San Francisco Just As Guilty In Terry Childs Case
snydeq writes "Deep End's Paul Venezia follows up on the Terry Childs sentencing, stating that the City of San Francisco is as much at fault in this case as Childs is. 'The way that the San Francisco IT department has been run is nothing short of abysmal, and that has been pointed out time and again by anyone paying attention to this case,' Venezia writes. 'Plenty of dirty laundry was aired out in court as well, yet through it all, the city has had a full-court press on Childs, and being both the plaintiff and the prosecution it spared no expense to drill Childs into the ground.' Worse, perhaps, is the disproportion of the sentence, when compared with recent convictions for intended malfeasance on the part of several notable rogue IT admins."
"Printable version". TFS's link is to a two page version with six paragraphs per page.
Free Martian Whores!
Every time I read something positive pertaining to the American justice system I seem to be two years older than the last time. How does he possibly deserve four years in prison for this?
"Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
You can skip reading TFA; all of it that's relevant to the headline is in the article summary.
Most of the article is pointing out other people who did worse things and got lighter sentences. Frankly, I think that's a useless argument; for any crime, you can just about always find someone who committed a greater crime and received a lesser sentence. So what?
I think there's a lot of interesting dialogue to be had about the Terry Childs case, but this particular article doesn't add anything to that discussion.
What level rogue was the admin, anyway?
"rogue IT admins" are the only thing worse than, "mall ninjas." *Dunt, dunt, duuuuunt!*
Sure, the SF IT department may be getting managed into the ground. Sure, maybe the city is as much to blame for everything as Childs is. But none of that matters now, does it? Nobody is going to file a case against SF city. Nobody is going to punish the SF IT department. Nah, the city will get to walk away scot-free, continuing to practice poor procedures. All the while, Childs has to live with his sentence as a convenient scapegoat. This case just serves as a little more proof that the justice system, on all levels in this country (at least if you live in California) is completely FUBAR.
Motorcycles, Robots, Space Gossip and More!
Did a good job? The guy was keeping passwords and router configs in his head. He may be the best IOS programmer around, but that isn't the mark of a good job, that's the mark of an incredible idiot.
The world's burning. Moped Jesus spotted on I50. Details at 11.
It's good to be the king.
It must have been something you assimilated. . . .
Wow, a nuanced view of the problems.
Before this post gets modded as a troll or flamebait, it is my humble and sincere view as someone born and raised outside the USA, that Americans are often obsessed by finding a single cause for a problem and the idea that there might be multiple causes is rarely explored.
The real "Libtards" are the Libertarians!
The problem lies in that most US people seem to equate justice with revenge.
FTA: "When faced with dangerously incompetent management, it's best to just look for another job."
I found this a very telling statement. If your management are bozos, don't try to change them or point out their bozo-ness. Just pack up and move on. They hold all the cards. You will be punished for trying to fix anything that makes them look bad.
How very sad and defeatist.
- Jasen.
I would suggest it isn't so much an "American" trait as it is a convenient news tactic in America. People naturally want answers to questions. The neater and tighter the answer, the more readily it is accepted by the masses, which, of course, means that the news makes more money because they are more trusted. Simplicity is a hallmark of human (not just American) thinking - this takes different forms in different cultures. The main Western logical process is distinct from Eastern varieties but simplicity within the given culture is the tendency. Looking at modern history books covering the Renaissance and comparing them with 19th century history books of the same, we have a much broader viewpoint than those writing in the 1800s had. This is in part due to different access to resources, but in part due to the development of thought over time away from the natural reaction: Simplicity.
Now, with all that said, this is only... one facet of the change in thought patterns over the past century.
Worse, it is the mark of a megalomaniac. He was convinced he has made himself indispensable, that by keeping knowledge to himself, and endangering the systems in doing so, made his job totally secure. He thought he ruled the roost and nobody could fire him. He found out the very hard way he was wrong. As the saying goes "The graveyards are filled with indispensable men."
The most important thing in an IT person is that they are trustworthy. They have amazing access, and with that comes amazing responsibility. They need to be trustworthy to not abuse that access. He did, badly so. As such he really should never work in IT again. He's shown that he can't set aside his ego and such a person has no business having system level passwords.
I am not even sure I would call the punishment legal. They really shoehorned a law designed for something else into this case. In many ways he is getting punished for following his employer's rules when politics said he should have broken them.
Well, guess what. No matter how much you may think it, generalized poor management is not actually a criminal offense. Whereas, denial of service is.
Justice is not about fairness. It's "did you break the law, and if so what's the stated punishment?"
Was the ordinance used to convict him fair and reasonably applied? The only opinion that matters is the jury's, and they thought it so.
IMHO, Childs may have started out with the best of intentions in his "stand", but it escalated into a pissing match. And you really can't out-piss senior municipal managers and politicians, so you can indict Childs for picking a losing fight.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Agreed. But does he deserve four years in prison? In most other professions, this would lead to a civil lawsuit and a fine, not a prison term on par with that of a violent offender.
"Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
The Economist ripped the US a new one last week for locking up too many people, many of them non violent offences. It wasn't so long ago that people were hanged for stealing a loaf of bread, but we backed off from excess punishment (probably a little too far in some cases). But in the United States the trend seems to be regressing thanks to grandstanding politicians and bloodthirsty voters who won't countenance even the slightest hint of being "soft on crime". With the way things are going, I truly think that the US will soon bring back public executions before long and will be indistinguishable from countries like Iran in how they deal with crime.
Drill baby drill - on Mars
"rogue IT admins" - I find that phrase humorous for reasons I cannot explain.
That's a typo. This IS San Francisco we're talking about - they almost certainly meant to say "rouge IT admins".
By that time, he'd already committed what he was convicted of.
Childs refused to record passwords, in direct violation of policy. When being moved from his current job, he refused to hand over passwords etc. in any environment, again in direct violation of policy. He then prepared to leave town without handing them over.
No competent sysadmin sets things up so he's the only person with the passwords, so that the network is simply screwed if he's hit by a bus. Childs went one further: he had the password for a file on his personal laptop that had the passwords in it. Had his laptop been destroyed, or the file system corrupted, the passwords would be lost.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
That's actually not true.
http://slashdot.org/comments.pl?sid=1633482&cid=32008096
one of us actually was on that jury
Non impediti ratione cogitationus.
Whether he does or doesn't will be up to his lawyer to convince on appeal. The broader point here is that a whole lot of IT guys seem to blindly be supporting him because he followed the letter of his contract to insane degrees. They paper over the fact that if this guy had been hit by a bus, his employer, the City of San Francisco, would well and truly have been up a creek without a paddle.
If this was such a big concern for Childs, why didn't he have these key passwords and router configs in the Mayor's office? Surely the Mayor has a safe or some other secured storage whereby this critical data could be securely stored in the event that the Mayor had to appoint someone else responsible. Where I work we have a safety deposit box where the originals of all the purchased software is stored, as well as a CD and hardcopy of all the passwords are stored. While it would probably be a bit difficult to keep going without me around, the guy that comes in after me would have a reasonably decent head start.
However harsh the sentence may have been, the fact is that Childs was a shitty IT manager. Being an IT manager is about a helluva lot more than being a clever router hacker, it's about documentation, about appropriate systems, and just as importantly about assuring, for whatever reason, that a smooth transition of IT management from one person or another can be accomplished. Childs didn't set up that damned network to benefit his employer, he set it up so that he was the cornerstone, and while the city has to take a lot of blame for not keeping a better eye on him, he violated some very basic tenets of sound IT operations and management. As I've said before, I wouldn't hire the guy to manage a popsicle stand, I don't give a crap how brilliant he is.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I'm betting the Governors involved would treat him as any other convicted criminal and Childs would add a few more years onto his sentence for escape/flight.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
What if you worked at a nuke plant and your boss wanted the codes over the speakerphone and you did not know if people on the other end were able to run the system and you know that your boss was not able to run the systems?
Because we have more than a couple of Terry Childs like people on Slashdot. You may notice that there are a fair number of posters here who are quite anti-social, and anti-authority. You also may notice that they think their technical skill makes them much smarter than everyone else. This tends to lead to a mentality of "My boss is an idiot and I should be the only one who makes any decisions on the computers." Maybe they've even forced that in their work. So they are sympathetic because it is the kind of thing they either want to do or have done, and they are worried that they might get in trouble.
Basically they are like him, and thus that makes them feel that his actions were correct.
2) Having been convicted, I would have run away. There are a lot of decent IT jobs in the Northeast..... almost 3000 miles away from the SF Government's reach. No different than running from Spain to Poland to start a new life.
US Constitution, Article 4, Section II, Clause 2:
"A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime."
You achieve nothing in your interstate flight but a guarantee of conviction on a new and stiffer felony charge.
You will be doing hard time even if your prior conviction is overturned.
Precisely. Whatever else Childs is, he's a shitty administrator. Do you think the city's chief comptroller has the only set of keys to important confidential accounting files? Do you think the city's chief personnel/HR officer has the only set of keys to personnel files?
As much as all of us IT guys have our moments of self-delusional self-importance, we are, at the end of the day, simply another aspect of any given organization's total infrastructure, and are bound by the same rules, and by the same basic set of good practices. You keep copies of keys, passwords, pass codes, whatever in a secured place. You don't keep them on laptops. You don't keep them in your head. You make damned good and sure that if you were hit by lightning the next morning your employer can assure continuity of operations. That is the most fundamental job anyone in a position of any kind of managerial authority in any organization has.
The world's burning. Moped Jesus spotted on I50. Details at 11.
You mean kind of like how a lot of non-Americans like to find the property of "being an American" as somehow intrinsically to blame in so many situations?
All people need to simplify. You will never understand everything, so you research carefully the things that interest you, and everything else needs to be ignored or fit into a bite-sized piece of intellectualism that you don't need to give any thought to. Nationality has nothing to do with it.
What do you mean "so what"?
First there's the question of precedent.
Second there's the question of just punishment
While the city may have a shitty IT setup, is that illegal? Probably not. However what Childs did WAS illegal.
That is the difference. I know that some geek types seem to think the law should be whatever strikes them personally as fair but that isn't how it works. Childs broke the law, he was tried and convicted of it (and one of his jurors had a CCIE so none of this "stupid jury" bullshit).
If the city is being negligent then a lawsuit can, and should, be brought against them. None of that makes what Childs did right or legal.
Please, please would all Slashdot posters go and READ UP ON THE CASE before posting. The facts please, not the opinions from other Slashdotters. So much uninformed kneejerk here. Slashdot itself had some good links, including one to an interview with aforementioned CCIE juror. How are you any better than the people you like to look down upon if you cannot be bothered to get your facts straight for something you have strong emotions about?
"They paper over the fact that if this guy had been hit by a bus, his employer, the City of San Francisco, would well and truly have been up a creek without a paddle."
Which is a management issue, not a technical one, so the one to blame must be a manager. Was Childs in a manager-level position or in a "mere" technical one?
"However harsh the sentence may have been, the fact is that Childs was a shitty IT manager."
Truly so. But was he in a managerial position to start with? All I can find about him is that he was a "network administrator", a "network engineer" or an "IT administrator", never a manager, so he was not the one to say how the passwords should have to be managed nor the one to deal with policy violations. In fact, as per this reference (http://blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php) it seems clear that upper SF management agrees this is a case of bad management: both Terry's direct manager and the security manager were displaced (they are not fired yet, probably so as not to shame that very SF upper management).
The dude wouldn't turn over passwords when ordered by his Senior Associate. That's just insubordinate in any circumstance, regardless of the job, and will get your ass fired in most places. Terry could have handled things differently if he didn't trust his immediate supervisor, but he didn't. He chose to lie all the way up the food chain and took the for-the-good-of-the-network chip on his shoulder with him.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Furthermore, justice AND revenge both do not mandate prison and/or being subject to physical or sexual abuse. There are many things that can be done in BOTH cases besides the obvious one. Prisons cost too much money and have too much lobbying pressure to maintain or grow the punishment/revenge system we have today.
Having pedophile tattooed on your forehead should be enough...
Terry Childs is going to have career problems for life, no need to waste money holding him in a cage as if he was a wild animal threatening the peace - or even put an invisible fence around his house is not worth it.
Democracy Now! - uncensored, anti-establishment news
I like that rule, I wish it could always be the case too! I'll give you a real life example of my situation. I created said envelope with all the key passwords and sensitive documentation to allow another to step in should I be hit by a bus. It was placed in the safe in the CFOs office.
You may or may not have guessed it but the CFO was fired and his position was removed. Since this was an executive decision they of course waited until way too late to tell me. The COO and Controller emptied the safe and now I do not know where that paperwork wound up. I changed my critical passwords and VPN encryption keys. Then the time came where they wanted the list of passwords. I asked them where the old list was and I haven't heard anything since.
Now for my own sanity I still keep a copy of the records but it is no small feat to change all the sensitive passwords so I keep them in the safe of the owner who has already twice forgotten that he has it. He asks me for it personally sometimes. If the time came I don't believe he would know it's in his safe.
This is why I can feel at least some sympathy for Terry Childs although he definitely didn't act in any way professionally. He deserves to be punished but his punishment doesn't fit the crime given what's been brought to light about his management.
My other question is why in a city the size of SF was there only one person responsible for critical city infrastructure? If two people had been working together the whole time then the project would never have been in jeopardy unless Childs managed to corrupt the second guy which I guess is possible if some of the ineptitude of management was in fact true.
Go put a chain and padlock on your neighbor's gate and see if you get in any trouble. You haven't stolen his property, so everything should be a-ok, right? (Heck, you haven't even trespassed, since he has to warn you once before it's a crime)
He denied access to the replacement administrators. They are authorized users of the system's configuration utilities.
Only because you're trying really, really hard to turn this into something it's not. Not turning over the passwords blocked the new administrators from accessing the systems, just as if he DDoS'ed the management ports.
Plenty of dirty laundry was aired out in court as well, yet through it all, the city has had a full-court press on Childs, and being both the plaintiff and the prosecution it spared no expense to drill Childs into the ground.
Wow, that metaphor is more confused than an eel at a hovercraft convention. The word on the street is that Infoworld editors are sharper than tacks, but when the rubber hits the road it seems the prose flies like a banana.
Please cite a legal authority for your assertion that passwords are "property". Since they are intangible, I can only think that Intellectual Property laws would have bearing on that assertion. But, since the passwords were neither patented nor trademarked nor copyrighted (copywritten?), I don't see how your assertion can hold up.
/. trying to rationalize his actions, and his vote.
True. The servers were property and he was withholding access to that property.
Essentially what they got him on was "denying services to authorized users", which takes quite a bit of intellectual contortion, since no-one ever proved that his actions directly prevented services to any end-users, only that his inaction (i.e. his initial refusal to disclose passwords after his employment was terminated) temporarily inconvenienced administrators,
The administrators are authorised users as well. They are authorised at a higher level. Why does the anti-hacking statute not cover this?
But the law doesn't really work like that. Intent is quite important. It seems likely that Childs deliberately arranged things in such a way that it would be extremely difficult for his replacement to administer the servers he had a right to administer.
What is even more amazing is there was a (supposedly) tech-savvy member of the jury, who should have been able to explain what a crock this was, but was swayed by the tech-illiterate arguments of the prosecution and thus could not, or would not, prevent this travesty of justice. He's even posted here on
He had access to all the evidence, and had an explanation of how the law works rather than the interpretation of a computer user, expecting the law to work like a computer and have no flexibility in interpretation at all.
" Then the time came where they wanted the list of passwords. I asked them where the old list was and I haven't heard anything since."
You realize that this is dangerously close to Childs' attitude.
When they asked you, you should have (as I would) informed them that they had a list of the passwords from the CFO's safe. You have since changed them, knowing the safe was 'compromised', and you did not know the disposition of the contents. And then you should have delivered without hesitation, to the CEO, owner, or their authorized agent, the new passwords. And perhaps a written admonition to notify you whenever a critical executive or manager is dismissed, so that you can take appropriate action.
When I was installing small-business systems, it was expected, mandatory, that I leave the business owner with those passwords and access details. When we provided access for our clients, the router configs were delivered on floppy (this is a while ago), and passwords again were delivered as well. Where they had a trustworthy or critical telecom or cable provider, they also got a copy of passwords. All of these also got a disclaimer, that if the passwords were compromised or given to unauthorized agents, or changed without notifying us, our responsibility for the functionality of the system, and SLAs, terminated as of the action, not on date of notification. I had two or three incidents where the passwords, etc., were misused or compromised, and we did not have any real difficulty with the client. Once they changed providers and the new provider ran roughshod through the network with predictable results. We explained the policy, and they clammed up. The owner blamed us, but in a year we were 'back in'... In another case, the owner changed consultants and ditched us, and made the changes in the middle of the night without notice. Hey, it's a 'Haitian divorce'. When he did notify us, we of course offered all assistance, and saved the new player a lot of time figuring things out. That old boss saw no value in further annoying disgruntled customers or competitors. But if a client ever asked me for passwords, they got them. It's their system. If they really wanted to mess it up, they paid for it.
Oh well, my $.02
deleting the extra space after periods so i can stay relevant, yeah.
Following his employer's rules?
Okay, so you obviously haven't actually read anything but slashdot summaries.
Before the police were involved, he was given several VALID ways to turn over the passwords.
He broke policy FIRST by not using the City supplied configuration and password management system which he was supposed to be using ... according to city policy.
Had he followed ALL the rules, he'd have just been fired and there would be no story.
He selectively picked policies that suited his agenda and ignored the rest, using the ones that suited him to try and hide.
Unfortunately for him, the city's only real choice was to go after him for as much as they could to make it clear this sort of shit isn't tolerated in the future.
He's getting punished for conspiring to and eventually holding the city's network hostage. It was very clear during the trial that he planned to do what he did. It wasn't just one of those days where everything went wrong and he is being made out to be the bad guy.
He went out of his way, broke multiple city policies over an extended period of time in order to put himself in the explicit position of holding all the cards.
The city responded by simply pointing out that while he currently held the cards, they were simply going to shoot him and take what they wanted anyway.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
That's right. If he had been smart he would have just "deleted all company email, caused the email servers to spew out spam, and intentionally crippled at least some servers, rendering them inoperable" like Stephen Barnes did and been out of jail a year ago. Or perhaps he could have "deliberately and painstakingly attempted to sabotage the company he worked for, intentionally writing scripts to destroy valuable data" like Yung-Hsun Lin did and he would be out of jail in three more months.
But he got a much harsher sentence despite having not caused a single minute of outages on the network he was accused of conducting a denial of service attack on. Maybe someone ought to write (or read) an article comparing these widely disparate sentences.