Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
They didn't "allow this person to get complete control of essentially EVERYTHING", they paid him to do it and not tell anyone the password except the mayor.
Technically, he should get a bonus instead of boned
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
> No, I haven't read the links or anything else. But it needs to be said.
Yes, ignorance always leads to well-reasoned opinions.
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
The fact that the case has dragged on this long and that some of the charges have already been dropped seems to highlight the fact that there is some doubt as to whether or not he actually broke the law.
"He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus"
The city's property? Who the hell is "The city"? Did "The city" appear and he refused to give the passwords to him (or is it her?)? Or are you implying that since it was "the city's property" he should give the passwords to any citizen that would happen to ask for them? Because as soon as he was asked for the passwords by the proper person (the mayor) in the proper environment (face to face with him without unknown people in sight) he indeed promptly passed them out.
"then IT Managers will be able to hold sway with the passwords."
You can bet no IT Manager would tell the passwords to the janitor no matter how much "the company's janitor" it is.
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access.
Yeah, say that with a straight face to the guy demanding the root password because he read "it was important", and you got a call last week from him asking you to change his desktop wallpaper because "it got stuck". IT admins not going in for that kind of nonsense is a compelling reason why large sections of the internet don't slide off the side of the planet in a dribble-like fashion.
This guy was responsible for critical public infrastructure -- infrastructure that kept working for months after they fired him. They broke it repeatedly after gaining access, and it took hundreds, if not thousands, of billable hours to repair the damage that happened when those owners and their "designated agents" got their hands around the gooey core of the network.
Justice is about harmony, not law and order.
#fuckbeta #iamslashdot #dicemustdie
I think what most lay people don't understand is that the rule 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins, particularly those in charge of large networks. If he just handed out passwords insecurely, that would cause more damage than Childs locking down the network for a brief duration. I'm inclined to believe that he was acting in the good faith of his job, particularly because he was willing to be arrested over being fired/becoming redundant. I seriously hope he's cleared, because he performed his job to the letter.
Being judged by twelve random people is as close to 'objective' as possible. I can only imagine the systemic biases that would arise from 'professional' juries, or 'expert technical' juries. Would you want a FOSS defendant judged by a jury from MS or Apple? Vice versa? Or as you seem to allude to, a world of bench rulings like the dark ages? Or a world where lawyers bid for the good opinion of a jury comprised of other lawyers? Disgusting. I'm immensely glad to have the right to be judged by average people, not because I harbor any romantic notion of them (they tend to be dolts), but because the alternatives are far worse.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit
Just that simple, huh? So let's say the Dean for Admissions demands you give him the organization-wide root or domain admin password. Will you? What if it's the dean for admissions, two members of the board of trustees, the chief of campus police, and a computer lab tech from the biology department, and all want you to give the password to the lab tech?
If the policy states you shall not give the password to anybody but the CIO, and all of these "designated agents" come to you and demand the password... are you going to give it to them?
Let's say you quit your job, and three days afterward they call you asking for the passwords. How do you know if the policy changed? Maybe the CIO was fired. How do you know these are still the "designated agents"?
These are the types of problems that arise from this prosecution. The law gives organizational policy the force of law, without realizing its limitations. So before you tell us to "shut up", you might want to think about the ramifications of that first.
True enough.
The way we do it:
We have 5 USB tokens. To override a root login requires 3 of the 5 keys. Done deal.
In addition, I have a sealed envelope. My boss's boss has it locked in his desk. If I go AWOL all he has to do is open it and he's golden, keys to the castle are in there. I take the old one and replace it every 90 days.
Point is that if an admin wants to be a dick there is little you can do to stop them, however, an admin refusing to give out keys to anyone but pre-authorized people is admirable, not criminal. In the same boat I've done similar, but fortunately for me my boss had my back, rather than knifing it.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
technically correct; The best kind of correct.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
Horseshit. Refusing to comply with an order when that order is illegal or against the rules that both parties operate under is definitely justified.
So it's all about CYA? That's weak, man. What if Terry was truly interested in maintaining security over the systems? What if Terry suspected his boss would plant evidence to condemn him?
I don't want to invoke Godwin's law, so I won't directly. But you do understand the implications of what you're saying, right? That as long as you're following orders and documenting that you believe it's against the rules, then you're OK, because it's the easiest way out for yourself?
Screw that. Principles are more important than CYA, and I've put my money where my mouth is on that issue on more than one occasion.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Do you really want to go down the rabbit hole of advocating that a company has the legal right to enter a person's memory to retrieve/remove their "intellectual property"? Because if so, please go find some other universe and don't come back.
(which btw, people further up the food chain, including the highest ranking person there, told him to ignore in this case)
The highest ranking person there doesn't mean shit if the highest ranking person there isn't authorized by the city to make such a decision.
What happens if you give the passwords to someone who, according to the IT Security policy which you had to sign a binding legal agreement to uphold, is not authorized to have the password and it leaks out, putting the entire infrastructure at risk?
What then? That's pretty much exactly what happened here. The people who were telling him to ignore the policy did not have the authority to tell them to ignore policy - it was binding on them too!
I'll tell you what happens if he gives the passwords to people he shouldn't. In the case of a private entity, not only can you be fired (and rightly so), but if your actions led to the leaking of information that must be kept secret by federal privacy guidelines then you can be held criminally and civilly liable as well. In the case of a government entity, it's almost a certainty that you can be held criminally liable. This system absolutely had sensitive data on it, and it was part of his job to make sure it did not get out.
So what the hell are you supposed to do? Give up the passwords in spite of security policy and go to jail when stuff breaks or private data leaks, or refuse to give up the passwords and go to jail anyway? What the fuck man? I'll admit, it sounds like Childs was being a dick about the whole situation, and had he been more diplomatic he could have defused the whole thing early on, but what if it's your bosses being dicks, and nothing you do to try to do things the right way works? I've seen office politics, and some people know how to stir up a shit storm in a hurry to get rid of someone they don't like.
In any case, nobody should lose two years of their life for no better reason than they were being a bit of a dick at work.
There are REALLY simple ways to handle these solutions.
You're right, and they were laid down in policy format, and his bosses didn't follow them.
When are admins going to realize they are nothing more than computer janitors?
That's funny, they get paid a hell of a lot more than janitors do.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Imagine that you're a general contractor, doing home improvement work for Bob and you hire a locksmith to install locks. When they finish the job, they refuse to give the keys to you, and only to Bob, because they're worried that you might make your own copies before you give them to Bob? Do you have them arrested and thrown into jail, or do you just have Bob get the key from them?
How about the same situation, but now you're Bob. You come home, your general contractor is out to lunch, and the locksmith has just finished up, but he doesn't actually know you, just the general contractor and so he won't give you the keys? Once again, do you treat this as a criminal situation, or do you just call your contractor and have him sort it out with the locksmith?
Once again, same situation, but now you're the locksmith. You've just finished up. Neither the contractor, nor Bob is around, but Bob's ex-wife arrives. You've met her before, so you know who she is. She seems to be free to come and go when she comes by shuttling their child back and forth. She was even in charge of the renovation project, even picking out the new doors and doorhandles you've just installed locks in. However you've never actually seen her there when Bob wasn't home and you don't know if she's actually supposed to have her own key. She insists that you give her the key. Company policy says that you're only supposed to give the key to the homeowner, and she doesn't seem to quite fit that definition. So, you insist that you'll give the key to Bob and he can make her a copy. So, she calls the police and has you arrested and thrown in jail. Then Bob comes to your cell and you give him the key as you said you would. Then you get held over for trial with bail set ridiculously high even though you're not a flight risk, on the justification that you could break into Bob's house even though the locks have been changed again. Let's face it, of course you could break in, you're a locksmith, but what have you done that makes anyone think you'd be likely to?