informa
/
Analytics
Quick Hits

San Francisco Password-Hijacker Found Guilty

Terry Childs faces five-year prison sentence for locking out city bosses from network
In a bizarre case that put the spotlight on the perils of unmonitored IT administrative rights, former City of San Francisco network engineer Terry Childs was found guilty yesterday of felony computer-tampering charges after locking out city administrators from the network by controlling the passwords.

Childs, 45, faces a five-year sentence in state prison, according to reports, in part due to the $200,000 price tag the jury concluded he cost the city for refusing to give up the passwords. But he is reportedly expected to get credit for time served, which is nearly two years since his July 2008 arrest. Childs will be sentenced on June 14.

About a week after his arrest, Childs finally gave up his passwords after changing all of the city's network passwords so only he could access the network -- which contains email, payroll, law enforcement, and inmate booking files, apps, and data. He did so after learning he was going to be laid off from his job of 10 years with the city.

Prosecutors in the case said Childs took the unusual action of locking out his supervisors from the network because he was upset about their questioning his security clearance after learning he had a previous robbery conviction on his record.

Childs' attorney says his client wouldn't surrender the passwords initially because his bosses asked for them over an unsecured phone line. "All they had to do was ask him (for the passwords) in a secure and professional way, consistent with policy and standards," the defense attorney told the jury, according to an SFGate.com report.

Experts say both Childs and the city made mistakes. "Whether you view Terry Childs as an IT folk hero, egomaniac, disgruntled employee, or all of the above, we're forced to ask whether the crime fits the punishment. I have little sympathy for any of the players in this drama, but it would be a mistake to view Childs as a cybercriminal," says Michael Maloof, CTO for TriGeo Network Security.

While Childs' insubordination was grounds for his termination, he didn't demand a ransom or interrupt city services, Maloof notes. "It was not an act of domestic terrorism or grand theft, but the lack of self-interest doesn't absolve him of responsibility. He may ultimately be applauded as the city's lone network infrastructure defender, or pitied as paranoid and delusional, and the truth is probably somewhere in the middle," he says.

Richi Jennings, an independent security analyst, says the City of San Francisco's management failed in allowing one employee to "own the keys to the kingdom" and for not understanding the technology to begin with. "Childs is widely seen as a hero for doing more with less, but that becomes part of the problem because he sees it as his baby and gets protective," Jennings says.

The prosecutor said in the trial that Childs had basically sabotaged some network equipment: "So that if they were rebooted, they'd lose their configuration," Jennings says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5