The Trial of Terry Childs Begins

snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."

All admins

[RichardJenkins]

Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?

Re:All admins

[tdobson]

There is a potential for problems if a very manager with very insecure security tendencies asks a sysadmin for very important passwords. In some circumstances, the sysadmin might feel justified not handing the passwords over as it would compromise the security of the existing system.

Re:All admins

[DJRumpy]

It doesn't matter since in this case, the people this guy works for asked for the passwords. He is completely free of guilt should they screw things up and no court would hold him responsible for doing exactly what his duties required him to do.

He never owned these passwords, the hardware, the systems, or the infrastructure he worked on. When the owners asked for the password, he should have noted his concerns, and given them up.

Re:All admins

[DarkOx]

The answer is obvious. You simply put it in writing that in your professional opinion someone without an educational background or specific vocational training related the security and operation of whatever system you are dealing with should not operate its administrative features. You than state that you cannot be solely responsible for security or system failures if you are not permitted to be the gatekeeper. You then hand over the passwords if your employer or client agrees.

There is really no problem here at all.

Re:All admins

[remmelt]

Except when they still ass rape you for killing their system. Yes, this happens. You're the admin, you're responsible! Sucks to be you! Sure, you have some bullshit in writing, but who cares? Go look for another job! Oh, you want to sue us now? Go right ahead, see who has the deeper pockets.

Either way, you lose.

Re:All admins

Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?

The person who asked Childs for the passwords wasn't an authorized official.

Re:All admins

[QuantumRiff]

If someone higher ranking than me from our accounting division wants the Domain admin password, should I hand it to them? What about the head marketing person? How do you determine who it is "Safe" to hand over the passwords to?

Re:All admins

[Tuoqui]

Sure you turn over the password, they delete something and YOU are on the hook for obstruction of justice.

Being forced to 'hand over the passwords' should be like a vehicle transfer. The moment you hand the keys off to the person who you are obligated to give them to THEY become responsible for the entire network including their own fuck ups.

Re:All admins

[eosp]

Said authorised individual should have already had access to those passwords. This guy was more interested in not giving them up to parties that he could not see over a teleconference, or at least that's what his defence will say.

Re:All admins

[mysidia]

What about IT admins who configure systems to use Biometric authentication?

Do they have to cut off their right hand, if a manager asks them?

IT admins' user accounts on enterprise systems may use the same password the person uses on personal systems, like their bank account.

What if the hand scanner includes liveness detection?

Passwords and authentication credentials aren't for managers, they're for technical workers who can actually competently administer the systems they access.

They don't need to be asked to tell passwords. They need to be asked to provide access to such and such person.

And if they're leaving: to surrender that access.

And they need to give a fair amount of time for the person to make sure they are indeed authorized and a proper security procedure is being followed. Otherwise ANYONE could walk up to you in the company, and claim they are authorized to know the password, and authorized to require you to give them access.

If the company's IT operations were so poorly run as to not have policies already in place to ensure multiple people can access critical systems, then that's not the person's fault.

Re:All admins

[vvaduva]

It's called CYA - report it to your direct manager, if you are overridden, have it all in writing for the blame game which is certain to happen later.

Re:All admins

[tibman]

I remember it being different than that. He wasn't supposed to tell anyone other than the mayor what the password was. Some new manager showed up one day and said "Hey, what's the password?" He says "I can't tell you." So the new manager called the police. Then as soon as the mayor showed up and asked for the password, Mr Childs told him.

As far as i remember, there was zero authorized officials at the company to receive the password.

Re:All admins

[D'Sphitz]

without a trial and essentially denied bail, I might add.

Re:All admins

[L4t3r4lu5]

He did just that. The "Authorised official" you refer to was the Mayor, who he dutifuly revealed the password to when asked. Who he didn't reveal the password to was his line manager / supervisor, who he was expressly forbidden from doing so by district policy.

It's not his fault for knowing the policy better than his own supervisor. He followed it to the letter, but his boss got his knickers in a twist and decided to get him arrested. I hope he's made to choke down that choice with a lovely pink slip in his Christmas stocking.

Re:All admins

[canajin56]

Except he did have a lot to worry about, if you read about it. What happened is he caught a former coworker who got promoted to a different department, without his knowledge. He thought she was fired because she just vanished, and he never saw her again. He catches her searching through peoples desks, and removing hard drives from their computers. She claims he was taking illegal pictures of her and disrupting her "secret audit", which is why she had him arrested and held on a $5 million bond. (The "illegal pictures" he took never surfaced). That's right, he was arrested before being fired, and before refusing to give up the password. The "refused to give up the password" was when she called him in jail and demanded it. Still a woman who, as far as he knows, was fired, not promoted, demands the password over speakerphone in a police station. He says no way. His boss pipes in over the speaker phone and says "Just do whatever she says, or else", and he says no, it's against corporate policy to discuss that sort of thing over speakerphone where anybody can pipe in, but if the boss or the mayor calls in person without speakerphone, he will. They hung up and told the police to process him.

He never owned these passwords, the hardware, the systems, or the infrastructure he worked on. When the owners asked for the password, he should have noted his concerns, and given them up.

As far as he knows, an ex-employee was breaking in and snooping though peoples files and desks. And I guess she must be blackmailing his boss, for the boss to be says "do what she says or else". If Childs doesn't own the network, how do you reason this middle management fuck owns it?!!? The OWNERS didn't ask shit. At any rate, for him to have given the password like that violated company policy, which he told them, he told them they had to get it in person, and they REFUSED. He told them he'd tell the Mayor, he told the police, who refused to tell him what he was being held on, that he would tell the Mayor, who as the people's representative, is the owner of the network. At this point, people ran with the fact that he was a corporate spy of some sort, because his CITY OWNED CELL HAD A CAMERA IN IT JUST LIKE ALL CELLS, and also he used a firing range, highly illegal, only outlaws use firearms, remember! He also was looking at storage space, a clear crime. When all he really did was refuse to give a password to a co-worked who was "fired" but actually secretly promoted to conduct "secret audits" by searching desks and desktop HDs at midnight on a Friday night. And, to repeat, he was arrested and charged before he even was asked for the password. AND he was asked for the password in a way that was against corporate policy, and also possibly a felony.

Re:All admins

[tomhudson]

The courts have held people liable for 3rd party actions in MANY cases. For example, you're the host of a party, and you let guests get good and drunk, and you then let them drive anyway. Or you have a hazard in your house, and a crook breaks in and hurts themselves. Or you're sick and tired of someone siphoning your gas, so you put razor blades around the inside of the filler flap. Or you're in the military and you obey an order that is contrary to military law (in which case, unless you frag the person who gave the order, you're up shit creek either way - either you disobeyed an order, or you obeyed an illegal order. Officers who give illegal orders would tend to darwin themselves).

Same thing applies in business - bars have been held liable for letting customers get too drunk to drive and not stopping them. The code of ethics for various professional bodies acknowledges that their members have a larger duty to society as a whole, and not just their employers, and that when there's a conflict, it has to be resolved in society's favour. An engineer can't just certify a bridge that is marginal because his boss tells him to,or choose to willfully ignore a dangerous defect in an area not under his or her direct purview.

Similarly, the courts are now starting to apply a standard of care on the general public - failure to act when you could have prevented harm is now punishable in jurisdictions that have passed "good samaritan" laws. With the protection afforded by these laws, you now have no legal excuse not to help someone in danger who is in need of immediate assistance.

Search for "failure to render assistance" - it's now a crime in many areas. Just look at how many "failure to render assistance" are listed in this 6-week crime stats report from one town in Texas.

Frankenstein Offense?

[zmnatz]

Then will Mr. Childs employ the Chewbacca Defense?

this is why governments are outsourcing

[alen]

between this genius who thought everything belonged to him and people like I met in my 1 year of working as a consultant for a government agency it's not wonder government is outsourcing. i met this one admin years ago who refused to let his NT domain be part of the larger NT network and it caused all kinds of permissions issues. funny thing was that because of the union rules they couldn't make him do it. and the only reason he refused to let his NT domain work with the others in the organization is because he wanted his own private island to manage that the other admins above him couldn't touch.

so now i get daily emails about how LA and other local governments are going with Google Apps and Gmail. I bet a lot of it has to do with the fact that they can let their unionized admins rot in a hole doing nothing while progress happens

Re:Why is this guy being treated as a Martyr to IT

The owners of the network are the public. An employee should act in the best interests of the employer at all times -- even if doing so conflicts with the views of immediate superiors.

Network Design?

[DarthBart]

Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.

"Administrator" groups for Windows machines
Multiple root SSH keys and/or Kerberos logins for Unix boxen
TACACS user-based authentication for routers.

If the dude just left and said "I'm done with you folks, no I'm not handing over my passwords", then fine...go into the user admin system, nuke his passwords and get on with your life.

If the dude deliberately went in and reset passwords and changed network access before walking and then tried to blackmail the city, then that's sabotage/blackmail/downright illegal and should be punished.

If the dude walked out without giving passwords to anyone and the system was poorly designed so that admin passwords had to be forcefully recovered via single user mode or the like, then the city should just eat crow, lick their wounds, and install a real network AAA system.

What would have happened if the dude had been run over by a beer truck on the way to work? Would the city have been screwed as well?

Dude.

Re:Why is this guy being treated as a Martyr to IT

[NitroWolf]

This guy denied access to the owners of that network. Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing. Hell, it's not a stretch to say that for a time, before they recovered it, he had stolen the entire network from them.

Take your word smithing and semantics and stick 'em where the sun don't shine. What he did was wrong for it, and he needs to be punished.

What do you mean "Just because there isn't a law to fit the crime doesn't mean he is innocent of wrong doing." That's exactly what it means. If there's no law to fit his "crime," then by definition there is no crime committed. Perhaps he's guilty of being an asshat, but doesn't mean he's criminally liable according to your definition.

It's quite a stretch to say he had stolen the entire network. In fact, it's absolutely false. They could have done a hard admin reset on the routers and affected systems and been back in complete control of them. They chose not to, for various legitimate reasons, but the network remained in the possession of the legitimate owners.

You complain about word smithing and semantics yet that's exactly what you are doing. What he did may be wrong, but the question as to whether any laws were broken is far from a given. To punish him for breaking no laws would be absurd and your assertion that he should is equally absurd.

He was in a catch 22

[onyxruby]

I was initially very skeptical of Childs until additional information came out about the case that changed the story notably.

Their policy prohibited Childs from simply handing passwords over to his boss, when asked by the mayor he handed them over as requested. I think the bigger issue is one of policy on security and a lack of industry best practices by the city. What holds the greater weight, policy or your bosses request? Depending on where you work, handing over your passwords to anyone can readily be a criminal infraction. At a minimum they could have asked Childs to create an additional account with full administrative access and that account could then have been used to disable Childs account.

I know at my employer I am not allowed to share my passwords with anyone, including my supervisor. I have an official backup with equivalent access to myself and my refusal to hand over passwords would not prevent anyone else from taking over for me. If my employer wanted they could simply reset my password and gain access to my account. The issue in San Francisco is there wasn't anyone else who had equivalent access to begin with. Their network was complex and the city had cut to the bone on staffing ahead of time.

Lessons can be learned from this from a management standpoint, the city took an antagonistic approach and did not update their policy and instead asked Childs to break it. Their security personal should have known industry best practices and instead asked Childs to violate them and hand over his password. Ultimately the case showed incompetence in city management and embarrassed them, and that's the only reason I can think of the city pressed the case.

Re:He was in a catch 22

[eosp]

And the original request was done over a teleconference. Bad idea. Of course, all of the passwords then found themselves in a public court document. Oops.

Re:He was in a catch 22

[sjames]

Of course, all of the passwords then found themselves in a public court document. Oops.

And so his point about security being mis-handled by others was proven true. The moment they got the passwords, they told the entire world what they were.

The law is an ass.

[TapeCutter]

This guy decided to be ass and he's finding out the hard way that law is a bigger ass.

Fired him first?

[Mathinker]

> the people this guy works for asked for the passwords

My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).

Re:Fired him first?

[PopeRatzo]

When you are fired from work, you can't simply raid your cubicle and take everything in it.

The sweet Humanscale Freedom High-back chair in plum vellum with the graphite frame in which I am now sitting begs to differ.

Re:Fired him first?

[GaryOlson]

No, not irrelevant. Termination of employment means a termination of responsibilities in both directions:
the employer does not provide any services to you; and, you are not obligated to provide any services to the ex-employer. Those passwords are not the property of the employer; but merely a method for controlling the assets of the employer. The failure of the employer to implement methods to regain control of their assets is not the ex-employees problem.

Re:Fired him first?

[Spazztastic]

When you are fired from work, you can't simply raid your cubicle and take everything in it.

The sweet Humanscale Freedom High-back chair in plum vellum with the graphite frame in which I am now sitting begs to differ.

You bastard! I replaced you and now I'm sitting on a milk crate!

Re:Fired him first?

[multisync]

He didn't steal the network. He stole the passwords.

He didn't "steal" the passwords. He knew them because it was his job to know them. He can't simply "unknow" them once he is fired. Nothing was "taken" from them, their passwords are still there, happily guarding the system against unauthorized access.

As far as being obliged to divulge this information to his former employers, I see no reason he should do so. He is no longer their employee, so they can not compel him to tell them anything. They might have thought to make sure they were in a position to replace him before they fired him.

The only way I see him being liable for anything is if he accessed their systems after leaving their employment. If he didn't, I'd say the city can get stuffed.

Re:Fired him first?

[canajin56]

Actually, they had him arrested first, fired second, and somebody who wasn't his boss, and as far as he knew, was an ex-employee, asked for the password over speakerphone THIRD. All this because he caught this ex-employee (who apparently was secretly promoted to the secret police to conduct "secret audits" at midnight on Fridays by snooping through desks and stealing hardware), and told his boss about it.

Re:Fired him first?

[jc42]

It would seem the prudent thing to do, if you find yourself in a similar situation, would be to turn over the damn passwords.

Hmmm ... Apparently you missed the earlier post's link to the article about the official policy of the county government. It included this summary excerpt:

"Password Policy"
As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis"
"Do not share County passwords with anyone, including administrative assistants or secretaries.

All passwords are to be treated as sensitive, confidential County information.

Here is a list of things to avoid
-Telling your boss your password.
-Talking about a password in front of others.
-Telling your co-workers your password while on vacation."

http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

So if he'd handed over the password to his bosses, he would have been charged with a violation of official published policy, and that charge would have probably stuck. By following the official policy, he may well have succeeded in winning the court case. Of course, it didn't stop the city from implementing what's almost certainly an illegal incarceration before trial. We'll have to keep checking to see how it turns out, and whether he can get restitution for the jail time.

In security-related situations, it's often a good idea to know the official published policy. When asked to violate it, it often can help to point out that what you're being asked to do is illegal, and ask if they really intended that. (If you're a contractor, you might try grinning and saying that you charge extra for illegal acts. Tell them that your consulting firm has a policy against performing illegal acts without first getting the explicit job description on paper with all the right signatures authorizing the higher rate, indemnification for possible charges, etc. It can be fun to watch their reaction.)

Re:Fired him first?

[Zerth]

He was also ordered to surrender them to someone department policy said he was not allowed to tell and who was likely to screw things up and blame it on him.

He did the responsible thing and insisted on following policy in a manner that ensured the network continued to function.

Re:Fired him first?

[Zerth]

Just to quote their policy:

All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid:
Giving your password over the phone to ANYONE.
Telling your boss your password.
Talking about a password in front of others.
Telling your co-workers your password while on vacation.

If someone demands a password, refer him or her to this document or have him or her call someone in Information Security

Re:Fired him first?

[AK+Marc]

His emotional attachment to his network would look bad in bar lighting. This guy was a nutcake.

Sadly, that's the real issue. This nutcake (who did his job without problem and they fired for his "attitude" rather than anything related to his ability to actually do his job) is being persecuted because he's weird. I mean who wouldn't give up a password when guys with guns were demanding it and threatening you with jail if you didn't? It mattered to him that they weren't on the authorized list. But to the police, that's contempt of cop. To his boss that wanted him to just disappear after she was caught performing audits in direct violation to policy, it was contempt. He wanted to give the information to the proper authorities, and did, it's just those that thought they were the proper authorities and what he thought didn't agree. From what I can tell from the papers released so far, the boss was not authorized for those (no need to know and not a technical position). Yes, it's job suicide to say no to your boss, but he'd rather lose his job than screw up his network.

That's why he's a nutcake, and that's why authorities hate him and everything he stands for. No one should ever stand up to the police or his boss. It's unamerican.

Terry Childs and the female boss

[viralMeme]

"On Friday, June 20, there was an altercation between Childs and Jeana Pieralde, the new DTIS security manager at the 1 Market Street datacenter in San Francisco. Until her promotion, she had been a city network engineer who worked with Childs"

Sorting out fact from fiction in the Terry Childs case (InfoWorld)

.. the city had claimed it could not access the FiberWAN network's devices. But four days before that bail hearing, the city claimed it had scheduled a power outage at the 1 Market Street datacenter. That power outage would have affected routers and switches running the FiberWAN network.

In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers. A local news report stated that "experts caught the problem in time and transferred data to permanent files, [Assistant DA Conrad] del Rosario said."

This statement contradicts the city's stance that it had no access to these routers, as there is no way it could have written those configurations to flash, or save them anywhere, on July 19 if it could not access the devices ..

Re:Terry Childs and the female boss

[Spazztastic]

In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers.

You know, some Cisco guys just have bad habits of not pressing "CTRL+Z" then entering "wr mem" when they're done working on a Cisco appliance. Maybe he just made a mistake?

Re:anyone here who defends this man

[LaminatorX]

Childs deserves defense not because he appropriately handled a showdown with management he had no hope of navigating successfully, clearly he did not. Rather, he should be defended against having the prosecutorial powers of the city leveled against him and being deprived of his freedom for many months over a matter that should have gone no further than the termination of his employment.

Mod parent up!

[khasim]

If anything, the fact that you wrote down that there might be a problem would be used against you. You set a trap or something. That's how you knew there would be a problem.

This is management. Does anyone who's ever held a tech job believe that you writing down that your boss is, effectively, an idiot won't be used against you?

Re:How so "stolen"?

[WolfWalker545]

Denial of access to their property. As a system administrator, I don't own the hardware I administer. Heck, I do it on contract right now. If the client wants something stupid done, I put my concerns in writing, if they still insist on doing it their way, I do it. If I think they're idiots and I keep having additional grief trying to fix their frequent mistakes, I find someone else to work for.

Incompetent Imbeciles

[anomaly0617]

I thought someone said it best when they said

"Terry Childs nearly built the San Francisco computer network by himself, to the point of actually filing for copyright on his design of the network. Management in the San Francisco IT department apparently couldn't fathom half of what he was doing and Terry Childs himself called them incompetent on numerous occasions, which is pretty much what the sole standing charge is all about. Refusing to hand over the network to incompetent imbeciles."
http://blogs.computerworld.com/14592/good_news_for_jailed_sf_net_admin_terry_childs

I'm not defending Childs' decision to hand over the passwords when asked, but I can sure see his perspective on it. As a consulting network engineer, I've frequently been put in the position of having to decide whether giving someone the keys to the kingdom will put the kingdom at too great a risk.

The problem here is that there was not a documented policy on passwords. As a former government IT employee, we had a documented policy concerning passwords. They were all documented in a password-protected spreadsheet kept on a server that only admins had the access and technical skills to get to. They weren't withheld, per se, they were just in a place that was inconvenient to get to unless there was an emergency situation that required the inconvenience.

The impression I get is that San Francisco's IT department had old-timers waiting for their retirement date and their pensions to mature. They were stuck in the days of mainframes, modems, and 8088's. Here comes Terry Childs, who has not only a clue but a plan for getting them into the 90's, if not the 21st century. He intimidates his superiors because he knows what he's doing, and they don't. He builds a network for the city that his peers should be proud of. Instead they are intimidated. They ask for passwords, and he politely refuses to give over until they understand the enormity of what those passwords do. They get mad and accuse him of hacking.

The worst thing about this case is that Terry Childs did nothing wrong, other than withholding the passwords too long. He's intelligent. He intimidated people with his intelligence. They couldn't fire him without cause, so they created a cause by insisting that he was hacking, even though the evidence does not show this.

The insult to injury here is that by dragging this out, the San Francisco IT department is just putting more egg on their face. Anyone following the case can see that they were incompetent and Terry Childs was trying to protect them from their incompetence. His crime was not knowing when he'd lost the game at the key moment.

Were I living in San Francisco, I'd want an audit of the technical skills of the IT department. It sure sounds to me like there are some people that need some training. If they can't learn from the training, reassignment. If they can't be reassigned, early retirement. But for all that's good and holy, get the incompetence out of the IT departments!

Re:Incompetent Imbeciles

The problem here is that there was not a documented policy on passwords.

No, the problem is there WAS a documented policy on passwords, and the problem was he followed it. After he was fired, the only person the policy allowed him to tell the password was the mayor himself. As soon as the mayor asked, he quickly shared the password.

Terry Childs might be an arrogant jerk, but he did nothing wrong.

He had high security turned on that block password

[Joe+The+Dragon]

He had high security turned on that blocked password recovery as some of the network stuff was out in open at some sites and not in a locked room. With the high security you have to do a full reset to get back in without a password.

Re:anyone here who defends this man

[BenEnglishAtHome]

For God's sake, that's circletimessquare! If you don't know who that is, lurk more. Until then, DO NOT FEED THE TROLLS!

So you're dumb

[Mathinker]

You forgot to keep a copy of the keys yourself? I call that stupid. And in the case of this guy's manager, criminally stupid.

Most people are smart enough to give their caretakers copies of their keys. Your analogy stinks.

And even if it didn't stink in that way, it stinks in another way. You could just shell out to have a professional locksmith break into your house and change the locks. Which is what you would have to have done anyway if the caretaker was kidnapped by the mafia or otherwise disappeared (the analogous situation to Childs dying in his sleep).

Actually, I just reviewed the facts as put out in this article by Venezia and most of the negative stuff has to do with mismanagement on the part of the city, in my eyes. A good manager would have understood that Childs was too attached to his creation, and would have already started to bring in another professional who might have had a chance of giving Childs the impression that he was handing his brainchild over into good hands. OTOH, I'm not sure Childs was psychologically capable of doing that. I wonder what will really happen in this trial.

Re:anyone here who defends this man

[schon]

So what you're saying is that because he was accused of something, he is automatically guilty even though the accusations where later withdrawn?

I sure as hell hope that you never wind up on a jury for *anyone*.

Re:Why is this guy being treated as a Martyr to IT

[adipocere]

That's true. But if I changed your locks and kept the keys, charging me with "stealing your house" is not legitimate.

Since you like that door analogy.

Re:Why is this guy being treated as a Martyr to IT

You are exactly the type of citizen who has driven the service out of public service and provided us with less than mediocre CYA specialists who have no conscience and no clue. Terry Childs, despite his apparent meglomania, had a clue and a conscience. After he is cleared of all charges, the Mayor should appoint him to teach the other civil servants what service really means. (and that might be the only way to keep from getting sued for millions of dollars for malicious prosecution.)

Chain of Command

[Martin+P.+Hellwig]

Simple solution, it's called chain of command and works pretty well in static, bureaucratic organisations.
Simply put, you only accept commands from the manager in line or his/her superior.
Although your superior superior (etc. )is allowed to break the chain, it is frowned upon and definitely communicated across the chain.

So unless the manager of accounting is one of your superior superiors, though luck, (s)he should contact his/her superior until there is one who shares both chains.

Re:Chain of Command

[MrNaz]

So *that's* why it takes so long for a guy in the appropriations department to approve a new box of paperclips for the guy in accounting.

He is accused of 4 crimes (3 were later dropped).

[khasim]

It is up to the legal system to determine whether he committed any crimes.

So far, all you have is the accusations and even 3 of those 4 were dropped. So "he deserves punishment" for things that no one is now claiming he did?

Weird.

Re:the affected dickwad says:

[jo_ham]

Perhaps, and it is indeed your right to ignore the grammar rules of the the language you are writing, but you also have to be aware that anyone reading it will naturally make judgements about you because of that.

Capital letters and punctuation are not just "convention", they do help with reading comprehension in the same way that paragraph breaks do. I don't think that ignoring the grammar rules just because you don't like them is an any way superior; as the GP said, it makes you look like an ass just for the sake of it.

If I'm one of the "bunch of assholes" (presumably everyone who uses capital letters correctly) then so be it. Rather be an asshole than come off looking like I don't know how to write.

Your final point jumps right back to what the original poster was talking about that you seem to have missed (hey, maybe there is a connection between people who don't write properly and low comprehension skills); you obviously want to contribute to this discussion and taken seriously, and make no attempt to actually make your posts easily readable. You're no different to the no-paragraph posters; people will just skip over your post without reading, or they'll get part way in and then dismiss it because you simply cannot write (from observation - who knows if you can or not since you don't show it). The content of your post is diminished.

You may have the opinion that good writing doesn't matter, but I'm afraid that it does.

Incidentally, the use of imperial over metric is not the same thing at all. Your bastardisation of the English language because you think it is superior is the same as going down to the hardware store and asking for a metre of timber, where you have defined a metre as the distance from your shoulder to your fingertip. Metric and imperial systems have conventions. If I say I want 1M of timber I'm not using the metric system accurately, since the SI symbol for the metre is m. If I say I want 5"6' of rope I'm also not using the imperial system correctly.

Invent your own language with its own grammar rules if you like, just don't pretend that ignoring the bits of a language you personally don't like as the superior method, and simultaneously complain that anyone who uses the rules properly is an asshole; it makes you look like a dick.

Re:How so "stolen"?

Nah, more like the chauffeur refusing to give the keys of the Rolls to the empty headed daughter. He did hand them over to dad.
Heh, that's nearly a car analogy.

Re:Idiots

[jaggeh]

I finished an IT security & Responsibility training day on friday and heres what i learned.

In my company any passwords i have for any part of the system are my property and my responsability to maintain and protect.

My boss can not ask me for my passwords, in order for him to gain access to my system he has to go through an 'e-share' system of approval from our IT department and they allow or disallow it based on his actual need to access my files.

If my employment is terminated for anything other than misconduct i get a months notice and in that time i have to wind down any operations im involved in and hand over the keys to whoever is taking my place.

---
In the case of misconduct my pc is confiscated and im escorted from the building. The pc is sent to a data retreival company and any/all relevant info is sent back to employer and then the pc is wiped and returned.

2 weeks later i get a box in the mail with my personal effects left in my desk.

---

Now i havent been fired yet ;) but i know someone who has gone through the process and from all the companies ive worked in this company is my favorite for IT security.

I've been keeping track of Terry's case and i fully support his decision not to hand over passwords to critical systems to someone who was
a) Not authorised to have them
b) Not qualified to maintain the system they belong to

Re:Why is this guy being treated as a Martyr to IT

[Tlosk]

You make a wonderful point, it boggles me how many posters here seem to be fine with the idea of letting the city burn if you were following the rules like a good little citizen that never questions those in power.

Re:Intellecutal Property Laws are not difficult fo

[LordAndrewSama]

This is how physical property and intellectual property differ. Those things all belong to the company, and it let him use them. He left them there when he left. The passwords belong to the company, and it let him use them. When he leaves, are you saying he has to have his memory wiped of all that companies IP? he left, it's now "their" problem. he didn't deprive the company of their passwords by "stealing" them, the company misplaced them and he has no obligation to help them look.

I'm explaining this horribly badly, I know, but still, I feel he has no obligation once he's been fired.

Childs should get twenty years

[Zeinfeld]

You know I had wondered why I stopped reading slashdot, then when I come back I find this story which is about as balanced as Fox News and I remember why. It is not a 'fact' that the DA has done no homework on the case, that is a speculative claim from what appears to be a highly partisan source - a journalist who snagged an interview with the perp and wants to retain access. The guy tried to hold the city hostage. Venezia fails to mention that in his bizarrely one sided account. Specifically, the guy had changed the passwords on the routers and refused to tell his employers what he had changed them to. That is, or at least should be recognized as extortion. The employers paid Childs to administer the system, they had a right to expect him to do so honestly and in a way that would allow them to use their property if he was not available. The guy is lucky not to be up on federal charges. The water treatment plants were amongst the infrastructures that he disabled. The incident does demonstrate a security risk that is often given insufficient consideration: failure to maintain control of the system.

Re:Childs should get twenty years

[Coren22]

so you would rather that he broke the policy that was given to him with regard to passwords and let unauthorized people have access? The city policy only allowed him to give passwords to the Mayor, which he did as soon as he was allowed to. If you are fired, and some random people ask you to give up the password, would you? If you say yes, then you will end up at the wrong end of a lawsuit, as that would make you criminally culpable in whatever havoc those people caused on the network.
   

Re:Childs should get twenty years

[Moryath]

The water treatment plants were amongst the infrastructures that he disabled.

Uhm, come again?

Nothing was "disabled." Nothing was turned off. The situation was quite simply that the routers were secured down to the point where, without having admin credentials, someone could not CHANGE them. This is not "negligent", this is smart design.

Then we get to the exorbitant bail amount, the fact that he's being held in lockup without a bail reduction even though better than 3/4 of the case has been dropped due to lack of evidence, and the fact that he in fact gave the passwords up to a competent authority (the SF Mayor, aka his boss's boss's boss), and it looks like a kangaroo court in process. The DA's office doesn't have much, if anything, of a case but they're desperate to justify what they have done so far so they just keep pushing along.

I'll offer you a choice. You are being reassigned to a new area. Your "boss", the blithering idiot who still keeps his password in a sticky note on his monitor and who holds a bitchfest every time he's told he has to pick a password that actually conforms to complexity requirements rather than using "god", demands a ton of passwords with root-level access. You've seen numerous situations before where the "admin at the time" (e.g. you) has been turned into the fall guy for shit going wrong or security breaches, when it's obvious to anyone doing any research that the real problem is some moron boss with less brain cells than teeth, an MBA, and a napoleon complex.

What. Do. You. Do?

Re:Childs should get twenty years

[Abcd1234]

What. Do. You. Do?

Uh, you give them the passwords.

Christ, how is this even a question? Your *boss* tells you to do something? Then you fucking do it! Have a problem with it? Go over his head to his boss. And if that guy tells you to go pound sand? You do your fucking job and hand over the passwords.

In short: This guy was an idiot. That network wasn't his personal property and he had no right to refuse access to it for those in a position of authority, regardless of his impressions of their professional qualifications.

Re:Childs should get twenty years

[Curunir_wolf]

I think you need to read up on the case a bit. Childs was actually protecting the network and keeping it running. The people he was asked to provide the passwords to had already demonstrated their incompetence by causing outages. Far from "holding the city hostage", as you claim, he was actually keeping the network running. The only disruptions were caused by the non-technical manager types that were asking him for control, without providing any assurances that they could maintain the network or even understand the configurations they wanted to be able to muck with.

Re:Childs should get twenty years

[HarrySquatter]

So what? They were his bosses and the owners of the equipment. He had no right to refuse them access to their own property no matter what they could have and would have done to fuck it up.

Re:Childs should get twenty years

[lgw]

He had a responsibility to the people of the city who depended on the city infrastructure not to recklessly endanger that infrastructure. As a trained professional, in his professional jidgement, giving the passwords to his boss would have been dangerous. He acted reasonably (and within policy), insisting on moving somewhat higher up the chain of command, and drawing attention to the incompetence of his boss.

Your boss has no moral authority. He's just another employee, no different from you.

Re:Childs should get twenty years

[natehoy]

I worked for a company that performed services for companies that had a lot of personal information. Our systems were kept pretty tight.

For a while, I was the only IT person in the company. I had the primary passwords for much of the company's infrastructure, and the policy manual that was worked up allowed me to give those passwords to two other people on request - the President and my departmental Vice President of the company. The VP was three rungs up the ladder from me.

Neither had the chops to do anything with the passwords, but of course they could easily have hired someone who did. I also had to keep the current passwords in an offsite lockbox at a local bank and only the three of us had access to that box. That way, if I got hit by a bus (or terminated for cause, quit under suspicious circumstances, or whatever) the company could continue operations smoothly.

My boss's boss walked in my office one day and asked for a password for one of the main systems. After a long, involved, and rather unpleasant conversation, I was threatened with termination if the passwords were not handed over. As I started to pack my crap up, the President walked in the room and thanked me for my diligence in following security protocol. It was a surprise audit. I don't think I would have been terminated if I had handed over the passwords, but I'm sure my clearance to possess them would have been revoked in a very large hurry. And that would have been the correct action to take.

There are circumstances where you DO NOT have the authority to give information to your boss. If there is a policy against it, the policy trumps your boss's ability to ask you for the information.

I don't know for sure the policies in place at this particular department, but it is very possible that the boss was not authorized for that information. Passwords and security information do not necessarily follow the chain of command - they follow a chain of responsibility and/or trust, and that isn't always perfectly aligned with the chain of command. If Childs' boss was not authorized for the information, he did the right thing in insisting that the information be turned over to the people his security protocol manual specified.

If Childs' boss WAS authorized for the information by policy, and Childs honestly felt the boss would misuse the information for something illegal and/or was gunning for Childs, then his actions may or may not be justifiable in this case - he's going to have to produce some proof that his boss had an illegitimate purpose. That could be tough.

Re:Childs should get twenty years

[dougmc]

Personally, if that sort of thing was done intentionally to see how I responded, I might have just kept packing my stuff up ...

I assume that part of the unpleasant conversation was you suggesting that the VP or Pres get involved, and this was rebuked.

Re:Childs should get twenty years

[arth1]

Christ, how is this even a question? Your *boss* tells you to do something? Then you fucking do it!

That was the defense that many of the accused at the Nuremberg trials tried.
It didn't work then either.

Re:Childs should get twenty years

[BenEnglishAtHome]

if that sort of thing was done intentionally to see how I responded, I might have just kept packing my stuff up...

Then how would you suggest a security audit be done? How else can we find out if someone will violate security policy than by giving them a chance to do exactly that?

I've been subjected to those kinds of audits on several occasions. Yes, they're mildly insulting. But they're also necessary, aren't they?

Re:Childs should get twenty years

[dougmc]

Mildly insulting is one thing. Going so far that you've basically quit your job is too far.

Re:Childs should get twenty years

[Zeinfeld]

According to the depositions in the case, this claim is utterly false.

The site policy was for the passwords to be entered in a security database. He may have disagreed with the policy but he was not entitled to refuse to comply with it.

I find the claim that he did not recognize his superiors or that his actions were genuinely motivated by a desire to protect the network as somewhat incredulous. His actions are rather more consistent with attempting to preserve his job security by ensuring that he was the only person that could control the network and refusing to co-operate with legitimate attempts by his management to regain control.

The idea that this should be a concern to someone acting in good faith is ludicrous.

Re:Childs should get twenty years

[natehoy]

I disagree. Sorry, but if you're going to trust me with very sensitive data, you need to be able to trust me with it, and that means testing me in such a way that the results are valid.

Which is no way means it's pleasant, or fun, or is anything other than a complete horror show. On the other hand, I was ready to leave the company with my head held high because I stuck to my principles, and there's a part of me that is proud of that.

It still sucked fetid donkey balls when I was going through it, and I have no desire to repeat the experience.

But if you can come up with another test that can demonstrate without doubt that an employee's personal integrity is worth more to them than any specific job, I'm certain a whole lot of people who are responsible for important data would love to hear it.

For the love of God...

[L4t3r4lu5]

Will people please stop posting that Terry Childs was "being an ass about it"?! He didn't give up the passwords to his supervisor because policy prevented it. It would be a breach of contract (potentially criminally negligent) for him to divulge the passwords requested to anybody but the Mayor.

Guess who got the passwords as soon as they asked? That's right!

THE MAYOR.

End of subject, folks. Stop posting about him "being an ass" or "getting what he deserves" or "setting a bad example." He set the best example by not caving in and handing the "keys to the realm" to some new face he didn't know the technical knowledge of, and was specifically prevented from releasing by the very policy which kept him employed.

This is a PR campaign to save face and nothing else. Someone high up the food chain did something idiotic (calling the police instead of HR / legal dept) and blew things out of proportion. Now they have to see it through, or they'll look like fools and lose their jobs. CYA territory.

I hope the lot of them are fired, and Terry gets to sue every last one.

Re:For the love of God...

[Ykant]

I decided to read a couple of articles about the situation after reading the parent post. That's led me to believe that IT admins everywhere should be supporting this guy wholeheartedly. When you get down to the point of it, this is a guy getting shafted as a result of sticking to the documented policy.

I realize that it's a long-running joke around here that people don't RTFA. RTFA.

Re:anyone here who defends this man

[sjames]

He didn't decide for himself, he was following written policy.

If I hire a general contractor to build my house and I instruct him to hire you to key the locks, he is your boss, but he is NOT entitled to a copy of the keys.

Re:How so "stolen"?

[KC7JHO]

Actually that would be after he found a girl, who he had originally thought was a cleaning lady that was fired 3 weeks earlier, under the hood with a wrench and a hammer, and upon confrontation she had him arrested and held without bail or telling him what the charges were. Then her and the Gardner were demanding he throw the keys out the jail window into the crowded street.

Re:Why is this guy being treated as a Martyr to IT

[jc42]

Bail should be set as a deterrent to flee before a trial is finished, not to keep someone indefinitely in a cell.

And this is probably why they did it. His bosses probably knew (or were told by their lawyers) right off that they didn't have a chance of convicting him of anything. So they used one of the standard legal ruses to keep him in jail while they delayed the trial. It's not especially unusual for people to be jailed before a trial for longer than the longest legal sentence. It's even done when conviction couldn't get a jail sentence at all. The idea is to keep someone in jail as long as you can, by any means that will work. Then it doesn't much matter if the court exonerates them; you've shown that you can incarcerate them sufficiently long without a trial.

Parts of the US Bill of Rights were designed to prevent this sort of imprisonment. It hasn't worked very well in this case. And it's not the first time that such things have been done in the US. Anyone not aware of this problem is naive and ignorant of history.

The only real question is whether he can get restitution from the courts afterwards. History says he probably won't.

This sort of story is why I gave up on security/admin jobs early on. I read some stories similar to this, and figured out that the non-technical people above my immediate boss were highly likely to pull such stunts, perhaps with me as a chosen victim. The only way to win that game is not to play it, because the higher ups can see all the cards and do all the shuffling. Of course, when I and thousands of others started figuring this out, it inevitably led to our current sorry state of widespread computer insecurity.

One thing we might add to this story is a question about whether SF will be able to hire a competent person to replace him. I certainly wouldn't want to interview with them, except maybe to see if I could get some inside information about their current policies (after which I'd simply ignore any job offers).

One thing I'd suggest to anyone in his position: If your superiors demand that you give admin passwords to non-technical people, you should hand in your resignation along with the passwords. Tell them right out why you consider this a threat to your own legal safety as well as the computer systems. Chances are they won't be surprised, because they knew what was planned. After all, anyone with the root passwords can edit any file and fake lots of evidence, including the timestamps on files.

Re:Why is this guy being treated as a Martyr to IT

[sjames]

He didn't do that though. He told the managers that he would turn the password over to the mayor (the OWNER's duly elected representative). A few days later, the mayor asked him for the password and, as promised, he told him.

Re:Exactly, this ain't that hard

[tngaijin]

Your recommendations are great recommendations! My only problem with it as applied to Terry Childs is that they totally ignores his situation!

Go to the boss, the highest you can barge in on, hand him in writing your objections and the passwords AND your resignation. Have them signed and don't look back.

Care explaining how you do that while you are in custody at the police station?

NEVER EVER try to be clever within the system, you cannot win.

I totally agree with you. Absolutely do not violate policy on handing out root passwords by, let us say, giving them out to people over the phone, on speaker phone, in a room full of unauthorized people listening.

Always do this especially when working with government or semi-government (Huge companies that either were once state run, work mostly for the state, are run by ex-state people or because of their size have become ministates. You know the type, where people were ties, even when they are not.

Good point. Don't work for a company that is going to put you in a situation that you can't win if you do, can't win if you don't. It makes you the easiest target to become the person to take the fall. But then, if that happened, we would only have stupid people applying for public service jobs such as Mr. Child's. Is that really what we want?

This guy tried to be clever. It never works, you are never clever enough and the system knows how to deal with clever. Instead be smart, get out.

Once again don't work for that kind of system if this is always the case. And for a second time, he didn't have the option you are saying he had.

This guy really should have just done as said above. Hand it off and get the fuck out of the way.

Okay lets get serious for a second. This attitude of not rocking the boat is exactly what allows these sorts of 'systems' to become what they are. I guess we could all run away, ignore the glaring problems and move on to leave them to someone else. And as we all do that they will get worse and worse. Instead, I propose dealing with the problems. For example, if you are put in a position where people are abusing their authority to try and force you to do something that could cause harm to, lets say for example, a whole city, you should stand up against that. I hope that Mr. Childs wins this case and wins damages that are large enough that the whole tax base pays attention to what happened here and demands that heads roll and that these sorts of 'systems' are dismantled. I don't see how else to stop these sorts of 'systems' to become the norm when the common attitude seems to be to bury your head in the sand and move on when there is a problem.

There is good money to be made in this segment of the market, but only for those who can play the game and the first rule of the game is, don't get into the game if you don't know the rules.

I'm sorry I didn't realize that government was a game. I take it all back. Since it is all a game I guess it is perfectly okay to make 'good money' and ignore the problems inherent in the IT department of Frisco! I mean its a game! Tax payer money and public employee competence doesn't matter! What was I thinking!?!?

Citation needed

[Mathinker]

> The water treatment plants were amongst the infrastructures that he disabled.

This is the age of the hyperlink. Please provide one.

As for him deserving 20 years, it seems to me that it can never be a crime to forget something. In the same vein, it would seem to me that it cannot be a crime to be psychologically incapable of providing information. Other posters have claimed that it was even against his ex-employer's policies to provide that information.

I wonder if we will ever learn the real truth about this matter. It's fairly clear what version the city government would like to be revealed as the "the truth".

Re:Why is this guy being treated as a Martyr to IT

[St.Creed]

Oh, Please! IT infrastructure is the plumbing of the 21st century. This guy is a plumber. It is not his job to decide who should or should not have access to the network any more than it is the job of the master control technician at NBC to decide what to air at 8pm on Thursday nights.

So, let's run by this completely hypothetical scenario then. Say, you are in charge of the plumbing at a facility called "Chernobyl" and your supervisor is asking you to run a few tests, that violate the security protocols.
Since he's just a plumber (or operator) I guess you're with the Chernobyl supervisor here... enjoying the glow-in-the-dark effect...

Terry Childs said no. I'm with Terry. Policy isn't there to be ignored the first time someone tells you to. Especially if the policy is much smarter than the person telling you to ignore it.

Re:Mod parent up

[DJRumpy]

The guy was creepy. When he was arrested, his PC contained pages and pages of usernames and passwords. He had $10,000 in cash on him when he was arrested, and a loaded 9mm.

No one on here wants to hear those details. He was a saint. A true hero. Whatever, mark the info above as Trolling (not even sure how that applies, as those are public records from the case as well as the official SF security policy), but it is what it is.