Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M
0WaitState writes "'A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
We will make an example out of you, who cares about justice?
... who had exposed hundreds of LIVE login/passwords to city administration system as 'proof', endangering the public system and the private information of citizens and even more, will pay?
nothing? i guessed as much. it's all ok if you are a moron at the helm of a company or a public office. no really - i am much more polite and eloquent than what wordage you read here, but, i am at a loss to find any word other than moron for publicly exposing hundreds of live login/passwords in a public court. really. morons.
it appears terry childs was right.
Read radical news here
That explains why American culture is so obsessed with vigilante justice - the actual judicial system is fucking retarded.
That is the high price of caring about security.
Terry Childs made some mistakes. I think the restitution for damages is more justified than the criminal punishment he got.
CU, Martin
I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.
/. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?
Like I said, a
Finally had enough. Come see us over at https://soylentnews.org/
I just RTFA. It says the money is to
repay the city for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities. City officials had been worried that Childs, who helped set up the network but clashed with his supervisors, might try to sabotage it.
Mind, he already spent 2 years in custody and was convicted to 4 years of jail.
"it is difficult to understand how they came up in $1.5 million in costs" If you read the article..."Prosecutors had sought the money from Terry Childs, a former Department of Technology network engineer, to repay The City for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities."
At first I thought the citizens were going to have to pay for the cleanup and fixing of all the problems, along with the trial and all that. Now that I know this criminal with no job prospects will be paying the $1.5M I can sleep better at night.
My personal ideas about job integrity end at or a little before the threat of getting arrested so I could argue I don't think what he did was wise (I would've made the guy wanting the passwords put it in writing and then quietly laughed when they broke things), but I don't think the punishment fits the crime at all. Why is there never a middle ground in the justice system between ruining someone's life and letting them go free?
And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down.
From TFS:
"it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
Come on, we shouldn't be defending this guy otherwise we're no better than the corrupt politicians that occasionally crop up on /. stories.
We all know he was in charge of much of the city's network infrastructure and that ultimately the city dealt with him and his role rather badly - that's not particularly unusual in the public sector anywhere in the world. What's important is how he reacted to it. From what I've heard, his reaction was to say "Fine, if that's going to be your attitude I'll take the passwords to my network and go home!" like a petulant child. But it wasn't his network to take - and I don't believe the arguments that to hand over access to someone unqualified would have put him in greater trouble than refusal to. Faced with an enemy with so much more resources, the sensible thing to do would be to negotiate a way out of any possible repercussions instead of throwing a tantrum.
Certainly the management of San Francisco has some responsibility for what happened.
However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.
The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining control of the systems while Childs refused to cooperate. Those attempts cost some money, and that's money that would otherwise be billed to taxpayers.
Why should I feel that Childs is being treated unfairly? He had to know that if he fought those in power, they would find a way to take him down.
so I looked myself and found this article
http://sfappeal.com/news/2011/05/sf-network-engineer-convicted-of-witholding-passwords-ordered-to-pay-15-million-restitution.php
"No city services were ever affected, but officials said they could have been crippled if power had somehow been shut off.
A jury convicted Childs in April 2010 of a computer tampering-related charge, and today San Francisco Superior Court Judge Teri Jackson ordered him to pay $1,485,791 in restitution to the Department of Technology,"
he's paying it to the department of technology, not justice.. so... no...
every day http://en.wikipedia.org/wiki/Special:Random
That scratching sound is onda technology getting added to the "don't use" list all around the world.
... I'll hire him.
Never mind him. Hire me, I can hold your passwords for as long as you want.
Lesson learned?
A better punishment would have been to make him perform community service where he has to work for free for a certain number of hours fixing people's networks and eliminating THEIR downtime. That might have been a better solution.
He who knows best knows how little he knows. - Thomas Jefferson
Might want to wait seven years before you pay him... until then all his earnings will be garnished.
"it is difficult to understand how they came up in $1.5 million in costs"
Asshole tax?
I was aiming for a "Funny" moderation, but hey, the network he set up kept running even with him away from it...
Onda Technology Institute
"...unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
What exactly is being insinuated here? That it's the City's fault that Childs decided to commit a crime?
Sorry, pal, it doesn't work that way. Yes, the city has a lot of work to do to clean up its IT policies, but that has no bearing whatsoever on Childs' decision to commit a criminal act.
"Ask not what your country can do for you." --John F. Kennedy
Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though.
A firing for unprofessional conduct: sure.
A $1.5M fine? This just adds to the farce.
I'm sure the head of the IMF will get a fair trial.
He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail.
They have been tried in the media but not put in jail.
Mr. Childs clashed with the new Security Manager on the subject of authentication and control, which led to poor formal review.
Sorting out fact from fiction in the Terry Childs case
I would fire him. There is no excuse for what he did. This guy willingly bypassed password management which is partly there to make sure that no person is indispensable. What if he was hit by a car? This guy was more than irresponsible, he was malicious (since he refused to hand over the passwd's).
That scratching sound is onda technology getting added to the "don't use" list all around the world.
+1 insightful
Whether he was right or wrong in being the only person with admin access, and whether that was a situation he created, or was thrust upon him, I am APPALLED by the fact that he attempted to hold the system for ransom.
There should be a System Admin "Code of Ethics". The closest is the IEEE "Code of Ethics", or the ACM "Code of Conduct" if they happen to have joined.
The first is "bite sized", the second is probably more relevant but way more wordy, but how many people even bother joining either?
We are unorganized as a group at large, and the lack of standards to adhere to is part of the problem that we, as a Profession; including Admins, Programmers/Developers, Support Techs; need to address somehow.
(/rant) :)
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
to fine him more money than he will ever make is too much.
Sure, the city already won when they got the passwords, but they wanted to make the point that they can run up the score. It probably makes little to no difference in Terry Childs life whether he was released or fined $1.5M at this point in time, either way he's not going to get more than subsistence pay for the next seven years.
But... just in case there's somebody with more means (read: more to lose) than Terry in the future, they're hoping for a deterrent effect.
I'd like to remind the audience about the effectiveness of public hanging of pickpockets...
He's already been crucified.
They're just casting lots for his robes.
I can't figure out how this guy got convicted. He was an asshole and lacked common sense but 4 years in jail?, 1.5M? talk about "cruel or unusual punishment", 8th amendment anyone?
Are they appealing this case?, why is the EFF not involved?, this is the kind of case they should be looking at. This case sets the scary precedent that admins are criminally liable for the network they maintain.
HTML is obsolete. It's time for a new, simpler and richer markup language.
They couldn't stop the furnace because the last guy who used to operate it ran off with the control-panel is a more accurate description.
Tell me who you are so I can add you to my shitlist.
Guilt by association, isn't it lovely?
Don't take it personally, it just means I don't trust the judgement of someone who would trust an asshole like that.
An IT guy on a power trip acted like a prick and that resulted in serious consequences. Let's see what the slashdot community thinks. ;)
This might as well be a story about getting arrested for living in mom's basement.
he's paying the price for embarrassing the powerful?
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Disclaimer: I'm a systems engineer who spent many years as an admin. I don't do as much daily firefighting as I used to, but I sure have tons of experience in that department.
How many of you (good natured) IT folk looked at the Terry Childs case and said, "Hey, that sounds like X, the total jerk I used to work with!" I know I did... We had a guy like this who (a) did the passive-aggressive thing when asked to take care of something, (b) kept all the secrets in his head so that it would be hard for anyone to take over, and (c) got fired because management/staff had finally had enough of him and decided it would be worth it to just get a consultant in to put everything right.
Stories like this, and unfortunate stereotypes, are what keep IT work "in the basement" and prevent us from being recognized as professionals, IMO. We don't get respect from the MBA crowd because we can't justify our existence...but I think we could change that by changing the typical attitude.
Obviously, most IT people aren't like Comic Book Guy from the Simpsons, but those who are sure make it hard for the rest of us.
Now that computers are totally pervasive, maybe it's time to set some standards and get the various branches of IT work (development, network admin, systems admin, etc.) recognized as professions. At least there would be some kind of code of conduct and minimum education standard so employers would be sure of what they're getting.
I'm sure they'll have a real easy time finding a talented individual to replace him. There's nothing like the threat of imprisonment, humiliation and millions in fines to attract IT staff.
That is part of a job for a sys admin. If they were happy with one admin and no backup, the damage is at most a part of his salary for the amount of time that it would normally have cost him.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
the network he set up kept running even with him away from it
Actually, it wouldn't. It was specifically designed to fail if he wasn't around and *anything* went wrong. The configs all wiped themselves on boot, and he had the only encrypted backups of them. He also was the only person with the admin passwords and refused to relinquish them to anyone.
Having an affair isn't a crime. What Childs did, is.
This is yet another example of how public sector workers think that they are beyond reproach, and do not have to work to the same standards that the private sector does.
FTFY
Incidentally, I've worked for both the public and private sectors. Granted I've never worked in the States - the people in the public sector there may have a different attitude. But certainly in the UK, people working in the public sector are considerably less greedy and far more conscientious than the private sector workers. To add to that they have a layer of bureaucracy above them that "holds them accountable if they screw up" (read: because some politician somewhere will fire them as a scapegoat) - certainly more than in the private sector.
Being a geek is no license to behave like an egotistical, entitled little princess or a common criminal. Too many geeks think because they work with teh technology, that normal rules and niceties don't apply to them.
What this guy did was criminal damage, and by rights, he probably should have served time. I've seen people getting done for much less.
The large hole you find in your bank account is usually notice enough.
You are entitled to your own opinions, not your own facts.
Except that isn't what happened. A "rogue admin who absconded with all the data/access" is what the prosecution made up out of cloth to ensure a guilty verdict.
What ACTUALLY happened is that someone who couldn't demand the passwords asked for them, asked over an insecure medium (telephone call) and was sacked because the admin said "no".
When the person who COULD demand the passwords asked in a secure manner (a room with no other bystanders not allowed to know the passwords), the passwords were handed over, DESPITE this being after he was no longer employed therefore had NO responsibility to hand over the passwords.
Note also that a hardware toggle allows the passwords to be reset, so at the VERY WORST they would have had to get someone to pop over to each Cisco rack and reset the passwords to blank.
this hardly costs $1.5M.
Garnishment orders are sent to the payor, so it doesn't matter whether you pay electronically, by paper check, or sack of cash down by the railroad tracks at midnight, the payor still has to send the garnishor's cut to them.
He is paying the price of trying to be a decent sysadmin. Next time he will not try to be the nice guy, and then there will be a real disruption of service, and no one to blame of course.
There should be a System Admin "Code of Ethics". The closest is the IEEE "Code of Ethics", or the ACM "Code of Conduct" if they happen to have joined.
The first is "bite sized", the second is probably more relevant but way more wordy, but how many people even bother joining either?
We are unorganized as a group at large, and the lack of standards to adhere to is part of the problem that we, as a Profession; including Admins, Programmers/Developers, Support Techs; need to address somehow.
(/rant) :)
computer professionals for social responsibility
cpsr.org
http://cpsr.org/issues/ethics/index.html
FTFY
He is paying the price of trying to be a decent sysadmin. Next time he will not try to be the nice guy,
No. He, once his employment was terminated, WAS NO LONGER A SYSTEM ADMINISTRATOR. As much as you might feel like the network and servers are your "baby", you don't own them. You work for the owner. You cannot legally lock them out of it.
As to "next time", trust me - this guy has made himself unemployable in the IT sector for life. The worst anyone has to worry about for a "next time" from him is whether or not he spits on the burgers.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
this is /. and we don't rtfa as it's anathema to our preconceived notions of truth, mom's cooking and the Nerd Way
Mod me up/Mod me down: I won't frown as I've no crown
You are missing the point, next time, he, or any other sysadmin, when he faces the termination letter, he/she will follow the law to the letter. Which could mean that he could "forget" to inform you about some tricky passwords, terminals, systems, etc., and when YOUR system crashes, you could blame only YOURSELF, not the already terminated sysadmin that gave you "all the passwords", and who did not try to protect the public. You understand me? The difference between protecting yourself and the public? If not, go find this article about the hacked PSN hundreds of millions of stolen accounts.
There is one, http://www.sage.org/ethics/
Cheap storage VM.
When organized labor goes on strike, it stops production. Sometimes actual damage is done.
Yet, those guys are considered heroes for the working people.
So why is it, when a techie does something similar, the reaction is to totally and completely freak out and over-react?
Another case why we need unionization of IT workers. The National ACM will be a good start of leading the movement.
New Economic Perspectives
how indelibly burned into your psyche is the concept
"I will not be crossing that line!" because of the example they have made, and continue to make, of this individual.
That's true. They have proven, beyond the shadow of a doubt, that working for them is fucking stupid.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The solution to that is to:
a) have more than one admin with access to passwords
b) not to act like a jerk to the admins you currently have
c) put a firm stop to people who try and take complete control of a system "for its own good"
Make no mistake, the City of SF is responsible for their own issues.
Still, Childs was just plain stupid. He should have:
a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
b) failing that, immediately given any and all passwords up
c) written a letter to the city or a newspaper, if he wanted to complain about the city, like any other citizen, instead of trying to be a martyr.
$1.5m is a little steep, I was leaning more towards a month or two in jail for being a dumbass, which would be time served. It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
Why is he not simply given jail time? I could understand being charged this amount if he stole something or benefited financially from this, but the only crime he committed was possibly being arrogant and holding the network hostage. If the state wants to punish him, then they should put him behind bars for a few months and possibly get some of the politicians to join him.
Jumpstart the tartan drive.
call it whatever you want, but I believe his motive for holding the pwd was reasonable: he was protecting the integrity of the system because he was surrounded by incompetence. case in point:
in April, during a fire, emergency system crashed. they couldn't bring it back up because nobody had the password. 50 people lost their apartments.
http://my.firefighternation.com/forum/topics/review-finds-san-franciscos
emergency services responds with: "That's what we have pencils and paper for."
Childs didn't have the same password, but he's obviously surrounded by incompetence - all systems are managed by the same IT dept. Childs had the pwd to the mainframe.. that kind of access should be guarded, but the password they needed for emergency services was for the god damn internet - that one should be written down in the "how to bring the system back up" documentation.
so slashdotters... what would your CIO say if you respond with "that's what we have pencils and paper for" when a mission critical system crashes and you can't restore service because you don't know what to type after your ID?
Exactly what i said, anyway i do agree with your comment. The fact is that he was punished for his social skills, which is simply not fair.
Absolutely wrong. There was no policy other than Childs' unilateral decision. This is the same supervisor who a week before Childs had provided account passwords. This seems to be Childs' problem; as well as the problem of a lot of his defenders on slashdot.
It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security serious enough, who was that? Oh yeah, the security folk at Boston Logan International.
And how about this guy from last month:
http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/
I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.
Who really deserves a $1.5mil fine? And will that party ever pay? Regardless of your answer to the first question, the answer to the second question will always be no.
I8-D
Oh bullshit. He was part of the incompetence. At what point do we admit that Mr. Childs was just as irresponsible for neglecting to create an appropriate backup and contingency plan for outages, disaster recovery, etc. that allowed for someone else to get access to the passwords?
Where I'm sitting, any sysadmin with half a brain knows that a single point of failure is a no-no. Let's not pretend he was some white knight, if there were no adequate plans for password access in place, then he's just as incompetent as his managers were. Only difference is, he was incompetent, and broke the law in the process, by refusing to turn over the password to his management chain when he was reassigned and holding the network he was "protecting" hostage.
I wouldn't hire you, or use your company's services. Anyone who thinks hiring a violent felon who committed a crime while on duty shows a total lack of judgement.
I'm sure this two-time loser will be back in jail a third time...
How is fathering a child out of wedlock a crime? Maybe it needs to be -- after all, we have weirder laws on the books.
However; here's some REAL CRIME that no one is interested in prosecuting:
With a gun you can rob a bank, with a bank you can rob the world. When a person robs a bank, they should go to jail, but what about when the banks rob people?
- Joseph Cassano – the former head of AIG's financial products unit. Under his watch the company amassed massive amounts of risk that led to the biggest bailout in U.S. history. There's very little chance of Cassano facing time, however; Federal prosecutors recently dropped their investigation against him.
- Dick Fuld & Joe Gregory – Lehman Brothers CEO and COO who watched their house of cards come tumbling down, bringing the global financial system to the edge of the collapse.
- Angelo Mozilo – The Countrywide CEO helped fuel the subprime madness. His company's lack of due diligence is a prime reason for the foreclosure problem. Mozilo also co-founded IndyMac, the large California bank that was seized by the FDIC in July 2008.
- Stanley O'Neal – the former Merrill Lynch CEO pushed the firm to aggressively market and trade CDOs. O'Neal left with the firm on the brink of collapse before Bank of America purchased it. For all his good work, O'Neal was fired but left with a golden parachute and options valued at $161.5 million at the time.
- Fabrice "Fabulous Fab" Tourre & John Paulson – the banker and hedge fund manager at the center of the SEC's criminal fraud complaint against Goldman Sachs. People need to know the Goldman's of the world don't have politicians in their pockets and that the American markets are a safe place to put your money.
- The C level executives from the rating companies Moody's, S&P and Fitch that gave the highest ratings, investment grade - triple A, to all the worthless sub-prime CDO's, SIV's, MBS's. It was their ratings of these worthless pieces of paper that encouraged investors to purchase them and subsequently lose everything. This is out and out fraud!
During the S&L scandal of the 1980s over 1,000 people went to jail. To date only Ralph Cioffi and Matthew Tannin, two Bear Stearns hedge fund managers, have even gone on trial. Both were acquitted. I urge all Americans to write their Senator and ask them why these miscreants have not been charged. They did just as much damage to the American economy as the Taliban and the Mafia, it's time they are put on trial!
Nothing done about banks, nothing done about oil spill, nothing done to withdraw troops, nothing done to reduce deficit, so far nothing done to reduce healthcare. Man I see a whole lot of nothing getting done in D.C.
But this dude has to pay 1.5 Million and spend 4 years in jail over a few passwords? Give me a break, obviously, when you OWN the country, as the rich do, you can get away with anything - hell, you can bankrupt the country, set it on fire, and we'll give you MORE money rather than throw you in jail.
What a crock. There's no real justice here.
If telephones are outlawed, then only outlaws will have telephones.
part of it? how?
he's in fucking jail yet the administrators still can't login to the web?
SPOF? what if he was the only person QUALIFIED to run the system.. ?
http://news.oreilly.com/2008/07/coverage-of-terry-childs.html
You sir, (or madam, however unlikely), would be a strong candidate to work on my team.
In fact, I'm going to add Terry Childs questions to my IT interviewing process...
This -- "efforts in trying to regain control over the FiberWAN network and later test it" -- does not cost $1.5 million dollars.
What part of making equipment completely inaccessible to your *authorized* colleagues is a good security practice? By that reasoning, I could make all planes safe from terrorism by never letting anyone but the pilot on the plane.
His issue wasn't security, it was control. He didn't want his FiberWAN blemished by the incompetents that he worked with, so he effected a denial of access to critical maintenance controls. Sure, he locked out the block heads, but he also locked out everyone else too. I don't care what his skills were, I wouldn't have this guy work for me for free.
If he wanted to build a perfect little dollhouse for himself, he should have done it with his own equipment on his own time. He made himself into an irreplaceable single point of failure, which is pretty much the worst thing you can do to make your network safe in the long run. Sure, it may run perfectly, until you get hit by a bus, or get fired for completely lacking in social skills. Then, no one can run it without ripping out most of your configurations so they can do simple maintenance.
The only disturbing thing I am getting from this whole fiasco is that there are people who believe that holding a network hostage is the best way to achieve their goals. If you are employed to operate equipment, it is your job to operate the equipment, not to effect a coup.
Part of the problem is that the level of Security of a System is inverse to its level of Accessibility.
The more people can access systems and the more they can do with them, the less secure they can become.
The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.
I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).
Seems you are unfamiliar with the concept of sarcasm.
As said before, you guys really should learn about the concept of sarcasm.
Once his Management asks him for the Passwords, even if he is the "only one QUALIFIED to run the system", then he needed to turn those passwords over.
He can do it "under protest", he can ask them to provide a signed request for them, but what he can't do is say "No, You don't know what you're doing so I'll protect you" EVEN IF HE'S RIGHT.
His job in that situation is to make them aware of the risks, and then to do what they want done.
Their job is to hear his issues, and then make a decision to either listen to his requests/warnings, hire outside help, or just plunge ahead and deal with the consequences later.
GEEEZ! SARCASM, ANYONE? Remember that concept? I think it still appears in a dictionary!
By neglecting to build a failsafe into the systems he administered, allowing other people to gain access in case he were sacked or incapacitated. The old "hit by a bus" rule. He had EVERY responsibility, obligation, and freedom to set up such a system, and he opted not to. That makes him, at best, an incompetent admin, no matter how gifted he is with configuring and troubleshooting the boxes.
Then you implement a failsafe so that if you are incapacitated, or terminate your employment, your employer is not fucked, and can hire another admin to come in and take over using the carefully & securely documented passwords & critical information you've written down to start from. This is EVEN MORE important if you are a SPOF. People have heart attacks. People get in car accidents. People get laid off, outsourced, or simply get fed up and decide to quit their job. If you are a competent professional, you plan for these things and don't take your systems hostage. If you are incompetent, you keep it all in your head and try to ransom access when you feel slighted.
He had nothing to do with the issue detailed in the link you provided, and I never said he was the ONLY incompetent in the city's employ. I said he was PART of the incompetence, and he was. I'm a SPOF in my role; I did two things when I realized this:
1) Spent a week documenting critical processes, passwords, and systems; handed the ~20 pages of documentation to my boss in a sealed envelope, and told him, "In case you fire me, or I get hit by a bus, this is the critical information somebody would need to keep things running here. Please lock it up in one of your filing cabinets for safekeeping." I also provide him with an updated printout (new passwords, system config changes, hardware changes, etc) at the beginning of each month, and ask him to destroy the old one and replace it with the new. It's not ideal, but it provides some level of coverage.
2) Spent a couple months badgering every manager in my division to identify people who they would agree to let me cross-train so they could do at least the basics of my role while they found a replacement for me if I ever left / was incapacitated. I now have two guys trained in the simple "day to day" stuff, which means I can also take a goddamned vacation without having to be plugged into the network constantly.
This "I'm the only one QUALIFIED" to run the system is nonsense, and you know it. He's not the only guy who could possibly hope to understand his network config, and sooner or later, he'll quit, retire, get laid off or fired, or move on - and somebody will need to replace him. Part of his job while he's there is to think to the future and document things clearly in light of that fact.
I believe there is no need for a password if one has simple physical access to a Cisco router. I was doing this as part of CCNA training around the time this was going down.
You know, the group of 4Channers who mete out vigilante justice as they see fit?
But I think gman003 was more talking about media. There are like 5 superhero movies coming out this year. Virtually all of them are vigilantes (although having seen Thor, the current #1 movie, it's not actually a vigilante movie).
http://lkml.org/lkml/2005/8/20/95
Yeah, because what he did was exactly the same as killing people or stealing from half the country.
"Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
"By neglecting to build a failsafe into the systems he administered, allowing other people to gain access in case he were sacked or incapacitated. The old "hit by a bus" rule. He had EVERY responsibility, obligation, and freedom to set up such a system, and he opted not to. That makes him, at best, an incompetent admin, no matter how gifted he is with configuring and troubleshooting the boxes." ..and THREE YEARS LATER, they still have a SPOF - that fire was LAST MONTH. nobody fixed the problem.. one would think that after an incident like this, they would have modified procedures - incompetence persits.
It's interesting in a sociological way. The evidence I knew of for Reiser was insufficient to show that a murder had been committed, let alone that he did it. Presumably, there was more evidence at the trial. Since then, I seem to remember a bargain for better treatment in exchange for locating his wife's body. With Childs, what came out at first seemed to show he was a victim, not a criminal. More recently, a Slashdotter who was on the trial and knew his stuff explained what really went on. Currently, Julian Assange is accused of rape. He may or may not be guilty, but the facts given on Slashdot are not entirely consistent with the treatment he's been getting. In all these cases (well, not Assange yet), there were a sizable number of Slashdot comments that went with the early, incomplete, and slanted version of the facts only.
Possibly more interesting is the case of the test iPhone 4. The "journalist" quite clearly paid $5K for property that didn't belong to the seller, which is a felony under California law, and then blogged about it. Police investigation of a felony that was not only self-proclaimed but known all over was attributed to Apple influencing the law enforcement system to their own ends. Many commenters blithely assumed that the blog post that described the felony in detail was entirely truthful in other ways, such as how the iPhone 4 was left at the bar.
There is no group mind on Slashdot, but a lot of Slashdotters seem to twist facts and assumptions to point to what they want to believe. I wouldn't want them debugging or testing software.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Eh, you can't garnish every single penny someone has. He'll have this over his head for the rest of his life but it doesn't necessarily mean he'll be homeless.
This is really pointless. They should just order him to pay a hundredrytrillionbajillion dollars, because if the judge wants to dream, he should dream big. Unless he made some amazing investments twenty years ago, there is no way he will ever be able to pay that. Moreover, it is really easy to get a visa to live in another country with IT skills. He should just pick up and leave and send the judge a 'fuck you' postcard from France.
Granted he was kind of a dick in the way he handled things, but every aspect of this court case screams of excess. Sticking around to appeal this sentence is just asking for another undeserved ass-kicking.
HA! I just wasted some of your bandwidth with a frivolous sig!
If he was "no longer a system[s] administrator" then there was no business talking to him about passwords, etc. In fact, it was an additional sysadmin duty that was being requested of him: to work with them in a way they directed regarding password maintenance.
It is that refusal to engage in additional duties, due to a belief that they were professionally inappropriate, that he is being accused and found guilty of.
I consider what he did to be at least half correct, though he handled it in an impolite way. In any case it is clearly within the normal range of views that sysadmins have, that such passwords would never be given out and that a new sysadmin would be issued a new password.
If they're not already authorized enough to have passwords, and you no longer work there, how can you have any formal belief that they are in fact authorized?
And... what's your point? The two are completely unrelated situations, aside from happening "in the same city." That they replaced one incompetent admin with another incompetent admin doesn't mean that the first incompetent admin is somehow innocent of attempting to hold the city's infrastructure hostage.
Your assertion was that somehow withholding the password was a sign of his competence, such that he was refusing to turn it over to incompetent people. Yet the fact that he built no failsafe indicates that he is - at best - incompetent, and at worst downright malicious. He was not a white knight. He fucked up, and then he made the situation worse by digging in his heels, instead of simply pointing them to his failsafe and saying, "Go ahead and use the passwords, they're clearly documented."
Funny how many people say this but when challenged on it, fail to come up with what "crime" he would have committed by giving the passwords to his supervisor. I'll ask you, but of course you're not going to answer it.
No, it wouldn't be.
"The evidence I knew of for Reiser was insufficient to show that a murder had been committed, let alone that he did it."
Really? He was the last to see her alive. Conveniently after she disappeared his seat goes missing, he's washing out his car and blood stains are found inside her car. He was also found to have recently purchased a book about how to get away with murder. That's an awful lot of coincidences to ignore. Contrast this to the wild conspiracy theories involving the Russian Mafia, trying to pin it on other people who were found to be unable to have committed the crime and just generally trying to smear Nina in order to get himself out of paying for his crime. I'm sorry, but the only ones who had "insufficient evidence" were the Reiser team and his legions of nerd defenders.
"Since then, I seem to remember a bargain for better treatment in exchange for locating his wife's body."
Yes, the defense made the bargain after he was already convicted on the first degree murder charge. In exchange for showing where the body was the prosecution was willing to let him plea to 2nd degree murder instead of the first degree murder charge he was convicted of. This bargain didn't come about because the prosecution was losing the case because they had already achieved the conviction. It was done purely to stave off the possibility of receiving the death penalty due to the first degree murder conviction.
"There is no group mind on Slashdot, but a lot of Slashdotters seem to twist facts and assumptions to point to what they want to believe."
Yes and it was disgusting. I remember reading about people calling Nina a whore and badmouthing her to no end and even after her body was found there were still nerds who were claiming she deserved it, etc. And all the woman did was have the "audacity" to leave the marriage she had with an emotionally abusive asshole.
Still, Childs was just plain stupid. He should have:
a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
Saying you can't remember. Saying you can't recall.
That will land you in the county lock-up until hell freezes over or your memory improves. Whichever comes first.
The geek should never tell a lie because he is no damn good at it.
Not really.
Using ftp smells like using scp/sftp, but the level of security is increased by encrypting traffic. Calling that diminished accessibility implies that a regular user *needed* to sniff traffic to use FTP in its intended fashion, which is absurd.
Ditto (by degrees) randomization of packet counter increments, antispoofing, switched networks vs hubs, dedicated encrypted tunnels for untrusted-network communication, logging, log-monitoring, IPS/IDS, SIEM, SSL, proxies, scanning, pentests, smart cards, active directory, SSO, group policy, disabling unused services and nearly every other security best practice. Some diminish accessibility, but seldom significantly. Some stop nonwork activity, which is unpopular but prudent. And *many* are transparent or irrelevant to the user's work-related needs.
As for TFA, I've avoided researching the issue, but am I right that neither side seems to believe Childs had criminal intent? That'd make me think he hardly deserves a million-dollar penalty.
on how gullible the hiring managers are. When your boss gives you a legal order, you do it or quit. And when fired for not doing this, it is no longer your job, and you have no right to keep the passwords. Self-important delusions of adequacy do not mean that the network is your own personal plaything. No self-respecting manager would ever hire this idiot, and I would fire any of our managers that did.
This is the Slashdot homepage of the juror on the case who posted heavily in the Slashdot thread about the verdict in the criminal trial of Terry Childs.
A call to the HR department to verify their position? Failing that, when the cops showed up at the door, he would have realized that they were authorized.
The only reason they were not "authorized" enough to have the passwords is that he built the configurations, with the passwords, and didn't give them to anyone else, even when requested.
Online sarcasm was deprecated in 1987.
So, management had no responsibility to follow any government procedures in place? Don't even try that shit with me. If I interfaced with his manager and found out any of the issues were going on I would have the manager fired for negligence. But, of course, managers who have ONE NETWORK ADMIN for the WHOLE CITY OF SAN FRANCISCO aren't apparently culpable.
You included stuff from El Salvador, Colombia, Thailand, India, Mexico, England, Ireland and some loopy environmental groups; I probably missed some.
So half that list isn't US, many aren't even violent, so we're down to one or two nutters every decade in a country of 300 million.
And most people have never even *heard* of these people. Conclusion: no obsession.
The police aren't even part of the same department! How would they even know? And how would they certify it? There is no mechanism.
And in fact they did NOT hire somebody authorized, as you imply he could have been verifying. He was refusing to give it to an unqualified manager. The sort of person who might post it on a sticky note. And if he doesn't work there anymore, why should he spend time to make phone calls for free and verify stuff that doesn't matter to him anymore anyways? When they fire him he doesn't revert to some sort of indentured status... oh wait, he's in jail, he did!
He was actually following the terms of his contract to the letter. AFAIK he was required to not give the admin passwords to anyone, even his boss. I think there's some grey area but it was clear that his acts were not simply malignant or illegal. IANAL, but isn't that reasonable double?
Oops, that should have read reasonable doubt.
Here's an interesting article on the case which sheds more light on why they convicted him.
http://www.pcworld.com/article/195198/terry_childs_juror_explains_why_he_voted_to_convict.html