Slashdot Mirror
The Trial of Terry Childs Begins
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?
The owners of the network are the public. An employee should act in the best interests of the employer at all times -- even if doing so conflicts with the views of immediate superiors.
Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.
"Administrator" groups for Windows machines
Multiple root SSH keys and/or Kerberos logins for Unix boxen
TACACS user-based authentication for routers.
If the dude just left and said "I'm done with you folks, no I'm not handing over my passwords", then fine...go into the user admin system, nuke his passwords and get on with your life.
If the dude deliberately went in and reset passwords and changed network access before walking and then tried to blackmail the city, then that's sabotage/blackmail/downright illegal and should be punished.
If the dude walked out without giving passwords to anyone and the system was poorly designed so that admin passwords had to be forcefully recovered via single user mode or the like, then the city should just eat crow, lick their wounds, and install a real network AAA system.
What would have happened if the dude had been run over by a beer truck on the way to work? Would the city have been screwed as well?
Dude.
This guy denied access to the owners of that network. Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing. Hell, it's not a stretch to say that for a time, before they recovered it, he had stolen the entire network from them.
Take your word smithing and semantics and stick 'em where the sun don't shine. What he did was wrong for it, and he needs to be punished.
What do you mean "Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing." That's exactly what it means. If there's no law to fit his "crime," then by definition there is no crime committed. Perhaps he's guilty of being an asshat, but doesn't mean he's criminally liable according to your definition.
It's quite a stretch to say he had stolen the entire network. In fact, it's absolutely false. They could have done a hard admin reset on the routers and affected systems and been back in complete control of them. They chose not to, for various legitimate reasons, but the network remained in the possession of the legitimate owners.
You complain about word smithing and semantics yet that's exactly what you are doing. What he did may be wrong, but the question as to whether any laws were broken is far from a given. To punish him for breaking no laws would be absurd and your assertion that he should is equally absurd.
> the people this guy works for asked for the passwords
My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).
If anything, the fact that you wrote down that there might be a problem would be used against you. You set a trap or something. That's how you knew there would be a problem.
This is management. Does anyone who's ever held a tech job believe that you writing down that your boss is, effectively, an idiot won't be used against you?
So what you're saying is that because he was accused of something, he is automatically guilty even though the accusations where later withdrawn?
I sure as hell hope that you never wind up on a jury for *anyone*.
Perhaps, and it is indeed your right to ignore the grammar rules of the the language you are writing, but you also have to be aware that anyone reading it will naturally make judgements about you because of that.
Capital letters and punctuation are not just "convention", they do help with reading comprehension in the same way that paragraph breaks do. I don't think that ignoring the grammar rules just because you don't like them is an any way superior; as the GP said, it makes you look like an ass just for the sake of it.
If I'm one of the "bunch of assholes" (presumably everyone who uses capital letters correctly) then so be it. Rather be an asshole than come off looking like I don't know how to write.
Your final point jumps right back to what the original poster was talking about that you seem to have missed (hey, maybe there is a connection between people who don't write properly and low comprehension skills); you obviously want to contribute to this discussion and taken seriously, and make no attempt to actually make your posts easily readable. You're no different to the no-paragraph posters; people will just skip over your post without reading, or they'll get part way in and then dismiss it because you simply cannot write (from observation - who knows if you can or not since you don't show it). The content of your post is diminished.
You may have the opinion that good writing doesn't matter, but I'm afraid that it does.
Incidentally, the use of imperial over metric is not the same thing at all. Your bastardisation of the English language because you think it is superior is the same as going down to the hardware store and asking for a metre of timber, where you have defined a metre as the distance from your shoulder to your fingertip. Metric and imperial systems have conventions. If I say I want 1M of timber I'm not using the metric system accurately, since the SI symbol for the metre is m. If I say I want 5"6' of rope I'm also not using the imperial system correctly.
Invent your own language with its own grammar rules if you like, just don't pretend that ignoring the bits of a language you personally don't like as the superior method, and simultaneously complain that anyone who uses the rules properly is an asshole; it makes you look like a dick.
Nah, more like the chauffeur refusing to give the keys of the Rolls to the empty headed daughter. He did hand them over to dad.
Heh, that's nearly a car analogy.
What. Do. You. Do?
Uh, you give them the passwords.
Christ, how is this even a question? Your *boss* tells you to do something? Then you fucking do it! Have a problem with it? Go over his head to his boss. And if that guy tells you to go pound sand? You do your fucking job and hand over the passwords.
In short: This guy was an idiot. That network wasn't his personal property and he had no right to refuse access to it for those in a position of authority, regardless of his impressions of their professional qualifications.
I think you need to read up on the case a bit. Childs was actually protecting the network and keeping it running. The people he was asked to provide the passwords to had already demonstrated their incompetence by causing outages. Far from "holding the city hostage", as you claim, he was actually keeping the network running. The only disruptions were caused by the non-technical manager types that were asking him for control, without providing any assurances that they could maintain the network or even understand the configurations they wanted to be able to muck with.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Actually that would be after he found a girl, who he had originally thought was a cleaning lady that was fired 3 weeks earlier, under the hood with a wrench and a hammer, and upon confrontation she had him arrested and held without bail or telling him what the charges were. Then her and the Gardner were demanding he throw the keys out the jail window into the crowded street.
Of course, all of the passwords then found themselves in a public court document. Oops.
And so his point about security being mis-handled by others was proven true. The moment they got the passwords, they told the entire world what they were.
He had a responsibility to the people of the city who depended on the city infrastructure not to recklessly endanger that infrastructure. As a trained professional, in his professional jidgement, giving the passwords to his boss would have been dangerous. He acted reasonably (and within policy), insisting on moving somewhat higher up the chain of command, and drawing attention to the incompetence of his boss.
Your boss has no moral authority. He's just another employee, no different from you.
Socialism: a lie told by totalitarians and believed by fools.
I worked for a company that performed services for companies that had a lot of personal information. Our systems were kept pretty tight.
For a while, I was the only IT person in the company. I had the primary passwords for much of the company's infrastructure, and the policy manual that was worked up allowed me to give those passwords to two other people on request - the President and my departmental Vice President of the company. The VP was three rungs up the ladder from me.
Neither had the chops to do anything with the passwords, but of course they could easily have hired someone who did. I also had to keep the current passwords in an offsite lockbox at a local bank and only the three of us had access to that box. That way, if I got hit by a bus (or terminated for cause, quit under suspicious circumstances, or whatever) the company could continue operations smoothly.
My boss's boss walked in my office one day and asked for a password for one of the main systems. After a long, involved, and rather unpleasant conversation, I was threatened with termination if the passwords were not handed over. As I started to pack my crap up, the President walked in the room and thanked me for my diligence in following security protocol. It was a surprise audit. I don't think I would have been terminated if I had handed over the passwords, but I'm sure my clearance to possess them would have been revoked in a very large hurry. And that would have been the correct action to take.
There are circumstances where you DO NOT have the authority to give information to your boss. If there is a policy against it, the policy trumps your boss's ability to ask you for the information.
I don't know for sure the policies in place at this particular department, but it is very possible that the boss was not authorized for that information. Passwords and security information do not necessarily follow the chain of command - they follow a chain of responsibility and/or trust, and that isn't always perfectly aligned with the chain of command. If Childs' boss was not authorized for the information, he did the right thing in insisting that the information be turned over to the people his security protocol manual specified.
If Childs' boss WAS authorized for the information by policy, and Childs honestly felt the boss would misuse the information for something illegal and/or was gunning for Childs, then his actions may or may not be justifiable in this case - he's going to have to produce some proof that his boss had an illegitimate purpose. That could be tough.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I disagree. Sorry, but if you're going to trust me with very sensitive data, you need to be able to trust me with it, and that means testing me in such a way that the results are valid.
Which is no way means it's pleasant, or fun, or is anything other than a complete horror show. On the other hand, I was ready to leave the company with my head held high because I stuck to my principles, and there's a part of me that is proud of that.
It still sucked fetid donkey balls when I was going through it, and I have no desire to repeat the experience.
But if you can come up with another test that can demonstrate without doubt that an employee's personal integrity is worth more to them than any specific job, I'm certain a whole lot of people who are responsible for important data would love to hear it.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."