Slashdot Mirror
Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
No he didn't.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
The written policy was that he only gave the passwords to the mayor in a secure setting.
People besides the mayor tried to get the passwords.
The mayor tried to get the passwords in a non-secure setting.
They grossly over-reacted and were probably trying to violate their own written policies.
If they can force you to violate policies or go to jail for up to 5 years, then you don't want to be in that job since the penalty for violating written policies may be just as draconian.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Mod parent down. His job was to keep the network secure, and the people demanding the passwords didn't have a right to know them. He told the mayor instead.
This is, of course, after they fired him without demanding the passwords first.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Helpful links:
Jul 15, 2008
Aug 23, 2009
Dec 15, 2009
Mar 03, 2010
His supervisors wanted the passwords.
The Mayor wanted the passwords - secure or not if the Mayor of the city you work for wants a password, you give it to them. I work in the public sector and while the head of the agency isn't my supervisor, if she asked for a password that she didn't need, I'd write it down for her.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case&fp=&fpid=
"First, despite the many news reports claiming that Childs had shut down all or part of the city and county of San Francisco's network, what actually happened was that Childs refused to provide his superiors the passwords to the city's core FiberWAN network, effectively preventing them from administering the network."
"Following the completion of the FiberWAN, Childs looked upon his creation as art -- so much so that he applied and was granted a copyright for the network design as technical artistry. Skeptical of his colleagues' abilities, Childs became the sole administrator of the FiberWAN, and the only person with the passwords to the routers and switches that comprised the network. This state of affairs was widely known throughout DTIS, and Childs was the only point of contact for changes, troubleshooting, and overall management of this network."
I've looked around and around and see no references to this written policy, just that he'd only agree to give them to the Mayor in person.
Did he do half of what the City of San Francisco said he might do? Nope, but should he have given up the passwords to his damned supervisors? Yes.
This is what the City of San Francisco gets for letting a felon run their network.
"The possession of ammunition may have raised flags with the police, because 25 years ago, at the age of 17, Childs was arrested and convicted of aggravated burglary, and spent four years in a Kansas prison. In 1995, prosecutors said, Childs was again arrested in Kansas and charged with aggravated assault and carrying a concealed weapon. The case was reduced to misdemeanor weapons possession"
They ceased being his superiors they second they fired him, which was before they asked for the password, if I recall the other stories about this correctly
It's funny that you think you're safe because of policy. As another has already said better, so did he.
Oh, but that won't happen to anybody else, right?
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Actually your landlord argument varies by area and contract.
In my experience, with apartments, the management is generally allowed to come inspect as needed. They frequently are checking smoke detectors, leaks from other units, etc. They run into, for example, situations where a leaking pipe in an upper unit causes water damage in a lower unit.
With homes, it's less common for the open access verbage to exist. The more you spend on a rental home, the better (generally) the verbage is for your privacy.
To extend this, the police interviewed my ex-mother-in-law regarding someone who was renting a room. They *wanted* to go into his space, but were legally obliged not to because he had leased that space. She couldn't even legally enter it. Even with her permission, they couldn't go into the room. A little later (like a couple hours), they did secure the proper warrants, and returned. They politely asked to gain access to the room because they did have the proper paperwork.
Serious? Seriousness is well above my pay grade.
Woo! Big miss! The landlord (by default) CANNOT just come in without proper notice, at least by PA Landlord-Tenant Law.
Either way, the analogy doesn't apply at all. Childs wasn't leasing anything here. It would be as if the landlord here had a maintenance man who changed all the locks, and then wouldn't hand over the master keys to another maintenance man because the landlord wasn't there to say it was OK.
And that is still simplifying it WAY too much.
He was just being a dick. He used the policy as an excuse but 'the mayor tried to get the passwords in a non-secure setting' is just fucking bullshit.
They aren't nuclear launch codes and it was the highest man on the totem pole.
Smack his ass back to reality for it and remind him how unacceptable it is to do what he did.
You can argue that he was right ALL day long, but I dare you to make that argument at a job interview. There will be VERY few places that will side with you on that one.
He effectively held hostage ... for 12 days ... the keys to a large chunk of infrastructure. You know what, you're right, we should let admins do whatever they want cause they know best. Admins should just run the country rather than doing their jobs as their told.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
It is perfectly rational when that is exactly what his contract told him to do.
Though hosted on a San Francisco government site, that document self-identifies as being the product of a trade organization composed of County sysadmins (and it does not list the "City and County of San Francisco" as one of the Counties whose members contributed.) Indeed, "San Francisco" doesn't appear in the document at all.
Can you also post a link to a place on the site where the city says they adopted this document as their policy?
(Also the quoted text doesn't support the allegation that the password was only to be "disclosed to the mayor in a secure setting". "Mayor" doesn't appear in the document, and "chief" only appears as part of "chief information security officer", not "chief executive".)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The important point is that he was asked to give up that information after he was fired.
Incorrect. Please read the case history before repeating misinformation.
It was a written policy. You can find the base document here: http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
He was just being a dick. He used the policy as an excuse but 'the mayor tried to get the passwords in a non-secure setting' is just fucking bullshit.
Following policy is not an excuse, it's the right thing to do. If the mayor tried to get the passwords with 15 unauthorized personnel within earshot, it's a non-secure setting and he should not have given it up.
The city policy expressly states that you should not give your passwords out to your boss. The only people who were to receive the passwords were those who required the passwords to fulfill their daily job duties. Childs was the only person on staff who fit that description, and as such, it was against policy to give out the passwords to anybody else (except the mayor in a secure setting).
He may well have been a dick, and he probably could have diffused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
They aren't nuclear launch codes and it was the highest man on the totem pole.
There very well could have been legal ramifications for handing out those passwords to unauthorized personnel. That includes his bosses.
I've got a news flash for you - in 12 days, management that doesn't know shit about networks can really fuck things up bad if they are allowed to mess with it. They were the last people he should have been giving access to, and anybody who actually works with this equipment knows that.
Imagine what would have happened if he had immediately turned over the passwords, management started mucking about, and they accidentally shut down half the network? You know what would happen then? This guy would have been fired for violating City policy, and possibly held legally responsible for the costs incurred. God forbid anybody should die in the process, then he's really fucked.
The fact is, from what I can tell anyway, Childs did the responsible thing but his bosses went on a fricking power trip and had him thrown in jail without ever following the proper procedure for any of this. The assholes here are the management, even if the guy is a dick.
Admins should just run the country rather than doing their jobs as their told.
Just want to point out that this guy is on trial precisely because he was doing his job as he was told.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
A jury of techs would be entirely likely to be stupidly biased for childs, that is hardly logical.
This keep cropping up in this thread, and I don't know why. The policy is online, and does not contain the word "Mayor", or the phrase "designated agent", or any of the many other things that are supposedly in it. So he did not follow policy in this respect.
What is in the policy is the actual policy for system level passwords, and the enable password for network kit is definitely a system level password. It states:
"All production system-level passwords must be part of the security administered global password management database."
Simple, clear, and Childs was definitely in breach of it: only he has these enable passwords, and did not put them in the database.
For him to argue that the rules for personal passwords applied to system-level passwords and take it to ridiculous extremes - well, this was always bound to end in tears.
Under the very same anti-hacker law that Childs is being tried for breaking, had he given the passwords to the wrong people after his termination he could be held criminally responsible.
In other words, you don't give the keys over to the janitor when you are terminated, you give the keys over to the authorized representative. If he is in a situation where he doesn't know exactly who is authorized, then the right thing to do is to hang on to them until he knows that the person he is giving access to really is supposed to have access. You can get yourself in an assload of trouble for not doing this. To get in an assload of trouble even if you do it puts IT administrators between a rock and a hard place.
Once an authorized representative requested the passwords, he gave them to him. The mayor was almost certainly higher than necessary to get this done, but he may have been the only person Childs knew for a fact was authorized and could and whom he could also verify the identity.
These were passwords to Cisco routers and switches. He didn't lock anybody out, nobody else was ever authorized access in the first place! The first article to come out about this case said Childs changed everyone else's password and only granted himself access. That's patently absurd - the Cisco equipment they were using only takes two passwords - one to get into the router/switch, and one to make configuration changes. That's it. There are no other passwords to change, and he kept them the same accross the entire network. Because there are no other passwords to change, it is absolutely critical that only those who need to know the password know the password. According to company policy, nobody else needed to know the passwords, since he was the only one who worked on the equipment, and therefore nobody else was authorized to know the passwords. The city policy expressly forbids giving the passwords to your boss if your boss is not already authorized to know them.
The way it sounds to me like it happened was something like this: Childs's bosses wanted the passwords because they did not trust him having sole possesion of the passwords. He refused to give them the passwords because they were not authorized to know the passwords. At this point, instead of calling up someone who was authorized to receive the passwords (the CISO, according to city policy) and having Childs give them the passwords, they held a big meeting - including a teleconference - and demanded he give up the passwords or they would fire him. They may have done this because Childs was being a dick about the whole situation, but the fact is even if there was an authorized individual he could give the passwords to at this meeting, he couldn't share because there were unauthorized people present. At this point, they fired him, and when he refused to give the passwords up (because the people asking were still not authorized) they had him arrested under California's anti-hacking laws. They drummed up all sorts of nonsense charges, but the only thing that had any chance of sticking was the password issue, and even then it took a year and a half to build the case. In any case, as soon as he was able to give the passwords to an authorized individual - and only an authorized individual - he readily gave them up.
It's worth noting that things were running smoothly until the guy's bosses were finally able to access the system, at which point things started to break because they didn't know what the hell they were doing.
Kinda makes you think the policy was there for a reason, huh?
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
County policy document
Section 4.1, page 32.
"All production system-level passwords must be part of the security administered global password management database."