Juror Explains Guilty Vote In Terry Childs Case

alphadogg writes "Terry Childs, the San Francisco network administrator who refused to hand over passwords to his boss, was found guilty of one felony count of denying computer services, a jury found Tuesday. Now, one of those jurors (Jason Chilton, juror #4) is speaking out in an interview with IDG News Service's Bob McMillan: 'The questions were, first, did the defendant know he caused a disruption or a denial of computer service. It was rather easy for us to answer, "Yes there was a denial of service." And that service was the ability to administer the routers and switches of the FiberWAN. That was the first aspect of it. The second aspect was the denial to an authorized user. And for us that's what we really had to spend the most time on, defining who an authorized user was. Because that wasn't one of the definitions given to us.'"

Take some time and think

[Concern]

As someone who saw through Terry Childs early on, I found myself in the minority here. I took one of my first big karma beatings just pointing out a few ways how this narrative of him being a idealistic professional locked up by his evil, stupid bosses was pretty obviously not possible, even just looking at the bare facts.

What struck me was the way so many of us in the industry instinctively acted out our prejudices, made assumptions, hunted out any shred of fact that supported him (selective and misleading quotes from the CA rulebook, for instance), and even assiduously avoided rational counterarguments and conflicting evidence.

And now here we are at the end of the trial. The evidence is utterly damning. Long before he was fired, he was asked by someone for access to these systems and refused. We know he knew the guy (his boss' boss) was authorized, because there's written evidence in Childs's own emails to that effect. There was no moral justification for what he did. He was just being a criminal, the same as if someone you trusted locked you out of your computer.

Just read:

Thanks for your comments, I hope I can address them all. First, he was not fired before asked for access to the FiberWAN. And there's a big distinction there -- not only was he asked for passwords, he was asked for "access". I can understand not giving up your personal username and password, but also not allowing anyone else there own access is entirely different. However, he did go into this meeting knowing that he was being "reassigned", so I'm of the frame of mind that he actually thought he was being fired. After a long period of different claims -- including that he didn't remember them, that he himself had been locked out of the system for three months (even though he was working on it that morning), providing incorrect passwords -- he was placed on administrative leave. He was even scheduled to have a meeting the next week with the CTO of the city to discuss the matter. However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.

I think this is a good moment for all of us to reflect on how rallying around this lying criminal stained our profession, and how we should practice the same objectivity with ourselves and those "in the downtrodden world of IT" that we expect in others.

Re:Take some time and think

[BlueBoxSW.com]

I tend to agree.

I don't see this as one of our own being unjustly persecuted.

I see bad behavior combined with a smug sense of self-importance causing real damage and being properly punished for it.

The real question is later, after he finishes whatever jail/house arrest/probation period, who will hire him?

Will those that defend him here find a way to bring him onboard at their organizations?

Re:Take some time and think

You were making assumptions like everyone else by assuming you had enough facts to declare him guilty. There were plenty of people claiming he was innocent, but a lot of the conversation was speculative, and there's nothing wrong with that. Now that the trial is done we have access to more facts, so just because you guessed right doesn't make you smarter.

As far as "lying criminal," even the juror said it would have been better if it was just handled internally, but it wasn't. So yeah he lied and he was found guilty, but it went way too far as a direct result of bad decisions by both him AND the city. So I think you're being really harsh about it. You've said why you think other people were emotionally invested in finding him innocent, but from your multiple posts on it you seem to have been to be emotionally invested in finding him guilty.

Re:Take some time and think

[Omnifarious]

When a jury reaches a verdict, I usually give them the benefit of a doubt. They saw the trial, I didn't.

But I will not hesitate to defend someone again when it seems like they might be wrongfully accused. Far too often people are thought of as guilty just because they are charged. The state should have to make its case against a vigorous and heated defense. Being convicted in the court of public opinion can be quite damaging to someone, and there is no recourse. I'm happy to have that conviction happen after the real one instead of before.

Re:Take some time and think

[gabereiser]

We may find that in his sentencing, he may be barred from doing that line of work in the future. I don't think anyone would hire him in an IT department after doing a simple background check on him (this being a felony would definitely show up). So the question I propose is, was it worth it? I know a lot of IT Admins that have this "Holier than thou" attitude and unfortunately for Mr. Childs, it bit him where it hurts.

Re:Take some time and think

[drinkypoo]

You were making assumptions like everyone else by assuming you had enough facts to declare him guilty. There were plenty of people claiming he was innocent, but a lot of the conversation was speculative, and there's nothing wrong with that. Now that the trial is done we have access to more facts, so just because you guessed right doesn't make you smarter.

I know that I defended him on the basis of his being fired before being asked for the passwords, which was what was in the news. Goes to show both that the media was not his enemy, and that listening to the media is dumb. Sorry for being dumb, not sorry for defending an apparently hypothetical Childs who didn't exist.

Re:Take some time and think

[Omnifarious]

I see bad behavior combined with a smug sense of self-importance causing real damage and being properly punished for it.

Interestingly, that could describe Hans Reiser has well. I think it's the disease of our profession.

I would be willing to hire him, though I think maybe I'd want to review the case and work history a little more before making that decision. I would just make it very clear to him that he did not have sole authority over the network and make sure that others always had access.

Re:Take some time and think

[MikeBabcock]

Notably the jurors weren't given a definition of authorized persons. I'd say that's pretty substantial to his own defence as I recall.

If you don't feel that anyone is properly authorized to receive the information you possess or that it will cause harm, then "just do it, its your employer" isn't good enough.

Re:Take some time and think

[Loser4Now]

It's my understanding his boss's boss asked for the passwords over an intercom, with police and HR present. The boss's boss was authorized, those others, not so much.

I think Terry fscked up. I think he should have been fired. I don't think he should have served 2 years, with the probability of 3 more plus a lifetime stain of FELON for being a paranoid system admin. And apparently I'm not the only one.

My least favorite part about this whole trial is that they removed a guy who was going to vote not guilty. It doesn't matter why he was going to vote not guilty. They decided they didn't like his verdict, and replaced him. Talk about a fscking miscarriage of justice.

Re:Take some time and think

[Coren22]

I would have to agree to that. Authorized in this situation should have been defined from the beginning. Childs worked on his own definition of authorized as that was never given to him either. Did he fail to give the passwords to the person he felt was authorized? I thought the Mayor got the passwords in the end, so how did he not deliver them to an authorized person?

Rhetorical questions, not directed at you, just stating that they haven't been properly answered yet.

Re:Take some time and think

[Concern]

That's what I would call "false balance" or the desire to create equality or parity where none exists.

His story didn't make sense. I didn't need to rely on any assumptions to point out how. You only need to actually read the rules that everyone loved to reference without reading themselves to see how unlikely his story was to be true.

If you look back at my posts - please do - you'll see that all I did was point out the ways the story obviously didn't make sense. I have no emotional investment in Terry Childs - other than wishing he really wasn't guilty, because when one person in our profession behaves as badly as I feared he did, it affects all of us.

As often happens when you use your common sense instead of your emotions, you are more likely to be right. That's all that happened here. And if you're denying that, be my guest. But I'm going to point out that you're missing an opportunity to learn something valuable about yourself.

Re:Take some time and think

[gnasher719]

If you don't feel that anyone is properly authorized to receive the information you possess or that it will cause harm, then "just do it, its your employer" isn't good enough.

He was told "you are not looking after our FiberWAN network anymore, someone else is. Hand over the keys so that your successor can do their job". He used to be properly authorised because it was his job to look after the network. If the company gives the job to someone else, that person is then authorised. If he doesn't feel that his successor is authorised then this feeling is completely irrational. This wasn't about authorisation, this was about one man deciding that he deserved the power to look after his network, and nobody else did.

Unfortunately, he didn't just grumble and moan and complain, he actually took action. He actively prevented _anyone_ from accessing "his" network. On a personal level I can understand how this happened, and unsympathetic or clumsy employers probably didn't help, but the fact is that his actions were highly illegal.

Re:Take some time and think

[Concern]

Leaving a company locked out of their equipment is not leaving them in working order, nor does it constitute a "lack of damage."

If you can be that wrong, there's not much point in addressing the other ways your "interpretation" of the facts is wrong.

Re:Take some time and think

[MikeBabcock]

Agreed entirely.

I thought the definition of authorized persons was the most important part of the case.

Failing to establish that, I'd have to find him not guilty.

Re:Take some time and think

[nedlohs]

Hans Reiser is just another inept murderer, the fact that happened to be good at something else is irrelevant.

I really don't think murdering your spouse is a common trait in the computing professions.

Sysadmins acting like they "own" the equipment, and programmers acting like they "own" the code is however, common enough. But I think that's much more universal than computing.

I suspect other people who work with one thing closely have the same "attachment". Drivers and "their" truck/bus/etc (ignoring independent owner/drivers of course who do have that claim).

Re:Take some time and think

[phantomfive]

As someone who saw through Terry Childs early on, I found myself in the minority here. I took one of my first big karma beatings just pointing out a few ways how this narrative of him being a idealistic professional locked up by his evil, stupid bosses was pretty obviously not possible, even just looking at the bare facts.

There were lots of people on both sides all along. Here is one guy, modded up to +5. If you find yourself getting modded down, it's probably because you come across as an angry old man, and I say that in the kindest possible way. For example, in this comment you say:

You know, babyish insults kind of give up that you are a baby, David. And what's moronic? Contradicting yourself in a written medium like this, when it's so obvious. People generally read these in chronological order, you know.

Not cool, it looks a lot like flamebait. Also, in your present post you come across as sounding like, "haha I was right, you were wrong!!!! Suck it losers!!!!" A lot of your posts sound like that, actually. You should work on that.

Re:Take some time and think

[jollyreaper]

Interestingly, that could describe Hans Reiser has well. I think it's the disease of our profession.

Oh, please. It's called being human. We're naturally more inclined to distrust those different from us and trust those who are like us. Grifters will prey on their own ethnic groups because there's naturally less suspicion. A black man is going to scam other blacks more successfully than whites. A white woman is going to scam other whites easier. And if you share a religion, why, that makes you all the safer! Because no good Christian would ever scam another Christian. And it's always easier to find sympathy for a pretty person than for an ugly one. Human nature.

As geeks, we're naturally willing to give Hans the benefit of the doubt because we identify with him. It takes time to read the case and realize just how screwed up the guy is. Bernie Madoff got away with what he did for so long because Jews weren't expecting to get fucked over by a pillar of their community. Christians have a lot more experience with that sort of thing. Likewise, other rich people weren't expecting a fraud from a guy of his pedigree. He was in all the right clubs, he was an outstanding member of the uppper class.

Don't make us geeks out like we're the only stupid ones. There's plenty of stupid to go around here.

Re:Take some time and think

[Angst+Badger]

I think this is a good moment for all of us to reflect on how rallying around this lying criminal stained our profession, and how we should practice the same objectivity with ourselves and those "in the downtrodden world of IT" that we expect in others.

Childs' arguments reminded me of the kind of quasi-legal nitpicking one sees in Slashdot posts almost every day. It's the same kind of thing you see when you have two children in the back seat on a long road trip, and one or both of them are determined to pick a fight, so whatever rules you lay down, they interpret them as literally and selectively as possible in order to violate the spirit of the rule while keeping tenuously to the letter. Child A pokes child B, so you tell them not to touch each other, at which point A pokes B with some object, arguing that he didn't poke B, the object did. Similar rationales come up whenever copyright violations are discussed. It is, no pun intended, childish. Pirate all the mp3s you want, but show enough respect for other people's intelligence (and have enough balls) not to play word games about it.

At the end of the day, Terry Childs threw a tantrum using an exceedingly narrow and selective interpretation of the rules and then didn't have the good sense or maturity to back down before he ran afoul of the law. Your boss asks you to do something? In most cases -- including this one -- you can either do what you're asked to do or quit. And if you quit, walking off with company property, passwords included, is something that you can reasonably expect to be prosecuted for.

I don't think the sentence should be particularly harsh in light of the fact that the defendant is plainly emotionally immature and the level of actual harm done doesn't appear to have risen above the level of nuisance, but Childs is not some kind of innocent martyr in the name of principle, and his conviction does not bode particularly ill for any other IT worker with a modicum of maturity and common sense.

Re:Take some time and think

[RulerOf]

Sysadmins acting like they "own" the equipment, and programmers acting like they "own" the code is however, common enough. But I think that's much more universal than computing.

As sysadmins, we're basically hired to be the ultimate authority on whether or not problem X can be solved with what hardware and manpower is currently under our (sometimes totalitarian) control. As the person employed to manage and/or oversee management of that hardware and software, you should act like you own it, and also inform those who you report to on whether or not the systems are adequate for the task at hand or the task upcoming. Further, if you're fired or replaced, you no longer technically have that authority, and it is most definitely your responsibility to transfer the power that it came with to whoever does at that point.

As sysadmins, we care deeply about the architecture and health of the infrastructure we manage, and especially of those we design and implement. Giving up the keys, as it were, sucks, but unless you literally own the system, it's just the thing you inevitably have to do some day. I'm pretty sure that all of us understand that though. It seems that Childs may not have.

Re:Take some time and think

[pla]

He was told "you are not looking after our FiberWAN network anymore, someone else is. Hand over the keys so that your successor can do their job". He used to be properly authorised because it was his job to look after the network.

"Mr Jones, you no longer fly this space shuttle. Hand the keys over to Bob the janitor. Bob, take 'er up!".

Quite seriously, I would call a city-wide WAN (particularly on the scale of SF) considerably more complex than flying the space shuttle. Even a highly competent network engineer might take months to map the whole thing out starting with nothing but a handful of router passwords.

Being told "give Bob access" and "GTFO" very much count as mutually exclusive instructions.


In his shoes, I probably would have just turned over the passwords and walked out, laughing in the knowledge that I'd get a call in a week begging me to fix the smoking ruins of their network at any price. I can, however, appreciate the sense of misplaced possession in wanting to defend "his" network; I would say that most admins feel somewhat protective of the networks they maintain.

Childs just took it too far. But, so did the city in pressing criminal charges against him.

Re:Take some time and think

[blair1q]

Finding out more of the facts, it's becoming clearer to me that Childs was trying either to get revenge or extort some sort of offer of compensation for releasing the network to its owners' control. You don't go on the lam over a misunderstanding. His behavior in the weeks before the meeting indicates it was contemplated and suggests it was planned. His actions in stalling during and after the meeting, and then his flight, prove he had intent to continue to disrupt the business of the city.

Yesterday I was okay with the verdict and with the idea of "time served" being the extent of the punishment. Today, I'd push for the 5 years.

What I want to know now is why did the trial take so long? And why did it have to go into technical detail? The issue wasn't technological in nature. It was a simple matter of a guy having authority, losing that authority, and refusing to give the tools of that authority back to the owners of the authority. The use of the "denial of service" charge is a bit obtuse, but was sufficient; in truth, there should be a law specifically dealing with intentional refusal to relenquish control of government property, whether it's of any use or not.

Re:Take some time and think

[jeff4747]

As the person employed to manage and/or oversee management of that hardware and software, you should act like you own it, and also inform those who you report to on whether or not the systems are adequate for the task at hand or the task upcoming.

The problem is your "ownership" is derived from management's ownership of that hardware and software. So if they demand access, you do not have the authority to deny it.

A boss can not authorize access to a system that that boss doesn't have authority to access himself. For security reasons they might not have an account or password, but they still have authority.

Re:Take some time and think

[mikael_j]

hilds' arguments reminded me of the kind of quasi-legal nitpicking one sees in Slashdot posts almost every day. It's the same kind of thing you see when you have two children in the back seat on a long road trip, and one or both of them are determined to pick a fight, so whatever rules you lay down, they interpret them as literally and selectively as possible in order to violate the spirit of the rule while keeping tenuously to the letter. Child A pokes child B, so you tell them not to touch each other, at which point A pokes B with some object, arguing that he didn't poke B, the object did. Similar rationales come up whenever copyright violations are discussed. It is, no pun intended, childish. Pirate all the mp3s you want, but show enough respect for other people's intelligence (and have enough balls) not to play word games about it.

Have you ever worked for a large company (let's say 2k+ employees)? I have, and in those environments the main reason IT and dev staff behave in the way you describe is because that's how management behaves and a lot of times it's actually safer to play along with their little power trip game than it is to use common sense. I'm not saying this is what Childs did but I've definitely seen it, PHB comes up with insanely literal interpretation of a corporate policy and everyone just reciprocates by also interpreting the rules to the letter (while ignoring the spirit), a few weeks or months later the first literal interpretation is quietly swept under the rug and everything is working properly again.

An example of this would be a standard fine print clause in the contracts of almost all employees stating that it is their responsibility to see to that they can work for their entire workday which is interpreted by the PHB as a way to force the employees to come to work 10-15 minutes early to log on to their workstations. The employees return the favor by noting that some of them who have been working for the company for a long time don't have that clause in their contracts and the rest also note that there's another clause which states that overtime pay is to paid to employees for all non-scheduled work and that it is calculated in whole hours and rounded up so they all start coming to work ten minutes early and putting in one hour of overtime every day on their timesheets.

Re:Take some time and think

[RightSaidFred99]

You saw the same ridiculous bullshit around the Reiser case. It was obvious he did it even prior to the trial. Afterwards, once the evidence was presented, it was even more obvious. But nerds around here conveniently invented a new standard of evidence for Reiser. I call it the "beyond any possible conceivable (even imagined) doubt and requiring of videotape, DNA evidence, 3 witnesses, and fingerprints left on greasy windows" standard.

Re:Take some time and think

[alan_dershowitz]

The city said and did a lot of things that were fishy and didn't make sense either. You seem to be having trouble with the concept that without all the facts people can legitimately disagree on what the correct outcome should be.

My opinion was influenced by knowing good and well that many companies/managers will screw you over to cover up their own incompetence, which does seem to have been a component of this despite his guilt on one count out of four.

It's pretty damn important to think "what scenarios might have occurred that would indicate this person isn't guilty?" because that's how REASONABLE DOUBT is established instead of "his story is fishy, OBVIOUSLY GUILTY."

Re:Take some time and think

[eosp]

Or just the fact that he didn't make an I-got-hit-by-a-bus contingency plan.

Re:Take some time and think

[jeff4747]

You do realize that not defining who an authorized person was actually helped the defense, right?

Let me put it this way: His boss granted him authorization to the system. If his boss can not authorize people to access the system, then what right does he have to access the system?

Keeping it murky helped the defense, because any logical attempt to come up with a definition would make it absolutely clear that he was in the wrong.

Re:Take some time and think

[BlackSnake112]

There are convicted hackers/crackers (take your pick on term) who have been banned from using a computer or computer like device for X number of years. So I would say, yes the court can bar you from a profession. If you are banned from using a computer, being a sysadmin is kind of difficult.

Re:Take some time and think

[Angst+Badger]

Have you ever worked for a large company (let's say 2k+ employees)? I have, and in those environments the main reason IT and dev staff behave in the way you describe is because that's how management behaves and a lot of times it's actually safer to play along with their little power trip game than it is to use common sense.

I've worked for several with 100k+ employees, and I know exactly what you mean. But part of playing along with their little power trip would, in Childs' case, have reasonably included handing over the passwords, if not immediately, then certainly by the time it became front page news.

One thing I've learned about the power games in large corporations is that you do not ever try to compete with people above you in the hierarchy. It's never a fair fight, partly because the rules are designed to reinforce the hierarchy, but also because those people ended up above you at least in part because they're really, really good at playing the game.

Re:Take some time and think

[frank_adrian314159]

Don't make us geeks out like we're the only stupid ones. There's plenty of stupid to go around here.

Yes, but we (generally speaking) often hold ourselves up as paragons of intelligence and rationality. Just as we laugh at preachers who fall short of their own moral teachings, stupidity that would be cleared if one were being truly rational, is quite heinous when rationality is one of the key attributes we profess. In reality, you are correct - we are all only human. But when we paragons of intelligence and rationality are hoist on our own petard, failing to point out how stupid and irrational we are smacks of hypocrisy. And when we don't point it out, it blinds us not only to our frailties, but to our own hypocrisy.

Re:Take some time and think

[zn0k]

There is. But if you work really, really hard you can prevent that. Password recovery doesn't really recover a password, it just circumvents the login process on boot. So he deleted the configuration from NVRAM (permanently stored) and left only the running-config (RAM, deleted on reboot) in place. Recovering the router would have left the router unconfigured. He had backups of the configs, but they were on an encrypted DVD that could only be read on his laptop as it required a passphrase to unlock, and the presence of a specific file, and he refused to make that available. The log servers he placed into locked containers with holes drilled for cable runs.

And he did some of those things after being asked to hand over the network, so he specifically took action to prevent others from accessing the network.

You can read up on those in the big Childs thread from the other day, where the same juror being interviewed posted in that thread, and divulged those details.

Re:Take some time and think

[Concern]

It was pretty simple to spot that his story doesn't make sense, actually, since it involves things that obviously don't fit with the facts that you can verify.

Here's a prior post of mine - you can judge for yourself if you think I was right to make the call.

I want to add something here. Obviously his bosses were ignorant dickwads who ran a terrible shop and made all kinds of mistakes - not least, hiring Childs. Everyone also agrees on that. Unfortunately, Terry Childs made it all beside the point. The guy was an even bigger douchebag. He single-handedly helped and protected his shitty bosses through his dumbass actions.

You know what would have been the classiest, slickest thing in the world? If he just gave up the passwords, quit, and started writing and speaking about his experiences with the city. He could have told stories, campaigned, embarrassed the administration, and gotten his ass up and working to affect positive political change, just the way citizens in America have been doing for hundreds of years. He would be my fucking hero.

When your asshole boss is shitting on you, and destroying years of your blood-sweat-and-tears work, there are so many smart ways to see him off. Childs did none of them. He doesn't deserve to be anyone's hero. He deserves to be a little noted jailhouse occupant.

Re:Take some time and think

[stdarg]

How does not defining it help the defense more than defining it in a way that vindicates the defense?

If Terry Childs really thought the only person authorized to receive the information was the mayor, and his boss had no argument against that since nowhere in their reams of paperwork was "authorized" clearly defined, that seems like a point in the defense's favor.

On the other hand, leaving it undefined means most people are going to substitute their own "reasonable" definition, which would probably consider many people (the police and the manager for instance) to be authorized.

Re:Take some time and think

[FlightTest]

He was told "you are not looking after our FiberWAN network anymore, someone else is. Hand over the keys so that your successor can do their job". He used to be properly authorised because it was his job to look after the network.

"Mr Jones, you no longer fly this space shuttle. Hand the keys over to Bob the janitor. Bob, take 'er up!".

The correct and legal thing to do in that situation is hand over the keys to the shuttle and make sure you aren't anywhere near it when Bob tries to launch. You don't own the shuttle, NASA does. It's up to THEM, not you, to decide who flies it.

You may want to go to the press and try to get them interested in NASA allowing a janitor to fly it, but refusing to hand the keys to the janitor is insubordination at least, and if those are the ONLY keys, then it's a form of theft.

Quite seriously, I would call a city-wide WAN (particularly on the scale of SF) considerably more complex than
flying the space shuttle. Even a highly competent network engineer might take months to map the whole thing out starting
with nothing but a handful of router passwords.

This statement is laughable. You either have a vastly over-inflated opinion of network management, or absolutely no clue in life what's involved in flying something like the shuttle. Shuttle commanders aren't just pulled off the street you know. They are all highly accomplished military pilots, most if not all with flight test backgrounds, for a reason.

Being told "give Bob access" and "GTFO" very much count as mutually exclusive instructions.

Not at all. People get fired all the time, and that is exactly what happens when anyone in any profession, gets canned. I'd say being told "give Bob the keys" and "strap yourself in" are far more mutually exclusive.

Re:Take some time and think

After reading the article, I stand by points I made in earlier discussions.

What we have here is a travesty and not justice. We have a juror who was given faulty jury instructions, who had relevant information withheld from them. And in the end, the decision made by the jurors amounted to what it looks like from the start - a collection of people who did not know anything about what they were looking at, scared by the prosecutors saying this is "w00h scary internets stuff", and making a faulty decision and a verdict that's a mockery of the law.

The legal system is broken.

umm...yeah...you sure you read the same article we did? Cus in the one the rest of us read, the juror is a Senior Network Engineer with a CCIE and a solid grasp of the technology.

Re:Take some time and think

[Grishnakh]

As geeks, we're naturally willing to give Hans the benefit of the doubt because we identify with him. It takes time to read the case and realize just how screwed up the guy is.

Huh? I don't know about you, but I didn't have to sit on the jury to realize the guy was probably guilty. Just a quick reading of an article that spelled out all the evidence found and other clues and factors in the case was enough for me. Obviously, I wouldn't rely on that for a conviction; I'd want to be on the jury and see all the testimony and evidence, not just what fits into a short article, but I don't feel I gave him any extra benefit of the doubt just because he's a programmer and a Linux geek like me.

Re:Take some time and think

[Jah-Wren+Ryel]

You don't go on the lam over a misunderstanding.

And he didn't. He withdrew a bunch of cash. I'd probably try to do the same thing if I thought the government was going to arrest me - which he had been threatened with. Maybe you haven't noticed, but a common enough tactic is for the government to freeze the assets of people it tries to prosecute. No cash means the best you can get is an overworked public defender. Sure they don't do it to everyone, they don't even do it in the majority of cases, but man it sure would suck for them to do it to you wouldn't it?

Re:Take some time and think

[insertwackynamehere]

Hans Reiser is just another inept murderer, the fact that happened to be good at something else is irrelevant.

no but you see he had aspergers and all the great people have aspergers anyway thats why i cant get a prom date and why its acceptable to commit murder havent u heard of einstein

Re:Take some time and think

[SleazyRidr]

Will those that defend him here find a way to bring him onboard at their organizations?

I have seen more than a few comments to this effect. Whether these were made by people with authority to act on them, or by teenagers in their mothers' basements is still an open question.

Re:Take some time and think

[alan_dershowitz]

But something tells me that

Assumption.

if he was telling the truth about this legal issue being his real concern, he would

Assumption.

...which is what I'm given to believe he did?

Assumption. By the way, is that guidelines document you linked to the one that was in effect at the time he was fired? You don't know that because you don't have the power to subpoena.

These are all extrapolations either from events that had not been established as fact at the time you made them, or are your opinions about what a reasonable person (by your definition) would have done. OP's point was that you didn't know.

Childs is not my hero, it sure looks to me like he broke the law and locked the city out of its network. But I'm satisfied saying I didn't know for sure if he was guilty before the trial concluded, while you seem to be really certain. While you are entitled to your opinions at the time as to why you believed him guilty, you don't get to hold up your opinion as some guiding light for the rest of us, because you weren't in that court room. You guessed right.

Re:Take some time and think

[Achromatic1978]

Quite seriously, I would call a city-wide WAN (particularly on the scale of SF) considerably more complex than flying the space shuttle. Even a highly competent network engineer might take months to map the whole thing out starting with nothing but a handful of router passwords.

Actually, it was even worse than that, since he'd actively set the system up so that in order to reset passwords, you had to trash the entire configuration. A configuration that only he had. So you wouldn't be re-mapping the network, you'd be rebuilding it from scratch, all the ACLs, routing tables, access, etc.

On the devices he couldn't do that on, he'd set them up so they didn't store any config, that they lost config on power loss, and that you had to dial back in by modem to reload config, and you could only do that from his personal laptop.

This doesn't even begin to factor in the system log server, stored in a black metal box with two holes drilled in it, for ethernet and power, and padlocked, twice. Padlocks purchased by Childs personally, and which no-one else in the city had a key for.

This guy was out of control, and saw things as his. He thought he could get away with it because of this. The whole "only the mayor" was blown up by many on Slashdot, as an offer made by him, AFTER arrest.

Here's a question, when he started on the job, did the mayor personally give him the admin passwords? No, well, either the person who did was unauthorized, or guess what, that whole line was specious and facile.

Re:Take some time and think

[FrangoAssado]

If Terry Childs really thought the only person authorized to receive the information was the mayor

Did you even read the interview? During normal work (before all the confusion), he was asked to create some user accounts. He did it and send an email with the created usernames/passwords to his boss and a copy to his boss's boss.

So, no, he didn't really think the only person authorized to receive access information was the mayor. That's just the excuse he used later for not wanting yo give up control of the system.

Re:Take some time and think

[PCM2]

Childs worked on his own definition of authorized as that was never given to him either. Did he fail to give the passwords to the person he felt was authorized? I thought the Mayor got the passwords in the end, so how did he not deliver them to an authorized person?

This just sounds like the usual geek interpretation of legal matters that you see on Slashdot all the time. You now the type of thing: "The law says 'you shall not do this.' But if I let my brother do half of it and I do the other half, neither of us did the whole thing, so obviously we're both scot free!" It just doesn't work that way. Wherever a question of law is present, it's decided by either a judge or a jury, and in both cases the standard usually boils down to how a reasonable person would interpret the law. Everyone's heard these kinds of terms before: "acting in good faith," "reasonable expectation," etc. In my opinion Child just simply wasn't acting like a reasonable person. He fails the sniff test.

Re:Take some time and think

[Skyshadow]

It's not just his 'Holier than Thou' attitude that'd worry me as a potential employer, it's that he pretty clearly was also a terrible admin.

Who the heck sets up a mission-critical system (in this case, quite literally given the city services it fed) and then proceeds to set themselves up as a single point of failure? That's not just being slightly paranoid, that's being either grossly incompetent (not thinking of the downside) or wildly unethical (using it to ensure lifetime employment).

Re:Take some time and think

[Archangel+Michael]

I've actually done something like what you're suggesting that we don't do, that is competing with higher ups.

In my case the higher up was trying to write me up (preface to firing). My boss was trying to nitpick a "rule" about "Unauthorized network connections with unknown hosts" (I was using Bittorrent to download a Linux ISO), saying that I violated the rule/policy.

I looked at him squarely in the eye, and asked him if he was sure that any "unauthorized network connection with unknown hosts" was a violation of this rule. He stated that it was. I asked again, ARE YOU SURE. He responded that he was.

I then informed him that I would be bringing charges against him and everyone else in the district who used a web browser, and the whole IT dept for running webservers, as every connection to any server that wasn't authorized was a violation of the literal letter of the policy, exactly as he was trying to enforce with me.

His ashen face was classic. That was the end of that.

Re:Take some time and think

[sbeckstead]

Except that they can not freeze assets that you use to defend yourself.

Re:Take some time and think

[_Sprocket_]

That said, when your manager asks you for access to a system, you give it to them -- you can write for the record that you're doing so under protest and list the reasons, but you do it.

It bugs me that so many seem to be thinking this is the lesson to get out of all this. The lesson SHOULD be to ensure that you understand the policies that apply to situations like privileged access. And in the lack of a set policy, get someone to give you guidance in writing. Then follow that closely.

In simple environments, your manager is probably going to be on the short list of people that should have access. But that's not always the case. I've been in environments where my level of access was shared by some co-workers but it took climbing a couple levels of management before you'd find someone with the same authorization. And I've also had to insist on policy while dealing with politics and egos. This wasn't about me serving my ego or protecting my job (per se) - it was about me being very aware of my requirements to follow policy and how those policies worked.

Military lore has lots of examples. One story has a base commander visiting an ammo facility on a rainy day. He shows up early without his escort and the sky opens up. He dashes to the nearest shelter - an ammo bunker with a young airman on the other side of the security door. The airman checks the access list and, sure enough, the General isn't on it. The usual "do you know who I am" and "yes sir, but you are not authorized" conversation ensues until an aghast shop chief comes running up to the scene. The shop chief is on the list, rushes the VIP in to the shelter, and proceeds to chew out the young airman. The Base Commander interrupts, notes that procedure was properly followed, and praises the nervous troop on his proper conduct.

Of course, things don't always work out that way. Even when you have proper policies to follow. But if the legal paperwork starts to fly, you best find yourself on the right side of any policy that exists (and fight to make sure it does).

Re:Take some time and think

[zn0k]

>>> If you look for BengalsUF's other posts in that thread you can see that he is the juror interviewed in the article this thread is about.

Preview, preview, preview. It took out the below link:

http://yro.slashdot.org/comments.pl?sid=1633482&cid=32016846

Re:Take some time and think

[Dun+Malg]

Driving bans for professional drivers anyone?

They can't ban you from driving, they can only revoke your license. You can drive all you like on private property. My boss' brother, a truck driver, lost his license for a DUI and now drives a truck for a shipping company: moving trailers around on private property at their distribution hub.

Exclusion from politics

That's simply part of being convicted of a felony, not part of a judge's sentence.

or being a company director (and that's just for certain civil offences)?

As part of a civil judgement? Never heard of that happening. Citation?

Publicans can lose their licences.

Licensed businesses are the only case that even approaches this, and nothing actually bars one from being a bartender or managing a pub under someone else's license.

It doesn't even have to be the government that does it.

If it's not the government, then it's not a judge sentencing, so the point is moot.

Doctors, dentists, lawyers, veterinarians, there are umpteen professions you can get banned from.

A judge still can't have a lawyer disbarred as a random punishment unrelated to the terms of licensure. Ditto the others.

Why should IT be any different?

Maybe it should, but until there's a professional organization that sets standards and the various states require membership in that organization in order to work in that field, under penalty of law, then it is different.

Re:Take some time and think

[phantomfive]

But you wouldn't drive to another state to withdraw a bunch of cash. Or, if you are the kind of person who would, don't. :)

Re:Take some time and think

[BitZtream]

Why? Whats your plan? To run? Please explain how acting out of the ordinary is the right thing to do when you think the police may be involved.

Also please explain what rational reason you have for withdrawing money if you expect to go to deal with the police? The first thing they do when you get there is take your money away from you and put it in a secure location until you get released or transferred.

Re:Take some time and think

[CAIMLAS]

Who the heck sets up a mission-critical system (in this case, quite literally given the city services it fed) and then proceeds to set themselves up as a single point of failure?

You wouldn't happen to know my position's predecessor, would you?

I suspect it's pretty common amongst "genius" administrators who are given free reign over a system. They consider themselves superior and everyone else unable to deal with their awesomeness, regardless of actual ability - so lump their trust of said person right up there with the front desk clerk who has to have his computer wiped weekly due to malware.

Interesting, a competent jury

[Omnifarious]

They clearly understood the issues and had a very fine judgement call to make. I don't necessarily agree with it, but I no longer feel they were idiots who made a clearly bad call.

I hope they recommended the lightest possible sentence when giving their verdict. They can't determine the sentence, but I think they can give the judge advice.

Re:Interesting, a competent jury

[badboy_tw2002]

Not really. I've served on a couple (in San Francisco even) and they pretty much just dismiss you and send you on your way right after the verdict. You can come back for sentencing if you want, but after weeks/months in the courtroom thats pretty much the last thing you want to do.

I guess you could put a note in there or something, but most of the time unless you read up on the statutes in question you don't know how much jail time he's facing or whatnot. And personally, I think to be completely objective its probably better not to know. Your job is to apply the law and answer the question if beyond reasonable doubt did the defendant break the law. That's it. You have to do it objectively and I think knowing that you're personally responsible for sending some guy to jail for 20 years might make some people "iffy" on returning a guilty verdict. Its pretty black and white - there's no "guilty, but only by a little bit". Obviously there are some cases (death penalty, civil suits) where the jury does make the decision on the outcome after the "who won" phase, but for something like this its up to the judge.

I would certainly hope that they give him time served considering he's been in jail a couple of years already. Having read a bunch on this and followed the story my opinion is that he's guilty, but honestly he should have just been fired and fined. Its not like he was trying to defraud the city or personally gain from this or from what I can tell had any malicious intent beyond "these guys are idiots". I wouldn't hire him, but in the grand scheme of things it sounds like he's just a jerk who could still be a productive member of society.

Re:Interesting, a competent jury

[Omnifarious]

You have to do it objectively and I think knowing that you're personally responsible for sending some guy to jail for 20 years might make some people "iffy" on returning a guilty verdict.

I disagree. I think a big part of the jury's job is justice, not necessarily just determining guilt or innocence. There needs to be a better brake on politicians for requiring ever increasing and ridiculous punishments for a crime, and one big brake would be a jury refusing to convict because the sentence is too severe.

Re:Interesting, a competent jury

[dwinks616]

That's what "Jury Nullification" is for. http://en.wikipedia.org/wiki/Jury_nullification

Re:Interesting, a competent jury

[Hatta]

I still don't buy his reasoning.

Eventually we looked at it and we saw that in late June his manager had requested certain accounts to be created that would have access to certain routers and switches. And he did create those accounts, and he sent that back in an email with the user IDs and passwords, to which Richard Robinson was also copied. If his big concern was that Richard Robinson was not authorized to be a user, why -- just a week before -- did he copy him on an email that has user IDs and passwords?

Because Richard Robinson was authorized to access certain routers and switches, he must then be authorized to access every router? Clearly wrong.

If he would have simply said, "I will create you an account and you can go in and you can remove my access if you want." If he had created access for someone else, I think that would have resolved it.

Was he asked to do this? Did he refuse? Given the nature of the confrontation, would anyone even have let him log in to create such an account?

If he had not decided to leave and go to Nevada a few days later and withdraw US$10,000 in cash, [Childs did this the day before his arrest, while under police surveillance] I think the police may have let it continue on as an employment issue and not a criminal matter.

So now someone who takes a vacation after losing his job is in danger of a felony conviction? That's bullshit.

Maybe there are good answers to these questions. But they're not in the article. What is in the article is not enough to convince me that this juror is competent.

If it was so hard for the jury to decide who an authorized user is, wouldn't Terry Childs have the same problem deciding who an authorized user is? That right there is more than enough to establish reasonable doubt.

Re:Interesting, a competent jury

[hazem]

That's call Jury Nullification. It's often legal, but defense lawyers are typically not allowed to mention it as an option.

Don't even try that.

[khasim]

I think this is a good moment for all of us to reflect on how rallying around this lying criminal stained our profession, and how we should practice the same objectivity with ourselves and those "in the downtrodden world of IT" that we expect in others.

How many charges were initially filed against him? How many charges was he found guilty of?

Note the discrepancy in those numbers.

At least now the facts are out and we can determine for ourselves whether the law was applied correctly (and if so, whether the law itself is at fault).

Re:Don't even try that.

[Humus+B.+Chittenbee]

@khasim - I am only a dabbler in the computer field but have well over 30 years in the legal arena. In criminal cases, often the prosecutor will present several charges regarding a single offense. For example - in what most would consider a straight forward burglary case, they may charge: burglary [for that is what crime occurred]; trespass [a lesser included crime]; vandalism/criminal mischief [lesser included for the damage to the window to get into the house]; and theft [lesser included crime.] All charges are 'tried' at the same time. So a jury that might not find for the burglary, may find for some/all the lesser included charges. Prosecutors also do it in the hopes of having some bargaining power when it comes to reaching a plea deal [i.e. - drop whatever charge[s] with a plea of guilty to 'X' charge] - which saves time and money for the courts. So the fact that he was not found guilty of ALL the charges is nearly irrelevant.

Re:Don't even try that.

[Rene+S.+Hollan]

I never liked the idea of a plea bargain.

I negotiated a plea bargain for disorderly conduct in order to close the case on a pending charge of felony assault. Not because I feared having to defend against what I was arrested for, but because the prosecution appeared to not formally charge me for lack of a strong enough case. (At my arraignment, I formally identified myself, expecting the prosecution to present their charges, and the attorney left!) The case could have been left open for up to five years, and I'm in circumstances where an open case was far worse than a disorderly conduct conviction.

The problem here is that, after an arrest and finding of probable cause, the prosecution can take an inordinate amount of time to actually charge you. Sure, you can post bail, and be free, but the accusation can hang over your head for years before trial, if charges are ever pressed. Because they can be pressed on short notice, your circumstances are very much in limbo.

Far better would be if the accused could force the issue of trial without having to sit in jail: if incarcerated, one has a right to a speedy trial -- within 60 days in WA. But, if one posts bail, trial has to take place within 90 days of formal charges being laid. and those can be "sat on" for years (as defined by the state's statute of limitations, if any). Further, the court can order release one one not formally charged, and the same "sitting on" can occur.

Of course, the prosecution gets "one shot" to press formal charges, because of the prohibition against double jeopardy, so if they think their case is weak, they can sit on it. I say that is wrong.

From a finding of probable cause to a trial on the evidence should be a swift process. This would prevent arrests on the flimsiest evidence. After all, there is nothing stopping law enforcement to get necessary warrants to gather the evidence they need over a period of time.

Re:Don't even try that.

[Rene+S.+Hollan]

I am in the process of seeking custody of my kids, and possible pending criminal charges would have hurt my changes MUCH MORE than a disorderly conduct conviction, though both are not good: innocent until proven guilty means squat in a civil (custody) case. It was a strategic decision based on advice by counsel.

I was out of jail on bail, and because of that they were not charging me. But, they were not willing to dismiss the charges.

Hell yes, if it weren't for my kids, I'd be all "bring it on!" And, while you're at it, you can feed, clothe, and house me at your expense. I'll sit out the 60 days waiting for trial.

What DID piss me off was that the public defender had stipulated to probable cause despite the fact that I had hired my own attorney (who was two minutes late to my probable cause hearing). I was tempted to assert self-representation, if only to motion for a continuance until my attorney appeared, but as about 30 of us were present for an "en masse" probable cause hearing, the judge told us to "shut up." When my attorney did show up, we did get a continuance to set bail since my address was not verified, which would mean a very high bail. We got it, but as it was Friday, I would end up spending the weekend in jail. Bail hearing was continued to Monday, at 13:00, set at 13:01, and posted at 13:02. I was released at 19:00. About 5 minutes after the continence was granted, my address verification came in, but it was too late: I'd have to wait until Monday.

What's telling was my sentence. Usually, with no priors, on a non-violent offense and a guilty plea, the judge sets a modest fine, a sentence with credit for time served, and the rest suspended (i.e. keep out of trouble for two years). In my case, the entire sentence was suspended. Apparently, that's "code" for "hint, hint, nudge, nudge: he pled guilty only to close the case faster".

Was I actually guilty of disorderly conduct? I think so. Without going into details, in WA, one is guilty of disorderly conduct if one acts in a manner that might cause someone to assault them. In my case, I was preventing my son, who was having a tantrum, from running into a highway, by restraining him with minimal force. Someone might think I was kidnapping him and try to intervene. His mother alleged a prior injury was caused by my restraint, and I was arrested for felony assault.

Re:So

Exactly. Even if he broke the letter of the law, I think the real story here and why it has developed so much interest is because of the penalties that can be applied and the selective enforcement of laws.

How many of us can say we've never been in a similar situation, or one that could be brute forced through court even if we were "right". Honestly, this could be any admin. Someone famous once said something about throwing stones.

no job is worth jail time

[jimmyfrank]

Seriously, I have, against my recommendations, incompetent managers telling me to stupid things all the time. All that can be done is voicing my opinion on why it's "stupid." Often those bad decisions come back to haunt, I like to call it, "feeling the pain." But I'd personally never risk getting in that sort of trouble for a silly job.

Here is the key, I think

[phantomfive]

Two points brought up in the interview really stand out to me, first this one:

If he had not decided to leave and go to Nevada a few days later and withdraw US$10,000 in cash, [Childs did this the day before his arrest, while under police surveillance] I think the police may have let it continue on as an employment issue and not a criminal matter.

I can understand the police thinking, "wow, he's locked down the network, and now trying to run away. What is going to do to the network once he gets to Mexico?" Secondly, this:

Eventually we looked at it and we saw that in late June his manager had requested certain accounts to be created that would have access to certain routers and switches. And he did create those accounts, and he sent that back in an email with the user IDs and passwords, to which Richard Robinson was also copied. If his big concern was that Richard Robinson was not authorized to be a user, why -- just a week before -- did he copy him on an email that has user IDs and passwords?

So there is evidence to say it was about control of the network, and not about security policy (there's more if you read the article).

Still, it's really hard for me to say anything he did deserves jail time. Getting fired, yes, he should have been, but jail time? That seems a bit much. Someone once said, "If you skate close to the edge of the ice, you're likely to fall in," and I guess that's what Terry did here, and he got burned.

Re:Here is the key, I think

[sribe]

"If you skate close to the edge of the ice, you're likely to fall in," and I guess that's what Terry did here, and he got burned."

You should get a +5 funny just for the mixed metaphor ;-)

Habeas Corpus

[Locke2005]

The real question should be "Who, if anyone, was harmed by Terry Childs's actions?" The next question should be "Does that harm really justify taking away several years of his life?" Look, I'm the first to admit that Childs was being a dick. But so were his managers, and the punishment is way out of proportion to the crime. $5 million bail?!? WTF!

Re:Habeas Corpus

[CraftyJack]

The real question should be "Who, if anyone, was harmed by...

That can be a really tricky question for an awful lot of illegal activities, which is why the question posed to the jury is: "Was this rule broken?" Whether or not that merits jail time is a function of the legislators and the judge.

Re:Habeas Corpus

[91degrees]

There was potential harm. Something could have happened and nobody would have been able to fix it.

Since it was only potential harm, I don't think this does deserve a prison sentence, and I hope he doesn't suffer too great a punishment. I'd even like to see him get another job. That's partly out of sympathy for him, but he has useful skills and in an environment where they're simply more used to this personality type (most tech companies should be able to work with him), he should be a beneficial employee.

Re:Habeas Corpus

[phantomfive]

The bail was set high because he was seen as a flight risk. They arrested him after he went off to Nevada and withdrew $10,000 from the bank. They were worried he would try to escape or something if they let him out. It is fairly common, I believe.

Re:Habeas Corpus

[david_thornley]

If I fire a few shots in your direction, and hit nothing, should I be convicted? Who, in that case, was harmed? If I drive around drunk at twice the speed limit and hit nobody, should I be liable?

It's reasonable to consider potential harm in these cases. In this case, the city was unable to get anybody to administer its network. As it happened, the network ran satisfactorily until the Mayor got the passwords, so there was no actual harm done. It was entirely possible that something could have happened that would require an administrator with access. If Childs had successfully left the state and become unavailable, and he was apparently planning to bug out, something would have happened eventually that would have required administration, and anybody the city hired would still be locked out.

I'm not arguing that his managers were well-meaning or competent, or the same for the prosecutors, but that isn't the issue. I'm not arguing that Childs should have done this or that specific thing. I am arguing that what he did endangered city services, and what he was planning to do was far worse.

If you have objections to making holding a computer system hostage for unnamed ransom a crime, I suggest you write to your legislator. Don't expect me to back you up.

Re:Habeas Corpus

[dkf]

In all the cases you cite, there is clear intent to harm. The intention to harm is not so clear in the Terry Childs case.

It was clear enough that a jury convicted him, i.e., they found that it was a fact that there was malicious intent (or at least aggressive indifference to consequences). That's the core of what a conviction means. What's more, one of the jurors has taken the time to explain why Childs was convicted, which is a rare privilege for the rest of us.

The take home message has got to be "don't be a douche, even when the other guys are douches".

Re:Try what?

[Loser4Now]

http://online.wsj.com/article/SB10001424052748704471504574438900830760842.html

You're a criminal too. You just haven't been charged yet.

So have that juror explain to us

[unity100]

What the punishment should be, for that VERY bosses who were authorized to have those passwords, after they have disclosed LIVE usernames and passwords to the system as evidence in a PUBLIC court, therefore causing a disruption of 2-3 days in the city services in the ensuing chaos, and potentially paving the way for an untold number of hacking incidents that may or may not have taken place ?

it is probable that terry childs knew his bosses were STUPID enough to be capable of doing things of this, well, stupidity.

so, he should have just willy nillily disclose the passwords to the stupid management, and just get the responsibility off him, whereas endangering the private information of city services and maybe millions of citizens in the process ?

a similar example comes to mind, maybe if a bit exaggerated :

you are the commanding officer of a nuclear silo. you get orders from your boss to initiate a launch, ending lives of hundreds of millions, and potentially ending the world. your boss is an idiot of the first order and screws up regularly. but, the order is compliant with the procedure.

what do you do ? do you kill the stupid jurors who would find you guilty in case you refused ? or would you save their lives ?

i would like the juror to explain.

Re:So have that juror explain to us

[evan1l38]

I think it's more like you're the commanding officer of a silo who gets replaced, locks everything down and refuses to let your successor into the silo. Your successor would like to come in, perform maintenance, and prevent the thing from degrading and exploding, and you refuse to let them in.

As for competence ... well, Childs gave different passwords to these same managers the week before when he wasn't getting fired, so he clearly didn't have THAT many reservations about handing them over. The juror actually referred to that quite specifically if you read the article, saying that was what convinced him that Childs was not really worried about password security but about causing problems (my words there, not the jurors.)

And honestly ... if I worked for you, and locked you out of your own network, locked down all the machines and walked out saying you weren't competent enough to have the passwords ... would you really defend me and be pleased no one could access your network hardware? If you hired a replacement for me that you liked, and I refused to give HIM the passwords saying he wasn't competent either, how happy would you be that I was protecting you by preventing you from accessing your own hardware? And when I started withdrawing money and getting ready to flee to Mexico ... you'd still be defending me?

Passive Denial of Service is a Bad Precedent

[Jah-Wren+Ryel]

From this guy's discussion it sure sounds like the jury convicted Childs for literally doing nothing - as in not revealing the password when asked.
That seems completely out of line with the reason for "denial of service" laws in the first place - unauthorized access leading to various sorts of downtime.

Childs clearly had authorized access up until the point in which they decided to "transfer" him and it doesn't sound like he tried to access the systems afterwards.
He may have been an ego-maniacal dick about how he managed the systems when he was authorized, but being a dick is not a criminal offense.

I think a doctrine of calling inaction after authorized actions denial of service is the kind of thing that is so overbroad it could lead to all kinds of unfairness - a maintenance guy sees a leaky roof in a server room, gets transferred to another building and doesn't tell anyone about it and a week later the computers in that room get flooded, is he now criminally responsible for that denial of service?

Re:Passive Denial of Service is a Bad Precedent

[StormReaver]

I think a doctrine of calling inaction after authorized actions denial of service is the kind of thing that is so overbroad it could lead to all kinds of unfairness - a maintenance guy sees a leaky roof in a server room, gets transferred to another building and doesn't tell anyone about it and a week later the computers in that room get flooded, is he now criminally responsible for that denial of service?

More accurately, a maintenance guy knows the server room roof leaks a lot and can potentially cause tremendous harm to the highly expensive contents of the room. All the roofing tools and materials are in an impenetrable locked room, and he is the only one with the keys. He knows he is going to be reassigned, is ordered by his boss to hand over the keys, and refuses. That is a denial of (roofing) service attack, and should rightfully be punishable under the law.

If the roof subsequently leaks and destroys the equipment, then he should be held liable since he is actively preventing the roof from being serviced. That is the situation that the city faced with Terry Childs, and the city acted responsibly.

Re:Passive Denial of Service is a Bad Precedent

[brillow]

I see this as more of a property issue than anything, though I know that legal tack hasn't been taking with this case. The way I see it, the passwords or the more abstract concept of "access" is property of the organization. The network is property of the organization. By not returning the passwords or access under termination, he stole company property. Its like if you have a company car and get reassigned and don't turn in the keys. You've then stolen the keys, and prevented use of the car. Not doing something is just as active a thing as doing something when its done purposefully with the intent of blocking something. If he didn't do something because it was outside his responsibility and didn't see how it could cause much harm is one thing, but seeing a situation, and taking purposeful inaction with the purpose of preventing something else is in that case an action. Its perfectly criminal in many cases to NOT do something.

Re:Passive Denial of Service is a Bad Precedent

[jeff4747]

From this guy's discussion it sure sounds like the jury convicted Childs for literally doing nothing - as in not revealing the password when asked.

Not revealing the password is doing something.

Re:Passive Denial of Service is a Bad Precedent

[Skyshadow]

> He may have been an ego-maniacal dick about how he managed the systems when
> he was authorized, but being a dick is not a criminal offense.

He can be a dick all he wants, you're right. Refusing access to an authorized user, as it turns out, actually *is* a criminal offense.

I'll even go a step further and say it's a good law to have. Electronic infrastructure is important and needs to be safeguarded -- you simply cannot have situations like this where some admin decides that he can hold a company or (in this case) government hostage to his whim by locking them out of their important systems, systems that are (at the end of the day) property of the entity that owns them, not the individual hired to set them up or maintain them. It doesn't matter if that person denies access actively (suspending all the other admins, for example) or passively, as in this case -- it's the same effect.

How could you possibly reply on computers for anything otherwise?

Re:Took some time to think.

Because it's common practice in IT for this to happen. The underling needs the information to do his job, his boss doesn't. You don't spread sensitive information around simply because you can. Especially since his boss, as chiefly a manager, may not have the training to properly handle all the information.

I have to agree with that.

[khasim]

"Denial of service". Words that the average person believes s/he understands. So s/he must understand the implications of that phrase, right?

No.

Which makes it even worse that the CCIE didn't correct the jury about.

A DoS means that a service your system is offering is being denied. It is NOT about humans providing services.

Re:And what if he wins the appeal?

[Concern]

Why not? He is guilty. He has stained our profession, and these unseemly and ridiculous attempts to defend and justify criminal behavior by resorting to the kinds of pathetic errors of logic that we normally scoff at others for making do even worse.

By your own logic, we can never call anyone a criminal, since merely being convicted is not enough. Hardly anyone is beyond an appeal or reversal in judgement.

You're also leaving aside how damning the evidence really is against him. Which is really astounding to me. I highly doubt he will be getting out of this.

Re:Took some time to think.

[lambent]

the boss of a forklift driver may not necessarily be licensed or authorized to drive said forklift. in a case like that, where someone can cause significant damage by not being properly trained in how to use a resource, access should definitely be denied.

Re:Took some time to think.

[fluffy99]

To take that analogy a step further. If the boss fires the forklift guy, he expects to get the keys to the forklift back.

Re:Who's egotistical?

[SuiteSisterMary]

He's not being egotistical, he's pointing out that he's got the chops to be talking about this from several different angles. Or do you think that a doctor, called in to provide testimony about a medical matter, is egotistical to list his various suffixes?

When I was reading his initial accounts, my thinking went something like 'Who is this guy to be...oh, he's a CCIE. At least he's not talking out of his ass.'

Re:And what if he wins the appeal?

[fatalwall]

Stained our profession? Really? Have you not met the average Admin? Its rare one you find one whos not a complete prick. He did nothing I woudlnt expect out of more then half the admins ive worked with other the years.

Very little you can do to actually hurt the profession

Re:And what if he wins the appeal?

Bzzt. Sorry. Please play again.

He was convicted of a crime by a jury of his peers. That makes him a criminal. He will be sentenced as a criminal, and immediately take his part in the criminal justice system.

The vanishingly small possibility of a reversal on appeal does not make him a non-criminal today. Maybe in your world OJ or Scott Peterson will win on appeal, so they are non-criminals. Good luck with that.

Everyone managed to lose

[MECC]

What bothers me most about this isn't that childs was found guilty, but what he was found guilty of. Yeah he's guilty of not handing over passwords when asked. Yeah he's guilty of manuvering to avoid giving control of the network at every turn, when clearly he was being asked to do so.

I mean, really if his supervisors crashed the network, I would think that once he gives them passwords they become directly responsible for damages. Particularly since cisco routers and switches can be set up log log admin activity, in come cases command by command, to a remote syslog server, so if something did go wrong, the guilty userid can be determined with no question. So yeah, Childs is guilty. But of a DOS? By stretching the definition of what a DOS is, the instructions from the judge and the ruling here places anyone in charge of anything that could be thought of as a computer service of any kind at considerably more risk, and unnecessarily so. This outcome provides no useful legal precedent due to its stretch of definitions.

Re:Everyone managed to lose

[Todd+Knarr]

IIRC the reason the city had to shut down their VPN and reissue passwords was that the city had dumped the entire list of usernames and passwords into the public-available court record as part of one of their filings. Childs had nothing to do with that, and had the city not revealed all those passwords to the world they'd've had no need to disrupt their VPN at all.

Re:Power & Control

[blair1q]

Little petty tyrant wannabe. ...and the /.'ers who wannabe him...

I still support Childs

[Rene+S.+Hollan]

I think there is "reasonable doubt" in Juror #4's mind, and a bit of confusion.

He concludes that because Childs provided some access information to a particular person, that made that person an "authorized user", and his subsequent refusal to provide more information evidence of his guilt in not providing access to an authorized user.

But, the question becomes, authorized to do what?

I have root access on a number of machines where I work, on a "need to have" basis. I certainly do not have root access to every machine. Neither do I want it, as a matter of potential liability if something goes wrong.

I think Juror #4 missed this point, based on TFA.

As to Child's odd behavior, I'd attribute it more to paranoia than malice: if I though I was getting fired for doing my job, and feared my bank accounts might be frozen (paranoia), I'd likely want to be a bit flush with cash too.

I maintain that his behavior is subject to "reasonable doubt" as to intent. If he acted in a manner to render difficult or impossible his providing of access credentials regardless of demonstration of authorization, I'd side with the prosecution. But, instead, he DID provide such credentials to someone he viewed as authorized who then had the means to provide them to others.

If this were a civil dispute, this "preponderance of the evidence" would be enough to result in a decision against him. but I don't think it meets the "beyond a reasonable doubt" requirement.

He was railroaded because he exposed incompetence.

Re:I still support Childs

[eulernet]

if I though I was getting fired for doing my job, and feared my bank accounts might be frozen (paranoia), I'd likely want to be a bit flush with cash too.

Wow, do you really need over $10,000 for your daily expenses ?
If this is the case, could you lend me some money, pretty please ?

He was railroaded because he exposed incompetence.

From where comes this weird conclusion ?

He blocked all access to their network, and used what I call 'noble motives'. This is a manipulation trick we all use when we want to look good, even though we did wrong things.
Using the excuse that everybody is incompetent (see, they don't even have access, so they are incompetent), he locked everybody away, and all his actions show that he wanted to use his access as a ransom. He seemed also to consider that he was the owner of the network.

I know several guys like him, and I can assure you that they are sociopaths.
It's very difficult to work with them, since they place traps everywhere to prevent you from working.
They tend to degrade you, and show themselves as the only competent ones, because only they can do this particular job.
Frankly, if you do your job correctly, you should be easily replaced, but your real value resides in your human traits.

If Childs had been a little bit honest, I doubt he would be in his current situation.

Although the punition is tough, I hope he'll accept the lesson and change for the better.

Re:Try what?

[PenguiN42]

Interesting that the two examples given in that article were cases where the defendant was eventually found NOT GUILTY.

Re:Try what?

[StikyPad]

And yet society still performs remarkably well, with very few people being convicted of crimes without intent. Even the examples in the book you reference are incredibly poor. E.g., the article makes it sound like one Mr. Councilman was innocently routing mail, and was charged merely because his server made copies incidental to that function. In reality, he was siphoning certain e-mails to use them for personal financial gain. It was not an "unknowing crime," it was a malicious act that was eventually (and erroneously, I believe) decided NOT to be a violation of federal wiretap laws:

"Councilman directed Interloc employees to intercept and copy all incoming communications to subscriber dealers from Amazon.com, an Internet retailer that sells books and other products. Interloc's systems administrator modified the server's procmail recipe so that, before delivering any message from Amazon.com to the recipient's mailbox, procmail would copy the message and place the copy in a separate mailbox that Councilman could access. Thus, procmail would intercept and copy all incoming messages from Amazon.com before they were delivered to the recipient's mailbox, and therefore, before the intended recipient could read the message. This diversion intercepted thousands of messages, and Councilman and other Interloc employees routinely read the e-mail messages sent to Interloc subscribers in the hope of gaining a commercial advantage."

According to the jury, the defendant in this case had clear intent to block access for malicious purposes. I trust their insights over anyone else on Slashdot, because they *saw* the evidence, they *heard* the testimony, and they acted accordingly. Yes, this was an unfortunate incident that could have been handled without the courts, but the party on trial was not without fault. When you play with fire...

Re:Who's egotistical?

[JakiChan]

You must not have met that many CCIEs, then. The ones who don't bother to mention it are the ones with clue.

The jurors were misinformed of the law = mistrial

[junglebeast]

Jason Chilton's explanation of being told that he needed to determine the verdict based on letter-of-the-law interpretation is false.

Jury nullification is the right of a juror to disagree with the constitutionality of the law, and apparently Chilton was deceived into thinking he did not have this right.

Therefore, I think this is a mistrial.

http://en.wikipedia.org/wiki/Jury_nullification

Mention the right of a jury to "veto." If actually selected to be on a jury, you are likely to be asked to swear to find a verdict solely on the basis of the facts presented in court. Decline to swear this on the grounds that the jury has a right to find a verdict as they see fit. This right is called "jury nullification." In short, it allows a jury to return a verdict of "innocent" when the accused is clearly guilty, because the jury disagrees with the law that was broken. You probably want to read up on this before your jury duty. This is a right held by the juror and affirmed by the Supreme Court, but one that both prosecutors and judges usually deeply loathe, if they even acknowledge its existence. You will almost certainly be excused from the jury for holding unacceptable views, but if not, you will be better prepared for the experience from your research.

        * Judges who says to jurors that, "you will be required to follow and apply this law regardless of whether it seems just or not", might be asked if they would exercise this rule against Harriet Tubman (1820-1913), who violated the federal Fugitive Slave Laws by participating in the Underground Railroad for escaped slaves, or against Rosa Parks (b.1913), who was arrested in 1955 for violating the segregation laws in Montgomery, Alabama, by refusing to move to the back of the bus when the bus driver told her to give up her seat to a white passenger. If a judge bites the bullet and says that, yes, he would have to instruct juries to convict these women because the law is the law, he might be told that such blind obedience was not accepted as a defense during the War Crimes Tribunal at Nuremberg, when many Nazis claimed that they were just "following orders." A judge who participates in injustices because he is "following orders" might be similarly called to account.
        * The late Justice William C. Goodloe (1919-1997) of the Washington State Supreme Court, an advocate of jury nullification, suggested that the following instruction be given by judges to all juries in criminal cases: "You are instructed that this being a criminal case you are the exclusive judges of the evidence, the credibility of the witnesses and the weight to be given to their testimony, and you have a right also to determine the law in the case. The court does not intend to express any opinion concerning the weight of the evidence, but it is the duty of the court to advise you as to the law, and it is your duty to consider the instructions of the court; yet in your decision upon the merits of the case you have a right to determine for yourselves the law as well as the facts by which your verdict shall be governed."

Re:Another attempt.

[Concern]

No.

Your line of argument is ridiculous.

In the English language in the US of A, when someone loses in criminal court, and is declared guilty by a jury, we consider that person to be a criminal. We sentence them. We declare justice to have been served. The system does not need to work perfectly, nor do convictions need to be permanent, for this to be how our language, and our society, works.

I can't believe I'm actually explaining this.

Will it make you happy if, in the utterly ludicrous case that new facts come to light and he is later exonerated, I promise to come back here and to apologize and admit my mistake? Because I actually would.

Until that time, what I've said stands quite well.

You're confusing the issue

[Skyshadow]

The whole "taking out $10k and planning to leave the state" thing got Childs arrested, but that's not why he was tried. He was tried and convicted for refusing to provide access to the computer system to people whom he was legally required to do so. At the end of the day, it really doesn't matter what his "views" were about who deserved access, there was a management chain and he choose to ignore it. It wasn't his call to make.

I can't imagine how you get "railroaded" out of that. The jury clearly did their bit here, examining the law as written and finding that Childs violated it. That's exactly what juries are supposed to do.

Now, we can talk about the severity of the punishment, but that's hardly unique to this case.

Re:So

[thePowerOfGrayskull]

How many of us can say we've never been in a similar situation, or one that could be brute forced through court even if we were "right". Honestly, this could be any admin. Someone famous once said something about throwing stones.

Holy carp, really? As a sometime-admin myself, and as someone who works with admins regularly -- I can't think of any one of them who would have pulled this. It would cost the job at minimum -- and if it actually impacted the business significantly, you can bet civil and/or criminal prosecution would follow depending on the type and extent of the damages.

It disturbs me to realize that not only are there folks who think the behavior was justifiable, but also that it's somehow commonplace in IT. Even more disturbing to think that if there's one of you, there are more...

Re:The jurors were misinformed of the law = mistri

[BBTaeKwonDo]

Mistrial? Would you mind reading the Wikipedia link, especially this part:

The 1895 decision in Sparf v. U.S. written by Justice John Marshall Harlan held that a trial judge has no responsibility to inform the jury of the right to nullify laws. It was a 5-4 decision. This decision, often cited, has led to a common practice by United States judges to penalize anyone who attempts to present legal argument to jurors and to declare a mistrial if such argument has been presented to them. In some states, jurors are likely to be struck from the panel during voir dire if they will not agree to accept as correct the rulings and instructions of the law as provided by the judge.
Recent court rulings have contributed to the prevention of jury nullification. A 1969 Fourth Circuit decision, U.S. v. Moylan, affirmed the right of jury nullification, but also upheld the power of the court to refuse to permit an instruction to the jury to this effect. In 1972, in United States v. Dougherty, 473 F.2d 1113, the United States Court of Appeals for the District of Columbia Circuit issued a ruling similar to Moylan that affirmed the de facto power of a jury to nullify the law but upheld the denial of the defense's chance to instruct the jury about the power to nullify. In 1988, the Sixth Circuit upheld a jury instruction that "There is no such thing as valid jury nullification." In 1997, the Second Circuit ruled that jurors can be removed if there is evidence that they intend to nullify the law, under Federal Rules of Criminal Procedure 23(b). The Supreme Court has not recently confronted the issue of jury nullification.

So there might have been a mistrial if the jurors had been told about nullification, but there certainly wouldn't be a mistrial if the jurors were not told about nullification.

Jury nullification is a power that juries have, but that doesn't mean they have to be told about it.

Re:Try what?

[Sabriel]

Also interesting is that the two cases took six and five years respectively to resolve. Despite the "not guilty" at the end, each still had the government's sword hanging over their head for that length of time....

Of course Slashdot is going to support Childs....

[cprincipe]

The only thing that Slashdotters need to remember is the next time they pile on *any* other group for being self-serving and close minded (Republicans, Environmentalists, Christians, Vegans, Wall-Street-types, what have you), remember how Slashdot overwhelmingly supported Childs, regardless of the evidence of his hubris.