Slashdot Mirror


Terry Childs's Slow Road To Justice

snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"

32 of 253 comments

  1. Men like these... by jdpars · · Score: 5, Funny

    Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.

    1. Re:Men like these... by jdpars · · Score: 4, Funny

      Something tells me that at the very heart of this entire matter is someone's porn stash hidden on a city computer. Probably the mayor's.

    2. Re:Men like these... by natehoy · · Score: 4, Insightful

      When the COO, your direct boss, and a rep from Human Resources are there

      Right in the middle of the "don't" list in the City's policy (which is freely available on the web) was "DO NOT DISCLOSE PASSWORDS TO YOUR BOSS".

      So, right there, he cannot disclose it and uphold the policy that he was told to uphold.

      According to 4 articles I've read on the subject, he was invited to this "surprise" meeting and there was an active speakerphone with people on the other end.

      Right at the top of the "don't" list was "DO NOT DISCLOSE PASSWORDS OVER THE TELEPHONE"

      Again, we have a case where he could not disclose the passwords without violating policy.

      I agree that he was probably in violation of the "keep your passwords in the global database" policy, and there should certainly be some ramifications for that if true.

      But not disclosing the core passwords at that meeting was not an act of defiance or arrogance, although that may have been the basis for the act. Whether wittingly or unwittingly, he was acting precisely in accordance with the policy he was hired to uphold.

      I'm not saying he invoked that policy out of a deep sense of honor, it was probably out of a sense of preservation.

      That policy is there specifically in many companies to keep managers from doing things that their employees can be blamed for. If Childs had given up the passwords in a meeting to undisclosed recipients, any one of them could have damaged the system, and he could be blamed for it.

      My boss and I get along really well. However, if my boss called me in to his office and told me to tell him my password, my answer would be "no". If he wants access to my user profile, he can go through Security and have the password changed, at which point there is a log entry that he requested that it be changed, and I lose access to my profile.

      Then, if something is done using my profile, there is a security record that I was not in control of that profile at that time.

      I'm not saying Childs acted in exceptionally good faith, but "I don't think you're cleared for that" is a proper response if people who are not cleared for that are present, or if strangers are listening in and you don't even know who they are.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  2. Sure they could have been readily used. by mysidia · · Score: 5, Informative

    'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I

    Don't use a non-specified IP address.

    Or more specifically: grab a console cable, plug it into the device, and do what you need to do.

    That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.

    In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.

    No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.

    1. Re:Sure they could have been readily used. by phantomfive · · Score: 4, Insightful

      When he gave the passwords to the mayor, the mayor came with no one but his press secretary. There was no technical person to ask questions, so it is not completely surprising that they didn't get it figured out the first try (even if a reasonably competent person could have figured it out, apparently there were not many of them left in the department). The important thing is when they came back with followup questions, Childs did help them out.

      Here is my question: is the entire city run this badly, or is it just the IT department?

      --
      Qxe4
    2. Re:Sure they could have been readily used. by 0WaitState · · Score: 5, Insightful

      Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

      But, the prosecutor who slapped five million dollars bail on Terry Childs needs to be taken down, have his political career ended over this. The judge who approved the bail (different from the judge presiding over the trial) also has some explaining to do. ITS COMPUTERZ AND SCARY AND DIFFERENT AND I DONT UNDERSTAAAAAND is not sufficient reason to take away 2 years of a man's life, no matter how big an aspie asshole he might be.

      Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.

      --

      Remain calm! All is well!
    3. Re:Sure they could have been readily used. by tsm_sf · · Score: 4, Insightful

      Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

      The openness of the corruption in San Francisco is breathtaking. It's like you're in a noir movie. The mayors are all stock characters from central casting, the police department is on the take, the department of public transportation has a running scam going with the largest towing company, and there's a water scandal (google Raker Act) right out of Chinatown. All that's missing is a shifty little midget trying to slit your nose.

      Hang on, someone's at the door.

      --
      Literalism isn't a form of humor, it's you being irritating.
  3. The Mayor's Testimony by zippthorne · · Score: 5, Interesting

    I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.

    --
    Can you be Even More Awesome?!
  4. $5 million bail by Anonymous Coward · · Score: 4, Insightful

    How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

    1. Re:$5 million bail by Anonymous Coward · · Score: 5, Funny

      How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

      that would be about 2 illegal song uploads or 23 killings.

  5. Re:Both sides behaved terribly by FooAtWFU · · Score: 5, Informative

    It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

    His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  6. Re:Both sides behaved terribly by Anonymous Coward · · Score: 5, Interesting

    His employer was the City, which, being a government, is not a private institution but a public service. In protecting the systems from incompetent individuals, Childs is fulfilling his duty to his fellow citizens.

    Such a sense of Duty is rare these days.

  7. Re:Any one planing to give him job after this? by Anonymous Coward · · Score: 5, Insightful

    Nah, he's pretty much fucked. In an honest world he'd be rewarded for being such an upstanding citizen standing against corruption and incompetence.

    In this world we've got whistleblower laws because nobody wants to hire an honest man.

  8. Linktacular by pipingguy · · Score: 4, Funny

    Summary needs more links that won't be read.

  9. Re:Both sides behaved terribly by Anonymous Coward · · Score: 5, Informative

    "People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"

    You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.

    "but let's not try to pretend that he didn't violate rules and/or laws."

    He didn't. You are welcome to prove that he did, but so far you are only guessing despite no evidence to support your case.

  10. Re:Both sides behaved terribly by Anonymous Coward · · Score: 5, Informative

    It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

    His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

    I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

    It was in his contract.

  11. Re:Both sides behaved terribly by Lord+Kano · · Score: 5, Informative

    I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."

    If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.

    "You're fired. Give me the network passwords."
    "Sorry, that is no longer my job."
    "I'm calling the police."

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  12. System incapable of Justice. by Zaphod-AVA · · Score: 5, Insightful

    "Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
    In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."

    Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.

    1. Re:System incapable of Justice. by sconeu · · Score: 5, Interesting

      Don't forget the Eighth Amendment:

      Amendment 8 - Cruel and Unusual Punishment. Ratified 12/15/1791.

      Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Re:Both sides behaved terribly by sjames · · Score: 5, Informative

    He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.

    If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.

  14. Re:Any one planing to give him job after this? by dcollins · · Score: 4, Insightful

    "As many HR people not look pass the 2 years in jail even if he is not guilty and even then they may not want to pay the health care costs for some like that."

    PR like this puts him into a category beyond HR people. Speaking tours are one possibility. If he continues to work in IT, CEOs will be making cold calls to him personally.

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  15. Re:How about men like that dumb mayor? by deniable · · Score: 4, Informative

    The idiot wasn't the mayor, but someone in middle management. The mayor was brought in as an appropriate person to receive the passwords because the idiot that originally demanded them wasn't actually covered by the security policies.

  16. Re:Overstepped bounds by Moryath · · Score: 4, Informative

    In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.

    Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

    He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

  17. Re:How about men like that dumb mayor? by MrNaz · · Score: 5, Insightful

    So you're saying it's time for a new national byline eh.

    "Arbitrariness, Security and Hidden Agendas"
    No, doesn't flow off the tongue right.

    "Commercialized warfare, industrial subjugation and for-profit courts"
    No, that's too wordy...

    "Injustice, slavery and lies"
    Hmm... I think we have a winner!

    --
    I hate printers.
  18. Re:Disagreeing with the majority here... by eosp · · Score: 4, Informative
    • He gave the password to the only person allowed by his contract, the mayor.
    • He did not give the password over the speakerphone to a room full of other people, including quite possibly some people to whom he was not allowed to give the password. This was the incident that got him arrested.
    • A supervisor should have had the password all along. If he was innocently hit by a bus, then the city's network would really be hurting. IT people need to learn that refusal to document does not make job security.
    • All people involved are asshats.
  19. Re:Overstepped bounds by georgewilliamherbert · · Score: 5, Informative

    Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

    He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

    This is rapidly becoming myth rather than fact-based.

    The overall policy page is:
    http://www.sfgov.org/site/coit_index.asp?id=56853

    The security policy is specifically:
    http://www.sfgov.org/site/coit_page.asp?id=79251

    Which, basically, says "follow this inter-county planning document":
    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

    The password policy in CCISDA states:

    (pp 32 of the document)

    4. Policy
    4.1. General
    All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis.
    All production system-level passwords must be part of the security administered global password management database.

    (removed)

    B. Password Protection Standards
    Do not use the same password for County accounts as for other non-County access (e.g., personal Internet Service Provider (ISP) account, option trading, benefits, etc.). Where possible, don’t use the same password for various County access needs. For example, select one password for the network systems and a separate password for application systems. Also, select a separate password to be used for a NT account and an AS400 or UNIX account.
    Do not share County passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential County information.
    Here is a list of things to avoid:
    Giving your password over the phone to ANYONE.
    Sending a password in an e-mail message.
    Telling your boss your password.
    Talking about a password in front of others.
    Hinting at the format of a password (e.g., “my family name”).
    Writing in your password on questionnaires or security forms.
    Sharing your password with family members.
    Telling your co-workers your password while on vacation.
    If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.
    Never use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
    If you must write your passwords down, store them in a secure place and never anywhere in your office.
    Passwords stored in a file on ANY computer system (including Palm Pilots or similar devices) can be compromised if encryption isn’t used to secure them.
    Change passwords at least once every three months (except system-level passwords, which must be changed monthly). Changing them more often is better.
    If you suspect that your account or password is compromised, report the incident per the Incident Response Policy and change all passwords.
    Password strength checking may be performed on a periodic or random basis by departmental or county IT or its delegates. Any passwords found out during one of these scans will require the user to change it.

    Though the "Do not tell anyone your password" sect

  20. Re:Both sides behaved terribly by denobug · · Score: 4, Insightful

    When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)

    If they fired him first and then asked him, that is no longer insubordination. At that point all he had to follow were the simple ethical rules that govern the work of a professional. At no point is he liable to give the password to people who he knows will not put it to good use and, worse, possibly expose records that were supposed to be kept secure. All I see is that they are trying to get him one way or another. If the jury does not give him a not guilty verdict (after being in jail for more than 2 years) I hope the governor of California does. If not, I certainly hope Obama will help the "weak in need" in this situation. Childs does not deserve to be jailed for what he did. He may be a pain in you know what but he certainly is getting things done the correct way.

    Speaking of Obama. No one in the military should allow him to fly an F-22 solo (I'm pretty sure he does not have the necessary military training to operate such an advanced plane that costs billions of dollars), even if he or Rhom demanded that someone let him fly. Should a colonel (or even a captain) deny Obama access to the cockpit, they should not be jailed 2 years and then tried for that. They followed the rules and did their job. Simple as that. It would be endangering public safety to allow him to fly one, not to mention the extensive taxpayer dollars that are at risk of being wasted unnecessarily.

  21. Re:Disagreeing with the majority here... by Sycraft-fu · · Score: 5, Insightful

    Well two things here:

    1) You sure about his contract? I see that getting paraded around a lot but I've not seen what the actual contract says. You sure it said "Only the mayor,"? Perhaps it said "The mayor, or any of his authorized agents," meaning things like the director of IT and so on.

    2) The only reason it ever got to the point of the conference call and all that was his flat out refusal to hand over the passwords. He did the typical geek thing of "No, you can't have it," and they did the typical government thing of throwing a fit. If his concern was really his contract he could have simply said "Well according to my understanding of my contract, I'm not allowed to give the passwords to anyone but the mayor. So I either need to talk to the mayor and have him ask, or if you think that's wrong I need to talk to our lawyers and see what they say." Let people know your concern and what to do about it, they will probably be reasonable in working with you. Just say "No," without qualification, don't be surprised if they go overboard.

    In general geek types need to learn this. Don't tell people "No," don't say "It can't be done," because usually you are lying, even if you don't mean to. Most things are possible, there are just preconditions to be met. So tell people what those are. If they can't meet them, well then they can't have it. However it makes you not the bad guy. It really goes a long way with people's attitudes too. They don't feel like they are being shut down, they are being empowered. They are being told what THEY have to do to get something done.

    This goes for all kinds of requests. For example:

    --Self important asshat departmental manager comes and says "I need 50 terabytes of space on the central server to store files." Company policy is that everyone gets 100GB for no charge. Don't go "No, you can't have that much space." Instead say "Well the company only gives you 100GB for no charge. If you want more, we can certainly do that but we'll have to add hardware. That is going to cost $X dollars, which you'll need to provide the budget for. You get me the money, I'll get you the space." Now most likely he goes away since he doesn't have the money to spend. However you aren't the bad guy, you offered to help, he couldn't get what he needed. Also you never know, maybe he says "No problem, I'll have the money transferred to your group today."

    --Mid-level manager demands administrative access to his PC. He doesn't have a reason, just says "I need it, you have to give it to me." Company policy is that nobody gets access. Again, don't say no. Instead say "Well company policy is that nobody has administrative access. If you'd like it, you'll need to get a policy exception. Here's a form you can take to the big boss to get one." You have him get permission, and sign something that says he takes responsibility for his actions. Again, you are throwing the ball in his court. He has to go ask for permission and if he gets it he has to be responsible. Maybe the big boss never gives permission, that's not your problem, you aren't the bad guy.

    In general, that's how you want to operate. Let people know what they need to do to get what they want, even if what they need to do is something you know they won't do. It will keep them much happier over all, and help insulate you against complaints. If someone goes to your boss or boss's boss and bitches that you said no, you can show that indeed you didn't, you told them what they needed to do. You didn't stop them from doing their job, you showed them what they needed to do to be able to do their job.

  22. The city is in it deep now. by seeker_1us · · Score: 4, Insightful
    It's all pretty much making sense to me. The arrest, the insane bail.

    It sounds to me that they screwed up badly.

    So they keep trying to intimidate this guy. Keep him in jail for years without a trial, make him plea bargain out.

    But he won't blink. And if he is found innocent, he has a hell of a lawsuit.

  23. Re:Overstepped bounds by Yaur · · Score: 4, Insightful

    I have no idea what the policy was at the time... but I'm not sure what relevance policy 2 years after the fact is to the case. If there was indeed a policy in place that said he could only turn the keys over to the Mayor at the time I'm sure they would have fixed it in response to this incident.

    As an aside I will mention that I left a previous job amidst huge layoffs and refused to give passwords to anyone but the CEO (it was a little company) because I had no guarantee that any other individual or was the new "keeper of the passwords" and certainly couldn't take someone's word for it. Granted, other people had the passwords but we were all in the same boat. My point here is that there are cases where this approach is the only one that makes sense, though I don't know enough of the details here to know to what degree that was true for Childs.

  24. Re:Both sides behaved terribly by Culture20 · · Score: 4, Insightful

    I'm just pointing out his moral responsibility. He should allow access to the network to its rightful owners in a manner that doesn't put it at risk from those without the right to access it.

    Then he should wait until they hire someone to replace him and give *him* the passwords. Sysadmins keep middle-management types from getting carte blanche access for very good reasons, especially when politics are involved. We've all played D&D and read comic books; we understand the Paladin mindset.

  25. Re:Both sides behaved terribly by natehoy · · Score: 4, Informative

    On the other hand, there's no reason that he couldn't have remembered them and just given them up.

    But there are. If you look on the city's IT site, you will find the IT policy. Around page 23, IIRC, you'll see the rules under which you can divulge passwords. There are three specific rules that are important:

    1. Don't do it over the telephone.
    2. Don't ever tell your boss any password.
    3. Don't ever divulge any password in the presence of anyone unknown to you.

    They dragged him in a meeting room at the police station where he was doing some wiring work, filled the room with people he didn't know, initiated a conference call over a speakerphone, told him he was being transferred, and asked him to recite the passwords.

    Umm, what did he do wrong by saying "NO"? He was, at that time, still an employee. He was bound by policy not to divulge the information under those circumstances.

    Then he was fired.

    At that point, he had no obligation to give the passwords up any more, and was probably bound by a nondisclosure agreement that would be violated if he HAD given them up. So his logical course would then be to go home and do his best to forget the passwords. His employer shitcanned him because he tried to follow their rules and they didn't like it.

    There is no rule in the City IT policy that says you need to give up a password when asked. However, there was one that any "system" passwords (as opposed to "user" passwords) needed to be in a central secure database, and it's up for discussion as to whether he did in fact violate that policy. If he did, then there was an obligation to disclose it, but then the question becomes, to whom?

    He offered to divulge the passwords to the only person he KNEW was authorized to receive them - an elected official. The Mayor agreed to accept the passwords, and he gave them up. The Mayor, as an elected official, is then authorized to hand the passwords off to anyone else he chooses.

    Then the passwords didn't work because the people the Mayor gave them to apparently didn't understand how the network was configured.

    If the City is still unable to access the network, they need to acknowledge that Childs was following THEIR rules when he refused to cooperate, apologize, release him with back pay, and ask nicely for him to come back for a short-term consulting gig so he can teach his successor how to run the network. At which point, the successor changes all the passwords, Childs loses all access to the network, and gets a nice letter of recommendation stating that his ethical standards at protecting information he is charged with protecting are so high that he's willing to go to jail rather than violate them.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."