 |
 |  |
 |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by r81984 :How can they not find the router??? It is not that hard. The city itself is about 232 square miles. This router could be literally anywhere in or beneath it. They would probably have to trace back every single piece of network cable laid to try and find this thing.
»en.wikipedia.org/wiki/San_Franci···lifornia -- "At the moment of conception." | |
|
 |  |  |   balazone 60 billion Premium join:2002-04-01 Wheeling, WV
·Comcast Formerly ..
| Re: Bow Before Me The device will have a MAC address, do a manufacturer lookup on it and see what it is (assuming the MAC was not changed) you now have an idea what you are looking for. Also, that MAC address will be associated with a switch port, just trace it from there. | |
|
 |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by balazone :The device will have a MAC address, do a manufacturer lookup on it and see what it is (assuming the MAC was not changed) you now have an idea what you are looking for. Also, that MAC address will be associated with a switch port, just trace it from there. I would assume that the difficulty in finding the thing would probably mean that the perp did a pretty good job in hiding it.
I wonder how many IT operations track the MAC addresses used enterprise-wide. -- "At the moment of conception." | |
|
 |  |  |  |  |   Tzale Proud Libertarian Conservative Premium join:2004-01-06 Sweden
·Verizon FIOS
·Optimum Online
| Re: Bow Before Me said by pnh102 :said by balazone :The device will have a MAC address, do a manufacturer lookup on it and see what it is (assuming the MAC was not changed) you now have an idea what you are looking for. Also, that MAC address will be associated with a switch port, just trace it from there. I would assume that the difficulty in finding the thing would probably mean that the perp did a pretty good job in hiding it. I wonder how many IT operations track the MAC addresses used enterprise-wide. I know of companies with thousands of employees and dozens of offices who do it. -- Neoconservatives (G.W.B) are not true conservatives. A conservative believes in defending the Constitution. First they ignore you, then they laugh at you, then they fight you, then you win. - RON PAUL 2008 | |
|
 |  |  |  |  |  patcat88
join:2002-04-05 Jamaica, NY
| said by pnh102 :said by balazone :The device will have a MAC address, do a manufacturer lookup on it and see what it is (assuming the MAC was not changed) you now have an idea what you are looking for. Also, that MAC address will be associated with a switch port, just trace it from there. I would assume that the difficulty in finding the thing would probably mean that the perp did a pretty good job in hiding it. I wonder how many IT operations track the MAC addresses used enterprise-wide. Suspended ceiling, or hidden in a wall. Surely they can figure out which switch it's coming from if they know its MAC address by trial and error.
Now if they don't know its MAC address, and it can't be located by a port scan or they don't know how to make the device spit out traffic, oh man, oh man, they will never find it. | |
|
 |  |  |  |   hmeister
@bellsouth.net
| More to it?? There has to be more here than just a terminal server and where to find it. I am in agreement that it seems a bit steep for the amount of money but perhaps there are costs associated with checking every switchstack and router in their system to determine if there were any additional potential issues. Bottom line looks to be the usual hand holding a corp. or gov. is going to do just to make sure they crossed all the T's and dotted all the I's. Maybe they would have been better off to not terminate him?
H. | |
|
 |  |  |  |  jc100
join:2002-04-10
| Re: Bow Before Me Um.... if this guy was a net admin, my guess is he spoofed the MAC ID.... It's easy to clone or set a fake one. Makes it really hard to track back to a fake Mac ID. I guess you could cross reference EVERY router on the network with one listed via each mac.. That'll take you a while.
This guy was no dummy. He made mistakes, as he got caught, but certainly no dummy. If he was smart, he'd bargain his way to a reduced or light as hell sentence for disclosing what he knows. If they crack the pass and find the router, he loses the card that might get him out of jail and simply probation. | |
|
 |  |  |  mdurkin
join:1999-08-11 San Bruno, CA
| It's around ~46 sq miles of land according to your wikipedia link. And it can't be just anywhere in the city, the fiber network isn't laid on every square inch of land. You can also find it by combining looking at physical networking cables and logical information from the other routers and switches, like following routes and ARP table entries. It's silly to say they can't find it if they can talk to it over their own network. | |
|
 |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by mdurkin :It's silly to say they can't find it if they can talk to it over their own network. But again, this is exactly what is happening.
I am sure that this device can be found; it is only a matter of time. But I find it laughable that some of the armchair IT "experts" here claim to be able to find such a device in "minutes" when the boots on the ground can't seem to find it in days.
It almost sounds like a typical Hollywood plot cliche in which the "experts" don't really know anything, but the children that no one listens to actually do know something. -- "At the moment of conception." | |
|
 |  |  |  |
 |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by r81984 :The router cannot just be anywhere. Even if it was wireless you still could easily find it. Clearly this is not the case. -- "At the moment of conception." | |
|
 |  |  |  |  |   r81984 Fair and Balanced Premium join:2001-11-14 St John'S, NL | Re: Bow Before Me Clearly you have no idea what you are talking about and should not be commenting. -- »www.ryanoneill.us | |
|
 |  |  |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by r81984 :Clearly you have no idea what you are talking about and should not be commenting. I don't see you finding this router either.
Tell you what. Go to San Francisco and offer your services for whatever price you want. If you manage to find the router in, say, 24 hours, then you can brag that you are super Mr. IT Guy and I will cease commenting on this topic.
Until then, you're just a semi-anonymous nobody. -- "At the moment of conception." | |
|
 |  |  |  |  |  |  jc100
join:2002-04-10
| Clearly and sadly I would venture to say you're wrong and PNH is a bit right (amazing). Do you NOT realize this guy probably spoofed the MAC ID? Therefore, these consultants are going to be left cross referencing EVERY router on the network to their specific mac ids to find which match. Then, when they find one that doesn't they will then have to isolate its location. Much harder than say if it was using a registered MAC ID which would allow them to pin point its locale. | |
|
 |  |  |  |  |  |  |  |
 |  |  |  |  cmaenginsb Premium,MVM join:2001-03-19 Palmdale, CA
| said by r81984 :The router cannot just be anywhere. Even if it was wireless you still could easily find it. They can quickly see what port it is connected to by its mac address. Then they just have to trace the wire from that port. I used to work at a large university network. It would have taken less than 15 seconds up to a few minutes to find the port it was plugged into. Also they would not even have to physically go to the port, they could deactivate the switch's port virtually. So really it might only take about 20 seconds to deactivate the router. If they pay me $182,000, I will go do it for them right now. And if you didn't have the mac address or ip address? If the parts of network supported DHCP with no type of authentication so anyone can hook anything into it?
I also know SF IT is not the sharpest tools in the shed. | |
|
 |  |  |  |  |   r81984 Fair and Balanced Premium join:2001-11-14 St John'S, NL | Re: Bow Before Me Then how do they know it exists??? -- »www.ryanoneill.us | |
|
 |  |  |   StreetSpirit Premium join:2002-08-13 Roslyn, NY
·Optimum Online
·Verizon Online DSL
| said by pnh102 :said by r81984 :How can they not find the router??? It is not that hard. The city itself is about 232 square miles. This router could be literally anywhere in or beneath it. They would probably have to trace back every single piece of network cable laid to try and find this thing. » en.wikipedia.org/wiki/San_Franci···lifornia Now you're simply being disingenuous. Trace the device MAC address to the port and you have an approximate location of where the thing is. And as someone mentioned, assuming the MAC was not spoofed, you also have an idea of the manufacturer of the device. Now couple that with the statement that, "the city says they've already spent $182,000 to Cisco contractors" and someone isn't being honest. 200 grand to Cisco contractors and you're telling me they can't find a router on the network? Oh kay. | |
|
 |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by StreetSpirit :Trace the device MAC address to the port and you have an approximate location of where the thing is. And as someone mentioned, assuming the MAC was not spoofed, you also have an idea of the manufacturer of the device. And you think they didn't try this already? -- "At the moment of conception." | |
|
 |  |  |  |  |  |
 |  |  |  |  |  |   pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
| Re: Bow Before Me said by r81984 :They said they know the IP and can get to the login page. If it cannot be found on the network then why can they get to the login page? Do you think that the network can magically connect you to the device without knowing where it is? See this is your first problem.
The network "knows" where the device is.
The IT people for the City of San Francisco don't. -- "At the moment of conception." | |
|
 |  |  |  |  |  |  |  patcat88
join:2002-04-05 Jamaica, NY
| Re: Bow Before Me said by pnh102 :The IT people for the City of San Francisco don't. Time to fire incompetent staff. | |
|
 |  |  |  |  |  |  |  |   avd706 insert annoying animated gif here Premium join:2003-02-06 Union, NJ
| Re: Bow Before Me said by patcat88 :said by pnh102 :The IT people for the City of San Francisco don't. Time to fire incompetent staff. Look what happened the last time they tried that!!! | |
|
 |  |  |   funchords Hello Premium,MVM join:2001-03-11 Washington, DC | traceroute to the terminal server will reveal the router connected to that network segment. Then on each far-side segment of that last router, the arp -a command will reveal which one services that machine.
Cisco charged them $185K for that? | |
|
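The tracing steps several posters describe above (resolve the IP in an ARP table, find that MAC in each switch's MAC address table, follow uplinks until a non-uplink port is reached, then check the vendor prefix) are sketched here as an added example that is not any poster's code. The table dumps, switch names, uplink map and one-entry OUI table are constructed sample data, and `trace` is a hypothetical helper.

```python
import re

# Constructed sample data: documentation IPs, made-up switches and ports.
ARP_DUMP = """\
Internet  192.0.2.10   12  0011.2233.4455  ARPA  Vlan10
Internet  192.0.2.77    3  0200.5e10.0001  ARPA  Vlan10
"""
# Per-switch MAC address tables (vlan, mac, type, port). No dump exists for
# dist-1, standing in for an unreachable switch or an aged-out entry.
MAC_TABLES = {
    "core-1": "10  0011.2233.4455  DYNAMIC  Gi1/0/1\n"
              "10  0200.5e10.0001  DYNAMIC  Gi1/0/2\n",
    "dist-2": "10  0200.5e10.0001  DYNAMIC  Gi0/24\n",
    "edge-7": "10  0200.5e10.0001  DYNAMIC  Fa0/13\n",
}
# (switch, port) -> neighbouring switch, as cabling records would supply.
UPLINKS = {
    ("core-1", "Gi1/0/1"): "dist-1",
    ("core-1", "Gi1/0/2"): "dist-2",
    ("dist-2", "Gi0/24"): "edge-7",
}
OUI = {"001122": "Example Vendor (constructed)"}  # constructed vendor entry


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp(dump):
    """Map IP -> MAC from lines shaped like the constructed ARP dump."""
    table = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            table[fields[1]] = normalize_mac(fields[3])
    return table


def parse_mac_table(text):
    """Map MAC -> port from 'vlan mac type port' lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            table[normalize_mac(fields[1])] = fields[3]
    return table


def trace(ip, start="core-1"):
    """Follow a MAC from the start switch towards the port it hangs off."""
    mac = parse_arp(ARP_DUMP).get(ip)
    if mac is None:
        return None  # no ARP entry: nothing to trace from
    path, switch, seen = [], start, set()
    while switch is not None and switch not in seen:  # 'seen' stops loops
        seen.add(switch)
        port = parse_mac_table(MAC_TABLES.get(switch, "")).get(mac)
        if port is None:
            break  # trail goes cold at this switch
        path.append((switch, port))
        switch = UPLINKS.get((switch, port))
    # The device's own port is the last hop only if that port is not an uplink.
    edge = path[-1] if path and path[-1] not in UPLINKS else None
    return {"mac": mac, "path": path, "edge": edge,
            "vendor": OUI.get(mac[:6]),
            # Bit 0x02 of the first octet marks a locally administered MAC,
            # so the vendor prefix says nothing about the hardware.
            "locally_administered": bool(int(mac[:2], 16) & 0x02)}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77"):
        print(ip, trace(ip))
```

A switch learns whatever source MAC a device transmits, so a changed MAC still resolves to a port; what it defeats is the vendor lookup and any comparison against an inventory of known addresses.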
 |  |  |  |   idjk
@embarqhsd.net
| Re: Bow Before Me You find this 1 I use #2, who knows what this guy built- seems he was pissed and took some thought and time doing this all. I don't know IT -but should there be a system map in a file that shows all the equipment locations, if so maybe he deleted or encrypted it. | |
|
 |  |   NOCMan Verizon Fios User Premium join:2004-09-30 Flower Mound, TX
| all that to do
reboot
ctrl+break
confreg 0x2142
reboot
allow to boot
skip setup sequence
enable
copy start run
conf t
password blablalba
no shut the interfaces
confreg 0x2102
wr mem
reboot
There they have the sequence to fix all their routers. | |
|
 |  |  |  unixwolf
join:2007-05-04 Flower Mound, TX | Re: Bow Before Me That's what I would have done. | |
|
 |  |  |  tantivy
join:2007-03-17 Palo Alto, CA
·SONIC.NET
1 edit | said by NOCMan :all that to do reboot ctrl+break confreg 0x2142 reboot allow to boot skip setup sequence enable copy start run conf t password blablalba no shut the interfaces confreg 0x2102 wr mem reboot There they have the sequence to fix all their routers. Not if 'no service password-recovery' was set. If so, then the startup-config cannot be recovered, and the procedure above will reset the router/switch to factory defaults.
»www.cisco.com/en/US/docs/ios/12_···pwd.html | |
|
 |  fox7
join:2001-02-12 Culver City, CA
| said by kapil :For I Am Root Stephan Root!!!!! | |
|
 |   stromi
join:2000-06-11 Englishtown, NJ clubs:
| San Francisco obviously lacks IT talent, but more so, IT mgmt.
With a little Change Management, layered over a wee-bit of separation of duties, this situation could never have arisen.
I'm not taking a position on the Admin, not enough info, but I am positive management- from his supervisor up to the CIO should be fired.
There is no excuse for the lack of management. None. | |
|
 SilverSurfer
join:2007-08-19 | IT Malfeasance Then Vs. Now At least the admin's actions are tangible with proven monetary damages. Compare this to when Mitnick was taken down for the damages the feds dreamed up and attributed equally fable-like monetary damages. | |
|
 |   Camelot One Premium,MVM join:2001-11-21 Sarasota, FL clubs:
| Re: IT Malfeasance Then Vs. Now Proven damages? They are claiming a million, but $800,000 of that is just "Earmarked" for future issues. As an IT professional, I am all for punishing the jerk, but keep the numbers real so that the whole thing doesn't turn into a joke. -- Intel Q6600 @3400Mhz/GA-EP35-DS3P/2x 2048Mb G.Skill/Seagate 750.10/EVGA 8800GT's SLI/Silverstone 850W/Custom water cooler | |
|
  sousademiami
join:2003-02-04 Hialeah, FL | Me thinks... It's waterboarding time! -- OASAASLLS | |
|
 |  Pentaxian Premium join:2008-01-23 West Milford, NJ | Re: Me thinks... this guy is awesome.. | |
|
  jjoshua Premium join:2001-06-01 Scotch Plains, NJ 1 edit | $1M for cleanup or for change? The city is going to have to spend some money to institute proper policies and procedures. This $1M for cleanup is the result of not doing what they should have done to begin with. | |
|
 |  rbedard Premium join:2007-06-19 Scotts Valley, CA | Re: $1M for cleanup or for change? Exactly. | |
|
 |  |
 Joe12345678
join:2003-07-22 Des Plaines, IL
| He is a scapegoat and his law suit will cost the city more He is a scapegoat
»weblog.infoworld.com/venezia/arc···376.html
An insider claims that the power outage that Terry Childs was accused of using to sabotage the San Francisco network was not a planned outage.
If you've been following the Terry Childs case to any degree, you probably know that one of the key allegations keeping him in prison on $5 million bail is that he had willfully planned to cause the network to fail during a planned power outage at the DTIS One Market Plaza Datacenter on July 19th. According to credible information I've recently received, that power outage was only going to affect the cubes and offices in that building, but not the datacenter itself.
Thus, there never was a plan to power down the network core. Thus, there's no way that Childs could have tried to engineer the failure of the network during this planned power outage, since the network core would not have lost power.
The evidence supporting this claim comes from someone certainly in a position to know: Ramon Pabros, the DTIS Datacenter Supervisor himself. Pabros has been employed by San Francisco's DTIS for a surprising 41 years. He's been the Datacenter Supervisor since 1984. He's been running datacenters for the City of San Francisco since Ronald Reagan's first term, the introduction of the Macintosh, and the second season of The A-Team. It's probably safe to say that he knows what he's doing.
According to my source, he will testify to the fact that he discussed the power outage with Childs several weeks before the outage, and at least 10 days before Childs' arrest. He will also state that Childs specifically asked for confirmation that the datacenter itself would not be affected, and was reassured that it would not lose power.
With this statement, the City's allegations that Childs planned to cause the failure of the FiberWAN basically collapse.
Now, I'm admittedly a stranger to San Francisco politics, and am certainly not a lawyer, but if the DA was going to make these accusations against Childs, shouldn't they have talked to Pabros? If the OMP Datacenter was not going to lose power on that date, then this charge against Childs is essentially the same as charging someone with planning to burgle a store that doesn't exist.
But then again, this is the same DA's office that placed valid group usernames and passwords into the public record, and an IT department that ran public, unprotected websites containing internal emails, core network details, as well as usernames and passwords.
I suppose I really shouldn't be surprised at all.
UPDATE: It appears that Pabros has just announced he will be retiring, effective next Wednesday. I can't help but wonder if one event has anything to do with the other. I do know that there have been a number of odd layoffs from San Francisco's DTIS in the past two weeks.
Posted by Paul Venezia on September 8, 2008 08:48 AM | |
|
 |  SilverSurfer
join:2007-08-19
| Re: He is a scapegoat and his law suit will cost the city more said by Joe12345678 :He is a scapegoat [...] Regardless, the fact remains someone is going to go down for this incident, and, clearly, it won't be Pabros or anyone else your blogger thinks is responsible. | |
|
 |  |
 keyboard5684
join:2001-08-01 Youngsville, PA
·Teliax VOIP
·WestPAnet Inc.
·WestPAnet Inc. CA..
| Common, happened to me!
When I left my last job I was taken to court for not telling the manager (an idiot that was not an IT manager, he was secretary treasurer) how to run the network and servers. I left documentation, passwords, everything any IT tech could decipher but spent $10,000 in legal fees and have a damaged record (a temporary injunction that stays on your record I guess) because the guy was an idiot (I was the only IT guy in the company).
I quit because he was an asshole. Yelled at everyone, horrible, for 4 years I worked there until I had enough.
In the end it was found that it was not my job to keep the network and servers doing anything after I quit. They had to hire someone else to do that and if they were incompetent then so be it. They could not find Cisco consultants competent, Avaya, Unix, RF engineers, nobody that could handle it all. And I bite it.
Still cost me $10,000 and future jobs (I am still unemployed almost 9 months later). This comes back to judges not understanding what is going on and company executives not understanding what is going on.
I think my case is different than this guy but we really do not know the real story, we just know the juicy bits and pieces.
Anybody looking for a good sysadmin? | |
|
|
  swhitney2003 I can't drive 55. Premium join:2003-06-13 NH clubs:  | Hide and seek? Would anyone like to play a game? | |
|
 |  halfelite
join:2007-09-11
| Re: Hide and seek? For all they know someone moved the device from its present location to a different one that is not listed. Although the part about not being able to login because they don't know the username and passwords, sounds like they have enough information to block it from accessing anything on the network. | |
|
  tomkb Premium join:2000-11-15 Avon, OH clubs:
·RoadRunner Cable
| policies and procedures I'm willing to bet this boils down to a lack of documentation, policies, procedures. That's why they can't find this "router". How does knowing the username and password have anything to do with anything. Simply unplug it, oh but wait, you don't know where it is because it looks like all the rest. | |
|
 |
  Dogfather Premium join:2007-12-26 Laguna Hills, CA 1 edit | Couldn't have happened to a nicer town Since SF gov't leaders seem to not have respect for the rule of law, they're total hypocrites complaining about this rogue IT guy. | |
|
  ztmike Mark for moderation Premium join:2001-08-02 Michigan City, IN | Just wait. Just wait till someone gets enough balls/brain power to hack the power grid.. -- ZZPERFORMANCE | |
|
  nc1165
join:2001-04-10 Delray Beach, FL | eBay! Anybody want to buy a password? | |
|
  LinuxNerd
@swbell.net | This is... This is fucking hilarious!  | |
|
 |
 |  patcat88
join:2002-04-05 Jamaica, NY
| Re: There's a lot more to this story than meets the eye. said by KrK :There's always three sides to every story. We keep hearing the SF side in the media. Wonder if we'll get to hear his side, and then figure the truth is in the middle somewhere. This is the USSR, default gag order under threat of siberian death camp. | |
|
  moby866 Premium join:2000-10-07 Above you | I laugh Remember when IT was supposed to save money? | |
|
 d50man
join:2002-08-27 Hickory, NC | NO respect for his Boss If his boss doesn't have the skills or know how to get back into the network his boss should be canned too.
If it's not broken don't try to fix it. You might accidentally trigger the anti hacker booby traps left behind by the admin. | |
|
 playboy2000
join:2005-05-30 Calgary, AB
·TELUS
| not so easy The router could actually be anywhere and in a carrier grade network things are hard enough to find even with good record keeping (never mind a deliberate attempt to hide something). It could be connected over a dialup link or a T1 with a vpn into any number of legitimate network access points and proxies that are never connected long enough to get flagged. -- The views expressed herein are that of my own and not necessarily that of my employer or any associated entities. | |
|
  Unit649 I B U, Who U B? Premium join:2000-01-22 Stockton, CA
·Comcast
| I bet they have been robbed blind. If they can't tell where it is, or that it was there, I wonder a lot of things.
Like how much hardware has been carted out by people and they don't know about it. Computers and other stuff too. It sounds to me like they aren't tracking stuff very well, does it?
Man, I'm really confident about the security of anything that transits that network, aren't you? Wow. If I was an employee, I'd be checking my credit reports. | |
|
 ff2366
join:2008-02-08 Mason, OH
·Cincinnati Bell
| Fools We all know that network security is for naught if someone has access to a copper port and a lick of intelligence. This box is hid under a desk somewhere and the money being spent isn't in technology - but manpower to trace every port and confirm the validity of the device hanging off that port. I think companies would be shocked if they knew of the number of rogue devices hooked to their backbone - this fool simply got caught. | |
|
 |  patcat88
join:2002-04-05 Jamaica, NY | Re: Fools I place a 1U torrent server under my desk with 4TB of content  | |
|
 vasta
join:2003-04-07 Orlando, FL | t so this guy who gained access placed a router somewhere? if so, why not just beat the shit out of the guy till he gives up the location? surely they still do that these days? | |
|
 |
|
 |