July 15, 2008

Terry Childs and the San Francisco FiberWAN computer network

S.F. officials locked out of computer network
A disgruntled city computer engineer has virtually commandeered San Franciscos new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the citys new FiberWAN Wide Area Network, where records such as officials e-mails, city payroll files, confidential law enforcement documents and jail inmates bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didnt work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.

Childs has worked for the city for about five years. One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him.

“They werent able to do it – this was kind of his insurance policy,” said the official, speaking on condition of anonymity because the attempted firing was a personnel matter.

This isn’t particularly housing related – ok, it’s not at all housing related. I just thought it was amusing.

Comments (15) -- Posted by: burbed @ 8:42 pm

15 Responses to “Terry Childs and the San Francisco FiberWAN computer network”

  1. madhaus Says:

    This is the housing equivalent of putting a lien on the county recorder’s office.

  2. nomadic Says:

    pwned!

  3. Trader Joe Says:

    He makes a base salary of 126k and lives in Pittsburg. Your tax dollars at work.

  4. Hmmmmm Says:

    Fantastic. Do you think he will still have his job when he gets out?

    I guess they just have to wait for the next password reset cycle. Be sure and include a number and character and it can’t be one your ten previous passwords or closely resemble them in anyway.

  5. jake2climb Says:

    anyone seen a pic of this dude? there is a court rendering but it’s lame.

  6. WillowGlenner Says:

    Childs, who works in the Department of Technology at a base salary of just over $126,000,

    These government payrolls are way out of hand. This guy is a WAN ADMINISTRATOR. That is a standard IT position, not a R&D engineering position in the valley. This job should be paid at about 90K. They also get benefits like retirement accts that nobody working in private industry gets. These 100K jobs for police and fire have to go, too.

  7. Ididurmamma Says:

    Picture’s here. (video)
    http://cbs5.com/crime/san.francisco.hacker.2.773648.html

  8. Jeana Pieralde Says:

    “Password Policy…
    As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
    All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis”
    “Do not share County passwords with anyone, including administrative assistants or secretaries.

    All passwords are to be treated as sensitive, confidential County information.

    Here is a list of things to avoid:…
    –Telling your boss your password.
    –Talking about a password in front of others.
    –Telling your co-workers your passwordwhile on vacation.”

    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

  9. Herb Tong Says:

    “Employee Handbook
    City and County of San Francisco …
    You may not willfully or knowingly disclose any confidential or privileged
    information unless you are required to do so by law.”

    http://www.sfgov.org/site/uploadedfiles/sfdhr/employee_services/CCSF_Employee_Handbook.pdf

  10. Rich Robinson Says:

    California Civil Code
    “1798.81.5
    (a) It is the intent of the Legislature to ensure that
    personal information about California residents is protected.[…]
    (b) A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

    http://www.leginfo.ca.gov/cgi-bin/waisgate?WAISdocID=60110116169+1+0+0&WAISaction=retrieve

  11. James Ramsey Says:

    “The main purpose of an information security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets….

    2. Policy Scope
    This policy applies to employees, contractors, consultants, temporaries, and other workers at the County, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the County.

    3. Policy Description
    Management is committed to protecting the County’s employees, partners, and the organization from illegal or damaging actions by individuals by intentional or unintentional means….

    Security and Proprietary Information…
    Employees should take all necessary steps to prevent unauthorized access to this information.

    — Authorized users are assigned accounts for their specific use based on their defined needs. Users are responsible for the security of their accounts. Passwords are provided to enable users to keep their account secure. Users are not authorized to share their passwords. Users must change their password every 90 days. System administrators are to change their account passwords at least every 45 days….

    b. Private or Confidential Data. Some data collected and maintained by the County are protected from public disclosure through various privacy and confidentiality statutes, and thus, are not available under existing public information laws. Examples of private or confidential information include:
    • Passwords…
    Only County personnel with a designated need-to-know are authorized access to private or confidential information. The information owner retains classification authority, but County managers are authorized to approve or disapprove both access and distribution requests. When in doubt, however, managers must always obtain Department information owner consent before granting access or releasing information.

    7. Definitions
    Access – Making information available to only those individuals with a business need to know – requires authorization by the Information Owner and signed Ethics and Responsible Use and Non-Disclosure Agreements….

    Information Owner – The Department Head and/or designee assigned responsibility under State or federal law or County policy for specific data, including classification, protection and assigning access….

    Employees and Authorized Users
    Each employee and authorized user is responsible for understanding and adhering to County information security policies as well as appropriate organizational policies. They are responsible for protection of County informational assets for which they are entrusted and using them for their intended purposes….”

    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

    The DTIS Department Head is Chris Vein. Chris Vein was not the person requesting the password from Terry Childs.

  12. Tony Maupin Says:

    “It can no longer be maintained that a ‘diligent’ worker is one who blindly follows his or her employer’s orders regardless of the potential consequences.”
    –California Supreme Court, 1984

    “An employer’s statement that a claimant was “insubordinate” is not enough, in and of itself, to support a finding of discharge for misconduct. The employer’s statement is a conclusion, derived from his or her perception of what transpired, and represents only one viewpoint. The acts which led to the separation, and the claimant’s reason for doing (or not doing) the acts will determine if insubordination exists in that separation.”
    Misconduct MC 255 …
    Insubordination …
    A. Disobeying Orders …
    c. Whether the Claimant is Justified in Disobeying
    As discussed above, noncompliance with an employer’s order is justified if the order is unreasonable or unlawful. Noncompliance is also justified, according to Title 22, Section 1256-36, if the claimant:
    1. Reasonably and in good faith believes compliance would result in a violation of the law. …
    3. Has a reasonable and good faith doubt of the authority of the individual issuing the order. …
    C. Exceeding Authority
    When a claimant was discharged for allegedly exceeding authority, the following factors need to be considered.
    1. The Job’s Inherent Authority
    Every job carries certain authority, which is created by the agreement of hire, whether oral or written, between the employee and the employer. The agreement will outline the parameters of the employee’s authority and provide for any necessary emergency or contingency lines of authority. If the claimant must hold a license or certificate to work, such as a registered nurse or real estate salesperson, certain fundamental limits are already established concerning the amount of authority that the employee may take upon himself or herself in the absence of supervision. …
    2. Employer’s Failure to Limit Authority
    Authority to take action may also be created by failure of the employer to limit or to object to unauthorized or undesirable conduct….”

    http://www.edd.ca.gov/UIBDG/Misconduct_MC_255.htm

  13. burbed Says:

    Uh, let the record note that the last few comments were all from the same IP address.

  14. bluoz Says:

    Terry Childs gets most charges dropped…

    Infoworlds Paul Venezia is going to have a field day with this

    Very few people have been questioning the San Francisco city hall press releases since this story began over a year ago, but now even the Chronicle is sheepishly admitting they might hav…

  15. Deb Rub Says:

    Uh let the record note that the author of the above Burbed article is a horse’s arse. There more sophomoric inaccuracies in that article than are ever seen in news reports. What a stupid reporter and what a stupid site.


Leave a Reply

Please be nice. No name calling, no personal attacks, no racist stuff, no baiting, etc. Let's be nice to each other in the true Bay Area spirit! (Comments may be edited/removed without notice.)