Slashdot Mirror
The Trial of Terry Childs Begins
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.'
The problem with a democracy is that the masses are ignorant. I will be following this case closely, but am already concerned for the outcome.
Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?
This guy denied access to the owners of that network. Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing. Hell, it's not a stretch to say that for a time, before they recovered it, he had stolen the entire network from them.
Take your word smithing and semantics and stick 'em where the sun don't shine. What he did was wrong for it, and he needs to be punished.
Then will Mr. Childs employ the Chewbacca Defense?
I don't think that charges should have been filed... but system administrators have to understand that all of their access is subject to being reviewed by managment. Sadly, I have worked with a number of administrators who hide their own incompentance behind the need for security.
I think he's only being treated as a martyr to it by people who never got rid of their "Free Kevin" tshirts. While I may envy his committment to BOFHism, he really didn't have a right to do what he did and treating him like some sort of hero is just asinine and, much like Christmas, something I wish would just be overwith already.
The equipment was still in the same place it was before. The software was the same as before. The service was the same as before.
So how did he steal anything?
"Down with security!"
'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,'
How common a scenario!
between this genius who thought everything belonged to him and people like I met in my 1 year of working as a consultant for a government agency it's not wonder government is outsourcing. i met this one admin years ago who refused to let his NT domain be part of the larger NT network and it caused all kinds of permissions issues. funny thing was that because of the union rules they couldn't make him do it. and the only reason he refused to let his NT domain work with the others in the organization is because he wanted his own private island to manage that the other admins above him couldn't touch.
so now i get daily emails about how LA and other local governments are going with Google Apps and Gmail. I bet a lot of it has to do with the fact that they can let their unionized admins rot in a hole doing nothing while progress happens
The owners of the network are the public. An employee should act in the best interests of the employer at all times -- even if doing so conflicts with the views of immediate superiors.
I agree. What he did is akin to theft of service. I am entrusted with not only network security, but also allowing reasonable access to network resources. The point of having a network isn't to keep people out of it, but to let the proper people use it.
With that said, I think the $5million bail is way off base. It's excessive to the point that it is used to keep the defended incarcerated. That is not the point of bail. Bail should be set as a deterrent to flee before a trial is finished, not to keep someone indefinitely in a cell.
Why they don't just restore the system from a backup in which the rest of passwords were not locked? Probably no too much information will be loosed in this case.
Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.
"Administrator" groups for Windows machines
Multiple root SSH keys and/or Kerberos logins for Unix boxen
TACACS user-based authentication for routers.
If the dude just left and said "I'm done with you folks, no I'm not handing over my passwords", then fine...go into the user admin system, nuke his passwords and get on with your life.
If the dude deliberately went in and reset passwords and changed network access before walking and then tried to blackmail the city, then that's sabotage/blackmail/downright illegal and should be punished.
If the dude walked out without giving passwords to anyone and the system was poorly designed so that admin passwords had to be forcefully recovered via single user mode or the like, then the city should just eat crow, lick their wounds, and install a real network AAA system.
What would have happened if the dude had been run over by a beer truck on the way to work? Would the city have been screwed as well?
Dude.
This guy denied access to the owners of that network. Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing. Hell, it's not a stretch to say that for a time, before they recovered it, he had stolen the entire network from them.
Take your word smithing and semantics and stick 'em where the sun don't shine. What he did was wrong for it, and he needs to be punished.
What do you mean "Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing." That's exactly what it means. If there's no law to fit his "crime," then by definition there is no crime committed. Perhaps he's guilty of being an asshat, but doesn't mean he's criminally liable according to your definition.
It's quite a stretch to say he had stolen the entire network. In fact, it's absolutely false. They could have done a hard admin reset on the routers and affected systems and been back in complete control of them. They chose not to, for various legitimate reasons, but the network remained in the possession of the legitimate owners.
You complain about word smithing and semantics yet that's exactly what you are doing. What he did may be wrong, but the question as to whether any laws were broken is far from a given. To punish him for breaking no laws would be absurd and your assertion that he should is equally absurd.
I was initially very skeptical of Childs until additional information came out about the case that changed the story notably.
Their policy prohibited Childs from simply handing passwords over to his boss, when asked by the mayor he handed them over as requested. I think the bigger issue is one of policy on security and a lack of industry best practices by the city. What holds the greater weight, policy or your bosses request? Depending on where you work, handing over your passwords to anyone can readily be a criminal infraction. At a minimum they could have asked Childs to create an additional account with full administrative access and that account could then have been used to disable Childs account.
I know at my employer I am not allowed to share my passwords with anyone, including my supervisor. I have an official backup with equivalent access to myself and my refusal to hand over passwords would not prevent anyone else from taking over for me. If my employer wanted they could simply reset my password and gain access to my account. The issue in San Francisco is there wasn't anyone else who had equivalent access to begin with. Their network was complex and the city had cut to the bone on staffing ahead of time.
Lessons can be learned from this from a management standpoint, the city took an antagonistic approach and did not update their policy and instead asked Childs to break it. Their security personal should have known industry best practices and instead asked Childs to violate them and hand over his password. Ultimately the case showed incompetence in city management and embarrassed them, and that's the only reason I can think of the city pressed the case.
If they would have just threatened to waterboard the guy, and let him walk after he gave up the passwords, there would have been no harm, no foul, and no need to waste the taxpayers money putting a frazzled worker in jail.
We're all getting frazzled these days, and maybe we need to realize that, take a deep breath, and stop tossing everyone in jail and tearing people down left and right in all arenas, and try and claw our way back to being a civilized people.
Right now, I think we are all acting like animals.
This is my sig.
This guy decided to be ass and he's finding out the hard way that law is a bigger ass.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
> the people this guy works for asked for the passwords
My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).
This really comes down to;
Is Nick Burns a dick, or is he not a dick?
That's it. Pick your camp and fuck off. There is really nothing else to discuss, there is no middle ground.
Sorting out fact from fiction in the Terry Childs case (InfoWorld)
If he wins will he have to retest for certification or as he all reedy been put on a black list? but even if he is people will likely still look the other way and he can keen them on his CV.
The simple fact is this guy IS guilty of one major (though not legal) flaw. He didnt THINK about the situation, and instead of handing the passwords over, BUT documenting EVERYTHING, he decided to be an ass about it. He had a very valid reason to be an ass, but he should have washed his hands of it.
"Slashdot, where telling the truth is overrated but lying is insightful."
Childs deserves defense not because he appropriately handled a showdown with management he had no hope of navigating successfully, clearly he did not. Rather, he should be defended against having the prosecutorial powers of the city leveled against him and being deprived of his freedom for many months over a matter that should have gone no further than the termination of his employment.
His job was to be in there so being in there is irrelevant. That's part of what he's supposed to be doing.
All of the services were available to all of the users. So there wasn't anyone who couldn't access any of the services (except the passwords).
This is a service issue. Your examples focus on physical items.
> What he did was wrong
Don't know about that. It seems to me that it was a worse crime to let him be the sole repository of such valuable information (the password/s), without having a clue that there was a chance he'd suddenly drop dead. And it was his managers who were guilty of that crime.
If anything, the fact that you wrote down that there might be a problem would be used against you. You set a trap or something. That's how you knew there would be a problem.
This is management. Does anyone who's ever held a tech job believe that you writing down that your boss is, effectively, an idiot won't be used against you?
Oh, Please! IT infrastructure is the plumbing of the 21st century. This guy is a plumber. It is not his job to decide who should or should not have access to the network any more than it is the job of the master control technician at NBC to decide what to air at 8pm on Thursday nights.
I'm not defending Childs' decision to hand over the passwords when asked, but I can sure see his perspective on it. As a consulting network engineer, I've frequently been put in the position of having to decide whether giving someone the keys to the kingdom will put the kingdom at too great a risk.
The problem here is that there was not a documented policy on passwords. As a former government IT employee, we had a documented policy concerning passwords. They were all documented in a password-protected spreadsheet kept on a server that only admins had the access and technical skills to get to. They weren't withheld, per se, they were just in a place that was inconvenient to get to unless there was an emergency situation that required the inconvenience.
The impression I get is that San Francisco's IT department had old-timers waiting for their retirement date and their pensions to mature. They were stuck in the days of mainframes, modems, and 8088's. Here comes Terry Childs, who has not only a clue but a plan for getting them into the 90's, if not the 21st century. He intimidates his superiors because he knows what he's doing, and they don't. He builds a network for the city that his peers should be proud of. Instead they are intimidated. They ask for passwords, and he politely refuses to give over until they understand the enormity of what those passwords do. They get mad and accuse him of hacking.
The worst thing about this case is that Terry Childs did nothing wrong, other than withholding the passwords too long. He's intelligent. He intimidated people with his intelligence. They couldn't fire him without cause, so they created a cause by insisting that he was hacking, even though the evidence does not show this.
The insult to injury here is that by dragging this out, the San Francisco IT department is just putting more egg on their face. Anyone following the case can see that they were incompetent and Terry Childs was trying to protect them from their incompetence. His crime was not knowing when he'd lost the game at the key moment.
Were I living in San Francisco, I'd want an audit of the technical skills of the IT department. It sure sounds to me like there are some people that need some training. If they can't learn from the training, reassignment. If they can't be reassigned, early retirement. But for all that's good and holy, get the incompetence out of the IT departments!
How is there no law to fit the crime?
If I hire say a lock smith to work on my house, and then they do not provide the key to the house but instead say rob it or trash it, there is all kinds of laws to fit those crimes. This is not some sort of new thing.
By the way I am being charitable here by assuming that you can have a "crime" without a "law" makes any sort of sense to talk about at all.
Living in Chile
He had high security turned on that blocked password recovery as some of the network stuff was out in open at some sites and not in a locked room. With the high security you have to do a full reset to get back in without a password.
and is continuing with the prosecution just to save face,'
So, what do taxpayers think about their public funds being thrown away just to "save face"? This charade will end soon. Maybe another generation or so.
Seven puppies were harmed during the making of this post.
Remember that he was working in government, so of course he'd view everyone else like helpless retard-children incapable of doing anything for themselves.
If you were blocking sigs, you wouldn't have to read this.
Is your shift key broken?
you're right. terry childs may not be batshit crazy, but he has a cell phone camera and 1100 secret modems. that scares the crap out of me! i'm calling the police! again!
wow. what a jerk you are.
still banging away at that dumb film that will never be produced?
right on.
Wasn't he terminated before they even asked for the passwords? If it was me they'd have to hire me back as a very, very expensive consultant before I'd even speak with them.
There is a war going on for your mind.
For God's sake, that's circletimessquare! If you don't know who that is, lurk more. Until then, DO NOT FEED THE TROLLS!
You forgot to keep a copy of the keys yourself? I call that stupid. And in the case of this guy's manager, criminally stupid.
Most people are smart enough to give their caretakers copies of their keys. Your analogy stinks.
And even if it didn't stink in that way, it stinks in another way. You could just shell out to have a professional locksmith break into your house and change the locks. Which is what you would have to have done anyway if the caretaker was kidnapped by the mafia or otherwise disappeared (the analogous situation to Childs dying in his sleep).
Actually, I just reviewed the facts as put out in this article by Venezia and most of the negative stuff has to do with mismanagement on the part of the city, in my eyes. A good manager would have understood that Childs was too attached to his creation, and would have already started to bring in another professional who might have had a chance of giving Childs the impression that he was handing his brainchild over into good hands. OTOH, I'm not sure Childs was psychologically capable of doing that. I wonder what will really happen in this trial.
It's quite a stretch to say he had stolen the entire network. In fact, it's absolutely false. They could have done a hard admin reset on the routers and affected systems and been back in complete control of them. They chose not to, for various legitimate reasons, but the network remained in the possession of the legitimate owners.
Using the door analogy, what if he was a custodian, changed all the locks, kept all the keys, refused to give them to the owners? Sure they could hire a locksmith to change all the locks, but why should they?
So what you're saying is that because he was accused of something, he is automatically guilty even though the accusations where later withdrawn?
I sure as hell hope that you never wind up on a jury for *anyone*.
You metaphor is false.
The parallel would be if I hired you to set up and administer my computer, later demanded that you had over the admin credentials, and you refused because you didn't think I could handle it competently. I would be within my rights to fire you and perhaps even sue you, but not to have you thrown in jail.
This is a case of someone trying to use Slashdot to sway popular opinion; kind of like a slashvertisement, except with the legal system instead of a book or piece of software.
Wow, it really worked well for Joel Tennenbaum and Jammie Thomas-Rasset, I'm sure this is going to be very, very effective for Childs!!!
That's true. But if I changed your locks and kept the keys, charging me with "stealing your house" is not legitimate.
Since you like that door analogy.
It's probably worth reading the whole saga - particularly the circumstances under which he was asked for the passwords... very, very odd. I think I would have gone into lockdown given the circumstances...
http://www.infoworld.com/d/data-management/childs-attempt-protect-network-password-gone-awry-978
The guy did something wrong and should be punished.
He was punished, he was fired.
By not giving the keys, he did no more damage than would have been done if he had died accidentally, and his managers didn't seem to be that concerned about that, it seems. Since he did eventually give the keys (to the mayor), he did even less damage, in fact, a lot less damage.
I once had a coworker who worked for the IT department for a rural Bible-belt school district. Upon her resignation, her boss demanded her password. She refused to give it up and resigned anyway.
I used to be the sysadmin and PC Support teacher for a high school. The incompetent/power-tripped Web design teacher, on the first day of class, made all the students divulge their domain passwords to her. Well, one of her students also had me for PC Support, and he knew damn well to never divulge a password, and he refused to give it up. He never got his grade docked for it, but if he did, I would have been in the guidance office with him, going to bat for him, pointing out that the Web design teacher has zero business keeping students' passwords on file.
Fortunately, this never happened. More fortunately, the principal might have been an incompetent boob, but the assistant principal for curriculum was a former IT director and knew his stuff.
The InfoWorld editors are trying to gin-up a hue and cry over this case. snydeq is a PR flack for InfoWorld, so he submits updates on this case the same way he (constantly -- it's his paid job) submits stories with links to the InfoWorld editors' (often thinly-disguised, e.g., "Fatal Exception") blogs. It makes sense for InfoWorld to turn this character Childs into some kind of hero/martyr, because tales of hero/martyrs sell newspapers, and that's what InfoWorld is: A newspaper aimed at Tech Center guys.
You are exactly the type of citizen who has driven the service out of public service and provided us with less than mediocre CYA specialists who have no conscience and no clue. Terry Childs, despite his apparent meglomania, had a clue and a conscience. After he is cleared of all charges, the Mayor should appoint him to teach the other civil servants what service really means. (and that might be the only way to keep from getting sued for millions of dollars for malicious prosecution.)
I think his point was more along the lines of "you seem to have something interesting to say, but should learn to type." - so I think that means he wants to read what you have to say; perhaps it is interesting. However, lack of following the conventions in a conversation is actually contraindicated.
Simple solution, it's called chain of command and works pretty well in static, bureaucratic organisations.
Simply put, you only accept commands from the manager in line or his/her superior.
Although your superior superior (etc. )is allowed to break the chain, it is frowned upon and definitely communicated across the chain.
So unless the manager of accounting is one of your superior superiors, though luck, (s)he should contact his/her superior until there is one who shares both chains.
If consumed, best digested with added seasoning to own preference.
but you are failing to address what the system actually ran
i think you would agree that the guy shouldn't be thrown in jail if the system in question ran a nuclear power facility
and i agree with you the guy should not be thrown in jail if the system in question ran a greeting card company (that's a civil matter: no jail, but he should be sued for substantial damages)
however, if the system ran a public utility, the man deprived the public of their rightful access to public property. that's a punishable criminal offense that very definitely requires jail time
come to think of it, i reverse my earlier statement: even in the greeting card company, you are depriving someone of access to their own property. so yes, jail time there too
i can take your computer off your desk. that's obviously theft. but what if i changed your password and put a postit note on your computer saying "i don't think you have a right to run your own computer, come talk to me first"
that's the same as if i had taken it physically: i am depriving you of your property, which is as criminal as physically taking it
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
> child's job description did not include the self-appointed position of deciding himself who should have access to the network configuration
You are probably correct. But his contract/terms of employment should have been such that the city could sue him for the $125k/yr he was getting paid in the case that he changed the passwords from a configuration known to the city (to deal with the case that he would die unexpectedly). I have a suspicion that the city wasn't smart enough to make turning over the network administration (or at least having a contingency plan for the event that Childs would die) a contractual condition of properly finishing the work of designing the network.
In simple words, his manager(s) were also incompetent. But they aren't going to be looking at jail for it.
It is up to the legal system to determine whether he committed any crimes.
So far, all you have is the accusations and even 3 of those 4 were dropped. So "he deserves punishment" for things that no one is now claiming he did?
Weird.
Perhaps, and it is indeed your right to ignore the grammar rules of the the language you are writing, but you also have to be aware that anyone reading it will naturally make judgements about you because of that.
Capital letters and punctuation are not just "convention", they do help with reading comprehension in the same way that paragraph breaks do. I don't think that ignoring the grammar rules just because you don't like them is an any way superior; as the GP said, it makes you look like an ass just for the sake of it.
If I'm one of the "bunch of assholes" (presumably everyone who uses capital letters correctly) then so be it. Rather be an asshole than come off looking like I don't know how to write.
Your final point jumps right back to what the original poster was talking about that you seem to have missed (hey, maybe there is a connection between people who don't write properly and low comprehension skills); you obviously want to contribute to this discussion and taken seriously, and make no attempt to actually make your posts easily readable. You're no different to the no-paragraph posters; people will just skip over your post without reading, or they'll get part way in and then dismiss it because you simply cannot write (from observation - who knows if you can or not since you don't show it). The content of your post is diminished.
You may have the opinion that good writing doesn't matter, but I'm afraid that it does.
Incidentally, the use of imperial over metric is not the same thing at all. Your bastardisation of the English language because you think it is superior is the same as going down to the hardware store and asking for a metre of timber, where you have defined a metre as the distance from your shoulder to your fingertip. Metric and imperial systems have conventions. If I say I want 1M of timber I'm not using the metric system accurately, since the SI symbol for the metre is m. If I say I want 5"6' of rope I'm also not using the imperial system correctly.
Invent your own language with its own grammar rules if you like, just don't pretend that ignoring the bits of a language you personally don't like as the superior method, and simultaneously complain that anyone who uses the rules properly is an asshole; it makes you look like a dick.
And yes folks, I realise I have a monster run-on in the middle of that with more than two clauses. So sue me, I started this addendum with "and".
Mr Childs gave the password to the Mayor, the only person he felt was authorized to receive it. He's been held for 18 months now and needs $5 million for bail, that's just crazy.
I know it doesn't make sense to you that he refused to give the password up to his manager. Childs was probably being overly protective. But i understand it from a military perspective. General Order #1 "I will guard everything within the limits of my post and quit my post only when properly relieved." Even if a general shows up and says, "ok, you can go home now." You better stand there and refuse. If the OIC/NCOIC relieves you or ends the guard, you may go. But like i said, i can understand what he did.. not that he did the right thing.
It will be interesting to hear the whole story when it's over. His belief that he was saving San Francisco from horrible mis-management could be well founded.
http://soylentnews.org/~tibman
So by your reasoning, he could snatch up anything in the office before they said "your fired", and legally keep it? Hell, by your reasoning, he could simply start snatching up company property with the express intent of getting fired for doing so, but he would still get to keep his parting gifts?
I don't think so...
my comment specifically addresses the final charge that remains
so are you just exercising your propaganda writing abilities or do you not understand the fucking obvious about your own link?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Stop spreading your FUD.
[...] by an authorised official [...]
He did not refuse to hand the passwords over; he just followed city policy when a non-authorised person asked for the passwords. The proof is in this comment: http://news.slashdot.org/comments.pl?sid=1139735&cid=26979667
The word authorised has a clear meaning, and the person he refused to give the passwords too was certainly not authorised. I'm pretty sure if he gave out the passwords, they would have fried him for giving them to a non-authorised person.
This whole story is just a city official using his power in a ridiculous way, and the admin fighting back. Btw, the bail was $5 million, whereas bail for murder is only $1 million. Seems like the SF network is more important than lives of civilians...
Isn't the reality of the scenario that official policy stated that he was only to provide that information to a very specific list of people, and he was unwilling to do so to his manager (who wasn't on said list) or over a teleconference (where he could not verify all receivers were on said list) but did so when presented with an opportunity to do so in accordance with the policy he was supposed to follow in the first place?
You make a wonderful point, it boggles me how many posters here seem to be fine with the idea of letting the city burn if you were following the rules like a good little citizen that never questions those in power.
so now i get daily emails about how LA and other local governments are going with Google Apps and Gmail. I bet a lot of it has to do with the fact that they can let their unionized admins rot in a hole doing nothing while progress happens
That's OK. If one accepts the premise that a good work environment (some say Google has one) improves productivity, then the end result should be really happy IT folks providing great service at an unbeatable price.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This is how physical property and intellectual property differ. Those things all belong to the company, and it let him use them. He left them there when he left. The passwords belong to the company, and it let him use them. When he leaves, are you saying he has to have his memory wiped of all that companies IP? he left, it's now "their" problem. he didn't deprive the company of their passwords by "stealing" them, the company misplaced them and he has no obligation to help them look.
I'm explaining this horribly badly, I know, but still, I feel he has no obligation once he's been fired.
They fired him then asked for the passwords.
Seems pretty clear cut to me. He didn't even work for them and they were trying to force him to still do labor?
He had high security turned on that blocked password recovery as some of the network stuff was out in open at some sites and not in a locked room. With the high security you have to do a full reset to get back in without a password.
Not only that, depending on what routing protocol he was using it most likely used authentication. You would have to take down and reconfigure every single router all at once or they would not communicate and share routing tables.
Posts not to be taken literally. Almost everything is sarcasm.
You know I had wondered why I stopped reading slashdot, then when I come back I find this story which is about as balanced as Fox News and I remember why. It is not a 'fact' that the DA has done no homework on the case, that is a speculative claim from what appears to be a highly partisan source - a journalist who snagged an interview with the perp and wants to retain access. The guy tried to hold the city hostage. Venezia fails to mention that in his bizarrely one sided account. Specifically, the guy had changed the passwords on the routers and refused to tell his employers what he had changed them to. That is, or at least should be recognized as extortion. The employers paid Childs to administer the system, they had a right to expect him to do so honestly and in a way that would allow them to use their property if he was not available. The guy is lucky not to be up on federal charges. The water treatment plants were amongst the infrastructures that he disabled. The incident does demonstrate a security risk that is often given insufficient consideration: failure to maintain control of the system.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Using your door analogy where he is the custodian, imagine that company policy listed who he's authorized to give his key ring to, and the person demanding he turn them over AFTER arresting him on trumped up, later dropped, charges of corporate espionage, wasn't on the list? He'd be breaking the law to hand it over to her, said as much, and said he has to turn them over to somebody on his list of authorized recipients.
ASCII stupid question, get a stupid ANSI
yAAh fKc cuNVEnTiONxxs i tYp HoW i WAnT 2 dUn Giv NO FkS bOuT Any1 THinX
child's job description did not include the self-appointed position of deciding himself who should have access to the network configuration of a public utility.
rIGHt , tHE seCURitY pOLICY - he WAS OperATIng UNdER preVEnTED . HIM FRoM revealing THE paSSworDS SO IT WasN''T seLF-APPOINTED (
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
They didn't 'misplace' them. They knew exactly where they were placed. Obviously they did not have the passwords in their possession, hence the very reason for this man's arrest. They don't require that he 'wipe his memory'. The law does require that he surrender the information.
It is well established that inventions or other IP created while under the employee of a company are the exclusive property of said company. There are countless cases that state this VERY clearly. He doesn't have a legal leg to stand on.
By your logic, he could write the passwords down and bury it in some hidden location on their property to claim they are in possession. The law would laugh you out of court (and I daresay you know it).
On a side note: Yes, your explaining it 'horribly badly'.
Network admins that "own" their networks. Server admins that "own" their servers. DBAs that "own" their databases. Developers that "own" their code. The list goes on. The IT community is full of narcissistic prima donnas who believe no one can do the job better and, therefore, should be elevated to demigod status and allowed to do whatever they want, however they want, with no scrutiny or oversight. No, I'm not saying all IT folks are like that (though I think we all have a little of that within us). Rather, there are the few who see themselves as above all others, including company policy or even public law. Don't get me wrong--there is a place for the Terry Childs in the world, but allowing him, or any of his ilk, to work without restraint is the fault of management. Period. Terry Childs may be a rogue, but his management allowed him, nay, encouraged him to be so. Now, they are lamenting the fallout of their bad decisions.
I don't blame the Pit Bull when it attacks and kills a child. I blame the owners. So does the law. Terry Childs is no more than a Pit Bull. A lot of talent and protective aggression locked up in a single-minded personality. No one controlled him, and he did what he believed to be right. Was he right? No. Should he have turned over the logon credentials? Absolutely. But he should absolutely NOT be blamed for the mess he created. His managers own that. Any manager who thinks they can trust an egotistical, almost maniacally single-minded personality to do what is right IN THE LARGER SENSE is asking for trouble. I know. I made that mistake as a young IT manager years ago, and we paid the price for my lack of oversight and overeager willingness to blindly trust.
I could read what you write, but I don't, because I think you're an antisocial ass who breaks convention just to feel special. Guess why.
I sure as hell hope that you never wind up on a jury for *anyone*.
Your experience may vary, but in my dealings with Americans about 30% of people think like this gentleman.
They are more concerned with punishment for moral abuses or perceived wrongdoings than with what they would call "technical legalities"
tell me all about hurling insults from a position of anonymity and what that has to do with being an antisocial ass. i'm fascinated
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The CCIE is comprised of two tests. The first is a written test taken at a standard testing center, IE Pearson VUE. Once you have passed the written, you can then take an 8 hour lab test as a Cisco facility. Passing both will grant you a CCIE.
Cisco's rules for CCIE re-certification require a CCIE to pass a CCIE written test every two years to maintain certification. You do not have to take the lab test again unless you fail to pass the written in the two year time-frame.
Given he has been in prison for 18 months, I would speculate that he will miss the 2 year deadline. I don't see Cisco making an exception for him either.
Which is a shame, because as a Network Engineer, I feel he did nothing wrong. Of course, even if he wins the trial, he has still lost a lot due to the personal costs involved.
RTFG - Read The F#$%ing Google!
The real crime was that the boss didn't have the passwords before he was terminated.
All our passwords are written down and locked in my boss's safe and updated regularly as I change them. If I get hit by a bus, they won't have to hack, reset, or sleuth around for the passwords like I did when I was hired, months after my predecessor had left.
People of slashdot, this is VERY VERY simple. Go to the boss, the highest you can barge in on, hand him in writing your objections and the passwords AND your resignation. Have them signed and don't look back.
NEVER EVER try to be clever within the system, you cannot win.
Always do this especially when working with government or semi-government (Huge companies that either were once state run, work mostly for the state, are run by ex-state people or because of their size have become ministates. You know the type, where people were ties, even when they are not.
This guy tried to be clever. It never works, you are never clever enough and the system knows how to deal with clever. Instead be smart, get out.
This guy really should have just done as said above. Hand it off and get the fuck out of the way.
There is good money to be made in this segment of the market, but only for those who can play the game and the first rule of the game is, don't get into the game if you don't know the rules.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Hopefully the next employer will know the details of this story (as they will be directly related to the line of work he manages) and will know that Terry was following policy by not divulging passwords to anyone but the Mayor... Which he did at the first instance of being asked by them.
This man sounds like he takes pride in having everything done by the book, and doesn't bodge or workaround issues which shouldn't be worked around. Ideal admin, IMHO.
You can bet that his documentation of the infrastructure he managed is pristine.
Finally had enough. Come see us over at https://soylentnews.org/
If I leave/am fired from my current company, are they allowed to ask me for the passwords a week later, because they lost them? and if I've forgotten them? do I end up in a court case for stealing? No, the company would be "laughed out of court"
The IP is the companies, but they can't stop it from leaving in the minds of the people who leave the company. That's why there's usually clauses in contracts against using information to benefit a competitor.
Also, by my logic, he could do just that, unless, while in the employ of said company, he was ordered to reveal the passwords.
It sucks to be them, but they only have a leg to stand on if they demanded the passwords BEFORE firing him.
He had high security turned on that blocked password recovery as some of the network stuff was out in open at some sites and not in a locked room. With the high security you have to do a full reset to get back in without a password.
Which I would like to add is a standard Security Practice according to the DoD rule's for Network Security. As a CCIE and a person who understands Security, I would have expected nothing less from him.
RTFG - Read The F#$%ing Google!
The law does require that he surrender the information.
Citation please. And not some bullshit about IP, because I have yet to see someone quote one decent case with any precedence that associates passwords with IP in any kind of scenario close to this.
I'm sorry, but it's the responsibility of the company to lock his account and change the passwords the moment they walk him out the door. Just because they have no clue the proper thing to do in the IT industry doesn't mean that they can throw this guy in jail because they fire him then expect him to divulge information. When I quit a company I am expected to give back any IP documents, I'm not expected to brain-dump once I'm out the door. What would have happened if he would have went on vacation or been unavailable? Would there have been a warrant out for his arrest when he got back? It's ignorance on the part of the company, and rather than admit this and try to fix it they are prosecuting. They messed up, pure and simple.
The case is falling apart and everyone knows that.
yes, but it isn't what you think. also bad bad analogy.
1) the passwords were classified and he violated federal law by gving them out.
2) the person requiring the turnover wasn't the owner, the citizens are the owners.
he was bound by contract to never surrender the passwords to anyone including higher ups. the only person who should have got them would be his successor at the time he subscribed to a similar contract.
a much more fitting analogy would be the major requesting a copy of the master key from the facility management of a public building. he wouldnt get it, but he would get in under supervision of someone who signed all the contracts for it.
Did you miss the entire story???
He was asked by someone NOT ON THE LIST of people who had the right to ask him the passwords.
It doesn't matter if he was asked by the Chief of Police or the state AG. If they weren't on the "need to know" list, they weren't going to get it.
Or is it good enough that someone in a police uniform and a badge asks you for system passwords and says he cleared it with your boss (who isn't available to query)?
The door analogy is horrible. In this case it was more like he had the keys to the box that let him change access codes to the automatic door system for a building. The building never closed, the doors all functioned normally. Except for the manager who couldn't get to the controls, everything worked normally for everyone else.
Will people please stop posting that Terry Childs was "being an ass about it"?! He didn't give up the passwords to his supervisor because policy prevented it. It would be a breach of contract (potentially criminally negligent) for him to divulge the passwords requested to anybody but the Mayor.
Guess who got the passwords as soon as they asked? That's right!
THE MAYOR.
End of subject, folks. Stop posting about him "being an ass" or "getting what he deserves" or "setting a bad example." He set the best example by not caving in and handing the "keys to the realm" to some new face he didn't know the technical knowledge of, and was specifically prevented from releasing by the very policy which kept him employed.
This is a PR campaign to save face and nothing else. Someone high up the food chain did something idiotic (calling the police instead of HR / legal dept) and blew things out of proportion. Now they have to see it through, or they'll look like fools and lose their jobs. CYA territory.
I hope the lot of them are fired, and Terry gets to sue every last one.
Finally had enough. Come see us over at https://soylentnews.org/
You are absolutely 100% right. And? What is Childs then guilty off? Being a jerk? An asswipe? An idiot? If that was a crime the jails would be full... fuller.
The case is insane and yet already Childs has served 18 months in jail because of it. For what?
Danger to security? What danger? If he is to blame then so are the people who were supposed to control him.
What we got here is someone who made some really dumb choices but the result of it all has been nothing. He should pay for it, but 18 months I think is more then enough as well as the fact that nobody will every hire his nutty ass ever again.
He never should have done what he did, but neither should he rot in jail for it. or can we lock up every overzealous politician and prosecutor as well? It will be standing room only in the jails.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
They asked him for the passwords before he was fired. He didn't claim to forget them, he simply told them no.
Am I missing something?
Perhaps you should stick to the actual facts in the case?
> child's job description did not include the self-appointed position of deciding himself who should have access to the network configuration of a public utility.
Correct. District policy, however, apparently included providing the password to the mayor, and ONLY to the mayor. This is exactly what he did.
What a depressingly stupid machine.
He didn't decide for himself, he was following written policy.
If I hire a general contractor to build my house and I instruct him to hire you to key the locks, he is your boss, but he is NOT entitled to a copy of the keys.
So which is it? Do you deliberately ignore grammar rules because you think it's "a useless convention" or to "filter out brittle minds"?
What happened to ignoring capitals being the measure of a superior writing system? Now suddenly you've instead claimed it is a "simple minds filter" to weed out people unworthy of attempting to read your words. It's interesting that you correlate a simple mind with one that has to put in a little more effort than usual to read a passage of text. It's not about understanding the content, it's about the way the brain works when it reads ahead. The capital letters do serve a purpose that you are ignoring.
I personally think it's because you're lazy and the whole "breaking with useless convention" angle is just an excuse.
Novelty in writing style is all well and good when done properly, but don't try to claim that's why you do it. Novelty in writing style is something like Portrait of the Artist by Joyce, which changes substantially as the book goes on to the point where it becomes like treacle by the end, or sticking to an iambic pentameter (love or hate either, they're merely examples). It's not just choosing to ignore capital letters. There's no novelty in that whatsoever; if I wanted to read prose with no capital letters I'd just browse livejournal or facebook for half an hour.
Again you come back to the point that people who obey the rules of grammar have nothing to offer. I beg to differ, and would not necessarily claim the opposite (since it it clear that even illiterate people can be remarkably smart).
It boils down to people judging your content based on your laziness with grammar.
Bail should be set as a deterrent to flee before a trial is finished, not to keep someone indefinitely in a cell.
And this is probably why they did it. His bosses probably knew (or were told by their lawyers) right off that they didn't have a chance of convicting him of anything. So they used one of the standard legal ruses to keep him in jail while they delayed the trial. It's not especially unusual for people to be jailed before a trial for longer than the longest legal sentence. It's even done when conviction couldn't get a jail sentence at all. The idea is to keep someone in jail as long as you can, by any means that will work. Then it doesn't much matter if the court exonerates them; you've shown that you can incarcerate them sufficiently long without a trial.
Parts of the US Bill of Rights were designed to prevent this sort of imprisonment. It hasn't worked very well in this case. And it's not the first time that such things have been done in the US. Anyone not aware of this problem is naive and ignorant of history.
The only real question is whether he can get restitution from the courts afterwards. History says he probably won't.
This sort of story is why I gave up on security/admin jobs early on. I read some stories similar to this, and figured out that the non-technical people above my immediate boss were highly likely to pull such stunts, perhaps with me as a chosen victim. The only way to win that game is not to play it, because the higher ups can see all the cards and do all the shuffling. Of course, when I and thousands of others started figuring this out, it inevitably led to our current sorry state of widespread computer insecurity.
One thing we might add to this story is a question about whether SF will be able to hire a competent person to replace him. I certainly wouldn't want to interview with them, except maybe to see if I could get some inside information about their current policies (after which I'd simply ignore any job offers).
One thing I'd suggest to anyone in his position: If your superiors demand that you give admin passwords to non-technical people, you should hand in your resignation along with the passwords. Tell them right out why you consider this a threat to your own legal safety as well as the computer systems. Chances are they won't be surprised, because they knew what was planned. After all, anyone with the root passwords can edit any file and fake lots of evidence, including the timestamps on files.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
i could read what you write, but i don't, because proper spelling, grammar, and capitalization doesn't impart content, unlike content.
If there's no law to fit his "crime," then by definition there is no crime committed.
You do realize that it is possible to legally do wrong without committing any specific crime?
Tort? Misconduct?
Laws vary by jurisdiction, and the devil is in the details, but the lack of a 'turn over passwords' law on the books means very little. There exist catch-alls for this sort of thing in both civil and criminal arenas.
>It is well established that inventions or other IP created while under the employee of a company are the exclusive property of said company.
Ok, so he can't give the passwords to another company or publish them. He's still not under any obligation to tell them the passwords after he's been fired anymore than a programmer would be obligated to tell his company the source code for some proprietary application after he'd been fired.
What if next week they lose the passwords again...should he be compelled once again to tell them the passwords? No. They should have had a system in place to document this kind of information.
Don't take life so seriously. No one makes it out alive.
To punish him for breaking no laws would be absurd and your assertion that he should is equally absurd.
While I think the thread's parent is a bit of an idiot, I think THIS is the point where alot of the disagreement comes up.
Ideally, we should be trying to uphold the spirit of the law, not just the law itself. We make laws as "general" as possible so that they are easier for the public to understand, and that way there doesn't have to be a trillion different laws to cover every single scenario, which no person could memorize each one.
What we should be asking isn't "Did this guy break the law and deserve punishment" but rather "Did this guy do something morally wrong and deserve punishment". When people are able to dodge laws and abuse the system, everyone else loses. And I don't know about you guys, but I hate losing.
Apparently all Childs had to do was give the mayor the passwords. Perhaps it has to be done in writing and in person to limit the possibility of social engineering. (I don't know the specifics of the policy.)
However, mayors have busy schedules, so this probably wasn't very convenient. This doesn't entirely explain why they threw him in jail, though.
I'm trying to envision the conversation here between the new boss and Childs.
Police: We can make it all go away, Mr. Ander-uh, Childs. Give you a fresh start. Just work with us here.
Childs: How about I give you the finger *flip*, and you give me my phone call?
I'm guessing Childs was less than diplomatic about his refusal to hand the passwords over. It was probably fun at the time, but after 7 months in jail I'm guessing he regrets it. (I would)
I do agree that the treatment he has received does NOT justify the apparent "crime" but nevertheless this is a good lesson for the kids here:
Don't be an asshole. You might find out you're pissing off a bigger one.
Sure, it's plumbing (just a series of tubes?), but when unqualified people are allowed to mess with the regulator, the water heater can burst.
If the painter asks him how to crank it to 150 p.s.i. he is perfectly right to insist that he will tell the home owner and ONLY the home owner how to do that (and why he shouldn't).
> He is still obligated to supply the passwords as they are not his property.
You cannot be obligated to remember something. If he had had a stroke, and was incapable of remembering the passwords, do you believe that the city could sue him or jail him for that?
My reading on this fiasco is that he had something similar to a nervous breakdown which made it impossible for him to deliver the passwords on demand. Other posters here have stated that it was actually against his employer's policy for him to give the passwords to the person asking for them. In that case, it was kind of the "give the computer a nervous breakdown by contradictory demands" scenario, a la Star Trek and numerous other SF works.
There are very good reasons the Constitution forbids making up laws after the fact (ex post-facto laws). If there's no law that covers it, that's the end of it. The legislature is perfectly free to pass a law covering that action in the future so they can prosecute the next guy.
He didn't do that though. He told the managers that he would turn the password over to the mayor (the OWNER's duly elected representative). A few days later, the mayor asked him for the password and, as promised, he told him.
Shameless copy paste, but linking as a good article:
http://blog.american-helpdesk.com/2009/09/03/terry-childs-political-techie-prisoner.aspx
Terry Childs, Political Techie Prisoner .
As a techie and having gone to school for broadcasting, I have been particularly interested in the San Francisco Network Engineer who has been in jail for allegedly hacking SanFran's network. From what I have read on the issue, it sounds more like a lack of competent management, following of ITIL rules, idiot reporters, poor HR, political bullying and typical lack of understanding/fear of technology and now a complete disregard of the 6th and 8th Amendments to the Constitution
To give a brief history, 14 months ago Terry Childs was the lone CCIE working for the City of San Francisco, one of the largest cities in the country. He administered all of their networks, data and voice. Apparently, as the only CCIE (certified cisco internet engineer) he worked long odd hours and typically was not the friendliest of people but from all accounts, a very, very good CCIE with a security minded implementation of the network. He took pride and ownership of that network (perhaps too much ownership).
Due to his unfriendly nature (probably due to the fact he had no backup, ITIL process break number one) he was not liked by his non-technical manager. When asked to give access to non-certified and non-technical team members, HR and politicians and police, to "help" he refused as part of the City policy (http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf). He did give them viewer access so they could cause no harm. Apparently, as the only person on-call and qualified to work/fix the network, he had been burned by previously giving passwords to low level techs who decided to play on the network and had to fix network issues in the middle of the night/day.
There of course was no master password database with the CIO (ITIL process break number two) when the manager fired Mr. Childs. He was hired back after the firing broke union rules. Note: they didn't ask for the passwords before firing. Once back, from all accounts, nothing broke, nothing changed, but he did act more like a jerk. After more time he was fired again following union rules, then was asked for passwords (ITIL practice break number three). Under no obligation to give passwords, as he was no longer gainfully employed by the City of San Francisco, he declined. At this point his saga began as he was promptly arrested for 4 counts of computer hacking.
Over the next month, the City and its officials put out press releases noting the network was hacked, under attack, they expected retribution from Terry Childs remotely from jail, that he had monitoring devices setup to read their emails, he could take the whole network out at a whim, etc, etc.
Yet, the network never went down.
The city did hire in Cisco to try to break into their own network...which they were unsuccessful showing the above noted security conscious and skill as a CCIE he possessed. Yet, the network had no issues. His attorney noted he would give the passwords if he was not prosecuted and the city refused, so he sat on the passwords while the media reported all kinds of crazy unfounded theories that sound scary to the non-technical person.
The media reported of evil network sniffers, and modems waiting for remote command, and IPs set aside that were the only ones allowed to change the network in the configs, and passwords too complex to guess (oh and he had been arrested 20 years ago for theft). In reality, this is a standard secure network, sniffers are used to monitor traffic to adjust as needed and troubleshoot, remote administration is typically locked down and if you can guess a password...so can a hacker.
After a month the mayor, Gavin Newsom, met in secret with Terry Childs who gave the passwords up and the city finally
SO he has spent 18 months so far in jail, and will spend more.
Can he sue or get some collection to the damages they have done to him and his name? Isn't he suppose to have a speedy trial, and here he is, spending nearly 2 years in jail for what crime?
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
A woman sleeps her way up the corporate ladder and cries when the competent admin refuses to give her the passwords. This is just a bitch destroying a guys life.
-- Linux user #369862
I inadvertently missed a credit card payment, so the CC company phoned me.
In short, what followed, was a mumbling identification of person with several rapidfire demand for details such as dob, card expiry, address so he could "verify me as the card holder".
I declined to answer firmly, and I said I will call them. He got irate and made a terse comment. I then called the CC company. The pleasant woman explained the situation and problem resolved ( it was flagged "possible mispayment" because I am usually regular.).
The one surprise was she asked if everything was ok as "the last customer contact is tagged Customer was Abusive".
If you hold onto your guns and do what the banks say and never give personal information out over the phone or internet then in this case in turned to custard.
I have reported this incident, but i suspect someone need to do track covering, like I suspect they did in this case when the Admin did the right thing.
In post Patriot Act America, the library books scan you.
> The water treatment plants were amongst the infrastructures that he disabled.
This is the age of the hyperlink. Please provide one.
As for him deserving 20 years, it seems to me that it can never be a crime to forget something. In the same vein, it would seem to me that it cannot be a crime to be psychologically incapable of providing information. Other posters have claimed that it was even against his ex-employer's policies to provide that information.
I wonder if we will ever learn the real truth about this matter. It's fairly clear what version the city government would like to be revealed as the "the truth".
Other posters have claimed that the city's policies actually forbid him from divulging the passwords, i.e., "what his duties required him to do".
This case will be interesting. I cannot see how a US court can possibly make it a crime to not divulge information. OTOH, in some jurisdictions, it can be a crime (e.g., in the UK not divulging an encryption password to the court is a crime).
Wow this is hard to read.
If I hire say a lock smith to work on my house, and then they do not provide the key to the house but instead say rob it or trash it, there is all kinds of laws to fit those crimes.
This is much more like you hiring a professional lock company to fit your doors with their locks. They have master keys to all their cores, and they always will. If you don't want to do business with them any more, it's your right, but you'd better hire another locksmith fast (preferably, hire the old lock company for one last time to help remove the locks since they have the masters that can remove the cores).
...he really didn't have a right to do what he did and treating him like some sort of hero is just asinine and, much like Christmas, something I wish would just be overwith already.
Actually if you read some of the infoworld articles he did what the city's network policies/regulations/rules expressly compeled him to do. According to the articles, the only person in the city gov't that Child's was permitted to provide the passwords to was the Mayor! Fruthermore, when he was first asked for the root-level passwords he was in a police station conference room full of people he didn't know with an active speakerphone with who knows who on the other end of it. Nobody in that room, according to the city rule book was authorized to know these root passwords! He followed the rules to the letter and has been sitting in jail for 18 months for doing his job according to the rules. If you read some of the articles on this case, the technical/legal ignorace of city officals is astounding.
Honestly, won't anyone think of the Childs?
Bow-ties are cool.
http://blog.american-helpdesk.com/2009/09/03/terry-childs-political-techie-prisoner.aspx As a techie and having gone to school for broadcasting, I have been particularly interested in the San Francisco Network Engineer who has been in jail for allegedly hacking SanFran’s network. From what I have read on the issue, it sounds more like a lack of competent management, following of ITIL rules, idiot reporters, poor HR, political bullying and typical lack of understanding/fear of technology and now a complete disregard of the 6th and 8th Amendments to the Constitution . To give a brief history, 14 months ago Terry Childs was the lone CCIE working for the City of San Francisco, one of the largest cities in the country. He administered all of their networks, data and voice. Apparently, as the only CCIE (certified cisco internet engineer) he worked long odd hours and typically was not the friendliest of people but from all accounts, a very, very good CCIE with a security minded implementation of the network. He took pride and ownership of that network (perhaps too much ownership). Due to his unfriendly nature (probably due to the fact he had no backup, ITIL process break number one) he was not liked by his non-technical manager. When asked to give access to non-certified and non-technical team members, HR and politicians and police, to “help” he refused as part of the City policy (http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf). He did give them viewer access so they could cause no harm. Apparently, as the only person on-call and qualified to work/fix the network, he had been burned by previously giving passwords to low level techs who decided to play on the network and had to fix network issues in the middle of the night/day. There of course was no master password database with the CIO (ITIL process break number two) when the manager fired Mr. Childs. He was hired back after the firing broke union rules. Note: they didn’t ask for the passwords before firing. Once back, from all accounts, nothing broke, nothing changed, but he did act more like a jerk. After more time he was fired again following union rules, then was asked for passwords (ITIL practice break number three). Under no obligation to give passwords, as he was no longer gainfully employed by the City of San Francisco, he declined. At this point his saga began as he was promptly arrested for 4 counts of computer hacking. Over the next month, the City and its officials put out press releases noting the network was hacked, under attack, they expected retribution from Terry Childs remotely from jail, that he had monitoring devices setup to read their emails, he could take the whole network out at a whim, etc, etc. Yet, the network never went down. The city did hire in Cisco to try to break into their own networkwhich they were unsuccessful showing the above noted security conscious and skill as a CCIE he possessed. Yet, the network had no issues. His attorney noted he would give the passwords if he was not prosecuted and the city refused, so he sat on the passwords while the media reported all kinds of crazy unfounded theories that sound scary to the non-technical person. The media reported of evil network sniffers, and modems waiting for remote command, and IPs set aside that were the only ones allowed to change the network in the configs, and passwords too complex to guess (oh and he had been arrested 20 years ago for theft). In reality, this is a standard secure network, sniffers are used to monitor traffic to adjust as needed and troubleshoot, remote administration is typically locked down and if you can guess a passwordso can a hacker. After a month the mayor, Gavin Newsom, met in secret with Terry Childs who gave the passwords up and the city finally was able to get back into their networkwhich still hadn’t had an issue nor went down. Yet 14 months later Terry Childs is
You've obviously already prejudged him. "He committed a crime".
But it's an open question, legally, whether refusing to divulge passwords constitutes "denying service ... to authorized users" of that network. The "denying service" charge is, after all, the only one of the original charges that hasn't been thrown out by the judge.
I think everyone agrees that the employment separation could have been handled more calmly and professionally. But what's of more legal importance are the post-separation consequences of Terry refusing to hand over the passwords. Was there a "denial of service"? Or not? If Terry's former managers wanted to minimize the "denial(s) of service", presumably they could have carefully reset-to-default and reconfigured the pieces of the network infrastructure for which they didn't have passwords. Sure, that might be costly and time-consuming, but that's what you get when you force out your main network wizard under tumultuous circumstances. Maybe they'll think twice about it next time...
Of secondary importance, I would think, would be Terry's intent in refusing to hand over the passwords. Did he intend, by doing so, to cause a "denial of service"? Or, did he have a good faith belief that divulging the passwords, to the person or persons requesting them, would actually cause more harm to the network -- more "denials of service" -- than keeping them secret?
Let's not forget that Terry did eventually divulge the passwords to the mayor. So it was really more a question of "who" and "when", than "whether" he would eventually give them up. He may have believed that Gavin Newsom was the only person in the city administration with enough clout to hold the network staff responsible if they took those passwords and used them to make a complete mess of the network that Terry worked so hard to build up.
The progress of the trial should be quite interesting. Despite circletimessquare's superficial analysis, there are some important legal and ethical issues being tested here.
You can install the 200 copys of MS Office and call the bsa and you get off clean.
He did not have user password he had group passwords that where needed to do his job and else touch his precioussssss network? no they where cutting jobs and there are no other person to work on the network with him.
What if a CEO or VP of air line asked the pilot if he can fly and he is not certified to fly that plane / does not have a license? The pilot can say no lock the door and even if he fired on the spot he can't just let any one fly seem like Terry was in the same place.
Ok, that somewhat answers my first question, but what about the second, and a 100 other business ethics examples I could come up with that the BSA doesn't solve?
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Oh, Please! IT infrastructure is the plumbing of the 21st century. This guy is a plumber. It is not his job to decide who should or should not have access to the network any more than it is the job of the master control technician at NBC to decide what to air at 8pm on Thursday nights.
So, let's run by this completely hypothetical scenario then. Say, you are in charge of the plumbing at a facility called "Chernobyl" and your supervisor is asking you to run a few tests, that violate the security protocols.
Since he's just a plumber (or operator) I guess you're with the Chernobyl supervisor here... enjoying the glow-in-the-dark effect...
Terry Childs said no. I'm with Terry. Policy isn't there to be ignored the first time someone tells you to. Especially if the policy is much smarter than the person telling you to ignore it.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
In some institutions the security rules are absolutes. I think it sounds like Childs did exactly the right thing: he obeyed the security policies of his organization to the letter, since he would be criminally liable for not doing so. :P
I know when I was in the military and handling TS documents, we had clear rules as to who was allowed access to material and facilities and when they were allowed access. If I had failed to obey those rules I would have been liable and punishable.
He really didn't have any choice in the matter IMHO. Now there are lots of people who seem to subscribe to the idea that "Your Boss is an absolute despot with all rights over your person" concept of employment, and I am sorry for them. I hope I never have to work in an environment like that. As long as there is a clear policy over who is granted the rights to security information, and the employee follows it, I don't see the problem.
This is a case of people who are clearly unknowledgeable about their own security policies being given too much authority - and incidently proving Child's point that they were not skilled enough or responsible enough to be entrusted with the the "keys to the kingdom" - and he wasn't authorized by those same policies to hand the passwords over in any case.
He is damned if he did and damned if he didn't. If he had handed them over against policy, and anything had gone wrong, he would have been held liable and ended up in jail on charges.
I don't honestly know why this is being blown so much out of proportion. I sincerely hope he is exonerated and compensated for the time he spent in jail.
Of course in our modern corporate climate, I expect he will be nailed and sent to jail for 10 more years. I don't expect justice in NA these days, it just seems too optimistic
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Crap CTS, you are simply lazy.
We all know it and your pathetic excuses for your incomptence frankly are ridiculous.
Grow up and learn to write properly, and more people might read your posts
Can't be jailed based on the "preponderance of the evidence". That's civil, not criminal. Criminal is "beyond a reasonable doubt." So if it's one persons' word against another, all else being equal, a conviction just isn't possible. So kindly FOAD already with your stupid counter-examples. You don't know what you're talking about, and it really shows.
Then again, you didn't know what "due process" was either in another thread ...
I will bet any amount of money on it that he is a soulless robot like most of the posters on slashdot.
Audits, by their own nature, have to be heavy handed some times.
How are people supposed to know if you are following procedures if the procedures are not tested?
IANAL but write like a drunk one.
"Your *boss* tells you to do something? Then you fucking do it! "
Anybody that has worked in any middle sized company or any multinational corporation knows that what you are saying above is completely and utterly incorrect in many cases.
There are many situations in which you are not supposed to obey your boss, and in some very unpleasant ones you are even obliged to follow procedures to report your boss' behaviour to compliance authorities in your own company.
If your boss tells you "lets go and rob that old lady crossing the street" would you also do it? Do you think you would be exonerated in a court of law?
Some people really should think first when they write (and the moderators should also pause some times).
IANAL but write like a drunk one.
There are a few bits, data. You can't steal data. Get that into your head please.
Why the company didn't have a copy of them?
Why their exit procedures didn't include to ensure all necessary passwords were handed over (in reality the correct procedure would have been for the passwords be known by somebody else or stored in a secure location to which other pople in the company could have access).
IANAL but write like a drunk one.
You follow your company's policies.
If your company does not have policies for this:
a) They are a bunch of amateurs. ... now!
b) They should start writing them
And BTW, all this should be requested formally (in writing or by means of the internal change management procedures or problem ticketing system).
IANAL but write like a drunk one.
The information presented is a bit one-sided because it comes from the criminal investigation of Mr. Childs, but it's half of the story. The half of the story that arrogant geeks on /. don't want to hear because they all assume that Mr. Childs is just a misunderstood genius who was just doing his job and was persecuted for it. Projecting, much?
Much of what's in the affidavit is conjecture, opinion, and hearsay, but if the core of the matter is that SF County policy was indeed that security was charged with keeping a database of passwords, and Childs thought he was above that policy, he was probably wrong, regardless of all the other crap that they're trying to pin on him.
Sorry, couldn't help myself.
I dealt with SF city bureaucracy on a daily basis- specifically, as a researcher in civil and criminal court- for six years, and I got to do things that I'm fairly sure were entirely against policy...for example, when I had to do copy jobs that exceeded 500 pages, I would hand over my ID and get a pass to go in the back to do my work. They do this so the public viewing area won't get clogged with photocopiers, fileboxes and what not.
So far, so good...here's where I start to question their judgment. Now, I don't know if it's because I have an honest face (I'd like to think so) but I was allowed to go pull my own files out of the stacks. This saves the clerks time, because sometimes I would need to pull dozens of volumes to get the documents I needed. This is probably legal, but for obvious reasons it's not a very good idea.
When we were finished with the files, we were supposed to put them on a cart and either leave them in the station with a note on them saying "Not done yet, please leave these alone" or to wheel them back to the returns area so they could be refiled in the stacks.
However, oftentimes I would be asked by the clerks if I could, you know...do them a favor and put my files away when I was done viewing them. Again, there's probably no rule saying that this isn't allowed, but you'd be surprised at how easy it is to screw up a relatively simple numerical filing system....hell, the clerks did it all the time. Fortunately for everyone involved, I can count and was familiar enough with where everything went- every time you pull a file, it gets replaced with a card that has your name on it so they can yell at you if it turns up missing. Since I never got yelled at, I'll assume I wasn't part of the problem.
In retrospect, it seems really irresponsible on the part of the clerks that allowed me to do this even though it was convenient for everyone concerned and I demonstrated that I was trustworthy (and smart) enough to be left to my own devices...but it made me realize that it's not inconceivable for someone to go in there with a photocopier and a job sheet and throw one hell of a monkey wrench into the SF Superior Court filing system.
The comments to date seem to ignore the fact that Childs was being fired, and THEN refused to hand over the passwords. Suppose a police officer refuses to hand over his gun and badge, and keys to the jail when fired, but decides to hold the whole town hostage to his physical control over the gun and jail? We would pretty quickly label that (former) police officer a terrorist, and pretty quickly get state and federal aid to retake control of the town. Similarly, Childs has held the City hostage by refusing to turn over the passwords. I'd call that cyber-terrorism. I wouldn't feel too sorry for him if they put him in Guantanamo. I've been in this industry for 20+ years, and its just crazy to think that one can prevent being fired (and force firing the supervisor instead) by refusing to turn over the passwords. That nonsense about the "Mayor" is just nonsense: Child's supervisor is the authorized, delegated representative of the Mayor. This dispute wasn't about getting an audience with the Mayor. My view is that Childs was trying to force them to fire the supervisor and to employ him. The City's only mistake was to allow the situation that only one person has the passwords. One person is just not that trustworthy.