The Washington Post has an excellent article today regarding the City of San Francisco/Terry Childs debacle. Its findings appear to confirm suspicions regarding both Mr. Childs' true intentions and the City's outright ineptitude.
First, the findings on Mr. Childs, straight from the Post:
Terry Childs, 43, was arrested July 13 at his suburban home, where police found $10,000 in cash, diagrams of the city-county computer network, a co-worker's access card, a loaded 9mm magazine and several loose .45-caliber rounds. Under the user name Maggot617, he hijacked the system and refused to turn over passwords for the network, which superiors belatedly discovered only he controlled.
Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains.
Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note.
Based on this last paragraph alone, Childs had as much business being a network engineer as a pedophile has running a day care center. What is truly amazing is that the City did not do a thorough background check on him prior to hiring him! This appalling lack of due diligence makes one wonder whether it was a miscue, or whether the City simply does not check the backgrounds of people it hires for positions of great trust.
It also pretty much invalidates the positive comments I have received on this blogsite regarding Mr. Childs' character. Character is best defined as what you do when no one is looking. Based on that criterion alone, Mr. Childs fails miserably.
While Childs needs to head for the stockade (apparently having his "I did it for the good of the City!" excuse shredded like so much waste paper), the people who decided Childs' criminal record was only germane to the California state line need a career change.
"It was like we had control of the house, but we were unsure of which rooms he had access to," said Ron Vinson, chief administrative officer for San Francisco city and county's Department of Technology. "We didn't know to what extent he had access or if there were potential vulnerabilities in the system."
Vinson said San Francisco will probably expand its employee background checks to cross state lines.
You think? Mr. Vinson clearly states the obvious. And if Mr. Vinson personally decided that IT background checks stopped at the California state line, he needs to go herd goats for a living.
As I mentioned before: hacking IT, be it from inside or outside, isn't funny anymore. It isn't cute, and it needs to carry the appropriate weight in prosecution and punishment. Let Mr. Childs' actions serve as a cautionary tale for anyone who seeks to prove his or her worth by taking control of sensitive systems. You have a beef, handle it some other way. Go to an elected official. Or do the honorable thing, report it and quit if no one listens. Mr. Childs used the username maggot617 -- an appropriate metaphor.
Now how many other cities, counties, school districts, states, NGOs, and the feds have failed to check the backgrounds of their database administrators, network engineers, developers, possibly even their own computer security people? How many other San Franciscos are lurking out there? Let's hear from you.
And how many of you do regularly scheduled background checks on employees you already have?