Slashdot Mirror

← Back to Stories (view on slashdot.org)

Terry Childs Case Puts All Admins In Danger

Posted by kdawson on from the if-they-want-to-get-you dept.

snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"

4 of 498 comments (clear)

  1. Re:This seems hard to swallow by pavon · · Score: 5, Interesting

    He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.

    Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just a civil liabilities. That is what should have happened to Childs, no more no less.

  2. Re:This seems hard to swallow by mabhatter654 · · Score: 5, Interesting

    he set the routers to return to default under power failure. Actually that was a really smart move, these are in city building, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...

    The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.

    They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him.. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.

  3. IT laws are in conflict with each other by zerofoo · · Score: 5, Interesting

    I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.

    SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.

    Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.

    It's insanity to think that you could be committing a crime by doing your job.

    -ted

  4. Re:Too bad "being an asshole" is not a crime by Anonymous Coward · · Score: 5, Interesting

    Except from TFA -

    In this statement, the defense asserts that those present during the questioning were simply not qualified to hear the passwords. This impromptu meeting took place at the police station in the Hall of Justice, not in the DTIS offices, and Childs was brought there while in the building doing work on the FiberWAN. Those present included various members of the San Francisco Police Department, representatives from HR, and an unknown group of people on the other end of a speakerphone.

    If this is true, then his refusal to divulge the passwords becomes a lot less problematic from an ethics and security standpoint. You don't give up the master keys to a seemingly random group of people, including those that don't work in the department and some unknown others on the phone.

    To think of this another way, you might not have a problem giving up your Social Security number and debit card PIN number to a bank employee while you're in their office conducting business, but if there were a half-dozen other people in the office too, listening to the conversation, you would certainly think differently.

    Up until now, I'd been under the impression that Childs' refusal to divulge the passwords occurred during a private discussion or meeting with his boss -- not in a situation like this.