Slashdot Mirror
Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
the City of San Francisco should also get smacked upside the head for allowing this person to get complete control of essentially EVERYTHING in their network. No, I haven't read the links or anything else. But it needs to be said.
Sent from your iPad.
ANd just how does this put all IT Admins in danger? The man broke the law
"A verdict that, if rendered, puts all IT admins in danger."
He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus, if anything a not-guilty verdict will do more damage because then IT Managers will be able to hold sway with the passwords.
Is this like Slashdot in "Rights Violation Mode"? (Kind of like Weatherscan's severe weather mode). I am seeing these red curly things next to the articles throughout the entire front page
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
The fact that the case has dragged on this long and that some of the charges have already been dropped seem to highlight the fact that there is some doubt as to whether or not he actually broke the law.
Pity he doesn't have a jury of his peers, so he's basically gonna get crucified by joe & jane blow citizen (good citizens who convict evil hackers like the prosecution wants).
I am tired of this "Oh no if he gets convicted all IT admins are in danger!" No, they aren't, not if they do their jobs. It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple. You don't have to give them your password, you do have to give them a password that gives them access. In the cases of routers, this is often a shared password like an enable password.
I don't see this as affecting IT admins at all. Certainly doesn't affect me. Here all the passwords are kept in a safe by my boss, as is required by university policy. Who can and cannot have access is specified in policy. I am not at all worried. If a random grad student demands access, I'll say no. If the CIO demands access, I'll give it. Simple as that.
That's this non-jurors verdict.
Regards,
Jason C. Wells
ohnoitsinfoworld
Hail Eris, full of mischief...
E pluribus sanguinem
He essentially served a 2 year sentence regardless of whether or not he is found guilty? Awesome. I knew justice is blind, but I didn't realize that it was stupid too. What there wasn't a tracking anklet available? Really 2 years waiting in jail for a non-violent "crime"?
Please give a reference for that.
Demand a waiver from all employers..Maybe it takes things like this to get you all to organize. Otherwise live with the verdict if it goes badly.
For justice, we must go to Don Corleone
I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.
This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
And some of us are 55 +, with GOOD blood pressure, and we don't like the noobs comments who don't bother to get the full story either.
we know what we must do, right?
never a better time....
At least, not anymore. And he refused to hand the passwords over to those who were. Consider what a finding in favour of Childs would mean; any admin upset about termination could hold on to their passwords out of spite.
The city does have some culpability. They should have ensured at least one other person had the passwords, in case Childs was hit by a bus.
Just for him, or for every disgruntled former employee who's petulantly holding on to city property?
Anything can happen in a jury trial, but it's hard to believe that Child's will lose this thing. The district attorney needs to prove two things (at least):
That Child's acted maliciously, that he was trying to cause harm to the network. I have seen no real evidence that supports this idea. The city tried to say that he did it to keep them from firing him.
They also have to prove that his actions actually caused damage. This is problematic because the network never actually went down, his actions didn't cause damage. The city uses the twisted argument that the fact that they were unable to prevent Childs from accessing the network was damage enough, that Childs was the one they needed to defend against.
I did not sit through the trial, but it's hard for me to believe that many juries would find this to be true beyond reasonable doubt.
Qxe4
The organization's policies are no longer any of your business once you leave their employ. They're not law. If they want to violate them, that's their concern, not yours.
Wait, you mean his fate is in the hands of 12 clueless "average" citizens?
He is truly fucked.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
The same op3ra7ion towels on the floor
Pity he doesn't have a jury of his peers, so he's basically gonna get crucified by joe & jane blow citizen ...
The downside to treating everybody as equal before the law is that everybody is everybody else's "peer" for the purposes of jury selection.
"Jury of his peers" is from British law - where the Magna Carta established the right of Lords to be tried by a jury of other Lords in disputes brought by the King, to keep the King from arbitrarily convicting them of made-up crimes and seizing their estates. Later it was extended to the other classes of "Englishmen".
When it comes to the US, while many of the legal principles came across, the explicit legal distinctions among classes of citizens, based on heritage, occupation, government position, etc. were explicitly banished from US law. We were left with free, slave/involuntary servant (a class later eliminated except for those convicted of crimes), non-citizen, and "untaxed Indian" (effectively citizen of an independent country called a tribe who hasn't opted for full US citizen status).
About the closest we have to "peer" in jury selection is the requirement that the trial take place in the community where the crime occurred unless the DEFENDANT requests it be moved elsewhere and the judge agrees he can't get a fair trial in the original location.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It's simple, when your superiors ask for the password, GIVE IT TO THEM.
When you're threatened with arrest, GIVE THEM THE DAMNED PASSWORD.
If he'd tried this at a company you probably would not have heard of Childs.
you know it's technically illegal to kill someone, but the law allows for justifiable homicide.
this guy took over the system to protect it from the rest of the idiot users who, like the rest of the City employees, are incompetent.
I WISH I was on the jury. I'd vote innocent of all charges.. until he was acquitted or the judge declared a hung jury. I can understand his position. My mother does not get admin privs on her machine..
I've been following the story off and on, and the one thing I get hung up on is the crime charged. IANAL but if the crime he is accused of is "disrupting service" - shouldn't this have been thrown out a long time ago? Disrupting service = outage. If no outage was incurred, what service was disrupted? Yes they could not make changes, but the system continued to run. If I abstract this to my personal network... forgetting my network password does not create a disruption of service. Certainly an inconvenience, but I remain connected to the interwebs.
Can you tell me that password again?
They've served .5 years * 12 people = 6 people years!
So if I commit a felony, using the excuse that a company policy (which btw, people further up the food chain, including the highest ranking person there, told him to ignore in this case) prevents me from doing so ... you are in danger.
If you do your job right, you can simply say 'I can't give them to you, but person XXX has them and the authority to give them to you'
And you go home after you've been fired for being a prick like Childs was.
What you don't do is tell YOUR MAYOR that they aren't authorized. Or your CEO, or what ever.
There are REALLY simple ways to handle these solutions. Being an arrogant prick and holding the passwords (that should have been recorded elsewhere for just this situation, as per the policy he's using to defend himself) is actually a federal crime.
When are admins going to realize they are nothing more than computer janitors?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Though hosted on a San Francisco government site, that document self-identifies as being the product of a trade organization composed of County sysadmins (and it does not list the "City and County of San Francisco" as one of the Counties whose members contributed.) Indeed, "San Francisco" doesn't appear in the document at all.
Can you also post a link to a place on the site where the city says they adopted this document as their policy?
(Also the quoted text doesn't support the allegation that the password was only to be "disclosed to the mayor in a secure setting". "Mayor" doesn't appear in the document, and "chief" only appears as part of "chief information security officer", not "chief executive".)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"San Francisco Assistant District Attorney Conrad Del Rosario portrayed Childs as a self-obsessed man who locked the city out of its own network in the misguided hope that it would make it impossible for the city to fire him. "
Let all reasonable people hope for a stiff prison term for this fat stupid nerd.
He refused to hand over passwords when ordered to do so by his superior and his superior's superiors.
It was illegal to do so - he could easily have imagined going to jail for doing exactly that.
Little did he realize that following the law, could also lead to jail...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So give the password to a PHB and he blows the network up and you take the blame that is ok?
The moment Childs was threatened with jail by a credible governmental threat, then he should have surrendered the passwords.
Dude is a hardhead.
Agreed. Isn't there another element to prove? That the askers had a right to the passwds? There is more than reasonable doubt they did not.
This looks much more like a case of false arrest and malicious prosecution. Childs got under someone powerful's skin (congrats&condolensces!) He has suffered serious damages 500k$ (bailbond) + lawyers (500k$?) plus lost earnings . I foresee a multi 10M$ lawsuit once Childs is acquitted. And given the venom of the City's persuit, they will not settle but get hammered by a verdict they will appeal ad nauseam.
Besides, if you wish, you can just have them indemnify you in writing.
Put everything in writing to cover your ass if you like, but you don't get to hold on to things until someone n levels above you gives you a personal audience.
Beyond a reasonable doubt is only the theoretical requirement, people are unlikely to vote not guilty if they think the defendant is guilty.
Strangely, although what you says is logical, I don't think they actually have to prove that to convict under the law. As long as he fulfills the requirements that the law prescribes, he can be convicted. Thus whether he was authorized or not plays no part in the case, other than as evidence to whether he was acting maliciously or not.
Qxe4
It's hard for me to believe that a jury could possibly understand what you just said.
If fact, they probably will not and he will be found guilty and everyone will move on (well, except the convicted). This is just some obscure case about a "hacker" and nobody will give a damn because it's all about those cave dwellers that don't do anything (other than keep everything working; if only they knew).
Put everything in writing to cover your ass if you like, but you don't get to hold on to things until someone n levels above you gives you a personal audience.
If "n" and "personal audience" are defined in policy, then yes, I do. In fact, even if I don't want to, I'm required to. Childs wasn't some Mayor groupie looking for his "Ohmygawd! I just talked in private with the Mayor!" moment. Maybe by the time he finally talked with the Mayor he was a little grumpy from being held in jail, and he was less cordial so it might seem like he was telling the Mayor to kiss his feet, but the impression I get is that he was concerned that his prior boss was *bad news* and that he (Terry) should follow the rules and only let the Mayor have the password.
You probably haven't sat on a jury yet. Most people on the jury are not Mr. Childs' intellectual peers, they are his citizen peers. A person is suppose to be innocent until proven guilty, but too many folks from the general population tend to believe "if there's smoke there's fire; he must be guilty if he's charged for something." Sure it is the job of the defending lawyer to try to filter as many of those as possible out of the pool, but the DA's job is to fill the pool with as many of those as possible. Then we've got jury members who don't know jack about the technical details or the law, so they just go with their gut instinct on the people on the stand and the lawyers. Which lawyer did a better job of saying stuff? Hell, some members even go by what the lawyers wore.
No, sadly, our American justice system claims to be a fair system, and perhaps it is compared to others, but it is really a tyranny of ignorance and money. Mr. Childs likely doesn't have the money to really fight this (since he couldn't afford the $5M bail), so it boils down to his luck of a jury pool. Considering what I've read of his luck, that isn't much luck at all. Guilty or not, he could be serving time. Many other folks are rotting in jail without ever having committed the crime they are "guilty of" because the person's "peers" believed they were.
I hope that Childs will be found innocent of all charges, and he can fight back against the city. I just don't believe that facts are enough.
So.. he's already served over 20 months for something he may or may not be guilty of. If they just manage to drag out the case another three and a bit years it won't matter if he's found guilty or not!
And people wonder why we complain about the legal system.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Isn't this why countries such as France have completely abolished juries, and judgments are rendered solely by Judges (who, under French Civil Code, are inquisitors rather than arbiters, and are professional judges, not promoted lawyers like in our system)?
Of course, that has its own problems, like the fact that one crappy judge will make a lot of bad verdicts, but it does seem better than your fate resting on the opinions of the stupidest people the court could find.
Once he was terminated, his only obligation was to return anything of theirs. If they want to violate their own policies, that's none of his business.
The most he could reasonably do would be to insist his former boss put the request for passwords in writing, and to notify the mayor of this. If the mayor ignores the notice, he has no cause to withhold the passwords.
For a municipality, a "policy" is adopted by the decision-making body at an open meeting as a resolution. Technically, it's a law and the City cannot ignore laws just because they wrote them. A policy binds the decision-making body just as much as its employees and the citizens of the municipality. If Childs was allowing such a policy, his ass is 100% covered.
(Rules may vary, this works in Canada and the US)
Captcha: Breathe.
Always have a procedure in place to deal with the possibility of an "irreplaceable" employee getting hit by a bus. (I once took over a position at Intel where the former employee had died suddenly of a heart attack, leaving a CVS file locked. We decided to leave it locked in memoriam.) In this case, establishing a procedure for hand-off of the passwords long BEFORE firing the only employee that knows them would have been a no-brainer to any competent IT manager. In my book, if you fire me without notice for no reason, I'm not obligated to do ANYTHING after I walk out the door -- should have gotten those passwords in the exit interview if you needed them. Granted, Childs was a paranoid dick, but the managers created this situation themselves -- they should have known better.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Charge the defendant with everything you can think of even if you don't believe he's guilty of all of it and then negotiate down to the only charges you had any chance proving in the first place.
It's like raising prices just before a sale marks them down.
at least you get a trail unlike some other places
All he'd have to do is have the requester warrant, in writing, that they are acting as an agent of the organization.
Besides, I really, really doubt the mayor signed off on any policy requiring him to take direct action in low level network administration. That's just some nonsense Child's wrote up.
Well on the bright side if Terry Childs get convicted it should make social engineering of passwords away from our vicitims much easier :)
I remember many years ago during a merger one of the non-technical administrative staff with no prior warning sent an email to admins in various offices asking for administrative passwords to all systems (SMTP EMAIL) ... it pissed off layers of management when everyone rightfully replied f*ck you. In my opinion anyone who clicked reply and sent the passwords should have been fired on the spot. I don't understand the specifics of this case... To me it seems odd -- while there may have been god complex issues I would be very surprised if there were not also real human management/incompetence/stupidity issues.. How would any competent manager allow such a situation to even be possible in the first place?
I mean what if Terry died in a light cycle crash and something did go horribly wrong requiring enable privledges to fix? Would Terrys rotting corpse have really been held responsible? I've heard of failing upwards but this is grossly incompetent.
Regardless possibility of sending someone to jail for 5 years for sitting on a password for 12 days while hurting noone while acting in what you believe to be the best interests of the city seems like behavior I would expect from the government of a backwards 3rd world country.
There is only one rule, The Golden one (He that has the Gold makes the rules; not the do unto others one), and after more than 20 years as a lawyer I think he holds the system in contempt as well, after being a True Believer, ultra straight edged, right wing, NRA/RNC boyscout for most of his life.
"They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
This is true, this puts all IT admins who exit their job angrily, hijack the system and lock everyone else out in danger.
I mean, who hasn't been there, right? I mean, one could just leave the job gracefully but something something something freedom.
Nope, he need merely say "evil hacker", blow a lot of smoke, and the jury will convict.
If it's an actual jury of his peers, ie, IT professionals, system admins, etc, then I'd agree with you.
If it's a random selection of people off the street like usual, he's pretty screwed.
"Your honor, The jury finds the defendant innocent, due to the fact that his password really was, 'It's actually a passphrase'. He responded to every request for the password by telling it to them - it's not his fault that they thought he was being arrogant. In reality, he was being completely cooperative.
Furthermore, we request that the city be ordered to pay a large amount of money, say the $5 million that they required he come up with, to Mr. Childs. Because they are such fucktards."
When you're dead, you don't know you're dead. It only affects the people around you. Same thing when you're stupid.
In the US, we have the *right* to a jury, not the requirement for it. If we don't want one, we can ask for a bench trial.
Bob's wife's name is Alice.
What do I win?
Send the passwords in writing to the mayors office. Have it notarized and sent by registered mail if you really think something is up.
What they then do with them is none of your concern.
You are obligated to return any of their property in your possession, and that could include passwords.
If he had a work laptop, they could require him to make reasonable effort to return it. Comparing sending an email to "slavery" is absurd.
I did not sit through the trial, but it's hard for me to believe that many juries would find this to be true beyond reasonable doubt.
Juries can get thing _very_ wrong: O J Simpson.
Stop Feeding the Trools!!!!!
"Chairperson Robinson announced that DTIS internally hired the new Security Manager, Jeana Pieralde. He stated that a memo went out asking departments who their IT security contact person with the plan to implement a security IT work group within the City"
Why are there no reports about others involved in this case?
"The office from which Pieralde removed the hard drive belonged to DTIS Security Officer Nancy Hastings (who naturally was not present in the office because the "security audit" was being conducted after hours.)
Terry Childs had returned late to the offices (which do include his office and do not include Jeana Pieralde's office) at about 5:15 P.M. to find Jeana Pieralde (who does not work in those offices) taking a hard drive from one of Terry's co-workers offices. Terry photographed this act with the camera in his cellphone.
Jeana Pieralde then involved DTIS Deputy Director Rich Robinson. Rich called Terry and told him to stop taking pictures.
Three days later (Monday) both Rich Robinson and Jeana Pieralde filed complaints of threats with the San Francisco police department and Police Inspector James Ramsey was assigned to the case. No charges have ever been filed against Terry Childs for the alleged threats (which included the statement "I'm ready for you Rich. Or I can come up to your office.")"
"5. Mr. Childs clashed with the new Security Manager on the subject of authentication and control, which led to poor formal review"
In early June, Terry Childs sent repeated complaints of incompetency regarding a supervisor (Herb Tong) to that supervisor's superiors. When nothing was done about the informal complaints, Terry Childs filed a formal complaint regarding the supervisor (Herb Tong.) It was several weeks later, on the 20th of June that the reported clash with the new (position created and filled just this year) Security Manager (Jeana Pieralde) occurred.
The Security Manager position was new. Jeana Pieralde was promoted from a prior position within DTIS to the Security Manager position. Jeana Pieralde no longer worked in the same offices with Terry Childs. He returned to those offices on the evening of June 20th, 2008 after normal office hours (which end at 5 P.M.) to find Jeana Pieralde removing a hard drive from someone else's office. She claimed to be performing an unannounced audit.
Jeana Pieralde is the author of a proposed security policy for the city which is still waiting for committee review. That security policy, if accepted, may one day give Jeana Pieralde specific authority to perform audits and perhaps even to have administrative control over city communications networks.
Please dig deeper into this story"
It's tool time.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Generally, defendants can waive their right to a jury trial and have the case go before a judge, they think that is to their benefit.
It seems that government would certainly like to abolish trial by jury, as it has this annoying tendency to slightly slow the growth of the prison-industrial complex. In blatant contradiction to the Constitutional requirement, SCOTUS has somehow become illiterate regarding the phrase "all criminal prosecutions" and ruled that you don't have a right to a jury trial if the sentence is less than six months -- even if you're facing multiple counts and could spend years in jail. And the state continually tries to keep juries ignorant of their right to judge questions of law as well as of fact.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
This sounds like a clear example of the arrogant 'small god' ego that most sysadmins develop. The system belongs to the city. Its not his personal property.
He has no liability for the security of any system at work after he's been fired. If he really was worried about it, he could/should have just asked them to sign a disclaimer of his liability before he handed the password over.
To be honest, if this does endanger all those mini-hitlers that make developers lives hell, then I'm all for it.
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=1&fp=&fpid=
That two weeks severance they give you? They can actually insist you sit at your desk for it if they wanted.
Posting AC from work.
He refused to give passwords out except according to the terms of his employement, which once met, he did. Then, he was accused of actually being a real sysadmin and using the hardware he was given in the manner it was supposed to be used (modems in his office).
The only thing they have on him, according to all the articles linked (I read them all) was the presence of some system related documentation, including user account lists, in his home.
Sounds like he has cooperated at every step with the people pressing charges (his employer) within the terms that *they set*. While there are other allegations, there is nothing that smells of arrest-worthy. Did I miss something?
I am not suggesting innocence or guilt - that is a matter of law and IANAL. I am trying to understand the basis for his arrest and sky-high bail. As a citizen, the criteria for being locked up for more than a year should be comprehensible to the general public, no?
OSXCPA2
You're right. I fear for Mr. Childs. I believe he's done no wrong (I'm a systems admin of 7 years myself) but unless his attorney can turn technical stuff into laymens terms really, Really well, then Mr. Childs will be spending three and a half more years in jail (assuming they do a time already served kind of thing). Of course, they may slap him with different sentenced terms for each count they find him guilty of and give him a hefty twenty or so years in prison. This is sadly how it usually ends up for the innocent in our justice system. But, once again, it all boils down to how good his attorney is at turning technical information into information that the dummies in the jury can understand, which will be a very difficult job indeed. I can picture some grannies and hair dressers and other similar people on the jury and already know that he'll be convicted.
If he gets found not guilty on all charges (which I just don't see happening because of my above comments) then I hope he sues the city for millions and millions of dollars. He should also be able to have others criminally charged for false imprisonment but stupid things like immunity for cops and judges and prosecutors will keep such justice from happening.
I really do wish we could remove all immunity for all members of government (local, state and federal). Even the president should be able to be imprisoned for crimes committed.
http://www.google.com/search?client=safari&rls=en&q=alice's+restaurant&ie=UTF-8&oe=UTF-8
Can you be Even More Awesome?!