Slashdot Mirror
Terry Childs Case Puts All Admins In Danger
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
On second thought, I'd be in for a long stint.
Never mind.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Thankfully I'm stealing my neighbor's wifi, so I don't have to worry about being caught with a modem.
There's no -1 for "I don't get it."
'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
It still beats having to wear a suit to work.
First, this story sounds very one-sided and has quite a bit of sensationalism. Ok, a lot. I'm sure they can charge him with something to the effect of unauthorized access to a government computer system. Nobody's going to be pointing out modems as tools of a crime. That's like saying having a car means you're a bankrobber because bankrobbers use getaway cars.
If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did, (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead. (ether as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like)
As usual, the legal system that makes me sick to my stomach some days.
I work for the Department of Redundancy Department.
This is a classic
Karma: Non-Heinous
Of course they wouldn't do that.
They'd use that fact as leverage to extract whatever they want from you first.
So not only did he withhold passwords.
And have modems attached to computers.
But it's going to take 250,000$ to fix.
Can the defense claim insanity on behalf of the prosecution, 'cause I think we've just hit bat country!
Section 502(c) states in part
OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.
And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?
FTFA:
I can't believe this megomaniacal prima dona is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Well, it's just like 1st Amendment cases involving pornography, marching down the street in neo-Nazi uniforms or hooded bedsheets, or the like. You have to fight the idiots who would deny basic rights or make a mockery of law unilaterally, even when they go after the dirtbags. Letting them ignore the law when they beat down the unpopular is just giving them a free pass to do the same to you in the future, when it strikes their fancy.
If a job's not worth doing, it's not worth doing right.
While I haven't been in this specific situation(ie. jail), I have been in a similar situation.
At a previous employer(this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them I could give him any specific access he needed on demand.
When I was hired I was given a number of NDAs to sign one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor(with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.
In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.
Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)
Those damn IT people and their correct usage of HTML tags on a tech website, always holding BBCode tags hostage for ransom...
First, I'll remind everyone that the code 502 in question is only applicable in California.
The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."
What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.
During voir dire the lawyers probably asked if any of them were network professionals and dismissed those that were.
The court wants only the presented evidence and facts to enter the case, not the external, uncontrolled ideas of some hacker ranting in the jury room. When I served on jury duty, the judge made it plain that in that case the law was only what he told us it was. We weren't to consider things from outside of the courtroom.
It's kind of like designing code. He's trying to minimize external dependencies.
That said, it still seems pretty stupid.
John
I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.
SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.
Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.
It's insanity to think that you could be committing a crime by doing your job.
-ted
Count 1: disrupting or denying computer services is moot
Joey: It's a moo point ... like a cows opinion, doesn't matter ... it's moo.
Rachel: You mean a moot point ?
Joey: No...no, a moo point
Free Terry Childs with purchase!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
*Free Terry Childs must be of equal or lesser value to that of purchased Terry Childs. Must be a California resident to claim prize. Valid only while supplies last.
do not read this line twice.
No. Wrong. Incorrect.
He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.
HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.
Sigh.
doctorcisco
He has a right to speedy trial (as per the Constitution). This is a right that defendants can and do exercise some times. Basically your attorney tells the court that you want to exercise your right to speedy trial and the judge tells the prosecution "Ok, get your shit ready, this moves forward soon." In California, the speedy trial statue is 60 days. Judges can set a shorter date, if there's good reason to do so, ie prosecution isn't gathering new evidence, just stonewalling. So, if his attorney pushed that, he'd have already gone to trial. However, it is also often not done. The defense often wants time to prepare a case, in particular if the prosecution has a good case and the defense needs time to poke holes in it. After all, you don't want to push for speedy trial if it means you won't be ready and you are just going to lose.
So the reason this hasn't gone to trial is almost certainly the decisions of his lawyer. Had the government really had zero case, a speedy trial motion would have been filed and granted and they'd have already lost. You don't see this very often because those cases are usually dropped. A DA would much rather drop a weak case they are going to lose than go to trial and lose it.
Tony: Hi Mike, how ya doin'? How was Joilet?
Mike: Oh, it was bad. Thursday night they'd serve a wicked pepper steak.
Tony: Can't be as bad as the cabbage roll at the Terra-Phelavo penn.
Steve: Or that oatmeal at the Cook County slammer.
Tony: Well, they're all pretty bad.
"Warning: This Product Attracts Every Other Piece of Matter in the Universe, Including the Products of Other Manufacturers, with a Force Proportional to the Product of the Masses and Inversely Proportional to the Distance Between Them."
The Terry Childs case reminds me of 24. A corrupt government analyst exerts pressure on a techie to give up a password, which is promptly used for illegal activity. Then the innocent techie gets fucked and Jack Bauered. Yeah. Give the password to any boss figure who asks. That cannot go wrong.
A NYC lawyer blogs. http://www.chuangblog.com/
I expect he will be able to find more than one Cisco certified security professional who will point out that devices with limited or no physical security can and should be configured with "no service password-recovery". Proper administrative policies would have had version control archiving router and switch configurations, thereby completely alleviating the impact of disabling break key recognition.
I don't call it secure until at the very least, I can't break in without extraordinary measures.
How does that get rated "interesing". Par is the Latin word for equal (still used with that spelling for things like golf), and peer is the modern English derivative. The Romans came somewhat before the British Peerage.
I assume British Peers they are called that because they are expected to treat each other as equals, even if they have contempt for the poor suckers.
"By withholding information about the configuration, he stole from his employer on the way out."
I don't know about this Terry Child fellow or anything to do with what he's alleged to have done. But that is one bat-shit insane sentence.
Are you saying that an individual cannot just quit his or her job and walk out the door? And if they do should rot in jail and be stripped of all possessions? On the basis of a private companies say-so? WTF?? Who the fuck modded this bullshit up??
They fired him, he walked...but he's forever beholden to them and every employer he's ever worked for because he holds some knowledge about their network?
What a fucked up world you live in, sorry but you're a little fascist, any individual, from the CEO to the Janitor has every right to leave a position and never look back, if the world implemented your policy we'd all be too terrified to work for anyone! Some HR schmuck wants to fuck with you after you leave, HE DIDNT TELL US SOMETHING WE NEED PUT HIM IN JAIL AND STRIP HIM OF HIS POSSESSIONS! Jafiwam demands it!
You the only IT person for a small company and want to quit? TO BAD! Don't dare walk out the door, if you do according to Jafiwam the little fascist you deserve to rot in jail and have all your possessions stripped away from you. Oops didn't document what that script does, STEALING! JAIL FOR YOU. Didn't tell them about that Cronjob before you left? STEALING! Didn't document that object properly, didn't let them know about that revision, didn't pass on that message? STEALING, STEALING, STEALING!
Didn't write a 2000 page manifesto brain dumping every tiny little bit of trivia and knowledge that you have about their business, STEALING!
The idiocy is truly unbelievable around here sometimes.
Comment removed based on user account deletion
Terry Childs held something at ransom or rendered useless that didn't belong to him.
What was the ransom he demanded? How was a network with zero downtime rendered useless?
The code, hardware, and configuration all belong to his employer. By withholding information about the configuration, he stole from his employer on the way out.
They had the configuration. They could pull out the flash card with the configuration on it and put it in a new router and it would work great. Of course, without the passwords, they couldn't log in to see it, change it, or any of that, but that didn't prevent it from being 100% operational, as well as being something that could be backed up, replaced, and all that without problem.
He fucked himself and he deserves what he is getting.
He was fired, then after being fired, was asked to fulfill an obligation to an organization he no longer had an obligation to. He may not have been professional. He may have been an ass. But he did nothing illegal, let alone criminal. If they threw people in jail just for being asses, I'd nominate you to be at the front of the line.
Learn to love Alaska
No network administrator is going to be at risk for anything as long as they play nice and don't pull crap like bringing a city's network activity to a screeching halt just because they're pissed off or whatever.
If that was the case, then Terry Childs wouldn't be under arrest. Despite the impression you may have gotten, he didn't bring the "network activity to a screeching halt" - it carried on working perfectly, and I think even the city eventually admitted this. (You've probably been reading misleading news reports based on equally misleading press releases by the city.)