Followup: San Fran Network Guru Coughs Up Key for Mayor

Last week I wrote about Terry Childs, the jailed network administrator for the City of San Francisco who, if the press is to be believed, went nutty, changed the admin passwords, and then locked everyone out of administration of city systems.  It was the cyber equivalent of swallowing the key.

In a twist to this story, Childs remained silent, vowing only to disclose the true passwords to Gavin Newsom, the young mayor of San Francisco.  In a secret jailhouse meeting between Childs and Mayor Newsom, the true passwords were disclosed, and Mayor Newsom then passed the information to the current staff in the Department of Technology.  Access has now been restored to those admins who had been locked out.

From the SFGate here:

The San Francisco computer engineer accused of withholding access codes to the city’s network surrendered the password during an unusual jailhouse visit by Mayor Gavin Newsom.

Newsom came away with the access codes Monday night after talking with Terry Childs, 43, of Pittsburg, who has been held since July 13 on four felony counts stemming from what prosecutors describe as an effort to block administrative access to the network that handles 60 percent of the city’s information, including sensitive law enforcement, payroll and jail booking records.

Ron Vinson, the chief administrative officer for the Technology Department, said Newsom hadn’t told him about the jail visit in advance. “But we are glad he was successful in getting the codes, since no one else has been able to,” he said, adding that officials expected to have full control of the computer network soon and to generate new passwords for administrators.

In my post last week, I speculated that there was much more to this story than was being reported in the press.  And apparently, I was right.  According to the rest of today’s article in the SFGate, Childs locked the network in an effort to prevent unauthorized malicious tampering by his coworkers, and he says he intends to prove this in court.  And as there was no one else above Childs in a CIO position, he was not authorized to disclose the passwords to anyone else.  Only the Mayor had the authority to ask for and receive the passwords.

Childs’ Defense attorney, Erin Crane said of her client:

Childs had been the victim of a “bad faith” effort to force him out of his post by incompetent city officials whose meddling was jeopardizing the network Childs had built. At one point, she said, Childs discovered that the network was at risk of being infected with a computer virus introduced by a colleague.

“Mr. Childs had good reason to be protective of the password,” Crane said. “His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it … and shown complete indifference to maintaining it themselves.

“He was the only person in that department capable of running that system,” Crane said. “There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to.”

“Mr. Childs intends to not only disprove those charges, but also expose the utter mismanagement, negligence and corruption at (the Technology Department) which, if left unchecked, will in fact place the city of San Francisco in danger.”

I hope Terry Childs has the cash to continue his defense.  He will certainly need it.  He may also wish to consider claiming whistleblower status in order to preserve his job, if that is even still an option.

One thing is clear, however.  The fact that Childs was able to do this proves that San Francisco is not following best practices for computer security, as is required of them by the Department of Homeland Security.  And if San Francisco is ignoring cyber requirements for securing critical infrastructure, it begs the question-  What else is San Francisco ignoring that DHS is requiring them to maintain, such as evacuation plans and disaster recovery operations?  Given that San Francisco is prone to natural disasters, will they have the same level of preparedness that New Orleans did?