
Disgruntled Engineer Hijacks San Francisco's Computer System

Posted by timothy on Tue Jul 15, 2008 07:51 AM
from the wait-'til-he-turns-off-the-earthquake-preventor dept.
ceswiedler writes "A disgruntled software engineer has hijacked San Francisco's new multimillion-dollar municipal computer system. When the Department of Technology tried to fire him, he disabled all administrative passwords other than his own. He was taken into custody but has so far refused to provide the password, and the department has yet to regain admin access on their own. They're worried that he or an associate might be able to destroy hundreds of thousands of sensitive documents, including emails, payroll information, and law enforcement documents."

Related Stories

The Inside Story On the San Francisco Network Hijacking (471 comments)
snydeq writes "A source with direct knowledge of San Francisco's IT infrastructure has tipped off Paul Venezia to the real story behind Terry Childs' lockout of San Francisco's network, providing a detailed account of the city's FiberWAN, interdepartmental politics, and Terry Childs himself. Childs pleaded not guilty to charges of tampering yesterday and is being held on $5 million bail. According to the source, Childs' purview was limited to the city's FiberWAN — a network he himself built and, believing no one competent enough to touch the network but himself, guarded religiously, sharing details with no one, including routing configuration and log-in information. Childs was so concerned about the network's security that he refused even to write router and switch configurations to flash. But what may prove difficult for the prosecution in its case against Childs is that his restricted access to the network was widely known and accepted among managers and the city's other network engineers. Venezia, who has been suspicious of the official story from the start, suspects that the Childs case may be that 'of an overprotective admin who believed he was protecting the network — and by extension, the city — from other administrators whom he considered inferior, and perhaps even dangerous.' Further evidence is the fact that the network, from what Venezia understands, has been running smoothly since Childs' arrest."
IT: SF Admin Gives Up Keys To Hijacked City Network (581 comments)
snydeq writes "Jailed IT admin Terry Childs relinquished his hold over San Francisco's multimillion-dollar FiberWAN, handing his administrative passwords over to San Francisco Mayor Gavin Newsom, who was 'the only person he felt he could trust.' Childs is still being held on $5 million bail for his lockout of the city's FiberWAN, a case that has been called into question since an insider came forward with details about both the network and Childs himself. The case hinges on No Service Password Recovery commands Childs allegedly configured onto several Cisco devices, as well as dial-up and DSL modems the SFPD has discovered that would allow unauthorized connections to the FiberWAN. Childs intends to 'expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,' according to his motion. The Department of Telecom and IS has cut 200 of its 350 IT positions since 2000 — pressure that may have contributed to Childs' actions, according to interviews with current and former DTIS staffers. Newsom secured the passwords without first telling the DTIS that he was meeting with Childs."
Your Rights Online: 3 of 4 Charges Against Terry Childs Dropped (189 comments)
phantomfive writes "Terry Childs, who was arrested nearly a year ago for refusing to turn over the passwords to San Francisco's FiberWAN network, has been cleared of three of the four charges against him. The dropped charges referred to the attachment of modems to the network; the remaining charge is for refusing to turn over the password. The prosecutor has vowed to appeal, to have the charges reinstated. We have the original story, and the story where Childs tells his side, for those who want a refresher."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Backups? (Score:5, Funny)

    by anonieuweling (536832) on Tuesday July 15 2008, @07:53AM (#24194381)
    With backups no data will be lost. Oh, those are encrypted?
    • Re:Backups? (Score:5, Insightful)

      by shbazjinkens (776313) on Tuesday July 15 2008, @07:55AM (#24194409)
      Or they could just unplug it? Lost productivity is better than lost data here, I'll bet.
    • Re:Backups? (Score:5, Insightful)

      by Brian Gordon (987471) on Tuesday July 15 2008, @08:11AM (#24194635)
      I don't understand how it's possible to be locked out of a system that you have direct local access to. You should at least be able to pop in a livecd and edit /etc/password from a livecd. If you need to decrypt stuff might as well start cracking the hash.. they certainly have the computing power to do it o_O
      • Re:Backups? (Score:5, Insightful)

        by azrider (918631) on Tuesday July 15 2008, @08:57AM (#24195353)

        I don't understand how it's possible to be locked out of a system that you have direct local access to. You should at least be able to pop in a livecd and edit /etc/password from a livecd.

        That gets you into the operating system. Once you are there, what do you do? SQL databases can/should use passwords.
        Web servers can/should use passwords.
        Payroll systems MUST use passwords, with all data encrypted.
        The above (and others) are where the problem lies, and no single user reboot will fix this.

        • Re:Backups? (Score:5, Interesting)

          by TheLink (130905) on Tuesday July 15 2008, @09:20AM (#24195765) Journal
          The only problem is if encryption was used AND he hasn't left an open session somewhere which you can somehow get access to.

          If the data is not encrypted it doesn't matter if the SQL DB uses passwords or not. Same for the webserver and other stuff.

          I've patched programs stored in a DB without knowing the DB admin password, just by hexediting the DB files. Didn't have to wait for the vendor's developers in the USA to get back to us ;).

          As long as you have read access to the unencrypted data you have enough access - even if it means changing the drives and reloading the data.
        • Re:Backups? (Score:5, Informative)

          Pretty much all Unix systems are hackable with local access.

          I'm guessing either the entire file system is encrypted, or the problem is getting into an application that's running under the OS. Most times the OS isn't the final gatekeeper in high security; the application itself may run everything encrypted, and may very well have no easy way to restore access if a password is lost.

          • Re:Backups? (Score:5, Insightful)

            by uncledrax (112438) on Tuesday July 15 2008, @09:00AM (#24195415) Homepage

            (windows systems too.. I mean it is a muni we're talking about..)

            But yes.. physical access to a device trumps all. It's probably something like they only have -one- guy that knows what he's doing.. and he just went from being fired to Fed-pound-you-Penn

        • Re:Backups? (Score:5, Interesting)

          by TheLink (130905) on Tuesday July 15 2008, @09:11AM (#24195627) Journal
          Unless you know fully what he has done, you should not continue using it and assume that everything is working properly and will continue to work properly.

          Typically corrupted data is worse than destroyed data.

          At least when the data is gone, the problem is a lot more obvious.

          Imagine if the payrolls have been tampered with (payroll files are mentioned in the article) rather than destroyed. And the law (and other) documents have had the word "not" randomly removed in 0.5% of the occurrences ;), and a few numbers changed by a few percent.
      • Re:ha (Score:5, Insightful)

        by poetmatt (793785) on Tuesday July 15 2008, @08:48AM (#24195213)

        Of course, if we all had wings, we'd fly. Then reality sets in. Can't change the past.

        I'm sure he was plenty stable until he became disgruntled, otherwise he wouldn't have ended up with the admin passwords, no?

      • Re:Backups? (Score:5, Funny)

        by Anonymous Coward on Tuesday July 15 2008, @09:08AM (#24195575)

        I'll put good money on him cracking before this article gets 200 comments.

        We're at 204. Pay up.

  • This is why... (Score:5, Insightful)

    by Gallenod (84385) on Tuesday July 15 2008, @07:53AM (#24194387)

    ...you disable his account *before* you tell him he's fired.

    • Re:This is why... (Score:5, Insightful)

      by Televiper2000 (1145415) on Tuesday July 15 2008, @07:57AM (#24194433)
      I was just about to say the same thing. You also escort them directly out of the building and let them pick up their personal things a week later.
      • Re:This is why... (Score:5, Insightful)

        by damburger (981828) on Tuesday July 15 2008, @08:01AM (#24194489)
        Is holding his possessions captive in such a way legal? It's certainly arseholey.
            • Re:This is why... (Score:5, Informative)

              by Fozzyuw (950608) on Tuesday July 15 2008, @08:27AM (#24194863)

              Private as in privacy, no. But private as in private property? Yes. If they don't allow someone to gather their things before they leave they could be looking at serious legal troubles.

              No, it's pretty common practice. They can directly escort you out of the building without your personal property and they have a reasonable amount of time to gather up your stuff and get it back to you.

              Things like car keys, wallet, jacket, briefcase, etc. yes. They'll escort you to your desk to pick those up. But gathering your pictures, books, etc. Nope. They'll do it for you or have you come back at a later date.

              • Re:This is why... (Score:5, Interesting)

                by phatlipmojo (106574) on Tuesday July 15 2008, @09:02AM (#24195475)

                He's a municipal employee. I don't know about San Francisco, but where I live, state or local government employee means union member, which in turn means he's very difficult to fire, except for the most egregious offenses. He's probably had an extensive disciplinary history to reach this point, which means he had ample time to see it coming and set this all up in advance.

                • Re:This is why... (Score:5, Interesting)

                  by jabuzz (182671) on Tuesday July 15 2008, @09:11AM (#24195625) Homepage

                  I would not be so sure. For it to be theft (in the UK at least) there has to be "an intention to permanently deprive"

                  Without this it is not theft. This is why someone who takes a car for a joyride is charged with "Taking without the owner's consent" and not theft for example.

                  Therefore if it is not the employer's intention to permanently deprive the ex-employee of their possessions then it is not theft, and they are in the clear.

      • Re:This is why... (Score:5, Interesting)

        by Anonymous Coward on Tuesday July 15 2008, @08:43AM (#24195131)
        My employer doesn't fire anyone... they just lay them off, with some amount of severance. That way the person has money and can get EI (Employment Insurance - we're in Canada and like to make unemployment seem nicer than it is), and is less likely to try to sue the company for wrongful dismissal or tell everyone about the shady things the company does.

        The employee is usually taken to one of the front meeting rooms under the pretense of an "important staff meeting". As soon as they leave their desk, someone swoops in and piles everything not owned by the company into a box, and takes it to reception. The employee gets their dismissal meeting from their direct boss with someone from HR present, and then they're taken to reception, given their box of stuff, and told to GTFO.

        Network Operations gets the call to reset the ex-employee's password so they can't get in through the VPN (have to keep their account so someone can answer their email, etc), and work goes on.

        The last thing the ex-employee gets to see on the way out is the hot receptionist. Could be worse.

        Sorry for posting anonymously, but I don't feel like getting laid off if someone from work happens to recognize my username.
    • by chipmeister (802507) on Tuesday July 15 2008, @08:02AM (#24194505)
      There was an unsuccessful attempt to fire him. The article also mentions that he was essentially spying on people to learn things being said about him.
      • by Anonymous Coward on Tuesday July 15 2008, @08:53AM (#24195291)

        I've seen this sort of problem...it's really deadly. If you have somebody who has the keys to the entire computer system, is fully willing to snoop into people's personal data, and also is willing to really do some nasty things, you're in a bad situation. If you're going to fire him, do it fast and without warning...he absolutely can't know it's coming. With someone like that, you can't even discuss the issue via email with any other colleagues (i.e., he's probably reading your emails quite regularly).

        If he has any time to stew about things, then odds are he'll set up a variety of back-doors or other ways he can royally mess things up. In the situation I've seen, the boss knew the sysadmin was screwing around...though there was no hard proof, the sysadmin also knew that he was essentially caught. But in his position, he basically had the office by the balls. It's a stalemate...unless you're willing to dump the guy and completely sanitize/overhaul anything he's touched on the network. And of course, who knows how much personal data he's copied off-site in the meantime.

        Gotta post as A/C for this one...

      • by thelexx (237096) on Tuesday July 15 2008, @08:53AM (#24195293)

        Well, if they had nothing to hide then they have nothing to worry about right?

    • by martin-boundary (547041) on Tuesday July 15 2008, @08:15AM (#24194697)
      Nah, they should just reboot the system. That always works, I've seen it countless times in movies.
    • by scuba_steve_1 (849912) on Tuesday July 15 2008, @08:44AM (#24195153)

      Firing someone for poor performance (as opposed to firing someone for a single unacceptable action) takes time....and MUCH coordination...at least everywhere that I have worked.

      In a decently managed environment, the employee knows in advance that his management views his/her performance as unacceptable since the manager has discussed it with the employee and laid out a plan for improvement. Even an average employee could see the writing on the wall weeks/months in advance...but this individual was also using his administrative access to monitor related email messages.

      If his group comprised even a moderately-sized MIS group, you could pull his admin responsibilities and transfer him to a role with lesser rights during the period of performance review and monitoring...but this individual was most likely hired to do this very specific job...and there may not have been another position into which he could transition naturally...even temporarily.

      My question - where are the backup tapes? Pull the tapes from a date prior to his manipulation of the system. Presumably, it should not be that long ago if they were ensuring that at least one other admin had routine access to the system. In such a case, they should have known within 24 hours that he had done something. If, on the other hand, he was a one man show, then I think that they are screwed until he gives up his password...which he will. Mark my word.

  • by dunelin (111356) on Tuesday July 15 2008, @07:53AM (#24194391)

    Next thing you know, we'll have some dinosaurs on the Presidio.

  • Countdown... (Score:5, Insightful)

    by geminidomino (614729) * on Tuesday July 15 2008, @07:58AM (#24194441) Homepage Journal

    Idiotic new law in 5...4...3...

  • Especially when it makes a crime a Felony. That is one of the four felonies charged to him. The other three are all related to tampering with a computer network.

    While this guy is obviously an idiot for thinking he could blackmail a government entity I am quite pleased the security on the system is sufficient to make it hard to get into when strong security is put into place. In other words, nothing annoys me more than so called secured systems having some means of password decryption, let alone the ones that allow admins to see them plain text.

    What is going to interest me is how many years they will attempt to land on him. Just how offensive to society is this type of crime versus murder or rape. It seems that every new crime invented by the government gets stronger penalties than existing ones; if only to make it appear more valid. After all the penalty wouldn't be so severe if it were not really a crime now would it?

    • by damburger (981828) on Tuesday July 15 2008, @08:07AM (#24194571)
      He will probably get a sentence more than a rapist but less than a murderer. The state considers screwing with it the highest crime, far more so than the plebs killing each other, but there is a limit to what they can get away with if they want a quiet life.
  • Job Posting (Score:5, Funny)

    by Anonymous Coward on Tuesday July 15 2008, @08:04AM (#24194531)

    Large municipal department of technology seeking software engineer for a multimillion-dollar computer system. At least 5 years of previous experience required. Must be able to gain administrative access to a system where the password is not known. Hiring immediately!

  • I smell a rat (Score:5, Insightful)

    by stinky wizzleteats (552063) on Tuesday July 15 2008, @08:10AM (#24194619) Homepage Journal
    FTFA:
    "At a news conference announcing Childs' arrest, District Attorney Kamala Harris was tightlipped about what his motive may have been."

    I think there's more going on here than we're being told.
  • by Numen (244707) on Tuesday July 15 2008, @08:10AM (#24194623)

    That director over there, he gets a golden handshake as he goes out the door... You want to keep him sweet because he knows where all your dirty secrets are and could cause all sorts of trouble for your operation.

    The sysadmin, you're going to kick out the door because he's blue collar... Oh, wait a minute... He really does know where all your dirty secrets are and really can bring your operation to its knees. In fact he's far more dangerous going out the door than the exec... pity you didn't think of that.

    Execs are heaved out the door all the time for being incompetent, but it's done with kid gloves because they're deemed to be potentially damaging... And they wear a suit.

    Word of advice: if you're sacking somebody who can bring your operation to a grinding halt, make sure you keep them sweet, regardless of the job they do for your organisation. It's simple business.

  • by Anonymous Coward on Tuesday July 15 2008, @08:11AM (#24194641)

    That's why you run unpatched windows, it will take only 4 minutes to get access.

  • by FudRucker (866063) on Tuesday July 15 2008, @08:11AM (#24194647)
    log in in init 1 (runlevel 1) and change the root password or;

    in /etc/shadow change this:
    root:$2$3bJ7DS4R$rV45lDlqNsfDRntfO1NCk0:14069:0:::::

    look exactly like this:
    root::14069:0:::::
    this and you can log in to root without any password

    maybe other *nixes are close enough to do the same (BSD or solaris)

    on ubuntu the root shadow is a little different since it is disabled with an asterisk:
    root:*:14069:0:::::
    just remove the asterisk
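
The comment above turns on the second field of an /etc/shadow entry: empty means no password is required, while `*` or `!` means password login is disabled. As an added example (not part of the original post), here is a small audit that reports accounts left with an empty password field. The sample lines other than `root::14069:0:::::` are constructed, and the function names are hypothetical.

```python
"""Audit shadow(5)-format text for accounts whose password field is empty."""

# Constructed sample. The first line is the "no password" form quoted in the
# comment above; the hashes below are placeholders, not real crypt(3) output.
SAMPLE_SHADOW = """\
root::14069:0:::::
daemon:*:14069:0:99999:7:::
backup:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14069:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14069:0:99999:7:::
truncated-entry
"""

SHADOW_FIELDS = 9  # name, password, lastchg, min, max, warn, inactive, expire, reserved


def classify(pw_field):
    """Map the password field of one entry to a coarse state."""
    if pw_field == "":
        return "EMPTY"    # no password needed to authenticate as this account
    if pw_field[0] in "!*":
        return "LOCKED"   # not a valid crypt(3) result: password login disabled
    if pw_field.startswith("$"):
        return "HASHED"   # modular crypt format, e.g. $6$ for SHA-512
    return "OTHER"        # legacy or unrecognised value, review by hand


def audit_shadow(text):
    """Return ([(user, state), ...], [line numbers that are not 9 fields])."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            malformed.append(lineno)  # a damaged entry also deserves a look
            continue
        findings.append((fields[0], classify(fields[1])))
    return findings, malformed


def empty_password_accounts(text):
    """Accounts that the shadow file allows to log in with no password."""
    findings, _ = audit_shadow(text)
    return [user for user, state in findings if state == "EMPTY"]


if __name__ == "__main__":
    findings, malformed = audit_shadow(SAMPLE_SHADOW)
    for user, state in findings:
        print(f"{user:10s} {state}")
    print("malformed lines:", malformed)
    print("empty-password accounts:", empty_password_accounts(SAMPLE_SHADOW))
```

Whether an empty field is actually honoured at login also depends on local policy, such as the `nullok` option of pam_unix and `PermitEmptyPasswords` in sshd_config.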
  • Motive and Salary (Score:5, Interesting)

    by Jah-Wren Ryel (80510) on Tuesday July 15 2008, @08:43AM (#24195127)

    Seems kind of funny that the article reports the DA is "tightlipped" about his motive. Makes me wonder if he is 'disgruntled' for a reason that would embarrass the agency if it got out.

    Also pretty funny that they go into great detail about his salary, which seems kind of low to me for the area or at least average. Sounds like they are trying to make him seem unsympathetic in the public eye.

  • Technical background (Score:5, Informative)

    by DF5JT (589002) <df5jt@qsl.net> on Tuesday July 15 2008, @09:00AM (#24195431) Homepage

    For those who wonder what kind of working environment DTIS has:

    PeopleSoft's HRMS 8.x application software.
    PeopleTools 8.4x, PeopleCode, SQL, SQR, COBOL, Application Engine, Oracle and HP/UNIX.
    IBM hosts and DB2
    Microsoft SQL Server 2000

    Just look for open positions and you know what they are running.

    • by gEvil (beta) (945888) on Tuesday July 15 2008, @08:01AM (#24194483)
      We all dream about doing this to our ex-employer, but he's the one who's had the balls to do it!

      No, not all of us do. Especially those of us who don't do things that get ourselves fired.
    • I've been in a position to do this (I was still rooted from home in three systems, and though they changed the passwords, they didn't kick active sessions) and all I did was change the MOTD to "When firing a user with root access, make sure to abort existing sessions."

      Professionalism is key if you expect to be trusted with access to big sexy systems.
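
The gap described in the comment above, where passwords were changed but sessions already logged in kept running, can be checked for during offboarding. As an added example (not part of the original post), this sketch takes `who` output and the time the credentials were reset, and separates the account's sessions into those that predate the reset and those opened after it. The sample output, the account name `jdoe` and the function names are constructed for illustration.

```python
"""Find login sessions that outlived a credential reset, from `who` output."""
from datetime import datetime

# Constructed sample in the default layout of GNU `who`
# (name, line, date, time, optional origin). Addresses are documentation ranges.
SAMPLE_WHO = """\
jdoe     pts/0        2008-07-14 22:10 (203.0.113.7)
jdoe     pts/3        2008-07-15 09:40 (203.0.113.7)
alice    pts/1        2008-07-15 08:02 (198.51.100.4)
jdoe     tty1         2008-07-13 17:55
"""


def parse_who(text):
    """Parse `who` lines into dicts; lines that do not fit are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            started = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M")
        except ValueError:
            continue  # different locale or header line: not a session record
        origin = parts[4].strip("()") if len(parts) > 4 else "local"
        sessions.append({"user": parts[0], "tty": parts[1],
                         "started": started, "origin": origin})
    return sessions


def residual_sessions(text, user, revoked_at):
    """Return (survived, newer) lists of terminal names for one account.

    survived: sessions opened before the reset. A password change alone does
              not end these, so they must be terminated explicitly.
    newer:    sessions opened after the reset, which means some credential
              for the account (a key, a second password, a token) still works.
    """
    survived, newer = [], []
    for s in parse_who(text):
        if s["user"] != user:
            continue
        (survived if s["started"] < revoked_at else newer).append(s["tty"])
    return survived, newer


if __name__ == "__main__":
    reset_time = datetime(2008, 7, 15, 9, 0)  # constructed reset timestamp
    survived, newer = residual_sessions(SAMPLE_WHO, "jdoe", reset_time)
    print("sessions to terminate (predate reset):", survived)
    print("sessions opened after reset (credential still valid):", newer)
```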

    • Re:I had a dream... (Score:5, Interesting)

      by codeButcher (223668) on Tuesday July 15 2008, @08:28AM (#24194867)

      Talking of what people want to do to their employer... There was this large semi state-owned telecomms company (and a much-hated monopoly for very long in our dear country) that I contracted at. This happened after I moved to another job, but I still had contact with a lot of ex-coworkers. Allegedly a middle management type was sacked, and a few days afterwards he came in again (no idea how he got past various access controls) to (literally) make a stink: he had several shopping bags containing excrement (human, apparently, though it probably was not all his own), which he managed to smear across his own as well as his ex-boss' desk and office wall before being apprehended. Now the office building was one of these modern new agey glass and concrete monstrosities and consisted of 4 floors of open plan desks, with a large opening down the center the same shape and size as the huge lobby and indoor garden on the ground floor - thus no way to contain the "spill".

      Apparently, this is one of the more widespread fantasies employees at that place have.

      Not to give anyone any ideas or anything....

    • by DoctorFrog (556179) on Tuesday July 15 2008, @08:33AM (#24194931)

      I didn't actually intend to. This was about 15 years ago. I got hired to take care of payroll at a warehouse, which was a completely paper-based process. I suggested that I could transfer the whole operation onto a computer and be more efficient. They said go ahead, but for security be sure to password protect it.

      It ended up taking me only a couple of hours to do what had been an all-day job, and naively I told them this and suggested that there were other areas of operation in the plant I could similarly improve. Instead, the next day they canned me - they wouldn't say why, only "It just isn't working out."

      The day after that I was glumly poking through the classifieds when I got the call

      "Hi, how are you doing?"

      "Well, I'm unemployed. That doesn't help."

      "Ah, yes... well. Say, you know your payroll system? It's password protected."

      "Yes, I know. You asked me to do that." A little bubble of joy started in my chest.

      "Well, could you tell me what the password is?"

      "I could... but I don't work for you any more, do I?" Then I hung up.

      Oh, all the raw data was still available on paper, but I'll bet it took them weeks to straighten it all out completely.

    • Re:I had a dream... (Score:5, Interesting)

      by afidel (530433) on Tuesday July 15 2008, @08:33AM (#24194943)
      This isn't nearly the worst I've heard of though. The worst was a guy who locked all accounts, deleted files, and placed a high strength magnet in the tape drive so when they went to restore they screwed up the backups. That company went out of business AFAIK and the loser involved served jail time and worked for the rest of his life to try to repay the owner.
    • Re:Frankly (Score:5, Insightful)

      by damburger (981828) on Tuesday July 15 2008, @08:02AM (#24194511)
      Why the hate towards the public sector? I have found the exact same shit going on in private companies, many of them quite successful.
        • Re:Frankly (Score:5, Insightful)

          by damburger (981828) on Tuesday July 15 2008, @08:15AM (#24194701)

          A reputation, based on people with a serious ideological axe to grind. Blind faith in the market producing magical efficiency gains is contrary to everything I have seen during my professional life, both in the public and private sector. From my perspective, I have never seen one bit of evidence to show there is any truth to it outside the imaginations of Tory politicians.

          Furthermore, people like you who are so besotted with 'market forces' did attempt to introduce them to public services in the UK, and it has been an unmitigated disaster. The inability of internal prices to truly reflect the quality of services has resulted in huge waste, massive bureaucracy and a decline of standards. Now, the ideologues are at it again trying to push for a new round of 'targets' in the NHS. They never learn.

            • Re:Frankly (Score:5, Insightful)

              by damburger (981828) on Tuesday July 15 2008, @08:35AM (#24194975)

              In the scenario you describe, the streets would become choked with dirty, unsafe buses and traffic would grind to a halt. This, in fact, happens.

              Like so many market fundamentalists, you just can't see how easily your ideology falls flat on its face in the real world, or you would've seen the flaw in your own argument.

              You are essentially laying all inefficiency at the feet of the 'state' - i.e. any actor that isn't an entrepreneur - and then using that as 'proof' that the entrepreneur is more efficient. This is what people smarter than you refer to as 'circular logic'.

              Perhaps, when you've grown up, experienced the real world a bit and stopped reading Ayn Rand's bullshit, you might get a clue.

    • by Anonymous Coward on Tuesday July 15 2008, @08:06AM (#24194557)

      If you need a recognized code of ethics to tell you that sabotaging your ex-employer's system isn't right, then no code of ethics can help you. Unfortunately this guy screws it up for all of the honest techs who work hard to earn the trust which they need for doing their jobs.

    • TERRORISM?! (Score:5, Insightful)

      by Nimey (114278) on Tuesday July 15 2008, @08:58AM (#24195377) Homepage Journal

      Get fucked, asshole. The last thing this country needs is for butthurt pussies to define another ordinary crime as "terrorism" because they think a particular perp should be punished more "as an example" or because they're afraid.

      This is not terrorism. It's an act of sabotage by one individual (who should undergo a psych eval) who should be prosecuted to the extent of the law, and to a lesser extent it's a failure of leadership for his bosses.

    • by bberens (965711) on Tuesday July 15 2008, @09:23AM (#24195821)
      This guy is the reason the rest of us have to deal with such draconian security measures around the office place. He has made life worse for everyone he works with and everyone whose CEO reads about this in the newspaper.