Rough Justice For Terry Childs
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password. He complied with that. He is basically being sued into oblivion because he didn't want the secretary, the press, and/or anyone else getting a hold of the password.
Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?
Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.
I understood that they had a set of policies for 'user-level' passwords (which this was not classed as) saying things like 'never disclose your password, even to your boss' and another set of policies for 'system-level' passwords, which these passwords were classed as. The policies for 'system-level' passwords say they must be stored in a centrally managed database: a policy that Childs violated by keeping them in a way only accessible to him. Under your model (assuming the above is correct) you wouldn't be absolved from prosecution in this case, because Childs hadn't followed procedures related to 'system-level' passwords.
It's all rather moot though, there is a systemic problem in any organisation which lets its IT be run in a way where someone can hold it hostage like this. The real lesson here is that institutional incompetence can lead to individual criminal liability.
If you're an IT admin working in the States then it's your geographic (not professional) situation that's putting you at risk of going to jail for something stupid like this.
If the person mentioned was on the jury, and there is nothing I've read of his to suggest otherwise, I highly recommend reading his recent posts on his slashdot user page: http://slashdot.org/~BengalsUF
I learned more in 5 minutes about the case than I have over the past 2 years reading Slashdot and news stories. And, as it turns out, most of what I've read up until today has been embellished or simply was an opinion of someone who knew little about the case.
I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.
In my experience (private sector, financial industry) that results in immediate termination of your employment. And that isn't theoretical, I'm aware of two instances at my current company. In both cases they had security guards escort them off the premises.
If the superintendent of a school district says - "What's the password for root on the server?" You tell them.
No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.
A sig is placed here
To display how futile
English Haiku is
Here is the policy. I believe the relevant section (page 32) only really applies to user passwords, not system-level stuff.
When you're afraid to download music illegally in your own home, then the terrorists have won!
According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.
On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.
These are pretty good.
Actually, this is the best thing I've read on the subject, by far.
The way I read it, he was following the policy (law) to the letter.
He was required to store system passwords in a central repository. He violated the policy by failing to do this.
That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them.
The home town boy, the white bread kid, escaped the noose. The black man was lynched.
That has always been the reality of jury nullification - and the geek - the outsider, the prick, the weirdo - who looks to nullification for his salvation is a god-damned fool.