News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Scott McPherson's picture
Scott McPherson

Tiptoeing Through Minefields

More posts | Read bio

August 11, 2008 - 12:06 P.M.

How many of you do background checks on your IT employees?

21 comments

The Washington Post has an excellent article today regarding the City of San Francisco/Terry Childs debacle.  Its findings appear to confirm suspicions regarding both Mr. Childs' true intentions as well as the City's outright ineptitude.

First, the findings on Mr. Childs, straight from the Post: 

Terry Childs, 43, was arrested July 13 at his suburban home, where police found $10,000 in cash, diagrams of the city-county computer network, a co-worker's access card, a loaded 9mm magazine and several loose .45-caliber rounds. Under the user name Maggot617, he hijacked the system and refused to turn over passwords for the network, which superiors belatedly discovered only he controlled.

Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains.

Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note.

Based on this last paragraph alone, Childs had as much business being a network engineer as a pedophile has running a day care center.  What is truly amazing is that the City did not do a thorough background check on him prior to hiring him!  This appalling lack of due diligence makes one wonder if it was a miscue, or does the City not check the backgrounds of people it hires for positions of great trust?

It also pretty much invalidates the positive comments I have received on this blogsite rearding Mr. Childs' character.  Character is best defined as what you do when no one is looking.  Based on that criteria alone, Mr. Childs fails miserably. 

While Childs needs to head for the stockade (apparently having his "I did it for the good of the City!" excuse shredded like so much waste paper), the people who decided Childs' criminal record was only germane to the California state line need a career change.

"It was like we had control of the house, but we were unsure of which rooms he had access to," said Ron Vinson, chief administrative officer for San Francisco city and county's Department of Technology. "We didn't know to what extent he had access or if there were potential vulnerabilities in the system."

Vinson said San Francisco will probably expand its employee background checks to cross state lines.

You think? Mr. Vinson clearly states the obvious.  And if Mr. Vinson personally decided that IT background checks stopped at the California state line, he needs to go herd goats for a living.

As I mentioned before:  hacking IT, be it from inside or outside, isn't funny anymore.  It isn't cute, and it needs to carry the appropriate weight in prosecution and punishment. Let Mr. Childs' actions serve as a cautionary tale for anyone who seeks to prove his or her worth by taking control of sensitive systems. You have a beef, handle it some other way.  Go to an elected official.  Or do the honorable thing, report it and quit if no one listens.  Mr. Childs used the username maggot617 -- an appropriate metaphor. 

Now how many other cities, counties, school districts, states, NGOs, and the feds have failed to check the backgrounds of its database administrators, network engineers, developers, possibly even its own computer security people?  How many other San Franciscos are lurking out there?  Let's hear from you.

And how many of you do regularly scheduled background checks on employees you already have? 

What People Are Saying

Add new comment

This is the same guy who suggested waterboarding

Submitted by maggot617 on August 14, 2008 - 4:14 A.M.

in his last post:
http://blogs.computerworld.com/situations_where_waterboarding_is_appropriate
and just read his bio, what a creep.

Reply | Report this comment

Background Checks

Submitted by Andrew on August 11, 2008 - 10:38 P.M.

In today’s world where a great majority of information is stored and accessible by networks it is totally irresponsible not to have background checks run on IT personnel prior to hiring.
The IT people are the networks first line of defense. It is their knowledge that secures your network, if you can not depend on your IT people who can you depend on?
With above in mind it is only logical to know who you have managing your network and the sensitive information stored therein.

Reply | Report this comment

The city was paying him to control the network.

Submitted by Rich Robinson on August 11, 2008 - 7:34 P.M.

"Let Mr. Childs' actions serve as a cautionary tale for anyone who seeks to prove his or her worth by taking control of sensitive systems."

This statement misses the point that Terry Childs did not have to *take* control of the network because he already had sole control of the network and had had it for years. The city determined that he was qualified for the position and the city hired and authorized him to control the network and thus he had explicit permission to control the network as the city continued paying him to control the network from 2003 through 2008.

Reply | Report this comment

The city was wrong.

Submitted by Scott McPherson on August 12, 2008 - 9:26 A.M.

Rich,
He did not have explicit permission to do as he pleased. I certainly hope you do not think that because you may have the keys to an office, you can do as you please with it.

To begin with, the City was wrong to have hired him. The City was wrong to have vested so much control in the hands of a convicted felon. And when Childs changed all the user IDs and passwords, he did indeed take control of the network.

I cannot see how you can disagree with any of that. His changed User IDs and passwords were technically City property. Someone who refuses to hand over City property is a thief, even if that property is intellectual property. He abused his privileges and it is growingly apparent he acted with malice.
Scott

Reply | Report this comment

It was Terry Childs' job to

Submitted by Rich Robinson on August 12, 2008 - 1:45 P.M.

It was Terry Childs' job to change the password on the routers. He was the network administrator. Changing passwords periodically is a "best practice" recommended throughout the computer, network and information security industry. It is also a practice included in the security policy framework which DTIS Deputy Director Rich Robinson has stated should be used as the starting point for the City's information security policy. Childs would have been remiss had he not been changing passwords. He claims that he did so every two months. Clearly, in continuing to follow best practices he was not "taking control" of the network but rather continuing the control he had had for some time.

He absolutely did have explicit permission from the City to take the action of changing passwords in the routers - in fact, he was being paid to do so.

The issue of the password itself is largely irrelevant because all Cisco routers can be easily reset by anyone with physical access - and a password can not prevent the resetting of the router. The City had the option all along, to simply walk over and reset the routers and have full administrative control of them. The routers would then need to be reconfigured. The City chose not to do so because, by their own admission, they were ignorant of how to configure the routers for the network which they had designed (actually former city Network Architect Archie Lee) five years prior.

The two persons, DTIS Deputy Director Rich Robinson (no relation) and the newly appointed Network Security Manager Jeana Pieralde, who pressured Terry for the password did not meet the minimum qualifications set by the City itself to manage the network. Terry Childs did meet the requirements set by the City. It was the opinion of the qualified administrator of the network, that those persons who were not qualified to administer the network posed a threat to the system. By setting the minimum qualifications for the position, it would appear that the City shared that opinion - that persons who did not meet the qualifications were not suited to the position of administering the network.

Terry Childs took no action which prevented the City from administering the network: he did not quit his job; the network remained functional and despite claims by City officials that he had rendered it insecure it remained secure throughout the ordeal. While he remained employed to administer the network, the city had one person, and apparently only one person who was qualified and capable of administering the network. At no time did Terry Childs take any action that changed that situation which had existed for years. It was Rich Robinson who reassigned and suspended Terry Childs on July 9th, 2008 who removed the sole person qualified to administer the network which belongs to the City and County of San Francisco, not to Rich Robinson. Rich Robinson was not acting in the City's best interests but rather he jeopardized a critical system by removing the sole employee who met the minimum qualifications set by the city to manage the network.

Terry Childs did not refuse to disclose the passwords to the City, rather he refused to disclose the passwords to Rich Robinson and Jeana Pieralde - neither of whom "own" the network, neither of whom met the minimum qualifications set by the City for administering the network. Terry Childs voluntarily gave the passwords to the Mayor (his "ultimate boss" as Terry described him).

Neither abuse of privileges nor malice on Terry's part is required in this scenario. What is required is a series of absolute failures on the part of DTIS management: in failing to adopt a security policy (which internal and external (tax-payer funded!) audits and reviews have been recommending repeatedly since at least 1996); in failing to adhere to established industry best practices; in failing to replace former city Network Architect Archie Lee in a timely fashion; in laying off every employee other than Terry Childs who met the City's minimum qualifications to manage the network and who could have reconfigured the routers ; and in failing to address the situation when Terry Childs filed informal and subsequently formal complaints about DTIS management in early June of 2008.

Perhaps Rich Robinson and Jeana Pieralde, in their ignorance of the network, didn't know what questions to ask of Terry specifically to elicit answers which would allow them to gain control of the routers (remember that even after Terry gave the password to the Mayor, Cisco engineers were unable to figure out how or where to use the password without further information from Terry.) If they asked the wrong questions and Terry gave correct answers to their wrong questions, is that criminal?

Does California Penal Code subsection 502 (cited in the only charges against Terry) which relates specifically to "Unauthorized access to computers, computer systems and computer data" have any relevance in a situation where the employee was authorized to set passwords and then may or may not have truthfully answered questions which may or may not have actually been the correct questions to gain both the password -- and -- procedure, instructions, knowledge needed to gain administrative control of the routers?

Can an employee be jailed for failing to educate an employer on how to do the employee's job???

Is a government employee who is qualified and assigned to manage a network, (as an example lets say a network controlling nuclear missile launch systems) a criminal if the employee refuses to turn over control of that network to persons whom he knows are not qualified to run that network?

Reply | Report this comment

That is not his decision to make....

Submitted by Scott McPherson on August 12, 2008 - 5:04 P.M.

If his superiors instruct him to give them the information, he is expected to follow orders and give the information. To do otherwise is insubordinate at best and criminal (surprise!) at worst.

Wrong is wrong. Trying to justify an action, or set of actions because the person thinks his superiors are idiots is not justification for criminal action. Quite simply, it is not his decision to make.
Scott

Reply | Report this comment

Re: That is not his decision to make....

Submitted by Randy Grein on August 13, 2008 - 2:37 A.M.

Scott,
You're batting .000 on this one - give it over, get your facts straight and while you're at it take a few classes in workplace ethics.

There are many situations that REQUIRE insubordination to serve the real owners - uncovering fraud, dangerous incompetence or other inappropriate actions that leave the organization open to serious loss or risk. It is unfortunate that such service is almost always rewarded with firing or worse, but by your standards anyone could ignore ill advised or illegal actions with the "I was only following orders" defense.

You should know by now the situation was far murkier than originally portrayed and the City has clearly lied about a number of basic facts in the case. Was Terry right to refuse to hand over passwords except to the mayor? I certainly don't have enough evidence to say for sure, but given the keystone cop routine he was put through I'd say the chances are good that he was correct. Following established policies and procedures is ALWAYS the correct choice, although it is apparently no protection from imprisonment.

Reply | Report this comment

He was a CONVICTED FELON...

Submitted by Scott McPherson on August 13, 2008 - 8:40 A.M.

and as such, should NEVER HAVE BEEN HIRED. And "workplace ethics" do not include the activities he engaged in.

No manager will agree with you. Neither will anyone in authority.
Scott

Reply | Report this comment

"he should never have been

Submitted by Brian Cox on August 14, 2008 - 3:25 A.M.

"he should never have been hired" is no grounds for arrest...

Reply | Report this comment

He should never have been...

Submitted by LateNIghtLarry on August 19, 2008 - 4:41 P.M.

If the city's application for employment asked specifically if he had ever been convicted of a felony, and he either answered "no" or didn't answer, then he was guilty of falsifying his application. That is, by itself, grounds for termination.

I know that if he had falsified a federal job application, he could have been subject to criminal prosecution. I don't know if California or the City of San Francisco have similar statutes.

Reply | Report this comment

Related Posts

Newsom intervenes; Dolly vindicates blog
Situations where waterboarding is appropriate
S.F. net.admin holds city to ransom
WTF FTW LOL@ITBW!!1! (and Flash Portal)

Today's Top Stories

Elgan: The wireless carrier coup must be stopped
Vista Ultimate users fume, rant over Windows 7 deals
Judge temporarily dismisses MySpace cyberbully case
Mozilla slates first Firefox 3.5 patch
SJVN: London Stock Exchange to abandon failed Windows platform
Say no to SQL? Anti-database movement gains steam
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.