3 of 4 Charges Against Terry Childs Dropped

phantomfive writes "Terry Childs, who was arrested nearly a year ago for refusing to turn over the passwords to San Francisco's FiberWAN network, has been cleared of three of the four charges against him. The dropped charges referred to the attachment of modems to the network; the remaining charge is for refusing to turn over the password. The prosecutor has vowed to appeal, to have the charges reinstated. We have the original story, and the story where Childs tells his side, for those who want a refresher."

Witch hunt

[joaommp]

Always seemed to me this was not much more than a witch hunt. Why else would them set a bail higher than for killers and rapists?

Re:Witch hunt

politics 101. pissing of the ones in power is the worst crime you can commit.

Re:Witch hunt

Exactly. Pissing of the ones in power > killing someone.

Captcha = damages

Re:Witch hunt

high bail does not mean witch hunt. Bails in US court systems are generally broken, with more minor crimes often having legally required higher bails than more major crimes.

Also, please look up the definition of "witch hunt", and of "scape goat". In a witch hunt, there would have been little to no chance of a finding fo innocence. With a scape goat, it doesn't matter whether innocence or guilt is found, only a temporary person on which to pin blame until the issue fades by the wayside and the true screw-ups can slide by without getting caught.

Re:Witch hunt

[Auraiken]

Totally agree, someone tag this story "hero".

This guy should never have had to go to jail over this garbage. They could still have had court cases in a civil fashion.

Re:Witch hunt

[joaommp]

Thank you for the correction.

(but anyway, I still think everyone got what I meant - and please don't be too harsh on a non native english speaker, which everybody here seems to assume everybody else always is.)

Re:Witch hunt

[julesh]

Why else would them set a bail higher than for killers and rapists?

AIUI, the process of setting bail includes making a judgment of how much money the accused could afford to lose. See Stack v Boyle:

"Bail is excessive when set at an amount higher than necessary to achieve a legitimate government purpose. If the purpose is to ensure a defendant's appearance at trial, and if found guilty serve the sentence, then bail may not be set higher than needed to meet those ends."

The judge setting bail must take this into account. If the judge believed that a bail of $1000 would have a serious enough financial impact on an accused that the accused would not risk losing it, then he can't set it higher. OTOH, for somebody who has the potential to earn say $80000 per annum as a consultant, obviously the figure must be higher. The only reason the type of crime is factored into the calculation is that people are more likely to run if they're facing a long-term imprisonment rather than just, say, 3 months.

Re:Witch hunt

I always piss ones in power. Oh wait, piss OFF...oh, I get it.

1M bail and 1yr in jail...?

[Manip]

I'm sorry but this guy has already had time served. Even if they do find him guilty one year in jail for what he did is far more than enough. Plus 1M bail? Is he a violent criminal? ...

This sounds like a classic story if ignorant people making decisions about technical crime and getting scared. I aim that both at the city and at the judge who set the original bail.

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").

Re:1M bail and 1yr in jail...?

[Seumas]

Ignorant people are afraid of the technologically savvy the same way they are afraid of science. They don't understand it, so rather than bettering their knowledge and informing themselves, they'd rather fear the worst and attack those who represent a threat (that is, those who know something they don't).

Also, why didn't the guy just say "dude, it was a complex random password and I've completely forgotten it"? They can't force you to give them a password that you've forgotten, surely? Also, is a partial "moral victory" really worth an entire year of your short life span?

Re:1M bail and 1yr in jail...?

[LordKronos]

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people

Huh? Special technical trials? Why? The current system already allows lawyers to bring in expert witnesses to explain stuff. And lawyers are allowed to do a bit of story telling during their opening and closing arguments, and they can use that opportunity to explain thing in other terms (including car analogies, if they choose).

A lot of us around here always complain about legislature creating special laws to make illegal things that are already illegal under an existing law. Let's not turn it around and start asking for special trials when the cases can already be accommodated by the existing court system.

Re:1M bail and 1yr in jail...?

[MrKaos]

This sounds like a classic story if ignorant people making decisions about technical crime and getting scared. I aim that both at the city and at the judge who set the original bail.

There is a saying, There is no such thing as a bad student only a bad teacher. If the legal system is ignorant about how 'technical crime' should be addressed it's because we, as technology professionals, have failed to lobby for the appropriate changes to be made to law to handle these cases properly.

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").

Why? The framework for all of these things already exist in the legal system. All this world changing technology has been unleashed over the last decade or two and Information Technology is maturing as a profession. It's a bit unrealistic to expect the legal system to make quality decisions about how the law should be adapted to handle those changes while the people responsible for delivering the technology do not get involved in educating those who can codify the law to behave reasonably.

It ridicules us to point the finger and say 'look at how ignorant they are' when in reality we should be more self critical and understand that this is the treatment we should expect if we are too apathetic to influence the legal system appropriately.

Re:1M bail and 1yr in jail...?

[joaommp]

Well, it's a new different kind of bullying.

Re:1M bail and 1yr in jail...?

[Jah-Wren+Ryel]

Huh? Special technical trials? Why? The current system already allows lawyers to bring in expert witnesses to explain stuff. And lawyers are allowed to do a bit of story telling during their opening and closing arguments, and they can use that opportunity to explain thing in other terms (including car analogies, if they choose).

Once upon a time a "jury of your peers" really meant peers, and not just the most easily swayed people in the jury pool. I'm not saying every single person on the jury needs to be a network engineer, but you can pretty much count on the prosecutor objecting to anyone in the pool with any technical expertise relevant to the case.

So, not special trials per se, but a process that rules out anyone with domain knowledge relevant to the trial is fundamentally broken. The number of really bad car analogies that get made here everyday among the relatively technically astute should be proof enough that requiring the issues to be dumbed down for an uneducated jury is not a very good way to run the system.

Re:1M bail and 1yr in jail...?

[Hurricane78]

Well, they should be afraid. Because I'm going to kick their asses for their ignorance!

(*blend to underwater lair under a volcano*)
Release the sha... what?... OK, the sea bass...

MUHAHAHAAAA

Re:1M bail and 1yr in jail...?

[Yetihehe]

There is a saying, There is no such thing as a bad student only a bad teacher.

You haven't seen some people who don't want and/or are incapable of learning the most basic scientific facts. Yes, you could spend with them 5x the normal time for normal student, but is it really worth it? We need someone to clean the streets, and really intelligent ambitious people don't really want to do it. Typical street cleaner doesn't need to know what an Ohm's law is.

Re:1M bail and 1yr in jail...?

Oh, God, don't you think we've TRIED? Forget the legal system; you can't get the ordinary person on the street to deal with the idea that computers are science, not black magic!

I've been blogging technology for ten years just trying to teach basic, basic, junior-high concepts. When you do this, you are not believed. Trying to show that computers are logical, that software is written and compiled in a practical fashion, that the user can take steps to secure themselves, hell, just showing people how to SAVE AND OPEN ONE GODDAMN FILE is an exercise in futility. They look at you like you're crazy, like you're claiming to have seen Elvis flying a UFO.

Computer science suffers in America. Duh, SCIENCE suffers in America. There is no education. We have a big farm full of dumb, superstitious animals to work with. We're lucky to get trials at all.

Re:1M bail and 1yr in jail...?

[MrKaos]

You haven't seen some people who don't want and/or are incapable of learning the most basic scientific facts.

That is irrelevant because the target audience is layers and politicians. They have to be educated or, at the very least, ambitious to be able to perform their work. They don't need all of the details, just the executive summary of the consequences and recommendations of how they should act to achieve the appropriate outcome.

You are not talking to the masses here, you are talking to a select group of people who are professionals, intelligent and used to considering things. We are talking about people who are actually interested in the risks posed to society by ill-founded decisions made law.

Re:1M bail and 1yr in jail...?

[Zombywuf]

He didn't say he'd forgotten it because he was simply doing what his job description told him to do. He was called into a room with a dozen people he didn't know, he refused to hand over the password to these people. When a single person (the mayor) who was authorized to know the password asked for it, he handed it over without hesitation.

Re:1M bail and 1yr in jail...?

[dbIII]

With respect, none of this is as complex as DNA and other forensic evidence which is handled quite well in criminal trials every day. Explaining these things is one reason why some trials take a long time.
Jury selection is another story and if a prosecutor or defence thinks they can more easily sway someone with no pre-existing knowledge on the subject then they will select accordingly.

Re:1M bail and 1yr in jail...?

[Kjella]

So, not special trials per se, but a process that rules out anyone with domain knowledge relevant to the trial is fundamentally broken. The number of really bad car analogies that get made here everyday among the relatively technically astute should be proof enough that requiring the issues to be dumbed down for an uneducated jury is not a very good way to run the system.

So in a medical misconduct trial you want 12 doctors on the jury, able to understand the medical evidence? In a copyright infringement trial, you want 12 copyright experts which inevitably have tight links to the copyright industry on the jury? I certainly don't think you'd want 12 policemen with domain knowledge on what police work involves in a trial about excessive police violence.

I'm not saying it's perfect, but it's better than any other system we've tried. Honestly, if you compare it to the 1700s when they decided this was how US trials should look like (ok, the jury system is probably older and inherited somewhere) then the people on the jury certainly weren't educated. Honestly, if you can't dumb down the essence of the case to where normal people understand it, there's something very wrong.

Re:1M bail and 1yr in jail...?

[Jah-Wren+Ryel]

a process that rules out anyone with domain knowledge relevant to the trial is fundamentally broken.

So in a medical misconduct trial you want 12 doctors on the jury...

No. Please read what I wrote more carefully and refrain from succumbing to obviously incorrect interpretations.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

With respect, none of this is as complex as DNA and other forensic evidence which is handled quite well in criminal trials every day.

With equal respect, have you ever been through jury selection? I have (a number of times unfortunately: every time I move they waste a day of my time not selecting me) and the GP is correct. The system selects for the most ignorant of any issues relevant to the proceedings, and anyone who could be presumed to have knowledge of mathematics or statistics suffer the first peremptory challenges issued. Don't want someone who can see through the numbers the trial lawyers and their expert witnesses pull out of their nether regions. I'm just a software engineer, and every god damn time I was asked what I do for a living I was promptly removed from the jury. The people that were left were often very nice people (you get to know some of your potential fellow jurors in the jury pool beforehand) but not people that I would want on my jury, if I were accused of a computer crime ... especially if I were innocent. The naked fear so many individuals have of computers, and especially those who are accused of computer crimes is unnerving. Fear of the unknown is not intrinsically irrational: but fear of gaining understanding is.

All the juries I've (almost) been on are filled with people to whom a trial about computer systems is, in fact, just as unfamiliar and frightening as a trial involving DNA or other complex evidence, and might just as well be about DNA so far as their level of understanding is concerned. The idea of a technical court is not a bad one at all, particularly given the importance of sophisticated science and technology to all of us, not just those with technical backgrounds. Imagine judges with engineering or science degrees running the show in such trials. Honestly, if we had such courts the patent system probably wouldn't be broken and the RIAA would have been laughed out of court from day one. I can just see a judge who just incidentally happened to have a degree in computer science asking an RIAA attorney: "So, you're claiming that a logged IP address infallibly identifies an individual copyright infringer? Hm. Not on this planet, bucko."

Truly, in these times ignorance is not bliss, and we as a society are paying the price for allowing our adversarial system to dumb down those who judge us. Remember, our justice system was developed in much simpler times. The pace of change being what it is, it's too much to expect the law itself to always be on top of things, but it shouldn't be too much to expect our juries to really be composed of our peers.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

So, not special trials per se, but a process that rules out anyone with domain knowledge relevant to the trial is fundamentally broken.

So in a medical misconduct trial you want 12 doctors on the jury, able to understand the medical evidence?

Possibly. But the GP's term "domain knowledge" can mean different things: you don't necessarily have to have specific knowledge of the particular fields involved in a trial to be a better juror. Honestly, a jury with a basic understanding of scientific method, and an adequate command of math and statistics would help a lot. Is that asking too much?

Re:1M bail and 1yr in jail...?

[ScrewMaster]

Oh, God, don't you think we've TRIED? Forget the legal system; you can't get the ordinary person on the street to deal with the idea that computers are science, not black magic!

"Any sufficiently advanced technology is indistinguishable from magic" - - Arthur C. Clarke

The problem is, a lot of people are insufficiently advanced, and are unable to make that distinction.

Re:1M bail and 1yr in jail...?

I certainly don't think you'd want 12 policemen with domain knowledge on what police work involves in a trial about excessive police violence.

You needn't worry about that, police brutality won't ever reach the courtroom.

Re:1M bail and 1yr in jail...?

[mpe]

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").

It's already possible to bring in such people, they are known as "expert witnesses". The issue here is more the lack of a prompt trial. Maybe what's needed is a rule along the lines that someone is automatically found "not guilty" if their trial does not start within a certain time of their being charged.

Re:1M bail and 1yr in jail...?

[dkleinsc]

That's interesting: the trial I was in had a jury with a chemist and 2 software developers. The only person booted for professional reasons was an attorney. However, this was in a county court system that put a lot of effort into making the jury pool a wider selection of people in the interests of getting a fair trial (silly concept, I know).

YMMV, but blind cynicism about what a well-run court would look like is about as useful as blind trust in the court system. If you're in an area where judges are elected, talk to the judicial candidates about your concerns regarding jury selection, and go ahead and base your vote on their answer. Yes, they may still lose/win based on TV ads that say "Judge Smith is tough on crime", but politicians actually notice when their constituents talk to them directly.

Re:1M bail and 1yr in jail...?

[Zigbigadoorlue]

We need someone to clean the streets, and really intelligent ambitious people don't really want to do it. Typical street cleaner doesn't need to know what an Ohm's law is.

And what you think the technically uninclined are pushing down the gates to get at those street cleaning jobs? Nobody "really wants" to do menial street labor.

Re:1M bail and 1yr in jail...?

[sumdumass]

Once upon a time a "jury of your peers" really meant peers, and not just the most easily swayed people in the jury pool. I'm not saying every single person on the jury needs to be a network engineer, but you can pretty much count on the prosecutor objecting to anyone in the pool with any technical expertise relevant to the case.

The issues here isn't really technical. It can much easier be explained as in a matter of general security. Let say some people who you didn't know called you into a room at your office and demanded you give them your keys to the building. Now keep in mind, you signed an agreement stating that you would only give them to a certain person in a certain department or his replacement when if that happened. Now would you give the keys to these people without knowing who they were or would you give them to the people your security contract authorized? As a matter of reference, I can appear like I belong in a building, I can appear like I am someone's replacement, but you shouldn't just take my word for it before giving me the keys. When the Mayor (the authorized person) requested the keys (passwords), he turned them over willingly without delay.

SO this doesn't need to be a complex technical matter. It's just a matter of security. Imagine those people above was the bank holding your mortgage or landlords agent and you still had no idea who they are but they wanted the keys to your house. I know a network isn't a home but the problem is with general security and not technical in general.

Re:1M bail and 1yr in jail...?

[sumdumass]

Speaking of incompetent but well meaning people on the jury, I used to work with a girl who sat on a jury trial over a murder where two boys (14 and 16) shot and killed some girl who was obsessed with one of them, enlisted the help of his mom and another friend (a 19 year old woman) who took the body to a barn across the county and caught it on fire.

This girl on the jury came into work after the first day of trial and told us they were going to fry if she had anything to do with it. I wrote a letter to the judge and defense attorney about this. She was left on the jury and the death penalty was taken off the table. I was also arrested and brought before the judge and told that if I threaten a juror it was a felony and so on before being release 5 miles away from my car with no way to get home but walking with no charges ever being filed. I was totally flabbergasted and had no idea what was going on. The jury was then sequestered.

Years later, someone else that used to work there told me she had told the judge that she only said those things because I kept telling her to convict the people. I never spoke to her directly, I was just there when she was bragging about how much power the jury had (and hence, how much power she had because of it) I guess I had the same last name (no relation) as one of the defendants and throwing me under the bus was her way of making sure they paid while she stayed out of trouble.

Re:1M bail and 1yr in jail...?

[laron]

So in a medical misconduct trial you want 12 doctors on the jury, able to understand the medical evidence? JWR was talking about that the current system would exclude any doctor (in practice probably everyone who knows the difference between Eustachian and Fallopian tubes) from the jury in such a case.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

Honestly, it sounds like you should have taken that higher up the food chain. You did the right thing, and the system burned you for it. If nothing else, that sort of abuse should have been made public at the time: a quick call to a local reporter might have earned you a public apology.

Re:1M bail and 1yr in jail...?

[rpervinking]

What a crock. You and I both know that the people that Childs met on July 9th were authorized to receive those passwords. To pretend that between then and when he was arrested on July 12th he had no opportunity to meet with anyone that he could identify as authorized to receive those passwords is farce. To maintain that, once in jail, he had no idea that maybe the people he was meeting were who they were claiming to be is either paranoid fantasy or, what we both know it to be, a simple lie.

He had some axe to grind, he ground it, he got to make a grandstand play by dragging the mayor into a personal meeting with him. Congratulations. He got what he wanted. He continues to reap what he sowed. Boo hoo.

Re:1M bail and 1yr in jail...?

[sjames]

One can take peer too far either way. Certainly we can't compose juries entirely of other defendants for the same trial, but by the same token, having people who don't even understand what you're supposed to have done or what you should have done (or not done) instead isn't good either.

Perhaps a medical misconduct trial shouldn't have 12 doctors as jurors, but it shouldn't have NO doctors as jurors either. It surely shouldn't be composed of 12 illiterate professional ditch diggers who couldn't figure out how to get out of jury duty. It really shouldn't be packed with 12 people who are pissed that they've been shanghaied under threat of arrest and paid far less than minimum wage for their trouble (not to mention worried about how they're going to pay the rent now that they're missing work and/or had to hire a last minute sitter).

Re:1M bail and 1yr in jail...?

I have to disagree with your entire statement. Lawyers are busy people, a lot the local ones are my clients.

They don't have time to learn more about anything other than law.
There is no way to educate someone who doesn't have a desire to learn, or who has themselves convinced that they don't have time to learn.

Some of my clients ask for my opinion on cases, and I've been an expert witness on 2.

One good example is this one. A local kid "cracked" into his schools (completely unprotected) "teacher only" network share and looked at his grades, then told the "network administrator" (read:80year old librarian) about the security issue.

A month later, some grades were changed in this system (still unprotected to this day btw) and they threw the book at this kid.

I can access this system from the parking lot, with my cell phone.

After explaining this to the court, the prosecutor still insisted that the kid must have hacked into the system because of half of an answer to a single question,

Lawyer : "Are you suggesting that any one member of the jury could have done this easily?"
Me: "Probably not, but" >> "Thank you, no further questions."

When the expert witnesses get cut off in the middle of their explanations, how in the hell are we supposed to educate anyone?

Fyi, the kid was released because someone else went in and deleted the entire network share while he was still in jail.

Re:1M bail and 1yr in jail...?

[sjames]

One potential way to at least partially alleviate the problem would be to allow the jury to have experts to consult as well. People they can talk with informally in the jury room who aren't paid by either side. I can see problems there as well such as a persuasive expert essentially becoming a jury of one. I'm not sure what to do about that.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

I had just finished typing a reply (basically I agree with you) but my damn laptop decided to click the "cancel" button for me.

Re:1M bail and 1yr in jail...?

[sumdumass]

I was young, about 19 at the time. I could have handled it different and trust me, with hindsight, I would have. I thought I was doing the right thing and it left me very scared to do anything else at the time. I'm not that way any more and I'm willing to stand up to them if nothing else but to get my chastising them onto the public record.

The country I live is is really corrupt (well it appears that way). When I was a kid, the sheriff had his house blown up by some Mob associates because he decided to close down a gambling hall and run it himself. He quit and his replacement has lost an election some 10 years later because drug dealers were complaining that they didn't touch drugs until the sheriff recruited them to do sting operations in which all traces of the drugs except those used to convict them disappeared. Evidently the sheriff was framing people in order to show results at a time people were demanding others to be tough on crime. The sheriff after that is currently serving time in federal prison for embezzlement and something else. The then 30 year tenure chief of police of the nearest town and county seat resigned without pension to avoid charges of embezzlement, improper allocations of public resources and systematic mistreatment of prisoners along with a few allegations of planting evidence made on a couple officers who resigned also.

It appears to have taken about a 8 year lapse in corruption but I was recently (2 years ago) threatened by a police officer in the lobby of the police station over wanting to file a complain for misconduct against another officer. I handled that entirely different and went to the mayor, the state and federal attorney generals office, and even called the FBI who was investigating another corrupt sheriff a county or two away. I can't really do anything to him for it because he didn't act on the threats which he kept vague and the audio to the surveillance system was somehow turned off ten minutes before I got there and turned back on a half hour after I left. The video shows anger on both out faces but he kept his back to the cameras when speaking. But I am privy to an internal disciplinary action on the officer who was order to take an anger management class on his own time and a refresher course on dealing with the public on the department's dime. I also got an apology from the deputy director of the police force and the mayor went to bat with me to make sure that no threats would be followed through with.

Re:1M bail and 1yr in jail...?

[Fulcrum+of+Evil]

You and I both know that the people that Childs met on July 9th were authorized to receive those passwords.

How did Childs know? These are people he hasn't met, and as I recall, wasn't expecting to meet.

Re:1M bail and 1yr in jail...?

[davidphogan74]

Lawyer : "Are you suggesting that any one member of the jury could have done this easily?" Me: "Probably not, but" >> "Thank you, no further questions."

When the expert witnesses get cut off in the middle of their explanations, how in the hell are we supposed to educate anyone?

Unfortunately a better answer with the method the courts use would be "I can't speculate as to their knowledge of computer systems." You have to give a non-answer to a question you can't possibly know the answer to, so the lawyer has to re-phrase the question so it's not so loaded.

Re:1M bail and 1yr in jail...?

[SanityInAnarchy]

You and I both know that the people that Childs met on July 9th were authorized to receive those passwords.

Did he know?

To pretend that between then and when he was arrested on July 12th he had no opportunity to meet with anyone that he could identify as authorized to receive those passwords is farce.

Three days? That really doesn't seem plausible to you?

To maintain that, once in jail, he had no idea that maybe the people he was meeting were who they were claiming to be is either paranoid fantasy

Paranoid, maybe, but not fantasy. Keep in mind, as a system administrator, paranoia is part of the job.

Re:1M bail and 1yr in jail...?

[paeanblack]

When the expert witnesses get cut off in the middle of their explanations, how in the hell are we supposed to educate anyone?

Competent cross-examination?

Re:1M bail and 1yr in jail...?

[DavidTC]

Most people delay their own trial. He could have had one before this point.

Of course, the reason they're delaying it is that the cost of an attorney keeps rising, so the cheap ones are working on fifty cases at once. (And you don't want to know how many cases court-appointed ones are working on.)

We need to demand that people actually are given actual representation in a timely manner.

Re:1M bail and 1yr in jail...?

[icannotthinkofaname]

"Any sufficiently advanced technology is indistinguishable from magic" - - Arthur C. Clarke

The problem is, a lot of people are insufficiently advanced, and are unable to make that distinction.

I think I get what you're saying here, but the flip-side of this is that the technology itself is not sufficiently advanced so as to be indistinguishable from magic. Humans have been building these systems from the ground up ever since we figured out how to do it. We, on our own, have created a meaningful way to read the different states of different switches. We have, in fact, organized it in a logical fashion that can be broken down into pretty much just the most complex, most adaptable cipher the world has ever seen. And we know that no form of encryption of any kind is in any way magical, not even the 1's and 0's inside the computer that we decide to interpret.

Sure, the people who want to believe that it's magic will believe it's magic, but the fact remains that, in itself, the inner workings of a computer are very, very different from magic.

Re:1M bail and 1yr in jail...?

[Alarindris]

Also, is a partial "moral victory" really worth an entire year of your short life span?

Is these times? Fuck yes.

Re:1M bail and 1yr in jail...?

Honestly, if you can't dumb down the essence of the case to where normal people understand it, there's something very wrong.

Your sig is quite in line with what you're saying. However, I'm not sure that some things CAN be "dumbed down" enough for normal people without sacrificing necessary complexity, and even if they could, such ability is a rare occurrence in the very rare intersection between "sociable" and "nerdy/geeky". Apart from anything, a lot of stuff in most (I daresay all) speciality fields are based in subtleties like context, unspoken ritual, or even good old fashioned "voodoo" (eg, "computer voodoo" is when all a computer needs is a good kick, but no-one knows why). In this case, Childs (claims he) doesn't want to give up the password because he knows what we all know - root passwords are sacrosanct, only given to those who have the experience and competence to use their power responsibly. Anyone on the jury who hasn't gone through the typical "initiation" rite of "root#: rm -rf / .. OH SHIT" wouldn't appreciate this, even if they knew it intellectually. I'm sorry if this sounds elitist, but that's how it is.

PS. I believe jury trials are originally an Middle Ages/Germanic-cum-Norman-cum-English concept, but I could be wrong about this.

Re:1M bail and 1yr in jail...?

That's called user-id karma.

Re:1M bail and 1yr in jail...?

[publiclurker]

They only have a limited number of chances to throw someone off of the jury without cause (being too smart to fool is not considered a reasonable cause). I work in a high-tech area and the jury pool always get a high number of engineers. Every time I've been selected early, I've been excused. The only times I was kept on the pool was when I was selected to fill in for a person who was excused. It was funny that when there were a lot of engineers on the jury, the case would more likely than not be settled before things went to trial. It's almost like one side or the other was hoping for a gullible jury and decided not to risk it when they was who was on the panel.

Re:1M bail and 1yr in jail...?

[Falconhell]

What a pity the facts of the case bear nor resemblance to your rant.

Is there some part of 'He was only permitted to release the passwords to the mayor' you dont understand?

Re:1M bail and 1yr in jail...?

Welcome to our Brave New World..

Re:1M bail and 1yr in jail...?

[Idiomatick]

you forgot the jury...

Re:1M bail and 1yr in jail...?

[i.r.id10t]

So... if Childs floats, the must be guilty right?

Re:1M bail and 1yr in jail...?

[Trahloc]

I'm glad that "someone else" deleted the entire share while he was in jail. I'm also glad that person didn't get caught. It's unfortunate they weren't able to have their say in court though.

Re:1M bail and 1yr in jail...?

[MrKaos]

I have to disagree with your entire statement. Lawyers are busy people, a lot the local ones are my clients.

There are many forums to conduct the business of shaping democracy. This is their *business*, ask them, show an interest in being part of the democratic process that shapes laws. I'm sure the attitude will change.

They don't have time to learn more about anything other than law.

So have you actually taken the time to formulate an effective question in you mind so you don't waste their time when you ask it. You don't have to be intimidated, everyone is busy.

There is no way to educate someone who doesn't have a desire to learn, or who has themselves convinced that they don't have time to learn.

It appears you are making excuses so you can maintain your apathy. If you don't want to do something then it's a little selfish to undermine the will of those who are prepared to make an effort.

When the expert witnesses get cut off in the middle of their explanations, how in the hell are we supposed to educate anyone?

The courts are not the most effective forum to address these issues. Even the ACLU link above has a Technology and privacy section, start there and if it is not comprehensive enough, join the aclu and expand the scope of the discussion using you expert witness qualifications.

As professionals we can either accept the responsibility that comes with our profession or we can accept the ignorant calls that are made on our behalf. Personally I believe that only by shaping the way technology laws are implemented can the I.T profession garner the respect that it should rightfully carry.

Re:1M bail and 1yr in jail...?

[Bai+jie]

I'd take that laptop to court if I were you.

Re:1M bail and 1yr in jail...?

[Actually,+I+do+RTFA]

Plus 1M bail? Is he a violent criminal? ...

Five million dollars in bail, actually. And bail is based not only on the crime, but also on the person's resources and ability to leave. It's a discouragement to skip out on the trial.

Re:1M bail and 1yr in jail...?

[arnell]

Agreed. Isn't this how it's always been? Those who are ignorant are the one's who judge others. "I don't understand it, so they must be guilty...". What a shame.

Re:1M bail and 1yr in jail...?

[GPF(BSOD)]

No, this is never how it's been. Please stop projecting your own insecurities on others.

Re:1M bail and 1yr in jail...?

Yes, you could spend with them 5x the normal time for normal student, but is it really worth it?

Yes. Certainly. Just because someone doesn't get some basic topic doesn't mean they won't get some advanced topic. Learning new, foreign concepts is difficult, and everyone should have the opportunity to succeed.

Yeah, maybe the street cleaner doesn't need to know Ohm's law is but he should still have the opportunity to learn what it is.

Re:1M bail and 1yr in jail...?

[ajlisows]

The thing is, to be reasonably technologically savvy takes quite a bit of time energy. I'd imagine most of the people on this board of spent years to decades working in a tech related field or spending a pretty good deal of time doing computer stuff as a hobby.

One of the greatest contributors to overall suspicion of tech and the tech savvy is sensationalized media claims. "New Vulnerability will allow super virus to infect 99% of all computers in the world! Super Virus will immediately destroy your computer, drain all of your bank accounts, and violently deflower your virgin daughter while you watch!"

Next in line is probably Best Buy and their Geek Squad. Someone goes to buy a new computer and they are told that unless they fork over $150 to get their computer set up by a certified Geek Squad technician, they are doomed. And no, you can't set it up yourself. It is too difficult....as is adding more RAM. You are likely to shock yourself, burn out your hard drive, and start your house on fire.

This guy stuck to his guns, and that is fine....but I think IT people would do to realize that this suspicion DOES exist and they are likely to be treated a bit differently by the non-tech group. You can take steps to try to diminish these tech/non-tech barriers. I always try to be as open as possible with everyone as far as what I am doing. Most of the time they don't care to hear it. Sometimes they sit and listen and ask intelligent questions trying to understand computers a little better. I always offer to write documentation for processes if they would feel more comfortable if I did so. I do not try to hold information back to make sure my job is secure. This has gotten me a lot of bored looks but quite a bit of respect from non-tech people. I think as a result I have even gotten some of them at least marginally interested in tech where there was zero interest before.

Re:1M bail and 1yr in jail...?

ISBN 1-4180-6733-4, Chapter 15

Re:1M bail and 1yr in jail...?

[ScrewMaster]

I think I get what you're saying here, but the flip-side of this is that the technology itself is not sufficiently advanced so as to be indistinguishable from magic.

You're assuming that merely knowing something was built by Man makes any difference. It doesn't.

To 99.999% of the population, modern technology might as well be magic! What makes something magical is when you have a complete and total lack of understanding about a phenomenon or an artifact that you encounter. Most people have no idea what makes their car run, other than the knowledge that gasoline is consumed inside and a vague awareness that some contrivance called a "piston" moves back and forth, or something. Whether it was built by hardworking assemblers in a manufacturing plant, or whisked out of thin air by a tall man in wizard's robes, or for that matter by equally hardworking gnomes in a cave deep underground makes no practical difference. They don't understand it, and that lack of understanding induces the same feelings of fear and inadequacy that our native Americans must have felt when they first encountered Europeans with boomsticks.

Why do you think the bulk of people are so upset when their electromechanical "magic" doesn't work? It's because they don't understand it, will never make the effort to understand it even if they're capable, and when you get right down to it, are at the mercy of those who do!

How do you think the average ancient Egyptian felt towards the priesthood? Pretty much how most people feel when they have to ask IT to fix their computer. They simply pray that the magic can be restored without too much damage.

Re:1M bail and 1yr in jail...?

[sam0737]

He should tell the court that his cat set the password. Don't believe? Show them a few LOLCAT photos.

Re:1M bail and 1yr in jail...?

[arnell]

You just proved my point.

Re:1M bail and 1yr in jail...?

[masonc]

Although hindsight is always brilliant, I think there was a simple way to solve his dilemma. All he had to do was write the passwords on a piece of paper, put them in a manila envelope and seal it, then right "City Network Systems Passwords - Confidential" on the outside and hand them over to the city's lawyers and get a receipt. Anyone not entitled to open the envelope and read the passwords would be guilty of a stealing information, breaking into a network or similar. There are ways to use the system to your advantage.

Re:1M bail and 1yr in jail...?

There is no such thing as a bad student only a bad teacher.

You've never taught at a state school. ;-)

Re:1M bail and 1yr in jail...?

[bsane]

All he had to do...

Except apparently he was only permitted to give the passwords to one person. What you're describing makes sense but it would have violoated the agreement he was bound to.

Maybe the people responsible for creating such procedures and threatening their employees with jail time will get a clue and start doing what you suggested.

Re:1M bail and 1yr in jail...?

[budgenator]

You do realize that there is a truck driver that knows so much about the nuclear weapons built in the 1940s and '50s that he has been invited to give presentations at Los Almos. Some people like menial labor because it give them the opportunity to think about things they are more passionate about.

Re:1M bail and 1yr in jail...?

[masonc]

Who was that person?

Re:1M bail and 1yr in jail...?

[Zombywuf]

Did any of the people authorized to know the passwords ask Childs for them without a room full of people? Or did they sit and fume for three days then have him arrested?

I know which one my money's on (as if we'd ever find out).

Re:1M bail and 1yr in jail...?

Once upon a time a "jury of your peers" really meant white landowners in the right social club,

There, fixed that for you.

Re:1M bail and 1yr in jail...?

Once upon a time your 'Peers' actually meant your betters from a commoners (thats you and me) perspective. Hence the term a peerage (i.e. inherited title).

Re:1M bail and 1yr in jail...?

Any network administrator who is paid to design and construct a complex, multi-million dollar network and knowingly retains sole knowledge and control of the administrative password(s) is absolutely not meeting his job description. What if he had been hit by a bus instead of having a falling out with his management? It's his responsibility to provide access to those passwords to others. The only person he trusts with the passwords is the Mayor of San Francisco? What kind of bullshit is that? I'd guess that Mayor McCheese is about as technical as Gavin Newsom.

Like it or not, a network administrator's direct supervisors are entitled to administrative access to any systems that the admin is responsible for maintaining. If the admin doesn't like it, he or she is free to leave their job. It sounds to me like Mr. Childs was simply very unhappy with his management and wanted to stick it to them.

Actual crime

[somanyrobots]

Shocking! The charge that sticks is the only one related to what he actually did wrong! I know the "City of San Francisco" is royally pissed, but even if they're throwing the book at him they have an obligation to stay within the bounds of fact.

I hope he's let off the hook, personally. The damage he's done to his career (who'll hire a DBA who would hijack the whole network?) is probably enough punishment even by itself. And the details of the offense (hostage-taking to avoid a pink slip) are sufficient to keep him from being hired in any field, technical or not.

Re:Actual crime

[GaryOlson]

...sufficient to keep him from being hired...

After this thorough exposure and experience with the legal profession, law firms should be recruiting him. Not to mention his arrogance and narrow focus on a crucial point of fact indicates he would fit well in with lawyers of the same personality traits.

Re:Actual crime

[dbIII]

And the details of the offense (hostage-taking to avoid a pink slip)

I'm not really sure that makes sense either but we should know soon. It really just looks like management that was so spectacularly bad that they called in the police to handle a simple workplace dispute. It should have been escalated up the chain away from these clowns to some form of adult supervision before calling in the police.
Just a bit of wild speculation here, but it will be very interesting to find out if the inexperienced "IT security" person that sparked all this off is a relative or lover of the new management that handled this all so badly. If I found a complete stranger wandering about removing hard drives containing sensitive information I would be asking rude questions, taking photos and making threats about calling the police as well. The only way you tell a surprise security audit from a robbery is by having someone known within the company follow them around to avoid STUPID situations like this. If a manager can't get anyone or do it themselves they really have to put in their notice and get a job with less responsibility.
Very wild speculation here, but wouldn't it be funny if the entire thing was revenge for making the new manager's mistress cry?

Re:Actual crime

[dbIII]

I withdraw my wild accusation. The security officer was promoted internally to the post and when she rang the CIO to complain about being caught doing what she was previously not authorised to do it doesn't mean she knew him personally. It's looking like office politics that has been mismanaged so badly that it has been allowed to escape into the legal system with some incredibly wild claims to stop it looking like an over-reaction, just triggered by an employee that wouldn't do what he was told without a reason. The secret promotion thing was just too weird, I would expect at least an email saying "your new computer security officer appointed today is X, please assist her in her work" instead of secret security audits by someone secretly assigned to the position. That shows a both a spectacular level of distrust of employees and poor management.
It really looks like he made someone angry and they decided to put him in jail in revenge.

Re:Actual crime

[Sun.Jedi]

First, switch CISSP with DBA.

Lets not forget...

1. 1. The network he was unable to attend to (because of being jailed inappropriately) ran FINE in his absence. He has skills, and previous descriptions indicate this is not a simple network.
2. 2. He stuck to his beliefs. I think this is a good quality, especially considering it cost him his freedom for a period of time.
3. 3. In spite of the negative connotations of imprisonment, I'm sure there is educational value from his situation.
4. 4. In my personal opinion, from whats been published, management screwed the pooch on this one, he did the right thing, in several situations.

I would hire him.

Re:Actual crime

[Fulcrum+of+Evil]

(who'll hire a DBA who would hijack the whole network?)

He isn't a DBA, he's in charge of the network, and I'd hire him if I had need for that level of admin. He didn't hijack the network, either - he did what he did with the knowledge and consent of his higherups, largely because his coworkers were incompetent.

Re:Actual crime

[mjwx]

2. He stuck to his beliefs. I think this is a good quality, especially considering it cost him his freedom for a period of time.

This is not a desirable quality in an employee, frequently the corporate policy is contradictory to ones own beliefs.

Re:Actual crime

[Bourbonium]

I would hire him in a heartbeat. This is exactly the kind of person I would want designing and securing my network. I'm a DBA, and we're all over the place. You can't spit ten feet on the sidewalk without hitting one without even trying. Terry Childs is a CCIE, a very exclusive certification (there are only 20,000 holders of the CCIE certification worldwide). If only there were more CCIE holders in the job market, I'd try to hire at least three of them, just in case one get's "hit by a bus." Most organizations are lucky to be able to afford even one.

Childs went above and beyond the call of duty to protect a network he was well-paid to administer. And he performed that job admirably. For what the City and County of San Francisco has done to him and his reputation, he deserves a generous legal settlement when (not if) all charges are dropped and he is released.

Re:Actual crime

[Bourbonium]

Next, switch CISSP with CCIE.

Childs is not a security professional, but a Cisco Certified Internetwork Expert, a much more exclusive technical club. Childs was highly paid for his work because it takes years of study and experience to earn that kind of certification (see http://en.wikipedia.org/wiki/Cisco_Career_Certifications). As of June 2009, there were only 20,000 CCIE holders in the entire world, and they are in great demand. According to Global Knowledge, I could pass the CISSP test in two weeks if I take their boot camp training, which costs a fraction of the tuition for the Cisco classes that Childs had to take.

Want to bet that the newly-promoted San Francisco "IT Security Officer" who caused this whole fiasco probably doesn't hold a single certification? I know the one in my department isn't certified, and he got the job only because he was friends with the ISO who took early retirement due to a Departmental re-organization.

Re:Actual crime

[Sun.Jedi]

Good catch. My brain said one thing, and my mischievous hands typed another. :D

Re:Great!

[pushf+popf]

All he needs is written authorization from the city to turn over the passwords to whoever they say. Any other refusal just makes him a dick and he belongs in jail.

As an ex-employee, it's no longer his call as to "who gets the keys"

But Why Go to the Trouble?

[mpapet]

I opined on the last story that he was playing the 'power game' from the bottom of the political strata. By most accounts he was at the top of the network knowledge, so a technically important guy. 'Network God' doesn't translate into political power and he got burned.

But what else is in the plea deal? I can't help but think there's waaaay more to the story given the political heat this guy brought on himself. Maybe the plea deal keeps him quiet?

Excelent way to link to that interview.

[MartinSchou]

Link to an old Slashdot story that then links to an archive page that doesn't even have the word Childs on it.

You have to go to page three of the archive to find the bloody interview!

Why the hell is it so difficult to provide direct links to the actual articles?

Re:Excelent way to link to that interview.

[MartinSchou]

*sigh*

Apparently that wasn't the interview either. Where the hell is that interview?

It's like watching cable news doing a circle jerk talking about how a twitter post talks about a blog post that mentions an article that refers to an interview where the reporter asks a question about something, but no one even cares about showing the relevant clip!

Re:Excelent way to link to that interview.

[drinkypoo]

It's like watching cable news doing a circle jerk talking about how a twitter post talks about a blog post that mentions an article that refers to an interview where the reporter asks a question about something, but no one even cares about showing the relevant clip!

They do that kind of thing on the news all the time. When they do, it is always a sign that they want you to blindly accept what they are telling you. They will tell you about a hundred times what the video clip shows and then finally show it to you after they've programmed you to accept their version of events.

Not saying that's what's happening here, but when someone hides the facts from me, I assume they are acting nefariously. Incompetence qualifies, if you are behaving as if you had a clue.

Re:Excelent way to link to that interview.

[Lumpy]

That's fox news, CNN and CNBC.

I dont see that happening on NPR or other reputable new sources.

People need to stop watching the Equivalent of the national Enquirer for their news.

Re:Excelent way to link to that interview.

[Zak3056]

I dont see that happening on NPR or other reputable new sources.

NPR doesn't show video clips at all. :)

All kidding aside, I think you have your blinders on. I listen to NPR for, on average, an hour a day (most of my morning and evening commutes) and while I find them to be superior to most other news outlets other than the BBC, there have been plenty of times that I've noticed them talking about something at length, before playing the source material (and sometimes they don't play the source material at all), which is the exact behavior that the GP described. I also listen to right wing talk radio, and while the entire reason that they seem to exist is to program responses into people, their methods of doing so are a bit different. Someone like Limbaugh or Hannity absolutely loves playing soundbites (original source material in this case) over, and over, and over, but they're often taken out of context or referencing a slightly (in some cases completely) different subject.

Re:Excelent way to link to that interview.

[sjames]

It's really sad that these days the best source of news on American television is a comedian who makes no attempt at journalistic integrity.

So much so that people who ARE supposed to be journalists immediatly go on the defensive when they interview him (and so make asses of themselves).

Re:Excelent way to link to that interview.

[belmolis]

NPR doesn't show video clips at all. :)

How can you tell? :)

Re:Excelent way to link to that interview.

[Bourbonium]

I'm not big fan of InfoWorld's webpage design, but I've been following this story since it broke (because it resonates with my own experience).

The easiest way is to just subscribe to the RSS feed of Paul Venizia's blog here: http://www.infoworld.com/blogs/paul-venezia. Click on the subscribe link and you'll get the whole story from a guy who has followed it more closely than anyone else, and with far greater detail than any other journalist. Paul knows his stuff, which is why he is probably the only one who's met with Childs who can speak with him as a peer (so of course, he'd be disqualified from any jury called for this case). Fortunately, all charges will probably be dropped before it ever gets that far.

Charges were not dropped...

[Anita+Coney]

I don't have to read the article to know that. If the charges were dropped, the prosecutor would not be vowing to appeal. When a judge gets rid of charges, they're dismissed. When a prosecutor voluntarily gets rid of charges, then they're dropped.

Re:Charges were not dropped...

[dbcad7]

Maybe they are going to appeal it, so they can drop them.. From what I read.., A modem set to page him for network outages.. one tied into emergency response systems, and a DSL modem hooked into the Internet to test connectivity to the city systems from outside, that was already installed prior to his employment. Sounds legit, and only makes the other IT people look incompetent and more paranoid than Childs...

I think he is going to beat the rap.. but, his obvious lack of communication skills is costing him.. he "may" get compensated later, but that's a loong way down an uncertain road."

Pathetic accusations

From TFM, it states:

Prosecutors have alleged that last year between June and July, Childs, who had been in charge of implementing the new network for the city, essentially commandeered the system, setting up his own passwords and denying access to other network administrators. They also alleged he installed devices on the network that could have caused a full system failure if power were to be shut down.

I mean, WTF? Installed devices on the network that could cause a full system failure if powere were to be shut down? I mean, LIKE A ROUTER?

Re:Pathetic accusations

[walmass]

IIRC, he allegedly changed the Cisco configs but never saved them on NVRAM. You can power-cycle Cisco devices and have a 60-second window to get in without knowing the password That was the big problem.. had he saved the configs to NVRAM, the City could have just power-cycled the devices during a maintenance window, gone in and reset the passwords. But the configs being only in volatile memory meant that if they tried that, the boxes would have lost the config, resulting in the "full system failure"--they City network would have gone down.

Re:Pathetic accusations

[asaul]

As I recall it was something to do with the routers that if they lost power, they lost configuration - something to make sure if gear was stolen then it didnt come up with any of the secure networks details.

From memory someone viewed this as him setting up some sort of timebomb instead of being good security practices, and charged him as such.

Re:Pathetic accusations

No--that is extremely bad logic and lame justification. Power does go out, and UPS's occasionally fail to come online. Those are real threats against the highly unlikely event tht a router would be stolen from a data center or a switch room. Bottom line: that is NOT good security practice. Show me one citation where this is recommended.

Re:Pathetic accusations

[baegucb]

Cisco passwords are trivial if you have physical access to the device. It's been a couple of years since I've done it, so I'm not sure if you lose the configuration using the methods I know. But if in doubt, try it on one device at a time. One of the links mentions how he gave up the password they wanted, and they promptly screwed it up. Do none of SF "network analysts" know how to backup stuff? Even using crude methods?

Re:Pathetic accusations

[_Sprocket_]

Bottom line: that is NOT good security practice. Show me one citation where this is recommended.

http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1334133,00.html

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a00801d8113.shtml

Re:Pathetic accusations

You posted links to the password recovery process, which the GP also posted. I asked for citation showing not saving the config to memory being good security practice. Still waiting...

Re:Pathetic accusations

[Fulcrum+of+Evil]

what if you disable the password reset feature on the box? Then all you can do is reset the device to factory and start plugging in config from there.

Re:Pathetic accusations

[mabhatter654]

that was the point... if anybody can grab the password, then if they have the hardware, they can add new network nodes wherever they want. City offices are stolen from all the time, it was a reasonable precaution for the overly paranoid admin to take rather than having to chase down passwords all the time. This is why he had all the VPN routers set up with a modem connection to his office!

Re:Pathetic accusations

[Trahloc]

He had the configs saved off site at a secure location and recoverable via modem, as many have mentioned. The fact that you don't think the possibility of theft is higher than the possibility of a power outage doesn't mean that's unlikely. I have a router that's been on for over 5 years without power loss, even though the building has lost power multiple times. Its also not been stolen, but I think the security guards and multiple doors with different keys help with that.

In his particular case he knew that some equipment would be in places where they could be stolen much easier than a secure room with guards. So he implemented a system that guaranteed no information could be stolen. His priority was security not convenience. On the convenience side he had a system in place that could quickly bring the device back online. As a bonus it also means that a totally different device, such as a new one after a failure, could be brought online almost as fast. So just because your willing to accept a lower level of security doesn't mean he did. If I had you and him vying for the same job to secure a network, I'd hire him in a heartbeat if I could trace your anon post back to you.

Re:Pathetic accusations

[_Sprocket_]

You posted links to the password recovery process, which the GP also posted. I asked for citation showing not saving the config to memory being good security practice. Still waiting...

The issue is what exactly was done where in what situation. I've seen the claim that he removed configurations to only allow the running config to remain active (as you're questioning). And I've seen it stated that he used "no service password-recovery" on other devices. I wouldn't find it at all out of line to use the former if the later wasn't available. They both will provide the same essential level of security - protecting credentials and configuration from physical access.

Perhaps I should have added some explanation for my links. I am specifically interested in the "no service password-recovery" command. From the first link:

Although the ability to perform this type of password recovery often proves useful to administrators, if the router's physical security cannot be guaranteed, this feature opens a vulnerability for attackers. To mitigate this threat, an administrator can disable the password recovery feature by issuing the no service password-recovery command in global configuration mode. After entering this command, the administrator is cautioned not to execute this command without another plan for password recovery, because ROMMON will no longer be accessible.

The Cisco link provides a tad bit more info on what it does. The command is also noted in Cisco's own guide to hardening IOS devices:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Re:Pathetic accusations

[Atomm]

Google DoD Router Security practices. This is standard SOP in high security networks to not save the Config in NVRAM. As the highest level of Cisco Certification, CCIE, Terry would be very aware of this practice.

Overzealous prosecutors

[MikeRT]

It's a little known fact that prosecutors cannot be sued for anything they do in court to a defendant. Prosecutors are truly the worst part of the system since they are unaccountable to the public and are rewarded for getting convictions, not enforcing the law wisely. As a profession, they are so corrupt that they make civil lawyers look sympathetic since civil lawyers are at least limiting themselves to cases where you can kinda sorta see how their client was genuinely harmed.

Re:Overzealous prosecutors

[Attila+Dimedici]

It's a little known fact that prosecutors cannot be sued for anything they do in court to a defendant. Prosecutors are truly the worst part of the system since they are unaccountable to the public and are rewarded for getting convictions, not enforcing the law wisely. As a profession, they are so corrupt that they make civil lawyers look sympathetic since civil lawyers are at least limiting themselves to cases where you can kinda sorta see how their client was genuinely harmed.

Most prosecutors answer to the District Attorney, and can be fired by the DA almost at will. The District Attorney is an elected official. In those cases where the prosecutor doesn't answer to the elected District Attorney (or essentially the same office with a different title), they answer to the elected head of the of the executive branch of whatever level of government they represent (Mayor, Governor, President, etc). If your local prosecutors are loose cannons, campaign against their boss.
The only reason that prosecutors appear to be unaccountable to the public is because the public doesn't pay enough attention to local politics/civics

Re:Overzealous prosecutors

Prosecutors can be sued, but you have to show that they were not acting in good faith. Mike Nifong, the prosecutor for the Duke "rape" case was tried and disbarred for his conduct. There's accountability, but a prosecutor has to go from being a jackass to trying to screw over justice to get a lawsuit going.

Re:Overzealous prosecutors

Only problem is, like so many people convicted of crimes, by the time they are in the system by a corrupt DA, they can no longer vote and may even possibly be limited to what they can protest (due to being in jail or whatever).

"Just change the law" or "just vote them out" doesn't work when the most affected people can't participate. Effectively, the corrupt can silence opposition at will.

Re:Overzealous prosecutors

[misexistentialist]

Local politics are easily controlled by a small number of individuals/families. In my area most candidates are chosen from the local aristocracy. The DA is the son of a former mayor, the DA's son is a state Representative, etc.

Re:Overzealous prosecutors

Campaign all you want, but nothing will ever change. Ever. Go read the comments in the IBM outsourcing article to get an idea of how fucked we are as far as changing things for the better. This trial isn't an attack against childs, it's a warning shot at other admins. I'm beyond scared andfuly in the dread category.

Re:Overzealous prosecutors

[Attila+Dimedici]

That's because only a small number of individuals/families get involved. If you were to get involved it would be easier to take control away from that "local aristocracy", than it would be to disrupt the control of a larger political area (such as state or federal).
You think because you know who controls local politics, but don't know who controls state politics that local politics is more of a closed "shop" than state politics. It isn't.
Changing things is not easy, or quick. If you want to change things, you need to be willing to spend however long it takes to do it, the people who are currently running things have a lot invested in the current setup. You are only going to change it by investing as much of yourself into it.

Re:Overzealous prosecutors

It's a little known fact that prosecutors cannot be sued for anything they do in court to a defendant.

Thankfully, this is little known, because it is false. Prosecutors can be sued for malicious prosecution, which in most jurisdictions requires a final dismissal of the action and a showing that it was brought by the prosecutor knowing that the charge was groundless. The link you supplied says that they cannot be sued in 1983 actions (a civil rights action against a state actor in federal court), which may be true as far as it goes, but it hardly represents the sole theory of liability. Also, as a profession prosecutors can be disciplined by the ethics committee--for example Mike Nifong, the prosecutor who made the rape allegations against the Duke students, presumably for political ends, was disbarred.

Re:Overzealous prosecutors

If sysadmins unionized, they could fight stuff like this collectively. The union could pay legal fees to handle Terry Childs' case. The union could also demand liability protection clauses in employment contracts and push for legislation to further protect themselves.

Unfortunately, people these days are very well trained by propaganda to hate things that are actually in their best interest, so the idea of unionizing is repulsive to most. Too bad, a strong IT union could prevent things like this.

Re:Overzealous prosecutors

[catmistake]

A prosecutor's immunity from prosecution has a purpose. Their immunity is so a prosecutor can afford to be just. It's a shame that prosecutors don't see it this way, and lack of acknowledgement of this purpose leads to the common, nay, ubiquitous practice for prosecution to charge a suspect with w, x, y, & z crimes, when the only crime committed was x. The more charges against a suspect, the more guilty they look. It's a cheat. Prosecutors, esp. elected ones, don't give a damn about justice. They care about winning, even if justice is perverted in order to secure the win.

Re:Overzealous prosecutors

[Bourbonium]

It is the public employee unions that keep the incompetent civil service managers--such as the ones who started this whole fiasco--in power. Terry Childs is a contractor, and thus is not represented by a union, and from what I observe of unions and their tactics, they are far more likely to commit criminal acts than he would ever be.

Public employee unions are driving cities, counties and states into bankruptcy with benefits packages and retirement plans that are so wildly out of proportion to anything offered in the private sector that it is not sustainable in our current economic crisis. Indeed, there are economists who claim labor unions are the primary cause of these problems. Before it filed for bankruptcy, General Motors was paying more money to their retired workforce than they paid to their active employees on the assembly lines. The City of Vallejo, California filed for bankruptcy in 2008 when a dozen of its senior police officers and fire chiefs all retired at once, and their benefits packages were so lucrative that the city treasurer regretfully informed the mayor that they could not pay the benefits and the salaries of current staff at the same time they paid their obligations to the retirees. The County of San Diego is in a similar predicament, and is trying to re-negotiate all their union contracts to avoid the same fate. For an even more egregious example, see what's happening with the newly-retired fire chief in Contra Costa County http://www.contracostatimes.com/opinion/ci_13030932.

Unions are not the answer, they are a huge part of the problem.

Re:Great!

[drinkypoo]

As an ex-employee, it's no longer his call as to "who gets the keys"

Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor.

In other words, the only charge not dismissed by the judge is the only one which he ever should have been accused of (if any) and he has a solid defense against it. We shall see how it plays out, but it is not nearly as cut and dried as you imagine or pretend.

what was this about?

What led up to this? This didn't happen for no reason. This wasn't just an ex-con with a temper, nor was it a disgruntled employee wishing revenge. Terry Childs would not have brought this on himself merely for revenge, he's way too smart for that. He was there to protect the network, to keep it running and safe. That must have been a factor.

One of the quoted articles says that the city owned the passwords to the network, so Childs was obligated to provide them on command. The moral of the story is, get your commands in writing and follow the chain of command.

Re:what was this about?

[eosp]

Remember, when asked for the passwords the first time it was over a teleconference with a large group of people whom he did not know. I don't care who's on the other line and what they're threatening; you don't give passwords in such a situation. That is why he wanted to speak with the mayor.

Re:what was this about?

[Atomm]

This is why I view the management of SF's IT departments as incompetent. They don't even know their own policies. I really hope Terry wins this, then goes on to sue to City. The people of SF deserve to pay for allowing such incompetence to continue.

Re:what was this about?

[Locke2005]

The moral of the story is, get your commands in writing and follow the chain of command. Much easier said than done. I've worked for managers that refused to discuss issues via email, precisely because they didn't want a written record of what was said. The best advice I can give to someone caught in a similar situation is: start sending out resumes.

Remaining charge?

[Vellmont]

The article doesn't specify what the actual remaining charge is, only that it's about not revealing the network passwords.

Can someone explain how not revealing a password is actually illegal? Contempt of court?

He did everything by the book

[dbIII]

Here's a chunk of the SF password policy, shamelessly taken from a post by Jeana Pieralde at http://www.burbed.com/2008/07/15/terry-childs-and-the-san-francisco-fiberwan-computer-network/

"Password Policy"
As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis"
"Do not share County passwords with anyone, including administrative assistants or secretaries.

All passwords are to be treated as sensitive, confidential County information.

Here is a list of things to avoid
-Telling your boss your password.
-Talking about a password in front of others.
-Telling your co-workers your passwordwhile on vacation."

http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

So announcing it at a meeting was right out.
The person that should have taken this all into hand and resulted in a normal dismissal instead of an arrest is Chris Vein. He was originally an accountant but many CIOs are and some manage to pick up management skills and familiarity with technology along the way.
Here is what http://blogs.zdnet.com/BTL/?p=4692 says about him:

San Francisco's CIO Chris Vein calls himself an "accidental CIO." His background includes working in and around the White House during Reagan, Bush and Clinton administrations. For the city of San Francisco, Vein's political background has turned out to be an important asset.

It's still possible he got there by merit, but it starting to look like a political appointment. On his linkedin page he describes himself as "Delivering strong and effective leadership", which often means someone that fires people for no good reason to show they are "strong" but maybe I've just seen too many bastards in action that like that word. These things may give an insight or maybe not, but the end result of getting the police involved in a workplace dispute demonstrates to me that he is not paticularly effective, let alone the situation where there was only one person that could do the job. BTW San Francisco, do you have your free WiFi from 2006 yet? If not you now know the name of the guy that was in charge of delivering it.

Re:He did everything by the book

[ScrewMaster]

The person that should have taken this all into hand and resulted in a normal dismissal instead of an arrest is Chris Vein.

Of course, had he actually been a good manager, there probably would have been no need for any of this, much less a dismissal.

Re:He did everything by the book

[Jim+Hall]

On his linkedin page he describes himself as "Delivering strong and effective leadership", which often means someone that fires people for no good reason to show they are "strong" but maybe I've just seen too many bastards in action that like that word.

I'm not defending this person at all, but I wanted to disagree with you on this point. I'm a senior IT manager, and I would describe myself as delivering strong and effective leadership. What strong and effective leadership means to me is helping people to reach the next level (where interested) and achieve their personal goals, while matching the right skills in the right people to the right problems. I bring people together, and have proven myself particularly effective in getting opposite sides to come together to make a decision that everyone believes in, or at least supports (the two are not always connected.)

It's all about good leadership, which often balances out to communication (particularly "listening" and "coaching/mentoring.")

I suspect it's as you mention in your comment: you've seen too many bad bosses fire people, then describe themselves as "strong and effective." Certainly the position requires making the tough decisions when someone isn't working out, or when you're in a budget contraction, but being "strong and effective" isn't about firing people.

Re:He did everything by the book

[dbIII]

I'm mostly commenting on poor managers that describe themselves this way while others will describe them very differently. There is often a desire to be seen to make a change and look "strong" and the easiest way for an incompetant manager to do this is to fire someone and pointlessly incur disruption and costs. They get the implication of force and not the concept of good management.

One more bit

[dbIII]

From http://www.linkedin.com/pub/chris-vein/7/110/71b you can see that Chris Vein was a senior advisor at the White House after only three years in the workforce! I do not think such a rise is possible by merit or desirable in an honest government.
I hope this case looks deeply at the motivations behind getting the police involved. I'm also extremely curious as to what the $1million that has to be spent to repair the "damage" is required for and hope the defence and judge push hard for an explanation of this unusual claim

Re:One more bit

[ScrewMaster]

I'm also extremely curious as to what the $1million that has to be spent to repair the "damage" is required for and hope the defence and judge push hard for an explanation of this unusual claim

It's a bullshit claim, I'm sure. Such things are always vastly inflated so as to make law enforcement believe that a serious crime was committed. The old Bell System did that when a couple of (ahem!) "hackers" released some supposedly confidential internal documents back in the early eighties (if I remember correctly.) They were claimed to be worth some insane amount of money, when it turned out that anyone could order them for a couple of bucks. There's also a degree of ass-covering involved in situations like this. Now, when you get right down to it, this sounds more like a matter of bad policies enforced by poor management, leavened by politics. The end result is as expected, but the fact that cops got into the mix is just unconscionable.

Although, if Childs is correct about the level of incompetence in that particular IT department, it may well turn out that that million dollars is a lowball figure. Never underestimate the power of the truly stupid to cause damage far beyond their pay grade, given the opportunity.

Plea? What plea?

[Bacon+Bits]

The defense made a motion challenging the evidence and the judge agreed that there was not sufficient evidence to support 3 of the 4 charges. There was no plea here. The court threw out the state's allegations for lack of evidence. There was no evidence because what he did was probably not sufficient as a matter of law (a matter of fact would probably have been decided by a jury). The charges were merely trumped up. Fabricated. Lies.

And yet they still kept this man in jail for a year awaiting trial for a ridiculous amount of bail money for a non-violent crime.

Re:Great!

[pushf+popf]

As an ex-employee, it's no longer his call as to "who gets the keys"

Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor. I'll give passwords to anybody who can produce written authorization from any executive, officer or elected official with the authority to do so.

"SOP" is completely meaningless unless it's law or a written policy authorized by the City, that the employee signed.

If the Mayor wants the passwords, that's fine with me. In fact, assuming it was just a few logins, I'd even give it to him for free, regardless of whetehr I was still an employee or not. In fact, if they want to pay for my services, I'll happily root all their servers and routers and tell them what the new passwords are.

. OTOH, I guess that explains why I'm not in jail and have more business than I can handle. The first rule of successfully working with others is "Don't be an asshole."

some of the routers where in a place with little s

[Joe+The+Dragon]

some of the routers where in a place with little security and that is where you may want to use that config.

The lesson to be learned

[raybob]

for sys/net admins is to keep in the back of your mind that your actions can be scrutinized somewhere down the line, even if you are the most conscientious, morally upright employee.

If you work in an environment where you are the key technical resource, and others don't have the chops to safely manage the systems you designed/built, you still need to be sure that you put mechanisms in place to track access first, and then you need to provide equivalent access as agreed with management, to other administrators. Since you have the tracking mechanisms there, you can unravel who did what if there is an issue.

I know that it's hard to do this if you work in a hostile environment, or one where people are defensive about their jobs. This is especially true if you are the lead or only techie with the skillset to safely operate in the environment. But without being too paranoid about it, try to inform management as to what you're doing occassionally, track access of yourself & others (if you exclude yourself by using other means of authentication or access, you won't have a leg to stand on, since your actions weren't logged and you could have 'hidden' them).

Try to foster a trust environment with your peers, help them along in becoming competent while giving them access appropriate to their skillset (but make sure others know they are accountable for their actions), and you would improve your chances at exonerating yourself if the PHB's ever start pointing the accusing finger at you.

Why isn't he turning over the passwords?

[Henry+V+.009]

That's the one thing that confuses me. He still hasn't turned over any passwords, right? Why not?

Re:Why isn't he turning over the passwords?

[treat]

That's the one thing that confuses me. He still hasn't turned over any passwords, right? Why not?

I don't know whether he is. But if he is supposed to, who is he supposed to turn them over to, and would this be legal?

Re:Why isn't he turning over the passwords?

[dbIII]

He gave them to the Mayor in person not long after imprisonment. That would be approximately a year ago.

Re:Why isn't he turning over the passwords?

[anonicon]

Wrong. He turned over the correct passwords to the Mayor of San Francisco when the Mayor visited him in jail (sorry, I read it but can't find the story link now). As soon as he turned over the passwords, someone who wasn't in jail promptly botched the network.

Re:Why isn't he turning over the passwords?

[Auraiken]

He's innocent. Handing over the passwords at this point would be like saying they were right.

Re:Why isn't he turning over the passwords?

[Henry+V+.009]

I looked up the story. It's sort of bizarre. Unless he had no supervisor and reported directly to the mayor, he didn't have much justification for not turning over the passwords at the get-go.

Re:Why isn't he turning over the passwords?

[phantomfive]

According to another poster, it was against standard policy to give your password to your boss. Apparently he was only supposed to turn the passwords over to the mayor, and no one else. In any case, if someone requests your password, you should only give it after they request it in writing, then you have evidence of the event in case something happens.

He should have offered his resignation ...

[Zero__Kelvin]

"All he needs is written authorization from the city to turn over the passwords to whoever they say. Any other refusal just makes him a dick and he belongs in jail."

Bullshit. A skilled system administrator can get root / Administrator access so long as they have access to the machine, so the benefits of giving the password up are far outweighed by the benefits of following industry standard security practices. All too often incompetent upper management needs to be protected from it's own incompetence. You can't make it my job to keep a system running smoothly and simultaneously let any incompetent idiot have root access to it. You can write me a note for the teacher all day, I'm not going to accept it. I'm going to explain to them that they can have the passwords in exactly one manner, and that is concurrent to my resignation. If they want them that bad, they get both. That is where Childs went wrong, but he may well have had the best of intentions.

All of that being said, jail for this guy is absurd, as anyone who actually reads the article and reads Childs' explanation would almost necessarily conclude the same.

Re:He should have offered his resignation ...

[Sun.Jedi]

A skilled system administrator can get root / Administrator access so long as they have access to the machine

I challange your usage of the word, "skilled"." The hardest part is reading.

Owait ... this is /., I see your point now. :P

Re:He should have offered his resignation ...

[ka8zrt]

Ya know... that is not always the case. Or to use your vernacular, with emphasis... BULLSHIT! I have administered systems which were secure enough that they would not boot up into single user mode and grant access without the root password, and the drives were secured in such a way that not even pulling the drive and putting it in another system would help... the boot loader required a password to decrypt the filesystem. Given that this machine was up for like 10 years last I knew, when it was finally taken out of commission... reboots were rare. As for exploiting holes in remote access routes, such as through sendmail, http, etc... the only active routes into the system were for Kerberos (e.g. ports like kerberos, kpasswd, and klogin) and considered at the time to be secure short of the resources of the likes of NSA, CIA or DOD.

Now in the particulars of this case, Child's practice of not committing configurations to NVRAM complicates the problem, and makes it even more impossible for the passwords to be recovered. Ever spent some time configuring a router, holding off on the saving to NVRAM to test the configuration, and then lost power? If the scripts to configure the routers were some place only he knew (such as on a USB key, or hidden away some place on a 300GB drive, perhaps in an encrypted file), it was no problem for him if a unit rebooted. But try to reboot to gain access... guess what, you just lost what you were looking to find. And since we are talking about a router, even if he had committed the configuration (and associated password) to NVRAM, how would having physical access help you? Most routers I have seen, the best you can do is to reset to factory defaults with a little magic button, and provide no way to boot off of other media and still access the configuration on the switch. Nor can you pull the drive and put it in another PC and go that route. As someone who helped write the firmware for networking gear, I know. Only those of us who did that work even had a clue on how to get at a shell like environment to get at the stored configuration. But again, we are bitten by the lack of writing to non-volatile storage in this case. And if you are going to try to brute force a password... it would not help if the password for the console access is "KGToNBhChA2ayofcVL1voA". Granted, using such a password on quite a few switches/routers would be stupid, unless you scripted that access (something I have done). But then there are the countermeasures against such brute force attacks, such as delaying login re-attempts for 5-15 seconds, locking accounts after so many failed logins, etc.

So, with all this said, someone needing to try to gain access to some machines had better either hope they have the configurations stored someplace off the switch to enable restoration, or hope that they only have to assume a position of humility (e.g. the mayor asking Childs) in having to ask for the administrator password which has hopefully not been locked down. Because, if that is not the case, they are going to soon be assuming the same position a ex-LEO or child rapist is said to be forced to assume in prison...

Oh... and as for resigning (can one say he was really given a chance to do so properly) and giving the passwords to someone who was not supposed to get them, he could quite possibly be held responsible for the resulting damages if it was contrary to procedures. And given that this has all the appearances of being one pissing match of a turf war... I would be very afraid that that would be the case were I in his position, and as such, the case is IMO totally absurd, and perhaps just has some folks wanting to make a name for themselves...

Re:He should have offered his resignation ...

And since we are talking about a router, even if he had committed the configuration (and associated password) to NVRAM, how would having physical access help you? Most routers I have seen, the best you can do is to reset to factory defaults with a little magic button, and provide no way to boot off of other media and still access the configuration on the switch.

Maybe you should stop playing with 100$ routers and giving the rest of the IT professionals a bad name.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml

Idiot.

Re:He should have offered his resignation ...

[metaforest]

Oh... and as for resigning (can one say he was really given a chance to do so properly) and giving the passwords to someone who was not supposed to get them, he could quite possibly be held responsible for the resulting damages if it was contrary to procedures. And given that this has all the appearances of being one pissing match of a turf war... I would be very afraid that that would be the case were I in his position, and as such, the case is IMO totally absurd, and perhaps just has some folks wanting to make a name for themselves...

This kind of situation came up for me a couple of years ago. I was sysadmin for a number of mission critical systems. I was laid off. Following procedure I relinquished all passwords for root and sysop access to the machines. A few days later the CEO contacted me and demanded that I provide the password for one particular machine they could not access, or I would be sued. I told her that I no longer remembered ANY password for their systems. I asserted that the password in question was in the file I relinquished, and any further discussion of the issue would be through my attorney... [EOF][HUP]

Re:He should have offered his resignation ...

[Migity]

Granted, using such a password on quite a few switches/routers would be stupid, unless you scripted that access (something I have done).

Dude, TACACS and if you're too cheap RADIUS.

Cruel and unusual?

[tufa.king.nerdy]

I'm not sure how him being in jail is any different from being held hostage. They're waiting on a ransom. If I went around and changed all the server passwords at work, I think they would have to not only prove it was me, but also that I was being malicious before I'd spend that much time in jail. I'd probably just get fired for being a lousy employee before it got this far. MPO is that the City of SanFran should be responsible for hiring someone to fulfill their duties. It sounds like they did to me, but he's being held against his will because of it. If they had a problem with him, they should have fired him and moved on. Another issue I have is him being held over a password. Other than the obvious, what's the difference between that password and his own gmail password? Is this leading up to some sort of password ownership? COSF is the government. While they may have no interest in someone's WoW password, this sounds like it's going in the wrong direction to me.

Re:Cruel and unusual?

[ScrewMaster]

COSF is the government. While they may have no interest in someone's WoW password, this sounds like it's going in the wrong direction to me.

They went in the wrong direction a looooong time ago.

Re:Cruel and unusual?

No, they're still sliding into the ocean -- definitely the right direction for them.

Re:Great!

[GodfatherofSoul]

So, by that logic if I horde a bunch of my company's hardware and get fired for it, I don't have to return it since I'm no longer an employee? Your argument is flawed.

Re:Great!

[Ma8thew]

No, because that's stealing.

Re:Great!

[ka8zrt]

Written authorization from the city? Does this mean that some idiot department manager in the sanitation department should be able to write up some letter, hand it to him, and get the passwords? I doubt it, but that would still be fulfilling what you wrote. At a minimum, it would have to be someone in his chain of command, and if the SOP at the time was to only turn them over to the mayor, then he would almost certainly be legally liable even if he turned them over to say the DA. While IANAL, I have in the past been the owner of those "golden passwords" and had very through lawyers advise me of this in the past when I have left previous employers, and any lawyers he speaks to are no doubt advising him of the same. He cannot be expected to know changes in policy, and if the DA (who may or may not be elected in SFO) or some city councilman was not in that group before... well...

I will say this... First, if all it takes is the mayor asking for them and receiving them, then at a minimum the mayor is being something I cannot say politely here, if not perhaps negligent., if that is all it took to regain control of the network. And secondly, having worked at places such as CompuServe (which carried high security DOD traffic over our network when I was there), if there was not a policy of putting critical (non-personal) passwords in a sealed and clearly labeled envelope, which was locked in a secure safe (such as the mayor's office), then someone was at least a fool. We called this the "incase you are hit by a bus" envelope, because sometimes, folks are hit by a bus or BART train. Crap happens, and if I had been such a person and they had needed one of my golden passwords which only I knew... well, they could get it. And each time I changed it, I put the new one into sealed envelope, put what the password was for (e.g. "Kerberos Server"), along with my name, date, and who could access it (e.g. "CEO, President, EVP of Operations") and took a trip upstairs to put it in the corporate admin's safe. And the old envelope was retrieved, verified to be secure, and shredded.

Re:Great!

You failed to realize that in fact he stated that he would give the passwords to the mayor, which he did.

Skipping and whistling a happy tune

There is a saying, There is no such thing as a bad student only a bad teacher.

Bullshit. An instant's reflection shows it for nonsense. Of course there are bad students. That's why there are GRADES; maybe you've heard of those. The same teacher taught those in class who got excellent grades, and those who got terrible grades. Sure, there are good and bad teachers, but that doesn't mean there are not good and bad students. I think the saying you are looking for is "there are no stupid questions, only stupid answers." That one is intellectually honest and pithy.

The mark of a really good student is one who doesn't need a teacher. He can, like, go forth and study and ask and learn. You read a book, you learn stuff. Repeat as desired and as necessary.

And you are wrong when you say that it is technology's job to teach the legal system. It is the fucking legal system's job to learn technology. The legal system is the 800 pound gorilla, but it serves the people. It has a solemn duty to inform itself as necessary for any given case. Both before deciding to bring the fucking case to court, and during prosecution.

Preliminary Summary

[Tablizer]

It appears that Terry Childs is being made the scapegoat of bad policies and procedures. The correct thing to do is to fire those who made the policies and procedures, and learn from those mistakes.

In fact, since humans make mistakes, merely require them to give a public apology. Those who've made prior mistakes are often more careful than those who've made none.
     

This is crazy!

[samuX]

i did not know about this case so i went up looking back to all the story and trying to figure out what happened i've runned across these two that explain a bit http://www.infoworld.com/d/adventures-in-it/why-san-franciscos-network-admin-went-rogue-286?page=0,0 http://www.infoworld.com/d/data-management/childs-attempt-protect-network-password-gone-awry-978 What i'm now missing is what were his duties in the contract and who he had to provide those passwords. this document http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf cited in some post here is only about personal passwords and not system ones. So a sysadmin keeps an eye on security, he's asked by his boss in front of unauthorized people to reveal those passwords, in a improvised meeting in a place outside the place where he works. he refuse to say those passwords, he's suspended for unsubordination and some days later he's arrested, and he's still in prison He can only be guilt of being an asshole or too paranoid but since he was the only one responsible for the whole SF Wan who wouldn't have been ? you really would have give away your passwords knowing that if the day after the network would have been down it would have been your only responsability ? - "B....bbbut i gave the password to my boss!" - "Nice work! now you are fired and you'll be charged for the problem you caused with your inefficency" no really.. this story is crazy i really hope he will be released soon but then what about his lost job ? what about the loss in credibility he has to suffer due to ignorance of news that portrayed him as digital version of bin laden ?

Re:This is crazy!

[mabhatter654]

the point was that the manager wasn't properly trained to have those passwords, and had already accused him of "hacking" and disrupting the network in the few days between demanding the passwords in a meeting and calling the cops. Childs was fucked over if he turned them over because if anything broke it would have been "Childs" fault for not turning the password over, then for not leaving instructions to use the password, then for not describing the configuration, then for doing something "off-script" from what a different Cisco admin might do.... especially when you have a contractor interested making $$$ accusing the "old guy" of doing it wrong (we all know how often that happens!)

Re:This is crazy!

[Bourbonium]

Did you even read that security policy? It covers both personal account passwords AND system passwords (e.g. Page 32, Paragraph 4.1 "root" "enable" "NT Admin" "Application Administrator Accounts" ..."user-level passwords" AND "system-level passwords"). It is in many ways quite similar to the security policy I have to follow (and enforce) as a LAN admin across the Bay from San Francisco.

But I agree with you, Terry Childs is the victim here, and the whole case is crazy.

It's been a year already?

[synthesizerpatel]

Really the classic bit of this story is how the prosecutors included a list of usernames and passwords in their court filing which couldn't have been a better home-run for the defense in terms of 'See what happens when you give the passwords out to these idiots?'.

A year of his life gone though.. This should be a cautionary tale for any IT person.. When things get so bad that you're angry and not making good decisions.. just quit. Find somewhere else, relax. A job at burger king is better than going to prison.

Re:It's been a year already?

[mrchaotica]

This should be a cautionary tale for any IT person.. When things get so bad that you're angry and not making good decisions.. just quit.

The trouble is, he was making good decisions! In fact, "just quitting" really would have been malicious (if he didn't disclose the passwords) or negligent (if he did disclose them). The only correct course of action was the one he took!

The real lesson of this "cautionary tale" is that if you value your freedom, it is not safe to be a government IT administrator at all.

responsibility

[celle]

You do realize that SF has to get Childs on something don't you. Otherwise Childs could sue SF farther into bankruptcy than the entire state of CA currently is for wrongful prosecution, imprisonment, etc. Not to mention possible criminal prosecution for the SF officials involved if they lose. This whole thing smells.

Re:responsibility

[Fulcrum+of+Evil]

Otherwise Childs could sue SF farther into bankruptcy

Farther into BK - I like that.

Re:responsibility

[mrchaotica]

Otherwise Childs could sue SF farther into bankruptcy than the entire state of CA currently is for wrongful prosecution, imprisonment, etc. Not to mention possible criminal prosecution for the SF officials involved if they lose.

I wish the "justice" system were just enough for that to happen! I hope Childs does manage to accomplish that, but I'm not holding my breath.

Re:Great!

[Fulcrum+of+Evil]

See, this is where knowledge transfer is different from holding onto hardware. Or do you think my boss owns the stuff in my head?

Re:Great!

[Timex]

In fact, assuming it was just a few logins, I'd even give it to him for free, regardless of whetehr I was still an employee or not.

I'll tell you what... Whoever replaced you (in this situation) should be fired immediately if any of the passwords you knew still worked.

I know for a fact that any access I had in each of the last two jobs was eliminated upon my release (one I left a job to take the second, and the second was a recent lay-off). It isn't necessarily a case where I wasn't trusted, but simply one where no self-respecting SysAdmin is going to intentionally leave access open to former employees without a good reason.

In fact, if they want to pay for my services, I'll happily root all their servers and routers and tell them what the new passwords are.

THIS is an entirely different problem. :D

misleading title and tags don't work

[MoFoQ]

misleading title...as the charges weren't "dropped," they were dismissed by the Judge (yes...I rtfa).

"Dropped" implies that the prosecutor did the "dropping," either due to a plea bargain or because the lack of evidence.

plus I don't like how the Examiner "labels" Childs as a hacker....he was the f*cking sysadmin and essentially the father/protector of the city's fiberWAN.
Especially considering the incompetence with computers and network security policies and practices by other city workers, he was considered the messiah/scapegoat.
(definitely, among those of us who have had to deal with the city govt)

there are plenty of other fish that the prosecutor(s) can fry that are worth the frying.

oh, btw, I can't get the triangle button to add a tag to work anymore.

Re:1M bail and 1yr in jail...? - too late

But that all happens AFTER you get charged with a crime, bail hearing, etc. Some system "Don't worry, once you've been in jail for a year, you'll be vindicated!".

Weird Arrest

[b4upoo]

To start with normally crimes involve doing something wrong not in failing to do something right. Secondly if the man was fired and then asked to hand over a password he has no obligation at all to his former employer. If he was asked to reveal his password before he was fired and failed to do so then the remedy is to fire him and perhaps to sue him in a civil court. The fact that his failure to reveal his password was expensive to others is irrelevant. This man should sue for false arrest.

Re: Weird Arrest

[mrchaotica]

...not in failing to do something right.

And Childs didn't even do that -- from what I read, pretty much everything he did was right!

Re:Great!

[sjames]

Well, you don't have to turn the equipment over because of employment, you have to turn it over because your (now former) employer is the rightful owner.

Before they fired him, he was bound by policy NOT to give the password to his boss or co-workers. After he was fired, he wasn't even bound to remember the password at all much less tell someone what it was.

Personally when I leave an engagement where I had passwords, I delete personal accounts and if I was the only person with a role account password, change it to unmemorable junk, write it down, and seal it in an envelope (then forget it). That goes to whoever the policy says should have it ONLY. If others already legitimately have the role passwords I tell them to change it IN WRITING.

If they choose not to have an appropriate transitional arrangement for that to happen, that's it, I'm gone, good luck to ya! I don't remember a thing!

He indicated willingness to give the password to the mayor. Once the mayor could be bothered to get said password from him, he did just that. Too bad they made a big stink of it such that that step took place while he was in jail. As for the claims of millions in damage to "repair" the network, that seems rather unlikely unless they really were the bumbling id10ts Childs makes them out to be. Even then, that's not HIS doing.

Re:Great!

Only assholes say "don't be an asshole".

criminal?

[belmolis]

The thing I don't get is how refusing to give away the password is a crime. Even if he was wrong to refuse to give it away when asked (which is unclear), that would be grounds for dismissal and a civil suit to obtain the password and/or damages, but I fail to see what criminal offence he might have committed. None of the articles that I have seen explain this. Anybody know what exactly the remaining charge is?

Boycott

All I know if when this first came out, my immediate reaction was that under no circumstances will I willingly work for any government in the SF area, or for any private enterprise that would cooperate or contract for them at any cost. That's right--I'd take the luxury of resigning from my current job if they told me to cooperate with, work for, or deal with anyone in the SF area in any manner--including by proxy.

Given that the prosecutor has vowed to appeal, I'm going to have to extend this to being unwilling to work for them under any circumstances until everyone involved is publicly terminated for cause, regardless of the outcome of Child's trial.

I know a lot of people were saying the passwords weren't Child's to keep--but it should be painfully clear to everyone claiming that that they also were not his to give out--including if his boss instructed him to. Where I work, I have the *luxury* of reporting directly to the CEO--and if he tells me to do something, I hop. At times in the past--I have not had that luxury--if my immediate supervisor, or HR told me to do something contrary to company policy--I would point it out, debate it politely--and if they insisted, file a complaint and let somebody else above them resolve it and copy us both on their instructions. I'm not going to break policy because some idiot micromanager thinks they need to know a password that the CIO has already forbidden them access to.

And once the police were called--having been fired (or clearly given a good reason to resign immediately)--he's not even under an ethical obligation to provide them anymore until given a court order to do so. Because frankly--if he was a good sysadmin, once he was terminated, he would have no longer had access to his old password. I'm under the same obligation to be reasonable that the employer is--if their definition of reasonable involves handcuffs, they better believe all future consulting will be billed at 2000/hr billed in 4 hour increments--payable in advance of delivery.

None of this would have happened...

...if Childs was gay, or a minority, or an illegal immigrant, or a member of the local Communist party.

Re:None of this would have happened...

[Bourbonium]

How do you know he is not a member of any of these categories?

Re:Great!

[hesaigo999ca]

Unless he has proof that the City that asks him to turn over the passwords happens to have been compromised, and he has proof, and in this case he asked to hand over the passwords directly to the mayor...which once he was visited by him in jail, did turn over the passwords.

He felt he had a moral obligation to keep the people of SF safe from whatever he discovered was happening. Should you find out that someone on your network have figured out how to hack everybody's computer and that the only person you trusted to tell about this was the president of your company, but waiting to tell him before actually telling your closes supervisor gets you in trouble, which do you do....?

I think he did the right thing, too many people try to tell themselves that it's not their place to help security
or get involved, such as walking by someone getting mugged...god forbid anyone try to help the guy getting mugged! But we live in a world where people make themselves feel better about their mediocraty by saying
stupid sh*t like he probably deserved it, or is must be a d*ck >: (

Hazardous-duty pay for computer security work?

[freepay]

Clearly Terry Childs does not belong in jail. Maybe what happened is that San Francisco's mismanagement finally realized that having only one person with access to so critical a network was intolerable. But then, instead of discussing a way forward, it began with a secret investigation, as if Childs was a criminal, and the situation escalated from there, with both sides handling it badly. There are enough cases like this, of sysadmins and security experts charged with hacking for doing their jobs after a dispute with management, that professional education should include a section on how to stay out of trouble. Either that, or add hazardous-duty pay if jail is an unavoidable risk of this work.

Re:Great!

[tnk1]

Of course, the legality is important to the charges, but let's be honest, Childs could have avoided the whole thing by just handing the passwords over to any one of his legitimate superiors in the department. If he was concerned that they were going to fuck things up and frame him for it, he should have transferred the password in writing via some sort of certified method.

Yes, he may win, and yes, his superiors are probably complete idiots. I have yet to see why that was his problem. Now, whether or not he wins, people are going to know that he's the guy who wanted to administer the ramrod to his superiors publicly when he was terminated. Given the general incompetence of government IT departments, I don't think it was worth his reputation and possible hiring prospects (and JAIL time) for him to make this statement. If anything, it shows that he's someone who is willing to go that far to make some sort of point.

For my part, I don't want someone working for me who has the demonstrated capability to endure jail time just to rub me the wrong way because he didn't like how I conducted my department. As a boss, I am accountable to my superiors or the shareholders for my work, not to him. If giving me the passwords to the routers and servers meant that the servers would have fallen apart afterwards, that's no longer his problem, it's his bosses'. And it would have probably make a better point for the city's network to fail after his departure rather than give those moron superiors cover by clouding up the issue of their own incompetence. The best way for prove incompetence is to allow those accused to demonstrate it.

Re:Great!

What's annoying in this is that HE'S in JAIL. 5 million in bail, what a hoot. Too bad that California's bankrupt, he should sue them right into the stinking ocean. What a bunch of whiny babies, they got their password, yet they still kept him in jail. I wouldn't have given the passwords from jail unless I got a "get out of jail free" card and payment for my services, including the jail time.

Re:Great!

They threatened him with more jail time if he didn't give the passwords to the mayor. My guess is he thought he would be released after they verified the passwords. But of course the mayor probably lied to him. I mean he was probably pissed that he had to get his lazy a$$ up and travel to the jail.

wtf? where is the outrage??

"accused city hacker" instead of "the guy who built and maintained san francisco's networks for several years"?

"essentially commandeered the system" instead of "yeah, that's his JOB"?

with the city still trying to politically assassinate this guy, the judicial system still eager to help, and the press still spewing this ignorant garbage to the general public, why isn't the entire IT community out on the streets protesting for this guy? why aren't you guys screaming bloody murder?