3 of 4 Charges Against Terry Childs Dropped

phantomfive writes "Terry Childs, who was arrested nearly a year ago for refusing to turn over the passwords to San Francisco's FiberWAN network, has been cleared of three of the four charges against him. The dropped charges referred to the attachment of modems to the network; the remaining charge is for refusing to turn over the password. The prosecutor has vowed to appeal, to have the charges reinstated. We have the original story, and the story where Childs tells his side, for those who want a refresher."

Witch hunt

[joaommp]

Always seemed to me this was not much more than a witch hunt. Why else would them set a bail higher than for killers and rapists?

Re:Witch hunt

politics 101. pissing of the ones in power is the worst crime you can commit.

1M bail and 1yr in jail...?

[Manip]

I'm sorry but this guy has already had time served. Even if they do find him guilty one year in jail for what he did is far more than enough. Plus 1M bail? Is he a violent criminal? ...

This sounds like a classic story if ignorant people making decisions about technical crime and getting scared. I aim that both at the city and at the judge who set the original bail.

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").

Re:1M bail and 1yr in jail...?

[Seumas]

Ignorant people are afraid of the technologically savvy the same way they are afraid of science. They don't understand it, so rather than bettering their knowledge and informing themselves, they'd rather fear the worst and attack those who represent a threat (that is, those who know something they don't).

Also, why didn't the guy just say "dude, it was a complex random password and I've completely forgotten it"? They can't force you to give them a password that you've forgotten, surely? Also, is a partial "moral victory" really worth an entire year of your short life span?

Re:1M bail and 1yr in jail...?

[LordKronos]

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people

Huh? Special technical trials? Why? The current system already allows lawyers to bring in expert witnesses to explain stuff. And lawyers are allowed to do a bit of story telling during their opening and closing arguments, and they can use that opportunity to explain thing in other terms (including car analogies, if they choose).

A lot of us around here always complain about legislature creating special laws to make illegal things that are already illegal under an existing law. Let's not turn it around and start asking for special trials when the cases can already be accommodated by the existing court system.

Re:1M bail and 1yr in jail...?

[MrKaos]

This sounds like a classic story if ignorant people making decisions about technical crime and getting scared. I aim that both at the city and at the judge who set the original bail.

There is a saying, There is no such thing as a bad student only a bad teacher. If the legal system is ignorant about how 'technical crime' should be addressed it's because we, as technology professionals, have failed to lobby for the appropriate changes to be made to law to handle these cases properly.

We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").

Why? The framework for all of these things already exist in the legal system. All this world changing technology has been unleashed over the last decade or two and Information Technology is maturing as a profession. It's a bit unrealistic to expect the legal system to make quality decisions about how the law should be adapted to handle those changes while the people responsible for delivering the technology do not get involved in educating those who can codify the law to behave reasonably.

It ridicules us to point the finger and say 'look at how ignorant they are' when in reality we should be more self critical and understand that this is the treatment we should expect if we are too apathetic to influence the legal system appropriately.

Re:1M bail and 1yr in jail...?

[Jah-Wren+Ryel]

Huh? Special technical trials? Why? The current system already allows lawyers to bring in expert witnesses to explain stuff. And lawyers are allowed to do a bit of story telling during their opening and closing arguments, and they can use that opportunity to explain thing in other terms (including car analogies, if they choose).

Once upon a time a "jury of your peers" really meant peers, and not just the most easily swayed people in the jury pool. I'm not saying every single person on the jury needs to be a network engineer, but you can pretty much count on the prosecutor objecting to anyone in the pool with any technical expertise relevant to the case.

So, not special trials per se, but a process that rules out anyone with domain knowledge relevant to the trial is fundamentally broken. The number of really bad car analogies that get made here everyday among the relatively technically astute should be proof enough that requiring the issues to be dumbed down for an uneducated jury is not a very good way to run the system.

Re:1M bail and 1yr in jail...?

[Yetihehe]

There is a saying, There is no such thing as a bad student only a bad teacher.

You haven't seen some people who don't want and/or are incapable of learning the most basic scientific facts. Yes, you could spend with them 5x the normal time for normal student, but is it really worth it? We need someone to clean the streets, and really intelligent ambitious people don't really want to do it. Typical street cleaner doesn't need to know what an Ohm's law is.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

With respect, none of this is as complex as DNA and other forensic evidence which is handled quite well in criminal trials every day.

With equal respect, have you ever been through jury selection? I have (a number of times unfortunately: every time I move they waste a day of my time not selecting me) and the GP is correct. The system selects for the most ignorant of any issues relevant to the proceedings, and anyone who could be presumed to have knowledge of mathematics or statistics suffer the first peremptory challenges issued. Don't want someone who can see through the numbers the trial lawyers and their expert witnesses pull out of their nether regions. I'm just a software engineer, and every god damn time I was asked what I do for a living I was promptly removed from the jury. The people that were left were often very nice people (you get to know some of your potential fellow jurors in the jury pool beforehand) but not people that I would want on my jury, if I were accused of a computer crime ... especially if I were innocent. The naked fear so many individuals have of computers, and especially those who are accused of computer crimes is unnerving. Fear of the unknown is not intrinsically irrational: but fear of gaining understanding is.

All the juries I've (almost) been on are filled with people to whom a trial about computer systems is, in fact, just as unfamiliar and frightening as a trial involving DNA or other complex evidence, and might just as well be about DNA so far as their level of understanding is concerned. The idea of a technical court is not a bad one at all, particularly given the importance of sophisticated science and technology to all of us, not just those with technical backgrounds. Imagine judges with engineering or science degrees running the show in such trials. Honestly, if we had such courts the patent system probably wouldn't be broken and the RIAA would have been laughed out of court from day one. I can just see a judge who just incidentally happened to have a degree in computer science asking an RIAA attorney: "So, you're claiming that a logged IP address infallibly identifies an individual copyright infringer? Hm. Not on this planet, bucko."

Truly, in these times ignorance is not bliss, and we as a society are paying the price for allowing our adversarial system to dumb down those who judge us. Remember, our justice system was developed in much simpler times. The pace of change being what it is, it's too much to expect the law itself to always be on top of things, but it shouldn't be too much to expect our juries to really be composed of our peers.

Re:1M bail and 1yr in jail...?

[ScrewMaster]

Oh, God, don't you think we've TRIED? Forget the legal system; you can't get the ordinary person on the street to deal with the idea that computers are science, not black magic!

"Any sufficiently advanced technology is indistinguishable from magic" - - Arthur C. Clarke

The problem is, a lot of people are insufficiently advanced, and are unable to make that distinction.

Re:1M bail and 1yr in jail...?

[budgenator]

You do realize that there is a truck driver that knows so much about the nuclear weapons built in the 1940s and '50s that he has been invited to give presentations at Los Almos. Some people like menial labor because it give them the opportunity to think about things they are more passionate about.

Re:Actual crime

[GaryOlson]

...sufficient to keep him from being hired...

After this thorough exposure and experience with the legal profession, law firms should be recruiting him. Not to mention his arrogance and narrow focus on a crucial point of fact indicates he would fit well in with lawyers of the same personality traits.

Re:Actual crime

[dbIII]

And the details of the offense (hostage-taking to avoid a pink slip)

I'm not really sure that makes sense either but we should know soon. It really just looks like management that was so spectacularly bad that they called in the police to handle a simple workplace dispute. It should have been escalated up the chain away from these clowns to some form of adult supervision before calling in the police.
Just a bit of wild speculation here, but it will be very interesting to find out if the inexperienced "IT security" person that sparked all this off is a relative or lover of the new management that handled this all so badly. If I found a complete stranger wandering about removing hard drives containing sensitive information I would be asking rude questions, taking photos and making threats about calling the police as well. The only way you tell a surprise security audit from a robbery is by having someone known within the company follow them around to avoid STUPID situations like this. If a manager can't get anyone or do it themselves they really have to put in their notice and get a job with less responsibility.
Very wild speculation here, but wouldn't it be funny if the entire thing was revenge for making the new manager's mistress cry?

Re:Excelent way to link to that interview.

[drinkypoo]

It's like watching cable news doing a circle jerk talking about how a twitter post talks about a blog post that mentions an article that refers to an interview where the reporter asks a question about something, but no one even cares about showing the relevant clip!

They do that kind of thing on the news all the time. When they do, it is always a sign that they want you to blindly accept what they are telling you. They will tell you about a hundred times what the video clip shows and then finally show it to you after they've programmed you to accept their version of events.

Not saying that's what's happening here, but when someone hides the facts from me, I assume they are acting nefariously. Incompetence qualifies, if you are behaving as if you had a clue.

Re:Overzealous prosecutors

Prosecutors can be sued, but you have to show that they were not acting in good faith. Mike Nifong, the prosecutor for the Duke "rape" case was tried and disbarred for his conduct. There's accountability, but a prosecutor has to go from being a jackass to trying to screw over justice to get a lawsuit going.

Re:Great!

[drinkypoo]

As an ex-employee, it's no longer his call as to "who gets the keys"

Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor.

In other words, the only charge not dismissed by the judge is the only one which he ever should have been accused of (if any) and he has a solid defense against it. We shall see how it plays out, but it is not nearly as cut and dried as you imagine or pretend.

Re:Overzealous prosecutors

Only problem is, like so many people convicted of crimes, by the time they are in the system by a corrupt DA, they can no longer vote and may even possibly be limited to what they can protest (due to being in jail or whatever).

"Just change the law" or "just vote them out" doesn't work when the most affected people can't participate. Effectively, the corrupt can silence opposition at will.

Plea? What plea?

[Bacon+Bits]

The defense made a motion challenging the evidence and the judge agreed that there was not sufficient evidence to support 3 of the 4 charges. There was no plea here. The court threw out the state's allegations for lack of evidence. There was no evidence because what he did was probably not sufficient as a matter of law (a matter of fact would probably have been decided by a jury). The charges were merely trumped up. Fabricated. Lies.

And yet they still kept this man in jail for a year awaiting trial for a ridiculous amount of bail money for a non-violent crime.

Re:Great!

[pushf+popf]

As an ex-employee, it's no longer his call as to "who gets the keys"

Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor. I'll give passwords to anybody who can produce written authorization from any executive, officer or elected official with the authority to do so.

"SOP" is completely meaningless unless it's law or a written policy authorized by the City, that the employee signed.

If the Mayor wants the passwords, that's fine with me. In fact, assuming it was just a few logins, I'd even give it to him for free, regardless of whetehr I was still an employee or not. In fact, if they want to pay for my services, I'll happily root all their servers and routers and tell them what the new passwords are.

. OTOH, I guess that explains why I'm not in jail and have more business than I can handle. The first rule of successfully working with others is "Don't be an asshole."

some of the routers where in a place with little s

[Joe+The+Dragon]

some of the routers where in a place with little security and that is where you may want to use that config.

He should have offered his resignation ...

[Zero__Kelvin]

"All he needs is written authorization from the city to turn over the passwords to whoever they say. Any other refusal just makes him a dick and he belongs in jail."

Bullshit. A skilled system administrator can get root / Administrator access so long as they have access to the machine, so the benefits of giving the password up are far outweighed by the benefits of following industry standard security practices. All too often incompetent upper management needs to be protected from it's own incompetence. You can't make it my job to keep a system running smoothly and simultaneously let any incompetent idiot have root access to it. You can write me a note for the teacher all day, I'm not going to accept it. I'm going to explain to them that they can have the passwords in exactly one manner, and that is concurrent to my resignation. If they want them that bad, they get both. That is where Childs went wrong, but he may well have had the best of intentions.

All of that being said, jail for this guy is absurd, as anyone who actually reads the article and reads Childs' explanation would almost necessarily conclude the same.

Re:He should have offered his resignation ...

[ka8zrt]

Ya know... that is not always the case. Or to use your vernacular, with emphasis... BULLSHIT! I have administered systems which were secure enough that they would not boot up into single user mode and grant access without the root password, and the drives were secured in such a way that not even pulling the drive and putting it in another system would help... the boot loader required a password to decrypt the filesystem. Given that this machine was up for like 10 years last I knew, when it was finally taken out of commission... reboots were rare. As for exploiting holes in remote access routes, such as through sendmail, http, etc... the only active routes into the system were for Kerberos (e.g. ports like kerberos, kpasswd, and klogin) and considered at the time to be secure short of the resources of the likes of NSA, CIA or DOD.

Now in the particulars of this case, Child's practice of not committing configurations to NVRAM complicates the problem, and makes it even more impossible for the passwords to be recovered. Ever spent some time configuring a router, holding off on the saving to NVRAM to test the configuration, and then lost power? If the scripts to configure the routers were some place only he knew (such as on a USB key, or hidden away some place on a 300GB drive, perhaps in an encrypted file), it was no problem for him if a unit rebooted. But try to reboot to gain access... guess what, you just lost what you were looking to find. And since we are talking about a router, even if he had committed the configuration (and associated password) to NVRAM, how would having physical access help you? Most routers I have seen, the best you can do is to reset to factory defaults with a little magic button, and provide no way to boot off of other media and still access the configuration on the switch. Nor can you pull the drive and put it in another PC and go that route. As someone who helped write the firmware for networking gear, I know. Only those of us who did that work even had a clue on how to get at a shell like environment to get at the stored configuration. But again, we are bitten by the lack of writing to non-volatile storage in this case. And if you are going to try to brute force a password... it would not help if the password for the console access is "KGToNBhChA2ayofcVL1voA". Granted, using such a password on quite a few switches/routers would be stupid, unless you scripted that access (something I have done). But then there are the countermeasures against such brute force attacks, such as delaying login re-attempts for 5-15 seconds, locking accounts after so many failed logins, etc.

So, with all this said, someone needing to try to gain access to some machines had better either hope they have the configurations stored someplace off the switch to enable restoration, or hope that they only have to assume a position of humility (e.g. the mayor asking Childs) in having to ask for the administrator password which has hopefully not been locked down. Because, if that is not the case, they are going to soon be assuming the same position a ex-LEO or child rapist is said to be forced to assume in prison...

Oh... and as for resigning (can one say he was really given a chance to do so properly) and giving the passwords to someone who was not supposed to get them, he could quite possibly be held responsible for the resulting damages if it was contrary to procedures. And given that this has all the appearances of being one pissing match of a turf war... I would be very afraid that that would be the case were I in his position, and as such, the case is IMO totally absurd, and perhaps just has some folks wanting to make a name for themselves...

Re:Actual crime

[Sun.Jedi]

First, switch CISSP with DBA.

Lets not forget...

1. 1. The network he was unable to attend to (because of being jailed inappropriately) ran FINE in his absence. He has skills, and previous descriptions indicate this is not a simple network.
2. 2. He stuck to his beliefs. I think this is a good quality, especially considering it cost him his freedom for a period of time.
3. 3. In spite of the negative connotations of imprisonment, I'm sure there is educational value from his situation.
4. 4. In my personal opinion, from whats been published, management screwed the pooch on this one, he did the right thing, in several situations.

I would hire him.

This is crazy!

[samuX]

i did not know about this case so i went up looking back to all the story and trying to figure out what happened i've runned across these two that explain a bit http://www.infoworld.com/d/adventures-in-it/why-san-franciscos-network-admin-went-rogue-286?page=0,0 http://www.infoworld.com/d/data-management/childs-attempt-protect-network-password-gone-awry-978 What i'm now missing is what were his duties in the contract and who he had to provide those passwords. this document http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf cited in some post here is only about personal passwords and not system ones. So a sysadmin keeps an eye on security, he's asked by his boss in front of unauthorized people to reveal those passwords, in a improvised meeting in a place outside the place where he works. he refuse to say those passwords, he's suspended for unsubordination and some days later he's arrested, and he's still in prison He can only be guilt of being an asshole or too paranoid but since he was the only one responsible for the whole SF Wan who wouldn't have been ? you really would have give away your passwords knowing that if the day after the network would have been down it would have been your only responsability ? - "B....bbbut i gave the password to my boss!" - "Nice work! now you are fired and you'll be charged for the problem you caused with your inefficency" no really.. this story is crazy i really hope he will be released soon but then what about his lost job ? what about the loss in credibility he has to suffer due to ignorance of news that portrayed him as digital version of bin laden ?

misleading title and tags don't work

[MoFoQ]

misleading title...as the charges weren't "dropped," they were dismissed by the Judge (yes...I rtfa).

"Dropped" implies that the prosecutor did the "dropping," either due to a plea bargain or because the lack of evidence.

plus I don't like how the Examiner "labels" Childs as a hacker....he was the f*cking sysadmin and essentially the father/protector of the city's fiberWAN.
Especially considering the incompetence with computers and network security policies and practices by other city workers, he was considered the messiah/scapegoat.
(definitely, among those of us who have had to deal with the city govt)

there are plenty of other fish that the prosecutor(s) can fry that are worth the frying.

oh, btw, I can't get the triangle button to add a tag to work anymore.

Re:Great!

[sjames]

Well, you don't have to turn the equipment over because of employment, you have to turn it over because your (now former) employer is the rightful owner.

Before they fired him, he was bound by policy NOT to give the password to his boss or co-workers. After he was fired, he wasn't even bound to remember the password at all much less tell someone what it was.

Personally when I leave an engagement where I had passwords, I delete personal accounts and if I was the only person with a role account password, change it to unmemorable junk, write it down, and seal it in an envelope (then forget it). That goes to whoever the policy says should have it ONLY. If others already legitimately have the role passwords I tell them to change it IN WRITING.

If they choose not to have an appropriate transitional arrangement for that to happen, that's it, I'm gone, good luck to ya! I don't remember a thing!

He indicated willingness to give the password to the mayor. Once the mayor could be bothered to get said password from him, he did just that. Too bad they made a big stink of it such that that step took place while he was in jail. As for the claims of millions in damage to "repair" the network, that seems rather unlikely unless they really were the bumbling id10ts Childs makes them out to be. Even then, that's not HIS doing.

Re:Overzealous prosecutors

If sysadmins unionized, they could fight stuff like this collectively. The union could pay legal fees to handle Terry Childs' case. The union could also demand liability protection clauses in employment contracts and push for legislation to further protect themselves.

Unfortunately, people these days are very well trained by propaganda to hate things that are actually in their best interest, so the idea of unionizing is repulsive to most. Too bad, a strong IT union could prevent things like this.