Slashdot Mirror
3 of 4 Charges Against Terry Childs Dropped
phantomfive writes "Terry Childs, who was arrested nearly a year ago for refusing to turn over the passwords to San Francisco's FiberWAN network, has been cleared of three of the four charges against him. The dropped charges referred to the attachment of modems to the network; the remaining charge is for refusing to turn over the password. The prosecutor has vowed to appeal, to have the charges reinstated. We have the original story, and the story where Childs tells his side, for those who want a refresher."
Always seemed to me this was not much more than a witch hunt. Why else would them set a bail higher than for killers and rapists?
Onda Technology Institute
I'm sorry but this guy has already had time served. Even if they do find him guilty one year in jail for what he did is far more than enough. Plus 1M bail? Is he a violent criminal? ...
This sounds like a classic story if ignorant people making decisions about technical crime and getting scared. I aim that both at the city and at the judge who set the original bail.
We need special technical trials for things like this within which both the defence and prosecution are allowed to bring in technical witnesses to put the case into perspective for non-technical people (as opposed to "HACKER! Get the pitch forks!").
Shocking! The charge that sticks is the only one related to what he actually did wrong! I know the "City of San Francisco" is royally pissed, but even if they're throwing the book at him they have an obligation to stay within the bounds of fact.
I hope he's let off the hook, personally. The damage he's done to his career (who'll hire a DBA who would hijack the whole network?) is probably enough punishment even by itself. And the details of the offense (hostage-taking to avoid a pink slip) are sufficient to keep him from being hired in any field, technical or not.
All he needs is written authorization from the city to turn over the passwords to whoever they say. Any other refusal just makes him a dick and he belongs in jail.
As an ex-employee, it's no longer his call as to "who gets the keys"
I opined on the last story that he was playing the 'power game' from the bottom of the political strata. By most accounts he was at the top of the network knowledge, so a technically important guy. 'Network God' doesn't translate into political power and he got burned.
But what else is in the plea deal? I can't help but think there's waaaay more to the story given the political heat this guy brought on himself. Maybe the plea deal keeps him quiet?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Link to an old Slashdot story that then links to an archive page that doesn't even have the word Childs on it.
You have to go to page three of the archive to find the bloody interview!
Why the hell is it so difficult to provide direct links to the actual articles?
I don't have to read the article to know that. If the charges were dropped, the prosecutor would not be vowing to appeal. When a judge gets rid of charges, they're dismissed. When a prosecutor voluntarily gets rid of charges, then they're dropped.
If someone says he and his monkey have nothing to hide, they almost certainly do.
It's a little known fact that prosecutors cannot be sued for anything they do in court to a defendant. Prosecutors are truly the worst part of the system since they are unaccountable to the public and are rewarded for getting convictions, not enforcing the law wisely. As a profession, they are so corrupt that they make civil lawyers look sympathetic since civil lawyers are at least limiting themselves to cases where you can kinda sorta see how their client was genuinely harmed.
As an ex-employee, it's no longer his call as to "who gets the keys"
Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor.
In other words, the only charge not dismissed by the judge is the only one which he ever should have been accused of (if any) and he has a solid defense against it. We shall see how it plays out, but it is not nearly as cut and dried as you imagine or pretend.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
IIRC, he allegedly changed the Cisco configs but never saved them on NVRAM. You can power-cycle Cisco devices and have a 60-second window to get in without knowing the password That was the big problem.. had he saved the configs to NVRAM, the City could have just power-cycled the devices during a maintenance window, gone in and reset the passwords. But the configs being only in volatile memory meant that if they tried that, the boxes would have lost the config, resulting in the "full system failure"--they City network would have gone down.
As I recall it was something to do with the routers that if they lost power, they lost configuration - something to make sure if gear was stolen then it didnt come up with any of the secure networks details.
From memory someone viewed this as him setting up some sort of timebomb instead of being good security practices, and charged him as such.
"If everybody is thinking alike, somebody isn't thinking" - Gen. George S. Patton
So announcing it at a meeting was right out.
The person that should have taken this all into hand and resulted in a normal dismissal instead of an arrest is Chris Vein. He was originally an accountant but many CIOs are and some manage to pick up management skills and familiarity with technology along the way.
Here is what http://blogs.zdnet.com/BTL/?p=4692 says about him:
It's still possible he got there by merit, but it starting to look like a political appointment. On his linkedin page he describes himself as "Delivering strong and effective leadership", which often means someone that fires people for no good reason to show they are "strong" but maybe I've just seen too many bastards in action that like that word. These things may give an insight or maybe not, but the end result of getting the police involved in a workplace dispute demonstrates to me that he is not paticularly effective, let alone the situation where there was only one person that could do the job. BTW San Francisco, do you have your free WiFi from 2006 yet? If not you now know the name of the guy that was in charge of delivering it.
From http://www.linkedin.com/pub/chris-vein/7/110/71b you can see that Chris Vein was a senior advisor at the White House after only three years in the workforce! I do not think such a rise is possible by merit or desirable in an honest government.
I hope this case looks deeply at the motivations behind getting the police involved. I'm also extremely curious as to what the $1million that has to be spent to repair the "damage" is required for and hope the defence and judge push hard for an explanation of this unusual claim
The defense made a motion challenging the evidence and the judge agreed that there was not sufficient evidence to support 3 of the 4 charges. There was no plea here. The court threw out the state's allegations for lack of evidence. There was no evidence because what he did was probably not sufficient as a matter of law (a matter of fact would probably have been decided by a jury). The charges were merely trumped up. Fabricated. Lies.
And yet they still kept this man in jail for a year awaiting trial for a ridiculous amount of bail money for a non-violent crime.
The road to tyranny has always been paved with claims of necessity.
As an ex-employee, it's no longer his call as to "who gets the keys"
Wrong! The SOP was that he was only to turn the passwords over to the Mayor. This has been covered extensively. This requirement DOES go away if you're fired... you don't [by default] have to turn over ANY passwords! Just say "I don't work here any more, and I don't have your passwords." Meanwhile, if you do still work there, then you're still bound by the agreement you already made to follow the policies and procedures, which means he was bound to turn the passwords only over to the mayor. I'll give passwords to anybody who can produce written authorization from any executive, officer or elected official with the authority to do so.
"SOP" is completely meaningless unless it's law or a written policy authorized by the City, that the employee signed.
If the Mayor wants the passwords, that's fine with me. In fact, assuming it was just a few logins, I'd even give it to him for free, regardless of whetehr I was still an employee or not. In fact, if they want to pay for my services, I'll happily root all their servers and routers and tell them what the new passwords are.
. OTOH, I guess that explains why I'm not in jail and have more business than I can handle. The first rule of successfully working with others is "Don't be an asshole."
some of the routers where in a place with little security and that is where you may want to use that config.
for sys/net admins is to keep in the back of your mind that your actions can be scrutinized somewhere down the line, even if you are the most conscientious, morally upright employee.
If you work in an environment where you are the key technical resource, and others don't have the chops to safely manage the systems you designed/built, you still need to be sure that you put mechanisms in place to track access first, and then you need to provide equivalent access as agreed with management, to other administrators. Since you have the tracking mechanisms there, you can unravel who did what if there is an issue.
I know that it's hard to do this if you work in a hostile environment, or one where people are defensive about their jobs. This is especially true if you are the lead or only techie with the skillset to safely operate in the environment. But without being too paranoid about it, try to inform management as to what you're doing occassionally, track access of yourself & others (if you exclude yourself by using other means of authentication or access, you won't have a leg to stand on, since your actions weren't logged and you could have 'hidden' them).
Try to foster a trust environment with your peers, help them along in becoming competent while giving them access appropriate to their skillset (but make sure others know they are accountable for their actions), and you would improve your chances at exonerating yourself if the PHB's ever start pointing the accusing finger at you.
Bullshit. A skilled system administrator can get root / Administrator access so long as they have access to the machine, so the benefits of giving the password up are far outweighed by the benefits of following industry standard security practices. All too often incompetent upper management needs to be protected from it's own incompetence. You can't make it my job to keep a system running smoothly and simultaneously let any incompetent idiot have root access to it. You can write me a note for the teacher all day, I'm not going to accept it. I'm going to explain to them that they can have the passwords in exactly one manner, and that is concurrent to my resignation. If they want them that bad, they get both. That is where Childs went wrong, but he may well have had the best of intentions.
All of that being said, jail for this guy is absurd, as anyone who actually reads the article and reads Childs' explanation would almost necessarily conclude the same.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
He gave them to the Mayor in person not long after imprisonment. That would be approximately a year ago.
Remember, when asked for the passwords the first time it was over a teleconference with a large group of people whom he did not know. I don't care who's on the other line and what they're threatening; you don't give passwords in such a situation. That is why he wanted to speak with the mayor.
You failed to realize that in fact he stated that he would give the passwords to the mayor, which he did.
i did not know about this case so i went up looking back to all the story and trying to figure out what happened i've runned across these two that explain a bit http://www.infoworld.com/d/adventures-in-it/why-san-franciscos-network-admin-went-rogue-286?page=0,0 http://www.infoworld.com/d/data-management/childs-attempt-protect-network-password-gone-awry-978 What i'm now missing is what were his duties in the contract and who he had to provide those passwords. this document http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf cited in some post here is only about personal passwords and not system ones. So a sysadmin keeps an eye on security, he's asked by his boss in front of unauthorized people to reveal those passwords, in a improvised meeting in a place outside the place where he works. he refuse to say those passwords, he's suspended for unsubordination and some days later he's arrested, and he's still in prison He can only be guilt of being an asshole or too paranoid but since he was the only one responsible for the whole SF Wan who wouldn't have been ? you really would have give away your passwords knowing that if the day after the network would have been down it would have been your only responsability ? - "B....bbbut i gave the password to my boss!" - "Nice work! now you are fired and you'll be charged for the problem you caused with your inefficency" no really.. this story is crazy i really hope he will be released soon but then what about his lost job ? what about the loss in credibility he has to suffer due to ignorance of news that portrayed him as digital version of bin laden ?
According to another poster, it was against standard policy to give your password to your boss. Apparently he was only supposed to turn the passwords over to the mayor, and no one else. In any case, if someone requests your password, you should only give it after they request it in writing, then you have evidence of the event in case something happens.
Qxe4
Really the classic bit of this story is how the prosecutors included a list of usernames and passwords in their court filing which couldn't have been a better home-run for the defense in terms of 'See what happens when you give the passwords out to these idiots?'.
A year of his life gone though.. This should be a cautionary tale for any IT person.. When things get so bad that you're angry and not making good decisions.. just quit. Find somewhere else, relax. A job at burger king is better than going to prison.
misleading title...as the charges weren't "dropped," they were dismissed by the Judge (yes...I rtfa).
"Dropped" implies that the prosecutor did the "dropping," either due to a plea bargain or because the lack of evidence.
plus I don't like how the Examiner "labels" Childs as a hacker....he was the f*cking sysadmin and essentially the father/protector of the city's fiberWAN.
Especially considering the incompetence with computers and network security policies and practices by other city workers, he was considered the messiah/scapegoat.
(definitely, among those of us who have had to deal with the city govt)
there are plenty of other fish that the prosecutor(s) can fry that are worth the frying.
oh, btw, I can't get the triangle button to add a tag to work anymore.
Well, you don't have to turn the equipment over because of employment, you have to turn it over because your (now former) employer is the rightful owner.
Before they fired him, he was bound by policy NOT to give the password to his boss or co-workers. After he was fired, he wasn't even bound to remember the password at all much less tell someone what it was.
Personally when I leave an engagement where I had passwords, I delete personal accounts and if I was the only person with a role account password, change it to unmemorable junk, write it down, and seal it in an envelope (then forget it). That goes to whoever the policy says should have it ONLY. If others already legitimately have the role passwords I tell them to change it IN WRITING.
If they choose not to have an appropriate transitional arrangement for that to happen, that's it, I'm gone, good luck to ya! I don't remember a thing!
He indicated willingness to give the password to the mayor. Once the mayor could be bothered to get said password from him, he did just that. Too bad they made a big stink of it such that that step took place while he was in jail. As for the claims of millions in damage to "repair" the network, that seems rather unlikely unless they really were the bumbling id10ts Childs makes them out to be. Even then, that's not HIS doing.