Terry Childs's Slow Road To Justice

snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"

Men like these...

[jdpars]

Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.

Re:Men like these...

[jdpars]

Something tells me that at the very heart of this entire matter is someone's porn stash hidden on a city computer. Probably the mayor's.

Re:Men like these...

[JWSmythe]

    The difference in your car analogy is that the Hummer doesn't belong to you. It's more like leaving the vehicle with a valet. When you go to pick up the vehicle, the valet refuses because he doesn't think you can handle driving it.

    It was the cities network, not his personal playtoy, regardless of how he felt about it.

    I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group. When they laid me off, I was locked out of everything, according to my own plan. The plan stated that if any admin with substantial rights were to leave the company, all keys and passwords must be changed immediately, preferably between the time they were brought into the office to told they were gone, and the time they walked out.

    Despite the fact that I was there for 8 years, and despite the fact that I felt all the servers were my electronic children, the moment I was laid off was the moment that it was no longer mine to say anything about. I was only a caretaker on behalf of the owners. If/when they choose that I am no longer the caretaker, I have no control nor responsibility to that network.

    Another company I worked for improperly terminated me. The moment I was told to "fuck off" was the moment that I had no responsibility to anything they owned. I was contacted later by someone for assistance on a project I worked on. The guy contacting me was a nice guy, and he wasn't asking for much. My responses were.

    1) I don't work there any more. Go away.
    2) They fired me, and I wouldn't help them with anything. Go away.
    3) You're a good guy, here's the answer.

    Those answers were in sequence in one email. He admitted that he expected the first two answers, but was pleased to get the third. They could have gotten another developer in there to figure out what I did. It really wasn't hard, and a good developer could have done it in about 10 minutes. It's not advantageous for anyone to burn bridges. My contacts there may land me my dream job sometime in the future. Terry Childs will have an awful hard time convincing anyone that he isn't a threat to the continuity of their projects.

Re:Men like these...

It was the cities network, not his personal playtoy, regardless of how he felt about it.

True.

I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group.

Actually, the city had a policy that employees were NOT to give passwords to their immediate bosses, regardless of what the boss said. Passwords were only supposed to be given to explicitly authorized people, and Childs' superior asking for Childs' passwords was not one of those explicitly authorized people.

Re:Men like these...

[Critical+Facilities]

It's not like he had an obligation to ever divulge passwords

[disclaimer] I'll admit, I'm picking on you because yours if the first post I found relating this point (many others seem to hold this same idea).

Why is it that everyone seems to think that Mr. Childs had no obligation to provide these passwords to anyone? According to this timeline, he had not been fired when the demand for passwords was made, rather he was employed, asked for the passwords, and he refused which resulted in his suspension. Some others have gone on to claim that the terms of Mr. Childs' contract stated that he was only required to provide the passwords to the mayor. I have yet to find a copy of Mr. Childs' contract stating this fact, and it seems fairly incredulous that this would be the case (I am not claiming this as fact, merely pointing out that other assertions to this end have thus far failed to point to any documentation).

I fail to see how this man didn't create this whole situation for himself. His egocentric and territorial nature clearly affected his ability to perform his job in the sense that he had deluded himself into a position of ownership in which he believed that he could determine who he answered to. If someone can point us to credible proof that there was specific, written language which allowed Mr. Childs to withhold this information from his superiors (save the mayor), perhaps this would clear up some controversy. Perhaps I fail at 'googling', but I've not been able to come up with it yet.

Re:Men like these...

[dekemoose]

I see no reason why Childs shouldn't have surrendered his passwords when they were asked for, if he was a decent admin (as opposed to a technically skilled man-child) he would have had these documented somewhere for management. But I can't seriously see how all this should have resulted in criminal charges, let alone his incarceration for 2 years on $5 million bail. The whole things seems like a gross over reaction to a situation that was poorly handled. If this were involving a private company as opposed to a government I question whether police would have ever gotten involved in the matter. I don't generally jump to these types of conclusions but this stinks of abuse of power to me.

Re:Men like these...

[haruharaharu]

Well, surrendering a master password to persons unknown on a conference call isn't what I'd call responsible.

Re:Men like these...

[Critical+Facilities]

Well, surrendering a master password to persons unknown on a conference call isn't what I'd call responsible.

Nice try. While there were people on a conference call in the room, that's not the whole story. An excerpt from this article clearly states:

That afternoon Childs "unwittingly" found himself in a surprise meeting in the city's Hall of Justice, where he maintained network facilities. At the meeting were his boss, DTIC Chief Operations Officer Richard Robinson, San Francisco Police Department CIO Greg Yee and human resources representative Vitus Leung. On the phone were engineers, listening in to confirm whether the passwords he gave were correct.

I think his boss and the COO were quite qualified to meet the "need to know" requirement.

Re:Men like these...

[IICV]

I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group. When they laid me off, I was locked out of everything, according to my own plan. The plan stated that if any admin with substantial rights were to leave the company, all keys and passwords must be changed immediately, preferably between the time they were brought into the office to told they were gone, and the time they walked out.

So you mean that someone who wasn't authorized to have the passwords didn't ask you to hand them over while on a speakerphone conversation with an unknown number of potentially unauthorized people on the other end? All totally in contravention of your password policy? Because that's what happened to Terry Childs.

Re:Men like these...

[natehoy]

When the COO, your direct boss, and a rep from Human Resources are there

Right in the middle of the "don't" list in the City's policy (which is freely available on the web) was "DO NOT DISCLOSE PASSWORDS TO YOUR BOSS".

So, right there, he cannot disclose it and uphold the policy that he was told to uphold.

According to 4 articles I've read on the subject, he was invited to this "surprise" meeting and there was an active speakerphone with people on the other end.

Right at the top of the "don't" list was "DO NOT DISCLOSE PASSWORDS OVER THE TELEPHONE"

Again, we have a case where he could not disclose the passwords without violating policy.

I agree that he was probably in violation of the "keep your passwords in the global database" policy, and there should certainly be some ramifications for that if true.

But not disclosing the core passwords at that meeting was not an act of defiance or arrogance, although that may have been the basis for the act. Whether wittingly or unwittingly, he was acting precisely in accordance with the policy he was hired to uphold.

I'm not saying he invoked that policy out of a deep sense of honor, it was probably out of a sense of preservation.

That policy is there specifically in many companies to keep managers from doing things that their employees can be blamed for. If Childs had given up the passwords in a meeting to undisclosed recipients, any one of them could have damaged the system, and he could be blamed for it.

My boss and I get along really well. However, if my boss called me in to his office and told me to tell him my password, my answer would be "no". If he wants access to my user profile, he can go through Security and have the password changed, at which point there is a log entry that he requested that it be changed, and I lose access to my profile.

Then, if something is done using my profile, there is a security record that I was not in control of that profile at that time.

I'm not saying Childs acted in exceptionally good faith, but "I don't think you're cleared for that" is a proper response if people who are not cleared for that are present, or if strangers are listening in and you don't even know who they are.

I'd log in...

I'd log in to post a comment, but Terry Childs won't tell me my password...

Will ciso befored to let take the test with out ha

[Joe+The+Dragon]

Will ciso before to let take the reup test with out having to do full lab test and is he able to get IT books / tests in jail?

Sure they could have been readily used.

[mysidia]

'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I

Don't use a non-specified IP address.

Or more specifically: graph a console cable, plug it into the device, and do what you need to do.

That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.

In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent convert abuse of accidentally leaked passwords.

No one password should ever give anyone free reign over a critical network, without at least also having physical access or passing through a designated management point.

Re:Sure they could have been readily used.

[phantomfive]

When he gave the passwords to the mayor, the mayor came with no one but his press secretary. There was no technical person to ask questions, so it is not completely surprising that they didn't get it figured out the first try (even if a reasonably competent person could have figured it out, apparently there were not many of them left in the department). The important thing is when they came back with followup questions, Childs did help them out.

Here is my question: is the entire city run this badly, or is it just the IT department?

Re:Sure they could have been readily used.

Incompetent? No, you misunderstand. They're very competent. At keeping their jobs and getting reelected that is, of course. You seem to assume that they want the truth or justice or something else. That's silly talk.

Had he gone in wanting to get the passwords then the city may have come out as idiots for putting Childs in jail in the first place. The goal is to make Childs look as bad as possible, innocent or guilty doesn't matter as long as the politicians don't look bad for being idiots for starting this whole mess.

Re:Sure they could have been readily used.

[0WaitState]

Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

But, the prosecutor who slapped five million dollars bail on Terry Childs needs to be taken down, have his political career ended over this. The judge who approved the bail (different from the judge presiding over the trial) also has some explaining to do. ITS COMPUTERZ AND SCARY AND DIFFERENT AND I DONT UNDERSTAAAAAND is not sufficient reason to take away 2 years of a man's life, no matter how big an aspie asshole he might be.

Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.

Re:Sure they could have been readily used.

[sjames]

In the case of a sweet target like a government network, it would be negligent to let anyone anywhere connect to try a few passwords. Sometimes it's best to restrict enable mode to serial console.

Re:Sure they could have been readily used.

[Fluffeh]

Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.

The thing that worries me the most is that if you are the defense, and you see a juror who is clearly totally non technical and "ITS COMPUTERZ AND SCARY", you kick them from the jury list. While if a juror is tech savvy, the prosecutor will kick them as you will no doubt side with the technical guy who was doing his sysadmin job.

I really wonder who that leaves to be on the jury for this. What is the jury comprised of? To really be a good juror on this, you should have at least some understanding of things technical, yet be impartial enough to be able to make the correct call on the legality of it.

Just who fits into that bucket? I can't think of anyone I know. Either all techies to the bone, or so nontechnical that I could not fathom how on earth they could hold this man's freedom in their hands without buckling.

Re:Sure they could have been readily used.

[mysidia]

He might have foregone AAA on some critical devices, since he was not distributing access to many people but keeping it solely to himself... or (rather) since he [was] the only person who had all the keys. The prosecution's theory would kind of fall apart, if he was using AAA on the network, and admins' could add additional router admins at any time...

Reportedly an initial issue was childs' use of no service password-recovery. As a security compromise to his preference of leaving startup config blank on certain devices, for security reasons.

If they had suspected he did this on the core routers, then there's no way they could risk rebooting them, without a lot of acceptable downtime and one hell of a disaster recovery plan...

However, that was likely a one-sided few favoring the prosecution. If Childs' in fact did not do that (and never said he did) remove startup configs or 'no service password-recovery' on physically secured core equipment, then their fears are not his fault..

Childs may have only told them what he was able to think about to mention.. kind of tough to fill someone in when you don't know what exactly they don't know, what they need to know, etc, etc, and they are impatient / arrogant (as many manager types can act, esp. when they think they are not getting what they want).

Also, you can't exactly search through your own notes, and write usable notes with access details intended for someone else, while sitting in a jail cell.

In other words, by overreacting, grabbing him, and throwing him in jail, they probably made it more difficult, or even impossible for him to provide the very type of information they were wanting....

Re:Sure they could have been readily used.

[tsm_sf]

Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

The openness of the corruption in San Francisco is breathtaking. It's like you're in a noir movie. The mayors are all stock characters from central casting, the police department is on the take, the department of public transportation has a running scam going with the largest towing company, and there's a water scandal (google Raker Act) right out of Chinatown. All that's missing is a shifty little midget trying to slit your nose.

Hang on, someone's at the door.

Re:Sure they could have been readily used.

[Man+On+Pink+Corner]

Maybe they can get the people from Youtube that are in charge of overlapping volume controls and 360p-480p selectors. That might be a good middle ground between technically-literate jurors and barking morons.

The Mayor's Testimony

[zippthorne]

I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.

Re:The Mayor's Testimony

[l0ungeb0y]

Newsom represents the best of breed in SF liberalism. They are only for protecting rights and freedoms when it's THEIR rights and freedoms.
Since this guy is a nobody who's being showed who his daddy in by the SF government workers, it's not Gavin's concern at all.
To him, this guy deserves to rot in jail at the behest of some ticked off department head.

The sad thing is, this guy's life has been irreparably harmed by this incident, an acquittal will do nothing but put him out on the streets.
By now I'm sure he's lost his home and possessions. And the lawyer will take whatever is left in the bank.
Frankly, he'd be better off being found guilty and being handed the life sentence he apparently deserves in accordance to that $5 million in bail.

Re:The Mayor's Testimony

[0WaitState]

Realistically, Newsom wasn't involved in the debacle until they realized that the only way they were going to get the authentication credentials was to do it by the book, as Terry Childs was insisting, which meant the mayor, in person, receiving the credentials. Not over a freaking speakerphone as Childs' supervisor attempted. It's possible that Gavin Newsom appointed some of the idiot IT managers that let a single contractor have undivided ownership of the network...

And no, da mayor does not get to tell the prosecutor to drop a case. Maybe in Chicago, but not in most cities. The real question is why the prosecutor went balls-out for 5 million dollars bail. BTW, the trial judge already tossed 4 of the 5 indictments. Just arresting the guy for a few days was enough to send the message "don't be a prick".

Both sides behaved terribly

[Toonol]

Childs doesn't deserve two years in jail, and further penalties heaped upon him. There is a lot of incompetence mixed with hurt pride among the city staff, which is to be expected from any government body.

But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.

Re:Both sides behaved terribly

[FooAtWFU]

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

Re:Both sides behaved terribly

His employer was the City, which, being a government, is not a private institution but a public service. In protecting the systems from incompetent individuals, Childs is fulfilling his duty to his fellow citizens.

Such a sense of Duty is rare these days.

Re:Both sides behaved terribly

"People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"

You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.

"but let's not try to pretend that he didn't violate rules and/or laws."

He didn't. You are welcome to prove that he did, but so far you are only guess despite no evidence to support your case.

Re:Both sides behaved terribly

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

It was in his contract.

Re:Both sides behaved terribly

[Lord+Kano]

I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."

If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.

"You're fired. Give me the network passwords."
"Sorry, that is no longer my job."
"I'm calling the police."

LK

Re:Both sides behaved terribly

[Nikker]

He would have been liable if he gave it to anyone else so in this world of lawsuits he said the right answer, no. He gave them to the mayor so why didn't the proper owners come by and pick them up? Was the mayor involved in a conspiracy of some kind? You have to realize there are many contracts and legalities involved with a job like this so if he couldn't find someone that could be liable as per his contract and the mayor couldn't find anyone then who is legally responsible for them? The mayor is saying since he doesn't know how to administer the system there was nothing he could do with the passwords. This happened on July 12/08 and the mayor was given the passwords a week later. If he did just give them out and some data loss occurred he would be held liable on a federal level. So what would you do in that situation?

Re:Both sides behaved terribly

[sjames]

He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.

If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.

Re:Both sides behaved terribly

[dbIII]

That's exactly it - the people that asked were not in the chain of command and there were a lot of other witnesses from outside of the organisation in the stupid "ambush" meeting he was dragged into. In a previous article here someone quoted some of the rules for that workplace, one of which was not revealing the information to outsiders. It's beginning to look like a nasty trick to back him into a corner so that any response or even lack of response would have got him into trouble.
I'm still curious about the events leading up to this such as the other dismissals and the odd snooping around. It really looks like office politics and cleaning out the workplace to replace with cronies and putting an awkward obstacle in jail.
From looking at what's been released so far I can't see where he violated either the law or their rules.

Re:Both sides behaved terribly

[eosp]

Context: the first time they asked was also over speakerphone.

Epic win: he also put the passwords in public court records, so the new IT staff had to scramble.

Re:Both sides behaved terribly

[denobug]

But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.

I beg to disagree. As an engineer public safety is top of our concerns and it is part of the ethics I abide by everyday. A safety concern overrides everything else, until the concerns has been addressed. I still remember I had a discussion with my boss basically he went "I won't stop you from doing anything unless it is unsafe or you are about to make a major mistake", and my reply was simply "I won't follow your order if I know in full will that it will creat an unsafe environment." He agreed with me that that is what I get paid to do, to do things right and make sure no one gets hurt.

I see Mr Childs did just that. Properly secure the network and only give the password to somone who can truely be trusted, when he knows in full will that his immediate supervisor and related management team has no clue and unqualified to make technical decision and is about to creat a major security vulnerability over major accounting information that should have been kept under guards! In a sense he IS protecting public safety and therefore should not, and truely cannot be tried to keep public safe and secure. Too bad that the jury probably won't truely understand it and Child will most likely be sentenced for a very long time with the keys thrown into the pacific ocean.

How ironic that this happens to the most liberal city of United States and is the hometown of our Speaker of the House, Nancy Peloci. I don't see her standing out to protect the weak who are truely in need in this incident.

Re:Both sides behaved terribly

[denobug]

When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)

If they have fired him first then ask him, that is no longer insubordination. At that point all he had to follow was the simple ethic rules govern the work of a professionals. At no point he is liable to give the password to people who he know will not put it to good use and worse possibly exposing records that were suppose to be kept secure. All I see was they are trying to get him one way or another. If the jury do not give him a not guilty verdit (after being in jain for more than 2 years) I hope the governor of California does. If not I certainly hope Obama will help the "weak in need" in this situation. Child do not deserve to be jailed for what he did. He may be a pain of you know what but he certainly is getting things done the correct way.

Speak of Obama. No one in the military should allow him to fly an F-22 solo (I'm pretty sure he does not have the necessary military training to operate such advanced plane that costs billions of dollars), even if him or Rhom demanded someone to let him fly. Should a colonel (or even a captain) denied Obama access to the cockpit they should not be jailed 2 years and then tried for that. They followed the rules and did their job. Simple as that. It would be endangering public safety to allow him to fly one, not to mention the extensive tax payer dollar that are at risk of being wasted unnecessarily.

Re:Both sides behaved terribly

[tnk1]

If you applied the same reason to people cleaning up after poor police work, the word is vigilantism.

If you put the decisions about how things operate in the hands of government employees who become unaccountable to their bosses, ultimately that breaks the chain of responsibility back to the elected leaders. Mr. Childs may well have the best interests of the city in mind, but we've elected representatives to do that. If a legally constituted authority wants access to the city's servers, he should at the very least pretend to have forgotten them, as opposed to turning it into (almost literally) a federal case. If he wanted the mayor to know about the problems, for gods-sake, write a damn letter.

He should *not* be in jail, but that is merely because he should have no responsibility after his employment ended. That doesn't make him some sort of hero for turning this into some sort of revolution against the city IT department. I can't think of how that would be worth jail time to anyone sane.

Re:Both sides behaved terribly

It was more like:

"Give me the network passwords"
"No, you are not the Mayor" ...
"You're fired. Give me the network passwords."
"Sorry, that is no longer my job."
"I'm calling the police."

Re:Both sides behaved terribly

[serviscope_minor]

And since it was not his job, he should be expected to grant access to anyone he could be reasonably certain was a city official.

Thechically, what you're doing there is making stuff up. Not only that, but idiotic stuff.

Re:Both sides behaved terribly

[Culture20]

I'm just pointing out his moral responsibility. He should allow access to the network to its rightful owners in a manner that doesn't put it at risk from those without the right to access it.

Then he should wait until they hire someone to replace him and give *him* the passwords. Sysadmins keep middle-management types from getting carte blanche access for very good reasons, especially when politics are involved. We've all played D&D and read comic books; we understand the Paladin mindset.

Re:Both sides behaved terribly

[91degrees]

Why should he do that? Once he's no longer an employee the internal structure of the department is none of his concern.

Re:Both sides behaved terribly

[natehoy]

Yes, it is.

Sorry, but even though he is not employed there, he still has access to sensitive information. I'm sure he was under several covenants signed as a condition of employment and continuing for some period after employment.

Otherwise, he could literally go to the Chinese, passwords in hand, and sell that information to them .0000000001 seconds after calling his boss and saying "I quit!"

I know most jobs I've worked have confidentiality agreements that require that I keep company information confidential even after my employment is terminated (for any cause), and I can be sued if I violated those covenants.

Once he was no longer a part of the infrastructure, his only known authentication of someone who can get the information is an elected official. The Mayor could have directed him to give the information to a designee, but the Mayor decided to get the information personally. Unfortunately, the people the Mayor brought in didn't actually know how to use the passwords, but Childs disclosed what he was asked to disclose to the only person he clearly knew retained authorization to it.

I can't personally think of another way he could have ethically fulfilled his responsibility to the city while following the procedures (which you can find on the Web, by the way) he was required to follow.

Re:Both sides behaved terribly

[natehoy]

On the other hand, there's no reason that he couldn't have remembered them and just given them up.

But there are. If you look on the city's IT site, you will find the IT policy. Around page 23, IIRC, you'll see the rules under which you can divulge passwords. There are three specific rules that are important:

1. Don't do it over the telephone.
2. Don't ever tell your boss any password.
3. Don't ever divulge any password in the presence of anyone unknown to you.

They dragged him in a meeting room at the police station where he was doing some wiring work, filled the room with people he didn't know, initiated a conference call over a speakerphone, told him he was being transferred, and asked him to recite the passwords.

Umm, what did he do wrong by saying "NO"? He was, at that time, still an employee. He was bound by policy not to divulge the information under those circumstances.

Then he was fired.

At that point, he had no obligation to give the passwords up any more, and was probably bound by a nondisclosure agreement that would be violated if he HAD given them up. So his logical course would then be to go home and do his best to forget the passwords. His employer shitcanned him because he tried to follow their rules and they didn't like it.

There is no rule in the City IT policy that says you need to give up a password when asked. However, there was one that any "system" passwords (as opposed to "user" passwords) needed to be in a central secure database, and it's up for discussion as to whether he did in fact violate that policy. If he did, then there was an obligation to disclose it, but then the question becomes, to whom?

He offered to divulge the passwords to the only person he KNEW was authorized to receive them - an elected official. The Mayor agreed to accept the passwords, and he gave them up. They Mayor, as an elected official, is then authorized to hand the passwords off to anyone else he chooses.

Then the passwords didn't work because the people the Mayor gave them to apparently didn't understand how the network was configured.

If the City is still unable to access the network, they need to acknowledge that Childs was following THEIR rules when he refused to cooperate, apologize, release him with back pay, and ask nicely for him to come back for a short-term consulting gig so he can teach his successor how to run the network. At which point, the successor changes all the passwords, Childs loses all access to the network, and gets a nice letter of recommendation stating that his ethical standards at protecting information he is charged with protecting are so high that he's willing to go to jail rather than violate them.

$5 million bail

How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

Re:$5 million bail

How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

that would be about 2 illegal song uploads or 23 killings.

If he found not guilty is he still a city worker?

[Joe+The+Dragon]

If he found not guilty is he still a city worker? as I think union just don't let city fire some one like that and was he even fired?

Anyways he should get city payed health care (Full with no pre existing at the full cost that this) 2 years in jail = any pre existing that some one can think of.

His job back if he wants it or his full pay for 2 years in jail + 500K per year in jail.

Full unemployment if he can't get his job back.

Any one planing to give him job after this?

[Joe+The+Dragon]

As many HR people not look pass the 2 years in jail even if he is not guilty and even then they may not want to pay the health care costs for some like that.

Re:Any one planing to give him job after this?

Nah, he's pretty much fucked. In an honest world he'd be rewarded for being such an upstanding citizen standing against corruption and incompetence.

In this world we've got whistleblower laws because nobody wants to hire an honest man.

Re:Any one planing to give him job after this?

[dcollins]

"As many HR people not look pass the 2 years in jail even if he is not guilty and even then they may not want to pay the health care costs for some like that."

PR like this puts him into a category beyond HR people. Speaking tours are one possibility. If he continues to work in IT, CEOs will be making cold calls to him personally.

Bitter End

[pgn674]

This for a man who 'ultimately protected the [City's] network until the bitter end.'

Obligatory: xkcd: Devotion to Duty

Linktacular

[pipingguy]

Summary needs more links that won't be read.

reading through the comments

[phantomfive]

encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes.

Actually reading through the comments on the article, it seems most of the emotion is coming from people upset at the mayor Gavin Newsom, more than they are based in any actual sympathy towards the defendant. Like this example comment FTA,

The computer hacker would have been treated with more dignity and respect if he were an undocumented alien with a murder wrap on his head. Kamala Harris would have backed him up.

It is nominally suggesting that Childs was treated badly, but in reality the commenter is more upset with the mayors immigration policies. The comments that look at Childs disfavorably also seem to be the ones that favor the mayor. In the court of public opinion, Newsom was on trial here, not Childs.

System incapable of Justice.

[Zaphod-AVA]

"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."

Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.

Re:System incapable of Justice.

[sconeu]

Don't forget the Eighth Amendment:

Amendment 8 - Cruel and Unusual Punishment. Ratified 12/15/1791.

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

Re:How about men like that dumb mayor?

[Fluffeh]

Is this the good old U. S. of A. that stands for Justice, Liberty and Truth?

I think it's been a really good while since it actually stood by that slogan. I think it's really the country that stands for what's best for it's corporations and lobby groups, where there is justice for either those with buckets of money and where the truth is whatever the winning side says at the end.

Disagreeing with the majority here...

[Kozar_The_Malignant]

I have said this before here, and will say it again now. I believe Childs is in the wrong and has behaved badly. He seems to have a martyr complex and doesn't seem to remember who actually owns the network. I would never hire this guy to manage my network; and yes, I do have a network I hire people to manage. His actions show me he cannot be trusted. He is not Horatio at the Bridge; he is a complete asshat. For the record, I do live and work in the Bay Area, and I also believe Gavin Newsom is a complete asshat.

Re:Disagreeing with the majority here...

[eosp]

• He gave the password to the only person allowed by his contract, the mayor.
• He did not give the password over the speakerphone to a room full of other people, including quite possibly some people to whom he was not allowed to give the password. This was the incident that got him arrested.
• A supervisor should have had the password all along. If he was innocently hit by a bus, then the city's network would really be hurting. IT people need to learn that refusal to document does not make job security.
• All people involved are asshats.

Re:Disagreeing with the majority here...

[Sycraft-fu]

Well two things here:

1) You sure about his contract? I see that getting paraded around a lot but I've not seen what the actual contract says. You sure it said "Only the mayor,"? Perhaps it said "The mayor, or any of his authorized agents," meaning things like the director of IT and so on.

2) The only reason it ever got to the point of the conference call and all that was his flat out refusal to hand over the passwords. He did the typical geek thing of "No, you can't have it," and they did the typical government thing of throwing a fit. If his concern was really his contract he could have simply said "Well according to my understanding of my contract, I'm not allowed to give the passwords to anyone but the mayor. So I either need to talk to the mayor and have him ask, or if you think that's wrong I need to talk to our lawyers and see what they say." Let people know your concern and what to do about it, they will probably be reasonable in working with you. Just say "No," without qualification, don't be surprised if they go overboard.

In general geek types need to learn this. Don't tell people "No," don't say "I can't be done," because usually you are lying, even if you don't mean to. Most things are possible, there are just preconditions to be met. So tell people what those are. If they can't meet them, well then they can't have it. However it makes you not the bad guy. It really goes a long way with people's attitudes too. They don't feel like they are being shut down, they are being empowered. They are being told what THEY have to do to get something done.

This goes for all kinds of requests. For example:

--Self important asshat departmental manager comes and says "I need 50 terabytes of space on the central server to store files." Company policy is that everyone gets 100GB for no charge. Don't go "No, you can't have that much space." Instead say "Well the company only gives you 100GB for no charge. If you want more, we can certainly do that buy we'll have to add hardware. That is going to cost $X dollars, which you'll need to provide the budget for. You get me the money, I'll get you the space." Now most likely he goes away since he doesn't have the money to spend. However you aren't the bad guy, you offered to help, he couldn't get what he needed. Also you never know, maybe he say "No problem, I'll have the money transferred to your group today."

--Mid-level manager demands administrative access to his PC. He doesn't have a reason, just says "I need it, you have to give it to me." Company policy is that nobody gets access. Again, don't say no. Instead say "Well company policy is that nobody has administrative access. If you'd like it, you'll need to get a policy exception. Here's a form you can take to the big boss to get one." You have him get permission, and sign something that says he takes responsibility for his actions. Again, you are throwing the ball in his court. He has to go ask for permission and if he gets it he has to be responsible. Maybe the big boss never gives permission, that's not your problem, you aren't the bad guy.

In general, that's how you want to operate. Let people know what they need to do to get what they want, even if what they need to do is something you know they won't do. It will keep them much happier over all, and help insulate you against complaints. If someone goes to your boss or boss's boss and bitches that you said no, you can show that indeed you didn't, you told them what they needed to do. You didn't stop them from doing their job, you showed them what they needed to do to be able to do their job.

Re:Disagreeing with the majority here...

[pnutjam]

Hey, don't go getting rational on us!

Re:How about men like that dumb mayor?

[deniable]

The idiot wasn't the mayor, but someone in middle management. The mayor was brought in as an appropriate person to receive the passwords because the idiot that originally demanded them wasn't actually covered by the security policies.

Re:Overstepped bounds

[Moryath]

In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.

Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

Re:How about men like that dumb mayor?

[meerling]

So in other words, that phrase is just standard marketing schlock?

Re:Will ciso befored to let take the test with out

[deniable]

It looked like a memo from management to me. Very senior management.

Competence

[not_hylas(+)]

Criminalization of competence. non story.
But seriously, see how things are taking shape?
I don't get it - with a bullet. This guy behaves appropriately and ends up in jail?

At some point you realize that it isn't incompetence. It's their goal.

Communication is only possible between equals.

You can't herd Cats ... but you can move their food.

Re:How about men like that dumb mayor?

[MrNaz]

So you're saying it's time for a new national byline eh.

"Arbitrariness, Security and Hidden Agendas"
No, doesn't flow off the tongue right.

"Commercialized warfare, industrial subjugation and for-profit courts"
No, that's too wordy...

"Injustice, slavery and lies"
Hmm... I think we have a winner!

Re:Overstepped bounds

[georgewilliamherbert]

Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

This is rapidly becoming myth rather than fact-based.

The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853

The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251

Which, basically, says "follow this inter-county planning document":
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

The password policy in CCISDA states:

(pp 32 of the document)

4. Policy
4.1. General
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis.
All production system-level passwords must be part of the security administered global password management database.

(removed)

B. Password Protection Standards
Do not use the same password for County accounts as for other non-County access (e.g., personal Internet Service Provider (ISP) account, option trading, benefits, etc.). Where possible, don’t use the same password for various County access needs. For example, select one password for the network systems and a separate password for application systems. Also, select a separate password to be used for a NT account and an AS400 or UNIX account.
Do not share County passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid:
Giving your password over the phone to ANYONE.
Sending a password in an e-mail message.
Telling your boss your password .
Talking about a password in front of others.
Hinting at the format of a password (e.g., “my family name”).
Writing in your password on questionnaires or security forms.
Sharing your password with family members.
Telling your co-workers your passwordwhile on vacation.
If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.
Never use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
If you must your passwords down, store them is a secure place and never anywhere in your office.
Passwords stored in a file on ANY computer system (including Palm Pilots or similar devices) can be compromised if encryption isn’t used to secure them.
Change passwords at least once every three months (except system-level passwords, which must be changed monthly). Changing them more often is better.
If you suspect that your account or password is compromised, report the incident per the Incident Response Policy and change all passwords.
Password strength checking may be performed on a periodic or random basis by departmental or county IT or its delegates. Any passwords found out during one of these scans will require the user to change it.

Though the "Do not tell anyone your password" sect

Re:Overstepped bounds

[georgewilliamherbert]

I've never found any press source with a contract quote that said that, or any filing in court.

If you have the source, post a reference, or at least the text of the contract.

As I said above - coverage of this case is largely myth-based. Bring actual facts - they work better.

The city is in it deep now.

[seeker_1us]

It's all pretty much making sense to me. The arrest, the insane bail.

It sounds to me that they screwed up badly.

So they keep trying to intimidate this guy. Keep him in jail for years without a trial, make him plea bargain out.

But he won't blink. And if he is found innocent, he has a hell of a lawsuit.

Re:The city is in it deep now.

[haruharaharu]

Try malicious prosecution. The bail is out of all proportion to his alleged offense, and they paraded him in the media as a dangerous threat - might make it hard to maintain his life or get another job. I know I don't have $500k to throw away on bail. If he can show that the prosecution did this primarily for political reasons, he might manage a hefty award.

Re:Overstepped bounds

[Yaur]

I have no idea what the policy was at the time... but I'm not sure what relevance policy 2 years after the fact is to the case. If there was indeed a policy in place that said he could only turn the keys over to the Mayor at the time I'm sure they would have fixed it in response to this incident.

As an aside I will mention that I left a previous job amidst huge layoffs and refused to give passwords to anyone but the CEO (it was a little company) because I had no guarantee that any other individual or was the new "keeper of the passwords" and certainly couldn't take someones word for it. Granted, other people had the passwords but we were all in the same boat. My point here is that there are cases where this approach is the only one that makes sense, though I don't know enough of the details here to know to what degree that was true for Childs.

Re:what an idiot

[Xemu]

Agreed. It's stupid and downright Quixotic to hang on to their passwords because of "Policy" when he knows the requestors are the legitimate owners of the equipment.

The right thing to do would have been to say "By policy, you can't have the password, but I have provided the password to N.N. as I am allowed to do that. Talk to her/him."

Re:Appalling lack of social skills

[haruharaharu]

Yes, he could have handled it better. But I'm not at all certain I would have.

The source of my outrage is that Childs is on $5MM bail for essentially being a jerk. Really, in what world is that ok?