Terry Childs's Slow Road To Justice
snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.
'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I
Don't use a non-specified IP address.
Or more specifically: grab a console cable, plug it into the device, and do what you need to do.
That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.
In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.
No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.
I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.
Can you be Even More Awesome?!
His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?
The World Wide Web is dying. Soon, we shall have only the Internet.
His employer was the City, which, being a government, is not a private institution but a public service. In protecting the systems from incompetent individuals, Childs is fulfilling his duty to his fellow citizens.
Such a sense of Duty is rare these days.
How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?
That would be about 2 illegal song uploads or 23 killings.
Nah, he's pretty much fucked. In an honest world he'd be rewarded for being such an upstanding citizen standing against corruption and incompetence.
In this world we've got whistleblower laws because nobody wants to hire an honest man.
"People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"
You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.
"but let's not try to pretend that he didn't violate rules and/or laws."
He didn't. You are welcome to prove that he did, but so far you are only guessing despite no evidence to support your case.
His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?
I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?
It was in his contract.
I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."
If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.
"You're fired. Give me the network passwords."
"Sorry, that is no longer my job."
"I'm calling the police."
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."
Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.
He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.
If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.
So you're saying it's time for a new national byline eh.
"Arbitrariness, Security and Hidden Agendas"
No, doesn't flow off the tongue right.
"Commercialized warfare, industrial subjugation and for-profit courts"
No, that's too wordy...
"Injustice, slavery and lies"
Hmm... I think we have a winner!
I hate printers.
This is rapidly becoming myth rather than fact-based.
The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853
The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251
Which, basically, says "follow this inter-county planning document":
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
The password policy in CCISDA states:
(pp 32 of the document)
Though the "Do not tell anyone your password" sect
Well two things here:
1) You sure about his contract? I see that getting paraded around a lot but I've not seen what the actual contract says. You sure it said "Only the mayor,"? Perhaps it said "The mayor, or any of his authorized agents," meaning things like the director of IT and so on.
2) The only reason it ever got to the point of the conference call and all that was his flat out refusal to hand over the passwords. He did the typical geek thing of "No, you can't have it," and they did the typical government thing of throwing a fit. If his concern was really his contract he could have simply said "Well according to my understanding of my contract, I'm not allowed to give the passwords to anyone but the mayor. So I either need to talk to the mayor and have him ask, or if you think that's wrong I need to talk to our lawyers and see what they say." Let people know your concern and what to do about it, they will probably be reasonable in working with you. Just say "No," without qualification, don't be surprised if they go overboard.
In general geek types need to learn this. Don't tell people "No," don't say "It can't be done," because usually you are lying, even if you don't mean to. Most things are possible, there are just preconditions to be met. So tell people what those are. If they can't meet them, well then they can't have it. However it makes you not the bad guy. It really goes a long way with people's attitudes too. They don't feel like they are being shut down, they are being empowered. They are being told what THEY have to do to get something done.
This goes for all kinds of requests. For example:
--Self important asshat departmental manager comes and says "I need 50 terabytes of space on the central server to store files." Company policy is that everyone gets 100GB for no charge. Don't go "No, you can't have that much space." Instead say "Well the company only gives you 100GB for no charge. If you want more, we can certainly do that but we'll have to add hardware. That is going to cost $X dollars, which you'll need to provide the budget for. You get me the money, I'll get you the space." Now most likely he goes away since he doesn't have the money to spend. However you aren't the bad guy, you offered to help, he couldn't get what he needed. Also you never know, maybe he says "No problem, I'll have the money transferred to your group today."
--Mid-level manager demands administrative access to his PC. He doesn't have a reason, just says "I need it, you have to give it to me." Company policy is that nobody gets access. Again, don't say no. Instead say "Well company policy is that nobody has administrative access. If you'd like it, you'll need to get a policy exception. Here's a form you can take to the big boss to get one." You have him get permission, and sign something that says he takes responsibility for his actions. Again, you are throwing the ball in his court. He has to go ask for permission and if he gets it he has to be responsible. Maybe the big boss never gives permission, that's not your problem, you aren't the bad guy.
In general, that's how you want to operate. Let people know what they need to do to get what they want, even if what they need to do is something you know they won't do. It will keep them much happier over all, and help insulate you against complaints. If someone goes to your boss or boss's boss and bitches that you said no, you can show that indeed you didn't, you told them what they needed to do. You didn't stop them from doing their job, you showed them what they needed to do to be able to do their job.