Slashdot Mirror
Terry Childs Found Guilty
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
← Back to Stories (view on slashdot.org)
he is a sysadmin that refused to disclose passwords to an office which had the prudence to disclose ALL of those LIVE passwords and usernames as evidence in a public court ... exposing personal information of millions of citizens in public databases ...
i doubt that randomly selected array of 20-30 americans would be able to understand how insanely stupid this is.
Read radical news here
Remind me never to do the right thing ever again.
It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.
Remember that juries are made up of the twelve people who weren't smart enough to get out of jury duty.
What this really all comes down to is that once a company fires you or lets you go you are still obligated to that company.
I don't care if it's a government organization or a corporation as far as I'm concerned once they let you go there should be no more ties to anyone from either side.
I guess it's true...the shackles don't come off even if they put you back in the general population.
"Bah!" - Dogbert
The lesson here is to do whatever your boss says, even if it is incredibly stupid and will make your job entirely unmanageable...
Well, I would have to agree that my 'inner security geek', would have had to swallow really hard a few time before stating production passwords over a teleconference with unknown people. Hell, I would expect to be fired just for doing that.
Damned if you do, damned if you don't. Sometime you just have to suck it up and go look for another job. The sad part is that Terry was probably just a conscientous civil servant, and the boss was a know-nothing political appointee. Terry had probably seen more than a few of these appointed ass-hats come and go, and figured this was just another little tempest that would blow over.
Poor guy
Wherever You Go, There You Are
...holding a city's computer systems random...
Yes, I see where that might be an issue... ;)
Veni, Vidi, Velcro!
Fuck off. He followed the fucking city policy, maybe he was a jerk about it, but that doesn't make you right about him.
Sound like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?
No that would be a simple case of bitnapping. You'd have to request some sort of recompense in exchange for releasing / in order for it to be "holding random".
Let's say he was hit by a bus, killed, and consequently unable to disclose the password. Would he be guilty of computer tampering in that case? How about the bus driver?
Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.
He should be commended, not disgraced.
Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.
Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).
The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.
The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
Is there an "irrelevant california douchebag" tag we can apply to stories?
I want to delete my account but Slashdot doesn't allow it.
He was given the option to hand over the passwords and walk away or face jail time. He could have handed everything over (even though it violated a contract) and it would all be forgotten. Through some misguided sense of morals or utter stupidity he chose to let it go to trial.
Don't kid yourselves for one second, juries are stacked with wishy washy room temp IQ dullards who are easily swayed on emotional opinions. Do you think this jury had any clue what a password file or network topology was? He was portrayed as a rogue agent against the goody two shoes city and they fell for it.
Only the State obtains its revenue by coercion. - Murray Rothbard
Best way to save yourself is to use "fuckyou" or "ihavenoidea" as the main password.
-"Terry for the 50th time: what is the password?"
-"fuckyou"
-"officer, arrest him."
Views expressed do not necessarily reflect those of the author.
Look. I know IT doesn't have a union. And I wouldn't want one as a programmer and sysadmin based one everything I've ever seen about a union. But this is the time to speak out through actions.
Any IT professional of any competence, and with any amount of self respect needs to refuse to do business with ANYONE who services the city of SF--directly or indirectly. I will be, and will indicate as much explicitly to anyone acting for or on behalf of the city--directly or indirectly that until a full pardon and compensation is paid to Childs, and the relevant individuals are removed from office for corruption, I will not provide any professional services.
If the relevant DA or mayor retires or resigns without reprimand and appropriate court sanctions, I will *never* provide such services.
Yes, I know many people say Childs acted unprofessionally--that's not the point. By refusing to provide the passwords, it would have been arguably justifiable to fire him. He was arrested for refusing to provide passwords after he was already fired--not his problem any more. Had they arrested him before firing him there *might* have been an argument.
I refuse to work for any organization that supports this. And I hope that the members of /. refuse to as well, unless or until the city releases far more compelling evidence of destructive intent than has come to light thus far.
Of course, it's easier for me to say as I'm two states east...but I've a client or two out there.
Are we getting too hung up on the password issue? Was his refusal to divulge the passwords what he's being found guilty of?
Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person. If the city allowed Childs to hold all the keys, they're pretty stupid. If they had a policy prohibiting that, I could understand why violating it could get you jail time.
What doesn't kill you only delays the inevitable
I wonder how the guys who took over Terry's job feel now. I'd be looking for alternative employment at this point -> like maybe a ditch digger or something that just might not get you pooched by the judicial system.
Talk about setting a dangerous precedent.
It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.
Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.
I thought Random was quite on point. :P
Science advances one funeral at a time- Max Planck
The guy, from what I have read, is not the most pleasant person in the world. However, again from what I have read, he was doing his job (even after being fired), and is being convicted of a crime for doing so (in a scenario where he was liable to prosecution for acting otherwise). What are the IT grunts in America going to do about this?
Apparently it cost the city 200,000 dollars they wouldn't have had to spend. He caused a trial that cost more money. I'd say he did quite a lot of damage to the city and I call that detrimental.
Yes a city works slightly differently that a corp. Not much at his level.
Why bother
-Terry for the 50th time: what is the password?"
-"fuckyou"
Unfortunately that may be how the conversation actually went, but without the joke. I would like to think that in a situation like that most people would say something like: "I want to help, I really do, but if I may please explain, there is a policy..."
However real people under real stress can behave in less than rational ways. And, sadly, in the real world even a small single negative action can result in an avalanche of unpleasant reactions.
he deserved to be fired, not go to jail. His refusal to hand-over passwords was certainly grounds for firing but it's not clear he broke the law. To a certain extent he is a victim of his own arrogance but also of the ignorance of everyone surrounding him. Maybe he was right? Maybe they all are idiots and he was better off not trusting them? In any case his obligation ended when he was fired.
I'm posting anonymously, but I remember some of the folks were really spooked that he'd deleted images off devices and wiped configs so that if they were rebooted, they would no longer pass ANY traffic. The city called us to see if there was a way to recover passwords without rebooting the boxes. A tampering conviction fits.
Slandering the jury is totally appropriate. It's part of the system. They made a bad call. They made a ridiculously bad call. They made a howlingly, ridiculously bad call. Morons, one and all.
Part of the loveliness of living in this country is that I now get to stand up and sing out like Monty Python that twelve mouth-breathing baboons -- no offense to the ACTUAL baboons in their red-butted glory, mind you -- twelve pin-headed boot-licking idiots just sent a man to prison for poor social skills.
And it is entirely appropriate that the denizens of this board call them on it.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
To Terry Childs,
When you finish your sentence, I will have a position waiting for you as an administrator of our large company network. Your devotion to network security, network policy, and willingness to defend them at all costs are a valuable commodity. My company and I would be very happy to employ you in a senior technical position. I can find network experts all over the internet, but it is much harder to find those that would defend their network at risk to their own liberty. I applaud you Mr. Childs.
A lot of differing opinions being tossed around here.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at eachother.
Thank you in advance for not modding me "Troll" and "Offtopic".
There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.
Some may work up some emotion over this, but I don't think this will really be a surprise to many people.
Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.
You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."
OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.
You: "Give me the password."
Your employee: "No."
You: "You're violating my policy - I need the password."
Your employee: "I disagree. I have my own interpretation of your policy."
You: "You're fired."
Your former employee: "Great, now I definitely won't give you the password."
You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."
Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."
Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.
Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.
Tired of Political Trolls? Opt Out!
...but I remember enough to say that holding a city's computer systems random [sic] (which is essentially what he was doing) certainly deserves a guilty verdict on a count of "computer tampering." You really think it's acceptable under any circumstances for someone to hijack a network like that? Yes, he works there and technically "administrates" those machines, but he has a duty to his employers (ultimately, the citizens), and he was not upholding that duty.
I remember it differently. Either that or this is for some other definition of "hijack", "ransom", and "duty" than the definitions commonly used and found in the dictionary.
"hijack" : He didn't take it over, he was the network admin.
"ransom" : He didn't ask for any ransom, he stated he would only give the password to the Mayor.
"duty" : According to how he interpreted the written job requirements, giving the password to anyone else much less a roomful of known, semi-known, unknown and a phone full of unknown people did not match the written security requirements.
Frankly, from what I've read, I agree. Although, I would hope and expect that the jury has a good deal more information than I have. It does scare me that an ignorant jury could have just been afraid of a "Oh my god!, computer hacker" and convicted him on their emotional response rather than intelligent deliberation. I hope I'm just missing some of the info they had.
Oh, no, your poor behavior has caused me to hurt my fist when I punched your face in for it. I guess I'll just have to punch some more!
The cost of prosecuting him is not to be counted against what he cost the city unless I get to charge you for hurting my fist when I punch you.
Need a Python, C++, Unix, Linux develop
No if you assault me you can't get medical damages from me.
Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.
In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.
Fuck off
Wish I had mod points.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Resetting the passwords on a router that you have physical access to is trivial. This turned into a showdown. There was never any need to detain Childs and demand the passwords from him other than to avoid a physical visit and reboot of every router on the network. The city apparently decided to send a message that ex-employees will not be allowed to cost their former employer thousands of dollars because they wanted to act like children.
The only thing Childs could have accomplished was to force the city to do a little extra work, they were never at risk of not regaining control of the routers. He had to have known it, unless he was incompetent.
He might be a hero to some and a fool to others, but in the end, he has to live with himself... and survive with himself. Now he will be pretty lucky to have a normal life from this point forward. Odds are, he won't. There are lots of "wrong" things going on in the world every day. If you are asked to do the wrong thing in a similar circumstance, the one best option he could have taken was to quit and walk away giving whoever wanted/needed info is needed... to a point. Personally, if I was the only one with passwords to whatever, I'd just claim not to remember them and to tell them where all the devices are so they can seek them out and reset them manually. Frankly, why they didn't just hire someone to find all of these points of access and lock them out is beyond me. He was a jerk and simply needed to be cut off.
Is to perhaps not be knee jerk about what "the right thing," is. Don't presume you know better than everyone, don't presume you are the one with whom the buck should stop and so on. You need to be able to look at the bigger picture. While you might think "the right thing," is for you and only you to have access to the systems because you feel you are the only one smart enough to handle it properly, well consider two things:
1) What happens if you are rendered unavailable? You could die, become incapacitated, whatever. What happens then if you are the only one who has the keys to get in? All of a sudden "the right thing" turned in to a rather large disaster.
2) Consider that maybe you aren't as smart as you think you are, or perhaps that everyone else isn't as dumb as you think they are. Perhaps your boss is perfectly capable of having the password as a backup and not using it to cause any trouble. You might not think he's smart enough, but maybe you aren't evaluating the situation fairly.
Also just remember that you job in IT is customer service, even if you never deal with customers. Your job is to help make computers do what people want them to. They are tools to reach some goal, and you are someone who helps that happen. Part of that means doing what your customers (which are usually your coworkers) want. That doesn't mean giving them everything, but it does mean not being a stone wall that just refuses to do something. Work with people, try to persuade rather than intimidate and so on.
Finally, when it comes down to it, they aren't your systems, they are the organization's systems and if they want to fuck it up, that's their thing. Argue against it, document your objections, but if that's what they want, let them do it. It isn't your place to stop it.
Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile
You know, staying stuff like this is an insult to people who live in / come from places where the government and police *are* truly corrupt. I once worked with a guy from Brazil who was happy when he went through a police roadcheck because it reminded him he wasn't in Brazil. In Brazil he would have had to have paid a bribe to the police, been detained hours, or risked being pulled from his car and beaten. Here it was a few questions and 'have a nice night, sir' - And he was an olive-skinned guy driving a new Nissan. In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to. In many parts of the world they'll kick your door in without asking, trash your house, and rape your daughter for good measure.
I know absolutely nothing about the San Francisco network. But I find it interesting that Childs said, "These idiots can't be trusted with the passwords," and the second the idiots got the passwords, they published them for the world to see.
Sure enough, those idiots should not have been trusted with the passwords. Hard to fault a guy when they immediately proved him right. :-)
By the way, since this is a municipal system, here are some of the functions I've seen municipal systems handle:
1. 911 calls over VoIP.
2. Fire dispatch, as in "Building on fire here"
3. Police dispatch, as in "Crazy guy with gun over here."
4. Police data, as in "The license plate you just pulled over is driven by a violent felon."
5. Videoconferencing that connects lawyers to their clients
6. Utility billing/disconnect, as in "These people need their water/power/garbage cut off."
I could go on and on.
Wanna see your basic "evil hacker" movie play out in real life? You couldn't take over the world, but you could make some people miserable. Maybe even get a few of them killed when help doesn't arrive when it should...
Not all computer networks are about making sure Sally in accounting gets her email.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Here's an earlier comment that discusses the city policy.
And here's a quote from the password policy of the city, which is in that link:
"Password Policy"
As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis"
"Do not share County passwords with anyone, including administrative assistants or secretaries.
All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid
-Telling your boss your password.
-Talking about a password in front of others.
-Telling your co-workers your password while on vacation."
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
As we can see from the city policy, telling your boss is already out, and talking about your password in front of others (the individuals on the other end of the phone line) is also a no-no. Terry Childs did the right thing by not giving out the passwords to anyone but the Mayor. Did Childs' boss ever get in trouble for breaching city policy? Probably not.
Best "String" Ever!
Rather than investigate what you've just claimed, I'm going to ask if it makes any kind of sense to have a restrictive policy on disclosing one's user level password, and expect that you'll just turn over a system level password to an unknown number of unknown people.
Of course he shouldn't have had sole administrative access to the network; however, it seems likely that the fastest typist among the authorized, well intentioned people hearing this information would be far outpaced by the hypothetical fastest typist among any hypothetical bad guys.
Assuming youre assertion is correct, it is evidence that the people he worked for were even more incompetent to handle the network than he feared. That doesn't put him on the right side of the law, but it does make his position sound a lot more sane.
ivan
Like to brew? Want to talk about it? Brattlebrew: groups.yahoo.com/group/brattlebrew
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.
This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
Besides, taking someone with technical skills who, by the sound of it, has strong ethics and unfairly convicting him of a felony computer crime isn't particularly smart. When he gets out, he's not going to have much respect left for government, and as an ex-con probably won't be able to get legitimate work in his chosen field. Great way to turn an otherwise honest guy into a white-collar criminal.
Brilliant. Just brilliant.
The higher the technology, the sharper that two-edged sword.
This is a post written by someone who has clearly never actually been to a country with corrupt police, and having been to a few my self I was quite happy to get back to Western Europe/N.A. where people don't realize just how lucky they are that bribery is something we talk about on TV not the only way to accomplish anything.
The police do not have the authority to force you to disclose passwords. You see, here in the US we have these things called rights.
I think Terry Childs would disagree with you. He didn't tell the police his passwords, and he went to jail for 5 years.
I was speaking metaphorically. I meant criminal. And, in my opinion, it's a gross miscarriage of justice to make someone pay for their own prosecution. It's basically punishing them for not pleading guilty and trying to defend themselves. That would have the effect of causing a lot of innocent people to plead guilty.
Of course, plea bargaining already does that, and in my opinion is a strong argument against plea bargaining. They all come from the mindset that a conviction is better than justice.
Need a Python, C++, Unix, Linux develop
I agree. The government should impanel special juries comprised of Geek Squad technicians and entry-level LAMP developers just so that Slashdotters can be judged by their "peers".
During the time Childs was an employee, did the people requesting the passwords have authorization to do so?
Hey, give 'em time. Our cops and government are still learning the ropes.
What changed under Obama? Nothing Good
Reminds me of that Feynman story where he goes down in the middle of the night and removes one of the doors. The next day everyone is upset and they demand people swear that they did not do it. So it goes around the room:
Person 1: "I swear I did not remove the door." ... and so on. Then it gets to Feynman:
Person 2: "I swear I did not remove the door."
Feynman: "Yeah, *I* took the door."
Upset Dude: "Oh, stop kidding around Feynman. Next!"
Person n: "I swear I did not remove the door."
Hit point was that afterward, even though he did admit to taking it, at the time they dismissed it as him not being serious and all they ultimately remembered was everybody denying taking the door.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Was there no clearly identified chain of authorization here? Why didn't SF quickly provide evidence of who was authorized? You would think this would be the very first thing they would provide, the hammer that would efficiently drive the nail in Childs' legal coffin. The fact that you had to wade through reams of document and "divine" such a key piece of info is telling. If it took a group of 12 persons to sift through this, how was Child supposed to summon this knowledge too?
I am that network engineer that was on the jury (see long post further down).. His manager was an idiot, but I have worked for worse, including one that was put on medical leave for psychiatric issues after people learned he was bringing a gun to the office. I understand what it's like to work in a situation like that. However, if I am brought into an office with my manager's manager, an HR representative, and two police officers, and asked to provide access (important keyword -- access!, not my personal password), you can bet I would feel the situation unfair but I would provide that access.
Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.
He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.
Except for the fact that he had disabled password recovery. So now there was no way to access those devices or their configurations.
You say
essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it.
And yet you claim
He was not released for "having his own opinion" or being "a lone holdout".
It sounds to me from what you've written here that having his own opinion is exactly why he was removed.
This juror may not have explained his opinion to your (and perhaps other jurors') satisfaction - but unless I'm mistaken jurors are charged to render their verdict, not to satisfy the other jurors.
This person may have indeed had all the social graces of a rock, or it may have been the case they were being coerced by the mob behavior of the rest of the jury. I don't know, I certainly wasn't there. Important points may be in the full details you chose not to give. And we only have your experience of it - we don't have theirs.
It sounds like, if you were in fact on the jury, you were taking your responsibilities very seriously. But from what you've said this jury incident sounds a lot like the entire event in microcosm: someone with no social skills stands up for their principles in the face of public pressure to do the expedient thing, and is punished for it.
I appreciate you taking the time to respond. It was really very helpful and illuminating. Thank you again.
In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to.
Hahaha...
Oh wait, you are serious about believing that?
Having been a recipient of a corrupt cop lying in order to come up with a reason to arrest me so he could impound my car and perform a "custodial inventory" (re: search without a warrant), sitting in the back of his squad car for 3+ hours, and then having to pay the impound yard $280 per hour, plus $55 per night plus a $75 processing fee, totaling $970 to find absolutely nothing at all... please don't tell me the cops in america aren't corrupt.
The only difference is that the bribes (in this case kickbacks from the impound yard) have to go through 1 more layer of obfuscation before the cop gets his cut from the tow yard vs. paid directly.
For some reason my word alone isn't enough to counter the cops witness testimony, but the cops witness testimony is enough to convict.
All this because a racist white cop saw an asian in a sports car in an area that is predominantly hispanic and just had to find those drugs that didn't exist
The irony is that what the cop claims happened is not physically possible for any consumer car (let alone a sports car that costs less than $25k) yet in order to prove in court that the numbers don't add up it would require $25,000+ in expert witnesses to fight.
P.S. in America, the cops will knock down your door, steal loose cash, shoot you, then plant cocaine on your person and claim they just did a drug bust.
Kinda related but in first aid training we were told never to give first aid to an American because they'll sue you.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.
In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.
I see you got that chain email too.
Care to show us these cases? I've started googling and have only come up with sites debunking it.
I know they're so easy to believe since the [skewed] McDonald's hot coffee case, but let's try and be skeptical when we hear about any ridiculous lawsuits.
You think he was acting professionally and following policy? Look, I'm aware that his defense spread some story about the rules. You haven't read them, but I have. Here's from their rulebook:
"In accordance with these strategies the following policy statements apply to the key areas and functions of the Security Perimeter. In all statements where the “County Authority” (CA) is mentioned, depending on the County reporting structure, this can be the CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)."
"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
Obviously he hated having to do what his boss told him enough to go to prison. But something tells me that if we go through the records of all the people who asked him for the passwords (and by the end it was certainly more than just his boss), we would find that among them were at least one person "in Information Security," or who was "CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)." [emphasis added]
You can see for yourself his actions don't match policy. He was just crazy enough to think he could still use password-blackmail to torch his boss to the mayor - from jail.
And that's even without looking at the detailed information that emerged from the trial:
"This jury was not made up of incompetent people. ... I myself am a network engineer with a CCIE and thirteen years experience. ... No matter what you think ... you do not have ... even 10% of ... the full story. I am confident that we reached the correct verdict. ... ... [was] who is an "authorized user"? ... We did ultimately determine ... beyond any reasonable doubt ... his boss' boss was an authorized user."
One of the most difficult questions for us to answer
More here - this juror is a /. user and these are from his posts.
Funny how the truth gets buried and ego is always at the wheel.
Tired of Political Trolls? Opt Out!
So let's assume that he violated policy in refusing to give the password to his boss's boss or create accounts for people. How does this amount to a criminal offense?
If he violates policy, then fire him. But it's the fault of his boss to let him be the only person with access to the system for this long. They should have had other qualified people working with him to help maintain what is described as such an important system. I'm confused about when this goes from being a personnel matter to a criminal matter. Is this just because he was a government employee, or does this extend to the private section? The implications of this become very scary.
He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.
A citizen is not required to follow the law. It's called Jury Nullification. On the other hand, not explaining yourself isn't going to work. You pretty much have to know why you think what you think.
On the other hand, we just have to believe whatever you say, and I'm not willing to do that. This is why no court proceedings should ever be secret. We cannot judge the efficacy of our legal system in that manner. We need to know precisely what happened in the jury chamber to know if this juror should have been removed, or not. The only thing we in fact do not need to know is how each juror voted.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I helped set up a simple solution to this scenario years ago for a local hear aid provider.
The root password for their systems was double-blind. The CIO came in and set the password. The Lead network engineer changed the name of the root account (but didn't know the password).
Each component was forwarded to legal records hold for archiving in separate email.
Since no one was allowed to use the root\admin accounts (everything via sudo effectively, hence the double blind setup) in the event of an emergency a simple phone call to legal records hold would retrieve the information if the CIO and admin were not available. Add the two together and problem solved.
Child's could have just as easily secured the password before hand with a policy doing something as simple as a 2-part cypher with 1 part in the hands of the govenor and the other part documented with instructions on retriving the 1st part from the govenor.
e.g. passwd
(Disable backspace key sequence)
(Admin types first 4 characters, leaves room)
(CIO types last 4 characters hit's enter.)
Admin and CIO email legal record hold with their portions.
This was about paranoid liability of someone busting the network, not securing a core password.
I've had to L0phat more then one NT server that a rogue admin tried to lockout the system after getting canned during my career (retired geek now thank God). The most recent one was a net admin that had a $100,000 quarterly budget but we could only find 22k worth of assets at the company (And why did he need 3 22 inch monitors and had every workstation running NT Server edition even though they only paid for 4 licenses of Server....).
From a liability standpoint Terry, or anyone can follow this simple guideline:
If your company has a legal record hold service, periodically gather your configuration files and documentation and forward that information to legal record hold. If not periodically print them, label them as "Legal Record Hold" or "Legal Retain" and sign and date them.
Most government offices have a legal record hold office. If you are terminated and they come back after you you can have your lawyer request the last copy of the configs you sent to legal records hold and compare the current config. Not only that but a quick check of the config's last modified date will confirm if you you have legitimately made that change. In addition if they try and come back and say you came into the system after being canned, the burden of proof is one them to show you had access. It would be a staggering embarrasment if they didn't change master passwords you had access to.
If possible I would go further and use mandatory CVS\RCS\Git etc... for config files of any kind in your process with an audit. The RCS system should be in the hands of the legal records retainment (i.e. independent of netOps) for auditing. Liability then can be quickly determined (Jeff left the company on 3/12 and no issues. On 3/24 Eric made a change and all hell broke loose. No point in going after Jeff, no liability. Eric likely broke it... wait Eric was on vacation and lives in Utah, the VPN came from Washington... where Jeff lives with a similar IP as Jeff's last! Oh shit call the cops!)
Network admins tend to forget\overlook the need to audit the configs, not just for operational purposes, but for legal due-dilligence reasons as well.
Revision Control on Configs + Audits + Double Blind Root\Admin + Mandatory sudo = Reasonable Liability Tracker.
I'm retired now ... almost 5 years now I think and I am sure things have changed so don't take my suggestions as gospel but at least out of this we can starting thinking a bit more on how we manage our networks, not just from an operational standpoint but Risk, Liability, Business Continuity, and Legal viewpoint as well.
AND USE A RCS FOR CONFIGS!!! IT'S NOT JUST FOR TRACKING CODE CHANGES! IT'S AN AUDIT TRAIL AS WELL!
-=[ Who Is John Galt? ]=-
The city didn't have the configurations stored anyplace else, and the routers were configured in such a way as to not allow password recovery. If you look at the list of city services that were being handled by this system, it's not exactly something for which you can simply declare "planned downtime" and go to work.
What folks here need to get their heads around is that (a) the managers responsible for this system are badly incompetent and handled this in the worst possible way*, and (b) at the end of the day that still doesn't matter for shit -- he still broke the law, he dug himself a hole and he paid (and likely will continue to pay) the price.
The jury found the guy guilty because he was guilty -- the mitigating factors here don't justify or excuse his actions. That's exactly what they're supposed to do, and I'm certain it's what I would have done in their place.
* One of the jurors was quoted saying this: "We had a lot of sympathy for him... He was put in a position he should not have been put in... Management did everything they possibly could wrong... There was ineffective management, ineffective communication. I think that if they put the city on trial, they would be guilty, too."
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I'd like to not commit an ad-hominem attack on the Jury, but sadly I cannot understand how 12 right-thinking people came to such a ridiculous conclusion. Unfortunately, people are rarely right-thinking.
You just described the old lady who walks into the deliberation and and says "He's guilty."
Why?
"Because his charged with something, so he must be guilty."
The Jury review is supposed to weed defective things like this out. But it is in the best interest of the prosecution, and horribly immoral, to get as many people who think like this in that Jury box as possible. Next to the 'person awed by the power of something they read in a detective novel' these people are their best friend.
Humans judging other humans is about the worst possible thing you could ask for. Except for all the alternatives.
People will trust authority over facts, judge bases on clothing and hairstyle and attitude over facts and ignore anything that disagrees with a pre-existing idea about the world (e.g. their religion.) The selection process is supposed to catch a lot of this. Sadly, stacking the Jury is as old and the Jury trial itself.
As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.
It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."
The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."
Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?
The law he violated was CA Penal Code 502. That code deals with denial of computer service. He was the only person with access to a large and critical computer network. He was being reassigned and would no longer be working on that network. Obviously, you cannot have a network with no administrator(s) to manage or maintain it. He refused to provide access to that network. Not just simply refusing to tell his passwords, but refusing to provide access at all, even configuration backups. Furthermore, he configured the network in a manner which prevented any attempts to access it or reset the passwords, and in a few scenarios those attempts would have even brought the network down.
There were no formally adopted policies for computer or network security. Even then, there are common sense guidelines in the IT industry about sharing your password. But what common sense guideline is there that if you are assigned off of a project, you should then lock out the ability of anybody else to administer it?
Yes, I was on the jury (see my post further on down). An essential part of jury deliberations is keeping an open mind, explaining your thoughts and opinions, and listening to the opinions of others. This was not the case here. I really won't go into the details on the matter as to not reveal personal information or background on the juror, but not only did he not do those items above, he also refused to follow the jury instructions and the legal definitions as provided by the judge that we had to use in our determination of the facts.
While you are allowed to look at testimony differently and debate that, you can't decide that a legal definition as provided by the judge is something you don't agree with and therefore won't follow. Essentially, you're supposed to follow the facts and then come to a conclusion. The problem here was that one person had a conclusion beforehand, and wanted to change the facts to fit it. It just doesn't work that way.
I'll try to answer all the questions you presented. Yes, the relevant part of the law we convicted on was 502(c)(5). We were not even presented with the other portions of the penal code listed above. Specifically, he denied computer service to an authorized user without permission. The specific act here was not providing access to the FiberWAN routers and switches upon the request of the city's COO. For the permission part, he did not have any permission from anyone to not provide that access. We looked through the evidence for anything that would indicate that he had permission to deny access to an authorized user, but there was no such evidence. There was evidence, however, that it was part of his job duties to provide that access to authorized users.
"Computer services" is one of several terms with which we were provided specific, legal definitions which we were to follow. The computer service in question which he denied access to was the management and maintenance of the FiberWAN routers and switches themselves. Authorized users was one of the harder points to distinguish in this matter because there really was no formalized process to authorize or deauthorize users. However, we came to the conclusion that he knew that the person asking for access was authorized to obtain that access. This was made evident by many of the emails we had in evidence. Further, at this point, he had not been fired, but did know that he was being reassigned. Also, if they had not been authorized users, but he had given the passwords, he would not be guilty of the other sections because his actions would then have been both permitted, and within the scope of his employment because he was following the directives of his superiors. The fact that he eventually did relinquish the passwords to the mayor, I think, shows a continuation of past behavior in which if he didn't get what he liked he would simply go to the next higher person in the chain.
His actions were definitely not within the scope of his employment. We examined his job description, performance review, and many other documents to determine this. In fact, we determined that one of the main aspects of his employment was to maintain the stability and resiliency of the network he supported, and his actions actually were doing the exact opposite. Configuring a network to have no console access, to have the core routers come back from a power failure with no configuration, hiding the backups in locations unknown and encrypted -- these are all things that seem to go against what he was supposed to be doing in his work assignment.
There was a central password database (TACACS) in this case, that could have definitely been used here, but that really didn't play a large role in the deliberations.
I think the law fits this situation. I don't think anyone had really thought ahead that this type of situation would come up when it was written, but it certainly does fit. We were beyond a reasonable doubt. We actually brought that up many times as we wanted to make sure of that, and we many times did search through evidence and found things that did reinforce that.
Terry Childs was treated far worse in this matter than he should have. Personally, I think once he gave up access to the mayor, they should have dropped the charges, and at worst charged him with some sort of misdemeanor. From what I understand after the case, the bail was set so high because they were afraid if he was not in jail, he would have some sort of hidden access to the FiberWAN and would do something to damage it. However, I don't see why that bail couldn't have been reduced after the access was provided and other engineers cleaned everything up and made sure it was safe. The money that the city spent was actually spent before access was given to the mayor. This money was spent on recovery efforts by Cisco and other in reasonable efforts to regain access to the devices.
I know it seems like a clear cut case of office politics, and that's what I thought too before
There has been very little quality reporting on this case. Thanks for posting your comments on it. It would be really nice if you could take your 200 pages of notes and write up a summary of the key evidence (or maybe just post the notes).
According to the linked article there must have been a finding that Mr. Childs caused at least $200,000 in damages. I have not seen this addressed anywhere*. Would you care to comment on that? How was this number arrived at? Would the damages have been different if he had been hit by a bus?
*The article has been amended to indicate the city incurred $1 million in expenses to regain control of the network and do vulnerability testing.
Definitely not an attorney. I just went and read the actual statute. This is slashdot, we rarely ever even bother to read the article. Thank you for your responses on this.
I have to say, it's amazing how many issues one run-on sentence in a legal statute. Personally, I still think that you collectively made the wrong call on this. Not as a matter of compassion or as a matter of balancing the scales against some clear injustices on the other side as many have suggested. Two things bother me. The definitions of authorized users and of denial in the context of this law.
You've addressed the authorized user question fairly extensively, but I still don't agree. You determined that Childs at one time believed his boss' boss to be an authorized user, but I think it's still reasonable for him to cease believing that his boss is an authorized user. At least to such a degree that there's reasonable doubt that he knowingly denied access to an authorized user. As others have said, if it took that long to work it out, how could Childs really have been sure. Especially given his apparent belief that incompetence was sufficient to disqualify a user from being authorized.
The issue of denial is the real biggie for me. I read that law and see the section that boils down to denial of computer services. In my mind, I have a very clear idea of what a denial of service attack is in the context of computer services and it's active, not passive. I keep thinking about what the situation would have been if he'd just quit and moved to Wyoming, etc. The law seems to be for attackers, not people who just cease to be helpful.
Here's a thought experiment from another post: Bob is a network administrator. Bob sets the password for the network but doesn't write it down directly. Instead, he just writes down a reminder. Bob gets hit by a bus, and the only thing everyone has to go on is a scrap of paper that says "the private nickname I had for my first girlfriend". So, they track down his first girlfriend and ask her what the password is. For her own reasons, she refuses to tell them, even after they prove to her that they are authorized users. So, based on this law, she is knowingly and without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user of a computer, computer system, or computer network. Using the definition of that law that was used to convict Childs, she would be just as guilty as Childs has been found. The only thing in the law that she might be able to argue is the permission bit, but clearly she doesn't have permission from anyone to deny them access to their network (as senseless as that is in this context, it's a hundred percent true), so she's a felon. The fact that she's not an employee of the owner of the network doesn't seem to protect her under this law. Employees get a little extra protection than her, in fact.
I just don't know anymore. It seems like more and more things are becoming life-destroying crimes that would have once been handled in-house or as civil matters or just not been crimes. Violation of computer use policies. Children looking at each other naked. Letting the kids have an unsupervised party. All manner of copyright violations. Being rude to flight attendants. So on and so forth. I may just be suffering from curmudgeons disease, but it seems like we're getting less and less free in just about every way. This case especially rubs me the wrong way because it hits so close to home.