etc) probably also invoked a little nervousness from his management. I know I would be more than nervous if I walked into a network like that.

    That's not to say Terry doesn't deserve another chance or anything like that. I think after he handed over the passwords, he should have gotten bail but they let him rot in prison. I think he did his time and should be able to have a life after all is said and done.
    Last edited by Iristheangel; 11-05-2016 at 04:08 PM.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
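
    Added example, not part of any post in this thread: a defender-side audit that flags the single-admin lock-in conditions listed in the post above (unsaved configuration, password recovery disabled, management access limited to one host, console disabled, plus local-only authentication) in Cisco IOS-style configuration text. The sample configs are constructed, `audit` and the finding codes are hypothetical names, and `no exec` under `line con 0` is assumed as one way a console can be disabled.

```python
import re

# Constructed sample (not from the case). Inputs are assumed to be config
# bodies without the "Building configuration..." header lines.
RUNNING = """\
hostname core-sw-1
no service password-recovery
enable secret 5 <hash-placeholder>
access-list 10 permit host 192.0.2.10
line con 0
 no exec
line vty 0 4
 access-class 10 in
 login local
"""
STARTUP = ""  # nothing was ever written to startup-config


def _lines(config):
    """Config lines with blanks and '!' comment lines removed."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def _sections(config):
    """Map each top-level line to the indented lines beneath it."""
    out, current = {}, None
    for line in _lines(config):
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out


def audit(running, startup):
    """Return sorted finding codes for single-admin lock-in conditions."""
    sec = _sections(running)
    findings = set()
    if "no service password-recovery" in sec:
        findings.add("PASSWORD_RECOVERY_DISABLED")
    if "aaa new-model" not in sec:
        findings.add("NO_CENTRAL_AAA")  # local logins only, no TACACS+/RADIUS
    # Standard ACLs whose only entry permits a single host.
    acls = {}
    for top in sec:
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", top)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    one_host = {n for n, e in acls.items()
                if len(e) == 1 and e[0][0] == "permit"
                and re.fullmatch(r"(host )?\d+(\.\d+){3}( 0\.0\.0\.0)?", e[0][1])}
    for top, body in sec.items():
        if top.startswith("line con") and "no exec" in body:
            findings.add("CONSOLE_EXEC_DISABLED")
        if top.startswith("line vty"):
            for b in body:
                m = re.match(r"access-class (\d+) in$", b)
                if m and m.group(1) in one_host:
                    findings.add("VTY_LIMITED_TO_ONE_HOST")
    # A reload discards anything that exists only in running-config.
    if _lines(running) != _lines(startup):
        findings.add("RUNNING_CONFIG_NOT_SAVED")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(RUNNING, STARTUP):
        print(code)
```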