Slashdot Mirror
Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M
0WaitState writes "A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
This is an example that drives home the fact that people might actually give a crap about network meddling.
We will make an example out of you, who cares about justice?
... who had had exposed hundreds of LIVE login/passwords to city administration system as 'proof', endangering the public system and the private information of citizens and even more, will pay ?
nothing ? i guessed as much. its all ok if you are a moron at the helm of a company or a public office. no really - i am much more polite and eloquent than what wordage you read here, but, i am at a loss to find any word other than moron for publicly exposing hundreds of live login/passwords in a public court. really. morons.
it appears terry childs was right.
Read radical news here
That explains why American culture is so obsessed with vigilante justice - the actual judicial system is fucking retarded .
That is the high price of caring about security.
Terry Childs did some mistakes. I think the restitution for damages is more justified than the criminal punishment he got.
CU, Martin
I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.
/. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?
Like I said, a
Finally had enough. Come see us over at https://soylentnews.org/
I just RTFA. It says the money is to
repay the city for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities. City officials had been worried that Childs, who helped set up the network but clashed with his supervisors, might try to sabotage it.
Mind, he already spent 2 years in custody and was convicted to 4 years of jail.
... I'll hire him.
Onda Technology Institute
"it is difficult to understand how they came up in $1.5 million in costs" If you read the article..."Prosecutors had sought the money from Terry Childs, a former Department of Technology network engineer, to repay The City for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities."
it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
Maybe you should read the decision; I'm sure it's all explained in there. Once you've done so, you can discuss the reasoning given by the court and agree or disagree with it, but until then, everything is just idle speculation.
At first I thought the citizens were going to have to pay for the cleanup and fixing of all the problems, along with the trial and all that. Now that I know this criminal with no job prospects will be paying the $1.5M I can sleep better at night.
My personal ideas about job integrity end at or a little before the threat of getting arrested so I could argue I don't think what he did was wise (I would've made the guy wanting the passwords put it in writing and then quietly laughed when they broke things), but I don't think the punishment fits the crime at all. Why is there never a middle ground in the justice system between ruining someones life and letting them go free?
And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down.
No... It was not down. It was just not administrable. There is a huge difference.
I think his jail time served and permanent damage to his career is more than sufficient. He is still dumbass of the year, but to fine him more money than he will ever make is too much.
this is like suing a guy who used to work at a steel making joint, because they didnt know how to stop the furnace.
From TFS:
"it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
Come on, we shouldn't be defending this guy otherwise we're no better than the corrupt politicians that occasionally crop up on /. stories.
We all know he was in charge of much of the city's network infrastructure and that ultimately the city dealt with him and his role rather badly - that's not particularly unusual in the public sector anywhere in the world. What's important is how he reacted to it. From what I've heard, his reaction was to say "Fine, if that's going to be your attitude I'll take the passwords to my network and go home!" like a petulant child. But it wasn't his network to take - and I don't believe the arguments that to hand over access to someone unqualified would have put him in greater trouble than refusal to. Faced with an enemy with so much more resources, the sensible thing to do would be to negotiate a way out of any possible repercussions instead of throwing a tantrum.
Certainly the management of San Francisco has some responsibility for what happened.
However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.
The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining control of the systems while Childs refused to cooperate. Those attempts cost some money, and that's money that would otherwise be billed to taxpayers.
Why should I feel that Childs is being treated unfairly? He had to know that if he fought those in power, they would find a way to take him down.
so I looked myself and found this article
http://sfappeal.com/news/2011/05/sf-network-engineer-convicted-of-witholding-passwords-ordered-to-pay-15-million-restitution.php
"No city services were ever affected, but officials said they could have been crippled if power had somehow been shut off.
A jury convicted Childs in April 2010 of a computer tampering-related charge, and today San Francisco Superior Court Judge Teri Jackson ordered him to pay $1,485,791 in restitution to the Department of Technology,"
he's paying it to the department of technology, not justice.. so... no...
every day http://en.wikipedia.org/wiki/Special:Random
Sick of making a stinkin $60K/annum for 365/24/7 service? Well now you're a member of a ruling elite, concomitantly liable for millions in damages!
Now that you need a multimillion dollar bond, doesn't that make you feel underpaid?
That dereliction of duty, and violation of the public trust is not OK just because nothing bad happened. By that logic, these morons who fly passenger jetliners after imbibing should not be punished because they managed to get the plane down OK and didn't kill anyone.
This is yet another example of how public sector workers think that they are beyond reproach, and do not have to work to the same standards that the public sector does. He needs to understand his place and apparently he didn't, and now will have to pay.
Hopefully this serves as an example to other people who don't understand their position and think just because they have the keys to the office or the password to the server that they own the place. They are fungible and will be held accountable.
"And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down."
how indelibly burned into your psyche is the concept
"I will not be crossing that line!" because of the example they have made, and continue to make, of this individual.
taking another unredeemable swing at him at this later date? serves the same purpose as the electric chair-- a warning to others......
Lets use another example entirely- considering what happened to the poor carpenter from Nazareth, would you consider claiming to be him?
every day http://en.wikipedia.org/wiki/Special:Random
Lesson learned?
A better punishment would have been to make him perform community service where he has to work for free for a certain number of hours fixing people's networks and eliminating THEIR downtime. That might have been a better solution.
He who knows best knows how little he knows. - Thomas Jefferson
"it is difficult to understand how they came up in $1.5 million in costs"
Asshole tax?
"...unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
What exactly is being insinuated here? That it's the City's fault that Childs decided to commit a crime?
Sorry, pal, it doesn't work that way. Yes, the city has a lot of work to do to clean up its IT policies, but that has no bearing whatsoever on Childs' decision to commit a criminal act.
"Ask not what your country can do for you." --John F. Kennedy
Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though.
A firing for unprofessional conduct: sure.
A $1.5M fine? This just adds to the farce.
I'm sure the head of the IMF will get a fair trial.
He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail.
They have been tried in the media but not put in jail.
Mr. Childs clashed with the new Security Manager on the subject of authentication and control, which led to poor formal review.
Sorting out fact from fiction in the Terry Childs case
Honestly, hasn't this poor guy been strung out long enough? Why can't they give him some peace.
www.awkwardengineer.com
can you be guaranteed that illegal and full-on crazy actions by a sysadmin be ignored in place of ranting against his employer.
In my personal opinion, it is a mistake for our profession to defend the likes of a person who carries out such an act. While the restitution is clearly beyond his means, his actions are just as clearly unconscionable. I have been in this profession for 35 years and still work at the technical level. We need to act with integrity and disassociate ourselves from such malpractitioners. Otherwise, our profession will fall under deep suspicion and eventually die.
He's already been crucified.
They're just casting lots for his robes.
I can't figure out how this guy got convicted. He was an asshole and lacked common sense but 4 years in jail?, 1.5M? talk about "cruel or unusual punishment", 8th amendment anyone?
Are they appealing this case?, why is the EFF not involved?, this is the kind of case they should be looking at. This case sets the scary precedent that admins are criminally liable for the network they maintain.
HTML is obsolete. It's time for a new, simpler and richer markup language.
Meanwhile the former Governator admits that he fathered a child out of wedlock while on the payroll of the state. This is *while* he was railing against Gay Marriage because it would harm the "sanctity" of marriage.
Good job there dude. And will any charges be brought against him? Nope. It won't even affect his attempt at restarting his movie career. Just another day in Hollywoodland.
Meanwhile, Terry Childs is fined $1.5 mill for acting like a douche AND is spending 4 years in jail.
How much you want to bet that if he was a rich and famous dude, he wouldn't be spending one day in jail? Why is it that we live in a "free" and "equal" country where there's one set of laws for the wealthy and powerful, and another set of laws for the commoners?
If telephones are outlawed, then only outlaws will have telephones.
Disclaimer: I'm a systems engineer who spent many years as an admin. I don't do as much daily firefighting as I used to, but I sure have tons of experience in that department.
How many of you (good natured) IT folk looked at the Terry Childs case and said, "Hey, that sounds like X, the total jerk I used to work with!" I know I did... We had a guy like this who (a) did the passive-aggressive thing when asked to take care of something, (b) kept all the secrets in his head so that it would be hard for anyone to take over, and (c) got fired because management/staff had finally had enough of him and decided it would be worth it to just get a consultant in to put everything right.
Stories like this, and unfortunate stereotypes, are what keep IT work "in the basement" and prevent us from being recognized as professionals, IMO. We don't get respect from the MBA crowd because we can't justify our existence...but I think we could change that by changing the typical attitude.
Obviously, most IT people aren't like Comic Book Guy from the Simpsons, but those who are sure make it hard for the rest of us.
Now that computers are totally pervasive, maybe it's time to set some standards and get the various branches of IT work (development, network admin, systems admin, etc.) recognized as professions. At least there would be some kind of code of conduct and minimum education standard so employers would be sure of what they're getting.
I'm sure they'll have a real easy time finding a talented individual to replace him. There's nothing like the threat of imprisonment, humiliation and millions in fines to attract IT staff.
That is part of a job for a sys admin. If they were happy with one admin and no backup, the damage is at most a part of his salary for the amount of time that it would normally have cost him.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Restitution: paid to crime victim(s) to make them whole. If you light a display in Target on fire, you owe Target the cost of the merchandise plus the cost of cleanup plus the money they spent rebuilding.
Fine: paid to the state as punishment. You will ALSO have to pay a fine to the state as punishment, completely separate from restitution.
A judge sentences you to pay a fine. Then the judge holds a restitution hearing where he hears from witnesses about what the amount (if any) of restitution should be.
Being a geek is no license to behave like an egotistical, entitled little princess or a common criminal. Too many geeks thinks because they work with teh technology, that normal rules and niceties don't apply to them.
What this guy did was criminal damage, and by rights, he probably should have served time. I've seen people getting done for much less.
Except that isn't what happened. A "rogue admin who absconded with all the data/access" is what the prosecution made up out of cloth to ensure a guilty verdict.
What ACTUALLY happened is that someone who couldn't demand the passwords asked for them, asked over an insecure medium (telephone call) and was sacked because the admin said "no".
When the person who COULD demand the passwords asked in a secure manner (a room with no other bystanders not allowed to know the passwords), the passwords were handed over, DESPITE this being after he was no longer employed therefore had NO responsibility to hand over the passwords.
Note also that a hardware toggle allows the passwords to be reset, so at the VERY WORST they would have had to get someone to pop over to each Cisco rack and reset the passwords to blank.
this hardly costs $1.5M.
Excessive fines mentions one instance, some person took $357,144 of his own money outside the united states, but failed to report it, so they fined him the entire amount -- that is excessive
All that RIAA/MPAA calculations for copying some bits, clearly excessive.
Without knowing how the judge decided on 1.5million, you can't say its excessive
There should be a System Admin "Code of Ethics". The closest is the IEEE "Code of Ethics", or the ACM "Code of Conduct" if they happen to have joined.
The first is "bite sized", the second is probably more relevant but way more wordy, but how many people even bother joining either?
We are unorganized as a group at large, and the lack of standards to adhere to is part of the problem that we, as a Profession; including Admins, Programmers/Developers, Support Techs; need to address somehow.
(/rant) :)
computer professionals for social responsibility
cpsr.org
http://cpsr.org/issues/ethics/index.html
FTFY
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Pity you didn't look in the case before shutting it.
Childs would have done a crime if he'd passed the passwords on to someone who didn't have clearance.
Or is it OK to pass on any old thing to a superior, even if they aren't supposed to have it now?
What Childs did wasn't. If he'd given the new manager the passwords, THAT would have been a crime: that manager WAS NOT ALLOWED THE PASSWORDS.
Just because a General asks a corporal for the keys to the nuclear button doesn't mean that the corporal has committed a crime by saying "Sorry, sir, that only gets given to the CFO".
Worse, the demand was done over the phone with people who had ABSOLUTELY NO CLEARANCE WHATSOEVER.
So the new manager did the crime: demand something he had no security clearance to demand.
When organized labor goes on strike, it stops production. Sometimes actual damage is done.
Yet, those guys are considered heros for the working people.
So why is it, when a techie does something similar, the reaction is total to completely freakout and over-react?
Another case why we need unionization of IT workers. The National ACM will be a good start of leading the movement.
New Economic Perspectives
A judge Tuesday ordered a former city worker...
Judges Wednesday and Sunday were unavailable for comment.
Who really deserves a $1.5mil fine? And will that party ever pay? Regardless of your answer to the first question, the answer to the second question will always be no.
I8-D
This -- "efforts in trying to regain control over the FiberWAN network and later test it" -- does not cost $1.5 million dollars.
there was no key system when he setup the network and over time he became the only network guy there.
I believe there is no need for a password if one has simple physical access to a Cisco router. I was doing this as part of CCNA training around the time this was going down.
I think the password is property, and Childs kept that property when he left. Is that property worth $1.5M, probably not. Did he cause $1.5M in damages, it is obvious to everyone that he did not.
Honestly, dropping an unfair sentence on this guy is a mistake, a $1.5M debt hanging over him for the rest of his life is going to make him crack. The probability of him getting a gun and shooting up city offices is incredibly high. He's been convicted of aggravated assault, aggravated burglary and carrying a concealed weapon from way back (about 25 years ago). His time in a Kansas prison makes him a felon, when he was arrested for what he did in SF they found him with 9mm and 45 ammunition, but no firearms. Where are his firearms, why have ammo without a gun? He cleverly hid the firearms because they are illegal for him to posses, when he gets out of prison is he going to just pick up his stash of guns?
When Terry Childs goes on his 2016 shooting spree, the prosecutors and judges will no longer be smiling smugly at a job well done.
You know, the group of 4Channers who mete out vigilante justice as they see fit?
But I think gman003 was more talking about media. There are like 5 superhero movies coming out this year. Virtually all of them are vigilantes (although having seen Thor, the current #1 movie, it's not actually a vigilante movie).
http://lkml.org/lkml/2005/8/20/95
If he would of gave out the password then he may of been in the same place or worse.
The network stayed up but if one other people people on that call got the passwords and F* the network and they all the blame is on terry.
Eh, you can't garnish every single penny someone has. He'll have this over his head for the rest of his life but doesn't necessarily mean he'll be homeless.
This is really pointless. They should just order him to pay a hundredrytrillionbajillion dollars, because if the judge wants to dream, he should dream big. Unless he made some amazing investments twenty years ago, there is no way he will ever be able to pay that. Moreover, it is really easy to get a visa to live in another country with IT skills. He should just pick up and leave and send the judge a 'fuck you' postcard from France.
Granted he was kind of a dick in the way he handled things, but every aspect of this court case screams of excess. Sticking around to appeal this sentence is just asking for another undeserved ass-kicking.
HA! I just wasted some of your bandwidth with a frivolous sig!
Say the City hires a $1,000 an hour consultant to get back control of the network and test it then get Childs to pay the resulting $1.5 million bill. That equates to the consultant billing 37.5 weeks (40 hour weeks) to do the job.
Or, almost a year and a half for a $500 an hour consultant.
No, it wouldn't be.
Still, Childs was just plain stupid. He should have:
a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
Saying you can't remember. Saying you can't recall.
That will land you in the county lock-up until hell freezes over or your memory improves. Whichever comes first.
The geek should never tell a lie because he is no damn good at it.
on how gullible the hiring managers are. When your boss gives you a legal order, you do it or quit. And when fired for not doing this, it is no longer your job, and you have no right to keep the passwords. Self important delusions of adequacy do not mean that the network is your own personal plaything. No self respecting manager would ever hire this idiot, and I would fire any of our managers that did.
This is the Slashdot homepage of the juror on the case who posted heavily in the Slashdot thread about the verdict in the criminal trial of Terry Childs.
How is not saving Cisco router and switch configurations to device memory a valid form of disaster recovery and change management? Find one Cisco manual that endorses not saving configurations to flash memory. Mr. Childs consciously made a decision that violates general IT security policy to make himself a key holder to the kingdom as a form of dead man switch in case he were terminated. His termination did not come till after he refused a direct order from his supervisors. What would you do with employee insubordination and lack of professional ethics managing critical hardware? The damage costs stems from the cost to hire a certified third party to conduct asset identification, full vulnerability assessment, remediate vulnerabilities (patching an replacing Cisco hardware) and to bring in CCIEs to reengineer the network. Courts allow the plaintive to multiply substantiated damage costs to cover labor and overhead expenses that are hard to exactly calculate. In Federal court the formula is to multiply by four. Labor costs would be the calculation of employee hourly wage times lost employee work hours for each employee effected (12 days plus remediation time). Overhead costs would be office supplies consumed, office space lease cost, heat and A/C, water, hardware, software and equipment maintenance multiplied by each employee effected (12 days plus remediation time).
You included stuff from El Salvador, Colombia, Thailand, India, Mexico, England, Ireland and some loopy environmental groups; I probably missed some.
So half that list isn't US, many aren't even violent, so we're down to one or two nutters every decade in a country of 300 million.
And most people have never even *heard* of these people. Conclusion: no obsession.
http://en.wikipedia.org/wiki/Category:Vigilante_films
Obsession is not an absolute notion, and it does not necessarily imply people actually do what is obsessed about.