San Francisco Just As Guilty In Terry Childs Case
snydeq writes "Deep End's Paul Venezia follows up on the Terry Childs sentencing, stating that the City of San Francisco is as much at fault in this case as Childs is. 'The way that the San Francisco IT department has been run is nothing short of abysmal, and that has been pointed out time and again by anyone paying attention to this case,' Venezia writes. 'Plenty of dirty laundry was aired out in court as well, yet through it all, the city has had a full-court press on Childs, and being both the plaintiff and the prosecution it spared no expense to drill Childs into the ground.' Worse, perhaps, is the disproportion of the sentence, when compared with recent convictions for intended malfeasance on the part of several notable rogue IT admins."
FTA: "When faced with dangerously incompetent management, it's best to just look for another job."
I found this a very telling statement. If your management are bozos, don't try to change them or point out their bozo-ness. Just pack up and move on. They hold all the cards. You will be punished for trying to fix anything that makes them look bad.
How very sad and defeatist.
- Jasen.
By that time, he'd already committed what he was convicted of.
Childs refused to record passwords, in direct violation of policy. When being moved from his current job, he refused to hand over passwords etc. in any environment, again in direct violation of policy. He then prepared to leave town without handing them over.
No competent sysadmin sets things up so he's the only person with the passwords, so that the network is simply screwed if he's hit by a bus. Childs went one further: he had the password for a file on his personal laptop that had the passwords in it. Had his laptop been destroyed, or the file system corrupted, the passwords would be lost.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
That's actually not true.
http://slashdot.org/comments.pl?sid=1633482&cid=32008096
one of us actually was on that jury
Non impediti ratione cogitationus.
2) Having been convicted, I would have run away. There are a lot of decent IT jobs in the Northeast..... almost 3000 miles away from the SF Government's reach. No different than running from Spain to Poland to start a new life.
US Constitution, Article 4, Section II, Clause 2:
"A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime."
You achieve nothing in your interstate flight but a guarantee of conviction on a new and stiffer felony charge.
You will be doing hard time even if your prior conviction is overturned.
"They paper over the fact that if this guy had been hit by a bus, his employer, the City of San Francisco, would well and truly have been up a creek without a paddle."
Which is a management issue, not a technical one, so the one to blame must be a manager. Was Childs in a manager-level position or in a "mere" technical one?
"However harsh the sentence may have been, the fact is that Childs was a shitty IT manager."
Truly so. But was he in a managerial position to start with? All I can find about him is that he was a "network administrator", a "network engineer" or an "IT administrator", never a manager, so he was not the one to say how the passwords should have to be managed nor the one to deal with policy violations. In fact, as per this reference (http://blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php) it seems clear that upper SF management agrees this is a case of bad management: both Terry's direct manager and the security manager were displaced (they are not fired yet, probably so as not to shame that very SF upper management).
But in the United States the trend seems to be regressing thanks to grandstanding politicians and bloodthirsty voters who won't countenance even the slightest hint of being "soft on crime".
That's not even the end of the story. Don't forget that a growing number of prisons in the United States are being privatized. There have already been cases of judges who have been convicted for imposing harsh sentences without appropriate judicial review, because they were accepting kick-backs from the prison industrial complex.
Breakfast served all day!
"Then the time came where they wanted the list of passwords. I asked them where the old list was and I haven't heard anything since."
You realize that this is dangerously close to Childs' attitude.
When they asked you, you should have (as I would) informed them that they had a list of the passwords from the CFO's safe. You have since changed them, knowing the safe was 'compromised', and you did not know the disposition of the contents. And then you should have delivered without hesitation, to the CEO, owner, or their authorized agent, the new passwords. And perhaps a written admonition to notify you whenever a critical executive or manager is dismissed, so that you can take appropriate action.
When I was installing small-business systems, it was expected, mandatory, that I leave the business owner with those passwords and access details. When we provided access for our clients, the router configs were delivered on floppy (this is a while ago), and passwords were again delivered as well. Where they had a trustworthy or critical telecom or cable provider, they also got a copy of passwords. All of these also got a disclaimer, that if the passwords were compromised or given to unauthorized agents, or changed without notifying us, our responsibility for the functionality of the system, and SLAs, terminated as of the action, not on date of notification. I had two or three incidents where the passwords, etc., were misused or compromised, and we did not have any real difficulty with the client. Once they changed providers and the new provider ran roughshod through the network with predictable results. We explained the policy, and they clammed up. The owner blamed us, but in a year we were 'back in'... In another case, the owner changed consultants and ditched us, and made the changes in the middle of the night without notice. Hey, it's a 'Haitian divorce'. When he did notify us, we of course offered all assistance, and saved the new player a lot of time figuring things out. That old boss saw no value in further annoying disgruntled customers or competitors. But if a client ever asked me for passwords, they got them. It's their system. If they really wanted to mess it up, they paid for it.
Oh well, my $.02
deleting the extra space after periods so i can stay relevant, yeah.
Following his employer's rules?
Okay, so you obviously haven't actually read anything but slashdot summaries.
Before the police were involved, he was given several VALID ways to turn over the passwords.
He broke policy FIRST by not using the City supplied configuration and password management system which he was supposed to be using ... according to city policy.
Had he followed ALL the rules, he'd have just been fired and there would be no story.
He selectively picked policies that suited his agenda and ignored the rest, using the ones that suited him to try and hide.
Unfortunately for him, the city's only real choice was to go after him for as much as they could to make it clear this sort of shit isn't tolerated in the future.
He's getting punished for conspiring to and eventually holding the city's network hostage. It was very clear during the trial that he planned to do what he did. It wasn't just one of those days where everything went wrong and he is being made out to be the bad guy.
He went out of his way, broke multiple city policies over an extended period of time in order to put himself in the explicit position of holding all the cards.
The city responded by simply pointing out that while he currently held the cards, they were simply going to shoot him and take what they wanted anyway.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager