Terry Childs Case Puts All Admins In Danger
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
Thankfully I'm stealing my neighbor's wifi, so I don't have to worry about being caught with a modem.
There's no -1 for "I don't get it."
If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead (either as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like).
As usual, the legal system that makes me sick to my stomach some days.
I work for the Department of Redundancy Department.
Section 502(c) states in part
OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.
And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?
That's the point really. His keeping the passwords is really no different than a VP keeping a laptop or company automobile. There are several civil steps that need to be gone through before "keeping" something you were previously entitled to have and protect becomes "criminal".
Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it. In the same way the new manager saw a "rogue" employee that was cut off, isolated, and anti-social and first tried to illegally fire him. When that didn't work, then he started harassing about the passwords and created a situation with the prosecutor to get the passwords or throw the guy in jail... a leap of about 6 other legal processes.
Like has been said before.. modems and back doors in your office or home office (if expected to work from home/call in) are quite common for admins. VPN access to servers for when they crash is common. Those don't really figure into the "criminal" part because they didn't ASK if he had them and didn't ASK him to return them... packing his cardboard box on the way out the door is not formally "asking". As far as wiping the configs, that was paranoid overkill, but considering how often city office property gets stolen, wiping the config keeps thieves from getting the network settings to the whole thing which is more valuable than any one office of downtime due to power failure.
"keys to the kingdom" passwords are quite common.. I'm the only person at my 1000 person company with ALL of a certain server's passwords plus some network ones. There's a small number of people I would release those to... if I was pre-accused of malicious intention before I even left I'd probably handle the transaction thru a lawyer.
Like he predicted, when the city hired consultants (again not thru a legal means, just some random company to "fix it") and they started breaking stuff they didn't understand isn't his problem... Remember he was accused of "damages" even though the manager had no cause to make that ... the only poor performance he demonstrated was being disgruntled. Assuming he was doing damage and calling the cops is bordering on criminal filing a false report.
The proper course of action would have been for the DA to sue him in small claims court for the password. Make a valid case and allow him his grievance before a judge, then honor the ruling. Then a judge would have thrown him in jail until he talked for contempt... there's no time limit on contempt, so no need to file other charges! Frankly they're not a good lawyer if they didn't think of the simplest legal thing first.
He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.
Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just a civil liabilities. That is what should have happened to Childs, no more no less.
I can't believe this megalomaniacal prima donna is now somehow the poster boy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Well, it's just like 1st Amendment cases involving pornography, marching down the street in neo-Nazi uniforms or hooded bedsheets, or the like. You have to fight the idiots who would deny basic rights or make a mockery of law unilaterally, even when they go after the dirtbags. Letting them ignore the law when they beat down the unpopular is just giving them a free pass to do the same to you in the future, when it strikes their fancy.
If a job's not worth doing, it's not worth doing right.
While I haven't been in this specific situation (i.e. jail), I have been in a similar situation.
At a previous employer (this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them; I could give him any specific access he needed on demand.
When I was hired I was given a number of NDAs to sign; one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor (with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.
In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.
Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)
He set the routers to return to default under power failure. Actually that was a really smart move, these are in city buildings, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...
The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.
They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.
I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.
SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.
Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.
It's insanity to think that you could be committing a crime by doing your job.
-ted
No. Wrong. Incorrect.
He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.
HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.
Sigh.
doctorcisco
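An added example (not part of the original thread or any poster's code): a small Python audit that flags routers where `no service password-recovery` coincides with a single local privileged account, the combination that leaves an organization dependent on one person's credentials. The sample configs, hostnames and finding names are constructed for illustration, and counting `privilege 15` usernames is a simplifying assumption.

```python
import re

# Constructed sample running-configs (hostnames, users and hashes are made up).
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
no service password-recovery
enable secret 5 <constructed-hash>
username admin1 privilege 15 secret 5 <constructed-hash>
line con 0
 login local
""",
    "edge-rtr-2": """\
hostname edge-rtr-2
no service password-recovery
username netops1 privilege 15 secret 5 <constructed-hash>
username netops2 privilege 15 secret 5 <constructed-hash>
""",
    "core-rtr-3": """\
hostname core-rtr-3
username netops1 privilege 15 secret 5 <constructed-hash>
username netops2 privilege 15 secret 5 <constructed-hash>
""",
}

PRIV15_USER = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b")


def audit_config(text):
    """Return governance findings for one running-config, in a fixed order."""
    lines = [ln.strip() for ln in text.splitlines()]
    # The line appears in the config when recovery has been turned off.
    recovery_disabled = "no service password-recovery" in lines
    admins = {m.group(1) for ln in lines if (m := PRIV15_USER.match(ln))}

    findings = []
    if recovery_disabled:
        findings.append("password-recovery-disabled")
    if len(admins) <= 1:
        findings.append("single-local-admin")
    # Both together: if that one credential is lost or withheld, console
    # recovery will not help (assumption: no other login path, e.g. AAA).
    if recovery_disabled and len(admins) <= 1:
        findings.append("no-recovery-path")
    return findings


def audit_fleet(configs):
    """Map hostname -> findings, keeping only devices that have any."""
    return {h: f for h, f in ((h, audit_config(c)) for h, c in configs.items()) if f}


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(host, ", ".join(findings))
```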
He has a right to speedy trial (as per the Constitution). This is a right that defendants can and do exercise sometimes. Basically your attorney tells the court that you want to exercise your right to speedy trial and the judge tells the prosecution "Ok, get your shit ready, this moves forward soon." In California, the speedy trial statute is 60 days. Judges can set a shorter date, if there's good reason to do so, i.e. prosecution isn't gathering new evidence, just stonewalling. So, if his attorney pushed that, he'd have already gone to trial. However, it is also often not done. The defense often wants time to prepare a case, in particular if the prosecution has a good case and the defense needs time to poke holes in it. After all, you don't want to push for speedy trial if it means you won't be ready and you are just going to lose.
So the reason this hasn't gone to trial is almost certainly the decisions of his lawyer. Had the government really had zero case, a speedy trial motion would have been filed and granted and they'd have already lost. You don't see this very often because those cases are usually dropped. A DA would much rather drop a weak case they are going to lose than go to trial and lose it.
Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.
Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.
Those are my principles, and if you don't like them... well, I have others.
Except from TFA -
"By withholding information about the configuration, he stole from his employer on the way out."
I don't know about this Terry Childs fellow or anything to do with what he's alleged to have done. But that is one bat-shit insane sentence.
Are you saying that an individual cannot just quit his or her job and walk out the door? And if they do should rot in jail and be stripped of all possessions? On the basis of a private company's say-so? WTF?? Who the fuck modded this bullshit up??
They fired him, he walked...but he's forever beholden to them and every employer he's ever worked for because he holds some knowledge about their network?
What a fucked up world you live in, sorry but you're a little fascist, any individual, from the CEO to the Janitor has every right to leave a position and never look back, if the world implemented your policy we'd all be too terrified to work for anyone! Some HR schmuck wants to fuck with you after you leave, HE DIDNT TELL US SOMETHING WE NEED PUT HIM IN JAIL AND STRIP HIM OF HIS POSSESSIONS! Jafiwam demands it!
You're the only IT person for a small company and want to quit? TOO BAD! Don't dare walk out the door, if you do according to Jafiwam the little fascist you deserve to rot in jail and have all your possessions stripped away from you. Oops didn't document what that script does, STEALING! JAIL FOR YOU. Didn't tell them about that Cronjob before you left? STEALING! Didn't document that object properly, didn't let them know about that revision, didn't pass on that message? STEALING, STEALING, STEALING!
Didn't write a 2000 page manifesto brain dumping every tiny little bit of trivia and knowledge that you have about their business, STEALING!
The idiocy is truly unbelievable around here sometimes.
He was sprung with a surprise secret audit, and claims he caught the auditor taking a hard-drive, at which point he confronted her. At which point she locked herself in, and called the CIO.
On July 9, 2008 and at all relevant times, Richard Robinson was the Chief Operations Officer of DTIS [the San Francisco Technology Information Services Department]. Defendant unwittingly found himself at a meeting with Robinson in a room at the police station at the Hall of Justice. Present at that meeting were Lt. Greg Yee and Vitus Leung from the City's Human Resources Dept. Waiting outside the room but joining the meeting midway was Inspector Ramsey. The meeting was unorthodox and short on civilities. Defendant was told that he was being reassigned and was asked to disclose the FiberWAN passwords in addition to other passwords. There was no advance notice to defendant of this request. The surrounding circumstances of this request were unnerving and troubling to defendant at best. He resisted this surprise request to disclose the passwords to the FiberWAN, telling Robinson that no one was qualified to have the passwords. Under the pressure of the situation, defendant gave password information that could not be validated. During this exchange wherein defendant was questioned regarding the passwords, a speakerphone was on the desk in meeting room and people were listening in on the other end of the phone connection in a different part of the City.
Would you have given over the root passwords for your network and servers in those circumstances? Especially since you're likely to take the blame and/or get sued if some monkey screws something up and then blames it on you.
As you say, a civil action would have been more than adequate to recover them - he only wanted to hand them over in secure fashion to someone qualified to know them. He did hand them over to the Mayor, "the only person he felt he could trust," a few days later, after he was already in jail.
OK, Childs had a bit of a God complex, but after years designing something that intricate, and being the only 24/7/365 support for a few years due to budget cuts, it's understandable. They've basically charged him for having the tools, access and knowledge to actually do his job.
Ironically, after claiming he was the one threatening the network, the city put the list of vpn passwords they found in his house into evidence unredacted, thus compromising half of the vpn 2-factor security for the entire network, forcing them to reset them all 2 days later; locking everybody out of the vpn access entirely. This was the first network outage since they imprisoned Childs, and was directly caused by the incompetence of the city technical management.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.