Terry Childs's Slow Road To Justice
snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.
I'd log in to post a comment, but Terry Childs won't tell me my password...
Will Cisco before to let take the reup test without having to do full lab test and is he able to get IT books / tests in jail?
'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I
Don't use a non-specified IP address.
Or more specifically: grab a console cable, plug it into the device, and do what you need to do.
That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.
In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.
No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.
I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.
Can you be Even More Awesome?!
Childs doesn't deserve two years in jail, and further penalties heaped upon him. There is a lot of incompetence mixed with hurt pride among the city staff, which is to be expected from any government body.
But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.
How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?
If he is found not guilty, is he still a city worker? I think the union just doesn't let the city fire someone like that, and was he even fired?
Anyways he should get city paid health care (Full with no pre-existing at the full cost that this) 2 years in jail = any pre-existing that someone can think of.
His job back if he wants it or his full pay for 2 years in jail + 500K per year in jail.
Full unemployment if he can't get his job back.
As many HR people will not look past the 2 years in jail even if he is not guilty, and even then they may not want to pay the health care costs for someone like that.
The auto browser detection and print destination URL aside... It's an absolute mess and was a chore even finding the correct story from a mobile browser. Have they ever used it? That's what I get for trying to RTFA.
This for a man who 'ultimately protected the [City's] network until the bitter end.'
Obligatory: xkcd: Devotion to Duty
The problem here is one of who has the authority to what and what safeguards are in place. Having worked in several large companies, this would never have happened. The rule usually amounts to the "root level" passwords must be verified by two people then two sealed envelopes containing the passwords with the signature of the people that verified them were placed in a high security safe that was not controlled by IT but by legal. People had different levels of access and either had access to the system password if needed however most anything was done with "extended" privilege accounts issued to individual users. System level login was highly discouraged as it lacks most of the AAA of network security. This process was part of a number of policies from "the bus crash" to the data center has been leveled by a force of nature. Bottom line is that no one person should ever have operation critical data only in their head.
This guy gives network security and network operations a very very bad name. Granted the jail term is a little over the top but what this guy did is wrong on so many functional levels.
What am I missing? Why is this modded funny?
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Summary needs more links that won't be read.
It's been 8 weeks since Terry Childs' trial has started. Tonight on Dateline we will talk extensively about the trial and everyone even remotely connected to it, but true to our format, at the end of the hour you won't know if he's innocent or guilty because the trial isn't over.
We will only learn the truth over the course of future Dateline episodes and when we are finally done with the story you'll still wonder if he's guilty or innocent.
When I read GP, I couldn't stop giggling. It's so poorly worded. I'm sure it's a meme of some sort, but it's funny in its own right.
Why in the world is the good guy thrown into jail and that idiot still remains the mayor?
Is this the good old U. S. of A. that stands for Justice, Liberty and Truth?
Muchas Gracias, Señor Edward Snowden !
encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes.
Actually reading through the comments on the article, it seems most of the emotion is coming from people upset at the mayor Gavin Newsom, more than they are based in any actual sympathy towards the defendant. Like this example comment FTA,
The computer hacker would have been treated with more dignity and respect if he were an undocumented alien with a murder rap on his head. Kamala Harris would have backed him up.
It is nominally suggesting that Childs was treated badly, but in reality the commenter is more upset with the mayor's immigration policies. The comments that look at Childs disfavorably also seem to be the ones that favor the mayor. In the court of public opinion, Newsom was on trial here, not Childs.
Qxe4
"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."
Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.
I can understand Childs' frustration with some managers - but IT folks don't set corporate or city policy. Sometimes we are asked to write a draft policy for security - or participate in organizational efforts to draft one - but we don't get to arbitrarily impose one.
In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.
They aren't your systems. The people who paid for them - the city, and its elected and hired management, the company, the shareholders of the company and their hired execs and management - they own the systems. When IT starts to assert ownership, it's wrong.
We need to assert responsibility - and that includes not giving out the passwords and access controls inappropriately. But appropriate sharing of that information is required. Any of us could have a heart attack or be hit by a bus tomorrow. If you haven't thought through the impact of the "Bus Test" on each of your coworkers, and yourself, then you're not doing your job. Your boss absolutely must be able to tell your emergency replacement how to do their job. If they can't do their job, or take an inordinate amount of time hacking in to everything to get access that you didn't share, you did your job wrong.
I don't think he should have been charged as he was. But he did wrong. He probably deserved to be suspended or fired for doing it as persistently as he did, even if his bosses were bozos (and I have no personal knowledge or opinion on that point). If he thought his bosses were doing wrong, he should have escalated within his management chain, ultimately to the mayor. But just saying no, until arrested, isn't responsible or reasonable.
Unless security policy already says "don't tell managers this" and management has already signed off on that - and there's another techie, or an envelope in the safe with the info, in case of Bus - when managers in the management chain insist on it, you give it up, or immediately escalate to more senior management. Period. Even if you think it's going to be a disaster. You are not the last and final judge of who gets it and who doesn't, and if you think you are, your career is likely not going to last that long.
Childs isn't going to be convicted. Not only that but the personal injury lawyers in California are going to be falling over themselves to represent him in a civil suit against the city, manager that caused all this and the DA that went along with it. He's worth several million dollars for what they did to him. His job specifically required that he not disclose his password to anyone other than city management. He was confronted with a situation he handled badly with a room full of people demanding the passwords to the WAN. His response should have been that he couldn't legally provide them to the people in the meeting or that he needed an attorney present before answering any questions.
But the past is the past, once the city went to the stage of prosecuting him and publicly demonizing him they had to go full court and try to convict him because they just opened themselves up to civil damages. Now two years later I'm willing to bet they have made at least one offer for a minor conviction to end it all simply so he can't sue them. He didn't fall for the trick and once this is over he's going to be paid a tidy sum, likely with an NDA so the political people involved don't get burned for what they did. Personally I hope he demands they fire the bitch that caused all this as part of the settlement with the city. I know I would.
I have said this before here, and will say it again now. I believe Childs is in the wrong and has behaved badly. He seems to have a martyr complex and doesn't seem to remember who actually owns the network. I would never hire this guy to manage my network; and yes, I do have a network I hire people to manage. His actions show me he cannot be trusted. He is not Horatio at the Bridge; he is a complete asshat. For the record, I do live and work in the Bay Area, and I also believe Gavin Newsom is a complete asshat.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
It looked like a memo from management to me. Very senior management.
Criminalization of competence. non story.
But seriously, see how things are taking shape?
I don't get it - with a bullet. This guy behaves appropriately and ends up in jail?
At some point you realize that it isn't incompetence. It's their goal.
Communication is only possible between equals.
You can't herd Cats ... but you can move their food.
~hylas
It was in his contract that only the mayor was authorized root access to everything. He repeatedly asked for the mayor to come, and he would share the information.
It is not his job to do his boss' job. If he gets hit by a bus, you can't sue a dead body for missing passwords.
His boss didn't do his job according to the contract (secure access controls and mitigation plans), but that is hardly this IT guy's fault.
He got fired. Then the unauthorized people start asking him for passwords in the POLICE STATION.
When the mayor showed up on his request, he shared all the required passwords, even after having been fired (pure luxury on the city's behalf as he is free of any obligations at that point).
Of course if they were competent, the city would have made sure they got the access and authorizations BEFORE they fired him.
Heck, they would KEEP him instead, and not try to fire him illegally in the first place.
This mayor is criminal, and the city should be charged with false criminal complaint, and injustice of having imprisoned an innocent man for 2 years.
You have to exercise your right to speedy trial. More or less your lawyer files a speedy trial motion and that sets things in motion. What sort of time limits there are depends on the jurisdiction (notice the Constitution doesn't specify a specific time) different states have different laws, and the judge in the case.
Generally, this isn't done. The defense wants time to prepare for trial. They don't try and push the trial date. That seems to have been the case here.
The Constitution says you have a right to a speedy trial, it doesn't say you can be forced to have one. If neither side pushes the issue, it can drag on.
Seriously. Any large organization has lawyers, and a city government certainly does. So you have someone who is higher up than you on the chain saying "Give me these passwords or else." You don't know if they should be allowed to have them legally. Say "I can't give them to you until I've consulted with the lawyers." Ask them what to do, who can have access, etc. If you are real nervous, get it in writing. At that point, you are in the clear more or less. I mean I suppose they can fire you, you can basically be fired for anything, but legally you are fine. If the legal group said "This is what you can do," then you can do it. If they are wrong, that's their problem.
Had he said "I don't know that I can give you this, I need to talk to the lawyers first," I doubt there would have been a problem. What started the trouble was he basically just flat out said "No."
Here is the passcode to SF City's IT goodies:
GavinNewstromIsAThumbdick
It sounds to me that they screwed up badly.
So they keep trying to intimidate this guy. Keep him in jail for years without a trial, make him plea bargain out.
But he won't blink. And if he is found innocent, he has a hell of a lawsuit.
You really brought up terrorism and communism over this? Please at least attempt to be serious.
A major clue here about what is going on is that the Mayor didn't go there with anybody with any technical skills but instead his MEDIA MANAGER. This is just grubby office politics where an excuse is found after the fact with maximum spin. This is going to get interesting when the defence comes in, I know if I was a lawyer and asking questions I'd be very interested in the new "security" person and exactly what nepotism was going on that got her the job and got the guy that made her cry fired.
If there was anything at all in this we'd be seeing convincing evidence on day one instead of coming up some time soon after eight weeks!
Agreed. It's stupid and downright Quixotic to hang on to their passwords because of "Policy" when he knows the requestors are the legitimate owners of the equipment.
The right thing to do would have been to say "By policy, you can't have the password, but I have provided the password to N.N. as I am allowed to do that. Talk to her/him."
Tell your friends about xenu.net
I think you're 100% on the money here (pardon the pun).
The current work is to get the guy to settle or plea bargain because it's 100% certain that he will raise merry hell the moment this is over, and he has just cause. The problem is that it is critical that people in court get brought up to speed on what it takes these days to keep IT secure.
Otherwise they will get a judgement that will lengthen this agony even more.
Personally, I think they should try to settle with him, but I think that'll cost more than they have.
Mr. anonymous coward,
You don't know shit about what you're attempting to talk about....I guess that's why you posted as an AC.
This devolved into a pissing match, but it doesn't change the fact that Childs was in the right.
Personally,
I'd hire Terry Childs in a second because he is clearly very good at what he does. The only thing I would change is that I would make him document his procedures. It was a failure of management that helped him to develop a NetGod complex. Did he handle his grievances correctly? No, but I doubt that there isn't an IT professional in the field that hasn't experienced heartburn at the hands of incompetent management (at least as far as their IT skills and knowledge are concerned).
To some extent, this story reminds me of the first Ghostbusters movie, when the Fed blessed with authority but cursed with ignorance demanded that the Ghostbusters shut down the spirit containment grid. They were thrown in jail until a personal conference with the mayor convinced him of that which mattered most to him; saving millions of VOTERS. That however was a comedy fiction, this is actually a little scary.
I suspect that Mr. Childs' bail is set so high because unlike most of us ordinary citizens, the city is AFRAID of him. He represents an unwelcome check on their power because beyond the normal parameters of the relationship between citizens and their government, or even workers and their employers, the machines only respect those with the expertise to utilize them properly. We've implicitly given the machines a LOT of power over us in this society, and Mr. Childs knew how to talk to the machines. He must be contained because the state cannot have citizens disgruntled with its periodic incompetence doing end runs around its bureaucracy. The amount of his bail reflects the magnitude of the threat he poses in the eyes of the city.
Personally, I think there should be a fund raised (contributions of $1, $5, $10) to bail him out; while he didn't handle his concerns properly, his real crime is embarrassing the city of San Francisco. For that, 2 years in jail is excessive especially given that if they are like any other city I've ever visited, they probably deserved it. I'd bet that there's a little bit of Terry Childs in most if not all IT professionals that take pride in their work. When he gets out, I hope he writes a book and does paid speaking engagements.
As boring as the trial may be, I'm sure his story would be a lot more interesting.
Sounds like this guy didn't document how he secured the system, then refused to show his employer how to access it again. I say screw him. You're working for the city and your employer. Their resources belong to them, including the security measures you put in place. You refuse to relinquish that access, whether the keys to the kingdom be virtual or real, then you deserve to go to jail. I hope he stays there. I have no clue why idiots like this become Slashdot Heroes.
I swear to God...I swear to God! That is NOT how you treat your human!
I know of one former job where they have no clue on the passwords used for things like databases, configuration passwords, etc. When they laid me off they didn't even ask. I guess they thought I did nothing there.
I know it won't happen soon but there will come a day when they'll wonder what those passwords are. Hell I don't even remember them, I used nice cryptic passwords for everything.
That is what Terry Childs is really "guilty" of.
In his zealous creation of unorthodox network configurations, and his hoarding of all the administrative secrets, he probably thought he was creating a uniquely secure network. He was probably proud of the way he was doing it. While his intuition to keep password distribution to a minimum was correct, he apparently failed to recognize that some redundancy was required, and some network config documentation in trusted hands other than his own, in order to protect the network from "run over by bus" scenarios.
Other aspects of what the affidavit against him charges, such as connection of "unauthorized" devices, are spurious accusations, because Childs probably believed, and quite possibly with justification given his "total responsibility for that network's creation and operation" role, that it was within the discretion of his mandate and role to set up such access devices, if he saw fit. It sounds like no one was supervising him at all for a long time, then they came in with a whole bunch of regs & requirements after the fact which he was retroactively violating.
No. The real issue here is that poor mister Childs, and, it seems, his direct supervisors, were all guilty of a lack of the basic social skills that would have allowed each other to understand what the basis of each others' position on various issues was, and to come to some amicable agreement on those issues. Childs was clearly very senior, and had been given carte blanche authority in his domain. This led him to some excessive perceptions of his "rightful powers" and to his somewhat distorted sense of complete justification for retaining sole custody of the vital secrets of the network.
With better social skills, he would have understood why the organization wanted a more institutionalized, standard procedure based, and redundant way of operating the vital network, and he would have made concessions in this regard while still maintaining a high level of operational security and technical integrity.
With better social skills, his management should have had no real problem in convincing Childs of the reasonableness of some aspects of their requests. It seems as if it was all escalated to "conflict level" almost immediately, and that the organization's management, as well as Childs, each became rapidly paranoid about the others' motives.
I place most of the blame for the way it worked out on those managing Childs. They let the situation get out of hand, allowing non-documentation and informal operation for a long time, and allowing a non-team-based, non-redundant approach to the operation of the network. And they were unable to effectively use management and leadership skills to get the changes they needed from their senior technical employee, or failing that, to put in another senior technical person to whom Childs was ordered to train on the full operation of the network. Rather than saying "we're ordering you to hand over the loot", a competent management could have convinced him of the obvious benefits of becoming more methodical and implementing redundancy of critical operational knowledge. They could have made a rational argument about some of the specific ways in which redundancy needed to be added, and specific ways that security needed to be improved on the network. And if they were properly skilled, they could even have done that in a way that did not damage and threaten his fragile ego. They could have made it seem to him like it was his great idea.
This is all just a huge misunderstanding, and a situation that management let get out of control from the get-go of that network's creation. It does not justify the criminal scapegoating that has occurred.
Where are we going and why are we in a handbasket?
Childs did not hold anyone or anything hostage. He was just following the information security policy. The network never went down and no damage was done because he tuned the system to operate flawlessly even when he was unavailable to manage it.
Childs is a contractor, not a civil servant, so the union has no role in having him re-instated. But once he is a free man, you can bet there will be many job offers from all over the place. If I had any power to hire IT staff, I'd be calling him the day after he is acquitted.
Which, basically, says "follow this inter-county planning document":
Actually, I don't read the document entitled "COIT Security Policy" as saying that at all.
The document section is badly titled. If you read it carefully the heading "COIT Security Policy" should really be read "COIT Plan for Drafting New Security Policies". In fact, the whole thing is dreadfully written; I'd give it a "C" in High School English at best. For example under "Policy" it states "Recommends an initial policy to address the following:" which you would expect to be followed by a litany of concerns the policy must address. In fact, what the following points address is the steps recommended to arrive at a future policy, steps which by the way don't involve any kind of threat analysis or examination of legal responsibilities, or any other clarification of the goals the procedure outlined is supposed to pursue.
Here is the relevant quote, under the heading "Recommends an initial policy to address the following:"
COIT will initially adopt the California Counties Information Services Directors Association (CCISDA) “Best Policies for the Countywide Information Security Program” Framework (pdf) as a starting point and initial reference for CCSF Security Policies.
[emphasis mine]
Note it does NOT say "COIT hereby adopts CCISDA's BPCISP with all instances of 'County' replaced by 'City'." As best as I can make out this compositional abortion, it says that COIT will adopt BPCISP as a starting point for drafting its own future regulations.
In any case this document does not seem to say anything about what the current security policies are.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Can we get all the uninformed morons commenting on this story to read natehoy's comment here? Please?
If the investigating police had shown Childs their badges or at least identified themselves as police officers, I'm sure this whole debacle could have been avoided from the get go.
the fat virgin geeks are sure sticking together on this one!