Slashdot Mirror


Rough Justice For Terry Childs

snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"

31 of 418 comments

  1. If I were taking an IT Admin position... by Phrogman · · Score: 5, Insightful

    I think I would want to draft up a very clear - and legally binding - agreement that I would want my superiors in management to sign on behalf of the company. It would spell out in specific details, the security policies, security review process, enforcement etc. It would absolve me from prosecution unless I violated any of the very specific rules that were listed. If my superior changed, they would have to sign the document when they took up their position etc.

    I wouldn't likely get the job, they'd hire someone who wasn't so paranoid, but I don't think I would want to take a job where if someone in management decided to break the rules, and I tried to apply those rules for the sake of ensuring I didn't violate the trust that had been placed in me, then I wasn't liable for prosecution either way, like Childs was.

    Now, he could have handled things differently I am sure, but he might have been prosecuted either way from what I have read so far. I would like more details in an objective report on the situation.

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    1. Re:If I were taking an IT Admin position... by SteveFoerster · · Score: 5, Insightful

      I wouldn't likely get the job, they'd hire someone who wasn't so paranoid

      That's crazy -- who wants a system administrator who isn't paranoid?

      --
      Space game using normal deck of cards: http://BattleCards.org
    2. Re:If I were taking an IT Admin position... by SanityInAnarchy · · Score: 4, Insightful

      You have a boss who makes the rules, if your boss later tells you to break the rules then you do it.

      Just like Enron's accountants?

      Sorry, no. If your boss later wants to change the rules, there's likely a procedure in place to do so, but they can't simply do that by fiat. That's the whole point of having a policy in the first place.

      --
      Don't thank God, thank a doctor!
    3. Re:If I were taking an IT Admin position... by __aasqbs9791 · · Score: 5, Insightful

      Changing the rules isn't always the same as breaking the law. If your boss tells you to never give out passwords, and then asks you for a password, and when you refuse says he's changing that rule, it is a whole different thing than your boss ordering you to break a law regarding financial accounting laws. Especially if that boss was the owner of the company (which isn't the case in either your example or Childs', of course).

      Though I've seen so many different things on this case I'm not sure where I stand. It seems to depend on the specifics. If the rules were such that it actually said he couldn't release the passwords except to the Mayor himself in person then I'm probably on his side. But otherwise someone like the Mayor likely does many things by proxy, so he may have just been acting the fool (to quote Judge Joe Brown). The devil's in the details I guess.

    4. Re:If I were taking an IT Admin position... by Anonymous Coward · · Score: 4, Insightful

      Just like Enron's accountants?

      If you're not comfortable doing what you're told, then quit. (Or, in the case of Enron, go to the SEC or whatever.) Even if you believe that all people have a right to a job, nobody has a right to a particular job.

      Sorry, no. If your boss later wants to change the rules, there's likely a procedure in place to do so, but they can't simply do that by fiat. That's the whole point of having a policy in the first place.

      It's a great theory, but it's also hopelessly naive. The rules don't apply equally to everyone. It sucks that the world works this way, but it does, and that's never, ever going to change. Behaving as if the rules your boss tells you apply equally to him is an exercise in frustration, and also a good recipe for getting fired. Or, as in this case, sent to jail.

      That's politics, my friend, and any time you have more than two people in a room you get politics. There is no avoiding it. Which is why policies and procedures are worthless. The people who write them can change them any time they choose. They can be enforced selectively or not at all. And you can be accused of not following a procedure, even though you did, because the person interpreting the procedure is the same person who wants to punish you for some other reason.

      Seriously, learn from my experience in corporate America. (Which, I am told, is nothing compared to the politics that goes on in public service jobs, and I'm not even talking about politicians.) This is the way the world works. The good news is that you don't have to be an active participant, and in fact taking the passive approach makes your life easier in many ways. But you do have to be aware of it, and Childs was not. Either that or he very badly overestimated his clout with the mayor (it's probably a combination of the two).

    5. Re:If I were taking an IT Admin position... by green1 · · Score: 4, Insightful

      If, after you've been fired, you refuse to disclose the passwords necessary for your successor to do your job, then it is no longer something they can simply "fire" you for, (as you no longer work there) so it becomes something you need to take to court, not "theft" in this case, but "denial of service" because his action of refusing to release the passwords denied them access to administer those systems.

    6. Re:If I were taking an IT Admin position... by LurkerXXX · · Score: 4, Insightful

      The problem is, you want someone who is paranoid AND smart. The guy was incompetent. If you are in charge of vital machines' passwords, you make sure the passwords are written down and stored in a secure location (like a bank safety deposit box, etc) and available to an authorized person in case you are hit by a bus, etc. This wasn't done. If it had been done properly, he wouldn't be facing any jail time or even charges.

    7. Re:If I were taking an IT Admin position... by Vellmont · · Score: 4, Insightful


      That's crazy -- who wants a system administrator who isn't paranoid?

      I don't want system administrators who are paranoid. I want system administrators who understand what risk is, what the real risks are, and are able to weigh one risk against another. Being paranoid usually entails the inability to weigh risks, since you think "everyone is out to get me". Anyone who can't weigh risks against another is a fool.

      --
      AccountKiller
    8. Re:If I were taking an IT Admin position... by Vellmont · · Score: 5, Insightful

      I guess I don't find it funny because I know paranoid system administrators, and they do indeed suck at what they do.

      --
      AccountKiller
  2. Not trying to be a troll here, but... by andrewme · · Score: 4, Insightful

    Not trying to be a troll here, but... and maybe I'm not understanding the whole case correctly. I've followed the articles on Slashdot for a while. In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever. You do, however, give passwords to your superiors when asked. Always. They hired you, after all. They are your bosses. If I hire a security guard for my building, he'd damn well better give me the key if I decide to fire him, or if I get locked out, or both. You don't hide data from your superiors, plain and simple, however *technologically* less advanced they might be. Maybe the city is making a mountain out of a molehill; I'm really not qualified to comment on that, since I don't know as much about the case as some of the people on here will. Honestly, though, my original point: you get hired by someone, you do what they want to do, provided it isn't illegal. I highly doubt that giving someone the password or passwords to their own systems would have been the wrong thing to do.

    1. Re:Not trying to be a troll here, but... by George+Beech · · Score: 4, Insightful

      No that's a twist on what happened to suit the ideas of slashdot. What happened was he was locked up and said "I'll only give these passwords to the Mayor" Now what he was required to do by the state policy was provide the passwords to Information Security for inclusion in the central password management database due to them being production passwords. He obviously did not do this as none of this would have happened if he did.

    2. Re:Not trying to be a troll here, but... by beakerMeep · · Score: 4, Insightful

      People keep saying this but where's the proof? I haven't seen any evidence of such a policy. But I admittedly have only been partially following the case.

      From: http://www.ktvu.com/news/23283217/detail.html (emphasis mine).

      Childs reportedly had a fractious relationship with some of his coworkers, attorneys on both sides said. He testified at trial that he never intended to harm the network but said that other employees, including his supervisors, were not qualified to have the passwords. Childs claimed he was merely following established industry guidelines for password protection. "You do not ever give up your username and password," Childs said.

      That doesn't sound like you make it sound. Industry guidelines are not the same as company/government policy.

      To be honest I think the Slashdot community is wrong to defend this guy. He sounds like an ego-maniac driven not by security, but by the sys-admin God complex. However, that's just what I think, and I could be wrong. Sans the full transcript of the trial it's really hard to say what happened. I'd love for groklaw to take a look at it too. They probably need a break from SCO shenanigans. :)

      --
      meep
    3. Re:Not trying to be a troll here, but... by Sycraft-fu · · Score: 4, Insightful

      Also they weren't asking for HIS username and password, they were asking for THE username and password. There is a difference as any competent sysadmin should know. I won't give up my password to any systems here at work. Policy requires that I do not. However my password is only for my accounts. There are other accounts I have the password for, that are not mine, shared accounts. There would be root on the UNIX systems, the local administrator account on the Windows systems, the enable password on the switches, the SA password on the DB server, and so on. There is only one of those accounts (and in the case of things like root, can only be one). It isn't my password on them, it is a password all the IT staff share. That password isn't something I can change to one only I know and refuse to give out, I'd get in trouble for that.

      Big, big difference. Had the city said "We want your password to log in to your personal e-mail account and bank account," well ya, I'd be supporting him for saying no. However they wanted the system passwords for various devices and services that have but one master password. If those passwords were the same as his personal password that is bad security practice on his part, however there is still a solution: Change the passwords and give them the new ones (or change the password on your account).

    4. Re:Not trying to be a troll here, but... by TENTH+SHOW+JAM · · Score: 4, Informative

      If the superintendent of a school district says - "What's the password for root on the server?" You tell them.

      No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.

      --
      A sig is placed here
      To display how futile
      English Haiku is
    5. Re:Not trying to be a troll here, but... by MushMouth · · Score: 5, Informative

      According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
      He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.

      On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.

    6. Re:Not trying to be a troll here, but... by Jah-Wren+Ryel · · Score: 4, Insightful

      No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.

      I disagree. The decision to put passwords in a safe in the first place is above his pay-grade.
      It seems nobody instructed him to do so, so you can't blame him for not following a procedure that didn't exist.
      If anything, the blame lies on his superior(s) who failed to adequately implement a "sysadmin gets hit by bus (or fired)" plan.

      --
      When information is power, privacy is freedom.
    7. Re:Not trying to be a troll here, but... by LurkerXXX · · Score: 4, Insightful

      Sorry, No. It's the job of any competent admin to make sure necessary passwords are safely stored in a location where they are available to others they will be needed by in the case he is hit by a bus. It's not above his pay grade. It's a minimum common sense necessity obvious to anyone who should be allowed to run production systems and call themselves a sysadmin.

  3. Heading this off--see link to juror by Anonymous Coward · · Score: 5, Interesting

    The juror has been interviewed some already, and is even on /.

    I had many bad assumptions myself. But if the juror is being at all truthful...this guy did some bad things.

    @see http://yro.slashdot.org/comments.pl?sid=1633482&cid=32010078

    1. Re:Heading this off--see link to juror by bartle · · Score: 4, Insightful

      Exactly. Quoting from this post on Slashdot:

      As to these configuration backups, Mr. Childs kept these on a DVD he kept with him at all times. Furthermore, this DVD was encrypted and could only be decrypted using his laptop (as the encryption program required not only a password, but access to a specific file that existed on the laptop).

      Can these actions be defended as anything other than job security? Unless someone has reason to think that BengalsUF is getting the story wrong, why is there so much popular defense for this guy?

  4. ugh by nomadic · · Score: 4, Insightful

    'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways.

    Setting up and configuring a system where they have sole access, locking out the actual owner of the system, arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision and by the way anyone who thinks a network engineer should have the authority to lock whoever he wants out of the system, based entirely on his own discretion, is incompetent), and then refusing to provide system access when he was assigned other responsibilities not dealing with the locked system, then repeatedly refusing to provide the information even after being imprisoned? Really? Thousands of IT workers guilty of that?

  5. The case is very simple by SmallFurryCreature · · Score: 4, Insightful

    You got an upstart sysadmin who went on a powertrip and thought he was smarter than anyone else and therefore above any laws that only apply to lesser people.

    This is not uncommon with people who are highly intelligent but not too well versed in social skills. Not so much nerds but Mensa people. Like that reiserfs guy, thought he could get away with murder because he was smart and the police is dumb, they must be because they ain't him.

    Your assessment is 100% right and he had no call to judge the people asking for access to be unsuitable. His opinion simply did not matter at that time. It is like when a cop with a dog tells you to get down on the floor. That is not the time to start an argument. That is the time to get down on the floor and become part of how the justice system works, injustices included and part of the system, sucks to have it happen to you.

    If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal, and then do as you are told and get the fuck out of there.

    Do not argue with the system, you are not smarter. Do you know how you are not smarter than the system? If you think arguing with the system is a good idea.

    Childs is an idiot and yes, idiots go to jail. Let's see him argue with Bubba about access to his ass.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:The case is very simple by nomadic · · Score: 5, Informative

      The way I read it, he was following the policy (law) to the letter.

      He was required to store system passwords in a central repository. He violated the policy by failing to do this.

  6. Re:The sky is not falling. by Ossifer · · Score: 4, Insightful

    In appropriate words: don't lie about your violent past, don't harass the person employed to do your background check, don't give false passwords to keep your boss' boss off your trail, don't admit to your co-worker that you're going to screw over your employer if they fire you, and most of all don't come afterward with the lame excuse of being the only IT God on the planet such that only you could ever possess the keys to the kingdom.

  7. Equal application of justice??? LOL by CPE1704TKS · · Score: 5, Insightful

    You've got to be kidding. Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime?

    What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.

    The rules that apply to us DO NOT apply to rich people. Stop believing for one second that they do. Look at some black dude that goes to jail for 3 years for stealing bread vs. the Wall Street banksters that steal billions and get multi-million dollar bonuses.

    Marc Rich was convicted of tax evasion, and fled to Switzerland. It took $250,000 in donations to Bill Clinton for him to pardon him on his last day in office.

    There is no justice, all there is is how much money you have to spend to grease the wheels of the system.

  8. Re:Before everybody gets their shorts all twisted by Anonymous Coward · · Score: 5, Insightful

    You're breaking rule #3.

  9. SF is criminally stupid by unix_geek_512 · · Score: 4, Insightful

    SF is criminally stupid, that's all there is to it. They've wasted taxpayer money over a case that should never have been brought.

    Their own employees and contractors caused a ton of downtime trying to get control of the network. If they'd left things alone there wouldn't have been any downtime.

    Not to mention they violated the guy's constitutional rights over something that could have been resolved amicably within 24 to 72 hours.

    Instead, they acted like a totalitarian regime and threw the guy in jail to break his will to resist.

    It's the people in charge of SF that should be prosecuted not this guy.

    Did he act like a damn jerk? You Bettcha! Did the city act like Ioseb Besarionis dze Jughashvili in 1936-1938? Heck yeah!

    Anyone in IT should be worried about ending up like this guy if they anger the SF city government in any way, this could be one heck of a bad precedent.

    Semper Fi Comrades

  10. The "taxpayers' money"... isn't. by Tetsujin · · Score: 5, Insightful

    "but it was bought and paid for by the City of San Francisco"

    Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.

    Paid through our tax money, which also means it was paid for through *HIS* tax money.

    The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.

    So, for instance: yes, your taxes pay the wages of the police. This doesn't mean you get to boss them around.
    Your taxes pay for the schools, but that doesn't entitle you to decide the curriculum.
    Your taxes pay for government infrastructure, but that doesn't mean you can micro-manage the government.

    That's not to say citizens in the US (or anywhere else, for that matter) have no stake in the government or its affairs - but the money paid in taxes has nothing to do with that. We have a stake in our government because the operation of the government affects our lives, in the short term and the long term. Would this stake not still exist even if the government could somehow operate without taxing its citizens? IMO bitching about "the taxpayers' money" is just a cheap way to get the attention of people who would otherwise not care.

    --
    Bow-ties are cool.
  11. Re:Before everybody gets their shorts all twisted by shitdrummer · · Score: 4, Insightful

    I would never hire anyone for a technical role who would give a password to an unauthorised person, including their boss (assuming they're not authorised to receive it).

  12. Re:Before everybody gets their shorts all twisted by ClosedSource · · Score: 5, Funny

    Don't worry, you probably won't be hiring anyone until you stop calling yourself shitdrummer.

  13. Re: Initiative by biryokumaru · · Score: 5, Informative

    Actually, this is the best thing I've read on the subject, by far.

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
  14. interview with the network engineer on the jury by 0WaitState · · Score: 5, Insightful

    Pretty interesting interview with one of the jury members, who appears to understand the issues: "Terry Childs juror explains why he voted to convict".

    The juror lays out the legal issues pretty effectively, and makes a compelling case for conviction on those issues, while also discussing the incompetence of the city's IT department. Apparently he does not believe in jury nullification.

    Personally I disagree with the outcome on the basis that I think the City of San Francisco illegitimately used its combined capabilities as employer, and owner of a court system and police force to escalate a civil employment matter into a criminal case, and then jailed a man for 2 years pre-trial on a laughable pretext. But I appreciate this juror's willingness to discuss the issues.

    --

    Remain calm! All is well!