Rough Justice For Terry Childs
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
I think I would want to draft up a very clear - and legally binding - agreement that I would want my superiors in management to sign on behalf of the company. It would spell out in specific details, the security policies, security review process, enforcement etc. It would absolve me from prosecution unless I violated any of the very specific rules that were listed. If my superior changed, they would have to sign the document when they took up their position etc.
I wouldn't likely get the job, they'd hire someone who wasn't so paranoid, but I don't think I would want to take a job where if someone in management decided to break the rules, and I tried to apply those rules for the sake of ensuring I didn't violate the trust that had been placed in me, then I wasn't liable for prosecution either way, like Childs was.
Now, he could have handled things differently I am sure, but he might have been prosecuted either way from what I have read so far. I would like more details in an objective report on the situation.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Not trying to be a troll here, but... and maybe I'm not understanding the whole case correctly. I've followed the articles on Slashdot for a while. In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever. You do, however, give passwords to your superiors when asked. Always. They hired you, after all. They are your bosses. If I hire a security guard for my building, he'd damn well better give me the key if I decide to fire him, or if I get locked out, or both. You don't hide data from your superiors, plain and simple, however *technologically* less advanced they might be. Maybe the city is making a mountain out of a molehill; I'm really not qualified to comment on that, since I don't know as much about the case as some of the people on here will. Honestly, though, my original point: you get hired by someone, you do what they want to do, provided it isn't illegal. I highly doubt that giving someone the password or passwords to their own systems would have been the wrong thing to do.
They just made our jobs easier.
Hey, you want the password? Yeah, it's p@ssw0rd. Tell your friends!
Before you know it, it'll be written into the next Windows shell and you won't even have to enter it anymore. No more managing passwords and user accounts and all the stuff that makes IT frustrating.
[/sarcasm ]
What what?
originates from here.
I hope this helps your lawsuits from DDOS.
Yours In St. Petersburg,
Kilgore Trout
He broke the law and he's going to do a few years in prison for it. I don't understand what the big deal is? Should I have sympathy for him because he is a sysadmin?
Justice system did exactly what it was designed to do, rehabilitate criminals and deter others from doing crimes.
Next time, is he going to deny people access who deserve that access because of some ideological nonsense? Doubt it.
Though he probably will never get hired in IT again, not just because he is a felon, but because you google his name and there it is, him keeping passwords away from his ex-employer.
The juror has been interviewed some already, and is even on /.
I had many bad assumptions myself. But if the juror is being at all truthful...this guy did some bad things.
@see http://yro.slashdot.org/comments.pl?sid=1633482&cid=32010078
thousands of IT workers all over the country that are now guilty
of violating a California law? I'll be worried once there's a California state court in New York City.
I learned something very important here in this case.
NEVER do the right thing. Cover your own ass.
Doing the right thing rarely pays off. And damn, now it can get you put in jail.
Keep your head down, keep your mouth shut, don't make waves, and cover your own ass.
Cuz nobody else will.
I think they took away the "initiative to find a way to get the password to the right person in a secure manner" when they locked him up in jail and left him there. He evidently requested to see the mayor, and when the mayor arrived, gave him the password. Unless that isn't the way it went, I don't really see what else he could have done.
Again though, I haven't read a good article that had significant details in it, just crappy links from /. and short articles that had few details. I want a time line, a copy of the relevant rules, links to a transcript of the court sessions etc :P
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Prosecutors, judges and juries all consider intent. Making a mistake is not the same as malicious action. True, there are times when it's difficult to tell. This isn't one of them.
Eagles may soar, but weasels don't get sucked into jet engines.
He did 2 just waiting for court; let him out now and give him the time that he did.
'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways.
Setting up and configuring system where they have sole access, locking out the actual owner of the system, arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision and by the way anyone who thinks a network engineer should have the authority to lock whoever he wants out of the system, based entirely on his own discretion, is incompetent), and then refusing to provide system access when he was assigned other responsibilities not dealing with locked system, then repeatedly refusing to provide the information even after being imprisoned? Really? Thousands of IT workers guilty of that?
Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?
Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.
You got an upstart sysadmin who went on a powertrip and thought he was smarter than anyone else and therefore above any laws that only apply to lesser people.
This is not uncommon with people who are highly intelligent but not too well versed in social skills. Not so much nerds but Mensa people. Like that reiserfs guy, thought he could get away with murder because he was smart and the police is dumb, they must be because they ain't him.
Your assessment is 100% right and he had no call to judge the people asking for access to be unsuitable. His opinion simply did not matter at that time. It is like when a cop with a dog tells you to get down on the floor. That is not the time to start an argument. That is the time to get down on the floor and become part of how the justice system works, injustices included and part of the system, sucks to have it happen to you.
If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal, and then do as you are told and get the fuck out of there.
Do not argue with the system, you are not smarter. Do you know how you are not smarter than the system? If you think arguing with the system is a good idea.
Childs is an idiot and yes, idiots go to jail. Let's see him argue with Bubba about access to his ass.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
When you don't hand over the passwords, and the mayor comes to visit you in jail....you say "I'm sorry, but incarceration appears to have a profound effect on my memory. You know what would improve my memory considerably? MY IMMEDIATE RELEASE and a signed statement that you understand that I was just trying to DO MY JOB."
I'd not have handed over San Francisco backbone passwords in a teleconference either.
If they wanted a more secure and reliable mechanism for storage, they could have specified one. As an administrator, he believed that the systems were at risk and changed the passwords to secure them. Totally within scope of duties. Justice system is broken, but that's no surprise.
You know a study that no one will do? Study of the demographics, employment status, and intelligence level of your average jury these days as compared with the general populace. No matter how low an opinion you may have of humanity, I can assure you that what passes for a jury these days is scraping the VERY BOTTOM of that barrel.
It sounds like the procedures in place at SF City were weak. In the truck analogy, the rules may require the keys be handed to management when requested, but only a suitably licensed driver could use those keys and operate the vehicle (there are rules like that, they're the Road Rules). Perhaps the IT Dept. needed something equivalent whereby management could possess username/password but were not permitted to use them unless appropriate qualifications/certifications/competencies were held.
Terry sounds a bit like the truckie that thinks no-one else can drive as well as he/she can so refuses to hand over the keys to 'their' truck. If there were IT admins working for the city that had the appropriate alphabet soup behind their name then management (which goes all the way to the mayor) could provide the access details to those people for specific tasks.
Now, for the Tui's advert: 'Yeah, Right ...' The PHB is going to use the passwords to have a play themselves to remind themselves of the 'old days', forgetting that when they were trained in MIS they were using punchcards and teletypes, and networking was something that you did at parties. I can see why Terry did what he did, but the letter of the law can be a PITA sometimes. Does California have the equivalent of the GSA that could go through the SF City Council like a dose of the salts and clean things up?
The ramification, that is.
Getcher damn waivers! Or you're going to jail! Stand up goddammit!
For justice, we must go to Don Corleone
Setup a common authentication scheme and disable your account as your last act.
You've got to be kidding. Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime?
What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.
The rules that apply to us DO NOT apply to rich people. Stop believing for one second that they do. Look at some black dude that goes to jail for 3 years for stealing bread vs. the Wall Street banksters that steal billions and get multi-million dollar bonuses.
Marc Rich was convicted of tax evasion, and fled to Switzerland. It took $250,000 in donations to Bill Clinton for him to pardon him on his last day in office.
There is no justice, all there is is how much money you have to spend to grease the wheels of the system.
Only way I see you being "at risk" is if you are an asshole, or the policies are extremely unclear. In the event of the second case, well then take it upon yourself to get them clarified.
Personally, I'm not worried. Here our policy is that various critical information, including things like root passwords, has to be kept in a safe. My boss is responsible for all that. Also, all our IT staff has the passwords for everything (in theory, there are some I can't remember because I never use them). So, I'm not worried about a situation where I have sole access to a system and am being pressured to divulge the password. They are stored in a location per policy, and the people who can access them are specified by policy. All I need to do is look at the policy and make sure I follow it, and also make sure that should I set up a system that uses a special password for some reason, it gets documented.
Always remember: They aren't your systems, it's not your network. They belong to the organization that you work for. That means said organization gets to decide who gets what access. You can, and should, have input on that policy, but you can't unilaterally declare that you are the only one.
Unless you have your head firmly buried in your ass as Mr Childs did. Seriously his actions do not seem those of someone that should have any sort of power. He wielded his wand to say that no one else was worthy of the right to access the information that was not his. If at the point that it became obvious that he would be arrested he thought that somehow his actions were valiant and necessary to save the citizens of the city, his complex had blossomed out of control. A rational person would have cut their ties at that point and moved on. Anyone seeking to do real damage will still do it, most likely not someone that works in the department. Except for Mr Childs.
I have googled and read a dozen articles about Terry Childs and still cannot find a single article that actually explains what he has done wrong and what this means.
So far, all I can tell is that Terry Childs refused to give out passwords (private information) to somebody else who asked for those passwords. What is illegal about protecting the privacy of your users? How is this in any way related to denial of service or cyber crime?
The guy broke the law and deserves to be sentenced. When you are a system administrator for the city you lose the right to act like a bratty 5 year old child.
This verdict does NOTHING to affect other sysadmins. If other sysadmins break the law on purpose like Child Terry did, they will be sentenced.
If Child Terry wants to act like a 5 year old and hide password, he should hang out on Slashdot for a while. Plenty of other 5 year old attitudes here - such as the people who are saying he should not be charged! LOL, pathetic.
IMO, he got what he deserved, and nobody else has anything to worry about unless they plan on breaking the above rules. (Especially #3)
That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them. Thus the FIJA.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The post is making very broad generalizations with zero backup of any claims. Just exactly how are many IT professionals going to be affected? This is just a false story to bait the readers. There is no story here. The guy was a nut-case who broke the law and common sense. All this warm and fuzzy talk of he built this network as his "baby". Last I checked, babies need diapers and care. This is a bunch of inanimate iron with a goof-ball maliciously running it like a 5-year old.
You're breaking rule #3.
These are pretty good.
When you're afraid to download music illegally in your own home, then the terrorists have won!
I mean the keeping of a backup with heavy encryption is certainly defensible. After all you might want to make sure you have the configurations in case you are away on vacation and get a panicked "Oh my god we blew up the network!" call. Of course you would want said data heavily encrypted, in case your laptop was stolen.
However when those are the ONLY copy, other than the running config? Hell no, that is a blatant attempt to lock others out. Reliability of the service must always come first. So for one, the configs should be stored on the system flash. There's no security risk there, to get at that you either have to have enable access to the system, or be at it physically. In either case you can already do what you want. Also, I'd want other backups stored on a local configuration server somewhere, in case a switch just shit itself and you had to restore to a completely new one.
The only result of the situation he set up was to make everything critical on him.
SF is criminally stupid, that's all there is to it. They've wasted taxpayer money over a case that should never have been brought.
Their own employees and contractors caused a ton of downtime trying to get control of the network. If they'd left things alone there wouldn't have been any downtime.
Not to mention they violated the guy's constitutional rights over something that could have been resolved amicably within 24 to 72 hours.
Instead, they acted like a totalitarian regime and threw the guy in jail to break his will to resist.
It's the people in charge of SF that should be prosecuted not this guy.
Did he act like a damn jerk? You betcha! Did the city act like Ioseb Besarionis dze Jughashvili in 1936-1938? Heck yeah!
Anyone in IT should be worried about ending up like this guy if they anger the SF city government in any way, this could be one heck of a bad precedent.
Semper Fi Comrades
The city of San Francisco has cops, jails, and prosecutors. If the mayor gets mad at you, one of his employees, he can arrest you, throw you in jail, and prosecute you as he did Childs. A private company has to convince a disinterested prosecutor to go after you. While not impossible, that's much harder. I suspect that if the circumstances had been exactly the same except that Childs had been working for a private company he might have been sued but almost certainly not prosecuted.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
"but it was bought and paid for by the City of San Francisco"
Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.
Paid through our tax money, which also means it was paid for through *HIS* tax money.
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
So, for instance: yes, your taxes pay the wages of the police. This doesn't mean you get to boss them around.
Your taxes pay for the schools, but that doesn't entitle you to decide the curriculum.
Your taxes pay for government infrastructure, but that doesn't mean you can micro-manage the government.
That's not to say citizens in the US (or anywhere else, for that matter) have no stake in the government or its affairs - but the money paid in taxes has nothing to do with that. We have a stake in our government because the operation of the government affects our lives, in the short term and the long term. Would this stake not still exist even if the government could somehow operate without taxing its citizens? IMO bitching about "the taxpayers' money" is just a cheap way to get the attention of people who would otherwise not care.
Bow-ties are cool.
He was never convicted, he didn't technically flee to Switzerland, he was already there. And apparently JOE IS GAY. I learned all this from wikipedia.
Ummm that was way, way later in the proceedings. Read the news stories about it and BengalsUF's information. It wasn't like they came in to his office one day and arrested him. He was, repeatedly, asked for access and he wouldn't give it. He had created an extremely locked down system that only he could get in to. He refused to give others access, and gave out false passwords to try and throw people off. Finally yes, it came down to a "You hand it over or we arrest you." He wouldn't so they did.
Wow, that's, like, 5 minutes late. You're really off your game lately. This must be the sixth article I've read today where the first few posts were actually relevant and interesting.
When you're afraid to download music illegally in your own home, then the terrorists have won!
So if this was a private company, and one of the contractors decided to lock everyone else out, would it have been different? Just because it is a public system doesn't make it right to 'protect the population from incompetent techs'.
I have contracted for a number of companies, and many times I have had to create 'god' accounts so they can check the system, knowing full well that they may screw it up. But they pay me to do a job, they own the system, and they have rights to the system.
Just because he thinks they will break it, doesn't give him the right to deny access. They may have wanted to give it to a more knowledgeable contractor.
The courts can actually get things right. Faith restored!
Poor Terry Childs. Exactly the kind of personality that would have him be able to design a system resistant to sustained, vicious attack is what landed him in jail.
Childs' only crime was exposing the ignorance and impotence of those who imagine themselves superior.
The comments in the earlier thread reveal this was a case that called out for jury nullification. Sadly, this did not happen.
Law is most fundamentally not about "justice," but about enforcing the rule of the powerful.
I would never hire anyone for a technical role who would give a password to an unauthorised person, including their boss (assuming they're not authorised to receive it).
You're right... Childs thought the network was "his"... he was wrong. The passwords are intellectual property and as such he isn't allowed to keep it. He is however allowed to "forget" the passwords. Then there would have been nothing they could have done to him. His problem was he had an ego, and that ego will get him time in prison. In short, the guy made a bad judgement call based on his miscalculated self importance. He deliberately and purposely hid intellectual property. It has been in every employment agreement I have ever signed that you must surrender all passwords, notes, documents, sketches upon termination. Everything you design and implement on company time and on company systems is company property. That includes the passwords. Oh well. Looks like he will learn the hard way to read what you sign.
Don't worry, you probably won't be hiring anyone until you stop calling yourself shitdrummer.
Actually, this is the best thing I've read on the subject, by far.
When you're afraid to download music illegally in your own home, then the terrorists have won!
Or ANY IT job ....
Now, after you are in, you might get them to sign something but good luck doing it during the interview.
---- Booth was a patriot ----
Here's a question: if you get fired, are you legally obligated to turn in your building keys? I honestly don't know and I think there are some interesting similarities.
What doesn't kill you only delays the inevitable
The rules that apply to us DO NOT apply to rich people.
How do you explain Martha Stewart? R. Allen Stanford? Jeffrey Epstein?
If you are too paranoid to give it to your supervisor - then you have no confidence in him - and you should have resigned or asked for something else to do.
If you accept him - take his orders and do it. Worst case - go over his head and talk to his boss..... but that is it.
No 'I wont give you the passwords cos you are a jackass' nonsense. This is not your minutemen or local militia. This is a city administration...
Wasn't the mayor his boss? I seem to recall that it has been stated many times that Childs would have given the passwords to the mayor and the mayor only just as he has been told to do. Unless new facts in regards to this have come to light then it is my opinion that he was doing his job.
Random Thoughts From A Diseased Mind (Not For Dummies)
become a crime? Other than the arrogance of your normal super sysadmin I really see him as doing his job.
Apparently the powers that be don't understand that what it involves is much more than moving and blocking 0's and 1's.
It's thwarting social engineering, spurious attacks from within the organization along with not letting underqualified users have access
to critical systems
Guess it's time to turn in the keyboard
For a lawn mower and shovel
better yet a surf board!
no matter how good it is, it is human nature always wants to make things better
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
You are completely wrong on this point. You are entitled to decide how it is used. How much worse would government be if they could just do whatever the fuck they wanted with tax money with absolutely no opposition whatsoever? Pessimists and/or cynics will say that that is already the case, but even now there are at least *some* people fighting things they disagree with for whatever reason.
You do have a say in how government resources are used because it is your money. Use the boxes - soap box, ballot box, jury box, ammo box (in that order).
Random Thoughts From A Diseased Mind (Not For Dummies)
"I know no method to secure the repeal of bad or obnoxious laws so effective as their stringent execution." - Ulysses S. Grant
[End Of Line]
Punctuation. Capitalization. Please use them. This isn't digg.
It wasn't his boss. He was fired.
Ramificationing him in teh butt?
He doesn't work there.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
Terry Childs was naive. I am not going to blow my own horn, I am not as technically talented as others, but I am a battle hardened motherfucker in the work place. If you don't think others won't turn on a dime and stab you in the back, especially in a public service role, then you need to open your eyes or you learn the hard way. As I have in the past, and as Terry has now. There is no need to be an asshole, just vigilant.
In post Patriot Act America, the library books scan you.
Are you actually in charge of a shop now? Doubt it!
So they convicted the nasty BOfH even though the nice city managers slipped up and did something they must not do. Feh! I don't think I trust American courts nor juries.
The real effect of this case is costs. Everyone, particularly those with prosecutors on staff and even moreso those with BMfH will have to pay more to cover this "no-win" risk. I foresee a bunch of IT admin turnover as people Vote with their feet.
Er, what? Can you rephrase that in a way that is at least comprehensible?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
He plays peek-a-boo with the passwords and then tries to play Lord God of the network, as if he answered to no one. This guy gives other sysadmins a bad name. He was a Class A jerk. Perhaps he got bad advice from someone, but odds are very high his arrogance brought him down. Nothing new - it happens in all venues (entertainment, sports, business, etc.). I also blame management for letting it get to this point. It should never have been to the point where only he knew the passwords. They should be reprimanded as well unless he unilaterally changed them without their knowledge. Then he definitely deserves to be punished. What a jerk.
Are you actually in charge of a shop now? Doubt it!
Yes. Well, my section within our IT department in an organisation within the Banking industry.
Password security is one of the questions I ask of all potential employees, as should any IT employer.
Funny thing about banks, they kind of take security a bit seriously.
You are entitled to voice your opinion and attempt to influence how it is used. You can do that using your boxes. You are not, however, entitled to decide how the money is used, as you have no legal authority to do so. Otherwise, everyone could just say 'I decide that all the money will be sent to my account'. Doesn't work that way.
Every election you get to have your say by voting someone in or out based on the job they do.
The reason you Americans FAIL so spectacularly at this, is you have reduced your system to a totally polarised 2 party system where each side always justifies their party's failings to the point it takes 2 unpopular wars, a health care system that is the laughing stock of the 1st world and the worst financial crisis since the great depression before anyone will change their opinion on which side is the right one to vote for.
If you mod me down, I will become more powerful than you can imagine....
It is as simple as that.
This guy was a CCIE. Do not employ anyone that is one. This is proof they're only a bunch of ego driven shit-stabbers.
where the mechanic absconds with jerry's car because jerry wasn't taking good care of it?
the job of the IT admin is to do whatever the hell the OWNERS of a network decide to do with it. if the owners of a network want to give out all the user names and passwords, then that's their call. in what position do you believe the it admin is in to question that?
otherwise, you have some sort of psychotic attachment to your network, you have boundary issues, just like that psychotic mechanic in the seinfeld episode
terry childs is obviously guilty to anyone who isn't a psychotic it admin
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It didn't come down to "You hand it over or we arrest you" it came down to Terry getting ready to flee the state without telling anyone the passwords and the police having to arrest him to make sure he didn't.
The rules that apply to us DO NOT apply to rich people.
The geek might usefully compare his own income to the median for his city, county or metropolitan district - to see which side of the line he falls and how distant he is from the center.
Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime? What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.
The geek tends to get the lawyering he deserves.
If only because what he really wants to do is to play the lead in one of the EFF's street theater productions.
For one, the keys aren't your property. Just because someone gives you something to use, doesn't make it yours to keep. My work has a laptop I'm allowed to borrow, but I can't keep it if I leave their employment, that would be theft.
Likewise, they have a right to decide who has access to what. So when you leave, if they decide you should no longer have unrestricted physical access to the building, they can take that away in the form of taking your keys. Should you make a copy or break in or whatever, you can be charged with trespassing or worse.
When you leave employment, or even when you are employed, you have to give up access to things when asked and you can't lock your employer out. I mean you can still have a job and your employer says "We want your master key back, you are only allowed in to the building during normal hours," or "You no longer manage this server, give the root password to this new guy, who will then change it." Their stuff, their rules.
I agree with you, and I'm not all read up on the case, but I have to disagree with #2.
Your login is, in many respects, an electronic signature. This system obviously had lots of logging and checking going on. Giving his login and p/w to someone else is a bad idea, especially if you think the whole mess is going to end up in a courtroom.
What he SHOULD have done (IMHO) is create a login with equal access, and given the credentials to his boss, the mayor, the police, etc., and then let THEM, the more qualified people decide who should get the information.
This way he upholds his obligations to his workplace, and passes the liability to someone better qualified to make the decision.
Pretending that HE was the most qualified person to decide who got access seems to be where he went wrong.
Could I please have your password?
This seemed like a reasonable sig at the time.
Well said.
The juror from ADP made a good statement saying that at the very least he could have created another admin account and handed it over instead.
Really though, if he felt that way he would be ethically right to tell them he felt that way but if the boss continues with the request then hand it over. If they go in and ruin the system then he just got a lot of work to do and some extended job security while he builds it again.
He did 2 years just waiting for his court date; he should get out now!
Terry Childs should have just committed suicide rather than give up the password. (only because it would make for better reading).
It's time for everyone in the IT industry that cares for the security of their company's network to write to Governor Arnold Schwarzenegger and demand that he commute this sentence. Further, it is time to write to our Congress Critters and demand that this act not be used for the prosecution of public officials that believe they are properly doing their job. Lastly, anyone that turns their passwords over to the CEO of their organization should never be liable for any criminal action, regardless of how long it took the CEO to realize that his underlings are incompetent boobs.
Pretty interesting interview with one of the jury members, who appears to understand the issues: "Terry Childs juror explains why he voted to convict"
The juror lays out the legal issues pretty effectively, and makes a compelling case for conviction on those issues, while also discussing the incompetence of the city's IT department. Apparently he does not believe in jury nullification.
Personally I disagree with the outcome on the basis that I think the City of San Francisco illegitimately used its combined capabilities as employer, and owner of a court system and police force to escalate a civil employment matter into a criminal case, and then jailed a man for 2 years pre-trial on a laughable pretext. But I appreciate this juror's willingness to discuss the issues.
Remain calm! All is well!
Really? Then why is it they consider my password and answering a personal question two-factor authentication? It's possible you work at one of the few banks that actually do authentication properly, but to generalize about the whole banking industry taking security seriously when they pull crap like that, and all but encourage identity theft is a little disingenuous.
Oh, was that my outside voice?
Like it or not now this decision has been made it sets a world wide precedent. Until IT professionals recognise that collaboratively we are the best people to formulate the legal structure of the industry and how laws should be interpreted someone will always be dictating them to us.
Simply put this situation, like many others, is an end product of our own inaction. We either control or be controlled.
My ism, it's full of beliefs.
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
Actually, you do.
Every 4 years, at the ballot box.
At least you get to say who you want making those proxy decisions on your behalf.
---
"I can't complain, but sometimes still do..." Joe Walsh
Unfortunately the mayor was not fired. :(
The revolution will be mocked
As I understand it, he was required to log the passwords in a central database and didn't. That's what got him. He also carried the ONLY backup copy of the config on his person (heavily encrypted), gave his bosses fake passwords, etc. It reeks of job security.
The government can't save you.
Well, I certainly hope you don't work for Bank of America... I had to deal with shitty password security for 5 years, within one of their non-BoA branded "sub-banks". I complained that I couldn't use special chars and got told it was a security risk to use them...
I haven't used them since, nor will I ever use them again. 5 years of crap because of an employer lock-in...
THIS.
Rest of thread is people with ownership issues.
I'm not in the US, so I can't really talk about US bank security. But there is a difference between customer security and internal security.
I'm dealing with systems that entire banking sectors use to transfer funds between each other. Many billions of dollars passing through these systems daily.
Compare the risk associated with those systems to the risk of a customer losing thousands (even hundreds of thousands) of dollars. Many banks choose to wear the risk of fraud to make customer interaction easier. Not saying it's right or not, but there's always a trade off.
Look at the way some banks (particularly in the US) hand out credit cards. They know that some people aren't going to pay their bills but they calculate (correctly) that the percentage of defaults will be low enough that the overall business will be profitable. They could get tougher with their customer selection criteria so that virtually no one defaults, but they realised they can make more money this way.
Wrong.
You can't tell the government how to spend tax revenue, or how to utilize the things they bought with tax revenue. The money isn't yours and you don't own the things they bought.
What you can do, is suggest how you'd like the money and resource to be utilized, and vote out people who don't utilize it that way. The job of the government is to govern, the job of the people is to choose the people who do the governing. That's how a representative government works, you don't make the decisions, you choose the people who do.
It has been discussed over and over. Two difficult persons collide in a job, something goes wrong, it escalates beyond the point of repairing the damage, some formal rules and orders are pulled out and thrown in the court - from there on it's pure luck what happens. Court decisions about duties in the job etc. are always very uncertain, not only for admins.
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
That's pretty effin' funny, given that this country was founded after a revolution based on the simple concept of being taxed but not receiving representation in exchange.
So, uh, yes- if you're taxed, you damn well do get a stake in deciding how it is used here in the US. Fun fact: in the state where the revolutionary war started (MA), we have "town meetings"- and they're not the kind of Town Meeting you see politicians holding, which are basically just "get some people in a high school gym and have them ask you some questions."
No, see: town meetings are where the town (anyone who wants to show up) debates and votes on damn near everything from policies to budgets. The rest of the year, the town is run by a town council, also elected.
It's impressive to see an entire basketball court full of chairs, and 15+ rows on each side, full of town residents. Democracy in action.
Please help metamoderate.
I'm a sysadmin and the lesson for me is, don't give a shit about security, protocol or third party victims in case of security breach. If some clueless middle manager asks me for the passwords to some very sensitive database, I will give them to him no matter what. For all I care he can sell them on eBay. The only thing I will care about henceforth is getting a written order or at least having a witness of me handing it over. I won't spend time in jail to prevent some idiot boss from making bad mistakes. Especially if I have to take crap like Terry for keeping security tight.
HTTP/1.1 400
Terry HAD a clear agreement. He couldn't tell his boss (not authorized) and he couldn't tell the Mayor (who was authorized) because there were non-authorized people in the same room as the Mayor and it was on speaker.
The contract was clear.
But he still got jailed.
Your idea has already been tried and failed.
Job security?! Damn right! I'm not condoning what he's done at all, but picture this situation (Not so far fetched in the current economical climate): If you've dedicated a large portion of your life making SF's network infrastructure bulletproof and awesome only to have your boss decide you're now superfluous, and he can save a few thousand dollars hiring a dude in an Indian cube-farm with a VPN connection to do the admin work, I'm fairly sure you'd take small steps to make sure you keep your job.
This didn't happen, but it's not so hard to believe it could have.
Finally had enough. Come see us over at https://soylentnews.org/
Let's imagine a limo driver refused to hand over the keys of the car to a 19 year kid who is prone to fast driving. But the kid doesn’t like that driver so he gets his father to fire the limo driver, but the driver refuses to hand the keys over to the father. The father fires the driver and hires a new limo driver, but the original driver even refuses to hand the keys to the new limo driver. At that point the limo driver has effectively commandeered a car that does not belong to him which makes him legally and morally wrong. It doesn’t matter if a few Internet geeks cheer him on as someone who “stuck it to the man” because if they were in a similar situation, they would go to jail too and I would convict them if I were on the jury.
Awwww, look at the cute little cynical nerd & how he rails against THE MAN. How original.
And your [sic] an idiot.
Another subliterate joins the ranks of Slashdot - just what we need.
But there is a difference between customer security and internal security.
Let me guess. Banks care a lot more about the latter than the former?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I would never hire anyone for a technical role who would give a password to an unauthorised person, including their boss
That's some job security for your new hire, isn't it? Unless you can become an "authorised person" merely by telling him/her that you are, which clearly defeats the purpose of authorization in the first place...
I never quite bought that he was only required to give passwords to the Mayor. If so, SF had a pretty screwed up system. I can tell you, if my boss wants the passwords to my system he gets them. You know why? Because I want my job. From the beginning, while I sympathized with Childs, he came off as a l337 who built up this huge kingdom in WoW and didn't want anyone to play with it. Give the passwords to your boss, keep a paper trail, if the system comes down you have all you need to defend yourself. Holding the system hostage was idiotic. That's not to say there isn't a case for his innocence, only that he's not completely innocent from what I can see.
Ok, let me get this straight. The article states that among others his own boss asked for the passwords and he refused. Dude, come on. My boss already has the passwords locked away in case I get hit by the proverbial bus. This guy deserves what he gets for being an overprotective IT jerk-mo.
How do you explain Martha Stewart? R. Allen Stanford? Jeffrey Epstein?
They didn't follow the rules that apply to rich people.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I would never hire anyone for a technical role who would give a password to an unauthorised person, including their boss (assuming they're not authorised to receive it).
That's nonsensical. If you're not required to do what your boss says, he's not your boss.
In any case, you're making an irrelevant distinction. If the boss wants the password, you give it to him. If the boss then blows up the network or sells the password to the Russians, that's his problem not yours. When law enforcement comes by, you say "It blew up right after my boss demanded the password"
Childs has ego issues. He was just an employee, not Superman, and was not tasked with saving the universe, just with keeping the hardware running. Keeping the password safe from hackers is prudent. Not giving it to his boss even after the city demanded it was just being a dick.
Rule #3. "Don't be a dick."
You're right... Childs thought the network was "his"... he was wrong. The passwords are intellectual property and as such he isn't allowed to keep it. He is however allowed to "forget" the passwords. Then there would have been nothing they could have done to him.
What possible up-side could there be to "forgetting" the passwords, except pissing everybody off and making it really hard to get another job?
I just don't see an up-side in that action for anybody. The city would need to pay to have their passwords reset, he'd still be out of work (although probably not in jail), but would be publicly known as "the guy who boned his employer when given the chance".
Honestly, I'd hire someone who went to jail for his beliefs long before I'd hire someone with a "scorched earth" policy for job changes.
Rather difficult to create another admin account when they haul you off to jail instead. He was hauled off immediately after being requested for his password in a manner that was extremely suspect. Also, you have NO requirement to provide anything to your former employer after they have fired you.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
All you have said is accurate. He was also proved right about the incompetence of the people replacing him. The Fiber WAN ran perfectly fine until the passwords were given over, and then the new admins managed to crash it.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
I wouldn't, and look for a different job quickly.
However, if I did want job security, I'd not do stupid stuff like giving my boss fake passwords: The key to job security is to convince your boss that the operation can't survive without me. To do that, I should show them how dependent they are on me, not by giving them false information. Anything that makes me hard to replace and my employer doesn't understand isn't really providing job security, but will lower my reputation when I leave, as it'd not lower my chances of getting fired, but would make anyone that used to do my job badmouth my job in front of my former boss.
So kids, if you are going to be sleazy enough to follow job security practices, at least pick the ones that work.
It seems more like this:
After the driver refused to hand the keys to the 19 y/o, the kid shows up with an unknown adult, tells the driver he's fired and the unknown adult is the new limo driver. In THAT scenario, the driver is justified in not handing the keys over to anyone EXCEPT the father.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Are you saying Terry Childs doesn't know who his boss' boss is or who the CIO or CEO is in his company? You're suggesting the Limo driver doesn't know the father who hired him? This *is* the "FATHER" showing up along with the police who surely would have demanded proof of ownership of the car. And don't try to tell me he thought it was fake police officers throwing him in a fake prison cell and that he hired a fake lawyer to defend him from a fake trial that led to a fake 5-year sentence in a fake prison cell. So stop giving me your fake arguments.
I agree with this. I'm pretty surprised so many people are jumping to this guy's defense based on some pretty off and esoteric arguments regarding details they know nothing about, e.g. "not knowing if the boss can have the password", etc.
Not giving it to his boss even after the city demanded it was just being a dick.
And that's the end of it, Mayor Gavin had to make a PERSONAL visit to get the password. Is HE authorized to have the password? I'm sure he made good use of it - gave it to the IT staff...
Computer Science is Applied Philosophy
You have to return the property of your former employer to the employer. That's not just physical items, but can include IP as needed to do your job. That's been in every severance agreement I've had the displeasure to give or receive. Passwords are in there.
Not having seen the agreement, the password is owned by SF, not this admin. He had no right to withhold it; almost certainly he had an obligation as a part of his severance to provide it.
Computer Science is Applied Philosophy
Maybe I had bad info. What I read was he was being re-assigned, not fired, when originally asked for the account info.
Don't get me wrong, I think the potential of 5 years in prison is extreme for this type of situation.
Too bad that isn't what happened to Terry Childs. He knew everyone involved and they were his superiors.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
He means that he has completed 2 years in jail just waiting for the trial, and that he should be let off for time served now.
I'm not a lawyer, but I play one on the Internet. Blog
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
Actually, you do.
Every 4 years, at the ballot box.
Well, voting is kind of an incidental, minimal means of influencing the direction of the government. One can involve oneself in the decision-making process by activism or even entry into politics. My point is that it's not the money which grants us this privilege, or which governs the situations in which the privilege may be exercised.
Bow-ties are cool.
I was fired from a job, the passwords demanded.
The management misused the passwords, put themselves in a pickle.
They threatened legal action on the grounds of my "sabotage" whereas they had actually screwed the DNS up and had no clue that they had caused it much less how to fix it. On advice I declined to fix it on the grounds that it would have given me unclean hands. Presumably on advice, the threats came to nothing.
What saved me?
Legal advice that had me write on the envelope: "By opening this envelope and using the passwords within you assume all responsibility for what happens next. You are hereby advised to engage the services of a suitably qualified professional system admin to open this envelope and operate the system for you". There followed a brief description of where the documentation was and the general disposition of the system.
You can't refuse legitimate management instructions. It is their system, not yours. You must, however, as one skilled in the art make management aware of the risks they are taking on if they use the passwords without the requisite levels of technical proficiency. You are under no obligation to advise further once the employment has terminated - indeed you should not so advise, other than to repeat the "get a professional in" mantra.
It's not your money anymore, you gave it to the government.
Perhaps you gave your money to the .gov, but mine was stolen from me. I have never agreed to pay them a cent, it was all done without my consent.
NQS
I can tell you're not an American--you're used to being a 'subject' rather than a citizen.
I have the most fundamental moral and legal ground of all to think that I get a direct say in how my tax dollars are spent: "Governments are instituted among Men, deriving their just powers from the consent of the governed,"
Taking your money and using it for one's own purposes without your consent is called stealing, and government that does it is a tyranny.
---dragoness
Actually, we, "the people" consent to be governed, and delegate our decision-making authority to our representatives. The money IS mine, as I am a citizen of this country, I own my 1/300 millionth or so share of the things it buys, and I can tell the government how to spend my taxes. No guarantee they'll listen, but they generally do if a big enough collective of the citizen-owners yell about it. Governments don't work without the consent of the governed, especially this one.
If my elected delegates don't do a good job of representing me, I (collectively) can fire them and elect someone else who will.
Need to re-organize HR though; it's sticking me with really crappy interview candidates for the job.
---dragoness
Why is that relevant? If I've got the root password on the finance box, I've got the password, whether or not I was in a position to blah bullshit blah bloody blah.
In my experience, yes, they usually are. You can't ask for something if you don't know it exists. If you know it exists but don't know what it is/does, you shouldn't be frigging about with it. That's basic common sense.
I once had someone request sap_all on a production machine (this is like having root on a unix system; a user can do pretty much anything). He must have known what he was asking for (and if he was asking for something when he didn't know what it was, he's an idiot and he should read this). He was refused by three separate people, tried going over people's heads etc. Eventually he found someone compliant and stupid enough to do it. Even if ignorance is an excuse (which it isn't) any attempts after the first time were intentional and culpable.
Also, most organizations have an acceptable use policy that employees must sign as part of enrollment. If it says anywhere in there that passwords are not to be shared, then how can your excuse stand?
The "ah, I'm special" excuse.
Internet tough guy alert.
Then people complain that IT doesn't get treated as a profession. Sure, I'll build this school that'll fall down ... just sign this disclaimer.
What did you say earlier about balls? I'd leave that time at Enron off my resumé if I were you...
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Urm, in a democracy, that is, a government Of the People, By the People, and For the People, YES you absolutely DO have a right to a say in how the money gets spent and in how the police operate and in what the schools teach.
This doesn't generally result in micro management, but in theory anyway, if a large enough group of people petitioned the government insisting on a new rule about who gets the enable passwords, then they should get their way. Good luck getting a significant fraction of the people worked up enough about the issue to actually petition the government...
This is commonly tied in with references to taxpayer money and such due to another part of U.S. history. A big issue leading to the American Revolution was "taxation without representation", that is extracting tax money from the People without giving them any say in how it gets spent.
We keep a "hit by a bus" envelope sealed and secured in a safe just in case something happens and root access is needed to the servers. Curious as to why that wasn't SF's policy and how other municipalities handle these sort of security issues.
-- Stu
/. ID under 2,000. I feel old now.
Ditto.
If someone's authorized to have the password, they'd have it already.
If there needs to be a secure handover of power situation, that should already be in place before it needs to be done.
In fact, if there's anything I'd want to ask Childs it's whether he'd ever pressured management for a proper disclosure scenario to be documented.
"In the event of my death or demotion, passwords can be retrieved by ... "
- Michael T. Babcock (Yes, I blog)
Just imagine if every IT employee pulled the "I'll only give the keys to the Mayor". Sure you can do that, but it comes with a 5-year prison term. This wasn't just the boss, but the boss' boss and his boss.
San Francisco is scummy and should be boycotted. Every company and person should just leave and move to the other cities, maybe help clean up Oakland and let Frisco rot in their own stench.
Thanks!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Actually, you do.
Every 4 years, at the ballot box.
Umm... you do realize that elections are generally held every year in most municipalities? (And certainly every two years everywhere in the U.S.) The terms for a particular office might vary from one year to ten (so your chance to vote a particular person out of office might happen more or less frequently than 4 years), but elections generally happen every year -- sometimes more frequently when special circumstances arise.
It's a sad fact in the U.S. that so many people only show up to vote in Presidential elections every 4 years. There are a lot of local offices that might have a lot more direct impact on your life or your community which are also a critical part of the government.
In fact, most things are not explicitly stated in policy and that's where common sense and the chain of command come into play. So long as the superior is not asking the employee to do something clearly illegal or unethical, that employee has the choice to comply or face termination. They also have to release control of any company property.
This is so that a person working for the San Francisco federal building can't demand to see President Obama to settle any workplace dispute. You can't say, I'm only going to give access to President Obama just because you feel that the entire chain of command is incompetent. You pull that in the military during war time and they shoot you for that. You are allowed to refuse immediate orders from direct superiors and go above their heads if you have a problem with the order, but you can't refuse the entire chain of command short of the President.
Have you ever worked in a secure IT environment? Actually, have you ever worked in IT?
Good IT security policy has rules and restrictions over who can have access to certain systems. I manage some systems that my boss isn't authorised to access. There are plenty of examples of this and it is completely normal. Basic IT security practice is to only have access to systems you need to access. An example of this is root access for some systems. In order to get root access you need to place a request with IT Security, they enable your root access for a limited time (perhaps an hour or so, depending on what you need the access for). IT Security keep a log of who gained root access when, why, and who authorised it (if additional authorisation is required).
You need clear written rules for password/account hand-over. Places serious about IT security have a dedicated IT Security section. Typically someone there is authorised to receive passwords to pass out to replacements etc. For some systems you may be required to keep a copy of the account details in a sealed envelope within a dual access safe.
If I gave my boss the password to a system he's not authorised to access I would be fired on the spot and taken to court for breaching security protocol. My contract specifically mentions that scenario.
I'm not defending Childs, from what's come out from the trial he was being a dick. However if they didn't have any clear written rules for password hand-over then the higher-ups also should take some blame for this situation.
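The time-limited root access procedure described in the comment above, sketched as an added example that is not part of the thread or any poster's own system. The broker class, the user names and the system names are hypothetical, and the sample policy is constructed.

```python
"""Time-boxed root access with an audit trail (illustrative; every name is hypothetical)."""
from dataclasses import dataclass, field
from typing import Optional


class AccessDenied(Exception):
    """The request breaks the written access policy."""


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    reason: str
    approver: Optional[str]
    issued_at: int   # epoch seconds
    expires_at: int  # root access ends at this instant


@dataclass
class RootAccessBroker:
    entitlements: dict    # system -> set of users who may request root on it
    needs_approval: set   # systems where a second person must authorise
    approvers: set        # IT Security staff allowed to authorise
    max_seconds: int = 3600
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def _record(self, now, event, user, system, detail):
        # Denials are logged as well as grants: repeated attempts are a signal.
        self.log.append({"time": now, "event": event, "user": user,
                         "system": system, "detail": detail})

    def request(self, now, user, system, reason, seconds, approver=None):
        try:
            if user not in self.entitlements.get(system, set()):
                raise AccessDenied("user is not authorised for this system")
            if not reason.strip():
                raise AccessDenied("a reason is required")
            if not 0 < seconds <= self.max_seconds:
                raise AccessDenied("requested window is out of range")
            if system in self.needs_approval:
                if approver not in self.approvers:
                    raise AccessDenied("IT Security authorisation is required")
                if approver == user:
                    raise AccessDenied("requester cannot authorise themselves")
        except AccessDenied as exc:
            self._record(now, "DENIED", user, system, str(exc))
            raise
        grant = Grant(user, system, reason, approver, now, now + seconds)
        self.grants.append(grant)
        self._record(now, "GRANTED", user, system,
                     f"reason={reason!r} approver={approver} until={grant.expires_at}")
        return grant

    def has_root(self, now, user, system):
        # Access lapses on its own; nobody has to remember to revoke it.
        return any(g.user == user and g.system == system
                   and g.issued_at <= now < g.expires_at for g in self.grants)


def build_demo_broker():
    # Constructed sample policy: the admin's manager is deliberately not entitled.
    return RootAccessBroker(
        entitlements={"payments-db": {"alice", "secops1"}, "wiki": {"alice", "manager"}},
        needs_approval={"payments-db"},
        approvers={"secops1", "secops2"},
    )


def demo():
    broker = build_demo_broker()
    t0 = 1_700_000_000
    broker.request(t0, "alice", "payments-db", "apply vendor patch", 1800, approver="secops2")
    try:
        broker.request(t0 + 60, "manager", "payments-db", "I am the boss", 600, approver="secops1")
    except AccessDenied:
        pass  # the refusal is already in the audit log
    events = [(e["event"], e["user"]) for e in broker.log]
    return events, broker.has_root(t0 + 1800, "alice", "payments-db")


if __name__ == "__main__":
    print(demo())
```

The log holds the who, when, why and who-authorised fields the comment lists, and a refused request from a superior leaves the same kind of record as a granted one.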
Could I please have your password?
hunter2
Have you ever worked in a secure IT environment? Actually, have you ever worked in IT?
Unless your first computer came as a pinout diagram for a 4-bit processor, a soldering iron and an idea, I've been doing it longer than you have. I've been in banking since punch-cards and magnetic tape, UUCP over dial-up, thorough mainframes, dumb terminals, terminal emulators, PCs and the beginning of the web, then moved into web and application support for the federal government before starting my own company to go after mid-range businesses.
And as nostalgic as it makes me feel, my experience is irrelevant here. There was nobody in the entire city that he was willing to give the passwords to, which makes him a dick (and now a felon) not a conscientious employee.
For what it's worth, I blame his boss and his boss's boss as much as our pet head-case. They needed to have access restoration policies and procedures in place for exactly this situation. What did they plan on doing if he was hit by a bus or dropped dead from Burger-King and Jolt Cola? One guy holds all the keys? That's just stupid.
Claiming to forget the passwords simply wouldn't pass a litmus test. Right, you forgot the password(s) you've been using for weeks and were using just moments ago. Intentionally changing the passwords to something no one knows (not even to yourself) is evidence of willful intent -- and he'd be on the hook for a great deal more given the difficulty of regaining control without the passwords.
I don't think it's fair to make him a felon over this. But he was certainly an enormous ass to begin with. As I've said before, the city isn't without blame here either. They allowed this maniac to build a network for which no one else had access. That is simply wrong. Always.
He didn't go to jail for his beliefs. He's on his way to jail because he's a prima donna who refused to let anyone else touch his network. Did you miss the part about him getting a copyright on the network design?
Really? I've seen no reports to support that. I wouldn't be surprised if they screwed some stuff in the interim when they didn't have the passwords -- and thus learned how he'd "rigged the network"... didn't save configs, and disabled password recovery where he did.
Have you ever worked in a secure IT environment? Actually, have you ever worked in IT?
Unless your first computer came as a pinout diagram for a 4-bit processor, a soldering iron and an idea, I've been doing it longer than you have.
Nice. I wasn't trying to pay you out or anything, it's just that the /. crowd are very varied in their backgrounds.
There was nobody in the entire city that he was willing to give the passwords to, which makes him a dick (and now a felon) not a conscientious employee.
Agreed. However clear written policies may have helped the situation. Then again, there's no guarantee that Childs would have followed those policies.
For what it's worth, I blame his boss and his boss's boss as much as our pet head-case. They needed to have access restoration policies and procedures in place for exactly this situation. What did they plan on doing if he was hit by a bus or dropped dead from Burger-King and Jolt Cola? One guy holds all the keys? That's just stupid.
Definitely agreed. I have "hit by a bus" action files for each position in my team, including myself. As I'm sure you know, it's just good risk management. Unfortunately we have had to implement one of those "hit by a bus" action files in the past.
http://www.formortals.com/terry-childs-network-admin-convicted/
No it didn't, there was no policy. What kind of an idiot writes a policy with mayor-only permissions? He pulled this Mayor-only excuse from his a$$.
Read what the juror said. He said Childs had already given the COO access to the system before. He only had a problem giving access after he found out that he was getting reassigned. So he gave a bad username and password to his boss, the COO, and HR despite the fact that police had already been called to the meeting. Then emailed everyone laughing at them that they can't get in the next day. The cops tried to solve this as an employer/employee issue and then Childs withdrew $10K and left for Nevada the day before his arrest.
This guy was a true piece of work. It's a classic case of an IT employee trying to lock out his employers and it gives us all a bad name. This business that it's his management's fault for giving him too much slack is no excuse. I was given a lot of freedom to act and design when I worked in a similar role and I saw that as a privilege that I earned.
Umm... you do realize that elections are generally held every year in most municipalities? (And certainly every two years everywhere in the U.S.) .....
It's a sad fact in the U.S. that so many people only show up to vote in Presidential elections every 4 years. There are a lot of local offices that might have a lot more direct impact on your life or your community which are also a critical part of the government.
It's an equally sad fact that voter turnout is declining rapidly here in Canada as well.
I place a portion of the blame on the un-inspiring selection of candidates and their ideas.
And of course the lazy-assed public deserves their share of the blame as well.
Really, how hard is it to show up and mark an X once in a while?
And, yes, when I said every 4 years, I was referring to any specific office, not the entire government apparatus in all its myriad permutations.
---
"I can't complain, but sometimes still do..." Joe Walsh
.waiting for the SF DA to be prosecuted for distributing 150 of those passwords to the public and actually causing a denial of service?