Where San Francisco seems to have made dubious claims

Once Childs was arrested, the claims against him began to mushroom. Many don't hold up to scrutiny.

Exaggerated claims of jeopardized systems. The city's legal justification for the arrest was the fact that Childs refused to give the passwords to DTIS officials, which effectively locked them out of administering their own network. But in the press reports that soon surfaced, statements ascribed to city officials made it appear that some or all of the data on the network was in jeopardy, including e-mail, 311 service (the one-stop phone number for residents to get help on city services), and law-enforcement applications. But these services do not appear to have ever been jeopardized. And Childs' influence over this network did not appear to extend to these services, only to the network itself.

Also during the bail motion proceedings, the city provided new documents that it claimed showed Childs was a threat to others and the city network. To back up these claims, the city offered evidence collected from Childs' computers, including a document labeled Exhibit A, which was an unredacted list of 150 VPN groupnames and passwords.

Access to VPN data portrayed as malicious. The portrayal of the VPN information suggested that Childs should not have had this documentation, even though he was the city's lead network admin and apparently had to maintain these lists as part of his job. But entering the VPN information into the court records made them public—the San Francisco district attorney's office committed a significant security breach, opening up VPN access to anyone who cared to look at the document. Although the passwords alone were not enough to provide complete access to the city networks, they did constitute one part of the VPN's two-phase authentication configuration.

Nearly two days after the DA's office divulged these passwords to the public, DTIS changed all the passwords, locking everyone out of the city VPN services until they had reconfigured their client to the new passwords. Ironically, this was the first time the city network failed since Childs' arrest.

Contradictions over FiberWAN device access. Also, until these court filings on the bail issue, the city had claimed it could not access the FiberWAN network's devices. But four days before that bail hearing, the city claimed it had scheduled a power outage at the 1 Market Street datacenter. That power outage would have affected routers and switches running the FiberWAN network. In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers. A local news report stated that "experts caught the problem in time and transferred data to permanent files, [Assistant DA Conrad] del Rosario said."

This statement contradicts the city's stance that it had no access to these routers, as there is no way it could have written those configurations to flash, or save them anywhere, on July 19 if it could not access the devices. By the city's own admission, it did not have that access until after midnight on July 21, two days after this shutdown was scheduled.

Other news reports have stated that the city cancelled the shutdown when it learned that the network had been "booby-trapped." But again, without the passwords, the city could not have known the state of those routers, nor could it have known whether the configurations were saved to flash memory.

The city also highlighted the fact that Childs had a copy of the datacenter shutdown memo in his workspace, and presented this as evidence that he had planned to cause the network to fail. Given Childs' 24/7 support responsibilities, it's far more likely that he had the memo because it was sent to him because he had those duties.

Common practices portrayed as nefarious. The documents filed by the city in opposition to Childs' bail reduction contained many vague references and claims of nefarious actions. But to those with experience in network administration, many of these activities seem like common practice.

For example, the documents portrayed the fact that Childs had configured some number of routers to disable password recovery as a subversive action, when it's common to use that function to secure routers and switches that cannot be physically secured.

They also stated that Childs had several modems in his workspace, hooked up to computers, and that Childs used these modems to access the network remotely without logging or auditing. It seems much more likely, however, that they were used as dialup/dial-back access for Childs to perform emergency work during off-hours.

The documents claimed that he had installed sniffers on the network, but of course there are sniffers on most large networks, installed by their administrators. For years, Cisco has manufactured sniffers specifically designed to be placed within network cores, and the use of such devices is not just common, they're almost mandatory as a best practice.

One statement made in the original affidavit for Childs' arrest warrant claimed that Childs' pager went off after he had surrendered it to DTIS officials, and that the page was "sent from one of the routers on the network." This was portrayed as proof that Childs had remote access to the network and was thus a danger. This was a key fact in the arrest warrant, even though it's far more likely that this page was from the network monitoring application What's Up Gold, which Childs stated that he used to keep tabs on the network. In fact, Childs states that at least one of the modems found in his workspace existed for just that purpose. This is an extremely common form of network monitoring, and not a subversive action.

Throughout the court documents, the city offers very little of technical substance relative to Childs' actions. To those unfamiliar with the intricacies of network architecture and administration, many of their claims would seem to be clear evidence of wrongdoing, but in reality, are common practice in networks the world over.

A claim that could backfire. In another twist to this case, the city may have undermined its case against Childs. In the court document opposing Childs' bail motion, the city claims that Childs had "installed three modems that were connected to the FiberWAN networks, two in the locked room he maintained and a third in a locked cabinet near his cubicle. Cisco engineers have indicated that the types of modems the Defendant installed bypass logging, auditing, and security measures of a secured network. Further, anyone can gain access to the network by dialing into these unsecured modems, risking the security of the network." The city also claimed that Childs could have access to more than 1,100 other devices, including routers, switches, and modems, and possibly wireless access points.

But if "anyone can gain access" to the network, and none of these actions could be logged or audited, then it's entirely possible that "anyone"—not necessarily Childs—could have accessed the network at any time and made any number of changes to network devices, before Childs' arrest or while he was in jail.