Terry Childs Case Puts All Admins In Danger
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
On second thought, I'd be in for a long stint.
Never mind.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Thankfully I'm stealing my neighbor's wifi, so I don't have to worry about being caught with a modem.
There's no -1 for "I don't get it."
'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
It still beats having to wear a suit to work.
First, this story sounds very one-sided and has quite a bit of sensationalism. Ok, a lot. I'm sure they can charge him with something to the effect of unauthorized access to a government computer system. Nobody's going to be pointing out modems as tools of a crime. That's like saying having a car means you're a bankrobber because bankrobbers use getaway cars.
If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did, (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead. (either as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like)
As usual, the legal system that makes me sick to my stomach some days.
I work for the Department of Redundancy Department.
This is a classic
Karma: Non-Heinous
For some outspoken person in the courtroom to just ask the judge and prosecutors if they even have rudimentary knowledge of network administration and the tools common for such a profession.
So will I now be eligible for lawsuit since I have multiple means of accessing my businesses networks?
I haven't seen pinstripes on a prisoner since the Three Stooges.
What?
Of course they wouldn't do that.
They'd use that fact as leverage to extract whatever they want from you first.
Wow...7 months and the charge is dropped? That smacks of injustice, but IANAL.
I don't know what Venezia's background is...It would be interesting to hear from NewYorkCountryLawyer on this and the RAMBUS decision.
So not only did he withhold passwords.
And have modems attached to computers.
But it's going to take 250,000$ to fix.
Can the defense claim insanity on behalf of the prosecution, 'cause I think we've just hit bat country!
Section 502(c) states in part
OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.
And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?
I can't believe this megalomaniacal prima donna is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network *that does not belong to him* for ransom.
The world's burning. Moped Jesus spotted on I50. Details at 11.
FTFA:
no, it didn't. The manager hired contractors to try to prove Childs was causing "harm". They couldn't crack the password, and when they unplugged the routers the settings were wiped and needed to be uploaded. They didn't have those either. The manager CHOSE to break 2-3 offices and make the problem worse. That wouldn't hold up on Judge Judy, let alone actual court.
While I haven't been in this specific situation (i.e. jail), I have been in a similar situation.
At a previous employer (this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them; I could give him any specific access he needed on demand.
When I was hired I was given a number of NDAs to sign; one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor (with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.
In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.
Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)
Free Terry Childs!
Me lost me cookie at the disco.
First, I'll remind everyone that the code 502 in question is only applicable in California.
The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."
What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.
where the most pedestrian news is given the most ridiculous fear-driven spin, made front page in breathless write up, and a bunch of yammering legal ignorants will ape right along
and then these same people will ridicule stereotypes outside their domain who supposedly fall for propaganda and hysteria all the time
take a look in the mirror friend
no, slashdot, this case does not set the precedent you believe it does
CONTEXT. it's a magical concept. consider it some time
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I posted this in response to the Groklaw Summarizes the Lori Drew Verdict article, but it's 100% valid here as well:
Look, the fact is, if The Man wants to get you, The Man will get you. It doesn't matter what the laws are, exactly - they'll find something to hit you with.
That was true before the Lori Drew trial (Terry Childs charges), and it's true now. The precedents set by this case in no way make being on the internet (owning a modem) one bit more "risky". If you don't do anything to bring down the wrath of The Man, you'll be fine. And if you do, you're screwed, online or off.
The city also runs the jail system, so that speeds that part up; outside of a city things likely do not go that fast.
Is it common for router startup configs to be left blank like that?
Then you will never truly achieve 'BOFH' status, Grasshopper.
Open your mind, and the lusers files! It can be beau coup fun!
Transcend your permissions, and make backups of your PHB's pR0n folder-blackmail can be sooo fun!
Become One with the database, there is more exploitable info there than you have time to exploit!
Achieve One-ness with the Network, and your C*O's password-the benefits can be multi-million$'s if played right
Go forth in the world, and achieve greatness! Be Bold!, Be Brutal!, Be Unforgiving(log everything), and Exploit it!....It is the American(USA) Way[tm].
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
It seems to me that he has no legal standing. IANAL, but if his supervisor tells him to give them the passwords, it is not his place to decide who it is 'safe' to give them to and who is not safe. That is his employer's decision.
His colored past aside, he could be a very upstanding citizen and he would still be completely in the wrong for not releasing the information that his employer tells him to. He gained that information in the employ of the city and that information is the city's property.
In my opinion, he has some sort of conflict with his employer and he's using the passwords to leverage grief against them, not trying to protect the fiber network.
That said, the charges about the modems seem a bit far-fetched as it sounds like they were there for perfectly legitimate reasons. Hopefully he has documentation to back his claims up that they were job related. I don't think they'll be too forgiving given his past record.
I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.
SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.
Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.
It's insanity to think that you could be committing a crime by doing your job.
-ted
Count 1: disrupting or denying computer services is moot
Joey: It's a moo point ... like a cow's opinion, doesn't matter ... it's moo.
Rachel: You mean a moot point ?
Joey: No...no, a moo point
Just because you are the administrator of something, doesn't mean you can do whatever you like with it, or that you have full decision making powers over it. Your employer, contractor, whatever ultimately gets to decide how things work. For example you might feel that SSH is the best way to access servers remotely. However your company might not like that, they want to monitor the traffic, so they insist on telnet over VPN only. You can argue with them, but if they ultimately say "This is the way it's going to be," you don't have the right to just go behind their backs.
You can look at it somewhat similarly to a bank's relationship to your money. When you deposit your money at the bank, you make them the custodian of it, the administrator of your account. However, you aren't giving it over to them to keep, it's still your money. They can do with it only what you allow. They couldn't for example, take your money out of an FDIC insured savings account and stick it in to an uninsured investment account. Even if they made you money doing so, it still wouldn't be ok if you didn't tell them that was what you wanted. They administer your accounts yes, but in the way you specify.
I'm not defending the city here, but just because he was the network administrator didn't give him the right to add access as he saw fit. Many companies (and government entities) have very strict rules on how access can be had to systems. The rules are often stupid, and often somewhat counterproductive, but it is their right to have those rules. You don't get to decide that you don't like them.
So if there was a "no modems" policy, or if the policy said "Any new access has to be approved by the board of whatever," then he wasn't doing what he was supposed to. Doesn't matter if they were to make his job easier, you don't get to skate policy just because of that.
So what if Childs is an asshole, it's his right as an American to be one.
Boo-hoo if the SF IT dept risk management plan couldn't handle a rogue employee refusing to give up the password.
It's a pretty dangerous precedent if people can be legally forced to disclose information against their will.
Isn't that what the 5th amendment was for?
Prosecutor: ...Yes
Does your mother have AIDS? YOU MUST ANSWER
Witness:
Prosecutor:
BURN HER AT THE STAKE!!!!
Yay McCarthyism
Sounds kind of like the "possession of criminal tools" charges so many cases have added on, when said "tools" are ANYTHING used to commit the crime. Always seemed to me just a way for prosecutors to add an extra set of random charges for extending a sentence, or extra bargaining room for a plea.
--- It's not my fault this post looks redundant. I just type too slow.
No. Wrong. Incorrect.
He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.
HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.
Sigh.
doctorcisco
We need a united labor union for IT. Somebody needs to start it. This union should provide legal assistance to its members, in return for its dues. Only then will the serious, prolonged abuse of IT staff everywhere be stopped.
New Economic Perspectives
He has a right to speedy trial (as per the Constitution). This is a right that defendants can and do exercise sometimes. Basically your attorney tells the court that you want to exercise your right to speedy trial and the judge tells the prosecution "Ok, get your shit ready, this moves forward soon." In California, the speedy trial statute is 60 days. Judges can set a shorter date, if there's good reason to do so, ie prosecution isn't gathering new evidence, just stonewalling. So, if his attorney pushed that, he'd have already gone to trial. However, it is also often not done. The defense often wants time to prepare a case, in particular if the prosecution has a good case and the defense needs time to poke holes in it. After all, you don't want to push for speedy trial if it means you won't be ready and you are just going to lose.
So the reason this hasn't gone to trial is almost certainly the decisions of his lawyer. Had the government really had zero case, a speedy trial motion would have been filed and granted and they'd have already lost. You don't see this very often because those cases are usually dropped. A DA would much rather drop a weak case they are going to lose than go to trial and lose it.
Look, the fact is, if The Man wants to get you, The Man will get you. It doesn't matter what the laws are, exactly - they'll find something to hit you with.
Admins could always get some insurance, unionize or something similar. The whole 9 yards, set policy, set code of ethics, when to have a nationwide walkout, etc...
(Yeah, I know that won't happen anytime soon, heck, the whole thing will most likely fall apart with a Linux/Mac/Windows fight in about 15 mins, but it's a nice idea)
wish I had mod points but I wholeheartedly agree with this statement.
After skimming TFA and googling for more information on this, all I see is that Childs appears to have abused his technological powers as a network administrator.
No network administrator is going to be at risk for anything as long as they play nice and don't pull crap like bringing a city's network activity to a screeching halt just because they're pissed off or whatever.
Sure, you can be as paranoid as you want about security, but there is no reason why an entire city's network activity should be cut off, nor should there ever be any reason to refuse to restore it. Well, okay, in recent years in the US, maybe there could be reason, but this is not the case with what Childs did.
The only problem I have that prevents me from being completely against Childs right now is that I don't know what "Section 502" is that charges 2-4 mention, so I don't know if he was actually in violation of that at all.
Unrelatedly, I'm new here and I have a question: How long before I make a habit of noticing fantastic-looking headlines and immediately checking for a kdawson story?
Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
That was a lousy troll there, AC. Next time try a little bit harder on the troll and less on the Obama-bashing. Since you couldn't Bush-bash anymore, you tried an Obama-bash which only makes you look racist.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Knowingly and without permission
provides or assists in providing
a means of accessing a computer, computer system, or computer network
in violation of this section.
The section lists the rules, but he has to knowingly provide access. In other words, he has to do it intentionally.
More importantly, the rules are No Hacking data, phreaking, DOS, release virus, general black hattery... Or providing the tools to do it. No one would say a modem is a hacking tool would they? More so than a gigabit network?
http://law.onecle.com/california/penal/502.html
employment contracts are legal slavery, network use contracts doubly so.
You can get fired for just doing your job, it has happened to me two times. If you don't give them your passwords, they will use spyware to capture your keystrokes and steal your password and spy on your computer usage as well.
Even when you use the Internet for research and development on programming web sites that are "fair use" they are used against you as surfing during work hours even if your manager told you to visit those web sites to learn new skills and find new technology to improve the programs you are responsible for. Meanwhile managers surf MSN, stock quotes, eBay, and so do coworkers and it is never counted against them.
When a manager is vague on what they want, and don't hand over meeting notes or descriptions of what they want the program to do, it is a "communication issue" with the programmer, not the manager, and the programmer is being a bad employee again.
The programmer does his best to make the program do what the managers want, even without the information needed. But it is not good enough, and sent back for a rewrite with a vague description to make it less like Outlook but more like a four windowed item list sorted by ID. When you ask which ID, they refuse to tell you if it is an employee ID, a matter ID, a client ID, a workgroup ID. Then you ask what you want in the data columns and rows, which they don't understand what a row and column are or what data means. So you say pieces of information on the up and down positions, and then they get mad at you for dumbing it down for them. The programmer is annoying the manager and project leader (who all have no programming or technical experience) and talking down to them. Another communication issue.
Since they know my passwords, they checked into the server to check my source code, and then scribbled all over it with gibberish and checked it back in. Forcing me to revert the changes and it looks like I was the one who did the wrecking of code because the managers used my password for various things that they got via spyware on my system.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
It's a computerized terror phone.
And this article? It's the libertarian wet-dream of someone who never went to law school. It's not like having ONE MORE silly interpretation of the law is going to make it any easier for the cops to arrest you. Not when a cop already has a thousand possibilities for that already.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
I'm as strong of an Obama supporter as they come, but nothing in that comment was directed at Obama, nor was it racist. "The man" can mean corporations as well as the government.
Actually, he may be an 'asshole' with more integrity than you understand. One strict interpretation of Sarbanes Oxley elements (albeit probably not intended) does prohibit such a disclosure in the context of systems affecting revenue (and networks he administrated did fall in that category), and would place the city in non-compliance. The reality is that the SOX rules that were supposed to govern shared accounts have really created some seriously misguided ambiguity. Unfortunately, what seems logical and intuitively right also seems to be directly at odds with compliance law. It's a cluster fsck with some inodes over-subscribed by politicians who can't count or add. To make matters worse you can have NDA crap that is pathetically written that imposes post employment disclosure prohibition that further complicates the issue. Without reading his NDAs I don't know exactly what he was facing but in over 20 years of consulting I have seen some real idiocy on paper mandated by lawyers, and in fact I have walked away from gigs where the paperwork was so contradictory at inception that it was impossible to comply with one doc without violating another. I backed out and walked away, no harm no foul. In short, I would say that the manager tried a heavy hand when proper direct pressure was more appropriate. A demand to seal and vault global enterprise credentials (root/enable/etc) could have been complied with, and a subsequent de-vault for documented appropriate cause would have complied with SOX where a demand for direct unauditable disclosure violates several SOX auditing factors.
Tony: Hi Mike, how ya doin'? How was Joliet?
Mike: Oh, it was bad. Thursday night they'd serve a wicked pepper steak.
Tony: Can't be as bad as the cabbage roll at the Terra-Phelavo penn.
Steve: Or that oatmeal at the Cook County slammer.
Tony: Well, they're all pretty bad.
The Terry Childs case reminds me of 24. A corrupt government analyst exerts pressure on a techie to give up a password, which is promptly used for illegal activity. Then the innocent techie gets fucked and Jack Bauered. Yeah. Give the password to any boss figure who asks. That cannot go wrong.
A NYC lawyer blogs. http://www.chuangblog.com/
I expect he will be able to find more than one Cisco certified security professional who will point out that devices with limited or no physical security can and should be configured with "no service password-recovery". Proper administrative policies would have had version control archiving router and switch configurations, thereby completely alleviating the impact of disabling break key recognition.
I don't call it secure until at the very least, I can't break in without extraordinary measures.
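The archiving policy the comment above describes, sketched as an added example that is not part of the original thread or any poster's code: it compares each device's running config against its last archived copy and flags devices that have `no service password-recovery` set without a current archive. Device names, addresses (documentation ranges), sample configs and the status labels are constructed for illustration.

```python
import hashlib

# Lines that change between pulls without any real config change
# ("!" comments such as the last-change timestamp, show-run headers).
VOLATILE_PREFIXES = ("!", "Building configuration", "Current configuration",
                     "ntp clock-period")


def normalize(config_text):
    """Return the config lines that matter when comparing two copies."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()  # keep leading indent: it marks sub-commands
        if not line.strip() or line.lstrip().startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text):
    """SHA-256 over the normalized config, used to detect drift."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def recovery_disabled(config_text):
    """True if the config carries 'no service password-recovery'."""
    return any(l.strip() == "no service password-recovery"
               for l in normalize(config_text))


def audit(running, archive):
    """Map each device to a status label (labels are this example's own).

    *_LOCKED means password recovery is disabled, so a missing or stale
    archive is the only copy problem that cannot be worked around on site.
    """
    report = {}
    for device, cfg in sorted(running.items()):
        locked = recovery_disabled(cfg)
        archived = archive.get(device)
        if archived is None:
            status = "NO_ARCHIVE_LOCKED" if locked else "NO_ARCHIVE"
        elif fingerprint(archived) != fingerprint(cfg):
            status = "DRIFT_LOCKED" if locked else "DRIFT"
        else:
            status = "OK"
        report[device] = status
    return report


# Constructed sample data: configs as pulled from four devices.
RUNNING = {
    "core-rtr-01": """Building configuration...
Current configuration : 212 bytes
! Last configuration change at 10:02:11 UTC
hostname core-rtr-01
no service password-recovery
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
end
""",
    "core-rtr-02": """hostname core-rtr-02
no service password-recovery
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
end
""",
    "dist-sw-01": """hostname dist-sw-01
no service password-recovery
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
end
""",
    "lab-rtr-01": """hostname lab-rtr-01
end
""",
}

# Constructed sample data: last copy committed to the config archive.
ARCHIVE = {
    "core-rtr-01": """! Last configuration change at 09:00:00 UTC
hostname core-rtr-01
no service password-recovery
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
end
""",
    "dist-sw-01": """hostname dist-sw-01
no service password-recovery
interface Vlan10
 ip address 198.51.100.254 255.255.255.0
end
""",
}

if __name__ == "__main__":
    for device, status in audit(RUNNING, ARCHIVE).items():
        print(f"{device:12} {status}")
```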
Have such a direct effect on the laws across the world?
I very much doubt that him being convicted would have any effect on me being charged with the same thing here in Australia.
Someone needs to tell those yanks that U.S. != World :-P
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
The civil judge can - and will - demand the keys. He will find you in contempt. He will put you in jail. For no set term. He just might be able to set the per diem for your stay in the Roach Motel.
If modems are made illegal, could ssh be made so, too? Basically this is a case where a person who has discretionary authority to act in a responsible manner to complete his job duties, granted to him by his position, being charged with not relinquishing that authority when he was terminated on grounds that had nothing to do with the performance -or lack thereof- of his job. He should have been relieved -or re-assigned- when he engaged in the sexual harassment of a female employee. If that had happened, we wouldn't be talking about the failure of both the prosecutor or the court to understand complex technical issues for which they have no understanding.
Sig this!
Note the differences in how we dealt with Iraq and North Korea.
It's a simple fact on the ground.
Reconciling that with nuclear non-proliferation is a difficult proposition requiring Kissingeresque levels of weaseling and hair splitting.
Iran appears unconvinced. India and Pakistan remember hearing threats but things appear to be working out otherwise.
Libya on the other hand was apparently impressed enough by America's irritation after 9/11 to publicly give up all chemical and nuclear weapons programs and invite the UN in.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
In UK/NZ/Australia - poaching laws go way back.
Fisheries and Games inspectors have a lot of power - including search: you appear to be fishing so we will check your catch.
If what you have done is illegal and goes before a magistrate they can take your fishing gear - including rods, tackle, boat & car (if you were using them when fishing).
And any bank robber dumb enough to use their own car on a job would probably find it first impounded as evidence and 2nd seized and sold when they were convicted.
The Singularity is closer than you think
Quant
Amazing.. it appears you didn't even look at the post you replied to.
"By withholding information about the configuration, he stole from his employer on the way out."
I don't know about this Terry Child fellow or anything to do with what he's alleged to have done. But that is one bat-shit insane sentence.
Are you saying that an individual cannot just quit his or her job and walk out the door? And if they do should rot in jail and be stripped of all possessions? On the basis of a private company's say-so? WTF?? Who the fuck modded this bullshit up??
They fired him, he walked...but he's forever beholden to them and every employer he's ever worked for because he holds some knowledge about their network?
What a fucked up world you live in, sorry but you're a little fascist, any individual, from the CEO to the Janitor has every right to leave a position and never look back, if the world implemented your policy we'd all be too terrified to work for anyone! Some HR schmuck wants to fuck with you after you leave, HE DIDNT TELL US SOMETHING WE NEED PUT HIM IN JAIL AND STRIP HIM OF HIS POSSESSIONS! Jafiwam demands it!
You the only IT person for a small company and want to quit? TOO BAD! Don't dare walk out the door, if you do according to Jafiwam the little fascist you deserve to rot in jail and have all your possessions stripped away from you. Oops didn't document what that script does, STEALING! JAIL FOR YOU. Didn't tell them about that Cronjob before you left? STEALING! Didn't document that object properly, didn't let them know about that revision, didn't pass on that message? STEALING, STEALING, STEALING!
Didn't write a 2000 page manifesto brain dumping every tiny little bit of trivia and knowledge that you have about their business, STEALING!
The idiocy is truly unbelievable around here sometimes.
Get them approved in writing by senior management. If you don't, it really does look suspicious.
Would you mean, perhaps, administrative policies that from all of this, it would appear to have been Childs' job to implement? Not entirely sure why he wouldn't have also locked that down and denied people access to it the same way as he did in general, but alrighty then.
And they seem very sympathetic to Childs. I'm not, and I'm not.
The servers, any batch files, init configuration, passwords, were all property of the city, either physically or as work done for hire. I don't see any problem with Childs being penalized for his (seemingly quite arrogant) withholding of that information. It doesn't matter if his employer would promptly crash the system permanently with that info; it's theirs, not his. His boss says to hand over the passwords, he needs to hand over the passwords.
If I hired a guy to work on my machine, and he locked something important down with a password and then wouldn't tell me, damn right he's getting sued.
That said, Childs shouldn't be getting serious, long-term jailtime. I would think it should just be contempt of court: Sit in jail until you are willing to talk. He wasn't "hacking".
Like the Tron guy (you know the guy who made his own budget tron suit). http://www.tronguy.net/images/headshot.jpg I think I would be cool with Terry if he wasn't such a putz or a-hole and he had a tron suit on or something nutty when they brought him to jail. Overall, he gives people the sysadmin stereotype they all want - hostile, paranoid and a jerk, so it got a lot of play in the media. It is frustrating because many of us fight this stereotype constantly and make huge gains only to have a Terry Childs attitude reinforce the negative stereotype of a sysadmin who does not have a sense of who and what he is working for. Yet, even with all of that, I think if he could get in a Tron suit of some sort, I would give him another shot and it could twist the stereotype into a crazy geek rather than an asshole geek.
Wow - stated quite well. Mod up on this please.
So the system is set up with a huge, fixable flaw. So, fix it. But no, they'd rather lynch someone. Why aren't they also suing Cisco for having put such a nasty flawed feature in their products?
No, the system was set up as intended using a well-known, well-understood security feature. It will not "brick" the hardware. Please feel free to re-read the post you replied to and, for further insight, do some basic Googling. It is a lack of understanding that is the cornerstone of this whole fiasco.
Terry Childs held something at ransom or rendered useless that didn't belong to him.
What was the ransom he demanded? How was a network with zero downtime rendered useless?
The code, hardware, and configuration all belong to his employer. By withholding information about the configuration, he stole from his employer on the way out.
They had the configuration. They could pull out the flash card with the configuration on it and put it in a new router and it would work great. Of course, without the passwords, they couldn't log in to see it, change it, or any of that, but that didn't prevent it from being 100% operational, as well as being something that could be backed up, replaced, and all that without problem.
He fucked himself and he deserves what he is getting.
He was fired, then after being fired, was asked to fulfill an obligation to an organization he no longer had an obligation to. He may not have been professional. He may have been an ass. But he did nothing illegal, let alone criminal. If they threw people in jail just for being asses, I'd nominate you to be at the front of the line.
Learn to love Alaska
Seriously... why?
Oh but when a REAL crim of the century Madoff steals billions, 1000s of lawyers say NOTHING and let him live a life of luxury, yet steal a coke from a 711 and bang to jail, which yields the lawyers MORE FEES through representation.
Why not throw every senator and politician in jail then for withholding contractual secrets and state secrets from the public which PAYS their salary?
Jails aren't for knee jerk 'I'm here to piss you off' punishment because I have more power.
It's to protect the public mainly from more harm.
Liberty freedom are no1, not dicks in suits.
So if my laptop gets lost or broken, I cannot go to my insurance company and ask for $250,000. It's a crime.
Why is that not a crime for lawyers/prosecutors?
It IS a real CRIME! in REAL people's eyes.
Liberty freedom are no1, not dicks in suits.
Unlike Zimbabwe, LA cannot print $$$; they can, though, offer IOUs as tax returns, where in retaliation, companies/people can pay their due taxes with those IOUs.
By the time he gets out he won't get any money out of the state, but I hope he can sue individuals for money, just like OJ was.
Liberty freedom are no1, not dicks in suits.
Oh dear me. Childs was in a position of responsibility. That means he had a duty to act responsibly, even when asked not to. If my manager asked me for my password, and I turned it over to her, *I* will have broken the rules and *I* will be in trouble. Given that I can do an awful lot of damage with *my* password, there are good reasons for this.
[FUCK BETA]
"then just about every network administrator in the world could be charged with the same "crime" "
Somebody want to tell Mr. Venezia that US law doesn't cover the whole world? Maybe he should get a passport and travel a bit, or at least read wikipedia and discover there are other countries out there beyond the US borders that have their own jurisdictions.
Heck even Bush occasionally admitted the USA couldn't just invade everywhere.
One strict interpretation of Sarbanes Oxley elements...and would place the city in non-compliance
If you knew what you were talking about, you would know that the Sarbanes-Oxley Act only applies to U.S. public companies and their accounting firms.
Slashdot - The great and glorious cluster fuck of Internet wisdom.
No, seriously, in Soviet Russia, most people in the gulags had been convicted on charges of doing black market.
Thing is, everybody was doing black market.
Terry Childs did not render anything useless. By withholding the passwords he rendered morons who didn't know shit about shit useless and they threw a tantrum.
The problem he has now, is the same problem that any admin with the level morons that he had to deal with has.
He will not be able to convince any jury of his innocence as only other admins are his peers. And the jury won't be other admins.
His employers hired consultants who didn't know what to do (save writing invoices) and therefore broke what they didn't understand.
If said consultants were worth their salt so to say, they would have talked to Childs about his network structure and how things were configured. With this knowledge they could have determined what would happen when they did what they did.
Not only should compensation be paid to Childs, but the people who accused him should be thrown into prison.
It's about the responsibility given to you when you were hired to do the job.. It would be the same thing if you had keys to the building, company credit cards and cell phone.. If you quit, you would give them all back.. If fired you would be asked for them.. If you quit with the keys to the building, never to return, there would be a cost involved in changing the locks.. If you used your keys to enter the building after quitting there would be criminal charges involved..
Being fired is not fun.. but relinquishing the responsibility you had is part of being professional.. and giving up that responsibility does not ONLY mean your absence as an employee. Whoever was to take over the responsibilities he had should have been given the passwords, the minute he was told that he would not be working there anymore, just as if he were giving up his key to the building... It's kind of like making a clean break with a girlfriend.. make sure she has ALL her stuff, so you don't have to deal with it anymore.
waiting for ad.doubleclick.net
Or he was performing his job of maintaining system security by refusing to give up the system root passwords to an unknown number of people listening in on a speakerphone. That's not holding anything for ransom, it's being responsible. He gave the passwords up directly to the mayor - IE no middlemen.
Double check the storyline - he brought this up months before the shit hit the fan & was shot down with "their's no one we can spare to learn this shit - take care of it". He was fucking told to be God. Now their whining because he didn't magically make the documentation appear with no help and no time. The story specifically indicates that people assigned to work with him were routinely yanked away to cover other shitstorms.
Bluntly, his manager tried to fire him & when it failed he sandbagged him with an unreasonable request and has escalated that into criminal proceedings. Yes, in secure environments, verbal requests for passwords are unreasonable. Note that the charges related to not handing over the passwords aren't included in the formal charges being brought against him. That's a fairly good indicator that the DA understands that this is a cluster fuck of egos. The supervisor's ego was bruised when his firing got overturned & he's gone way outside the box to get back at Childs.
Was Childs following best practices? I would say no since there wasn't a sealed list of the passwords in a vault somewhere. On the other hand, the rest of the city wasn't exactly following best practices either.
Since when have geographical boundaries *ever* been an obstacle to the US enforcing its laws wherever it pleases?
The society for a thought-free internet welcomes you.
What if your job responsibilities include developing security policy and protocols?
What happens if management wants you to violate those and provide open access to untrustworthy or unqualified people?
Would they have you arrested for following the policy and protocols they agreed to?
I can't help but wonder what impact this could have for all honest and qualified administrators.
They're using their grammar skills there.
And gray.
The Missouri DOC uses "state grays", which are a medium gray color.
Much easier on the eyes than day-glo orange.
This all boils down to does the admin have the role of saving the institution from itself or not.
If the admin has this role, it's tyranny of the one. (The asshole admin syndrome.)
If the admin does not have this role, it's stupidity of the top.
Even AS an admin, I would rather let the collection of top managers (who could be educated, or could get other resources) rule over the mid-to-low level asshole that thinks he's protecting something other than his own pride by withholding or not doing shit.
There were lots and lots of ways to provide passwords after being asked in the conference call that would have been secure. Simply saying "hold on, let me email them to you" to the top guy there (and then doing it) would have mitigated any real responsibility. Childs chose to not just do what they wanted in a more secured CYA way, he chose not to do it at all. That crossed the line into hubris, not responsibility.
So screw him. Let him rot. He COULD have just said "here they are, oh, by the way, I quit. When your shit is screwed up because you damaged it, let me know and I will work on contract basis for $1k per hour" and then walked with his reputation to find another job. Instead, he chose to fight a stupid battle and now he'll be unhirable a lot of places. Have fun pumping gas moron.
The thing that is odd to me is that if someone locked any of us out of our own boxes and refused to give us access, we'd all be spitting tacks.
Childs locks an entire city out of their own boxes and I'm reading "Hey, the boxes didn't crash, so no harm done!" Do you guys really believe that? Would you defend someone who locked you out of your own system, even if they said it was for your own good? Would you say "Hey, the box is still up, so it's fine that I'm locked out!"? I really don't think you would.
I just can't defend the guy. He was an ass, he caused his own problems when he could EASILY have avoided them just by not being an ass, he admits that he caused his own problems and that it wasn't worth it (in the last Childs slashdot article linked) and frankly if he did this crap to ANY of the guys defending him here, they'd be the first ones demanding his head.
Yes, his managers could have handled this better and probably were asses as well. The boss being an ass-hat doesn't cancel out Childs' ass-hattery.
Oh well. It's easier to grandstand and defend him when you aren't the one affected I suppose.
Personally I pity his coworkers who now have his huge undocumented mess to deal with. As far as I am concerned, you could take his entire admin style and write it up as a counter-example of what to never, ever do or allow to happen to your systems.
Evan Reynolds evanthx@hotmail.com
Two peanuts crossed the street. One was assaulted.
It seems to me that the amount/type of bonds is set based a variety of aspects, but high among those is the type of case and the arguments presented by the prosecutor as to whether the defendant is a risk or not...
I'm pretty sure that by now, a lot of managers, supervisors, CEOs and other various suits of the corporate genus are rubbing their hands together Monty Burns style, thinking they've finally found a way to control these pesky tech types and keep their sys admins under leash. But they should be very careful about sending them to jail for being protective of the passwords whose very security is paramount to getting the job done. They're already overworked, underpaid and given nowhere near the respect they deserve - if it should become a criminal offense to hold on to passwords with little to no defense or legal recourse against the corporate juggernauts, the suits will suddenly discover that the employee pool has suddenly dried up and no one wants to be their lapdo- I mean loyal employees anymore...
There are lots of cases wherein providing the information requested can get you in a lot of trouble in itself. As mentioned in other threads, there are many companies where the sysadmin-level and supervisory-level passwords are kept segregated, mainly because giving any one person (even your boss) gives too much ability to perpetuate fraud.
In other situations - and this one may have been more of a concern in this case - it's a case of the blame game. You leave the passwords with somebody who's not supposed to happen and/or is incompetent. They fuck things up royally, and then blame it on a malicious act by you. Blame-my-predecessor is a pretty common game, hence see the fairly popular three envelopes joke. The end result of that could be the same as or worse than how things ended up now, depending on the level of (in)competency of the person who now has access (imagine that they lack enough knowledge to screw things up while royally, but have enough to wipe out or tamper with logs leaving false evidence).
Sounds like the guy had a bad attitude yes, but it also sounds like that made the perfect excuse for an opportunistic manager to rake him over the coals post-firing.
My own practice is to keep a secure document with access procedures (passwords/keys/etc), and generally if I leave a company I still provide some support afterwards.
I've never been canned (although I have been downsized in an understandable situation where a company was going downhill) by wrathful management though, so I'm not sure how that would play out. Even with a list of passwords, there are still VPNs, SSH keys, and many other access levels that would have to be revoked to lock out my accounts properly, but I suppose setting my shell to /bin/false would do well enough in most cases, though there might be 100+ servers to go over in this regard.
As someone else stated this guy has balls. Having the config in memory and not writing to flash? Yeah that confirms it. No way I'd have the guts to run a router like that. You take power and power backup systems for granted, but there is always a chance at failure. I'd think that the last thing you would want after an extended power failure and all the problems that come with it is to have all your routers defaulted.
isn't the long and short of it really "why do you care who has the passwords to a place that just fired you?" if my place of employment fired me they can have any password they want. go for it, screw something up, i don't care, i don't work there anymore. his real problem was making the job more than a job. he's only the superhero of the network in his mind.
Giving up the passwords to "unauthorized" people, even if ordered to do so by someone authorized, is a crime. He should be in jail if he did do what they asked on the conference call.
Learn to love Alaska
There is a lot of false information floating out there. Take this SFGate article for example:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL
"A disgruntled city computer engineer has virtually commandeered San Francisco's new multi million-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday."
How, exactly, did he alter the network from jail?
"Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."
He was the network administrator, so he was entitled to access to the system. If the city's IT policy did not require him to document important passwords, then he has done nothing wrong. They threatened to arrest him, for what could only ever be a CIVIL infraction.
As others have discussed, the demand for the passwords came during an impromptu meeting where the people present had no business hearing the passwords. He has no responsibility to give out passwords to random people. After this ambush, he felt he could not trust the people around him and stated he would give the passwords only to the Mayor--basically the equivalent of the CEO. Again, he has done nothing wrong.
"One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him. "They weren't able to do it - this was kind of his insurance policy," said the official, speaking on condition of anonymity because the attempted firing was a personnel matter."
A city official revealed confidential information to the press, knowing that it was illegal to do so (hence the anonymity) and insinuating that Mr. Childs had an ulterior motive. Smells fishy.
They knew that he had done nothing wrong, and that at best they had a CIVIL complaint. They went hunting and found three modems in his office. They used that to arrest him on CRIMINAL CHARGES. After that:
"Officials also said they feared that although Childs is in jail, he may have enabled a third party to access the system by telephone or other electronic device and order the destruction of hundreds of thousands of sensitive documents. Authorities have searched Childs' home and car for a device that could be used in such an attack, but so far no such evidence has been found."
WTF? They claimed he had set up three modems and used that to justify searching his house. On this alone they are permitted to search his home and car? What we find out 7 months later:
"One was set up to dial out to Childs' pager any time a problem popped up on the city's network. The second was a DSL modem that had been set up even before Childs was hired at DTIS, used to connect to the Internet and test access to the city's network. The third was for emergency use only, designed to connect city computers to a disaster recovery site so that the city's network could be up and running in the event of an emergency."
This is a personal vendetta by Management at the City.
If this had happened at a large corporation, do you think the Police would have agreed and searched his house? Do you think the DA would have even charged him with anything? Would the judge have set a $5 million dollar bail??
I hope Mr. Childs wins and counter sues the city.
It's interesting how laws are written so broadly that they cover routine, legitimate acts. What makes activity criminal, apparently, is whether the government likes you this week.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Judge: "Mr. Childs, why didn't you give the city the passwords they requested?"
Childs: "Uh... because I couldn't remember them!"
Judge: "Charges dismissed."
I've abandoned my search for truth; now I'm just looking for some useful delusions.
It would be the same thing if you had keys to the building, company credit cards and cell phone.. If you quit, you would give them all back.. If fired you would be asked for them.
Ah, but the question that Childs asked is, "Who am I authorized to give the keys to?" Should he just give them to Bob the Janitor, or someone who actually has the authority to take them. He clearly had a breach of trust with his supervisor, and possibly the CIO (if that wasn't his supervisor). After the secret audit, and him reacting reasonably to someone unauthorized removing equipment he was responsible for, the expectation that he should relinquish sensitive information to them is laughable. So he picked someone with sufficient authority (although not necessarily qualifications) to hand the information to.
I don't see what he did wrong. Perhaps he handled it poorly, but that's a different thing altogether.
Sure I'm paranoid, but am I paranoid enough?
I'm sorry, but this article is "the sky is falling" type reporting that AP, Reuters, and CNN do. These three organizations reported that we had captured Osama Bin Laden.
The complaint is that he put these modems in a locked room with no authorization, and against municipal law. If I have a modem on my company's network to allow RAS, you better believe my boss approved it. He had violated many of his legal responsibilities. He set routers up with passwords only he knew, which would be nuked clear if normal console password recovery attempts were made, and locked some of these up behind doors only he had the key to.
What if he got hit by a bus? We had a guy die on us a few years back. Procedure had him put his passwords in a locked cabinet inside a locked and secured room. The city has its own provisions for such possibilities. Laws. He admits to not following.
If you take any of these charges on the summary, they look innocent. But dig into the complaint which was in another /. post, then this guy really looks guilty.
What happened to the right to remain silent?
His papers, notes, and files are all property of the company, and IANAL, but I don't see how they can force him to talk without offering immunity.
While the cases are not exactly the same, the community response was. Most admins thought that he was right and that he did not do anything wrong and that he would eventually win in court. He didn't.
Thirteen years later his conviction for hacking into the company's systems was expunged, but that is a big chunk of time to pay.
Anyhow ... his mileage may differ, but I won't bet on it.
I already waste enough time posting. No, I'm not going to search out every tiny little thing. Maybe you could just tell me? Without having to resort to a search yourself, of course. You did say it was well known. Perhaps it is, to Cisco networking specialists, which obviously I am not.
Yes I did read the post. I don't know how hard it is to change out the flash memory in those things. I was envisioning some special tool to open up the box, then some kind of special, proprietary, hard to find chip, like an EEPROM BIOS in a DIP form. In short, something that couldn't just be done in a few minutes. But if it's a common type of flash memory (CF? SD?), then it's all much easier than I was thinking.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
it's not bricking the hardware. Locking out the firmware is a good idea. Once you swap out the firmware chip, then you have to reset the firmware.. lose the settings so an unauthorized person has a nice router, but not any info about YOUR network, security achieved. At worst you need to do a call out if some office wannabe geek tries to fix it.
No offense mate but you don't know what you are talking about. Believe it or not most other countries don't care about your laws.
In fact, most other country admins sit back and laugh at the poor Americans and their endless litigation.
Seriously though.. get a grip of your judicial system, it's out of control. While this kind of thing might hamstring American admins, those of us with a more reasonable law system will just feel sorry for you guys.
I love getting emails from American lawyers... I always respond to them TBP (thepiratebay.org) style.
I already waste enough time posting. No, I'm not going to search out every tiny little thing.
Have you ever considered a career in local or even national news? You seem to have an aptitude for it; not willing to let things like easily researched facts get in the way of your chance to write about the subject.
Ok, 502 is referring to the California Penal Code, 502 which is all about computer hacking. I just read the entire thing. The law is pretty clear on how this guy can be charged and PROTECTS administrators that operate within the scope. Just because an admin has a modem or some other device (it could be a satellite uplink/downlink, or DSL modem, or a direct Network-over-Radio connection) to connect to their employer network does not mean they are breaking the law, in fact, most of the time, it is protected under the law. Read the Penal Code! http://nsi.org/Library/Compsec/computerlaw/Californ.txt
The "Obama has you by the nut sack" and "he may as well be betting in vegas with tax payer cash." portraying two negative stereotypes of African-Americans. Grabbing someone by the nut sack and gambling money away. If you cannot see that, you are blind.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
"Would you mean, perhaps, administrative policies that from all of this, it would appear to have been Childs job to implement?"
Yes, I think that is a fair conclusion. If it wasn't his responsibility to account for these archival processes then it sure should have been somebody's (like maybe his manager who locked himself out?). In any case, the problem was a lot bigger than his refusal to disclose IMHO.
Maybe I'm missing something here? Shouldn't all admins have signed an NDA specifically prohibiting him from releasing the passwords? He shouldn't even be talking about what servers they are. I had an NDA that ran on for 1 1/2 years after I left a certain job. If he left the company/city, tough luck, it's a management oversight. It's their job to go changing all the passwords even if it's going rescue mode for each server. There are reasons why you don't have a top admin hold on to all the passwords. But the moment you fire him, you're on your own.