Terry Childs Found Guilty
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
Cause they seem to think it's cool to fuck over the administrator protecting them.
he is a sysadmin that refused to disclose passwords to an office which had the prudence to disclose ALL of those LIVE passwords and usernames as evidence in a public court ... exposing personal information of millions of citizens in public databases ...
i doubt that randomly selected array of 20-30 americans would be able to understand how insanely stupid this is.
Read radical news here
Remind me never to do the right thing ever again.
It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.
Learn to spell, asshat.
"Jerk" is right. The guy got what was coming to him. To all the sysadmins with a similar "god complex" out there, let this be a lesson to you. You do not own the systems. You are an employee. You answer to someone, and if they demand something you either do it or quit. End of story.
every sysadmin should get a year's salary and a month's paid vacation every time he has to give a phb the root password
Remember that juries are made up of the twelve people who weren't smart enough to get out of jury duty.
What this really all comes down to is that once a company fires you or lets you go you are still obligated to that company.
I don't care if it's a government organization or a corporation as far as I'm concerned once they let you go there should be no more ties to anyone from either side.
I guess it's true...the shackles don't come off even if they put you back in the general population.
"Bah!" - Dogbert
The lesson here is to do whatever your boss says, even if it is incredibly stupid and will make your job entirely unmanageable...
Well, I would have to agree that my 'inner security geek' would have had to swallow really hard a few times before stating production passwords over a teleconference with unknown people. Hell, I would expect to be fired just for doing that.
Damned if you do, damned if you don't. Sometimes you just have to suck it up and go look for another job. The sad part is that Terry was probably just a conscientious civil servant, and the boss was a know-nothing political appointee. Terry had probably seen more than a few of these appointed ass-hats come and go, and figured this was just another little tempest that would blow over.
Poor guy
Wherever You Go, There You Are
I couldn't find anything that is, definitionally, "computer tampering" through a judicious use of Google.
A jury consists of twelve persons chosen to decide who has the better lawyer. - Robert Frost
Fuck off. He followed the fucking city policy, maybe he was a jerk about it, but that doesn't make you right about him.
Even if he was right. Which let's be realistic here, he wasn't. But right or wrong, he made the city look dumb, he was going to lose either way. What kind of court system would set a precedent that the city was wrong for asking for something it owned? He should have just given the codes, and gone on with his life. Was it worth it? Not really.
Sounds like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?
am i missing something? I thought the US Government had the ability to crack passwords... is this only high level government? wasn't there an article on here about the US Customs using PS3s to crack laptops open...
If this is in regard to "just deserts," then there is no misspelling.
http://www.phrases.org.uk/meanings/just-deserts.html
Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.
He should be commended, not disgraced.
Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.
Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).
The charges and the character assassination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.
The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
Is there an "irrelevant california douchebag" tag we can apply to stories?
I want to delete my account but Slashdot doesn't allow it.
Yes following the rules to the detriment of the entire company/city while it may be satisfying will get you a felony count and I hope a stiff fine. It's nice to be able to follow the rules, but once your (corporate superior entity) requires you to do something even if it is against company policy you do it. Your (corporate superior entity) made the policy after all. While you and several like thinkers may believe you to be insightful you are missing the point about what point following the rules becomes a felony. He got off easy.
Why bother
He was given the option to hand over the passwords and walk away or face jail time. He could have handed everything over (even though it violated a contract) and it would all be forgotten. Through some misguided sense of morals or utter stupidity he chose to let it go to trial.
Don't kid yourselves for one second, juries are stacked with wishy washy room temp IQ dullards who are easily swayed on emotional opinions. Do you think this jury had any clue what a password file or network topology was? He was portrayed as a rogue agent against the goody two shoes city and they fell for it.
Only the State obtains its revenue by coercion. - Murray Rothbard
Well then, hooray for petty passive-aggressiveness! We should all seek to be more like that.
Best way to save yourself is to use "fuckyou" or "ihavenoidea" as the main password.
-"Terry for the 50th time: what is the password?"
-"fuckyou"
-"officer, arrest him."
Views expressed do not necessarily reflect those of the author.
Look. I know IT doesn't have a union. And I wouldn't want one as a programmer and sysadmin based on everything I've ever seen about a union. But this is the time to speak out through actions.
Any IT professional of any competence, and with any amount of self respect needs to refuse to do business with ANYONE who services the city of SF--directly or indirectly. I will be, and will indicate as much explicitly to anyone acting for or on behalf of the city--directly or indirectly that until a full pardon and compensation is paid to Childs, and the relevant individuals are removed from office for corruption, I will not provide any professional services.
If the relevant DA or mayor retires or resigns without reprimand and appropriate court sanctions, I will *never* provide such services.
Yes, I know many people say Childs acted unprofessionally--that's not the point. By refusing to provide the passwords, it would have been arguably justifiable to fire him. He was arrested for refusing to provide passwords after he was already fired--not his problem any more. Had they arrested him before firing him there *might* have been an argument.
I refuse to work for any organization that supports this. And I hope that the members of /. refuse to as well, unless or until the city releases far more compelling evidence of destructive intent than has come to light thus far.
Of course, it's easier for me to say as I'm two states east...but I've a client or two out there.
Dude, stop posting my internet banking passwords online!!!
Science advances one funeral at a time- Max Planck
Are we getting too hung up on the password issue? Was his refusal to divulge the passwords what he's being found guilty of?
Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person. If the city allowed Childs to hold all the keys, they're pretty stupid. If they had a policy prohibiting that, I could understand why violating it could get you jail time.
What doesn't kill you only delays the inevitable
I wonder how the guys who took over Terry's job feel now. I'd be looking for alternative employment at this point -> like maybe a ditch digger or something that just might not get you pooched by the judicial system.
Talk about setting a dangerous precedent.
It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.
Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yep. He had a duty to perform to his employer's wishes, and he failed. He knew what it meant and he did it anyway. He wasn't just an average guy that stumbled into an unguarded Big Red Button. He was a sysadmin with full understanding of how he was about to screw up the works. Nail him.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
Not just for IT folks, but for anybody above the level of janitor with any kind of decision making responsibility.
For justice, we must go to Don Corleone
This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.
There's a simple lesson here: don't put policy over what the police tell you to do. Yes, the police may be wrong (and probably are), but that's not your problem. Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile; it's like trying to fight against corruption in the Mexican government (our governments are just as corrupt as each other; the only difference is that Mexican citizens have no illusions about their government and police being anything but corrupt, unlike Americans).
Another simple lesson here: don't work in IT for a city or state government. There's plenty of private-sector jobs out there that pay at least as much, and the worst that can happen to you is you get fired, rather than going to pound-me-in-the-ass prison for 5 years.
The guy, from what I have read, is not the most pleasant person in the world. However, again from what I have read, he was doing his job (even after being fired), and is being convicted of a crime for doing so (in a scenario where he was liable to prosecution for acting otherwise). What are the IT grunts in America going to do about this?
This would be cheaper than prison
Instead, California's budget crisis is going to get even worse with him in prison. I'm looking forward to the government there completely collapsing due to insolvency.
I hope I never have to live in a world where people always do that. I'm quite sure I don't want to see what happens when people do what they're told to do by a superior without regard to laws or morals.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Apparently it cost the city 200,000 dollars they wouldn't have had to spend. He caused a trial that cost more money. I'd say he did quite a lot of damage to the city and I call that detrimental.
Yes a city works slightly differently than a corp. Not much at his level.
Why bother
Yeah obviously having the opinion that he acted stupidly gets you called a troll. Go figure
Why bother
I know it's a difficult concept for socially awkward nerds to understand, but people don't like know-it-all jerks. In the real world, where things aren't black and white or one and zero, it doesn't matter what the law says. It's one of those unspoken rules of social engagement that Terry Childs unfortunately never learned that lesson. It's why charismatic people are able to bend the rules.
That doesn't mean I agree with the verdict.
-"Terry for the 50th time: what is the password?"
-"fuckyou"
Unfortunately that may be how the conversation actually went, but without the joke. I would like to think that in a situation like that most people would say something like: "I want to help, I really do, but if I may please explain, there is a policy..."
However real people under real stress can behave in less than rational ways. And, sadly, in the real world even a small single negative action can result in an avalanche of unpleasant reactions.
he deserved to be fired, not go to jail. His refusal to hand-over passwords was certainly grounds for firing but it's not clear he broke the law. To a certain extent he is a victim of his own arrogance but also of the ignorance of everyone surrounding him. Maybe he was right? Maybe they all are idiots and he was better off not trusting them? In any case his obligation ended when he was fired.
I noticed your sig.
Have you noticed that all of twitter's sockpuppet accounts have suddenly gone dead.
Do you think our beloved troll died?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I'm posting anonymously, but I remember some of the folks were really spooked that he'd deleted images off devices and wiped configs so that if they were rebooted, they would no longer pass ANY traffic. The city called us to see if there was a way to recover passwords without rebooting the boxes. A tampering conviction fits.
Slandering the jury is totally appropriate. It's part of the system. They made a bad call. They made a ridiculously bad call. They made a howlingly, ridiculously bad call. Morons, one and all.
Part of the loveliness of living in this country is that I now get to stand up and sing out like Monty Python that twelve mouth-breathing baboons -- no offense to the ACTUAL baboons in their red-butted glory, mind you -- twelve pin-headed boot-licking idiots just sent a man to prison for poor social skills.
And it is entirely appropriate that the denizens of this board call them on it.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
To Terry Childs,
When you finish your sentence, I will have a position waiting for you as an administrator of our large company network. Your devotion to network security, network policy, and willingness to defend them at all costs are a valuable commodity. My company and I would be very happy to employ you in a senior technical position. I can find network experts all over the internet, but it is much harder to find those that would defend their network at risk to their own liberty. I applaud you Mr. Childs.
Remember that juries are made up of the twelve people who weren't smart enough to get out of jury duty.
The american jury is middle age, middle class, small-C conservative.
Mature. Responsible. Committed.
Men and women have chosen to live up to an ideal they have taught their kids.
They are as smart, tough, resilient and dangerous an adversary as you will ever have to face. Play them as fools and they will pound your sorry ass into the marble flooring.
That's pretty much untrue. Most of the regulations in running the business of the city are made by unelected employees. Same thing at the state and federal levels. Elected officials may make statute, but I'd be interested in seeing the statute that lays out the policies of IT operations. It just doesn't happen.
Sounds like being trapped between Not Following Orders and Only Following Orders to me.
Borr: Commissioner, I have the sole operative remaining alive from the Bureau at the time of the experiments on Bucol Two.
Servalan: Who is he?
Borr: His name is Ardus, and he's an ex-officer of the Bureau.
Servalan: Put him on the fastest scout ship available and send him here. No flight plan is to be filed.
Borr: That's against Bureau standing orders, Commissioner.
Servalan: Who do you think wrote those orders, Borr? I did. So do as I say, and do it *now*.
Borr: At once, Commissioner Sleer.
[Ardus's scout ship docks with Servalan's ship. Ardus is interviewed and betrays his recognition of Commissioner Sleer's voice as Servalan's, then disavows it. Afterwards, Servalan contacts Borr again.]
Borr: Commissioner Sleer, is everything satisfactory?
Servalan: When you dispatched Ardus here to me, did his pilot file a flight plan?
Borr: No Commissioner. Everything was as you instructed.
Servalan: They never arrived here Borr.
Borr: But they must have done!
Servalan: I suggest you make sure that your connection with their disappearance is never discovered. Without any records to back you up, it might be hard to explain.
Borr: There's... no cause for concern, Commissioner. I was... very discreet.
Servalan: I hope so. Now get me the photo print record on a scientist named Justin, a genetic engineer.
Borr: Certainly.
[Ardus's scout ship leaves and is blown up by mutoid at Captain's nod]
Servalan: I want you to work out a landing plan for this ship on Bucol Two as soon as possible.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
A lot of differing opinions being tossed around here.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at each other.
Thank you in advance for not modding me "Troll" and "Offtopic".
What this man did was act ethically, with very rare conviction. From what I can gather he was then victimized by just about every part involved due to their ignorance. I love my country, yet every day brings me closer to expatriation. I suppose living in a mad world is nothing new.
There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.
Some may work up some emotion over this, but I don't think this will really be a surprise to many people.
Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.
You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."
OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.
You: "Give me the password."
Your employee: "No."
You: "You're violating my policy - I need the password."
Your employee: "I disagree. I have my own interpretation of your policy."
You: "You're fired."
Your former employee: "Great, now I definitely won't give you the password."
You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."
Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."
Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.
Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.
Tired of Political Trolls? Opt Out!
Karma Brought to you by Friends of Terry Childs.
Why bother
HE DID GIVE THE MAYOR THE PASSWORD. Sure it was after he was arrested, but before his trial. Did I mention his bail was $5 Million dollars? Nice being able to tell the DA, throw the book at him.
Oh, no, your poor behavior has caused me to hurt my fist when I punched your face in for it. I guess I'll just have to punch some more!
The cost of prosecuting him is not to be counted against what he cost the city unless I get to charge you for hurting my fist when I punch you.
Need a Python, C++, Unix, Linux develop
Some people take the concept of sweat equity too seriously. They built the system (for a salary) and therefore assume it is theirs to do with as they please. Then they get mod points on slashdot and spread the joy.
The few times I've been modded Troll usually revolve around this kind of issue.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
Just give him Time served and let him get out now!
He can appeal as well.
I think that he should be able to find a job in tech from people who know stuff about tech.
At Idiotcorp, where I work, the password rules kept getting more and more crazy every 3 months when we had to renew them ("your password must now include 5 Cyrillic letters, an Elbonian tone-poem, 2 cave drawings" and a guitar chord) that I finally threw up my hands on total randomness and started including certain well-known curse expressions aimed at the corporate IT director, whom I held in higher contempt than the rest of the Idiotcorp douchebags directors.
It's been 2 years without repercussions (haven't been called on the carpet yet), so I guess they really do get hashed. Either that or the guys in IT feel the same way.
----------------
Now this is spooky: My captcha is "audited" (swallows hard, since he's using a different browser than the corporate-mandated virus magnet)
Ya know the stupidity of that barely deserves an answer.
No if you assault me you can't get medical damages from me.
But if you cause me to take legal action you can bet if I win (and believe me the city was going to win) then I'm going to take my legal fees out of your pocket book.
Why bother
Oh I've been a troll and got the deserved troll designation. But it looks automatic if you agree with the verdict on this one.
Why bother
They didn't have to spend the money. He did not take the computers, nor did he tamper with them. They (the city) could have simply reset the passwords and moved on. Any decision to do something else was not Childs' responsibility.
following a policy that makes no sense to the letter is being a jerk.
If you mod me down, I will become more powerful than you can imagine....
Point taken. We'd have to have access to the policies, but I would venture a guess that the law stating it is forbidden for him to give the password to his boss was in fact written by the state government. The federal government makes plenty of statutes regarding the IT laws for federal computer resources. The same is true for state governments and I'd guess local governments as well.
No if you assault me you can't get medical damages from me.
Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.
In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.
Fuck off
But if you cause me to take legal action you can bet if I win (and believe me the city was going to win) then I'm going to take my legal fees out of your pocket book.
Isn't that only possible in a civil case?
Lawyers hate to have engineering types on the jury. At least one side in nearly every case knows that they have squat and are going to try to BS the jury and play to their emotions. Engineering types tend to be more fact based and don't BS as easily.
At least use passwords that meet decent password lengths. A password of "1fuckyou&2biteme" would be more appropriate.
Which makes his bosses, and his client, the elected representatives of the city (presumably elected by the inhabitants of the city) who have hired/appointed/designated his bosses to represent them in administrative matters they are unable directly preside over themselves.
The analogy is the same...the only difference being a public interest vs. a private interest.
You're a bit harsh, but I agree with your point. He was an employee. If he had been my employee, I would have taken legal steps against him.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
You must be new here.
Do what thou wilt shall be the whole of the Law
Oh, no, your poor behavior has caused me to hurt my fist when I punched your face in for it. I guess I'll just have to punch some more!
The cost of prosecuting him is not to be counted against what he cost the city unless I get to charge you for hurting my fist when I punch you.
If you punch me because I was already attacking you, and you break your fist, you certainly CAN sue me for your medical bills. It works a bit different in a criminal trial - the government never attempts to recover the costs of your prosecution. However, that doesn't mean that the cost of the prosecution is zero, so if we're going to count all the damage he did it's certainly fair to include the legal costs.
(corporate superior entities) are not necessarily authoritative. There is no criminal law that says you have to do what your boss tells you to do, unless you're in the military. Whether or not the boss was right is irrelevant to this case I think, because he was not convicted of failing to follow orders.
What he was convicted of is odd in itself "felony computer tampering"... What particular law is this and what are the key points that must be proven to be convicted of it? This case really shouldn't have gotten beyond being a lawsuit.
Where I work, a dismissed employee refused to tell us what a password was. Legal action was threatened by the owner, who claimed it was theft: denying someone of something they owned. My father-in-law is a lawyer, and I asked him about that. He said that refusing to give your employer a password would be classified as "illegal control" (or something close to that), not "theft." Apparently, the laws would be less severe for this. In the end, we just worked around the problem.
Acts 17:28, "For in Him we live, and move, and have our being."
There is no criminal law that says you have to do what your boss tells you to do, unless you're in the military.
And then only if your military is on the winning side of the conflict. Consider WWII.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Wish I had mod points.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
We're adults here,
We are? Shiiittt... [logs off]
Yes, they did have to spend money due to his actions. TFA states they had to spend over $1 Million:
"The city has spent nearly $1 million in efforts to regain control of the network and conduct vulnerability testing".
That is an action any sane infrastructure group would take after they lost control of their network.
When the head of the security department specifically tells you to release the passwords (the folks who actually own the policy he was claiming to defend), you do as they tell you. You don't argue semantics. It is not his responsibility to judge who is skilled enough to know the passwords. It is the responsibility of his management. This talk of 'morals' and whatnot is a bit silly. If your manager asks you to kill someone (something obviously out of the scope of your manager's power to dictate and immoral) you could ignore him, report him to the police, or whatnot. If he tells you to pack your bags, or to move on to a new project, then you really have no choice. There isn't some moral decision here.
If Childs could have proven that the folks he gave these passwords to intended real harm, he might have had a case, but to prove that would be impossible without solid evidence, which he didn't have. He refused because they just weren't 'qualified' to know the passwords, in his opinion, which the court found lacking.
The only trial I was a juror on, we had some people convinced of guilt, even though a few key points did not seem to be proven. They were amazed that the rest of us did not feel the same way. At one point one juror said "this guy is an idiot, even if he's not technically guilty of this he's guilty of something!"
As I understand it, they would have lost the config stuff, and there was no back up. Big network, suddenly un-configured. Not a good day.
When you're afraid to download music illegally in your own home, then the terrorists have won!
Indeed. Too bad the mods marked you a troll. Put you in a room with a number of people who have no right to the passwords and an unknown number of people at the other end of a voice conference. Policy said who could get those passwords, and I'll bet it's not the chief of police or HR.
Correcting myself: Nearly a million. I misread TFA. Still a huge sum of money.
I'd like to see this law. The prosecution has painted it as Childs' own choice to release the passwords only to the Mayor, not in any policy or anything. That part might just be a Slashdot myth, it's not clear.
When you're afraid to download music illegally in your own home, then the terrorists have won!
You kid... I worked for a major defense contractor that used "Id0n'tknow" as an admin password.
Dare to Hope. Prepare to be Disappointed.
Amen.
Like it or not - sysadmins do not get to write the rules, no matter how right they may be. When they break them, they should suffer the consequences.
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
And which particular law states that it is a criminal act to not follow your employer's orders?
Certainly if he had equipment at home he would need to return it after being fired, or else potentially be tried for theft. But he had no city property. If he had broken into the system after leaving he could be guilty of some sort of hacking law, but he didn't do that either. All he did is not disclose some words he had memorized.
Yeah, I know how they find those numbers, having been involved in a municipal investigation. They paid a consultant *AFTER* the fact, after he had provided those passwords, to figure out how much money he had cost them. That consultant is a majority of that cost, guaranteed.
At least it wasn't "changeme". And it didn't get changed to "changeme123" after a painfully embarrassing security breach.
It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.
Your understanding was wrong. He was obligated to hand over the passwords to his supervisor when he was told to. Was a contract where he was obligated to only hand them over to the mayor presented as evidence in court? I don't think so. The fucker deserved what he got.
The soldier's choice: disobey and take a bullet from your commander now, or follow the order and stretch rope later.
> It was his opinion, nothing else.
It was his professional opinion. And he was quite right. When the fuckwits got the passwords, they published them.
He was not following California policy. In his own words:
Childs claimed he was merely following established INDUSTRY GUIDELINES for password protection.
"You do not ever give up your username and password," Childs said.
And:
Ultimately, Chilton said, Childs "didn't follow the law, which was the basic thing that it came down to."
What's that? He DIDN'T FOLLOW THE LAW. Read that again. He DIDN'T FOLLOW THE LAW.
He goes to jail and he deserves it.
Sorry I'm not very informed about this issue and the whole timeline. But I would think if they fired him before they requested the passwords then they would be assed out...
However if they requested the passwords while he was still employed he was being an idiot, however the supervisor/management should also be fired for causing such a large loss of taxpayers money for incompetence.
Plus they had access to the physical hardware. Sometimes you just gotta start all over again but I guess they wanted to make an example of him....
You do know, he gave the Mayor the passwords... So they could have easily done the password change remotely. They should have run the vulnerability test anyways, you do that any time a major component of an operations team leaves.
The bullshit is the city's position, which is exactly the opposite of the words it says:
The fact that the city was unable to do things such as prevent Childs himself from accessing the network shows that computer services were indeed disrupted, Del Rosario argued Monday.
He might be a hero to some and a fool to others, but in the end, he has to live with himself... and survive with himself. Now he will be pretty lucky to have a normal life from this point forward. Odds are, he won't. There are lots of "wrong" things going on in the world every day. If you are asked to do the wrong thing in a similar circumstance, the one best option he could have taken was to quit and walk away giving whoever wanted/needed info is needed... to a point. Personally, if I was the only one with passwords to whatever, I'd just claim not to remember them and to tell them where all the devices are so they can seek them out and reset them manually. Frankly, why they didn't just hire someone to find all of these points of access and lock them out is beyond me. He was a jerk and simply needed to be cut off.
Far too often there is this attitude of "I am always right when it comes to the computers. They are MY systems, it is MY network, I make the rules you all must follow." No, actually. You are in the business of customer service, like it or not. The computers belong to your organization. Your job is to make them do what they need to do. They are tools, nothing more or less, and you are there to help people get those tools to do the job they are needed for. You don't get to tell people how it is. You certainly can and should suggest policies and try to make things safer or better, but you aren't god, you don't get to come in and lay down the law and tell people how it's going to be. Do that and you may well be looking for work, or in extreme cases, in jail.
Do you really think your analogy is apt?
No if you assault me you can't get medical damages from me.
Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.
In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.
Hmmm... so you don't actually know what evidence was presented, but the judge is somehow "paid-off" and the jury are "retards" because you disagree with them?
That says more about you than it does about them.
Give me a break. I mentioned the topic in the post moron!
Why bother
Wow, trolling along are we.
Why bother
When you confuse all government with "the feds". Childs was charged by the state of California. One is not the other and just like the people that make them, you'll find governments differ in many ways. If you think all governments are "the feds" it shows a fairly poor understanding of our government and legal system.
The federal government has no interest in this case, it is a matter in state court as a result of his employment with a city government.
No actually in many jurisdictions you must pay for your own prosecution. Besides the idiot responder was talking about a civil case anyway.
Why bother
Well actually, in that case our legal system is implicitly advocating to shoot to kill! After all, dead people can't sue let alone take you to court.
Life is not for the lazy.
Yes let me see. He won't give us the passwords to our property after we dismissed him so we will just change all the ... oops.
Why bother
Actually yes it is apt. A bit morbid and over the top but a good analogy none the less.
Why bother
irrelevant how it was determined. If you don't want to pay stupid inflated damages don't fuck up.
Why bother
Is to perhaps not be knee jerk about what "the right thing," is. Don't presume you know better than everyone, don't presume you are the one with whom the buck should stop and so on. You need to be able to look at the bigger picture. While you might think "the right thing," is for you and only you to have access to the systems because you feel you are the only one smart enough to handle it properly, well consider two things:
1) What happens if you are rendered unavailable? You could die, become incapacitated, whatever. What happens then if you are the only one who has the keys to get in? All of a sudden "the right thing" turned into a rather large disaster.
2) Consider that maybe you aren't as smart as you think you are, or perhaps that everyone else isn't as dumb as you think they are. Perhaps your boss is perfectly capable of having the password as a backup and not using it to cause any trouble. You might not think he's smart enough, but maybe you aren't evaluating the situation fairly.
Also just remember that your job in IT is customer service, even if you never deal with customers. Your job is to help make computers do what people want them to. They are tools to reach some goal, and you are someone who helps that happen. Part of that means doing what your customers (which are usually your coworkers) want. That doesn't mean giving them everything, but it does mean not being a stone wall that just refuses to do something. Work with people, try to persuade rather than intimidate and so on.
Finally, when it comes down to it, they aren't your systems, they are the organization's systems and if they want to fuck it up, that's their thing. Argue against it, document your objections, but if that's what they want, let them do it. It isn't your place to stop it.
can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
Fuck, no.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile
You know, saying stuff like this is an insult to people who live in / come from places where the government and police *are* truly corrupt. I once worked with a guy from Brazil who was happy when he went through a police roadcheck because it reminded him he wasn't in Brazil. In Brazil he would have had to have paid a bribe to the police, been detained hours, or risked being pulled from his car and beaten. Here it was a few questions and 'have a nice night, sir' - And he was an olive-skinned guy driving a new Nissan. In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to. In many parts of the world they'll kick your door in without asking, trash your house, and rape your daughter for good measure.
I dunno, it seems pretty obvious that he would have been shafted just as hard had he turned over the passwords to an unknowable number of unauthorized people and anything unpleasant had happened to the network. Especially since it's a government. It seems likely that a violation of the security policy, if that can be made to seem like it's connected to an actual problem, would lead to the same results for Childs.
He was damned if he did and damned if he didn't. At least this way he gets to have been the good guy who stood up for something, instead of the pragmatist whose caving to convenience got him fired and put in prison.
Obviously, there's no certainty that it would have turned ugly, but it wasn't a foregone conclusion that it would turn ugly this way, either.
Guy got fucked, and probably would have anyway.
ivan
Like to brew? Want to talk about it? Brattlebrew: groups.yahoo.com/group/brattlebrew
Supply name, rank, and serial # only. Plead the 5th and ask for a lawyer. This is why: Don't Talk to Police
Camping on quad since 1996.
"All production system-level passwords must be part of the security administered global password management database."
I know absolutely nothing about the San Francisco network. But I find it interesting that Childs said, "These idiots can't be trusted with the passwords," and the second the idiots got the passwords, they published them for the world to see.
Sure enough, those idiots should not have been trusted with the passwords. Hard to fault a guy when they immediately proved him right. :-)
By the way, since this is a municipal system, here are some of the functions I've seen municipal systems handle:
1. 911 calls over VoIP.
2. Fire dispatch, as in "Building on fire here"
3. Police dispatch, as in "Crazy guy with gun over here."
4. Police data, as in "The license plate you just pulled over is driven by a violent felon."
5. Videoconferencing that connects lawyers to their clients
6. Utility billing/disconnect, as in "These people need their water/power/garbage cut off."
I could go on and on.
Wanna see your basic "evil hacker" movie play out in real life? You couldn't take over the world, but you could make some people miserable. Maybe even get a few of them killed when help doesn't arrive when it should...
Not all computer networks are about making sure Sally in accounting gets her email.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
You mean like posting an AC sock-puppet comment, Hondo? ;-)
Here's an earlier comment that discusses the city policy.
And here's a quote from the password policy of the city, which is in that link:
"Password Policy"
As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis"
"Do not share County passwords with anyone, including administrative assistants or secretaries.
All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid
-Telling your boss your password.
-Talking about a password in front of others.
-Telling your co-workers your password while on vacation."
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
As we can see from the city policy, telling your boss is already out, and talking about your password in front of others (the individuals on the other end of the phone line) is also a no-no. Terry Childs did the right thing by not giving out the passwords to anyone but the Mayor. Did Childs' boss ever get in trouble for breaching city policy? Probably not.
Best "String" Ever!
Oh, don't worry. I'm doing plenty of both today. :-)
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Rather than investigate what you've just claimed, I'm going to ask if it makes any kind of sense to have a restrictive policy on disclosing one's user level password, and expect that you'll just turn over a system level password to an unknown number of unknown people.
Of course he shouldn't have had sole administrative access to the network; however, it seems likely that the fastest typist among the authorized, well intentioned people hearing this information would be far outpaced by the hypothetical fastest typist among any hypothetical bad guys.
Assuming your assertion is correct, it is evidence that the people he worked for were even more incompetent to handle the network than he feared. That doesn't put him on the right side of the law, but it does make his position sound a lot more sane.
ivan
Like to brew? Want to talk about it? Brattlebrew: groups.yahoo.com/group/brattlebrew
My password policy is similar. If your mother can type it in without breaking into tears/ vomiting in disgust, it's not strong and/or gross enough.
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't reply to everything that's been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other jurors, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.
Apparently it cost the city 200,000 dollars they wouldn't have had to spend. He caused a trial that cost more money. I'd say he did quite a lot of damage to the city and I call that detrimental. Yes a city works slightly differently than a corp. Not much at his level.
Yes, but did he cause that, or did people looking for a scapegoat do that. They wanted him to break their rules ... had he broken them, he'd have been crucified. He didn't break them, and he still got crucified.
The higher the technology, the sharper that two-edged sword.
This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
Besides, taking someone with technical skills who, by the sound of it, has strong ethics and unfairly convicting him of a felony computer crime isn't particularly smart. When he gets out, he's not going to have much respect left for government, and as an ex-con probably won't be able to get legitimate work in his chosen field. Great way to turn an otherwise honest guy into a white-collar criminal.
Brilliant. Just brilliant.
The higher the technology, the sharper that two-edged sword.
The only trial I was a juror on, we had some people convinced of guilt, even though a few key points did not seem to be proven. They were amazed that the rest of us did not feel the same way. At one point one juror said "this guy is an idiot, even if he's not technically guilty of this he's guilty of something!"
All I know is, if I'm ever on trial, I'm not likely to be judged by a jury of my peers. That applies to most of us here on Slashdot.
The higher the technology, the sharper that two-edged sword.
It's a wonderful little bubble you live in where "Jerk" means that a guy should get 5 years in prison.
The Taliban has nothing on you.
A Pirate and a Puritan look the same on a balance sheet.
This is a post written by someone who has clearly never actually been to a country with corrupt police, and having been to a few myself I was quite happy to get back to Western Europe/N.A. where people don't realize just how lucky they are that bribery is something we talk about on TV not the only way to accomplish anything.
s/he should be given the guy's job, so she will have to cope with stupid managers.
Read radical news here
It's funny because I just came across the same thing a few moments ago, see? Thank you muchly, nonetheless!
When you're afraid to download music illegally in your own home, then the terrorists have won!
The police do not have the authority to force you to disclose passwords. You see, here in the US we have these things called rights.
Or execute you on the spot and then plant drugs on you, like the Thai police did during the former PM's "war on drugs." I'm sure it happens in the U.S. once in a while, but not to a thousand people in a year.
Put identity in the browser.
The police do not have the authority to force you to disclose passwords. You see, here in the US we have these things called rights.
I think Terry Childs would disagree with you. He didn't tell the police his passwords, and he went to jail for 5 years.
His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.
All true, but apparently irrelevant. He was convicted.
The main lesson from this seems clear: Don't even consider taking a job in which you're responsible for the computer security. If something goes wrong, you can go to jail. If nothing goes wrong, you can still go to jail. Specifically, if a superior orders you to violate the published security rules, and you obey, you can go to jail for not following orders; if you don't obey, you can go to jail for violating the published security rules.
The only way to win this game is to not play. If they want secure systems, let them do the security themselves.
Yeah, I know; that attitude is why we are having so many stupid computer security problems. But I also know that if the people in charge wanted the problems fixed, they'd be rewarding the people who try to do it right. This is just the latest of a long string of examples in which they punish the security people for doing the job they were hired to do. You and I can't fix this general problem. So we should stay out of the line of fire. When they finally decide to get serious about fixing the security problems, we can talk to them, and maybe help them. But only if we can get detailed contracts saying what we can and can't be punished for.
Until then, the safest approach is to not be hired as a security person.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I was speaking metaphorically. I meant criminal. And, in my opinion, it's a gross miscarriage of justice to make someone pay for their own prosecution. It's basically punishing them for not pleading guilty and trying to defend themselves. That would have the effect of causing a lot of innocent people to plead guilty.
Of course, plea bargaining already does that, and in my opinion is a strong argument against plea bargaining. They all come from the mindset that a conviction is better than justice.
Need a Python, C++, Unix, Linux develop
I agree. The government should impanel special juries comprised of Geek Squad technicians and entry-level LAMP developers just so that Slashdotters can be judged by their "peers".
During the time Childs was an employee, did the people requesting the passwords have authorization to do so?
Hey, give 'em time. Our cops and government are still learning the ropes.
What changed under Obama? Nothing Good
I'm sure it happens in the U.S. once in a while, but not to a thousand people in a year.
Maybe you should start reading Injustice Everywhere. It is thousands every year.
There's no place like
The police do not have the authority to force you to disclose passwords. You see, here in the US we have these things called rights.
I think Terry Childs would disagree with you. He didn't tell the police his passwords, and he went to jail for 5 years.
Really? dude already did his 5 years?
Hey, next time read the article before you spout whatever you want.
He's been in jail for 2 years, and his sentence is actually 2-5 years.
Most likely, he's going to get time served.
But he hasn't been in jail for 5 years, so next time learn to read.
Be seeing you...
One juror, Jason Chilton, also a network engineer, said the law Childs was accused of breaking -- knowingly disrupting computer services or denying those services to an authorized user -- is "very specific," and though no services were actually disrupted, "he denied that access."
Chilton, however, said Childs' supervisors at the Department of Technology were also to blame. He said they "did everything wrong that they possibly could," citing "ineffective management and no formalized policies and procedures" for dealing with employees in such situations.
"If the city were on trial, they'd probably be guilty of a lot of stuff too," Chilton said.
Ultimately, Chilton said, Childs "didn't follow the law, which was the basic thing that it came down to."
Telling the police the passwords wouldn't have changed anything, the deed was already done when he was arrested. And I guess we can dismiss all the Slashdot "Well, if they selected technical people for juries," arguments as well. It sounds like Childs came across as such an asshole that the jury crucified him. It would hardly be the first time that happened.
Another juror, Amy Heine, said Childs seemed both egotistical and "paranoid."
"He was intelligent enough to know what he was doing, was heading in a very dangerous direction," she said.
this article has more SF douchery. A good friend of mine was a paramedic for the city of SFO. Her ambulance was broadsided and her back was injured, and she was let go and had to fight for severance.
She knew more than one firefighter who was injured on the job and was let go with minimal compensation, and ended up homeless in the Tenderloin district.
Unless you are one of the six-figure privileged, you need to watch your back as a city of San Francisco employee...
From the San Francisco Chronicle this week:
More than 1 in 3 of San Francisco's nearly 27,000 city workers earned $100,000 or more last year - a number that has been growing steadily for the past decade.
The number of city workers paid at least $100,000 in base salary totaled 6,449 last year. When such extras as overtime are included, the number jumped to 9,487 workers, nearly eight times the number from a decade ago. And that calculation doesn't include the cost of often-generous city benefits such as health care and pensions.
The pay data obtained by The Chronicle show that many of the high earners bolstered their base pay with overtime and "other pay," a category that includes payouts for unused vacation days and extra money for working late-night shifts.
Leading 2009's $100,000 Club was the Police Department's Charles Keohane, a deputy chief who retired midyear.
His total payout was $516,118, city records show, the bulk of which came from cashing out stored-up vacation, sick days and comp time. Several other police employees who changed rank or retired also saw their annual earnings swell.
When asked how he felt about landing in the No. 1 spot, Keohane joked, "Not so good, if it's going to get my name in the paper."
The 36-year SFPD veteran, whose last assignment was head of administration, said much of that pay was taken out in taxes. "I helped reduce the deficit," he said.
The average city worker salary in San Francisco is $93,000 before benefits, according to Deputy City Controller Monique Zmuda. The data take into account everyone from park gardeners and street cleaners to attorneys and technology specialists.
Almost 100 city employees made $200,000 or more in 2009; six bumped past $300,000 when overtime and other cash-outs were included.
Muni chief's base pay
Only one city employee had a base salary topping $300,000. Nathaniel Ford, executive director of the Municipal Transportation Agency, made $332,489.
Mayor Gavin Newsom had a base salary of $250,903 in 2009, which put him 29th on the list of best-paid city employees.
The ballooning number of highly paid workers is driven by several factors, including inflation, a persistent reliance on overtime and generous contracts in a city known for its politically potent unions.
The city also negotiated a deal to give raises to some workers who agreed to pick up a portion of their pension contributions, City Controller Ben Rosenfield said. That arrangement pushed almost 2,000 city employees above the $100,000 mark in recent years, he said.
In years past, the $100,000 Club included large numbers of Muni operators, transit supervisors, firefighters, police officers and sheriff's deputies who padded their paychecks with hundreds of hours of overtime, paid out at a rate of time-and-a-half.
But a 2008 rule capped most employees' overtime to 30 percent of base pay, in effect spreading out overtime opportunities to more employees, Zmuda said. That and other efforts to curtail overtime appear to be working, with payments projected to drop to $139.8 million this fiscal year, down from $142.1 million last year and $167.7 million the year before, according to the controller's office.
In the fiscal year that ended in June 2009, city salaries accounted for $2.5 billion of the $6.6 billion budget. That does not include the cost of benefits.
Faced with a $483 million deficit heading into the new fiscal year that
Ask Me About... The 80's!
It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.
Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
I like what you're saying, but the problem is, it's bullshit.
You didn't read the case, you didn't go to the court to see the case.
Yet you're able to make assumptions based on your dislike for peeps that act like jerks.
Be seeing you...
Terry didn't make his case easy, but this trial clearly shows the problems of having a stupid jury decide the fate of someone that believes they are properly protecting their network. Given the results of this trial, no Security officer should ever be subject to firing for giving up their passwords to anyone that claims a position of superiority. It's a sad day. This problem surely could have been settled out of court if the management had a clue.
Reminds me of that Feynman story where he goes down in the middle of the night and removes one of the doors. The next day everyone is upset and they demand people swear that they did not do it. So it goes around the room:
Person 1: "I swear I did not remove the door." ... and so on. Then it gets to Feynman:
Person 2: "I swear I did not remove the door."
Feynman: "Yeah, *I* took the door."
Upset Dude: "Oh, stop kidding around Feynman. Next!"
Person n: "I swear I did not remove the door."
His point was that afterward, even though he did admit to taking it, at the time they dismissed it as him not being serious and all they ultimately remembered was everybody denying taking the door.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I agree. The government should impanel special juries comprised of Geek Squad technicians and entry-level LAMP developers just so that Slashdotters can be judged by their "peers".
Hahaha... mod this guy up. You gotta admit, that was good.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Well, given the example of WW2 (which implies we're talking about German soldiers who were complicit in the Holocaust), I certainly would hope that in a similar situation, I would have the courage to risk an immediate bullet. More to the point, when you are commanded to do something that heinous, I don't consider it too unreasonable to say that someone should be willing to fight it at all costs.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
I'm pretty convinced this is all because he stood up to the new security girl that was snooping about with no authority or policy and made her cry. I think he was expected to just quit and make room as other people in that office did.
Once you get a stupid ambush meeting like the one they dragged Terry Childs into you just can't win, all you can do is give up and minimise the damage because there is no way you will be working there anymore.
Boycott San Francisco now! What a horrible violation of civil rights. All Arizonans should be aghast at this.
Regards,
Jason
I have also included messages about IT competence in passwords, with the same thought (that to call me on it would be to admit to storing their passwords in plaintext and then reading them, so it's not going to happen even if they are). The password in that case was just for a certain FTP server, not logon or source vaults. The thing that really pissed me off was that I repeatedly input perfectly reasonable passwords, which were then rejected with no explanation of what the fucked-up password policy actually was.
This is what I believe is even more disturbing than the conviction. The point deserves repeating:
"The jury deliberated for several days before a lone holdout against conviction was removed from the panel, for reasons that were not disclosed. After an alternate was put in that juror's place, the panel started over and reached a decision in a matter of hours."
So when the government discovers a juror who's convinced of your innocence, they can and will simply replace them.
This turns "12 Angry Men" from a compelling 90-minute drama into a sick 60-second comedy sketch.
"I'm not sure he's guilty..." "Bailiff! Remove that man!" (scuffle ensues, Henry Fonda is subdued and removed) "OK, now do we all agree he's guilty?" (in unison) "He's guilty!"
Sorry but posting as an AC, with no references to what company you are talking about rings extremely hollow. If you truly mean it, and you are truly in a position to make said offer then how come you don't stand behind it? Why don't you post from an account, and name the company?
Oh, and if your idea of "security" is "Only one guy has the passwords," I think I'd like the name of your company so I can avoid it :P.
All right, I see tasering, beating, and kicking, but where's the execution? And by execution, I mean on-the-spot, declared-guilty-under-law-and-shot-in-the-head kind, not the "the cop got acquitted in court after a year by a jury of civilians" kind.
Put identity in the browser.
In fact, if the passwords had been in that database, then he would A) probably never have been asked for them and B) would have been able to say "you need to request access from the security department". Now HE may have thought they were "user" passwords because the system was his baby, but if you truly agree with that ... then well this is going to be like arguing with a religious person about the existence of god.
In IOS, there is a possibility of a single enable password, but that means that there is no AAA and no local usernames specified. That means anyone can gain console access, within the limitations of access lists and the configuration of the vty lines. This is not the norm in anyplace that cares a whit about security. Your statement is disingenuous.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
If you're a sys admin, you have to leave the system in a state where another sys admin of your level or higher can take over. If you are the ONLY sys admin and you want to leave, then you will disclose this to your replacement after a knowledge share has occurred. If you quit and fail to give the passwords back, this is no different than keeping a set of keys or an access badge/card to the server room.
"Experience is the name everyone gives to their mistakes." --Oscar Wilde
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
As anyone here will tell you: the city had physical access to ALL of the machines - they can manage any part of it they want and don't need the passwords. They were simply too cheap to pay for his replacement and resetting costs after his boss got the shits. I agree with droopus - this sets a terrible precedent, and we should all be VERY afraid and VERY careful what we say and when. The idiots have us by the balls...
> Glad they found him guilty.
And who do you think deserves to be punished more, Childs, or his idiot supervisors who, obviously, had no contingency plan in the case that Childs suddenly died?
and let him go
*DrugCheese rants*
All right, I see tasering, beating, and kicking, but where's the execution? And by execution, I mean on-the-spot, declared-guilty-under-law-and-shot-in-the-head kind, not the "the cop got acquitted in court after a year by a jury of civilians" kind.
They always get acquitted.
I was speaking about cops taking the law into their own hands--that happens a *lot*. As far as 'murder' under the color of law, that happens less frequently. But keep reading that site--they're good for a handful per month.
There's no place like
He did not 'kill the network', he protected it. Clearly they can now arrest and convict anyone in charge of the computer system. Time to not work for these people. What if he just quit? What if the system went down due to their incompetence, after he quit? The words "just give me everything that I want, I don't care about your civil liberties" really sounds stupid, but that's what we are talking about here.
Research has revealed that judging probability accurately is extremely difficult for humans. Beyond that, since all the evidence can be unreliable, there is really no place for reliable deductive logic. Whenever people come to an inductive conclusion, however, there is very little "logic" involved. The brain weights everything with emotion. When someone is experiencing depression or mania, things seem perfectly and absolutely logical that would seem totally absurd at another time. What someone believes at most times is not, therefore, "logical," it's just...normal.
If the defendant is extremely unsympathetic, it can be extremely difficult to deliberate independently of that fact.
The article doesn't mention what, if any, instructions the judge issued to the jury. He may have ruled on who constituted an "authorized user," and thus practically decided the case, since the facts were not really in dispute, only their interpretation. The jury could have still found "not guilty," of course (based on, say, whether there was any criminal intent), but why would they do so when it was so easy to return the guilty verdict that they wanted anyway?
This is the law, California Penal Code 502(c)(5), which he was charged with violating.
(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:
...
...
(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
(h) (1) Subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment. For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.
So you see, it was actually extremely relevant whether the acts were "reasonably necessary" for his job. The jury had to decide if following the written policy in that case was "reasonable," but they thought (perhaps rightly) that Childs was a paranoid whackjob. I don't think there is any question that he thought it was reasonable, though. Depending on what the judge said about this, Childs may have grounds for appeal...assuming he can afford it now. Since he's already spent two years in jail, he may very well be sentenced to time served, which is going to make appeal even less...appealing.
Regardless of whether he is guilty or not, consider that he has now been jailed for two years for having a snit with his boss. Laws really do cover nearly anything; "computer crime" laws seem particularly heinous in this regard (e.g. "sexting," or felony prosecution for violating the MySpace EULA). We are all at the mercy of prosecutorial discretion. God help us (metaphorically, of course).
I leave you with the Megan Meier Cyberbullying Prevention Act, introduced by a representative from California. So short. So broad.
All right, I see tasering, beating, and kicking, but where's the execution? And by execution, I mean on-the-spot, declared-guilty-under-law-and-shot-in-the-head kind, not the "the cop got acquitted in court after a year by a jury of civilians" kind.
Ok--here's an example from the first page of that site: A man operating a motor vehicle is tased while the vehicle is in gear, causing him to lose control of the vehicle. The police naturally go into "OMFG HE'S TRYING TO KILL US" mode and shoot him 7 times in the back...
Story
That's murder.
There's no place like
Was there no clearly identified chain of authorization here? Why didn't SF quickly provide evidence of who was authorized? You would think this would be the very first thing they would provide, the hammer that would efficiently drive the nail in Childs' legal coffin. The fact that you had to wade through reams of documents and "divine" such a key piece of info is telling. If it took a group of 12 persons to sift through this, how was Childs supposed to summon this knowledge too?
Haha, the password still works too!
Ah ha! Bad analogy guy reveals his other UID.
Insanity: voting in the same two parties over and over again and expecting different results
Fighting against it is your duty as a responsible human being, regardless of what happens to you. If nobody stands up, then things will only get worse.
The world is a dangerous place, not because of those who do evil, but because of those who look on and do nothing.
--Albert Einstein
He was an idiot who broke the law by denying his managers and the City of San Francisco access to controlling their network.
I don't care how big an idiot the boss is, you still give them the root password when they directly ask for it. You might hand it over in a sealed envelope with a long lecture on why it is best they not use it, but you still hand it over.
The City owns the network not Terry Childs.
Do you want to imply that only illegal aliens sue in such cases or that only illegal aliens break into other people's houses or is this just a case of conservative nuttery?
I'm sure citizens of the USA are much more likely to sue in such absurd cases.
It's basically punishing them for not pleading guilty and trying to defend themselves.
Actually, it's punishing them for BEING guilty and not admiting it.
When they're found not guilty they certainly don't have to pay.
The "Do not share County passwords with anyone, including administrative assistants or secretaries." line is most certainly referring to the way you should handle your passwords in day to day business.
It sure does not apply to the event of your employment ending. In that case you HAVE to give the root passwords et al. to somebody.
So how about you quote the regulations for that event?
The main lesson from this seems clear:
Never assume that you own the network that you build/administer. You're just an employee. Don't build back doors into a system for your own convenience. Don't be a jerk.
In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to.
Hahaha...
Oh wait, you are serious about believing that?
Having been a recipient of a corrupt cop lying in order to come up with a reason to arrest me so he could impound my car and perform a "custodial inventory" (re: search without a warrant), sitting in the back of his squad car for 3+ hours, and then having to pay the impound yard $280 per hour, plus $55 per night plus a $75 processing fee, totaling $970 to find absolutely nothing at all... please don't tell me the cops in America aren't corrupt.
The only difference is that the bribes (in this case kickbacks from the impound yard) have to go through 1 more layer of obfuscation before the cop gets his cut from the tow yard vs. paid directly.
For some reason my word alone isn't enough to counter the cop's witness testimony, but the cop's witness testimony is enough to convict.
All this because a racist white cop saw an Asian in a sports car in an area that is predominantly Hispanic and just had to find those drugs that didn't exist.
The irony is that what the cop claims happened is not physically possible for any consumer car (let alone a sports car that costs less than $25k) yet in order to prove in court that the numbers don't add up it would require $25,000+ in expert witnesses to fight.
P.S. in America, the cops will knock down your door, steal loose cash, shoot you, then plant cocaine on your person and claim they just did a drug bust.
That's assuming not only that no-one's found guilty when they're actually innocent, but also that the police and prosecutors never intimidate anyone who's innocent into thinking that they'll be found guilty. Neither of these assumptions is true, especially the second one.
`The city has spent nearly $1 million in efforts to regain control of the network and conduct vulnerability testing, according to Del Rosario'
I don't suppose there is any hard evidence for this statement. Who conducted the `vulnerability testing', what were their names, what was the name of the testing company?
You can sue because the sky is blue but did they win?
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Kinda related but in first aid training we were told never to give first aid to an American because they'll sue you.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Supposedly you were allowed to opt out of the execution squads, of course all the other positions in the concentration camps were still available then.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
*facepalm*
*facepalm*
*facepalm* *facepalm* *facepalm*
*bang head repeatedly against the wall*
Excuse me guys, but I'm going to go. My faith in human intelligence is shattered, and I think my head is bleeding.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.
In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.
I see you got that chain email too.
Care to show us these cases? I've started googling and have only come up with sites debunking it.
I know they're so easy to believe since the [skewed] McDonald's hot coffee case, but let's try and be skeptical when we hear about any ridiculous lawsuits.
There are so many things wrong with that trial that it's hard to fathom how it got as far as it did. But one thing stands out, that is mentioned here elsewhere that is absolutely shocking and ought to be understandable and worrisome to all citizens, technical or non-technical:
What the heck is that for a travesty of process? It looks like the One Microsoft Way of thinking entering the courts with fakery all through. He was a city employee, arrested by city cops who had assisted in inappropriate baiting (conference call), held in a city jail, prosecuted by a city district attorney, in a trial presided over by a city judge, tried by a city jury, and presumably staying and continuing to stay in a city jail. That's not going to result in even the possibility of a fair trial. Then when the jury drags in deliberation, it's rebuilt to return the verdict desired by all these other city employees.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
In a situation like that the correct answer, before hanging up, is, "I do not recall. I don't work there anymore. Ask someone who works there. Have a nice day. Bye."
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
In many parts of the world they'll kick your door in without asking, trash your house, and rape your daughter for good measure.
This is actually the image most Europeans have of the US.
The legal definition was in the contract. That's why you have "the party of the first part (hereafter called Fred)" in contracts.
What specific crime are you committing by following rules?
I think being a mean old poopyhead is only a misdemeanor.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
You think he was acting professionally and following policy? Look, I'm aware that his defense spread some story about the rules. You haven't read them, but I have. Here's from their rulebook:
"In accordance with these strategies the following policy statements apply to the key areas and functions of the Security Perimeter. In all statements where the “County Authority” (CA) is mentioned, depending on the County reporting structure, this can be the CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)."
"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
Obviously he hated having to do what his boss told him enough to go to prison. But something tells me that if we go through the records of all the people who asked him for the passwords (and by the end it was certainly more than just his boss), we would find that among them were at least one person "in Information Security," or who was "CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)." [emphasis added]
You can see for yourself his actions don't match policy. He was just crazy enough to think he could still use password-blackmail to torch his boss to the mayor - from jail.
And that's even without looking at the detailed information that emerged from the trial:
"This jury was not made up of incompetent people. ... I myself am a network engineer with a CCIE and thirteen years experience. ... No matter what you think ... you do not have ... even 10% of ... the full story. I am confident that we reached the correct verdict. ... ... [was] who is an "authorized user"? ... We did ultimately determine ... beyond any reasonable doubt ... his boss' boss was an authorized user."
One of the most difficult questions for us to answer
More here - this juror is a /. user and these are from his posts.
Funny how the truth gets buried and ego is always at the wheel.
Tired of Political Trolls? Opt Out!
You don't need to see any evidence to work out that someone who is committing a crime and injures himself in the process doesn't deserve a penny compensation from anyone, least of all the victim.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This is one of those situations that seems to draw out the difference between people who understand how policies work (as opposed to laws) and those who do not. A policy is an internal rule generated by an organization. Violating it exposes you to internal punishments and (in some situations) contractual civil liability. In other words, violating your policy might lead to some sort of penalty but not jail time. However, a law is above and beyond the scope of your organization, even when that organization is the government itself. The law that this idiot violated superseded the policy considerations. He was correct in his policy interpretation, I believe, but he was grossly incorrect in his legal interpretation. While the policy bound him against divulging the passwords, the law bound him against NOT divulging the passwords. He was in an ugly situation - one initiated by his boss - but this idiot is the one who broke the law to protect a policy.
"Stumble before you crawl"
He didn't judge who is skilled enough to know the password. (The mayor was not skilled enough).
He did judge who is authorized to have it.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Is it? It doesn't say so.
You don't think handing over the passwords to your immediate boss when you leave creates 1) a huge security risk to the organization and 2) opens you up to getting the blame for anything he does?
As I understand it he gave the passwords to someone n levels higher up. That person would then have the responsibility to choose whether to hand them down to the middle-minions or not.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
http://yro.slashdot.org/comments.pl?sid=1625060&cid=31915856
Build it, Drive it, Improve it! Hybridz.org
Is it? It doesn't say so.
Well, it says that you should share your passwords with nobody.
If you take that literally, it would mean that root passwords and stuff would be completely lost when you leave the company.
So there has to be an exemption for such cases.
As I understand it he gave the passwords to someone n levels higher up. That person would then have the responsibility to choose whether to hand them down to the middle-minions or not.
You think?
At the end of the day, your (former) superior is responsible for your place of work, he appoints somebody to fill in for you until somebody permanent is chosen, he needs to make sure that the show is going on.
So yes, your superior is the one you should give the passwords to (not without getting in writing that you did so and he now bears the responsibility). The mayor doesn't know shit about the network, who does what and what needs to be done.
Sorry, but when a jury of your peers found you guilty, we have to assume you are, until new evidence appears.
Otherwise, we couldn't send anybody to jail or fine anybody, because they *might* be punished for a crime that they *might* not have committed.
Terry Childs did the right thing by not giving out the passwords to anyone but the Mayor.
Here we go again with this bullsh*t!. You are absolutely incorrect. According to the very same policy that you're selectively quoting from, it states:
Terry Childs was required by policy to make these "system level" passwords available. This was nothing more than arrogant grandstanding. The guy decided to try to play hardball, and he got taught a lesson.
If your car moves toward an officer then you're going to get shot. That's just basic common knowledge. If you're drunk and refusing orders and you do something that makes your car move toward a cop then you're going to die. Looks like he is nothing more than the recipient to the consequences of his own choices and actions and another entry for the Darwin Awards.
Sorry, but when a jury of your peers found you guilty...
we have to assume you're more guilty than someone who actually plead guilty? This is enough of a problem already, with innocent people ending up spending much longer in jail because they refuse to admit to a crime they didn't commit. If they're charged for legal fees, potentially convicts' families will be punished for them pleading innocent, given how common shared finances are.
touché
Life is not for the lazy.
Show me the case law. You are citing urban legends...
maybe he was a jerk about it, but that doesn't make you right about him.
Actually, it does. No matter what the policy is, if your management says "hand over the passwords" -- you hand over the passwords. Maybe you get a lot of documentation around it, maybe you make sure HR signs off on this breach of policy, but you DO hand them over. If an auditor says it, you follow the same process -- talk to management, leave a paper trail, get sign-off from anyone necessary in the bureaucracy. OR obtain confirmation that you don't have to comply (not the case here).
You don't flounce off like a child having a tantrum because someone else might screw up your precious network. That network isn't yours -- it's your employer's.
So let's assume that he violated policy in refusing to give the password to his boss's boss or create accounts for people. How does this amount to a criminal offense?
If he violates policy, then fire him. But it's the fault of his boss to let him be the only person with access to the system for this long. They should have had other qualified people working with him to help maintain what is described as such an important system. I'm confused about when this goes from being a personnel matter to a criminal matter. Is this just because he was a government employee, or does this extend to the private section? The implications of this become very scary.
IMHO, based on everything I've read about this case, I think Childs should have done the following:
- Demand that a city HR person be present while he argues his case against divulging
- Formally put his objection into his personnel record
- When still ordered to by his boss, divulge the passwords
Where on Earth does it say your corporate IT policy is supposed to be a career suicide pact? I, for one, think that Childs made a life-altering, serious mistake. He started out trying to be principled, and ended up breaking the law.
I do hope that he ends up only being sentenced to time served, but I can guarantee you he doesn't have a job waiting at my company. This guy's judgement is seriously impaired.
Necron69
I suppose that your acceptance of the analogy is indicative of where we differ. Had he been the fire marshal in the building, and had keys to the elevators, and rather than set the fire, discovered it and took appropriate action by alerting the fire department, locking the elevators, etc. Now the analogy would continue that the building super demands that he provide the keys to the elevators, and he refuses as they should only be given to the fire department once they get there. He is then fired, but still gives the keys to the fire department. He is then thrown in jail and convicted of setting a bomb in the elevators.
He followed the fucking city policy
His real problem was that there were no adequate policies. Had there been a proper security policy it would have defined the process for replacing an admin.
Trying to dictate policies after a situation arises and everybody's emotions are involved is a guarantee for disaster.
I helped set up a simple solution to this scenario years ago for a local hearing aid provider.
The root password for their systems was double-blind. The CIO came in and set the password. The Lead network engineer changed the name of the root account (but didn't know the password).
Each component was forwarded to legal records hold for archiving in separate email.
Since no one was allowed to use the root\admin accounts (everything via sudo effectively, hence the double blind setup) in the event of an emergency a simple phone call to legal records hold would retrieve the information if the CIO and admin were not available. Add the two together and problem solved.
Childs could have just as easily secured the password beforehand with a policy doing something as simple as a 2-part cypher with 1 part in the hands of the governor and the other part documented with instructions on retrieving the 1st part from the governor.
e.g. passwd
(Disable backspace key sequence)
(Admin types first 4 characters, leaves room)
(CIO types last 4 characters, hits Enter.)
Admin and CIO email legal record hold with their portions.
This was about paranoid liability of someone busting the network, not securing a core password.
I've had to L0phat more than one NT server that a rogue admin tried to lock out the system after getting canned during my career (retired geek now thank God). The most recent one was a net admin that had a $100,000 quarterly budget but we could only find 22k worth of assets at the company (And why did he need 3 22 inch monitors and had every workstation running NT Server edition even though they only paid for 4 licenses of Server....).
From a liability standpoint Terry, or anyone can follow this simple guideline:
If your company has a legal record hold service, periodically gather your configuration files and documentation and forward that information to legal record hold. If not periodically print them, label them as "Legal Record Hold" or "Legal Retain" and sign and date them.
Most government offices have a legal record hold office. If you are terminated and they come back after you, you can have your lawyer request the last copy of the configs you sent to legal records hold and compare the current config. Not only that but a quick check of the config's last modified date will confirm if you have legitimately made that change. In addition if they try and come back and say you came into the system after being canned, the burden of proof is on them to show you had access. It would be a staggering embarrassment if they didn't change master passwords you had access to.
If possible I would go further and use mandatory CVS\RCS\Git etc... for config files of any kind in your process with an audit. The RCS system should be in the hands of the legal records retainment (i.e. independent of netOps) for auditing. Liability then can be quickly determined (Jeff left the company on 3/12 and no issues. On 3/24 Eric made a change and all hell broke loose. No point in going after Jeff, no liability. Eric likely broke it... wait Eric was on vacation and lives in Utah, the VPN came from Washington... where Jeff lives with a similar IP as Jeff's last! Oh shit call the cops!)
Network admins tend to forget\overlook the need to audit the configs, not just for operational purposes, but for legal due diligence reasons as well.
Revision Control on Configs + Audits + Double Blind Root\Admin + Mandatory sudo = Reasonable Liability Tracker.
I'm retired now ... almost 5 years now I think and I am sure things have changed so don't take my suggestions as gospel but at least out of this we can start thinking a bit more on how we manage our networks, not just from an operational standpoint but Risk, Liability, Business Continuity, and Legal viewpoint as well.
AND USE A RCS FOR CONFIGS!!! IT'S NOT JUST FOR TRACKING CODE CHANGES! IT'S AN AUDIT TRAIL AS WELL!
-=[ Who Is John Galt? ]=-
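The config audit described in the comment above (revision history checked against who has left and where a change came from), as an added example that is not part of the original post. The record fields, the year, the `tmpadmin` account and the IP addresses (documentation ranges) are assumptions constructed for illustration; only the names Jeff and Eric and the 3/12 and 3/24 dates come from the comment.

```python
"""Audit config-change history against the staff roster (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Admin:
    name: str
    left_on: Optional[date]   # None while still employed
    known_networks: tuple     # networks this account has legitimately connected from


@dataclass(frozen=True)
class Change:
    rev: str
    author: str
    day: date
    source_ip: str
    path: str


# Constructed roster: Jeff left on 3/12, Eric is still employed.
ROSTER = {
    "jeff": Admin("jeff", date(2010, 3, 12), (ip_network("203.0.113.0/24"),)),
    "eric": Admin("eric", None, (ip_network("198.51.100.0/24"),)),
}

# Constructed revision log, as the records office would export it from the RCS.
CHANGES = [
    Change("r101", "jeff", date(2010, 3, 10), "203.0.113.7", "core-rtr1.cfg"),
    Change("r102", "eric", date(2010, 3, 15), "198.51.100.20", "core-rtr1.cfg"),
    Change("r103", "eric", date(2010, 3, 24), "203.0.113.9", "core-rtr1.cfg"),
    Change("r104", "jeff", date(2010, 3, 25), "203.0.113.7", "fw-edge.cfg"),
    Change("r105", "tmpadmin", date(2010, 3, 26), "192.0.2.50", "fw-edge.cfg"),
]


def _in_networks(addr, networks):
    return any(addr in net for net in networks)


def audit(changes, roster):
    """Return (revision, finding) pairs for changes that need a human look."""
    findings = []
    for c in changes:
        who = roster.get(c.author)
        if who is None:
            # An account the roster does not know about committed a change.
            findings.append((c.rev, "unknown-author"))
            continue

        # The account was used after its owner left: credentials not revoked.
        if who.left_on is not None and c.day > who.left_on:
            findings.append((c.rev, "change-after-departure"))

        addr = ip_address(c.source_ip)
        if not _in_networks(addr, who.known_networks):
            # Source is new for this account. Does it match a network that
            # belongs to someone who had already left by that date?
            departed = sorted(
                a.name for a in roster.values()
                if a.name != c.author
                and a.left_on is not None and a.left_on < c.day
                and _in_networks(addr, a.known_networks)
            )
            if departed:
                findings.append((c.rev, "source-matches-departed:" + ",".join(departed)))
            else:
                findings.append((c.rev, "unfamiliar-source"))
    return findings


if __name__ == "__main__":
    for rev, finding in audit(CHANGES, ROSTER):
        print(rev, finding)
```

The check only works as evidence if the revision history and the roster are held outside the admins' own control, which is the point the comment makes about keeping the RCS with records retention.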
I fear precedent has been set here. So many insights have been raised here with good reasoning. Supposedly you are to be judged by your peers which should verify that all jurors truly be knowledgeable enough to make such a decision. I don't think this was the case and so justice was not served. A sad day for all the admins indeed.
As we can see from the city policy, telling your boss is already out, and talking about your password in front of others (the individuals on the other end of the phone line) is also a no-no. Terry Childs did the right thing by not giving out the passwords to anyone but the Mayor. Did Childs' boss ever get in trouble for breaching city policy? Probably not.
No, no, no. That's about sharing your password with secretaries, NOT with giving your passwords to your supervisor. That's not spelled out because it does not need to be. You ALWAYS give your passwords to your supervisor if requested.
The only thing worse than a Democrat is a Republican.
I work in a bank.
If I would do that (give my password to my boss, the CEO, the security guy, or anybody for that matter) I would be fired, and rightly so.
If the organization where this guy worked is so rubbish that they were fully dependent on this guy handling the passwords I frankly fail to see why he should be held responsible for anything frankly.
Obligatory car analogy: it is like blaming an F1 driver for not winning after giving him a car with no steering wheel.
The fact that one single person had so much control and could not be overruled demonstrates that the organization he was working for is utterly incompetent.
I find it scandalous that the defense lawyer could not bring expert witnesses to explain how people that know what they are doing have no "give your boss the password" rule under any circumstances.
Florida is also the state where innocent people (mostly Black) were listed as felons and purged from the voter rolls in order to influence the election.
It is also the state where someone got the death penalty for allowing someone to borrow their car and that person committed a crime where someone was killed. The death penalty, for lending your car to someone who decides to use it in a crime.
And Florida also makes a lot of things felonies that are misdemeanors or legal in other states.
And Florida is one of few states that permanently revokes voting rights from anyone convicted of a felony, even juveniles.
And Florida also is one of few states that executed juveniles, until it was made illegal, and still sentences juveniles to life without eligibility for parole. Taking kids, and throwing away the key, and if the Supreme Court didn't outlaw it, injecting poison into children, and calling it justice.
And Florida is really bad in how Black people are treated. Likely worse than the states that usually come to mind.
Florida is about as close to fascism as one can get in the US. It's a shame, the weather down there is nice, and it is nice to visit, but forget about justice.
Just because it CAN be done, doesn't mean it should!
That was the "acquitted by a jury of civilians after a year" case. Yeah, it sucks. It's still not pulling you over, declaring you an enemy of the state, putting you on your knees, and executing you on the spot and in the open because they don't like you, then putting some drugs on your dead body in order to make summarily executing you legal.
Get some perspective. The cops in the U.S. trial freaked out and overreacted, and they killed someone. (Yeah, it's wrong and I'm not defending it.) Thaksin's police executed over a thousand people on purpose and with forethought.
It just doesn't.
Any serious security policy will ensure that there is no "give your boss, or employer, or anybody else the passwords you are custodian of".
I would be fired on the spot if I did such a thing.
If the policies of the employer are wrong to start with, how for the love of god can the law find this chap guilty?
Just don't get it. I don't understand how you have been convinced of the righteousness of the verdict.
I was writing a reply and realized something important. No one gives a sh_t about the opinions of the technical types. Too often we say no, we whine a lot, make ourselves far too important, and cost too much. What's the law without enforcers? What's google, facebook, youtube without us?
In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to.
Hahaha...
Oh wait, you are serious about believing that?
Having been a recipient of a corrupt cop lying in order to come up with a reason to arrest me so he could impound my car and perform a "custodial inventory" (re: search without a warrant), sitting in the back of his squad car for 3+ hours, and then having to pay the impound yard $280 per hour, plus $55 per night plus a $75 processing fee, totaling $970 to find absolutely nothing at all... please don't tell me the cops in America aren't corrupt.
Sounds like you were being a real asshole, so he fucked you over the best he legally could. Why were you originally pulled over?
Fighting against it is your duty as a responsible human being, regardless of what happens to you. If nobody stands up, then things will only get worse.
I don't agree. Yes, you're right, things only get worse if no one fights against injustices. However, fighting against these things, like any fight, is only worthwhile if you have a decent chance of winning, unless you have nothing left to lose and can afford to take extreme chances.
People try to fight against corruption in the US all the time, by going to the voting booth. It isn't working; the system is completely rigged. There aren't many candidates who aren't corrupt, and the problem gets worse as you go up the ladder (i.e., your local cop probably isn't corrupt; the local school board members probably aren't corrupt, but the chances of corruption go up as you go higher: local government, state government, national government). The only thing left to do is violent revolution, and that's a step you only take if you're either reasonably sure you have a good chance of winning (not likely in this country, esp. since there's not enough popular support), or you have nothing left to lose. Worse, the system is just so gargantuan that it wouldn't be easy to overthrow anyway. Overthrowing the government of, say, Singapore (a single city-state), or Brunei Darussalem, is one matter, but overthrowing all the levels of government in the US (since they're all tied together) is entirely another. So unless you're a nut like Tim McVeigh or the guy who flew into the IRS building, it simply makes far more sense to just put up with the problem (while complaining, since we still have that right, for all the good it does us), and minimize your exposure to it (like by not working in a government IT agency), or just move somewhere else where things are better.
Remember the movie Braveheart? He tried fighting against evil, and in the end succeeded in doing nothing but getting himself tortured to death. The time to fight against evil is when you have lots of support on your side, and are able to win the fight.
Yeah I suppose you could argue that.
What he really got convicted for (not of) is being an arrogant asshole who upheld the letter of the rule (it wasn't a law) rather than reasonably complying with requests from his superiors. In order for him to have been correct you have to assume that he had the moral/legal authority to predetermine that his compliance would result in a situation worse than the one he caused by doing what he did.
There are times usually when great financial harm or great bodily harm are imminent that he may have been correct but that was not the case here.
By doing what he did he caused great financial harm rather than preventing it. So by following the letter he violated the spirit and caused the harm he was trying to prevent thereby stepping in the shit and then failing to scrape it off his shoe.
Why bother
There was recently an incident in the Bay Area where a cop executed a guy on the ground.
Probably for DWA. Sounds like he's in California.
I don't see this result as surprising.
I understand why he did some of what he did, but it honestly seems to me (based on statements he made) that he was just trying to make a massive stink against people he didn't respect or like, using legalistic justifications while ignoring pragmatism.
At the end of the day, I wonder what the worst that would've realistically happened to him could've been, had he just handed all the network passwords over to the incompetent asshole supervisor as he walked out the door. At that point, let them all dig their own graves and jack-up the network if they truly don't understand. Would there realistically be criminal charges for failing to follow the employee handbook regarding password security once he was no longer an employee, so long as he didn't disburse passwords in a malicious way?
I'd really love to see that, testimony for such a case would be downright laughable.
City Attorney: "Your honor, the City fired Mr. Childs for insubordination because he refused to turn-over the passwords, as demanded of him. At that point, as the City police were summoned, he handed the passwords over to his supervisor as demanded, so he could walk out the door a free man and get on with his life. That supervisor then proceeded to fuck-up the city's MAN and it went down and cost millions of dollars to repair due to incompetence. I ask that you hold Mr. Childs criminally liable for the damage another City employee, his supervisor, did to the network. He did not follow the proper procedures outlined in our Employee Handbook!"
Perhaps I'm missing some element that he could've been held accountable for beyond his employment with the City, since the penalties for violating a handbook are usually limited to termination of employment as long as they aren't also covered by criminal code or a breach of an actual contract with the employer. Perhaps he wasn't just being obstinate and doing his best to make things difficult after he lost his little power play. Perhaps there really are employees whose loyalty to their employers comes at their own expense, even after their employers attempt to screw them over.
I'm not a hero like that. I wouldn't go out of my way to hurt a former employer (as that WOULD be unethical and potentially criminal), but I don't think I would consider that I owe them a single thing after being fired in the unceremonious manner Mr. Childs was. I'd give them the means to access all work I'd done for them while in their employ, holding nothing back. What they do with it is their business; I would not help them to figure it out or repair it without consulting fees. I sure as hell wouldn't risk arrest to protect their interests after they ceased paying me to do so. If I trusted someone up the chain enough to inform them of what went down, I might do so in hopes of maybe straightening things out, but if I trusted nobody enough to do so, I'd have to ask myself why I'd even want to get my job back, or why I was even working there in the first place, if everyone is so incompetent, spiteful, and dishonorable.
where the buck stops.
so, you are brought into an office with your manager's manager, a hr rep, two police officers, and asked to provide access to the system to someone who you know that is able to screw up so grandly (like how they disclosed live user/passes as evidence in public court to a live system with sensitive info) and potentially expose millions of citizen's or the local authority's very sensitive data and pave way for insane hacking and stealing.
you would give the access to the idiot ? you would save your own ass, and you would do what is TECHNICALLY and legally right, but, would it be the RIGHT thing to do ?
if we exaggerate the concept a little bit, we can come up with an exaggerated example still in the same format with this :
you are an officer in a nuclear silo, and you are ordered to launch, practically ending the lives of countless people, and maybe ending the world. you know that who is ordering you is a top of the notch idiot that screws up.
what would you do ?
Read radical news here
As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.
It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."
The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."
Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?
That's exactly the kind of thing I'm talking about. Imagine it happening three times a day in just one small U.S. state, and you'll get an idea of Thailand's war on drugs in Chiang Mai and Chiang Rai.
That's the "acquitted by a jury of civilians after a year" case. Yeah, it sucks. It's still not pulling you over, declaring you an enemy of the state, putting you on your knees, and executing you on the spot and in the open because they don't like you, then putting some drugs on your dead body in order to make summarily executing you legal.
Get some perspective. The cops in the U.S. trial freaked out and overreacted, and they killed someone. (Yeah, it's wrong and I'm not defending it.) Thaksin's police executed over a thousand people on purpose and with forethought.
Put identity in the browser.
Shows how much you read what I wrote. I never said I disliked him, or that I disliked people who act like jerks, I never even assumed that other people disliked him or disliked those who acted like jerks.
I merely stated that it is a known fact that certain personalities will get convicted whether they are innocent or guilty, and that if this is truly a problem, then it is a problem that needs to be treated and not punished. Geek Syndrome is not a crime, although it is treated as such.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
the biggest implication is not to be a dumbass and hold your employer's network hostage with a password only you know. I've been hoping for a guilty plea and now I must say it's a pretty satisfying feeling knowing I was right in the first place.
C'mon folks this idiot IT guy didn't even have a "hit by a bus" plan, he expected to be the only guy who could maintain the city's network and this is GROSSLY unprofessional to an EXTREME degree. Whoever doesn't agree with this guilty verdict is a pimply nerd out of touch with IT reality.
Is it just coincidence that we call our customers "users" aka drug "users"? "Pst, I got some technology over here..." as I, gently and without suspicion, lift the lapel of my rather worn trench coat.... as the story continues... Seriously, that is what it feels like anymore. Everyone wants it now and if you don't give it to 'em everyone goes all goofy.
More importantly, have an exit strategy.
When he set up this system he should have had a system or policy in place for passing along the passwords after he left (or was fired) from the job. It sounds more like he set up this network thinking he would be working at this job forever.
What if he had been hit by a bus and died? How can an entire network be managed by only one password that is only in one guy's head?
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
No. He stood up for the right thing, and the stupid corporate types above him didn't like it, so they abused their power and public funds to crush him.
What is DWA? Driving While Asshole?
This is a major check on the power of government which has been all but ignored.
If you are on a jury, you may acquit for any reason. The judge won't tell you that, but it's true.
Demanding anything from your superiors has a name, insubordination.
I think, after 2 years in jail, the specifics may not matter so much.
I don't particularly mind giving someone my passwords (provided they have the legal authority to have them) as long as the transfer of that username and password pair is *heavily* documented. At that point, anyone trying to associate information or action with my username has a field of possible suspects. When I quit my last job, my information just stopped working. I didn't have to hand any private data to anyone.
I'm pretty shocked that an IT guy on the jury wouldn't hold to that. As soon as you set up a system, you should have *two* (or more) admins. You fire one, you're still good.
Driving While Asian
GP didn't say he thought Childs was completely innocent.
He didn't say that it was only because of a judge's instruction that he convicted, or that he thought he didn't have a choice.
He only said that he was not swayed by emotional appeals; that he was convicted despite not being the only person at fault. Like, you know, you'd expect someone making a decision based on law to act.
But don't let me stop you from going off on your own personal tangent.
Told ya.
It said that police have the ability to coerce passwords out of that administrator's custody. Upon authentication awaiting for police to coerce those passwords, none qualified as police because they lacked the ability to "coerce passwords" from that administrator.
I hear Maalox has the ability to coerce bowel movements through an intestine, and it is a proven fact. Police are supermen, but it's just too bad there aren't any being trained that way nowadays. I just can't find myself to calling anyone with a GED and Football-bully training as Police, and it's the same reason I don't call a No-Tech license holder a HAM Radio Op.
English, do you speak it m*th*rf*ck*r?
It's still not pulling you over, declaring you an enemy of the state, putting you on your knees, and executing you on the spot and in the open because they don't like you, then putting some drugs on your dead body in order to make summarily executing you legal.
Bah! We skip all that by sending in the SWAT team because some 'informant' said they saw you smoking a joint. The SWAT team swoops in, shoots your dog, then shoots you because they thought you had a weapon. Saves a lot of time and hassle. No declaring you an enemy of this or that, planting evidence, etc... ;)
Get some perspective. The cops in the U.S. trial freaked out and overreacted, and they killed someone. (Yeah, it's wrong and I'm not defending it.) Thaksin's police executed over a thousand people on purpose and with forethought.
I agree. There's a difference between premeditated murder of thousands versus simply shooting someone for 'contempt of cop' without any forethought.
There's no place like
stop worrying, personal recording devices will save the day. Won't be long before cops can't dump without it being public information.
my karma will be here long after I'm gone
There has been very little quality reporting on this case. Thanks for posting your comments on it. It would be really nice if you could take your 200 pages of notes and write up a summary of the key evidence (or maybe just post the notes).
According to the linked article there must have been a finding that Mr. Childs caused at least $200,000 in damages. I have not seen this addressed anywhere*. Would you care to comment on that? How was this number arrived at? Would the damages have been different if he had been hit by a bus?
*The article has been amended to indicate the city incurred $1 million in expenses to regain control of the network and do vulnerability testing.
I was in a similar situation about 6-7 years ago working for a department at Emory University in Atlanta.
I took the situation to HR. They sided with the department and of course things went haywire, and to the left.
My point is, if there is no or lack of policy enforcement, lack of oversight by management, Project Management, lack of change and fault management, Infosec practices, RFC review, and skilled IT directors, this can happen.
I feel for Mr. Childs and he got a RAW deal !!
This could have easily been resolved by all parties amicably without losing respect for one's position, by HR mediating or interceding to protect his rights as an employee and position.
...one court convicting someone of "denial of service" even though he denied no service after another court has told Comcast that they can deny service for any old reason that they please.
We're not seeing the application of "justice" in America; we're seeing the application of that malapropism: Might makes right.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
If the rules are broken to start with (people serious about security demand that nobody shares or gives passwords to anybody else) there should be no chance to convict somebody for following the rules.
If an entity is incompetent enough to corner itself in depending on one individual only in order to access their own resources, then it is not the individual who is to blame, it is the entity that didn't have any forethought about a situation in which the doorman was not there anymore (whatever the reason).
If the law protects such organizations then the law is a sham.
stop worrying, personal recording devices will save the day. Won't be long before cops can't dump without it being public information.
Yeah--except that now it's illegal to record cops in at least one state. I don't recall which one, but it's on the east coast. You record 'em, you go to jail. Awesome.
There's no place like
When the lawyer turned politicians write law, they only have a vague idea about their intention and leave the interpretation of the law to the appeals courts. Lawyers never acknowledge their mistakes and correct them. However, Mr. Childs had the city property - intangible yet still having value was the password. Everything he creates using the city's property and at his paid time belongs to the city. Even if he is fired, he has to return the city's property which is citizen's property too. When his ego and stupid stubborn refusal to respect the law and terms of his employment he was guilty. If you challenge each law at our own convenience, US society will become a Middle East Mullahs (not actual law) controlled state and defeat the purpose of creating a democratic society. He got himself into his trouble without first consulting a lawyer about the ramification of his refusal to give away the password.
Wow, again, saying this drivel is insightful is like saying Reverend Jones saved their souls in Guyana.
Why bother
We had someone like that on the jury I served on for a Federal case. One of our jurors decided that she didn't want to be responsible for sending someone to prison, so she was going to vote "not guilty". We had to explain to her several times that that wasn't her decision to make, and that we were supposed to be determining whether or not the defendants were guilty of the crimes they had been charged with. I was worried that she'd have to be removed from the jury, and that'd result in us not being able to come to a decision.
Eventually, she agreed to discuss the case, and we managed to come to a decision. Well, 6 decisions, actually, since we had 2 defendants, each charged with three different crimes.
#1. Don't pay sprocket any mind, he is a bullshit artist. #2. http://slashdot.org/comments.pl?sid=1293667&cid=28621185 where sprocket was totally "perfectly" (the word he refused to define along with his evading all questions put to he) #3. Sprocket also likes to put words in others mouths they never even said and tries to state they "implied it" when his dull brain obviously cannot interpret written english properly because when asked by the person replying if sprocket could find where said person supposedly stated what sprocket said he did? Sprocket ran or evaded all questions there. I bookmarked that for everyone's reference so this no mind Sprocket could see it again and regret his stupidity in being a wanna be computer expert (not). He certainly got his ass handed to him there. Read it yourselves, and decide how "expert" sprocket really is.
#1. Don't pay sprocket any mind, he is a bullshit artist. #2. http://slashdot.org/comments.pl?sid=1293667&cid=28621185 where sprocket was totally "perfectly" (the word he refused to define along with his evading all questions put to he) blown away #3. Sprocket also likes to put words in others mouths they never even said and tries to state they "implied it" when his dull brain obviously cannot interpret written english properly because when asked by the person replying if sprocket could find where said person supposedly stated what sprocket said he did? Sprocket ran or evaded all questions there. I bookmarked that for everyone's reference so this no mind Sprocket could see it again and regret his stupidity in being a wanna be computer expert (not). He certainly got his ass handed to him there. Read it yourselves, and decide how "expert" sprocket really is.