The documents claimed that he had installed sniffers on the network, but of course there are sniffers on most large networks, installed by their administrators.
One statement made in the original affidavit for Childs' arrest warrant claimed that Childs' pager went off after he had surrendered it to DTIS officials, and that the page was "sent from one of the routers on the network." This was portrayed as proof that Childs had remote access to the network and was thus a danger. This was a key fact in the arrest warrant, even though it's far more likely that this page was from the network monitoring application What's Up Gold, which Childs used to keep tabs on the network. In fact, Childs states that at least one of the modems found in his workspace existed for just that purpose. This is an extremely common form of network monitoring, and not a subversive action.
Throughout the court documents, the city offers very little of technical substance relative to Childs' actions. To those unfamiliar with the intricacies of network architecture and administration, many of their claims would seem to be clear evidence of wrongdoing, but in reality, are common practice in networks the world over.
A claim that could backfire. In another twist to this case, the city may have undermined its case against Childs. In the court document opposing Childs' bail motion, the city claims that Childs had "installed three modems that were connected to the FiberWAN networks, two in the locked room he maintained and a third in a locked cabinet near his cubicle. Cisco engineers have indicated that the types of modems the Defendant installed bypass logging, auditing, and security measures of a secured network. Further, anyone can gain access to the network by dialing into these unsecured modems, risking the security of the network." The city also claimed that Childs could have access to more than 1,100 other devices, including routers, switches, and modems, and possibly wireless access points.
But if "anyone can gain access" to the network, and none of these actions could be logged or audited, then it's entirely possible that "anyone" -- not necessarily Childs -- could have accessed the network at any time and made any number of changes to network devices, before Childs' arrest or while he was in jail.
Where Terry Childs seems to have gone off course
As questionable as many of the city's claims are, many of Terry Childs' actions also raise legitimate red flags.
For example, the city's court filings claim that police found an ID badge and access card of one of Childs' colleagues in his house, and that Childs had lists of usernames and passwords of other city employees, including his direct supervisor, Herb Tong. Childs' having these materials is difficult to justify, if true. The city's statements on Childs' network configurations indicate that his approach to network security bordered on raw paranoia.
From all accounts, Childs believed San Francisco's FiberWAN network was his baby, and that refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most important, himself. That belief may have led him astray.
No clear winner, but a clear loser: San Francisco
Despite all the uncertainties and questionable claims one thing has become apparent: There was obviously a tremendous lack of oversight in San Francisco's IT department. There was also a lack of support for DTIS employees, and with staffing reductions, it seems that they were operating with less staff than they needed, and less skilled staff as well. This is the likely cause of Childs' position as the sole administrator to the FiberWAN network.
Only Childs knows for sure, but those who claim to know him indicate that Childs put up with political games, staff reductions, incompetent coworkers, and a hostile work environment for as long as he could, and then tried to get away from it as best he could. He very well may have been insubordinate in doing so, but based on the public evidence so far, it is hard to believe that he actually intended to orchestrate the destruction of the city network.
A former county supervisor and the current systems manager for San Francisco's human resources department provided affidavits in Childs' bail hearing, supporting Childs. "All he wanted to do is protect the system," wrote former supervisor Ben Hom. "I do not believe he would do anything to compromise the safety and performance of the network to which he has dedicated his life," wrote HR systems manager Peter Stokes.
What's happened since indicates that Childs' apparent concerns about the city damaging the network if it had access may not have been so far off base.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.