Slashdot Mirror
Terry Childs Found Guilty
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
← Back to Stories (view on slashdot.org)
he is a sysadmin that refused to disclose passwords to an office which had the prudence to disclose ALL of those LIVE passwords and usernames as evidence in a public court ... exposing personal information of millions of citizens in public databases ...
i doubt that randomly selected array of 20-30 americans would be able to understand how insanely stupid this is.
Read radical news here
Remind me never to do the right thing ever again.
It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.
Remember that juries are made up of the twelve people who weren't smart enough to get out of jury duty.
What this really all comes down to is that once a company fires you or lets you go you are still obligated to that company.
I don't care if it's a government organization or a corporation as far as I'm concerned once they let you go there should be no more ties to anyone from either side.
I guess it's true...the shackles don't come off even if they put you back in the general population.
"Bah!" - Dogbert
The lesson here is to do whatever your boss says, even if it is incredibly stupid and will make your job entirely unmanageable...
Well, I would have to agree that my 'inner security geek', would have had to swallow really hard a few time before stating production passwords over a teleconference with unknown people. Hell, I would expect to be fired just for doing that.
Damned if you do, damned if you don't. Sometime you just have to suck it up and go look for another job. The sad part is that Terry was probably just a conscientous civil servant, and the boss was a know-nothing political appointee. Terry had probably seen more than a few of these appointed ass-hats come and go, and figured this was just another little tempest that would blow over.
Poor guy
Wherever You Go, There You Are
...holding a city's computer systems random...
Yes, I see where that might be an issue... ;)
Veni, Vidi, Velcro!
Fuck off. He followed the fucking city policy, maybe he was a jerk about it, but that doesn't make you right about him.
Let's say he was hit by a bus, killed, and consequently unable to disclose the password. Would he be guilty of computer tampering in that case? How about the bus driver?
Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.
He should be commended, not disgraced.
Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.
Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).
The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.
The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
Best way to save yourself is to use "fuckyou" or "ihavenoidea" as the main password.
-"Terry for the 50th time: what is the password?"
-"fuckyou"
-"officer, arrest him."
Views expressed do not necessarily reflect those of the author.
I wonder how the guys who took over Terry's job feel now. I'd be looking for alternative employment at this point -> like maybe a ditch digger or something that just might not get you pooched by the judicial system.
Talk about setting a dangerous precedent.
It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.
Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.
Funny you should say that. The last jury I sat on, the woman sitting across from me was a programmer. Her exact words to the judge, when he asked her employment were, "I twiddle bits". He blinked, and she got a lot more formal afterward.
By the way, she was also the first to vote to convict when we got back to the jury room. Binary logic was not working in the defendant's favor with her.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
I'm posting anonymously, but I remember some of the folks were really spooked that he'd deleted images off devices and wiped configs so that if they were rebooted, they would no longer pass ANY traffic. The city called us to see if there was a way to recover passwords without rebooting the boxes. A tampering conviction fits.
A lot of differing opinions being tossed around here.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at eachother.
Thank you in advance for not modding me "Troll" and "Offtopic".
There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.
Some may work up some emotion over this, but I don't think this will really be a surprise to many people.
Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.
You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."
OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.
You: "Give me the password."
Your employee: "No."
You: "You're violating my policy - I need the password."
Your employee: "I disagree. I have my own interpretation of your policy."
You: "You're fired."
Your former employee: "Great, now I definitely won't give you the password."
You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."
Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."
Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.
Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.
Tired of Political Trolls? Opt Out!
Fuck off
I know absolutely nothing about the San Francisco network. But I find it interesting that Childs said, "These idiots can't be trusted with the passwords," and the second the idiots got the passwords, they published them for the world to see.
Sure enough, those idiots should not have been trusted with the passwords. Hard to fault a guy when they immediately proved him right. :-)
By the way, since this is a municipal system, here are some of the functions I've seen municipal systems handle:
1. 911 calls over VoIP.
2. Fire dispatch, as in "Building on fire here"
3. Police dispatch, as in "Crazy guy with gun over here."
4. Police data, as in "The license plate you just pulled over is driven by a violent felon."
5. Videoconferencing that connects lawyers to their clients
6. Utility billing/disconnect, as in "These people need their water/power/garbage cut off."
I could go on and on.
Wanna see your basic "evil hacker" movie play out in real life? You couldn't take over the world, but you could make some people miserable. Maybe even get a few of them killed when help doesn't arrive when it should...
Not all computer networks are about making sure Sally in accounting gets her email.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.
This is a post written by someone who has clearly never actually been to a country with corrupt police, and having been to a few my self I was quite happy to get back to Western Europe/N.A. where people don't realize just how lucky they are that bribery is something we talk about on TV not the only way to accomplish anything.
The police do not have the authority to force you to disclose passwords. You see, here in the US we have these things called rights.
I think Terry Childs would disagree with you. He didn't tell the police his passwords, and he went to jail for 5 years.
This was one of the most difficult questions for us to answer. Specifically, who is an "authorized user", and who determines who those people are? I won't go through the mounds of evidence we went through to get beyond any reasonable doubt on this issue, but we did ultimately determine that the person requesting the access (his boss' boss) was an authorized user and should have access upon requesting it.
One really important thing to note here is that it wasn't a concern that he did not provide "his" passwords. The real problem is that he did not provide access -- in any form, even in the form of creating new accounts for those requesting it.
I was a juror on this case (see post way far below). I am a network engineer with thirteen years experience and a CCIE certification. All of my fellow jurors were highly educated individuals. Although none of them were fellow network engineers, they were a far cry from "wishy washy room temp IQ dullards".
We were not swayed at all by emotional opinion, because if we were we probably would have acquitted because we all agreed that the situation Terry Childs was put in was not called for. However, the facts in the case bore out the verdict we reached.
I am that network engineer that was on the jury (see long post further down).. His manager was an idiot, but I have worked for worse, including one that was put on medical leave for psychiatric issues after people learned he was bringing a gun to the office. I understand what it's like to work in a situation like that. However, if I am brought into an office with my manager's manager, an HR representative, and two police officers, and asked to provide access (important keyword -- access!, not my personal password), you can bet I would feel the situation unfair but I would provide that access.
Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.
He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.
Except for the fact that he had disabled password recovery. So now there was no way to access those devices or their configurations.
It was more difficult because there is no legal definition of "authorized user", and in that case we are left to use a common sense definition of the term. That may be easy to do, but the harder part is determining who those people are, because in different companies and organizations, policies in place many time determine who they are. So now we have another problem here in that there was no formal policy or procedure in place to determine who is an "authorized user", so we had to use the evidence available to us to determine who Terry Childs would reasonably believe an authorized user would be.
To do that, we had to look through a lot of testimony, in addition to pieces of evidence which showed who he had previously determined to be "authorized users". In the end it was our determination that he knew the person requesting access was authorized to have it. Like I said, this was really the hardest question for us to answer, but after examining job descriptions, job vacancy bulletins, performance appraisals, numerous emails, etc., we were able to reach the conclusion we did.
Terry Childs already had this knowledge (as evidenced in the emails). We had to spend the time to sift through all the information to make sure we were beyond a reasonable doubt about this conclusion.
Thanks for your comments, I hope I can address them all. First, he was not fired before asked for access to the FiberWAN. And there's a big distinction there -- not only was he asked for passwords, he was asked for "access". I can understand not giving up your personal username and password, but also not allowing anyone else there own access is entirely different. However, he did go into this meeting knowing that he was being "reassigned", so I'm of the frame of mind that he actually thought he was being fired. After a long period of different claims -- including that he didn't remember them, that he himself had been locked out of the system for three months (even though he was working on it that morning), providing incorrect passwords -- he was placed on administrative leave. He was even scheduled to have a meeting the next week with the CTO of the city to discuss the matter. However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.
His representation was very good and did a great job in presenting his defense. However, the prosecution was also very good and presented some pretty damning evidence. The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission. We had legal definitions provided for many terms, including "computer service" and from this we were able to determine that the ability to manage or configure the routers and switches of the FiberWAN is a "computer service". So, in a nutshell, he broke the law by denying to the COO and others within the IT group the ability to manage those routers when ordered to do so.
I too really wish the case had been dismissed, but I think the city let this story get too large and didn't want to lose face by dropping all the charges. However, as a juror I cannot allow myself to make decisions based on why I think the city did what it did or whether I think that was right or wrong. I really had to take all the facts before me and apply them to the law, and I would hope that if I were ever in court that twelve other people would do the same for me.
Refusing to provide a password is absolutely not a denial of service. That's like claiming losing keys to a rack in a data center is a denial of service.
How this is a criminal act? Was he under court order to stay within the state of California and not touch his money? This whole case was never a criminal matter.
As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.
It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."
The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."
Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?
It's not merely the act of not providing a password that was a denial service. It was the over-arching issue of refusing to provide access at all. Furthermore, there was no way to gain access without significant disruption to the network. He was told he was being reassigned. Therefore somebody else had to take over those administrative duties, but nobody could as he would not provide them. He denied the COO and the entire IT group the ability to administer their own devices.
As to leaving the state, that is not itself a criminal act. Actually, these are facts I learned from the inspector after we reached our verdict. During the trial itself we did not learn the exact reason he was arrested when he was, because that information was not provided to us. From what I understand, he was already suspected of violating the penal code that he was tried on, and when he made those moves (large cash withdrawals, leaving the state), the police were worried he was planning on possibly sabotaging the network or possibly leaving, and that's when they decided to go forward with the arrest and charges.
The law he violated was CA Penal Code 502. That code deals with denial of computer service. He was the only person with access to a large and critical computer network. He was being reassigned and would no longer be working on that network. Obviously, you cannot have a network with no administrator(s) to manage or maintain it. He refused to provide access to that network. Not just simply refusing to tell his passwords, but refusing to provide access at all, even configuration backups. Furthermore, he configured the network in a manner which prevented any attempts to access it or reset the passwords, and in a few scenarios those attempts would have even brought the network down.
There were no formally adopted policies for computer or network security. Even then, there are common sense guidelines in the IT industry about sharing your password. But what common sense guideline is there that if you are assigned off of a project, you should then lock out the ability of anybody else to administer it?
Yes, I was on the jury (see my post further on down). An essential part of jury deliberations is keeping an open mind, explaining your thoughts and opinions, and listening to the opinions of others. This was not the case here. I really won't go into the details on the matter as to not reveal personal information or background on the juror, but not only did he not do those items above, he also refused to follow the jury instructions and the legal definitions as provided by the judge that we had to use in our determination of the facts.
While you are allowed to look at testimony differently and debate that, you can't decide that a legal definition as provided by the judge is something you don't agree with and therefore won't follow. Essentially, you're supposed to follow the facts and then come to a conclusion. The problem here was that one person had a conclusion beforehand, and wanted to change the facts to fit it. It just doesn't work that way.
Bet you one of the conditions of Childs' "release" is a prohibition on using computers for the next 5 years.
You did what you thought right, and interpreted the judge's jury instructions as carrying the same weight as black-letter law. But they don't, and as others have pointed out the catch-all term "jury nullification" can be the right thing to do when the law is an ass, or when the prosecution has wildly overreached. Hopefully this'll be overturned on appeal, and I really would like Childs' managers and the key prosecutor's names to become as well-known as Childs. There was (and still is) plenty of blame to go around.
As others have pointed out, if the employer did not have a police force and court system handy, this never would have become a criminal matter.
Remain calm! All is well!
I'll try to answer all the questions you presented. Yes, the relevant part of the law we convicted on was 502(c)(5). We were not even presented with the other portions of the penal code listed above. Specifically, he denied computer service to an authorized user without permission. The specific act here was not providing access to the FiberWAN routers and switches upon the request of the city's COO. For the permission part, he did not have any permission from anyone to not provide that access. We looked through the evidence for anything that would indicate that he had permission to deny access to an authorized user, but there was no such evidence. There was evidence, however, that it was part of his job duties to provide that access to authorized users.
"Computer services" is one of several terms with which we were provided specific, legal definitions which we were to follow. The computer service in question which he denied access to was the management and maintenance of the FiberWAN routers and switches themselves. Authorized users was one of the harder points to distinguish in this matter because there really was no formalized process to authorize or deauthorize users. However, we came to the conclusion that he knew that the person asking for access was authorized to obtain that access. This was made evident by many of the emails we had in evidence. Further, at this point, he had not been fired, but did know that he was being reassigned. Also, if they had not been authorized users, but he had given the passwords, he would not be guilty of the other sections because his actions would then have been both permitted, and within the scope of his employment because he was following the directives of his superiors. The fact that he eventually did relinquish the passwords to the mayor, I think, shows a continuation of past behavior in which if he didn't get what he liked he would simply go to the next higher person in the chain.
His actions were definitely not within the scope of his employment. We examined his job description, performance review, and many other documents to determine this. In fact, we determined that one of the main aspects of his employment was to maintain the stability and resiliency of the network he supported, and his actions actually were doing the exact opposite. Configuring a network to have no console access, to have the core routers come back from a power failure with no configuration, hiding the backups in locations unknown and encrypted -- these are all things that seem to go against what he was supposed to be doing in his work assignment.
There was a central password database (TACACS) in this case, that could have definitely been used here, but that really didn't play a large role in the deliberations.
I think the law fits this situation. I don't think anyone had really thought ahead that this type of situation would come up when it was written, but it certainly does fit. We were beyond a reasonable doubt. We actually brought that up many times as we wanted to make sure of that, and we many times did search through evidence and found things that did reinforce that.
Terry Childs was treated far worse in this matter than he should have. Personally, I think once he gave up access to the mayor, they should have dropped the charges, and at worst charged him with some sort of misdemeanor. From what I understand after the case, the bail was set so high because they were afraid if he was not in jail, he would have some sort of hidden access to the FiberWAN and would do something to damage it. However, I don't see why that bail couldn't have been reduced after the access was provided and other engineers cleaned everything up and made sure it was safe. The money that the city spent was actually spent before access was given to the mayor. This money was spent on recovery efforts by Cisco and other in reasonable efforts to regain access to the devices.
I know it seems like a clear cut case of office politics, and that's what I thought too before