Could the Childs case put all network admins in danger?

If Childs is convicted of some charges actually brought against him, any network admin could go to jail for doing their job

Later this week, San Francisco's infamous network admin Terry Childs will appear in court after his last hearing date was postponed for two weeks at the request of the San Francisco District Attorney. This hearing is fairly critical to the DA's case, as it will essentially determine the viability of the case going forward. If the court sides with Childs at this hearing, the case is over before it even begins.

To clarify exactly what's going on here, I figured I'd take a look at the four charges that the DA has brought against Childs. The first charge is "disrupting or denying computer services." Counts 2 through 4 involve "providing a means of accessing a computer, computer system, or computer network in violation of section 502." There's one such count for each of the three modems in his workspace or otherwise under his control. Two of these modems were actual analog modems, and the third was a DSL modem connected to the Internet.

What's interesting here isn't the charges themselves, but the charges that are missing. Namely, the charge of sabotage, computer tampering, or the like. Apparently the very allegation that's kept him in jail for seven months wasn't strong enough to be presented to the court as a charge.

So let's look at the charges that have been presented. The first, "disrupting or denying computer services," describes a DoS situation whereby an individual has knowingly and purposefully caused an outage or disruption of a computer service.

Had the San Francisco FiberWAN gone down due to Childs' actions, this would certainly apply. However, it did not. In my mind, this charge is wholly inaccurate as it relates to my knowledge of the case.

I suppose the validity of this charge depends on your definition of "services," however. Generally speaking, this section of the penal code was developed to be used in cases where a bad actor intentionally attacked a Web site or other resource with the goal of taking the site or resource down. Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN; it prevented the network from being modified or extended for that period of time. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.

The other three charges focus on the modems. Childs has stated that the modem presented in count 2 was connected to a computer running What's Up Gold and was used to page him on his city-issued pager when a problem was detected. At the risk of stating the obvious, nearly every single network in existence has a setup similar to this, whether it's a physical modem or an e-mail-to-SMS gateway or something similar. This is as common to network administration as routers and switches.

The second modem, or count 3, was a DSL modem connected to an ISP. Childs has stated that this modem predates his employment with the city. He inherited this modem, and it was used to test VPN connections and any number of other resources. Again, this is an extremely common scenario, found in networks all over the world. Childs states that this circuit was not connected to the FiberWAN.

The third modem, or count 4, is slightly murkier, but not significantly so. Childs states that this modem was used to communicate with the city's disaster recovery site located on the other side of the country. As you might expect for a large city sitting on a seismic fault line, San Francisco operates an emergency datacenter on the East Coast. According to Childs, this last modem was used to communicate with that site, with the assumption that the data networks would be down but analog communications might still be viable. This isn't as common a usage, but is in no way odd or otherwise questionable.

Childs' explanations for his actions that led to counts 2, 3, and 4 are backed up by his former assistant, Glacier Ybanez, who has also stated that the modems referenced in counts 3 and 4 were used for exactly the purposes stated by Childs. That leaves the What's Up Gold modem, which is a nonissue to anyone with an inkling of experience in networking.

These are the charges that the San Francisco DA has brought against Childs. Everything else -- the claims of sabotage, the network diagrams found at his house, etc. -- is now nonexistent, legally speaking. If Childs is convicted of one or more crimes, they will be related to these four charges.

If Childs is convicted, it's not a stretch to think that this precedent will carry over to other cases. Say you're a network administrator and someone wants to get you fired. All they have to do is point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.

In fact, if Childs is convicted of the first count for withholding passwords, it could be argued that if any network administrator fat-fingers an AAA (authentication, authorization, and accounting) configuration in a router, rendering it inaccessible for management but otherwise functioning normally, that admin has committed the same crime, albeit through negligence. Of course, you could push that too and argue about the admin's state of mind at the time.

Similarly, if Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime." You might as well start arresting carpenters for carrying hammers and saws because they could be used as weapons.

If nothing else about this case worries you, that should. As Bruce Schneier said in a recent interview with IDG News Service reporter Robert McMillan, "A lot of stuff sys admins do is based on trust; the difference between someone in your house who is a burglar and a cleaning person is trust."

Copyright © 2009 IDG Communications, Inc.