Ex-SF Admin Terry Childs Gets 4-Year Sentence

Robert McMillan writes "You remember Terry Childs, right? He was finally sentenced Friday. Childs got four years in prison for refusing to hand over passwords to his bosses. This is a denial of service under California law."

Sounds pretty fair

[Sycraft-fu]

Especially when you read the story of one of the jurors who has a CCIE (http://www.networkworld.com/news/2010/042910-terry-childs-juror-explains-why.html). This wasn't a case of some PHB demanding access to something he shouldn't have. This was a case of an egomaniac sysadmin trying to make himself irreplaceable by locking everyone else out. When called on this he refused, bluffed, and finally lied.

For me, the lying part is where it clearly went to criminal levels. I suppose some of the other things he did (like store the WAN config only in memory, not saved to flash and keep the only backup on his laptop) could possibly be justified as just being paranoid and poorly educated in actual security practice. However when he gave his supervisors false passwords, lied to them, to me that showed clearly that he knew he was in the wrong. He knew he was supposed to give up the passwords but wouldn't.

Hopefully it'll be a lesson to other sysadmins to consider that at work, the computers are not yours. They don't belong to you. They belong to the organization you work for. Part of that means the origination gets to decide who has access. You can (and should) have input in to that, and should make sure it is all documented, but ultimately the systems belong to them and you need to do as they say.

As IT workers, our job to is provide service, not prevent it. We need to do what we can to ensure people can get what they need. It is a service industry, like it or no.

No but you have to give them access before you go

[Sycraft-fu]

Now ideally this is in the form of someone else having access, or there being a central password store. Read in to the Childs case and indeed there was a place where passwords were supposed to be stored and he didn't do it. However even if that's not the case, you have to relinquish the passwords when you leave. If you are the only one with the root password, you have to hand it over (or change it for them or whatever). Same shit as your keys, when you leave employment, you have to turn in your keys.

You don't have to help them figure anything out, but you are not allowed to lock them out of their own systems. If you cannot see the difference, you are being deliberately blind.

Re:Justice is Served

[Jedi+Alec]

Making jokes the way Americans do about "pound me in the ass prison" indirectly condones the fact that such a prison system exists. Heck, how many tv shows have a cop quickly whispering into the ear of the just arrested (and hence not convicted eg innocent) perp about what's going to happen to him in jail?

People are missing the point

[Sycraft-fu]

It isn't about PASSWORDS it is about ACCESS. He had sole access to some systems, including some very critical ones. He wouldn't turn over access. In some cases, this would have meant creating accounts for other people. In other cases, this would have meant handing over the password. Remember that some things like root or enable have only one password.

So the issue wasn't that he wouldn't give up his own personal password, the issue was that he was denying the rightful owners of the systems (the city) access to those systems.

Also please note this all started way before he got canned.

Re:Justice is Served

[mopower70]

America may be civilized in the broadest sense of the term, but it is anything but civil. When you have a "civilization" where keeping people imprisoned is a $40 billion a year industry, and prison wardens allowing criminal activity inside their institutions as a cost-effective means of self-policing, you're going to have people getting raped and your going to have people coming out of prison much worse off than when they went in.

"Turned Out" is an interesting and disturbing documentary about the dynamic of prison sex and rape http://www.youtube.com/watch?v=M4_uvvcaDqw

Re:Justice is Served

[Joce640k]

This.

The people who really ought to be having a miserable time in prison get a free pass to carry on tormenting and hurting other people for their own amusement. Other people who have nowhere to escape and nobody to turn to for help.

That is because you are wrong

[aepervius]

The process of "being fired" does not end your responsabilities with you stopping to work and going out of the building. It ends only when you :
1) gave back all physical object the firm loaned to you within the execution of your work (laptop, cars, etc...)
2) gave back all access key in your possession (be it physical, RSA keys, or electronics)
3) gave back all financial access you had to (firm credit card for example), and I may pass a few others.

If you do not think so, you are a "terry child in waiting", as in, risk prison if you think you can skimp on your responsability. being fired don't mean you can keep stuff from the firm, be it unique key knowledge (like passwords), or physical items.


It actually pretty dumb to think so. About as dumb as somebody keeping a laptop at home after being fired.