Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
They didn't "allow this person to get complete control of essentially EVERYTHING", they paid him to do it and not tell anyone the password except the mayor.
Technically, he should get a bonus instead of boned
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
> No, I haven't read the links or anything else. But it needs to be said.
Yes, ignorance always leads to well-reasoned opinions.
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
The fact that the case has dragged on this long and that some of the charges have already been dropped seems to highlight the fact that there is some doubt as to whether or not he actually broke the law.
The written policy was that he only gave the passwords to the mayor in a secure setting.
People besides the mayor tried to get the passwords.
The mayor tried to get the passwords in a non-secure setting.
They grossly over-reacted and were probably trying to violate their own written policies.
If they can force you to violate policies or go to jail for up to 5 years, then you don't want to be in that job since the penalty for violating written policies may be just as draconian.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
The city of San Fran was lucky to get someone that has a backbone and some moral fiber. He was protecting the citizens of the city against complete IT ignoramuses who happened to hold positions of authority and leadership. If they were even a quarter as competent as him, his actions would have posed no threats whatsoever.
The situation is kind of like you closing the front door of your apartment and the landlord can't figure out how to turn the door knob. Why did you close the front door? Cause the landlord wants to store your neighbors' valuables with the door open for all to see. So now the landlord sues you for holding the house and its contents hostage! Oh and btw, if anything gets stolen, it's your fault! _You_ should have closed and locked the door!
YES, the case is really that stupid!
Mod parent down. His job was to keep the network secure, and the people demanding the passwords didn't have a right to know them. He told the mayor instead.
This is, of course, after they fired him without demanding the passwords first.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
It's true! Hence why flat earth theory, a geocentric universe, phlogiston theory, and about 90% of the stuff Aristotle wrote about medicine have all retained their relevancy and veracity after all of these years.
What 12 guys in a room decide they collectively think happened has no bearing whatsoever on what actually happened.
Go green: turn off your refrigerator.
"He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus"
The city's property? Who the hell is "The city"? Did "The city" appear and he refused to give the passwords to him (or is it her?)? Or are you implying that since it was "the city's property" he should give the passwords to any citizen that would happen to ask for them? Because as soon as he was asked for the passwords by the proper person (the mayor) in the proper environment (face to face with him without unknown people in sight) he indeed promptly passed them out.
"then IT Managers will be able to hold sway with the passwords."
You can bet no IT Manager would tell the passwords to the janitor no matter how much "the company's janitor" it is.
You are not a real, proper IT geek until you've either been fired or quit over this sort of nonsense.
Securing systems from morons is just part of the job.
A Pirate and a Puritan look the same on a balance sheet.
But that isn't true. If the written security policy states that that person, even if it is -your boss- isn't to have the password. Then that person doesn't get the password, no matter how many times they ask. Written policies exist to lay down the foundation and rules.
I've been in similar situations back when I was working as an admin. We once had an executive VP demanding we give the password to a machine to someone not authorized to have it (And no, the VP did NOT have authorization or power to change that policy, he was NOT in charge of security). He threatened to fire us. We told him to go ahead, but that the only people who got the password were our replacements or other authorized individuals. He DID have the power to fire us. But that STILL didn't give him the power to demand that password, or that the security policy be changed.
Companies, and I'd imagine city governments too, have policies and chains of command on all sorts of things. These things are usually written down somewhere so as to be enforceable. And THOSE are the things that matter. I don't remember ever working as an admin where my immediate supervisor had a root password to anything, or his boss. But the good ones all knew that it wasn't their job to know those things; they paid me to keep those secure from people who asked. Even if that meant some pip-squeak with a highly placed friend.
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access.
Yeah, say that with a straight face to the guy demanding the root password because he read "it was important", and you got a call last week from him asking you to change his desktop wallpaper because "it got stuck". IT admins not going in for that kind of nonsense is a compelling reason why large sections of the internet don't slide off the side of the planet in a dribble-like fashion.
This guy was responsible for critical public infrastructure -- infrastructure that kept working for months after they fired him. They broke it repeatedly after gaining access, and it took hundreds, if not thousands, of billable hours to repair the damage that happened when those owners and their "designated agents" got their hands around the gooey core of the network.
Justice is about harmony, not law and order.
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple.
It so simple, it sounds like that's exactly what Terry Childs did. He may have withheld access from a "designated agent" for a while, but he had no way of verifying exactly who the designated agents were. Would you suggest he just take their word for it?
It's not as clear cut as that. From what I understand, he was operating under a specific protocol for release of the passwords, that excluded the possibility of him handing them over to his bosses at their request.
So what's more important -- following the established rules, or doing as your boss says? In a perfect world (not that we operate in one), the rules are more important than the individual. If the boss wanted the passwords directly handed over, then the boss should have gotten the rules changed to allow that.
Just because someone is your boss doesn't make you their slave. And if you believe your boss is doing something wrong, it is morally incorrect to do as you are told, even if you document your protests.
Although, it does seem likely the guy was being a jerkwad... that doesn't mean he was an incorrect jerkwad, or a jerkwad acting illegally.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Welcome to America. My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area, the asshole federal building superintendent called up his asshole brother cop and he wrote it up. She did no damage to the door, they have no evidence, the cop was not even there. (Illinois it's a level 4 felony for doing damage under $500.00 to a federal building. $0.00 is under $500.00)
I'm paying $400.00 an hour to get this dropped because of raging Police and Court stupidity. The DA in that district is an idiot that thinks he needs to be "tough on crime". This should have been thrown away the second the officer turned it in, but new laws require them to pursue everything a cop turns in.
I personally have nothing but contempt for the joke that is our judicial and legal system.
Do not look at laser with remaining good eye.
His supervisors wanted the passwords.
The Mayor wanted the passwords - secure or not if the Mayor of the city you work for wants a password, you give it to them. I work in the public sector and while the head of the agency isn't my supervisor, if she asked for a password that she didn't need, I'd write it down for her.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case&fp=&fpid=
"First, despite the many news reports claiming that Childs had shut down all or part of the city and county of San Francisco's network, what actually happened was that Childs refused to provide his superiors the passwords to the city's core FiberWAN network, effectively preventing them from administering the network."
"Following the completion of the FiberWAN, Childs looked upon his creation as art -- so much so that he applied and was granted a copyright for the network design as technical artistry. Skeptical of his colleagues' abilities, Childs became the sole administrator of the FiberWAN, and the only person with the passwords to the routers and switches that comprised the network. This state of affairs was widely known throughout DTIS, and Childs was the only point of contact for changes, troubleshooting, and overall management of this network."
I've looked around and around and see no references to this written policy, just that he'd only agree to give them to the Mayor in person.
Did he do half of what the City of San Francisco said he might do? Nope, but should he have given up the passwords to his damned supervisors? Yes.
This is what the City of San Francisco gets for letting a felon run their network.
"The possession of ammunition may have raised flags with the police, because 25 years ago, at the age of 17, Childs was arrested and convicted of aggravated burglary, and spent four years in a Kansas prison. In 1995, prosecutors said, Childs was again arrested in Kansas and charged with aggravated assault and carrying a concealed weapon. The case was reduced to misdemeanor weapons possession"
I think, what most lay people don't understand is that the rule: 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins, particularly those in charge of large networks. If he just handed out passwords insecurely, that would cause more damage than Childs locking down the network for a brief duration. I'm inclined to believe that he was acting in the good faith of his job, particularly because he was willing to be arrested over being fired/becoming redundant. I seriously hope he's cleared, because he performed his job to the letter.
I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.
This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Who owns those systems? Not his boss -- the City does. And the City did not give his boss authority to get the passwords directly from him. The City established a set of rules for transferring the passwords, and his boss tried to circumvent those rules.
This guy's boss was not acting within the rules established for him to act as a proxy for the City (if we're going to follow your ownership logic). So who's acting responsibly... the guy who chose to follow the rules despite the risk of adverse personal impact? Or the guy who wanted to ride roughshod over the rules in the interest of expediency?
Well, sort of - for various reasons, he refused to give up the passwords to his bosses because he decided (correctly or not, of course, is for the jury to decide) that the only person authorized to receive the passwords was Mayor Newsom. Now, I'll note that, if his interpretation was that the "city" owned the passwords, you could make the argument that, if that's the case, he could also interpret that as broadly as humanly possible and give everyone in San Francisco the passwords; after all, if the network is owned by the city, that means it's *public* property, not just the private property of Mayor Newsom or select city employees. Realistically, he adopted a particularly narrow and self-serving interpretation of city policies to suit his own agenda, a point which the city is trying to make in court.
Ultimately, Childs is, at best, technically correct. It doesn't change the fact that he rules lawyered himself a rather convenient bit of job security, even if it proved to be temporary. This case won't put "all IT admins in danger" unless "all IT admins" work in places where there are no sane, documented policies regarding password handling and sharing and where ownership of IT equipment is rhetorically ambiguous.
The GP has a valid point though. What if the admin got hit by a bus and died? The city would be in the exact same position. In my opinion that's just straight up bad management.
I don't believe in karma, I just call it like I see it.
Being judged by twelve random people is as close to 'objective' as possible. I can only imagine the systemic biases that would arise from 'professional' juries, or 'expert technical' juries. Would you want a FOSS defendant judged by a jury from MS or Apple? Vice versa? Or as you seem to allude to, a world of bench rulings like the dark ages? Or a world where lawyers bid for the good opinion of a jury comprised of other lawyers? Disgusting. I'm immensely glad to have the right to be judged by average people, not because I harbor any romantic notion of them (they tend to be dolts), but because the alternatives are far worse.
Just that simple, huh? So let's say the Dean for Admissions demands you give him the organization-wide root or domain admin password. Will you? What if it's the dean for admissions, two members of the board of trustees, the chief of campus police, and a computer lab tech from the biology department, and all want you to give the password to the lab tech?
If the policy states you shall not give the password to anybody but the CIO, and all of these "designated agents" come to you and demand the password... are you going to give it to them?
Let's say you quit your job, and three days afterward they call you asking for the passwords. How do you know if the policy changed? Maybe the CIO was fired. How do you know these are still the "designated agents"?
These are the types of problems that arise from this prosecution. The law gives organizational policy the force of law, without realizing its limitations. So before you tell us to "shut up", you might want to think about the ramifications of that first.
It's funny that you think you're safe because of policy. As another has already said better, so did he.
Oh, but that won't happen to anybody else, right?
What I don't quite understand is how Childs was hired by The City to begin with given his criminal past.
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=2&fp=&fpid=
Sure, he was convicted of burglary when he was only 17, so I'm not sure if he was classified as a juvenile under Kansas law. He was then charged with misdemeanor weapons possession years later.
The guy did his time, so I'm not holding anything against him personally....I just find it surprising that a government agency would hire someone with that kind of record.
If you post as Anonymous Coward, don't expect a reply.
Actually your landlord argument varies by area and contract.
In my experience, with apartments, the management is generally allowed to come inspect as needed. They frequently are checking smoke detectors, leaks from other units, etc. They run into, for example, situations where a leaking pipe in an upper unit causes water damage in a lower unit.
With homes, it's less common for the open access verbiage to exist. The more you spend on a rental home, the better (generally) the verbiage is for your privacy.
To extend this, the police interviewed my ex-mother-in-law regarding someone who was renting a room. They *wanted* to go into his space, but were legally obliged not to because he had leased that space. She couldn't even legally enter it. Even with her permission, they couldn't go into the room. A little later (like a couple hours), they did secure the proper warrants, and returned. They politely asked to gain access to the room because they did have the proper paperwork.
Serious? Seriousness is well above my pay grade.
Anything can happen in a jury trial, but it's hard to believe that Childs will lose this thing. The district attorney needs to prove two things (at least):
That Childs acted maliciously, that he was trying to cause harm to the network. I have seen no real evidence that supports this idea. The city tried to say that he did it to keep them from firing him.
They also have to prove that his actions actually caused damage. This is problematic because the network never actually went down, his actions didn't cause damage. The city uses the twisted argument that the fact that they were unable to prevent Childs from accessing the network was damage enough, that Childs was the one they needed to defend against.
I did not sit through the trial, but it's hard for me to believe that many juries would find this to be true beyond reasonable doubt.
The organization's policies are no longer any of your business once you leave their employ. They're not law. If they want to violate them, that's their concern, not yours.
Woo! Big miss! The landlord (by default) CANNOT just come in without proper notice, at least by PA Landlord-Tenant Law.
Either way, the analogy doesn't apply at all. Childs wasn't leasing anything here. It would be as if the landlord here had a maintenance man who changed all the locks, and then wouldn't hand over the master keys to another maintenance man because the landlord wasn't there to say it was OK.
And that is still simplifying it WAY too much.
Wait, you mean his fate is in the hands of 12 clueless "average" citizens?
He is truly fucked.
True enough.
The way we do it:
We have 5 USB tokens. To override a root login requires 3 of the 5 keys. Done deal.
In addition, I have a sealed envelope. My boss's boss has it locked in his desk. If I go AWOL all he has to do is open it and he's golden, keys to the castle are in there. I take the old one and replace it every 90 days.
Point is that if an admin wants to be a dick there is little you can do to stop them, however, an admin refusing to give out keys to anyone but pre-authorized people is admirable, not criminal. In the same boat I've done similar, but fortunately for me my boss had my back, rather than knifing it.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
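The 3-of-5 token scheme in the post above, and the "what if the admin gets hit by a bus" escrow concern raised earlier in the thread, are both instances of threshold secret sharing. The block below is an added example, not the poster's setup or any product's code: it splits a root credential into 5 shares with Shamir's scheme over the prime field GF(2^255 - 19) so that any 3 shares recover it and fewer than 3 are refused outright. The field prime, the share format (x, y, threshold) and the 31-byte secret limit are choices made for this example; a real deployment would put each share on its own token and keep the threshold out-of-band as well.

```python
import secrets

# Field prime for the arithmetic. Any prime larger than the secret works;
# 2**255 - 19 is used here (the Curve25519 field prime) so that secrets of
# up to 31 bytes fit as a single field element. This is an example choice.
PRIME = 2**255 - 19
MAX_SECRET_LEN = 31


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares; any `threshold` of them recover it.

    Each share is a tuple (x, y, threshold). The constant term of a random
    polynomial of degree threshold-1 is the secret; share i is the point
    (i, p(i)). Fewer than `threshold` points leave the constant term
    information-theoretically undetermined.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret too large for the field")
    s = int.from_bytes(secret, "big")
    # Random coefficients from a CSPRNG; never reuse them across secrets.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x), threshold) for x in range(1, share_count + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Recover the secret by Lagrange interpolation of the shares at x = 0.

    Refuses to run with fewer shares than the threshold recorded in the
    shares, so a 2-of-5 attempt fails loudly instead of yielding garbage.
    """
    if not shares:
        raise ValueError("no shares supplied")
    threshold = shares[0][2]
    if any(t != threshold for _, _, t in shares):
        raise ValueError("shares come from different split operations")
    xs = [x for x, _, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    if len(shares) < threshold:
        raise ValueError(f"need at least {threshold} shares, got {len(shares)}")

    total = 0
    for i, (xi, yi, _) in enumerate(shares):
        num = den = 1
        for j, (xj, _, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        lagrange_at_zero = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + yi * lagrange_at_zero) % PRIME
    return total.to_bytes(secret_len, "big")


def demo():
    """Split a constructed root credential 3-of-5 and exercise the recovery paths."""
    root_password = b"example-r00t-credential"  # constructed sample, not a real secret
    shares = split_secret(root_password, threshold=3, share_count=5)
    ok_three = recover_secret([shares[0], shares[2], shares[4]], len(root_password))
    try:
        recover_secret(shares[:2], len(root_password))
        refused_two = False
    except ValueError:
        refused_two = True
    return ok_three == root_password, refused_two


if __name__ == "__main__":
    recovered, refused = demo()
    print("3 of 5 shares recovered the credential:", recovered)
    print("2 of 5 shares were refused:", refused)
```

Each share by itself is a uniformly random field element, so a single lost token reveals nothing; the thing to protect is the threshold count of tokens together, and the shares must be regenerated (not just the password rotated) whenever a token holder leaves.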
Who on earth modded this interesting??
For the record, people mod posts interesting because they find them "interesting" not because they are correct. And complaining about modding is childish.
This has been discussed many [slashdot.org] times [slashdot.org], and I regret to inform you that your argument does not hold water. While it's a nice story to imagine this 'geek hero' standing up against the system, it's an airbrushed, romanticized version of the truth. This dude was out of line, end of story. He decided to try to flex his muscles, and he got taught a very valuable lesson that many could learn from. It was not his place to determine who was "competent" enough for the information.
The important point is that he was asked to give up that information after he was fired. In a sane world, Childs would have been able to tell them to fuck off because he has no obligation whatsoever to work for free for his former employer. Btw, this is one of the many reasons IT workers should be unionized. Unions could have laid down the ground rules to abusive workplaces like this and fined them for millions for their transgressions. Companies don't own you for life.
technically correct; The best kind of correct.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
I get the same thing here at my company in IT security - lower-level store managers across the country who (supposedly) decide that one of their employees is loafing off too much and want their Web history for the past week or so. Or maybe they just want to know, how can I tell?
Of course, we don't use proxy authentication so it's insanely hard and time-consuming to even find that data with a degree of certainty, but even if I can, no way am I giving that up to somebody who I don't even know is definitely that person's manager.
We finally decided enough was enough, and now we categorically refuse to provide any information whatsoever unless an actual investigation incident is created with Human Resources, and only Human Resources can make the request. Problem solved on that one!
Another great one: a few years ago I helped on a worldwide Active Directory deployment for a company made up of many sub-companies. Anyway, this bunch of Battlin' Business Units distrusted one another so much that they actually paid our consulting company to be the only entity with Enterprise Admin credentials - of THEIR own AD forest! So I've somewhat been in this situation, and believe me, we also specified very carefully how that credential would be turned over and to whom. Luckily this company didn't press the issue at all.
Wow... Just wow.
In times like this, I think the media is your best friend. Surely, there has to be some local investigative TV reporter who likes going after government excesses. If I were involved, I'd play it to the max and do everything humanly possible to get this retarded governmental behavior plastered all over the the 6:00 news, and use the investigator to go after the state reps and senators to put pressure on these buffoons.
You and your daughter deserve public apologies and reparation from everyone involved (who in return each deserve a firm kick in the ass) The only way it's going to happen is to make it visible. Just sayin'
Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
Yes, The City did appear, or at least its duly elected representative, 'The Mayor of The City', who told him to give up the keys, to which he refused, citing some more bullshit about it being an unsecured facility ....
There are also several other people that represent the city and most likely are legally allowed to assume responsibility for infrastructure in the case of emergencies; the City Manager is the first that comes to mind.
This really isn't that hard to comprehend if you're older than 8 years.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
No reference? Right in the middle of the "don't" list in the City's policy is "Do NOT disclose passwords to your boss".
Here, I'll quote it for you:
Does anybody actually have a copy of that contract? I keep hearing this, and I'm wondering whether it's true, or a distortion by his lawyer, or just some oft-repeated bullshit by those that want him to be a hero.
The world's burning. Moped Jesus spotted on I50. Details at 11.
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple. You don't have to give them your password, you do have to give them a password that gives them access.
Let me provide you with a real world example:
Edward Diego should have never been given access to Shodan. Sure, a hacker gave him access, not one of the station admins, but that's quibbling. The main point is that stupid people shouldn't mess with AIs controlling space mining lasers and robots.
Good lord, I had no idea I was going to get modded into oblivion for this comment....ROLLBACK!!!ROLLBACK!!!
It is perfectly rational when that is exactly what his contract told him to do.
Ten bucks says if he gets off the case he'll have a job as an iPhone hardware tester at Apple.
APPLE EXEC: "Where's the 5G prototype?!"
CHILDS: "I will personally hand it to Mr. Jobs and only Mr. Jobs, as I can't trust the rest of you with such sensitive technology!"
Random Thoughts From A Diseased Mind (Not For Dummies)
Though hosted on a San Francisco government site, that document self-identifies as being the product of a trade organization composed of County sysadmins (and it does not list the "City and County of San Francisco" as one of the Counties whose members contributed.) Indeed, "San Francisco" doesn't appear in the document at all.
Can you also post a link to a place on the site where the city says they adopted this document as their policy?
(Also the quoted text doesn't support the allegation that the password was only to be "disclosed to the mayor in a secure setting". "Mayor" doesn't appear in the document, and "chief" only appears as part of "chief information security officer", not "chief executive".)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
That's not the point... a FELONY for kicking a door? What's next, going to jail for littering? /me thinks it's a little excessive
(oh, and I'm posting with my ID, not as AC)
I've got better things to do tonight than die.
The important point is that he was asked to give up that information after he was fired.
Incorrect. Please read the case history before repeating misinformation.
I think, what most lay people don't understand is that the rule: 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins
No kidding; every time I get a user who starts saying "do you need my password? It's Fluf-", I start plugging my ears and loudly saying "NO NO NO NO NO". Once they stop, I explain: 1) never share your password 2) when it is absolutely truly necessary, like life or death, never say it out loud unless you're in a cone of silence, watch the person you shared it with, and change your password immediately after they're done. 3) I don't ever want to know your passwords, ever.
The moment Childs was threatened with jail by a credible governmental threat, then he should have surrendered the passwords.
Dude is a hardhead.
This guy took over this system because he felt entitled and a sense of ownership. He created a little fiefdom which grew in power as the department was gutted due to budget cuts.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case
Then he got all uppity because someone else was auditing the network, oh someone of higher rank than he was. And then he threatened that supervisor into running away from him and hiding in their office.
It sounds like he was full of himself, the hard work he had done and felt like he should have all the power over it.
http://www.cio.com.au/article/253823/why_san_francisco_network_admin_went_rogue
I wish I were on the jury so I could vote guilty.
Horseshit. Refusing to comply with an order when that order is illegal or against the rules that both parties operate under is definitely justified.
So it's all about CYA? That's weak, man. What if Terry was truly interested in maintaining security over the systems? What if Terry suspected his boss would plant evidence to condemn him?
I don't want to invoke Godwin's law, so I won't directly. But you do understand the implications of what you're saying, right? That as long as you're following orders and documenting that you believe it's against the rules, then you're OK, because it's the easiest way out for yourself?
Screw that. Principles are more important than CYA, and I've put my money where my mouth is on that issue on more than one occasion.
Which media?
There was a time when reporters really cared about getting stories to the public. They even attempted to elucidate some measure of "truth", using certain ethics and journalistic principles which they held dear.
Today, thanks to the concentration of media ownership in the hands of a very few corporations, and the subsequent gutting of news departments and purging of investigative journalists, the news has become little more than a collection of press releases and political hit pieces. Syndicated columnists make up a larger part of daily newspapers than ever before and local television news has become five minutes of fires and arrests wrapped around 10 minutes of network stories wrapped around 15 minutes of commercials.
Everyone is chasing the 24 hour news-free news cycle. There is no one left to report stories like this one.
You are welcome on my lawn.
It was a written policy. You can find the base document here: http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
He was just being a dick. He used the policy as an excuse but 'the mayor tried to get the passwords in a non-secure setting' is just fucking bullshit.
Following policy is not an excuse, it's the right thing to do. If the mayor tried to get the passwords with 15 unauthorized personnel within earshot, it's a non-secure setting and he should not have given it up.
The city policy expressly states that you should not give your passwords out to your boss. The only people who were to receive the passwords were those who required the passwords to fulfill their daily job duties. Childs was the only person on staff who fit that description, and as such, it was against policy to give out the passwords to anybody else (except the mayor in a secure setting).
He may well have been a dick, and he probably could have defused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
They aren't nuclear launch codes and it was the highest man on the totem pole.
There very well could have been legal ramifications for handing out those passwords to unauthorized personnel. That includes his bosses.
I've got a news flash for you - in 12 days, management that doesn't know shit about networks can really fuck things up bad if they are allowed to mess with it. They were the last people he should have been giving access to, and anybody who actually works with this equipment knows that.
Imagine what would have happened if he had immediately turned over the passwords, management started mucking about, and they accidentally shut down half the network? You know what would happen then? This guy would have been fired for violating City policy, and possibly held legally responsible for the costs incurred. God forbid anybody should die in the process, then he's really fucked.
The fact is, from what I can tell anyway, Childs did the responsible thing but his bosses went on a fricking power trip and had him thrown in jail without ever following the proper procedure for any of this. The assholes here are the management, even if the guy is a dick.
Admins should just run the country rather than doing their jobs as they're told.
Just want to point out that this guy is on trial precisely because he was doing his job as he was told.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Do you really want to go down the rabbit hole of advocating that a company has the legal right to enter a person's memory to retrieve/remove their "intellectual property"? Because if so, please go find some other universe and don't come back.
Well, when someone at a C-level asks the IT admin person for some password there are really three choices:
Those are pretty much the choices. There is no #4 where you get to "do the right thing" and walk away a free man. The fact that he had already left the organization meant his real responsibility was over. Trying to "save the organization from itself" almost never gets you anywhere and carries huge risks. Terry is about to experience the result of these huge risks.
My guess is the jury takes about 10 minutes to return a guilty verdict.
This keeps cropping up in this thread, and I don't know why. The policy is online, and does not contain the word "Mayor", or the phrase "designated agent", or any of the many other things that are supposedly in it. So he did not follow policy in this respect.
What is in the policy is the actual policy for system level passwords, and the enable password for network kit is definitely a system level password. It states:
"All production system-level passwords must be part of the security administered global password management database."
Simple, clear, and Childs was definitely in breach of it: only he had these enable passwords, and he did not put them in the database.
For him to argue that the rules for personal passwords applied to system-level passwords and take it to ridiculous extremes - well, this was always bound to end in tears.
Under the very same anti-hacker law that Childs is being tried for breaking, had he given the passwords to the wrong people after his termination he could be held criminally responsible.
In other words, you don't give the keys over to the janitor when you are terminated, you give the keys over to the authorized representative. If he is in a situation where he doesn't know exactly who is authorized, then the right thing to do is to hang on to them until he knows that the person he is giving access to really is supposed to have access. You can get yourself in an assload of trouble for not doing this. To get in an assload of trouble even if you do it puts IT administrators between a rock and a hard place.
Once an authorized representative requested the passwords, he gave them to him. The mayor was almost certainly higher than necessary to get this done, but he may have been the only person Childs knew for a fact was authorized and whose identity he could also verify.
These were passwords to Cisco routers and switches. He didn't lock anybody out, nobody else was ever authorized access in the first place! The first article to come out about this case said Childs changed everyone else's password and only granted himself access. That's patently absurd - the Cisco equipment they were using only takes two passwords - one to get into the router/switch, and one to make configuration changes. That's it. There are no other passwords to change, and he kept them the same across the entire network. Because there are no other passwords to change, it is absolutely critical that only those who need to know the password know the password. According to company policy, nobody else needed to know the passwords, since he was the only one who worked on the equipment, and therefore nobody else was authorized to know the passwords. The city policy expressly forbids giving the passwords to your boss if your boss is not already authorized to know them.
The way it sounds to me like it happened was something like this: Childs's bosses wanted the passwords because they did not trust him having sole possession of the passwords. He refused to give them the passwords because they were not authorized to know the passwords. At this point, instead of calling up someone who was authorized to receive the passwords (the CISO, according to city policy) and having Childs give them the passwords, they held a big meeting - including a teleconference - and demanded he give up the passwords or they would fire him. They may have done this because Childs was being a dick about the whole situation, but the fact is even if there was an authorized individual he could give the passwords to at this meeting, he couldn't share because there were unauthorized people present. At this point, they fired him, and when he refused to give the passwords up (because the people asking were still not authorized) they had him arrested under California's anti-hacking laws. They drummed up all sorts of nonsense charges, but the only thing that had any chance of sticking was the password issue, and even then it took a year and a half to build the case. In any case, as soon as he was able to give the passwords to an authorized individual - and only an authorized individual - he readily gave them up.
It's worth noting that things were running smoothly until the guy's bosses were finally able to access the system, at which point things started to break because they didn't know what the hell they were doing.
Kinda makes you think the policy was there for a reason, huh?
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
You handle it gracefully and politely, while covering your ass. You point out that the current policy says you'll get fired for just giving out the passwords - so you ask your boss for some guidance on how to resolve the situation properly - their need for access and your concern about policy (or whatever). You work together... not against each other with policy as a hammer.
There is only one rule, The Golden one (He that has the Gold makes the rules; not the do unto others one), and after more than 20 years as a lawyer I think he holds the system in contempt as well, after being a True Believer, ultra straight edged, right wing, NRA/RNC boyscout for most of his life.
Nope, he need merely say "evil hacker", blow a lot of smoke, and the jury will convict.
(which btw, people further up the food chain, including the highest ranking person there, told him to ignore in this case)
The highest ranking person there doesn't mean shit if the highest ranking person there isn't authorized by the city to make such a decision.
What happens if you give the passwords to someone who, according to the IT Security policy which you had to sign a binding legal agreement to uphold, is not authorized to have the password and it leaks out, putting the entire infrastructure at risk?
What then? That's pretty much exactly what happened here. The people who were telling him to ignore the policy did not have the authority to tell him to ignore policy - it was binding on them too!
I'll tell you what happens if he gives the passwords to people he shouldn't. In the case of a private entity, not only can you be fired (and rightly so), but if your actions led to the leaking of information that must be kept secret by federal privacy guidelines then you can be held criminally and civilly liable as well. In the case of a government entity, it's almost a certainty that you can be held criminally liable. This system absolutely had sensitive data on it, and it was part of his job to make sure it did not get out.
So what the hell are you supposed to do? Give up the passwords in spite of security policy and go to jail when stuff breaks or private data leaks, or refuse to give up the passwords and go to jail anyway? What the fuck, man? I'll admit, it sounds like Childs was being a dick about the whole situation, and had he been more diplomatic he could have defused the whole thing early on, but what if it's your bosses being dicks, and nothing you do to try to do things the right way works? I've seen office politics, and some people know how to stir up a shit storm in a hurry to get rid of someone they don't like.
In any case, nobody should lose two years of their life for no better reason than they were being a bit of a dick at work.
There are REALLY simple ways to handle these solutions.
You're right, and they were laid down in policy format, and his bosses didn't follow them.
When are admins going to realize they are nothing more than computer janitors?
That's funny, they get paid a hell of a lot more than janitors do.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Imagine that you're a general contractor, doing home improvement work for Bob, and you hire a locksmith to install locks. When they finish the job, they refuse to give the keys to you, and only to Bob, because they're worried that you might make your own copies before you give them to Bob. Do you have them arrested and thrown into jail, or do you just have Bob get the key from them?
How about the same situation, but now you're Bob. You come home, your general contractor is out to lunch, and the locksmith has just finished up, but he doesn't actually know you, just the general contractor and so he won't give you the keys? Once again, do you treat this as a criminal situation, or do you just call your contractor and have him sort it out with the locksmith?
Once again, same situation, but now you're the locksmith. You've just finished up. Neither the contractor nor Bob is around, but Bob's ex-wife arrives. You've met her before, so you know who she is. She seems to be free to come and go when she comes by shuttling their child back and forth. She was even in charge of the renovation project, even picking out the new doors and door handles you've just installed locks in. However, you've never actually seen her there when Bob wasn't home, and you don't know if she's actually supposed to have her own key. She insists that you give her the key. Company policy says that you're only supposed to give the key to the homeowner, and she doesn't seem to quite fit that definition. So, you insist that you'll give the key to Bob and he can make her a copy. So, she calls the police and has you arrested and thrown in jail. Then Bob comes to your cell and you give him the key as you said you would. Then you get held over for trial with bail set ridiculously high even though you're not a flight risk, on the justification that you could break into Bob's house even though the locks have been changed again. Let's face it, of course you could break in, you're a locksmith, but what have you done that makes anyone think you'd be likely to?
I wish I were on the jury so I could vote guilty.
Is this the kind of justice you have down under? All it takes is just one guy writing a story based on one long email that he received from an anonymous source, and you're ready to hang the defendant despite the fact that you haven't heard anything from his side yet. Wow!
No, I did not. The poster said "for kicking a door". That leaves out a considerable amount of context. She wasn't kicking just ANY door, it was a door into a federal office building.
Wow, you are amazing. What the poster wrote was, "My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area,"
As in she kicked a jammed door that she had every right to pass through.
Sham debate tactic indeed, in your self-confident arrogance you couldn't have done a better job of demonstrating your point if you had tried.
Why should an employee get to kick in the door to a federal office building? The proper course of action is to call the maintenance people and report the door, not blast through it yourself.
Nobody is permitted to think or act for themselves. Exactly the kind of people we want working for the government. As the man also wrote, and which you also left out of your version of the 'context' was that absolutely no damage was done. Even more context you left out - the law is about damaging federal property not simply applying a bit of percussive maintenance.
When information is power, privacy is freedom.
County policy document
Section 4.1, page 32.
"All production system-level passwords must be part of the security administered global password management database."
I'm a smoker and outside the main city areas of Australia most people would consider throwing a butt out of the window tantamount to arson. In other places it may not be as serious but IMHO the selfish pigs that keep their own car clean by littering public highways should be put to work cleaning it up. I think 1km of highway per butt seems fair.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
He may well have been a dick, and he probably could have defused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
True. But it does mean that I and many others like me aren't going to get all up in arms about it, because most people don't feel sorry for dicks.