Slashdot Mirror
Terry Childs Case Puts All Admins In Danger
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.
Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just a civil liabilities. That is what should have happened to Childs, no more no less.
he set the routers to return to default under power failure. Actually that was a really smart move, these are in city building, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...
The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.
They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him.. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.
The other possible outcome is that they'll say that he had permission to configure access, but when that privilege was renounced, that he should have removed remote access... in which case, I question how they would ever expect to let anyone go if they would have to go through such trouble each and every time?
The truth is that often enough, companies don't change passwords, or at least not all of them, when a Systems Administrator leaves. Even in very small shops, it is very difficult to keep track of all the places passwords might be hiding, where remote access might left enabled. For other employees, it isn't as tough, they might have access to one or two systems, but for an SA? You might never be able to lock them out completely, and simply rely on trust, morals, and the law. For instance, an SA might have set up a router just to test new IOS releases on, test, etc. Nobody else would have used it other than that SA, and nobody else would have known of it of it or thought of it. Such a router could be on the network for years without being noticed. Such issues will only become more apparent with "VM Sprawl", where you might have thousands of virtual machines. Without strict auditing, and even with it, you'll easily miss a stray virtual machine floating out there.
The point is, once you give someone access to your network and your systems, to the level that a CTO, Senior Systems Administrator, or Network Administrator might have access, you can't ever be certain of locking them out of your systems, and you shouldn't be able to punish them for not remembering to lock themselves out -- only because it is too easy to make such mistakes or to have such oversight.
Personally, whenever I've left a job, I've done my best to forget everything possible that was specific about their configuration. I'd rather not remember the IP addresses of their machines, their passwords, or anything else -- there is too much liability.
Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.
I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.
SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.
Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.
It's insanity to think that you could be committing a crime by doing your job.
-ted
While I agree that what's happening to him is likely unjust, I would like to point out something...
However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.
I have to call bullshit here. Ex post facto laws are explicitly unconstitutional but that doesn't prevent government from passing laws which have ex post facto effects. To anyone who claims that there isn't a distinction, I must say that you obviously are not a lawyer. A good example is CERCLA: The Comprehensive Environmental Response, Compensation, and Liability Act. If you dumped hazardous waste somewhere 50 years ago, hazardous waste which at the time was legal to dump where you dumped it, when you dumped it, you are NOT protected from legal action by the government. You WILL be held financially responsible for getting that mess cleaned up. Now in the case of CERCLA, I'd say that while it's harsh, it's necessary & justifiable. (Probably not so much so with the prosecution's case against Terry Childs).
Except from TFA -
I have servers that I set up 10 years ago for small businesses and I'm probably the only one with the passwords assuming they are still running (486 and Pentium II machines running either Netware 3.something or some dos app). I get calls every once in a while from companies I haven't done business with in over 5 years asking me if I could remember the pass words to the servers.
I generally type everything out and put it in a sealed envelope within a binder with all the server specs, applications, network diagrams and so on. The problem is that someone has either decided they didn't need it and tossed it or whoever replaced me did something with it and it can't be found anymore. Most of the times, someone changed them and they aren't the same anymore. I think one situation occurred where a company raided an office because a manager was embezzling and the cops never returned the binder. Management leaves or whatever. Sometimes they need it only for data recovery or some sort of migration to a newer system and sometimes they are still using the crap but need to change something.
Filing the "keys to the kingdom" with the management doesn't always work well so check that they are still there and still current every once in a while.
If a salesman is fired, is he breaking the law if he refuses to work for free advising his old company about their customers (Who else do they buy from, What are their priorities, etc)? If a engineer leaves, does he have to produce detailed schematics for anything the company owns?
If the admin followed the rules he was employed under (assuming the company has a password policy) then I can't see why a password should be treated better than the job related knowledge required in most careers.
Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.
Why should I be under any obligation to do something for an organisation that is no longer my employer to prevent harm from coming to them? Sure, if it's my job I have to do what they ask me to, and if my negligence causes them harm then I could be in trouble. But if I'm no longer under contract, why should I do anything? Why, in fact, can I not say, "Oh, those passwords? Well, when I left my job with you they were no longer useful to me so I destroyed my copies of them, as security best practices dictate I should do with any confidential information I no longer require?"