Slashdot Mirror


Fate of Terry Childs Now In Jury's Hands

snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."

8 of 530 comments

  1. Re:Oh shut up by Roogna · · Score: 4, Interesting

    But that isn't true. If the written security policy states that that person, even if it is -your boss-, isn't to have the password, then that person doesn't get the password, no matter how many times they ask. Written policies exist to lay down the foundation and rules.

    I've been in similar situations back when I was working as an admin. We once had an executive VP demanding we give the password to a machine to someone not authorized to have it (And no, the VP did NOT have authorization or power to change that policy, he was NOT in charge of security). He threatened to fire us. We told him to go ahead, but that the only people who got the password were our replacements or other authorized individuals. He DID have the power to fire us. But that STILL didn't give him the power to demand that password, or that the security policy be changed.

    Companies, and I'd imagine city governments too, have policies and chains of commands on all sorts of things. These things are usually written down somewhere so as to be enforceable. And THOSE are the things that matter. I don't remember ever working as an admin where my immediate supervisor had a root password to anything or his boss. But the good ones all knew that it wasn't their job to know those things, they paid me to keep those secure from people who asked. Even if that meant some pip-squeak with a highly placed friend.

  2. Re:honestly... by Lumpy · · Score: 4, Interesting

    Welcome to America. My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area, the asshole federal building superintendent called up his asshole brother cop and he wrote it up. She did no damage to the door, they have no evidence, the cop was not even there. (Illinois it's a level 4 felony for doing damage under $500.00 to a federal building. $0.00 is under $500.00)

    I'm paying $400.00 an hour to get this dropped because of raging Police and Court stupidity. The DA in that district is an idiot that thinks he needs to be "tough on crime". This should have been thrown away the second the officer turned it in, but new laws require them to pursue everything a cop turns in.

    I personally have nothing but contempt for the joke that is our judicial and legal system.

    --
    Do not look at laser with remaining good eye.
  3. My solution in the past by Minupla · · Score: 5, Interesting

    I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.

    This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    1. Re:My solution in the past by QuantumRiff · · Score: 3, Interesting

      I did something similar. Except I gave the President half the password, and the head of HR the other half. I figured since they didn't get along well, it would certainly have to be an emergency (and I would have to be dead) for them to get together and get the password.

      --

      What are we going to do tonight Brain?
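
The two-custodian escrow described in the comments above, generalized as an added example (not part of the original comments): literal halves of a password each reveal half its characters, so here the secret is XOR-split and either share alone is just random bytes. `PAD_LEN`, `TAG_LEN`, the function names and the sample password are assumptions of this example.

```python
import hashlib
import secrets

PAD_LEN = 64   # fixed plaintext size, so a share does not reveal password length
TAG_LEN = 8    # truncated SHA-256 check value carried inside the split data


def split_secret(password: str) -> tuple:
    """Return two shares; both are needed, and each alone is uniformly random."""
    raw = password.encode("utf-8")
    if len(raw) > PAD_LEN - 1:
        raise ValueError("password too long for PAD_LEN")
    # Layout: 1 length byte | password | zero padding | check tag
    body = bytes([len(raw)]) + raw.ljust(PAD_LEN - 1, b"\0")
    blob = body + hashlib.sha256(body).digest()[:TAG_LEN]
    share_a = secrets.token_bytes(len(blob))               # one-time pad
    share_b = bytes(x ^ y for x, y in zip(blob, share_a))  # blob XOR pad
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> str:
    """Recombine both shares; reject mismatched or corrupted ones."""
    if len(share_a) != len(share_b) or len(share_a) != PAD_LEN + TAG_LEN:
        raise ValueError("share has the wrong size")
    blob = bytes(x ^ y for x, y in zip(share_a, share_b))
    body, tag = blob[:PAD_LEN], blob[PAD_LEN:]
    expected = hashlib.sha256(body).digest()[:TAG_LEN]
    if not secrets.compare_digest(expected, tag):
        raise ValueError("shares do not belong together or were altered")
    return body[1:1 + body[0]].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    a, b = split_secret("constructed-Enable-Pw!")
    print("custodian 1 share:", a.hex())
    print("custodian 2 share:", b.hex())
    print("recombined:", combine_shares(a, b))
```

Each share goes into its own sealed, signed envelope as in the parent comment; recovery requires both custodians to open theirs.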
  4. Re:Oh shut up by Red Flayer · · Score: 5, Interesting

    Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple. You don't have to give them your password, you do have to give them a password that gives them access. In the cases of routers, this is often a shared password like an enable password.

    Who owns those systems? Not his boss -- the City does. And the City did not give his boss authority to get the passwords directly from him. The City established a set of rules for transferring the passwords, and his boss tried to circumvent those rules.

    This guy's boss was not acting within the rules established for him to act as a proxy for the City (if we're going to follow your ownership logic). So who's acting responsibly... the guy who chose to follow the rules despite the risk of adverse personal impact? Or the guy who wanted to ride roughshod over the rules in the interest of expediency?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. Re:honestly... by bjourne · · Score: 3, Interesting

    Who on earth modded this interesting??

    For the record, people mod posts interesting because they find them "interesting" not because they are correct. And complaining about modding is childish.

    This has been discussed many [slashdot.org] times [slashdot.org], and I regret to inform you that your argument does not hold water. While it's a nice story to imagine this 'geek hero' standing up against the system, it's an airbrushed, romanticized version of the truth. This dude was out of line, end of story. He decided to try to flex his muscles, and he got taught a very valuable lesson that many could learn from. It was not his place to determine who was "competent" enough for the information.

    The important point is that he was asked to give up that information after he was fired. In a sane world, Childs would have been able to tell them to fuck off because he has no obligation whatsoever to work for free for his former employer. Btw, this is one of the many reasons IT workers should be unionized. Unions could have laid down the ground rules to abusive workplaces like this and fined them for millions for their transgressions. Companies don't own you for life.

  6. Re:Really? by Zerth · · Score: 4, Interesting

    No reference? Right in the middle of the "don't" list in the City's policy is "Do NOT disclose passwords to your boss".

    Here, I'll quote it for you:

    Do not share passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information.

    Here is a list of things to avoid:

    • Giving your password over the phone to ANYONE.
    • Sending a password in an e-mail message.
    • Telling your boss your password.
    • Talking about a password in front of others.
    • Hinting at the format of a password (e.g., "my family name").
    • Writing in your password on questionnaires or security forms.
    • Sharing your password with family members.
    • Telling your co-workers your password while on vacation.

    If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.

  7. Re:honestly... by MightyMartian · · Score: 4, Interesting

    Does anybody actually have a copy of that contract? I keep hearing this, and I'm wondering whether it's true, or a distortion by his lawyer, or just some oft-repeated bullshit by those that want him to be a hero.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.