Slashdot Mirror
Terry Childs Found Guilty
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
← Back to Stories (view on slashdot.org)
Democracy is a form of government that ensures we are governed as well as we deserve.
Remember that juries are made up of the twelve people who weren't smart enough to get out of jury duty.
...holding a city's computer systems random...
Yes, I see where that might be an issue... ;)
Veni, Vidi, Velcro!
Fuck off. He followed the fucking city policy, maybe he was a jerk about it, but that doesn't make you right about him.
As stupid as it is, its the law. He has an obligation to follow the law, not a moral technical compass. If there is a problem with the law then it needs to be changed not broken. You are your technical vigilantes need to be stopped from taking technology into your own hands.
How exactly was he breaking the law? As I understand it, the whole issue wasn't that he tampered with anything. Instead, he refused to disclose the passwords when the person requesting them did not follow proper protocols.
Charming man. I wish I had a daughter so I could forbid her to marry one. -Arthur Dent
Let's say he was hit by a bus, killed, and consequently unable to disclose the password. Would he be guilty of computer tampering in that case? How about the bus driver?
Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.
He should be commended, not disgraced.
Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.
Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).
The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.
The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.
"The pie shall be cut in half and each man shall receive.....death. I'll eat the pie."
Best way to save yourself is to use "fuckyou" or "ihavenoidea" as the main password.
-"Terry for the 50th time: what is the password?"
-"fuckyou"
-"officer, arrest him."
Views expressed do not necessarily reflect those of the author.
According to everything I have read he refused to hand over the password under any circumstance when his supervisors asked for them. There was no "only give to the mayor" rule. He was a regular employee working a regular job where he has the obligation to hand over information requested by his supervisor. After he was arrested and placed in custody is when he stated that he would only give the password to the mayor, not becuase it was a rule or directive but becuase Mayor Newsom was "the only person he felt he could trust". There was no rule about handing passwords over, he felt "None of the persons who requested the password information from Mr. Childs ... were qualified to have it," according to his lawyer. It was his opinion, nothing else.
Why Did He Refuse?
Terry Child built this network. It was his baby and he owned it. He was the only person with access and was on call 24/7/365 and the only person familiar enough with it to work on it. He loved it so much that he applied and was granted a copyright for the network design as technical artistry. His department was going through a series of downsizes and his supervisor began to audit his work, which previously he had free reign in. He got spooked and started snooping on his bosses, which spooked his bosses and it all lead to a stand off.
This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.
A lot of differing opinions being tossed around here.
But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?
We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at eachother.
Thank you in advance for not modding me "Troll" and "Offtopic".
There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.
Some may work up some emotion over this, but I don't think this will really be a surprise to many people.
Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.
You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."
OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.
You: "Give me the password."
Your employee: "No."
You: "You're violating my policy - I need the password."
Your employee: "I disagree. I have my own interpretation of your policy."
You: "You're fired."
Your former employee: "Great, now I definitely won't give you the password."
You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."
Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."
Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.
Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.
Tired of Political Trolls? Opt Out!
There was no "only give to the mayor" rule, but there were "don't tell your boss the password" and "don't say it in front of other people" rules
Fuck off
Hear, hear. Just because the guy is a nerd doesn't mean we have to rally 'round him.
Right. I saw it happening a lot here after Hans Reiser killed his wife. It was pretty damn obvious he did it, but he sure had a lot of otherwise intelligent slashdotters refusing to face facts.
It's a valuble lesson; intelligent people are no more immune to self-deception. They might even be better at it.
What the law says is that your user level password should not be disclosed. This was not a user level password. The law says "All production system-level passwords must be part of the security administered global password management database." He should not be the only person with access to the network. That is why he was asked for the password and should have handed it over. It was not his user level password, but a password to access the network that he built.
I think the problem people have, is that the court should never have been involved at all. Okay... so he's insubordinate and fired. No problem.
AFTER he's fired, they go to him and STILL want him to do part of his job (disclose the passwords). Tough cookies. The deal in employment is "payment received for services rendered". Once he's fired, he is not receiving payment from the city. So he's under no obligation whatsoever to render services.
You can make a case that he was insubordinate and deserved to be fired. But once he *was* fired, he was entirely in the right to tell the city to FOAD. And the court should have told the city to FOAD as well.
Imagine all the people...
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.
This was one of the most difficult questions for us to answer. Specifically, who is an "authorized user", and who determines who those people are? I won't go through the mounds of evidence we went through to get beyond any reasonable doubt on this issue, but we did ultimately determine that the person requesting the access (his boss' boss) was an authorized user and should have access upon requesting it.
One really important thing to note here is that it wasn't a concern that he did not provide "his" passwords. The real problem is that he did not provide access -- in any form, even in the form of creating new accounts for those requesting it.
I was a juror on this case (see post way far below). I am a network engineer with thirteen years experience and a CCIE certification. All of my fellow jurors were highly educated individuals. Although none of them were fellow network engineers, they were a far cry from "wishy washy room temp IQ dullards".
We were not swayed at all by emotional opinion, because if we were we probably would have acquitted because we all agreed that the situation Terry Childs was put in was not called for. However, the facts in the case bore out the verdict we reached.
Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.
He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.
It was more difficult because there is no legal definition of "authorized user", and in that case we are left to use a common sense definition of the term. That may be easy to do, but the harder part is determining who those people are, because in different companies and organizations, policies in place many time determine who they are. So now we have another problem here in that there was no formal policy or procedure in place to determine who is an "authorized user", so we had to use the evidence available to us to determine who Terry Childs would reasonably believe an authorized user would be.
To do that, we had to look through a lot of testimony, in addition to pieces of evidence which showed who he had previously determined to be "authorized users". In the end it was our determination that he knew the person requesting access was authorized to have it. Like I said, this was really the hardest question for us to answer, but after examining job descriptions, job vacancy bulletins, performance appraisals, numerous emails, etc., we were able to reach the conclusion we did.
Terry Childs already had this knowledge (as evidenced in the emails). We had to spend the time to sift through all the information to make sure we were beyond a reasonable doubt about this conclusion.
Thanks for your comments, I hope I can address them all. First, he was not fired before asked for access to the FiberWAN. And there's a big distinction there -- not only was he asked for passwords, he was asked for "access". I can understand not giving up your personal username and password, but also not allowing anyone else there own access is entirely different. However, he did go into this meeting knowing that he was being "reassigned", so I'm of the frame of mind that he actually thought he was being fired. After a long period of different claims -- including that he didn't remember them, that he himself had been locked out of the system for three months (even though he was working on it that morning), providing incorrect passwords -- he was placed on administrative leave. He was even scheduled to have a meeting the next week with the CTO of the city to discuss the matter. However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.
His representation was very good and did a great job in presenting his defense. However, the prosecution was also very good and presented some pretty damning evidence. The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission. We had legal definitions provided for many terms, including "computer service" and from this we were able to determine that the ability to manage or configure the routers and switches of the FiberWAN is a "computer service". So, in a nutshell, he broke the law by denying to the COO and others within the IT group the ability to manage those routers when ordered to do so.
I too really wish the case had been dismissed, but I think the city let this story get too large and didn't want to lose face by dropping all the charges. However, as a juror I cannot allow myself to make decisions based on why I think the city did what it did or whether I think that was right or wrong. I really had to take all the facts before me and apply them to the law, and I would hope that if I were ever in court that twelve other people would do the same for me.
As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.
It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."
The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."
Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?
It's not merely the act of not providing a password that was a denial service. It was the over-arching issue of refusing to provide access at all. Furthermore, there was no way to gain access without significant disruption to the network. He was told he was being reassigned. Therefore somebody else had to take over those administrative duties, but nobody could as he would not provide them. He denied the COO and the entire IT group the ability to administer their own devices.
As to leaving the state, that is not itself a criminal act. Actually, these are facts I learned from the inspector after we reached our verdict. During the trial itself we did not learn the exact reason he was arrested when he was, because that information was not provided to us. From what I understand, he was already suspected of violating the penal code that he was tried on, and when he made those moves (large cash withdrawals, leaving the state), the police were worried he was planning on possibly sabotaging the network or possibly leaving, and that's when they decided to go forward with the arrest and charges.
I'll try to answer all the questions you presented. Yes, the relevant part of the law we convicted on was 502(c)(5). We were not even presented with the other portions of the penal code listed above. Specifically, he denied computer service to an authorized user without permission. The specific act here was not providing access to the FiberWAN routers and switches upon the request of the city's COO. For the permission part, he did not have any permission from anyone to not provide that access. We looked through the evidence for anything that would indicate that he had permission to deny access to an authorized user, but there was no such evidence. There was evidence, however, that it was part of his job duties to provide that access to authorized users.
"Computer services" is one of several terms with which we were provided specific, legal definitions which we were to follow. The computer service in question which he denied access to was the management and maintenance of the FiberWAN routers and switches themselves. Authorized users was one of the harder points to distinguish in this matter because there really was no formalized process to authorize or deauthorize users. However, we came to the conclusion that he knew that the person asking for access was authorized to obtain that access. This was made evident by many of the emails we had in evidence. Further, at this point, he had not been fired, but did know that he was being reassigned. Also, if they had not been authorized users, but he had given the passwords, he would not be guilty of the other sections because his actions would then have been both permitted, and within the scope of his employment because he was following the directives of his superiors. The fact that he eventually did relinquish the passwords to the mayor, I think, shows a continuation of past behavior in which if he didn't get what he liked he would simply go to the next higher person in the chain.
His actions were definitely not within the scope of his employment. We examined his job description, performance review, and many other documents to determine this. In fact, we determined that one of the main aspects of his employment was to maintain the stability and resiliency of the network he supported, and his actions actually were doing the exact opposite. Configuring a network to have no console access, to have the core routers come back from a power failure with no configuration, hiding the backups in locations unknown and encrypted -- these are all things that seem to go against what he was supposed to be doing in his work assignment.
There was a central password database (TACACS) in this case, that could have definitely been used here, but that really didn't play a large role in the deliberations.
I think the law fits this situation. I don't think anyone had really thought ahead that this type of situation would come up when it was written, but it certainly does fit. We were beyond a reasonable doubt. We actually brought that up many times as we wanted to make sure of that, and we many times did search through evidence and found things that did reinforce that.
Terry Childs was treated far worse in this matter than he should have. Personally, I think once he gave up access to the mayor, they should have dropped the charges, and at worst charged him with some sort of misdemeanor. From what I understand after the case, the bail was set so high because they were afraid if he was not in jail, he would have some sort of hidden access to the FiberWAN and would do something to damage it. However, I don't see why that bail couldn't have been reduced after the access was provided and other engineers cleaned everything up and made sure it was safe. The money that the city spent was actually spent before access was given to the mayor. This money was spent on recovery efforts by Cisco and other in reasonable efforts to regain access to the devices.
I know it seems like a clear cut case of office politics, and that's what I thought too before