Terry Childs's Slow Road To Justice
snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.
I'd log in to post a comment, but Terry Childs won't tell me my password...
Will Cisco let him take the re-up test without having to do the full lab test, and is he able to get IT books / tests in jail?
'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I
Don't use a non-specified IP address.
Or more specifically: grab a console cable, plug it into the device, and do what you need to do.
That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.
In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.
No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.
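As an added example, not code from the article or from any commenter, the following Python models the layered check described above: a management-plane login that consults a source-address allow-list before it even evaluates the password, shown beside the password-only design it replaces, with an audit log and a small detection pass over that log. All addresses, the account name and the password are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample allow-list: one management subnet plus a single jump host.
# Illustrative RFC 1918 / documentation addresses only, nothing from the article.
MGMT_ACL = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier so the credential store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store: one admin account (hypothetical name and password).
_SALT = os.urandom(16)
CREDENTIALS = {"netadmin": (_SALT, hash_password("correct horse battery staple", _SALT))}

AUDIT_LOG: List[str] = []  # every decision is appended here, allow or deny


def password_ok(user: str, password: str) -> bool:
    record = CREDENTIALS.get(user)
    if record is None:
        # Same amount of work for unknown users so they cannot be told apart by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def source_allowed(src_ip: str) -> bool:
    """Equivalent of a vty access-class: is the client address inside an allowed network?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in MGMT_ACL)


def login_password_only(user: str, password: str, src_ip: str) -> bool:
    """Weak design: the password is the only gate, so a leaked password works from anywhere."""
    ok = password_ok(user, password)
    AUDIT_LOG.append(f"mode=password-only user={user} src={src_ip} result={'ALLOW' if ok else 'DENY'}")
    return ok


def login_layered(user: str, password: str, src_ip: str) -> Tuple[bool, str]:
    """Layered design: the source ACL is evaluated before the password is even looked at.
    Returns (allowed, reason) so the reason is available for logging and alerting."""
    if not source_allowed(src_ip):
        reason = "source-not-in-acl"
        AUDIT_LOG.append(f"mode=layered user={user} src={src_ip} result=DENY reason={reason}")
        return False, reason
    if not password_ok(user, password):
        reason = "bad-credentials"
        AUDIT_LOG.append(f"mode=layered user={user} src={src_ip} result=DENY reason={reason}")
        return False, reason
    AUDIT_LOG.append(f"mode=layered user={user} src={src_ip} result=ALLOW")
    return True, "ok"


def repeat_acl_offenders(log: List[str], threshold: int = 3) -> Dict[str, int]:
    """Detection pass over the audit log: sources that keep hitting the ACL deny are the
    signal worth alerting on, because whatever password they hold is useless until the
    ACL itself is changed. Returns {src: count} for sources at or above the threshold."""
    counts: Counter = Counter()
    for line in log:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("result") == "DENY" and fields.get("reason") == "source-not-in-acl":
            counts[fields["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

The same correct password succeeds from anywhere under `login_password_only` but is refused by `login_layered` unless the client sits inside `MGMT_ACL`, which is exactly why handing over a password does not by itself grant access.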
I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.
Can you be Even More Awesome?!
Childs doesn't deserve two years in jail, and further penalties heaped upon him. There is a lot of incompetence mixed with hurt pride among the city staff, which is to be expected from any government body.
But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.
How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?
If he is found not guilty, is he still a city worker? I think the union just doesn't let the city fire someone like that, and was he even fired?
Anyway, he should get city-paid health care (full, with no pre-existing condition exclusions, at full cost); 2 years in jail = any pre-existing condition that someone can think of.
His job back if he wants it or his full pay for 2 years in jail + 500K per year in jail.
Full unemployment if he can't get his job back.
As many HR people won't look past the 2 years in jail even if he is not guilty, and even then they may not want to pay the health care costs for someone like that.
The auto browser detection and print destination URL aside... It's an absolute mess and was a chore even finding the correct story from a mobile browser. Have they ever used it? That's what I get for trying to RTFA.
This for a man who 'ultimately protected the [City's] network until the bitter end.'
Obligatory: xkcd: Devotion to Duty
The problem here is one of who has the authority to do what and what safeguards are in place. Having worked in several large companies, this would never have happened. The rule usually amounts to: the "root level" passwords must be verified by two people, then two sealed envelopes containing the passwords, with the signatures of the people that verified them, were placed in a high-security safe that was not controlled by IT but by legal. People had different levels of access and could get access to the system password if needed; however, most anything was done with "extended" privilege accounts issued to individual users. System-level login was highly discouraged as it lacks most of the AAA of network security. This process was part of a number of policies, from "the bus crash" to "the data center has been leveled by a force of nature". Bottom line is that no one person should ever have operation-critical data only in their head.
This guy gives network security and network operations a very very bad name. Granted the jail term is a little over the top but what this guy did is wrong on so many functional levels.
What am I missing? Why is this modded funny?
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Summary needs more links that won't be read.
It's been 8 weeks since Terry Childs' trial has started. Tonight on Dateline we will talk extensively about the trial and everyone even remotely connected to it, but true to our format, at the end of the hour you won't know if he's innocent or guilty because the trial isn't over.
We will only learn the truth over the course of future Dateline episodes and when we are finally done with the story you'll still wonder if he's guilty or innocent.
When I read GP, I couldn't stop giggling. It's so poorly worded. I'm sure it's a meme of some sort, but it's funny in its own right.
encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes.
Actually reading through the comments on the article, it seems most of the emotion is coming from people upset at the mayor Gavin Newsom, more than they are based in any actual sympathy towards the defendant. Like this example comment FTA,
The computer hacker would have been treated with more dignity and respect if he were an undocumented alien with a murder rap on his head. Kamala Harris would have backed him up.
It is nominally suggesting that Childs was treated badly, but in reality the commenter is more upset with the mayor's immigration policies. The comments that look at Childs unfavorably also seem to be the ones that favor the mayor. In the court of public opinion, Newsom was on trial here, not Childs.
Qxe4
"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."
Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.
Is this the good old U. S. of A. that stands for Justice, Liberty and Truth?
I think it's been a really good while since it actually stood by that slogan. I think it's really the country that stands for what's best for its corporations and lobby groups, where there is justice only for those with buckets of money and where the truth is whatever the winning side says at the end.
Moved to http://soylentnews.org/. You are invited to join us too!
Childs isn't going to be convicted. Not only that but the personal injury lawyers in California are going to be falling over themselves to represent him in a civil suit against the city, manager that caused all this and the DA that went along with it. He's worth several million dollars for what they did to him. His job specifically required that he not disclose his password to anyone other than city management. He was confronted with a situation he handled badly with a room full of people demanding the passwords to the WAN. His response should have been that he couldn't legally provide them to the people in the meeting or that he needed an attorney present before answering any questions.
But the past is the past, once the city went to the stage of prosecuting him and publicly demonizing him they had to go full court and try to convict him because they just opened themselves up to civil damages. Now two years later I'm willing to bet they have made at least one offer for a minor conviction to end it all simply so he can't sue them. He didn't fall for the trick and once this is over he's going to be paid a tidy sum, likely with an NDA so the political people involved don't get burned for what they did. Personally I hope he demands they fire the bitch that caused all this as part of the settlement with the city. I know I would.
I have said this before here, and will say it again now. I believe Childs is in the wrong and has behaved badly. He seems to have a martyr complex and doesn't seem to remember who actually owns the network. I would never hire this guy to manage my network; and yes, I do have a network I hire people to manage. His actions show me he cannot be trusted. He is not Horatio at the Bridge; he is a complete asshat. For the record, I do live and work in the Bay Area, and I also believe Gavin Newsom is a complete asshat.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
The idiot wasn't the mayor, but someone in middle management. The mayor was brought in as an appropriate person to receive the passwords because the idiot that originally demanded them wasn't actually covered by the security policies.
In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.
Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.
He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.
So in other words, that phrase is just standard marketing schlock?
It looked like a memo from management to me. Very senior management.
It is interesting, but early legal doctrine was hugely tilted toward the rich; and much of the lack of Justice, Liberty, and Truth that you complain about occurred with the movement toward more democratic (not republican) USA government. Nevertheless, it may be argued that the USA never stood for justice or truth, and perhaps not liberty either.
Criminalization of competence. Non-story.
But seriously, see how things are taking shape?
I don't get it - with a bullet. This guy behaves appropriately and ends up in jail?
At some point you realize that it isn't incompetence. It's their goal.
Communication is only possible between equals.
You can't herd Cats ... but you can move their food.
~hylas
So you're saying it's time for a new national byline eh.
"Arbitrariness, Security and Hidden Agendas"
No, doesn't flow off the tongue right.
"Commercialized warfare, industrial subjugation and for-profit courts"
No, that's too wordy...
"Injustice, slavery and lies"
Hmm... I think we have a winner!
I hate printers.
This is rapidly becoming myth rather than fact-based.
The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853
The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251
Which, basically, says "follow this inter-county planning document":
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
The password policy in CCISDA states:
(pp 32 of the document)
Though the "Do not tell anyone your password" sect
I've never found any press source with a contract quote that said that, or any filing in court.
If you have the source, post a reference, or at least the text of the contract.
As I said above - coverage of this case is largely myth-based. Bring actual facts - they work better.
You have to exercise your right to a speedy trial. More or less, your lawyer files a speedy trial motion and that sets things in motion. What sort of time limits there are depends on the jurisdiction (notice the Constitution doesn't specify a specific time); different states have different laws, and the judge in the case.
Generally, this isn't done. The defense wants time to prepare for trial. They don't try and push the trial date. That seems to have been the case here.
The Constitution says you have a right to a speedy trial, it doesn't say you can be forced to have one. If neither side pushes the issue, it can drag on.
Seriously. Any large organization has lawyers, and a city government certainly does. So you have someone who is higher up than you on the chain saying "Give me these passwords or else." You don't know if they should be allowed to have them legally. Say "I can't give them to you until I've consulted with the lawyers." Ask them what to do, who can have access, etc. If you are real nervous, get it in writing. At that point, you are in the clear more or less. I mean I suppose they can fire you, you can basically be fired for anything, but legally you are fine. If the legal group said "This is what you can do," then you can do it. If they are wrong, that's their problem.
Had he said "I don't know that I can give you this, I need to talk to the lawyers first," I doubt there would have been a problem. What started the trouble was he basically just flat out said "No."
Here is the passcode to SF City's IT goodies:
GavinNewstromIsAThumbdick
It sounds to me that they screwed up badly.
So they keep trying to intimidate this guy. Keep him in jail for years without a trial, make him plea bargain out.
But he won't blink. And if he is found innocent, he has a hell of a lawsuit.
Yes I think people forget the issue here. It wasn't as though he was being asked to give up his personal password. He was being asked to give up passwords for system accounts. Anyone who's ever played with a UNIX OS knows that there is only one of those. While you certainly wouldn't give that out to anyone, there are probably more people than just "the big guy in charge aka mayor" who are on that list.
I mean where I work the root password is known by about 5 different people. My boss also has it in a safe, along with some other things like that, because policy requires it. Were I to change that password to something only I knew, any of them would be perfectly justified in demanding I tell them what it was.
Sounds like he already violated policy by not having the password documented in said database. So for him to then try and cry he was only trying to follow the policy is disingenuous. In fact, I'm going to guess that's how they found out in the first place. They probably went to said database and the passwords were either absent or wrong. Thus they then went to him and he refused.
If the policy says your job is to document passwords somewhere, you'd better do it. If you don't, you've little room to bitch when someone comes at you angry demanding the password.
I have no idea what the policy was at the time... but I'm not sure what relevance policy 2 years after the fact is to the case. If there was indeed a policy in place that said he could only turn the keys over to the Mayor at the time I'm sure they would have fixed it in response to this incident.
As an aside I will mention that I left a previous job amidst huge layoffs and refused to give passwords to anyone but the CEO (it was a little company) because I had no guarantee that any other individual was the new "keeper of the passwords" and certainly couldn't take someone's word for it. Granted, other people had the passwords but we were all in the same boat. My point here is that there are cases where this approach is the only one that makes sense, though I don't know enough of the details here to know to what degree that was true for Childs.
If you look at the website, the multiple counties model policy document is from 2003, and the enacting executive order for San Francisco making that the ruling policy was from 2007, so these were in effect at the time Childs was employed (at least by the end) and at the time he was terminated and then arrested.
These are the applicable, contemporary policies he was operating under, apparently with little or no modification still in effect now.
You really brought up terrorism and communism over this? Please at least attempt to be serious.
A major clue here about what is going on is that the Mayor didn't go there with anybody with any technical skills but instead his MEDIA MANAGER. This is just grubby office politics where an excuse is found after the fact with maximum spin. This is going to get interesting when the defence comes in, I know if I was a lawyer and asking questions I'd be very interested in the new "security" person and exactly what nepotism was going on that got her the job and got the guy that made her cry fired.
If there was anything at all in this we'd be seeing convincing evidence on day one instead of coming up some time soon after eight weeks!
From previous coverage, it seemed pretty clear that SF didn't HAVE a "security administered global password management database", outside of what Childs was himself maintaining (and I've seen no specific indication that he wasn't maintaining such a database, nor that he would have been the wrong person to maintain it).
It did seem clear that the people who ambushed him didn't, shouldn't and wouldn't have had access to the contents of such a database.
Hmm, actually, by that policy it would be perfectly valid to store the decryption key for the database in the database. If it was public key encrypted, you could make it 'perfectly' secure (and effectively write only).
Reality's just a bunch of bits.
Agreed. It's stupid and downright Quixotic to hang on to their passwords because of "Policy" when he knows the requestors are the legitimate owners of the equipment.
The right thing to do would have been to say "By policy, you can't have the password, but I have provided the password to N.N. as I am allowed to do that. Talk to her/him."
Tell your friends about xenu.net
I think you're 100% on the money here (pardon the pun).
The current work is to get the guy to settle or plea bargain because it's 100% certain that he will raise merry hell the moment this is over, and he has just cause. The problem is that it is critical that people in court get brought up to speed on what it takes these days to keep IT secure.
Otherwise they will get a judgement that will lengthen this agony even more.
Personally, I think they should try to settle with him, but I think that'll cost more than they have..
Mr. anonymous coward,
You don't know shit about what you're attempting to talk about....I guess that's why you posted as an AC.
This devolved into a pissing match, but it doesn't change the fact that Childs was in the right.
Personally,
I'd hire Terry Childs in a second because he is clearly very good at what he does. The only thing I would change is that I would make him document his procedures. It was a failure of management that helped him to develop a NetGod complex. Did he handle his grievances correctly? No, but I doubt that there isn't an IT professional in the field that hasn't experienced heartburn at the hands of incompetent management (at least as far as their IT skills and knowledge are concerned).
To some extent, this story reminds me of the first Ghostbusters movie, when the Fed blessed with authority but cursed with ignorance demanded that the Ghostbusters shut down the spirit containment grid. They were thrown in jail until a personal conference with the mayor convinced him of that which mattered most to him; saving millions of VOTERS. That however was a comedy fiction, this is actually a little scary.
I suspect that Mr. Childs' bail is set so high because unlike most of us ordinary citizens, the city is AFRAID of him. He represents an unwelcome check on their power because beyond the normal parameters of the relationship between citizens and their government, or even workers and their employers, the machines only respect those with the expertise to utilize them properly. We've implicitly given the machines a LOT of power over us in this society, and Mr. Childs knew how to talk to the machines. He must be contained because the state cannot have citizens disgruntled with its periodic incompetence doing end runs around its bureaucracy. The amount of his bail reflects the magnitude of the threat he poses in the eyes of the city.
Personally, I think there should be a fund raised (contributions of $1, $5, $10) to bail him out; while he didn't handle his concerns properly, his real crime is embarrassing the city of San Francisco. For that, 2 years in jail is excessive especially given that if they are like any other city I've ever visited, they probably deserved it. I'd bet that there's a little bit of Terry Childs in most if not all IT professionals that take pride in their work. When he gets out, I hope he writes a book and does paid speaking engagements.
As boring as the trial may be, I'm sure his story would be a lot more interesting.
Sounds like this guy didn't document how he secured the system, then refused to show his employer how to access it again. I say screw him. You're working for the city and your employer. Their resources belong to them, including the security measures you put in place. You refuse to relinquish that access, whether the keys to the kingdom be virtual or real, then you deserve to go to jail. I hope he stays there. I have no clue why idiots like this become Slashdot Heroes.
I swear to God...I swear to God! That is NOT how you treat your human!
I know of one former job where they have no clue on the passwords used for things like databases, configuration passwords, etc. When they laid me off they didn't even ask. I guess they thought I did nothing there.
I know it won't happen soon but there will come a day when they'll wonder what those passwords are. Hell I don't even remember them, I used nice cryptic passwords for everything.
In Money We Trust
That is what Terry Childs is really "guilty" of.
In his zealous creation of unorthodox network configurations, and his hoarding of all the administrative secrets, he probably thought he was creating a uniquely secure network. He was probably proud of the way he was doing it. While his intuition to keep password distribution to a minimum was correct, he apparently failed to recognize that some redundancy was required, and some network config documentation in trusted hands other than his own, in order to protect the network from "run over by bus" scenarios.
Other aspects of what the affidavit against him charges, such as connection of "unauthorized" devices, are spurious accusations, because Childs probably believed, and quite possibly with justification given his "total responsibility for that network's creation and operation" role, that it was within the discretion of his mandate and role to set up such access devices, if he saw fit. It sounds like no one was supervising him at all for a long time, then they came in with a whole bunch of regs & requirements after the fact which he was retroactively violating.
No. The real issue here is that poor mister Childs, and, it seems, his direct supervisors, were all guilty of a lack of the basic social skills that would have allowed each other to understand what the basis of each others' position on various issues was, and to come to some amicable agreement on those issues. Childs was clearly very senior, and had been given carte blanche authority in his domain. This led him to some excessive perceptions of his "rightful powers" and to his somewhat distorted sense of complete justification for retaining sole custody of the vital secrets of the network.
With better social skills, he would have understood why the organization wanted a more institutionalized, standard procedure based, and redundant way of operating the vital network, and he would have made concessions in this regard while still maintaining a high level of operational security and technical integrity.
With better social skills, his management should have had no real problem in convincing Childs of the reasonableness of some aspects of their requests. It seems as if it was all escalated to "conflict level" almost immediately, and that the organization's management, as well as Childs, each became rapidly paranoid about the others' motives.
I place most of the blame for the way it worked out on those managing Childs. They let the situation get out of hand, allowing non-documentation and informal operation for a long time, and allowing a non-team-based, non-redundant approach to the operation of the network. And they were unable to effectively use management and leadership skills to get the changes they needed from their senior technical employee, or failing that, to put in another senior technical person to whom Childs was ordered to train on the full operation of the network. Rather than saying "we're ordering you to hand over the loot", a competent management could have convinced him of the obvious benefits of becoming more methodical and implementing redundancy of critical operational knowledge. They could have made a rational argument about some of the specific ways in which redundancy needed to be added, and specific ways that security needed to be improved on the network. And if they were properly skilled, they could even have done that in a way that did not damage and threaten his fragile ego. They could have made it seem to him like it was his great idea.
This is all just a huge misunderstanding, and a situation that management let get out of control from the get-go of that network's creation. It does not justify the criminal scapegoating that has occurred.
Where are we going and why are we in a handbasket?
Childs did not hold anyone or anything hostage. He was just following the information security policy. The network never went down and no damage was done because he tuned the system to operate flawlessly even when he was unavailable to manage it.
Childs is a contractor, not a civil servant, so the union has no role in having him re-instated. But once he is a free man, you can bet there will be many job offers from all over the place. If I had any power to hire IT staff, I'd be calling him the day after he is acquitted.
Childs not mentioning it in a meeting or conference call, where it might be overheard, is appropriate under the latter policy, but inappropriate given a failure to have initially shared it with the designated central security authority.
I'm not sure what you're trying to say here. "If he failed to have it stored in a central security authority, he should completely ignore all the other policy requirements?". That doesn't make a whole lot of sense to me.
As a completely subjective point of view, judging from the general incompetence, I wouldn't be at all surprised if a 'security administered global password management database' did not exist. In which case, he wouldn't have been able to place his password there.
Which, basically, says "follow this inter-county planning document":
Actually, I don't read the document entitled "COIT Security Policy" as saying that as all.
The document section is badly titled. If you read it carefully the heading "COIT Security Policy" should really be read "COIT Plan for Drafting New Security Policies". In fact, the whole thing is dreadfully written; I'd give it a "C" in High School English at best. For example under "Policy" it states "Recommends an initial policy to address the following:" which you would expect to be followed by a litany of concerns the policy must address. In fact, what the following points address is the steps recommended to arrive at a future policy, steps which by the way don't involve any kind of threat analysis or examination of legal responsibilities, or any other clarification of the goals the procedure outlined is supposed to pursue.
Here is the relevant quote, under the heading "Recommends an initial policy to address the following:"
COIT will initially adopt the California Counties Information Services Directors Association (CCISDA) “Best Policies for the Countywide Information Security Program” Framework (pdf) as a starting point and initial reference for CCSF Security Policies.
[emphasis mine]
Note it does NOT say "COIT hereby adopts CCISDA's BPCISP with all instances of 'County' replaced by 'City'." As best as I can make out this compositional abortion, it says that COIT will adopt BPCISP as a starting point for drafting its own future regulations.
In any case this document does not seem to say anything about what the current security policies are.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.