Slashdot Mirror
Rough Justice For Terry Childs
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
I think I would want to draft up a very clear - and legally binding - agreement that I would want my superiors in management to sign on behalf of the company. It would spell out in specific details, the security policies, security review process, enforcement etc. It would absolve me from prosecution unless I violated any of the very specific rules that were listed. If my superior changed, they would have to sign the document when they took up their position etc.
I wouldn't likely get the job, they'd hire someone who wasn't so paranoid, but I don't think I would want to take a job where if someone in management decided to break the rules, and I tried to apply those rules for the sake of ensuring I didn't violate the trust that had been placed in me, then I wasn't liable for prosecution either way, like Childs was.
Now, he could have handled things differently I am sure, but he might have been prosecuted either way from what I have read so far. I would like more details in an objective report on the situation.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Not trying to be a troll here, but... and maybe I'm not understanding the whole case correctly. I've followed the articles on Slashdot for a while. In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever. You do, however, give passwords to your superiors when asked. Always. They hired you, after all. They are your bosses. If I hire a security guard for my building, he'd damn well better give me the key if I decide to fire him, or if I get locked out, or both. You don't hide data from your superiors, plain and simple, however *technologically* less advanced they might be. Maybe the city is making a mountain out of a molehill; I'm really not qualified to comment on that, since I don't know as much about the case as some of the people on here will. Honestly, though, my original point: you get hired by someone, you do what they want to do, provided it isn't illegal. I highly doubt that giving someone the password or passwords to their own systems would have been the wrong thing to do.
He broke the law and he's going to do a few years in prison for it. I don't understand what the big deal is? Should I have sympathy for him because he is a sysadmin?
Justice system did exactly what it was designed to do, rehabilitate criminals and deter others from doing crimes.
Next time, is he going to deny people access who deserve that access because of some ideological nonsense? Doubt it.
Though he probably will never get hired in IT again, not just because he is a felon, but because you google his name and there it is, him keeping passwords away from his ex-employer.
The juror has been interviewed some already, and is even on /.
I had many bad assumptions myself. But if the juror is being at all truthful...this guy did some bad things.
@see http://yro.slashdot.org/comments.pl?sid=1633482&cid=32010078
I think they took away the "initiative to find a way to get the password to the right person in a secure manner" when they locked him up in jail and left him there. He evidently requested to see the mayor, and when the mayor arrived, gave him the password. Unless that isn't the way it went, I don't really see what else he could have done.
Again though, I haven't read a good article that had significant details in it, just crappy links from /. and short articles that had few details. I want a time line, a copy of the relevant rules, links to a transcript of the court sessions etc :P
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Prosecutors, judges and juries all consider intent. Making a mistake is not the same as malicious action. True, there are times when it's difficult to tell. This isn't one of them.
Eagles may soar, but weasels don't get sucked into jet engines.
He did 2 just waiting for court let him out now and give him the time that he did.
'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways.
Setting up and configuring system where they have sole access, locking out the actual owner of the system, arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision and by the way anyone who thinks a network engineer should have the authority to lock whoever he wants out of the system, based entirely on his own discretion, is incompetent), and then refusing to provide system access when he was assigned other responsibilities not dealing with locked system, then repeatedly refusing to provide the information even after being imprisoned? Really? Thousands of IT workers guilty of that?
Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?
Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.
You got an upstart sysadmin who went on a powertrip and thought he was smarter then anyone else and therefor above any laws that only apply to lesser people.
This is not uncommon with people who are highly intelligent but not to well versed in social skills. Not so much nerds but Mensa people. Like that reiserfs guy, thought he could get away with murder because he was smart and the police is dumb, they must be because they ain't him.
Your assessment is 100% right and he had no call to judge the people asking for access to be unsuitable. His opinion simply did not matter at that time. It is like when a cop with a dog tells you to get down on the floor. That is not the time to start an argument. That is the time to get down on the floor and become part of how the justice system works, injustices included and part of the system, sucks to have it happen to you.
If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal, and then do as you are told and get the fuck out of there.
Do not argue with the system, you are not smarter. Do you know how you are not smarter then the system? If you think arguing with the system is a good idea.
Childs is an idiot and yes, idiots go to jail. lets see him argue with Bubba about access to his ass.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
You've got to be kidding. Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime?
What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.
The rules that apply to us DO NOT apply to rich people. Stop believing for one second that they do. Look at some black dude that goes to jail for 3 years for stealing bread vs. the Wall Street banksters that steal billions and get multi-million dollar bonuses.
Marc Rich was convicted of tax evasion, and fled to Switzerland. It took $250,000 in donations to Bill Clinton for him to pardon him on his last day in office.
There is no justice, all there is is how much money you have to spend to grease the wheels of the system.
Only way I see you being "at risk" is if you are an asshole, or the policies are extremely unclear. In the event of the second case, well then take it upon yourself to get them clarified.
Personally, I'm not worried. Here our policy is that various critical information, including things like root passwords, has to be kept in a safe. My boss is responsible for all that. Also, all our IT staff has the passwords for everything (in theory, there are some I can't remember because I never use them). So, I'm not worried about a situation where I have sole access to a system an am being pressured to divulge the password. They are stored in a location per policy, and the people who can access them are specified by policy. All I need to do is look at the policy and make sure I follow it, and also make sure that should I set up a system that uses a special password for some reason, it gets documented.
Always remember: They aren't your systems, it's not your network. They belong to the organization that you work for. That means said organization gets to decide who gets what access. You can, and should, have input on that policy, but you can't unilaterally declare that you are the only one.
IMO, he got what he deserved, and nobody else has anything to worry about unless they plan on breaking the above rules. (Especially #3)
You're breaking rule #3.
These are pretty good.
When you're afraid to download music illegally in your own home, then the terrorists have won!
I mean the keeping of a backup with heavy encryption is certainly defensible. After all you might want to make sure you have the configurations in case you are away on vacation and get a panicked "Oh my god we blew up the network!" call. Of course you would want said data heavily encrypted, in case your laptop was stolen.
However when those are the ONLY copy, other than the running config? Hell no, that is a blatant attempt to lock others out. Reliability of the service must always come first. So for one, the configs should be stored on the system flash. There's no security risk there, to get at that you either have to have enable access to the system, or be at it physically. In either case you can already do what you want. Also, I'd want other backups stored on a local configuration server somewhere, in case a switch just shit itself and you had to restore to a completely new one.
The only result of the situation he set up was to make everything critical on him.
SF is criminally stupid, that's all there is to it. They've wasted taxpayer money over a case that should never have been brought.
Their own employees and contractors caused a ton of downtime trying to get control of the network. If they'd left things alone there wouldn't have been any downtime.
Not to mention they violated they guy's constitutional rights over something that could have been resolved amicably within 24 to 72 hours.
Instead, they acted like a totalitarian regime and threw the guy in jail to break his will to resist.
It's the people in charge of SF that should be prosecuted not this guy.
Did he act like a damn jerk? You Bettcha! Did the city act like Ioseb Besarionis dze Jughashvili in 1936-1938? Heck yeah!
Anyone in IT should be worried about ending up like this guy if they anger the SF city government in any way, this could be one heck of a bad precedent.
Semper Fi Comrades
"but it was bought and paid for by the City of San Francisco"
Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.
Paid through our tax money, which also means it was paid for through *HIS* tax money.
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
So, for instance: yes, your taxes pay the wages of the police. This doesn't mean you get to boss them around.
Your taxes pay for the schools, but that doesn't entitle you to decide the curriculum.
Your taxes pay for government infrastructure, but that doesn't mean you can micro-manage the government.
That's not to say citizens in the US (or anywhere else, for that matter) have no stake in the government or its affairs - but the money paid in taxes has nothing to do with that. We have a stake in our government because the operation of the government affects our lives, in the short term and the long term. Would this stake not still exist even if the government could somehow operate without taxing its citizens? IMO bitching about "the taxpayers' money" is just a cheap way to get the attention of people who would otherwise not care.
Bow-ties are cool.
Ummm that was way, way later in the proceedings. Read the news stories about it and BengalsUF's information. It wasn't like the came in to his office one day and arrested him. He was, repeatedly, asked for access and he wouldn't give it. He had created an extremely locked down system that only he could get in to. He refused to give others access, and gave out false passwords to try and throw people off. Finaly yes, it came down to a "You hand it over or we arrest you." He wouldn't so they did.
I would never hire anyone for a technical role who would give a password to an unauthorised person, including their boss (assuming they're not authorised to receive it).
Don't worry, you probably won't be hiring anyone until you stop calling yourself shitdrummer.
Actually, this is the best thing I've read on the subject, by far.
When you're afraid to download music illegally in your own home, then the terrorists have won!
Wasn't the mayor his boss? I seem to recall that it has been stated many times that Childs would have given the passwords to the mayor and the mayor only just as he has been told to do. Unless new facts in regards to this have come to light then it is my opinion that he was doing his job.
Random Thoughts From A Diseased Mind (Not For Dummies)
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
You are completely wrong on this point. You are entitled to decide how it is used. How much worse would government be if they could just do whatever the fuck they wanted with tax money with absolutely no opposition whatsoever? Pessimists and/or cynics will say that that is already the case, but even now there are at least *some* people fighting things they disagree with for whatever reason.
You do have a say in how government resources are used because it is your money. Use the boxes - soap box, ballot box, jury box, ammo box (in that order).
Random Thoughts From A Diseased Mind (Not For Dummies)
"I know no method to secure the repeal of bad or obnoxious laws so effective as their stringent execution." - Ulysses S. Grant
[End Of Line]
He doesn't work there.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
He plays peek-a-boo with the passwords and then tries to play Lord God of the network, as if he answered to no one. This guys gives other sysadmins a bad name. He was a Class A jerk. Perhaps he got bad advice from someone, but odds are very high his arrogance brought him down. Nothing new - it happens in all venues (entertainment, sports, business, etc.). I also blame management for letting it get to this point. It should never have been to the point where only he knew the passwords. They should be reprimanded as well unless he unilaterally changed them without their knowledge. Then he definitely deserves to be punished. What a jerk.
Yes, you are. They are not your property, and never were.
It didn't come down to "You hand it over or we arrest you" it came down to Terry getting ready to flee the state without telling anyone the passwords and the police having to arrest him to make sure he didn't.
Building keys != sys admin passwords.
Back when I left Boeing, I gave my replacement the passwords (root and others) for all the systems I was responsible for. Plus instructions on changing them as well as revising some configuration settings that directed system maintenance messages to my personal pager. For four years thereafter, I'd continue to get messages for various system events. Inspection of the message headers indicated that they had never disabled my various system accounts from which these messages originated. I never tried to log on, but I'm willing to bet that my passwords were never changed.
My problem? I doubt it.
Have gnu, will travel.
Could I please have your password?
This seemed like a reasonable sig at the time.
Pretty interesting interview with one of the jury members, who appears to understand the issues. Terry Childs juror explains why he voted to convict
The juror lays out the legal issues pretty effectively, and makes a compelling case for conviction on those issues, while also discussing the incompetence of the city's IT department. Apparently he does not believe in jury nullification.
Personaly I disagree with the outcome on the basis that I think the City of San Francisco illegitimately used its combined capabilities as employer, and owner of a court system and police force to escalate a civil employment matter into a criminal case, and then jailed a man for 2 years pre-trial on a laughable pretext. But I appreciate this juror's willingness to discuss the issues.
Remain calm! All is well!
That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them
The home town boy, the white bread kid, escaped the noose. The black man was lynched.
That has always been the reality of jury nullification - and the geek - the outsider, the prick, the wierdo - who looks to nullification for his salvation is a a god-damned fool.
I'm not in the US, so I can't really talk about US bank security. But there is a difference between customer security and internal security.
I'm dealing with systems that entire banking sectors use to transfer funds between each other. Many billions of dollars passing through these systems daily.
Compare the risk associated with those systems to the risk of a customer losing thousands (even hundreds of thousands) of dollars. Many banks choose to wear the risk of fraud to make customer interaction easier. Not saying it's right or not, but there's always a trade off.
Look at the way some banks (particularly in the US) hand out credit cards. They know that some people aren't going to pay their bills but they calculate (correctly) that the percentage of defaults will be low enough that the overall business will be profitable. They could get tougher with their customer selection criteria so that virtually noone defaults, but they realised they can make more money this way.
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
That's pretty effin' funny, given that this country was founded after a revolution based on the simple concept of being taxed but not receiving representation in exchange.
So, uh, yes- if you're taxed, you damn well do get a stake in deciding how it is used here in the US. Fun fact: in the state where the revolutionary war started (MA), we have "town meetings"- and they're not the kind of Town Meeting you see politicians holding, which are basically just "get some people in a high school gym and have them ask you some questions."
No, see: town meetings are where the town (anyone who wants to show up) debates and votes on damn near everything from policies to budgets. The rest of the year, the town is run by a town council, also elected.
It's impressive to see an entire basketball court full of chairs, and 15+ rows on each side, full of town residents. Democracy in action.
Please help metamoderate.
Terry Child's crime was being a borderline psychotic control freak, ensuring that no one other than himself had access to any system and that they could not easily recover the system and then refusing to turn over any of the passwords or configuration.
This was not a system designed to resist sustained viscious attack. Apparently the switches all came back up from a power cut without any configuration and he was the only person who knew where the configurations or how to decrypt them. You could guarantee major downtime for the city just by cutting the power and hitting this guy with a crowbar.
Then - there's no nice way to put this - you are an idiot.
There are established protocols for preventing this situation for coming up in the first place. Well, actually they're there in the event of you getting run over by a bus but they'd work just as well if you got fired.
The established protocol is that the passwords are encrypted and a brief written explanation for how to decrypt them (be it key, file or passphrase) is kept somewhere secure such as a bank deposit box or in a sealed envelope in a safe to which few others have access.
Yes, it does open the organisation to a certain degree of risk. But the risk is substantially lower than setting things up so that if you get run over by a bus, your former employer is totally screwed.