Some observations on the next round of motions in the Terry Childs case

The latest filing by the City of San Francisco in the Terry Childs matter features more technical inaccuracies and raises many more questions

Yesterday, I was talking with Bob MacMillan about the new information from the San Francisco DA's office. He wrote a piece based on some of this information. One of the key elements of his story is the new claim by the prosecution that Childs has a "terminal server" on the network that they discovered a few weeks ago. They claim that although they've detected its presence, they cannot physically locate it. They do believe it is located at the 1011 Turk St. location, however. They support this claim with a Windows cmd window screenshot that shows the results of a telnet session to what appears to be a device running Cisco IOS. They do not state whether the device was discovered from within the network or from the outside.

I've been trying to figure out the set of circumstances that would prevent anyone who had access to the network devices from physically locating this device. I'm not having too much luck. If you can telnet to it, you can easily locate the switch and port that it is connected to. From there, it should be pretty straightforward to physically find the device, especially since it appears to be a Cisco router or switch and not a PC. But even though the DA's office presented this as evidence that Childs could still gain access to the network through this device, and they specifically call it a terminal server and specifically state that Childs could gain remote access in this way, they have no idea what it actually is. From what I can see, it's a device running Cisco IOS that was accessed via telnet. I could generate an identical screenshot to the one entered into evidence in about five minutes using an elderly Cisco 2924-XL Ethernet switch -- a device that's certainly not a terminal server. It's completely unclear to me how they could have possibly come to the conclusion that this is a "terminal server" -- the evidence presented to the court certainly does not support that theory.
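The lookup the paragraph above describes (telnet-reachable IP, to its ARP entry, to the switch port in the CAM table, following any uplink to the next switch until the address sits on an edge port), as an added Python example that is not code from the article; the switch names, addresses and command output are constructed sample data in Cisco IOS `show` format.

```python
import re
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)
# Constructed sample 'show ip arp' output from the core switch (not real data).
CORE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.77             12   0011.2233.0077  ARPA   Vlan10
"""

# Constructed per-switch 'show mac address-table' output; the core learns the
# MAC on an uplink, the access switch on a single edge port.
CAM = {
    "core-sw": """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.0077    DYNAMIC     Gi0/24
  10    0011.2233.0042    DYNAMIC     Gi0/3
""",
    "turk-sw1": """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.0077    DYNAMIC     Fa0/17
""",
}

# Constructed CDP neighbor map: (switch, local port) -> neighbor switch (an uplink).
CDP = {("core-sw", "Gi0/24"): "turk-sw1"}

def ip_to_mac(arp_output, ip):
    """Return the MAC bound to ip in 'show ip arp' output, or None (skips Incomplete)."""
    for cols in (line.split() for line in arp_output.splitlines()):
        if len(cols) >= 4 and cols[1] == ip and MAC_RE.fullmatch(cols[3]):
            return cols[3].lower()
    return None

def mac_to_port(cam_output, mac):
    """Return the port on which mac is learned, or None."""
    for cols in (line.split() for line in cam_output.splitlines()):
        if len(cols) >= 4 and cols[1].lower() == mac:
            return cols[-1]
    return None

def locate(ip, sw="core-sw", max_hops=8):
    """Follow the MAC hop by hop; return (switch, port) or None if untraceable."""
    mac = ip_to_mac(CORE_ARP, ip)
    for _ in range(max_hops if mac else 0):
        port = mac_to_port(CAM[sw], mac)
        if port is None:
            return None
        if (sw, port) not in CDP:    # no switch behind this port: device is here
            return sw, port
        sw = CDP[(sw, port)]
    return None
```

On a live network the three tables come from the switches themselves; the logic is the same, and a port with a CDP neighbor is never the final answer.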


Also, the prosecution continues to blur the terminology. They continue to use the term "modem" indiscriminately, including a reference to a "VPN modem" in one section that appears to be a reference to a VPN concentrator. They then claim that this VPN "modem" provided sufficient remote access capabilities to allow admins to work on the network remotely, completely ignoring the fact that if the network is down, the only way to get into the routers and switches is by dialing into the attached modems, since the VPN connection would not be functional. VPN and non-PPP router dial-in access are two completely different things, and serve two completely different purposes. Emergency remote dial-in is the main purpose of the AUX port on Cisco routers and switches, after all.

This document is simply chock-full of technical errors. Whether these originated from the DA's office or from the consulting companies that have cost the city $1 million, I don't know, but there's definitely a breakdown somewhere. To have this level of misinformation repeatedly presented to the courts is either terribly embarrassing or terribly misleading, or both.

There are also statements in the filing that point out that the network devices were only accessible from certain places within the network. They claim this as another example of malfeasance on the part of Childs, saying "Thus, even possessing the passwords were [sic] not enough to regain control of the network, but one had to know where to go to communicate with the network's core devices." Using ACLs to protect against intrusion is standard operating procedure. This is what access-classes on VTYs are for. They then claim that this was a "single point of failure," yet in the next paragraph, they claim that four or five other locations had the same access.

The prosecution also calls attention to two 32GB flash drives that are apparently missing. They found packaging for these flash drives in his home, and claim that Childs was seen using the flash drives within the DTIS offices in the days prior to his arrest. To date, Childs has not produced these drives or offered any information as to their contents or whereabouts. The prosecution claims that Childs had FTP access to one or more servers and they believe that he downloaded data from the city's network onto those drives. If Childs had FTP access, then there are logs of his actions. If he filled up two 32GB flash drives with data from the city network via FTP, then those logs will be large and will show exactly what he downloaded. No mention of these logs appears in the filing.

The prosecution's repeated claims that Childs should remain in prison because the City's network has still not been secured are a double-edged sword. They state that if Childs is released, he poses a threat to the network because there may still be undiscovered remote-access devices present on it. By that same statement, the network is then an unsecured "crime scene." The city has published usernames and passwords that could be used or could have been used to gain access to the network, and only just recently took down a wide-open Web site containing even more sensitive information. They claim there are modems present on the network that would let "anyone" log in. If "anyone" can log in, then there's really no way they can prove that Childs was responsible for anything pertaining to the network device configuration or anything else on the network, aside from perhaps physical devices. If I know my Law and Order, the first thing you do with a crime scene is secure it to prevent outside tampering. This crime scene has never been secured.

Childs' actions prior to his arrest are very curious and certainly suspicious. It seems that he saw the writing on the wall and was preparing to end his tenure with DTIS in some way, but his motivation and plans are still unclear. I am certainly not a lawyer, and I cannot really comment on some aspects of the case, but the one thing I have noted since the beginning of this situation is that the technical basis for this case is extremely weak, and that problem is compounded with every filing by the City.

If Childs is guilty, then he should be tried and punished -- but the evidence convicting him had better be technically valid. From what I've seen so far, there's an awful lot of smoke, but no fire.


Copyright © 2008 IDG Communications, Inc.