Slashdot Mirror
Terry Childs Found Guilty
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
← Back to Stories (view on slashdot.org)
The man was already a felon from the 1980s, so it shows he tended not to follow the law.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209100472
"The Chronicle also reported on Wednesday that Childs has a 25-year-old felony criminal record in Kansas, where he was convicted of aggravated robbery and aggravated burglary stemming from charges filed in 1982. Childs was on probation or parole until 1987, according to records uncovered by the newspaper. Childs had disclosed the felony conviction when he applied for the San Francisco job five years ago."
From http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=2&fp=&fpid= "DTIS officials demanded that Childs relinquish the usernames and passwords used to access the FiberWAN network devices, and Childs refused to do so. He was suspended for insubordination on July 9. " He was arrested shortly thereafter. DTIS is the city's IT department. His refusing to disclose passwords to a public court has nothing to do with why he was arrested and found guilty.
Sound like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?
Hear, hear. Just because the guy is a nerd doesn't mean we have to rally 'round him.
Of course, if during the trial everyone's login credentials were exposed (I don't know if they were, I didn't RTFA) that would be pretty goddamn stupid indeed.
Democracy is a form of government that ensures we are governed as well as we deserve.
Explain that again. Do smart people deserve to be governed like idiots just because they're outnumbered by idiots?
Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.
Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).
The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.
The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
If my boss asks me to do something, I generally do it. What if it violates policy? Well, he's more culpable than I am.
That's the thing. That network is more Childs' boss' than it is his... his boss has more responsibility to it. He wants the password, give it to him and document that you did so. When the network comes crashing down, it's more his fault than yours.... and you're not in jail. Hopefully.
What doesn't kill you only delays the inevitable
Are we getting too hung up on the password issue? Was his refusal to divulge the passwords what he's being found guilty of?
Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person. If the city allowed Childs to hold all the keys, they're pretty stupid. If they had a policy prohibiting that, I could understand why violating it could get you jail time.
What doesn't kill you only delays the inevitable
Funny you should say that. The last jury I sat on, the woman sitting across from me was a programmer. Her exact words to the judge, when he asked her employment were, "I twiddle bits". He blinked, and she got a lot more formal afterward.
By the way, she was also the first to vote to convict when we got back to the jury room. Binary logic was not working in the defendant's favor with her.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
To Terry Childs,
When you finish your sentence, I will have a position waiting for you as an administrator of our large company network. Your devotion to network security, network policy, and willingness to defend them at all costs are a valuable commodity. My company and I would be very happy to employ you in a senior technical position. I can find network experts all over the internet, but it is much harder to find those that would defend their network at risk to their own liberty. I applaud you Mr. Childs.
San Francisco's mayor is one of the most prominent douchebags of recent history. There's no way he would resign unless it meant that he could become governor, senator, or president of the USA by next election. He's an animated golemn, crafted of every negative stereotype of San Francisco there is. When he had every reason to defend Child's actions, he testified against him - condemning what he knew to be an innocent man. What would an egomaniac like that have to gain from stepping down or retracting his testimony against the man when he's busy patting himself on the back for helping put away a dangerous terrorist such as Terry Childs?
If this was 200 years ago, I'd challenge the man to a duel. "You took 5 years of an innocent man's life away because you could. Just how many innocent men have you knowingly put away for 5 years? 10 years? 20 years? How many innocent lifetimes has your sick ego cost the world? I'm sure the devil will give you a full report when you reach Hell."
But now, in 2010, I could probably get charges filed against me just for suggesting something like that! It's those damned everchanging laws of propriety...
I am the richest astronaut ever to win the superbowl.
A lot of differing opinions being tossed around here.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at eachother.
Thank you in advance for not modding me "Troll" and "Offtopic".
...but I remember enough to say that holding a city's computer systems random [sic] (which is essentially what he was doing) certainly deserves a guilty verdict on a count of "computer tampering." You really think it's acceptable under any circumstances for someone to hijack a network like that? Yes, he works there and technically "administrates" those machines, but he has a duty to his employers (ultimately, the citizens), and he was not upholding that duty.
I remember it differently. Either that or this is for some other definition of "hijack", "ransom", and "duty" than the definitions commonly used and found in the dictionary.
"hijack" : He didn't take it over, he was the network admin.
"ransom" : He didn't ask for any ransom, he stated he would only give the password to the Mayor.
"duty" : According to how he interpreted the written job requirements, giving the password to anyone else much less a roomful of known, semi-known, unknown and a phone full of unknown people did not match the written security requirements.
Frankly, from what I've read, I agree. Although, I would hope and expect that the jury has a good deal more information than I have. It does scare me that an ignorant jury could have just been afraid of a "Oh my god!, computer hacker" and convicted him on their emotional response rather than intelligent deliberation. I hope I'm just missing some of the info they had.
I don't know - taking a felon's job sounds like a pretty easy act to follow:
PHB: "It took you that long? Why Terry could have done it .. Ugh never mind.
After he was arrested and placed in custody is when he stated that he would only give the password to the mayor, not becuase it was a rule or directive but becuase Mayor Newsom was "the only person he felt he could trust".
I haven't followed this case very closely so forgive me if this has been answered elsewhere, but do you know why the mayor didn't just take the password from this guy and then hand it over to the new admins? It doesn't seem like too big a hassle for Mayor Newsom if 20 minutes on the phone would have actually helped the city avoid significant costs and problems.
There's this little thing called "precedent". If Gavin Newsome had taken whatever piddling amount of time to deal with this idiot sysadmin then it would set a precedent for this sort of thing. Soon every little pissant city employee would have some chickenshit issue and would start bleating that they'd only deal with the mayor.
Eventually instead of doing mayor stuff, all of the mayor's time would be tied up with having to deal with all sorts of insignificant chickenshit stuff because some self-important flunky wanted attention from the big boss man in order to feel important instead of sticking with the chain of command.
Terry Childs wanted his ego stroked and wanted attention. Well he sure as hell got attention but probably not the sort he was hoping for. I hope he's happy now.
Here is a list of things to avoid (from the policy document):
Giving your password over the phone to ANYONE.
Sending a password in an e-mail message.
Telling your boss your password .
Talking about a password in front of others.
Hinting at the format of a password (e.g., “my family name”).
Writing in your password on questionnaires or security forms.
Sharing your password with family members.
Telling your co-workers your password while on vacation.
It would seem that giving your password out over a conference call would be against policy as well. The most striking thing about this case to me has always been this: He worked for the city. City cops assisted in the inappropriate, although not illegal, conference call and arrested him. He was held in a city jail. He was prosecuted by a city district attorney and tried by a city judge and jury. Now that he is convicted he will probably serve the remainder of his sentence in a city jail where he might be offered some form of community service for the city. I really hate to think that the jury could not see a pattern here. Moreover why didn't the state or feds step in and offer oversight.
This so much reminds me of a time when i was going to school in a small Georgia town. After getting arrested for "Driving on a roadway laned for traffic" I realized that the cop, judge, bail bondsmen, my insurance agent and landlord all had the same last name. fortunately my lawyer was not so named and we had the case moved to another court.
Lets try this from the other persepective:
Your Employer: Give me the password.
You: But you told me I'd be liable for anything that happens if I give it to you.
Your Employer: Give me the password!!
You: No. I don't want to be liable.
Your Employer: You're fired!!!
You: Fine.
Your Employer: Give me the password!!!!
You: I don't work for you anymore. And I still don't want to be liable.
Your Employer: Peon!!!! I own you!!!!!! I'll grind you into dust!!!!! Lawyers! Destroy him!!!
And they did.
You know what the moral of this story is? Don't work for anyone.
May the Maths Be with you!
He might be a hero to some and a fool to others, but in the end, he has to live with himself... and survive with himself. Now he will be pretty lucky to have a normal life from this point forward. Odds are, he won't. There are lots of "wrong" things going on in the world every day. If you are asked to do the wrong thing in a similar circumstance, the one best option he could have taken was to quit and walk away giving whoever wanted/needed info is needed... to a point. Personally, if I was the only one with passwords to whatever, I'd just claim not to remember them and to tell them where all the devices are so they can seek them out and reset them manually. Frankly, why they didn't just hire someone to find all of these points of access and lock them out is beyond me. He was a jerk and simply needed to be cut off.
Every little piss-ant city employee is not a highly paid professional who designed, built, and maintained the city governments entire network infrastructure. When the street sweepers refuse to turn their keys in to anyone but they Mayor, tell them to fuck off. When someone who you have given a lot of money and entrusted with the security and reliability of the systems that keep critical city infrastructure wants 10 minutes of your time, it's probably a good idea to fucking listen. If the city's top lawyer wanted a word with the mayor on a matter he considered urgent, do you think he'd wait?
The whole thing is a farce. Terry Childs may have deserved to be fired. From the sounds of it, he allowed himself to become a critical, irreplaceable part of the infrastructure, which in of itself is a good reason to fire him. Clearly his ego and misguided sense of dedication to his job was clouding his judgment. His managers should be fired for being completely incompetent. They allowed a situation to develop where Childs was irreplaceable. They then decided to fire him, but developed no plan on how to smoothly transition away. And after they fired him, and realized how incredibly they had fucked up, they threw him in jail, turning a bad situation into a disaster. They passed over repeated chances to defuse the situation, all to save face. They proceeded to try their best to ruin a man's life just to avoid admitting they had made mistakes, and it looks like they have succeeded. By all accounts the city's network worked flawlessly the entire time. They were apparently convinced he would use his passwords to bring the network down just because he was upset about being fired, but there is no evidence he attempted to do so or would have attempted. To do so would have destroyed his career, that he clearly cared a lot about if he invested the time and effort into getting a CCIE. Furthermore, it's doubtful that had he given all the passwords, he would have lost his ability to do so. Given how much they relied on him, and his knowledge of the network, he couldn't have found a way even if they changed all the passwords he gave them? Theres always a backup account somewhere, or a forgotten out-of-band management tool, etc.
The precedent this court case leaves is "support your former employers for free, forever, or go to jail". I for one am not looking forward to getting calls from a former employer at 3 am because even though I left 6 months ago, they forgot to ask me for the password to the backup system, and now it's on the fritz, and I refuse to answer and tell them how to login, and the account credentials, they will call the cops.
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.
linky:
During the time Childs was an employee, did the people requesting the passwords have authorization to do so?
Reminds me of that Feynman story where he goes down in the middle of the night and removes one of the doors. The next day everyone is upset and they demand people swear that they did not do it. So it goes around the room:
Person 1: "I swear I did not remove the door." ... and so on. Then it gets to Feynman:
Person 2: "I swear I did not remove the door."
Feynman: "Yeah, *I* took the door."
Upset Dude: "Oh, stop kidding around Feynman. Next!"
Person n: "I swear I did not remove the door."
Hit point was that afterward, even though he did admit to taking it, at the time they dismissed it as him not being serious and all they ultimately remembered was everybody denying taking the door.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
except they pulled the POLICE in before even offering such a deal. That was the ENTIRE problem. They perp walked him out the door, then went to his house days later expecting to get the passwords. He's got enough for wrongful termination for all the crap they pulled.
Basically you could be accused of his "crime" for nailing boards over the computer room. I think at sentencing, more of the truth will come out. The judge feels the need to get some kind of "serious verdict" because of the dog-n-pony-show but it's obvious even the judge isn't really on board with the charges either. I see him getting another year or two probation and "time served" because he's been sitting in jail for just about 2 years now,. I think the judge will throw out the "damage" claims as well as the malicious intent... the guy has been sitting in jail since a week after being fired with no access to the computers since he left his job.... he was set up and NOTHING HAPPENED. So all the money spent is the CITY'S fault for not properly running the department, Child's made no THREATS to cause damage, there was no valid reason for such an extensive audit. They have had nearly 2 years to fix their problems, I can't see a judge granting anymore arguments from the DA.
Was there no clearly identified chain of authorization here? Why didn't SF quickly provide evidence of who was authorized? You would think this would be the very first thing they would provide, the hammer that would efficiently drive the nail in Childs' legal coffin. The fact that you had to wade through reams of document and "divine" such a key piece of info is telling. If it took a group of 12 persons to sift through this, how was Child supposed to summon this knowledge too?
Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.
He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.
> No large company runs like that.
Good grief, how I wish that were true :-/
I helped set up a simple solution to this scenario years ago for a local hear aid provider.
The root password for their systems was double-blind. The CIO came in and set the password. The Lead network engineer changed the name of the root account (but didn't know the password).
Each component was forwarded to legal records hold for archiving in separate email.
Since no one was allowed to use the root\admin accounts (everything via sudo effectively, hence the double blind setup) in the event of an emergency a simple phone call to legal records hold would retrieve the information if the CIO and admin were not available. Add the two together and problem solved.
Child's could have just as easily secured the password before hand with a policy doing something as simple as a 2-part cypher with 1 part in the hands of the govenor and the other part documented with instructions on retriving the 1st part from the govenor.
e.g. passwd
(Disable backspace key sequence)
(Admin types first 4 characters, leaves room)
(CIO types last 4 characters hit's enter.)
Admin and CIO email legal record hold with their portions.
This was about paranoid liability of someone busting the network, not securing a core password.
I've had to L0phat more then one NT server that a rogue admin tried to lockout the system after getting canned during my career (retired geek now thank God). The most recent one was a net admin that had a $100,000 quarterly budget but we could only find 22k worth of assets at the company (And why did he need 3 22 inch monitors and had every workstation running NT Server edition even though they only paid for 4 licenses of Server....).
From a liability standpoint Terry, or anyone can follow this simple guideline:
If your company has a legal record hold service, periodically gather your configuration files and documentation and forward that information to legal record hold. If not periodically print them, label them as "Legal Record Hold" or "Legal Retain" and sign and date them.
Most government offices have a legal record hold office. If you are terminated and they come back after you you can have your lawyer request the last copy of the configs you sent to legal records hold and compare the current config. Not only that but a quick check of the config's last modified date will confirm if you you have legitimately made that change. In addition if they try and come back and say you came into the system after being canned, the burden of proof is one them to show you had access. It would be a staggering embarrasment if they didn't change master passwords you had access to.
If possible I would go further and use mandatory CVS\RCS\Git etc... for config files of any kind in your process with an audit. The RCS system should be in the hands of the legal records retainment (i.e. independent of netOps) for auditing. Liability then can be quickly determined (Jeff left the company on 3/12 and no issues. On 3/24 Eric made a change and all hell broke loose. No point in going after Jeff, no liability. Eric likely broke it... wait Eric was on vacation and lives in Utah, the VPN came from Washington... where Jeff lives with a similar IP as Jeff's last! Oh shit call the cops!)
Network admins tend to forget\overlook the need to audit the configs, not just for operational purposes, but for legal due-dilligence reasons as well.
Revision Control on Configs + Audits + Double Blind Root\Admin + Mandatory sudo = Reasonable Liability Tracker.
I'm retired now ... almost 5 years now I think and I am sure things have changed so don't take my suggestions as gospel but at least out of this we can starting thinking a bit more on how we manage our networks, not just from an operational standpoint but Risk, Liability, Business Continuity, and Legal viewpoint as well.
AND USE A RCS FOR CONFIGS!!! IT'S NOT JUST FOR TRACKING CODE CHANGES! IT'S AN AUDIT TRAIL AS WELL!
-=[ Who Is John Galt? ]=-
I'd like to not commit an ad-hominem attack on the Jury, but sadly I cannot understand how 12 right-thinking people came to such a ridiculous conclusion. Unfortunately, people are rarely right-thinking.
You just described the old lady who walks into the deliberation and and says "He's guilty."
Why?
"Because his charged with something, so he must be guilty."
The Jury review is supposed to weed defective things like this out. But it is in the best interest of the prosecution, and horribly immoral, to get as many people who think like this in that Jury box as possible. Next to the 'person awed by the power of something they read in a detective novel' these people are their best friend.
Humans judging other humans is about the worst possible thing you could ask for. Except for all the alternatives.
People will trust authority over facts, judge bases on clothing and hairstyle and attitude over facts and ignore anything that disagrees with a pre-existing idea about the world (e.g. their religion.) The selection process is supposed to catch a lot of this. Sadly, stacking the Jury is as old and the Jury trial itself.
Thanks. Yes there were tons of other issues involved in this matter which the press simply doesn't cover in their reports. I myself feel that five years is a rather extreme sentence for what he did, which is why I have been glad to read in news reports that they expect the judge to let him go with time served or possibly sentence him to just a few more months. He doesn't need to be kept away from the public or punished any more for what he did.
If you're really one of the jurors... I had thought that maybe there was some extra information that the Jury was privy to that just wasn't in the news reports. Something else that he'd done, some explicit threat he'd made rather than just paranoia on the part of the city employees ganging up on him. But it looks like there's nothing.
So, as a juror in this case, can we ask you some questions? Frankly, I think it would be great if they'd do a Slashdot interview story with you and any other jurors who'd care to answer. But if you could answer some questions here, it would be great.
First of all, the relevant bit of the law, skipping the definitions section and punishments:
(c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
(3) Knowingly and without permission uses or causes to be used
computer services.
(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
(9) Knowingly and without permission uses the Internet domain name
of another individual, corporation, or entity in connection with the
sending of one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or computer
network.
And, also, subdivision (h), since it seems relevant in this case:
(h) (1) Subdivision (c) does not apply to punish any acts which
are committed by a person within the scope of his or her lawful
employment. For purposes of this section, a person acts within the
scope of his or her employment when he or she performs acts which are
reasonably necessary to the performance of his or her work
assignment.
(2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee's activities do not cause an
injury, as defined in paragraph (8) of subdivision (b), to the
employer or another, or provided that the value of supplies or
computer services, as defined in paragraph (4) of subdivision (b),
which are used does not exceed an accumulated total of two hundred
fifty dollars ($250).
So, first of all (5) seems to be the relevant part of this law that Childs was convicted of. Did you convict solely on that part of the law, or was there some other part that you believe he is
There has been very little quality reporting on this case. Thanks for posting your comments on it. It would be really nice if you could take your 200 pages of notes and write up a summary of the key evidence (or maybe just post the notes).
According to the linked article there must have been a finding that Mr. Childs caused at least $200,000 in damages. I have not seen this addressed anywhere*. Would you care to comment on that? How was this number arrived at? Would the damages have been different if he had been hit by a bus?
*The article has been amended to indicate the city incurred $1 million in expenses to regain control of the network and do vulnerability testing.