My main concern on the Childs matter is that the case against Childs may be built around a profound lack of understanding of the technology involved. To those outside of IT, a statement in court that the defendant "was watching everything on the network, including information regarding city government, the police, and private emails between government officials" sounds extremely sinister. However, the reality of that statement is far more likely to be that the defendant operated an IDS on the network for security purposes. Nobody in IT would think twice about it, but a jury packed with people who have no real concept of how computers and networks function, much less how large networks are built and maintained, might have a different view, regardless of reality.
Recently, I received a very well written email regarding the Childs case. The author wishes to remain anonymous and his words are his own, though they do channel the vast majority of the emails I've received on this subject. I thought it quite well put.
--
I have been working on computers since before the P.C. was invented. I have also been engineering networks since the thick net days. I'm not saying I agree with what he did, but a lot of it looks like a dedicated (slightly paranoid) admin who did not want anybody to screw up what he considered to be his baby.
1. The only access to the core devices was from a terminal at the Hall of Justice. - Hmmmm... I need to have an access point to get to the core of a city-wide network that is being de-centralized. Where can I put it that is safe? Maybe at the police department? It would take some big brass ones to break in there and try to access the core...
2. He photographed the individual that was removing devices from desks in an unannounced, after-hours audit. - If I am rubbing people the wrong way at work, I am going to want evidence of what was happening if I get dragged in front of a review board.
3. He had the routers set to self-destruct on a reboot. - No, he was just overly paranoid. You and I both know you can't remember the configs for the routers in your head. He has them somewhere so that he can reload them. I am pretty sure that in the past few months he has had to reload at least one device and I can bet he didn't do it by hand. Not sure why he won't tell them where he keeps them though.
4. All of his data was stored on encrypted devices. - So is mine. Not because I'm hiding anything, but because it is a requirement from central IT. The drives are encrypted. Big whoop. Generate the override key on the servers and get the data. (He wasn't a server admin so I am assuming some other admin has the ability to override the keys.)
5. Access points at other locations - If you de-centralize a system, you have to have the ability to manage the physical network inside each logical network. You need a way to get in and fix it.
6. He had an IDS that monitored the network. - Hell, I've got hundreds of IDS systems. And yes, one is set to look for other IDS systems that may be trying to probe the device at the core. Security doesn't stop at the border. If you are decentralizing the process, you need to make sure that the admins of the resulting networks do not start playing with what is left of the central network. If they do, and make a mistake, it can affect everybody. Seen it happen too many times.
7. The request to keep bail mentions he accessed another network the day before he was fired. Funny how it didn't point out that the investigator in the original filing said it was so he could perform 'requested maintenance' on a system at the Sheriff's Office.
8. He has password lists of other users. - I have them from when I originally generated a password for a new system. And I will admit, I even have some of the problem users' passwords so when they lock themselves out of a system each Monday I can get them back in.
9. He had diagrams and configs of the network at his house. - I'm sure if you dug through my stuff you would get a great lesson in the evolution of networking. When I design a complicated network, I am proud of it. I always keep copies. (Plus I work too much and don't clean out my home office very often.)
10. Why are they making such a big deal about the pager? If I had an admin that didn't have pager notification on the status of devices I would probably fire him. And he better have access from home. I'm not paying a 2 hour travel bonus for a fix that should take 5 minutes. (And I'm not driving 2 hours to fix something that takes 5 minutes to fix either.)
--
To me, this is the central thrust of the case, so far. Childs may very well be guilty of something, but if he is, I want to be completely sure that his crime is an actual crime, and not an overhyped fabrication. To see a prosecutor pointing to his pack of matches and declaring him an arsonist, so to speak, would do no good for IT in general.
This case will set precedents, if it ever gets to trial. It would be a sad day indeed if network admins could be arrested for using 'no service password-recovery'. Actually, it could get worse -- if his security measures are the very petard that he's hoisted upon, then the ramifications for security professionals everywhere may be severe.
Childs is innocent until proven guilty, and if there is viable, accurate, and non-hyperbolic proof that he intended to cause the failure of the network, then he should be convicted. Just don't send him up for trying to secure it.