I've finally received some information from the city's court filing opposing the reduction in bail for Terry Childs. It's a frankly disturbing account of events and scenarios.
First, according to the city, Childs did configure some number of routers and switches with 'no service password-recovery', which would prevent anyone from recovering the passwords on those devices without losing the IOS image and configuration. In addition, he also removed the startup configuration from some number of devices, leaving them operational on the running config alone, which would be lost during a power outage or reboot. If this is true, and this was done on the core network gear, then Childs was definitely up to no good -- nobody does that.
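As an added illustration (not code from this post or from the court filing), here is a small audit script that flags, from a Cisco IOS configuration capture, the two conditions described above: 'no service password-recovery' present in the running config, and a startup configuration that is either missing or out of step with the running config. The sample configs are constructed, and the "startup-config is not present" wording is assumed to be what IOS prints when no startup config exists.

```python
import re

# Constructed sample captures (not from the court filing) of what an operator
# would see from "show running-config" and "show startup-config" on Cisco IOS.
SAMPLE_RUNNING = """\
Building configuration...
version 12.4
no service password-recovery
hostname core-rtr-1
enable secret 5 $1$EXAMPLE$placeholderhash
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
end
"""

# Assumed IOS wording when the startup config has never been written or was erased.
SAMPLE_STARTUP_MISSING = "startup-config is not present\n"

# A startup config saved before the risky change was made to the running config.
SAMPLE_STARTUP_STALE = """\
version 12.4
hostname core-rtr-1
enable secret 5 $1$EXAMPLE$placeholderhash
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
end
"""

# Lines that carry no configuration content: IOS banners, comment markers, blanks.
NOISE = re.compile(r"^(Building configuration|Using \d+ out of|Current configuration|!|\s*$)")


def config_lines(text):
    """Return the meaningful lines of a config capture, dropping banners and comments."""
    return [ln.rstrip() for ln in text.splitlines() if not NOISE.match(ln)]


def audit_ios_config(running, startup):
    """Return a list of findings for one device given its running and startup configs."""
    findings = []
    # Condition 1: password recovery disabled, so regaining access means losing
    # the configuration (and, as the post notes, the IOS image).
    if re.search(r"^no service password-recovery\s*$", running, re.MULTILINE):
        findings.append("password recovery disabled: regaining access erases the device configuration")
    # Condition 2: nothing in NVRAM, so a reload or power loss drops the whole running config.
    startup_absent = startup.strip() == "" or "startup-config is not present" in startup
    if startup_absent:
        findings.append("no startup configuration: entire running config is lost on reload")
    else:
        # Startup exists but lags the running config: these lines vanish on reload.
        unsaved = sorted(set(config_lines(running)) - set(config_lines(startup)))
        if unsaved:
            findings.append("running config has %d unsaved line(s): %s"
                            % (len(unsaved), "; ".join(unsaved)))
    return findings


if __name__ == "__main__":
    for label, startup in (("no startup", SAMPLE_STARTUP_MISSING),
                           ("stale startup", SAMPLE_STARTUP_STALE)):
        print(label)
        for finding in audit_ios_config(SAMPLE_RUNNING, startup):
            print("  -", finding)
```

Run against a directory of captures, a script like this gives an inventory of which devices would not survive a reboot and which would punish a password-recovery attempt, which is exactly the information the city seems not to have had.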
Much ado has been made of modems (some of it by me, today), but the court document only discusses a few modems in his work area. It does reference "1100 different devices, routers, switches, modems, etc scattered throughout the city's offices". This is far, far more likely than 1,100 modems, but is still an enormous number of devices that the city apparently doesn't know about, or lost track of. It's incredible to me that any infrastructure of any size could have 1,100 unknown "routers, switches, modems, etc" that only one employee knows about or has access to.
[ Follow the Terry Childs saga with InfoWorld special report: Terry Childs: Admin gone rogue. ]
This document also outlines various methods that Childs could have used to gain access to the FiberWAN, including "wireless access devices to different departments". These are not actually detailed; the document only alludes to references to them found during forensic analysis.
It's odd the way this document uses common terminology. They describe "access points" throughout the document, but I don't believe they mean wireless access points, rather, individual ports or subnets on the network. My prior speculation that this was the secondary information provided to Mayor Newsom on Monday appears to be correct -- they had to connect to the network from a specific subnet or IP address.
There are also references to a terabyte of information stored on various encrypted storage devices. The city has not been able to gain access to this information, however. I'm assuming that the total size of these devices is one terabyte, not that there's a terabyte of actual information there.
Also, inexplicably, the city discusses the fact that lists of usernames and passwords were found in Childs' work area and home. Not only do they discuss these lists, but they entered them into evidence unredacted. These are not user account logins and passwords, but rather what appear to be a list of VPN group names, passwords, and associated subnets -- a document that anyone who built a VPN concentrator would have. By themselves, they would not be enough to allow anyone to access the network via VPN, but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.
The city also maintains that Childs had more usernames and passwords, including the password of his supervisor. He also apparently had installed sniffers on the network (as had been reported earlier) but no real detail is given.
The city also claims to have found network diagrams, configurations, and other documents regarding the FiberWAN at Childs' home, along with a 9mm clip and .45 caliber ammunition. They do not mention finding any firearms, however. The fact that he had documentation isn't really relevant to me; it was his job, after all.
There's more in these documents, and I'll do a follow-up post tomorrow with more information. Suffice it to say, this document provides a morsel of information, but leaves large numbers of questions unanswered. Perhaps the most important one for me is how do you protect a crime scene, when that crime scene is a crucial network -- a network that the police are actively using while trying to investigate this case?
For instance, they can claim that the configurations were not saved to flash, but how can they really prove that?