The criminal, digital divide

So after I wrote about the San Francisco network hostage situation yesterday, I started thinking a bit more about this situation. Based on all the data I've found in the press, it certainly appears that Terry Childs changed the passwords on some number of network devices within the city's network. If there's more to this story (such as the rumors that he was a DBA and this was an Oracle sabotage job), then we move into a completely different ballpark. As it stands now, using the information publicly available, what Childs has done could be considered a juvenile prank, not an attempt to sabotage the network and cause real damage.

Again, we're assuming here, but even if we remove the specifics and make this a hypothetical case, there are many, many miles between changing the passwords on the core and edge switches and, say, dropping a dozen databases.

Unfortunately, to the public at large, there isn't much of a difference. To a normal computer user, the phrases "he maliciously altered the AAA mechanisms in the city's network to prevent access" and "he issued queries damaging to city data repositories" are basically the same thing. Of course, they're miles apart in damage done, but to folks who struggle with spyware and anti-virus tools (and sit on juries) they might as well be the same thing.

In a comment on my previous post on this issue, a user named 'der golem' summed it up nicely:

"Okay, I won't pretend I understand everything you wrote here, but there is something really alluring and provocative about tech speak."

"Alluring" might not have been the word I would have chosen, but the point is that the law deals with common crimes like theft with offense levels. There's petty larceny and grand larceny, for instance. What Childs did may actually violate any number of other laws, possibly even anti-terrorism laws since it involves a city government. If all he did was change those passwords, then it's likely that he'll be charged with crimes that don't match the events, simply because the case centers around a computer network.

Sten, another commenter on that post, had another point of view (and one that's quite common):

"Entelleghent [sic] mangers always love exaggerating the actual proportions - it's a management trick they call "risk management" - you pretend to have a huge problem; if the problem is small and solved fast - you're a genius hero; if the problem turned out to be complex - you can say 'I told you so'"

This is definitely true -- underpromising and over-delivering aren't bad things, necessarily, but for city government officials to do so publicly, while the man accused of the crimes is in jail, isn't really appropriate.

Again, this is all speculation and hypotheticals since I don't have enough information on the specifics of the Childs case to come to any meaningful conclusion. I would love to have more information on this case, however. If anyone has anything more detailed than what's been released to the press, I'd love to hear it.

Given the facts known, Childs certainly did something he shouldn't have, but unless he dropped a logic bomb in the network, it's barely a bump in the road.

If you really wanted to make a point and mess up the network, there are many better ways to do it. You could place a box near the core somewhere that randomly swaps bits in the datastream. That would certainly cause problems, but would also be discovered quickly.

Better yet, write a few database queries that randomly swap numbers and letters in various database fields. If that script started out slow and then grew in scope over days and weeks, it's likely that by the time the problem was discovered, most of the backups would already be tainted, and anything using that database would be basically unusable. For a municipal government, the data loss and time required to fix that problem would be significant, to be sure. Most or all criminal and tax records would be compromised and chaos would ensue. Interestingly, I wrote about this very scenario several years ago. The cost to fix problems like that would carry a heavy price tag, indeed. Maybe even millions of dollars.

Don't get me wrong -- I'm not defending Childs' actions in any way, shape, or form, I'm just pointing out that there's a world of difference between letting the air out of a car's tires and wiring a bomb to the ignition switch.
