The Trial of Terry Childs Begins
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
There is a potential for problems if a manager with very insecure security tendencies asks a sysadmin for very important passwords. In some circumstances, the sysadmin might feel justified in not handing the passwords over, as it would compromise the security of the existing system.
Sorting out fact from fiction in the Terry Childs case (InfoWorld)
Childs deserves defense not because he appropriately handled a showdown with management he had no hope of navigating successfully; clearly he did not. Rather, he should be defended against having the prosecutorial powers of the city leveled against him and being deprived of his freedom for many months over a matter that should have gone no further than the termination of his employment.
Sure you turn over the password, they delete something and YOU are on the hook for obstruction of justice.
Being forced to 'hand over the passwords' should be like a vehicle transfer. The moment you hand the keys off to the person who you are obligated to give them to THEY become responsible for the entire network including their own fuck ups.
+2 Troll is Slashdot's way of saying groupthink is confused
It's called CYA - report it to your direct manager, if you are overridden, have it all in writing for the blame game which is certain to happen later.
You are exactly the type of citizen who has driven the service out of public service and provided us with less than mediocre CYA specialists who have no conscience and no clue. Terry Childs, despite his apparent megalomania, had a clue and a conscience. After he is cleared of all charges, the Mayor should appoint him to teach the other civil servants what service really means. (And that might be the only way to keep from getting sued for millions of dollars for malicious prosecution.)
This is how physical property and intellectual property differ. Those things all belong to the company, and it let him use them. He left them there when he left. The passwords belong to the company, and it let him use them. When he leaves, are you saying he has to have his memory wiped of all that company's IP? He left; it's now "their" problem. He didn't deprive the company of their passwords by "stealing" them; the company misplaced them and he has no obligation to help them look.
I'm explaining this horribly badly, I know, but still, I feel he has no obligation once he's been fired.
So you would rather that he broke the policy that was given to him with regard to passwords and let unauthorized people have access? The city policy only allowed him to give passwords to the Mayor, which he did as soon as he was allowed to. If you are fired, and some random people ask you to give up the password, would you? If you say yes, then you will end up at the wrong end of a lawsuit, as that would make you criminally culpable in whatever havoc those people caused on the network.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
The water treatment plants were amongst the infrastructures that he disabled.
Uhm, come again?
Nothing was "disabled." Nothing was turned off. The situation was quite simply that the routers were secured down to the point where, without having admin credentials, someone could not CHANGE them. This is not "negligent", this is smart design.
Then we get to the exorbitant bail amount, the fact that he's being held in lockup without a bail reduction even though better than 3/4 of the case has been dropped due to lack of evidence, and the fact that he in fact gave the passwords up to a competent authority (the SF Mayor, aka his boss's boss's boss), and it looks like a kangaroo court in process. The DA's office doesn't have much, if anything, of a case but they're desperate to justify what they have done so far so they just keep pushing along.
I'll offer you a choice. You are being reassigned to a new area. Your "boss", the blithering idiot who still keeps his password in a sticky note on his monitor and who holds a bitchfest every time he's told he has to pick a password that actually conforms to complexity requirements rather than using "god", demands a ton of passwords with root-level access. You've seen numerous situations before where the "admin at the time" (e.g. you) has been turned into the fall guy for shit going wrong or security breaches, when it's obvious to anyone doing any research that the real problem is some moron boss with less brain cells than teeth, an MBA, and a Napoleon complex.
What. Do. You. Do?
People of Slashdot, this is VERY VERY simple. Go to the boss, the highest you can barge in on, hand him in writing your objections and the passwords AND your resignation. Have them signed and don't look back.
NEVER EVER try to be clever within the system, you cannot win.
Always do this, especially when working with government or semi-government. (Huge companies that either were once state run, work mostly for the state, are run by ex-state people or because of their size have become ministates. You know the type, where people wear ties, even when they are not.)
This guy tried to be clever. It never works, you are never clever enough and the system knows how to deal with clever. Instead be smart, get out.
This guy really should have just done as said above. Hand it off and get the fuck out of the way.
There is good money to be made in this segment of the market, but only for those who can play the game and the first rule of the game is, don't get into the game if you don't know the rules.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
So what? They were his bosses and the owners of the equipment. He had no right to refuse them access to their own property no matter what they could have and would have done to fuck it up.
Bail should be set as a deterrent to flee before a trial is finished, not to keep someone indefinitely in a cell.
And this is probably why they did it. His bosses probably knew (or were told by their lawyers) right off that they didn't have a chance of convicting him of anything. So they used one of the standard legal ruses to keep him in jail while they delayed the trial. It's not especially unusual for people to be jailed before a trial for longer than the longest legal sentence. It's even done when conviction couldn't get a jail sentence at all. The idea is to keep someone in jail as long as you can, by any means that will work. Then it doesn't much matter if the court exonerates them; you've shown that you can incarcerate them sufficiently long without a trial.
Parts of the US Bill of Rights were designed to prevent this sort of imprisonment. It hasn't worked very well in this case. And it's not the first time that such things have been done in the US. Anyone not aware of this problem is naive and ignorant of history.
The only real question is whether he can get restitution from the courts afterwards. History says he probably won't.
This sort of story is why I gave up on security/admin jobs early on. I read some stories similar to this, and figured out that the non-technical people above my immediate boss were highly likely to pull such stunts, perhaps with me as a chosen victim. The only way to win that game is not to play it, because the higher ups can see all the cards and do all the shuffling. Of course, when I and thousands of others started figuring this out, it inevitably led to our current sorry state of widespread computer insecurity.
One thing we might add to this story is a question about whether SF will be able to hire a competent person to replace him. I certainly wouldn't want to interview with them, except maybe to see if I could get some inside information about their current policies (after which I'd simply ignore any job offers).
One thing I'd suggest to anyone in his position: If your superiors demand that you give admin passwords to non-technical people, you should hand in your resignation along with the passwords. Tell them right out why you consider this a threat to your own legal safety as well as the computer systems. Chances are they won't be surprised, because they knew what was planned. After all, anyone with the root passwords can edit any file and fake lots of evidence, including the timestamps on files.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
> The water treatment plants were amongst the infrastructures that he disabled.
This is the age of the hyperlink. Please provide one.
As for him deserving 20 years, it seems to me that it can never be a crime to forget something. In the same vein, it would seem to me that it cannot be a crime to be psychologically incapable of providing information. Other posters have claimed that it was even against his ex-employer's policies to provide that information.
I wonder if we will ever learn the real truth about this matter. It's fairly clear what version the city government would like to be revealed as "the truth".
The courts have held people liable for 3rd party actions in MANY cases. For example, you're the host of a party, and you let guests get good and drunk, and you then let them drive anyway. Or you have a hazard in your house, and a crook breaks in and hurts themselves. Or you're sick and tired of someone siphoning your gas, so you put razor blades around the inside of the filler flap. Or you're in the military and you obey an order that is contrary to military law (in which case, unless you frag the person who gave the order, you're up shit creek either way - either you disobeyed an order, or you obeyed an illegal order. Officers who give illegal orders would tend to darwin themselves).
Same thing applies in business - bars have been held liable for letting customers get too drunk to drive and not stopping them. The code of ethics for various professional bodies acknowledges that their members have a larger duty to society as a whole, and not just their employers, and that when there's a conflict, it has to be resolved in society's favour. An engineer can't just certify a bridge that is marginal because his boss tells him to, or choose to willfully ignore a dangerous defect in an area not under his or her direct purview.
Similarly, the courts are now starting to apply a standard of care on the general public - failure to act when you could have prevented harm is now punishable in jurisdictions that have passed "good samaritan" laws. With the protection afforded by these laws, you now have no legal excuse not to help someone in danger who is in need of immediate assistance.
Search for "failure to render assistance" - it's now a crime in many areas. Just look at how many "failure to render assistance" are listed in this 6-week crime stats report from one town in Texas.
Then how would you suggest a security audit be done? How else can we find out if someone will violate security policy than by giving them a chance to do exactly that?
I've been subjected to those kinds of audits on several occasions. Yes, they're mildly insulting. But they're also necessary, aren't they?
I decided to read a couple of articles about the situation after reading the parent post. That's led me to believe that IT admins everywhere should be supporting this guy wholeheartedly. When you get down to the point of it, this is a guy getting shafted as a result of sticking to the documented policy.
I realize that it's a long-running joke around here that people don't RTFA. RTFA.
Spelling, grammar, punctuation? We need something that checks logic.