Slashdot Mirror
Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
They didn't "allow this person to get complete control of essentially EVERYTHING", they paid him to do it and not tell anyone the password except the mayor.
Technically, he should get a bonus instead of boned
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
> No, I haven't read the links or anything else. But it needs to be said.
Yes, ignorance always leads to well-reason opinions.
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
The fact that the case has dragged on this long and that some of the charges have already been dropped seem to highlight the fact that there is some doubt as to whether or not he actually broke the law.
The written policy was that he only gave the passwords to the mayor in a secure setting.
People besides the mayor tried to get the passwords.
The mayor tried to get the passwords in a non-secure setting.
They grossly over-reacted and were probably trying to violate their own written policies.
If they can force you to violate policies or go to jail for up to 5 years, then you don't want to be in that job since the penalty for violating written policies may be just as draconian.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
It's true! Hence why flat earth theory, a geocentric universe, phlogiston theory, and about 90% of the stuff Aristotle wrote about medicine have all retained their relevancy and veracity after all of these years.
"He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus"
The city's property? Who the hell is "The city"? Did "The city" appeared and he refused to give the passwords to him (or is it her?)? Or are you implying that since it was "the city's property" he should give the passwords to any citizen that would happen to ask for? Because as soon as he was asked for the passwords by the proper person (the major) at the proper environment (face to face with him without unknown people at sight) he indeed promptly passed them out.
"then IT Managers will be able to hold sway with the passwords."
You can bet no IT Manager would tell the passwords to the janitor no matter how much "the company's janitor" it is.
I think, what most lay people don't understand is that the rule: 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins, particularly those in charge of large networks. If he just handed out passwords insecurely, that would cause more damage than Childs locking down the network for a brief duration. I'm inclined to believe that he was acting in the good faith of his job, particularly because he was willing to be arrested over being fired/becoming redundant. I seriously hope he's cleared, because he performed his job to the letter.
I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.
This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Who owns those systems? Not his boss -- the City does. And the City did not give his boss authority to get the passwords directly from him. The City established a set of rules for transferring the passwords, and his boss tried to circumvent those rules.
This guy's boss was not acting within the rules established for him to act as a proxy for the City (if we're going to follow your ownership logic). So who's acting responsibly... the guy who chose to follow the rules despite the risk of adverse personal impact? Or the guy who wanted to ride roughshod over the rules in the interest of expediency?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Being judged by twelve random people is as close to 'objective' as possible. I can only imagine the systemic biases that would arise from 'professional' juries, or 'expert technical' juries. Would you want a FOSS defendant judged by a jury from MS or Apple? Vice versa? Or as you seem to allude to, a world of bench rulings like the dark ages? Or a world where lawyers bid for the good opinion of a jury comprised of other lawyers? Disgusting. I'm immensely glad to have the right to be judged by average people, not because I harbor any romantic notion of them (they tend to be dolts), but because the alternatives are far worse.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Just that simple, huh? So let's say the Dean for Admissions demands you give him the organization-wide root or domain admin password. Will you? What if it's the dean for admissions, two members of the board of trustees, the chief of campus police, and a computer lab tech from the biology department, and all want you to give the password to the lab tech?
If the policy states you shall not give the password to anybody but the CIO, and all of these "designated agents" come to you and demand the password... are you going to give it to them?
Let's say you quit your job, and three days afterward they call you asking for the passwords. How do you know if the policy changed? Maybe the CIO was fired. How do you know these are still the "designated agents"?
These are the types of problems that arrise from this prosecution. The law gives organizational policy the force of law, without realizing its limitations. So before you tell us to "shut up", you might want to think about the ramifications of that first.
Ten bucks says if he gets off the case he'll have a job as an iPhone hardware tester at Apple.
APPLE EXEC: "Where's the 5G prototype?!"
CHILDS: "I will personally hand it to Mr. Jobs and only Mr. Jobs only, as I can't trust the rest of you with such sensitive technology!"
Random Thoughts From A Diseased Mind (Not For Dummies)
The important point is that he was asked to give up that information after he was fired.
Incorrect. Please read the case history before repeating misinformation.
Horseshit. Refusing to comply with an order when that order is illegal or against the rules that both parties operate under is definitely justified.
So it's all about CYA? That's weak, man. What if Terry was truly interested in maintaining security over the systems? What if Terry suspected his boss would plant evidence to condemn him?
I don't want to invoke Godwin's law, so I won't directly. But you do understand the implications of what you're saying, right? That as long as you're following orders and documenting that you believe it's against the rules, then you're OK, because it's the easiest way out for yourself?
Screw that. Principles are more important than CYA, and I've put my money where my mouth is on that issue on more than one occasion.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Under the very same anti-hacker law that Childs is being tried for breaking, had he given the passwords to the wrong people after his termination he could be held criminally responsible.
In other words, you don't give the keys over to the janitor when you are terminated, you give the keys over to the authorized representative. If he is in a situation where he doesn't know exactly who is authorized, then the right thing to do is to hang on to them until he knows that the person he is giving access to really is supposed to have access. You can get yourself in an assload of trouble for not doing this. To get in an assload of trouble even if you do it puts IT administrators between a rock and a hard place.
Once an authorized representative requested the passwords, he gave them to him. The mayor was almost certainly higher than necessary to get this done, but he may have been the only person Childs knew for a fact was authorized and could and whom he could also verify the identity.
These were passwords to Cisco routers and switches. He didn't lock anybody out, nobody else was ever authorized access in the first place! The first article to come out about this case said Childs changed everyone else's password and only granted himself access. That's patently absurd - the Cisco equipment they were using only takes two passwords - one to get into the router/switch, and one to make configuration changes. That's it. There are no other passwords to change, and he kept them the same accross the entire network. Because there are no other passwords to change, it is absolutely critical that only those who need to know the password know the password. According to company policy, nobody else needed to know the passwords, since he was the only one who worked on the equipment, and therefore nobody else was authorized to know the passwords. The city policy expressly forbids giving the passwords to your boss if your boss is not already authorized to know them.
The way it sounds to me like it happened was something like this: Childs's bosses wanted the passwords because they did not trust him having sole possesion of the passwords. He refused to give them the passwords because they were not authorized to know the passwords. At this point, instead of calling up someone who was authorized to receive the passwords (the CISO, according to city policy) and having Childs give them the passwords, they held a big meeting - including a teleconference - and demanded he give up the passwords or they would fire him. They may have done this because Childs was being a dick about the whole situation, but the fact is even if there was an authorized individual he could give the passwords to at this meeting, he couldn't share because there were unauthorized people present. At this point, they fired him, and when he refused to give the passwords up (because the people asking were still not authorized) they had him arrested under California's anti-hacking laws. They drummed up all sorts of nonsense charges, but the only thing that had any chance of sticking was the password issue, and even then it took a year and a half to build the case. In any case, as soon as he was able to give the passwords to an authorized individual - and only an authorized individual - he readily gave them up.
It's worth noting that things were running smoothly until the guy's bosses were finally able to access the system, at which point things started to break because they didn't know what the hell they were doing.
Kinda makes you think the policy was there for a reason, huh?
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Imagine that you're a general contractor, doing home improvement work for Bob and you hire a locksmith to install locks. Whey they finish the job, they refuse to give the keys to you, and only to Bob, because they're worried that you might make your own copies before you give them to Bob? Do you have them arrested and thrown into jail, or do you just have Bob get the key from them?
How about the same situation, but now you're Bob. You come home, your general contractor is out to lunch, and the locksmith has just finished up, but he doesn't actually know you, just the general contractor and so he won't give you the keys? Once again, do you treat this as a criminal situation, or do you just call your contractor and have him sort it out with the locksmith?
Once again, same situation, but now you're the locksmith. You've just finished up. Neither the contractor, nor Bob is around, but Bobs ex-wife arrives. You've met her before, so you know who she is. She seems to be free to come and go when she comes by shuttling their child back and forth. She even was even in charge of the renovation project, even picking out the new doors and doorhandles you've just installed locks in. However you've never actually seen her there when Bob wasn't home and you don't know if she's actually supposed to have her own key. She insists that you give her the key. Company policy says that you're only supposed to give the key to the homeowner, and she doesn't seem to quite fit that definition. So, you insist that you'll give the key to Bob and he can make her a copy. So, she calls the police and has you arrested and thrown in jail. Then Bob comes to your cell and you give him the key as you said you would. Then you get held over for trial with bail set ridiculously high even though you're not a flight risk, on the justification that you could break into Bob's house even though the locks have been changed again. Let's face it, of course you could break in, you're a locksmith, but what have you done that makes anyone think you'd be likely to?