Slashdot Mirror
The Trial of Terry Childs Begins
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?
between this genius who thought everything belonged to him and people like I met in my 1 year of working as a consultant for a government agency it's not wonder government is outsourcing. i met this one admin years ago who refused to let his NT domain be part of the larger NT network and it caused all kinds of permissions issues. funny thing was that because of the union rules they couldn't make him do it. and the only reason he refused to let his NT domain work with the others in the organization is because he wanted his own private island to manage that the other admins above him couldn't touch.
so now i get daily emails about how LA and other local governments are going with Google Apps and Gmail. I bet a lot of it has to do with the fact that they can let their unionized admins rot in a hole doing nothing while progress happens
The owners of the network are the public. An employee should act in the best interests of the employer at all times -- even if doing so conflicts with the views of immediate superiors.
If you hire the man to take care of your house, and when you ask for the keys back he refuses to give them (or even a copy of them, in this case) to you... well the house is still in the same place. The furnishings are still the same as before.
But you don't have access to your property. Someone denying you access to property that is lawfully yours by denying you the means to entry which you lawfully own... That may not be theft, but it's pretty damn close.
Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.
"Administrator" groups for Windows machines
Multiple root SSH keys and/or Kerberos logins for Unix boxen
TACACS user-based authentication for routers.
If the dude just left and said "I'm done with you folks, no I'm not handing over my passwords", then fine...go into the user admin system, nuke his passwords and get on with your life.
If the dude deliberately went in and reset passwords and changed network access before walking and then tried to blackmail the city, then that's sabotage/blackmail/downright illegal and should be punished.
If the dude walked out without giving passwords to anyone and the system was poorly designed so that admin passwords had to be forcefully recovered via single user mode or the like, then the city should just eat crow, lick their wounds, and install a real network AAA system.
What would have happened if the dude had been run over by a beer truck on the way to work? Would the city have been screwed as well?
Dude.
This guy denied access to the owners of that network. Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing. Hell, it's not a stretch to say that for a time, before they recovered it, he had stolen the entire network from them.
Take your word smithing and semantics and stick 'em where the sun don't shine. What he did was wrong for it, and he needs to be punished.
What do you mean "Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing." That's exactly what it means. If there's no law to fit his "crime," then by definition there is no crime committed. Perhaps he's guilty of being an asshat, but doesn't mean he's criminally liable according to your definition.
It's quite a stretch to say he had stolen the entire network. In fact, it's absolutely false. They could have done a hard admin reset on the routers and affected systems and been back in complete control of them. They chose not to, for various legitimate reasons, but the network remained in the possession of the legitimate owners.
You complain about word smithing and semantics yet that's exactly what you are doing. What he did may be wrong, but the question as to whether any laws were broken is far from a given. To punish him for breaking no laws would be absurd and your assertion that he should is equally absurd.
This guy decided to be ass and he's finding out the hard way that law is a bigger ass.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
> the people this guy works for asked for the passwords
My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).
If anything, the fact that you wrote down that there might be a problem would be used against you. You set a trap or something. That's how you knew there would be a problem.
This is management. Does anyone who's ever held a tech job believe that you writing down that your boss is, effectively, an idiot won't be used against you?
Denial of access to their property. As a system administrator, I don't own the hardware I administer. Heck, I do it on contract right now. If the client wants something stupid done, I put my concerns in writing, if they still insist on doing it their way, I do it. If I think they're idiots and I keep having additional grief trying to fix their frequent mistakes, I find someone else to work for.
I'm not defending Childs' decision to hand over the passwords when asked, but I can sure see his perspective on it. As a consulting network engineer, I've frequently been put in the position of having to decide whether giving someone the keys to the kingdom will put the kingdom at too great a risk.
The problem here is that there was not a documented policy on passwords. As a former government IT employee, we had a documented policy concerning passwords. They were all documented in a password-protected spreadsheet kept on a server that only admins had the access and technical skills to get to. They weren't withheld, per se, they were just in a place that was inconvenient to get to unless there was an emergency situation that required the inconvenience.
The impression I get is that San Francisco's IT department had old-timers waiting for their retirement date and their pensions to mature. They were stuck in the days of mainframes, modems, and 8088's. Here comes Terry Childs, who has not only a clue but a plan for getting them into the 90's, if not the 21st century. He intimidates his superiors because he knows what he's doing, and they don't. He builds a network for the city that his peers should be proud of. Instead they are intimidated. They ask for passwords, and he politely refuses to give over until they understand the enormity of what those passwords do. They get mad and accuse him of hacking.
The worst thing about this case is that Terry Childs did nothing wrong, other than withholding the passwords too long. He's intelligent. He intimidated people with his intelligence. They couldn't fire him without cause, so they created a cause by insisting that he was hacking, even though the evidence does not show this.
The insult to injury here is that by dragging this out, the San Francisco IT department is just putting more egg on their face. Anyone following the case can see that they were incompetent and Terry Childs was trying to protect them from their incompetence. His crime was not knowing when he'd lost the game at the key moment.
Were I living in San Francisco, I'd want an audit of the technical skills of the IT department. It sure sounds to me like there are some people that need some training. If they can't learn from the training, reassignment. If they can't be reassigned, early retirement. But for all that's good and holy, get the incompetence out of the IT departments!
and is continuing with the prosecution just to save face,'
So, what do taxpayers think about their public funds being thrown away just to "save face"? This charade will end soon. Maybe another generation or so.
Seven puppies were harmed during the making of this post.
You forgot to keep a copy of the keys yourself? I call that stupid. And in the case of this guy's manager, criminally stupid.
Most people are smart enough to give their caretakers copies of their keys. Your analogy stinks.
And even if it didn't stink in that way, it stinks in another way. You could just shell out to have a professional locksmith break into your house and change the locks. Which is what you would have to have done anyway if the caretaker was kidnapped by the mafia or otherwise disappeared (the analogous situation to Childs dying in his sleep).
Actually, I just reviewed the facts as put out in this article by Venezia and most of the negative stuff has to do with mismanagement on the part of the city, in my eyes. A good manager would have understood that Childs was too attached to his creation, and would have already started to bring in another professional who might have had a chance of giving Childs the impression that he was handing his brainchild over into good hands. OTOH, I'm not sure Childs was psychologically capable of doing that. I wonder what will really happen in this trial.
So what you're saying is that because he was accused of something, he is automatically guilty even though the accusations where later withdrawn?
I sure as hell hope that you never wind up on a jury for *anyone*.
That's true. But if I changed your locks and kept the keys, charging me with "stealing your house" is not legitimate.
Since you like that door analogy.
It is up to the legal system to determine whether he committed any crimes.
So far, all you have is the accusations and even 3 of those 4 were dropped. So "he deserves punishment" for things that no one is now claiming he did?
Weird.
Perhaps, and it is indeed your right to ignore the grammar rules of the the language you are writing, but you also have to be aware that anyone reading it will naturally make judgements about you because of that.
Capital letters and punctuation are not just "convention", they do help with reading comprehension in the same way that paragraph breaks do. I don't think that ignoring the grammar rules just because you don't like them is an any way superior; as the GP said, it makes you look like an ass just for the sake of it.
If I'm one of the "bunch of assholes" (presumably everyone who uses capital letters correctly) then so be it. Rather be an asshole than come off looking like I don't know how to write.
Your final point jumps right back to what the original poster was talking about that you seem to have missed (hey, maybe there is a connection between people who don't write properly and low comprehension skills); you obviously want to contribute to this discussion and taken seriously, and make no attempt to actually make your posts easily readable. You're no different to the no-paragraph posters; people will just skip over your post without reading, or they'll get part way in and then dismiss it because you simply cannot write (from observation - who knows if you can or not since you don't show it). The content of your post is diminished.
You may have the opinion that good writing doesn't matter, but I'm afraid that it does.
Incidentally, the use of imperial over metric is not the same thing at all. Your bastardisation of the English language because you think it is superior is the same as going down to the hardware store and asking for a metre of timber, where you have defined a metre as the distance from your shoulder to your fingertip. Metric and imperial systems have conventions. If I say I want 1M of timber I'm not using the metric system accurately, since the SI symbol for the metre is m. If I say I want 5"6' of rope I'm also not using the imperial system correctly.
Invent your own language with its own grammar rules if you like, just don't pretend that ignoring the bits of a language you personally don't like as the superior method, and simultaneously complain that anyone who uses the rules properly is an asshole; it makes you look like a dick.
Nah, more like the chauffeur refusing to give the keys of the Rolls to the empty headed daughter. He did hand them over to dad.
Heh, that's nearly a car analogy.
I finished an IT security & Responsibility training day on friday and heres what i learned.
In my company any passwords i have for any part of the system are my property and my responsability to maintain and protect.
My boss can not ask me for my passwords, in order for him to gain access to my system he has to go through an 'e-share' system of approval from our IT department and they allow or disallow it based on his actual need to access my files.
If my employment is terminated for anything other than misconduct i get a months notice and in that time i have to wind down any operations im involved in and hand over the keys to whoever is taking my place.
---
In the case of misconduct my pc is confiscated and im escorted from the building. The pc is sent to a data retreival company and any/all relevant info is sent back to employer and then the pc is wiped and returned.
2 weeks later i get a box in the mail with my personal effects left in my desk.
---
Now i havent been fired yet ;) but i know someone who has gone through the process and from all the companies ive worked in this company is my favorite for IT security.
I've been keeping track of Terry's case and i fully support his decision not to hand over passwords to critical systems to someone who was
a) Not authorised to have them
b) Not qualified to maintain the system they belong to
I would give everything i own for a little bit more.
You make a wonderful point, it boggles me how many posters here seem to be fine with the idea of letting the city burn if you were following the rules like a good little citizen that never questions those in power.
You know I had wondered why I stopped reading slashdot, then when I come back I find this story which is about as balanced as Fox News and I remember why. It is not a 'fact' that the DA has done no homework on the case, that is a speculative claim from what appears to be a highly partisan source - a journalist who snagged an interview with the perp and wants to retain access. The guy tried to hold the city hostage. Venezia fails to mention that in his bizarrely one sided account. Specifically, the guy had changed the passwords on the routers and refused to tell his employers what he had changed them to. That is, or at least should be recognized as extortion. The employers paid Childs to administer the system, they had a right to expect him to do so honestly and in a way that would allow them to use their property if he was not available. The guy is lucky not to be up on federal charges. The water treatment plants were amongst the infrastructures that he disabled. The incident does demonstrate a security risk that is often given insufficient consideration: failure to maintain control of the system.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Actually that would be after he found a girl, who he had originally thought was a cleaning lady that was fired 3 weeks earlier, under the hood with a wrench and a hammer, and upon confrontation she had him arrested and held without bail or telling him what the charges were. Then her and the Gardner were demanding he throw the keys out the jail window into the crowded street.
Of course, all of the passwords then found themselves in a public court document. Oops.
And so his point about security being mis-handled by others was proven true. The moment they got the passwords, they told the entire world what they were.
Go to the boss, the highest you can barge in on, hand him in writing your objections and the passwords AND your resignation. Have them signed and don't look back.
Care explaining how you do that while you are in custody at the police station?
NEVER EVER try to be clever within the system, you cannot win.
I totally agree with you. Absolutely do not violate policy on handing out root passwords by, let us say, giving them out to people over the phone, on speaker phone, in a room full of unauthorized people listening.
Always do this especially when working with government or semi-government (Huge companies that either were once state run, work mostly for the state, are run by ex-state people or because of their size have become ministates. You know the type, where people were ties, even when they are not.
Good point. Don't work for a company that is going to put you in a situation that you can't win if you do, can't win if you don't. It makes you the easiest target to become the person to take the fall. But then, if that happened, we would only have stupid people applying for public service jobs such as Mr. Child's. Is that really what we want?
This guy tried to be clever. It never works, you are never clever enough and the system knows how to deal with clever. Instead be smart, get out.
Once again don't work for that kind of system if this is always the case. And for a second time, he didn't have the option you are saying he had.
This guy really should have just done as said above. Hand it off and get the fuck out of the way.
Okay lets get serious for a second. This attitude of not rocking the boat is exactly what allows these sorts of 'systems' to become what they are. I guess we could all run away, ignore the glaring problems and move on to leave them to someone else. And as we all do that they will get worse and worse. Instead, I propose dealing with the problems. For example, if you are put in a position where people are abusing their authority to try and force you to do something that could cause harm to, lets say for example, a whole city, you should stand up against that. I hope that Mr. Childs wins this case and wins damages that are large enough that the whole tax base pays attention to what happened here and demands that heads roll and that these sorts of 'systems' are dismantled. I don't see how else to stop these sorts of 'systems' to become the norm when the common attitude seems to be to bury your head in the sand and move on when there is a problem.
There is good money to be made in this segment of the market, but only for those who can play the game and the first rule of the game is, don't get into the game if you don't know the rules.
I'm sorry I didn't realize that government was a game. I take it all back. Since it is all a game I guess it is perfectly okay to make 'good money' and ignore the problems inherent in the IT department of Frisco! I mean its a game! Tax payer money and public employee competence doesn't matter! What was I thinking!?!?
Oh, Please! IT infrastructure is the plumbing of the 21st century. This guy is a plumber. It is not his job to decide who should or should not have access to the network any more than it is the job of the master control technician at NBC to decide what to air at 8pm on Thursday nights.
So, let's run by this completely hypothetical scenario then. Say, you are in charge of the plumbing at a facility called "Chernobyl" and your supervisor is asking you to run a few tests, that violate the security protocols.
Since he's just a plumber (or operator) I guess you're with the Chernobyl supervisor here... enjoying the glow-in-the-dark effect...
Terry Childs said no. I'm with Terry. Policy isn't there to be ignored the first time someone tells you to. Especially if the policy is much smarter than the person telling you to ignore it.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)