Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M
0WaitState writes "'A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
We will make an example out of you, who cares about justice?
... who had exposed hundreds of LIVE login/passwords to city administration system as 'proof', endangering the public system and the private information of citizens and even more, will pay?
nothing? i guessed as much. it's all ok if you are a moron at the helm of a company or a public office. no really - i am much more polite and eloquent than what wordage you read here, but, i am at a loss to find any word other than moron for publicly exposing hundreds of live login/passwords in a public court. really. morons.
it appears terry childs was right.
Read radical news here
That explains why American culture is so obsessed with vigilante justice - the actual judicial system is fucking retarded.
Terry Childs made some mistakes. I think the restitution for damages is more justified than the criminal punishment he got.
CU, Martin
I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.
/. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?
Like I said, a
Finally had enough. Come see us over at https://soylentnews.org/
I just RTFA. It says the money is to
repay the city for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities. City officials had been worried that Childs, who helped set up the network but clashed with his supervisors, might try to sabotage it.
Mind, he already spent 2 years in custody and was convicted to 4 years of jail.
"it is difficult to understand how they came up in $1.5 million in costs" If you read the article..."Prosecutors had sought the money from Terry Childs, a former Department of Technology network engineer, to repay The City for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities."
At first I thought the citizens were going to have to pay for the cleanup and fixing of all the problems, along with the trial and all that. Now that I know this criminal with no job prospects will be paying the $1.5M I can sleep better at night.
My personal ideas about job integrity end at or a little before the threat of getting arrested so I could argue I don't think what he did was wise (I would've made the guy wanting the passwords put it in writing and then quietly laughed when they broke things), but I don't think the punishment fits the crime at all. Why is there never a middle ground in the justice system between ruining someone's life and letting them go free?
And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down.
From TFS:
"it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
Come on, we shouldn't be defending this guy otherwise we're no better than the corrupt politicians that occasionally crop up on /. stories.
We all know he was in charge of much of the city's network infrastructure and that ultimately the city dealt with him and his role rather badly - that's not particularly unusual in the public sector anywhere in the world. What's important is how he reacted to it. From what I've heard, his reaction was to say "Fine, if that's going to be your attitude I'll take the passwords to my network and go home!" like a petulant child. But it wasn't his network to take - and I don't believe the arguments that to hand over access to someone unqualified would have put him in greater trouble than refusal to. Faced with an enemy with so many more resources, the sensible thing to do would be to negotiate a way out of any possible repercussions instead of throwing a tantrum.
He did not care about security other than his own job security. He was one of 'those' types of IT people. You know the ones I mean -- they think "job security" means keeping all the secrets locked away so that only he can fix things when they are broken. Furthermore, they tend to behave as if they own the networks and servers they maintain and they tend to hide their limitations of knowledge and experience from others as well as being unwilling to share what little knowledge they actually have. There might have been a time when that was common enough to be acceptable, but today's business and government leaders see through this.
Good riddance to bad rubbish. "Vendor lock-in" is evil regardless of who practices it.
Certainly the management of San Francisco has some responsibility for what happened.
However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.
The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining control of the systems while Childs refused to cooperate. Those attempts cost some money, and that's money that would otherwise be billed to taxpayers.
Why should I feel that Childs is being treated unfairly? He had to know that if he fought those in power, they would find a way to take him down.
so I looked myself and found this article
http://sfappeal.com/news/2011/05/sf-network-engineer-convicted-of-witholding-passwords-ordered-to-pay-15-million-restitution.php
"No city services were ever affected, but officials said they could have been crippled if power had somehow been shut off.
A jury convicted Childs in April 2010 of a computer tampering-related charge, and today San Francisco Superior Court Judge Teri Jackson ordered him to pay $1,485,791 in restitution to the Department of Technology,"
he's paying it to the department of technology, not justice.. so... no...
every day http://en.wikipedia.org/wiki/Special:Random
That scratching sound is onda technology getting added to the "don't use" list all around the world.
Lesson learned?
A better punishment would have been to make him perform community service where he has to work for free for a certain number of hours fixing people's networks and eliminating THEIR downtime. That might have been a better solution.
He who knows best knows how little he knows. - Thomas Jefferson
"it is difficult to understand how they came up in $1.5 million in costs"
Asshole tax?
"...unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
What exactly is being insinuated here? That it's the City's fault that Childs decided to commit a crime?
Sorry, pal, it doesn't work that way. Yes, the city has a lot of work to do to clean up its IT policies, but that has no bearing whatsoever on Childs' decision to commit a criminal act.
"Ask not what your country can do for you." --John F. Kennedy
Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though.
A firing for unprofessional conduct: sure.
A $1.5M fine? This just adds to the farce.
I'm sure the head of the IMF will get a fair trial.
He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail.
They have been tried in the media but not put in jail.
Mr. Childs clashed with the new Security Manager on the subject of authentication and control, which led to poor formal review.
Sorting out fact from fiction in the Terry Childs case
An IT guy on a power trip acted like a prick and that resulted in serious consequences. Let's see what the slashdot community thinks. ;)
This might as well be a story about getting arrested for living in mom's basement.
he's paying the price for embarrassing the powerful?
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
the network he set up kept running even with him away from it
Actually, it wouldn't. It was specifically designed to fail if he wasn't around and *anything* went wrong. The configs all wiped themselves on boot, and he had the only encrypted backups of them. He also was the only person with the admin passwords and refused to relinquish them to anyone.
I'd be curious how many CCIEs (Cisco Certified Internetwork Engineers) you know. Now, my company helps network engineers around the world win their certifications, so I've had to deal with a lot of both CCIEs and wanna-bes. Also, the CCIE community was very, Very, VERY interested in this whole affair, because -- of the ones I talked with -- they thought that Mr. Childs did the right thing by keeping the keys to the network close to the vest. You may be right, erroneus, that Mr. Childs acted out of selfish motivations. From the views expressed by others more knowledgeable than myself, though, by keeping everything tight he avoided any untoward and destabilizing meddling.
Could he have done better? Sure he could. For example, if he properly backed up all configuration files from the routers and Etherswitches in a separate computer, he could have given the security auditor those configs and the other guy could have worked from those. You don't need direct access to the vast majority of the equipment to perform a security audit. Mr. Childs could also have provided logs, logs he should have been keeping anyway, for the auditor to examine. From that review, the auditor could then suggest improvements, and Mr. Childs could have made those improvements.
No, it wasn't because there was a "problem"...other than a problem with a control freak who valued personal power over what was good for the City of San Francisco. Unfortunately, that attitude is rampant with our alleged "public servants", which is why things escalated the way they did.
Put more bluntly, mistakes were made on both sides of the argument. Terry Childs has to pay not only for his mistakes, but the mistakes of others. Mistakes that were worse than those made by Mr. Childs. And more costly.
Being a geek is no license to behave like an egotistical, entitled little princess or a common criminal. Too many geeks think because they work with teh technology, that normal rules and niceties don't apply to them.
What this guy did was criminal damage, and by rights, he probably should have served time. I've seen people getting done for much less.
He is paying the price of trying to be a decent sysadmin. Next time he will not try to be the nice guy, and then there will be a real disruption of service, and no one to blame of course.
He is paying the price of trying to be a decent sysadmin. Next time he will not try to be the nice guy,
No. He, once his employment was terminated, WAS NO LONGER A SYSTEM ADMINISTRATOR. As much as you might feel like the network and servers are your "baby", you don't own them. You work for the owner. You cannot legally lock them out of it.
As to "next time", trust me - this guy has made himself unemployable in the IT sector for life. The worst anyone has to worry about for a "next time" from him is whether or not he spits on the burgers.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
That hardware toggle wouldn't work in this case. The confs weren't saved to nvram. To use that toggle you have to reload first, which would toss the conf as you don't have access to write mem first.
You are missing the point, next time, he, or any other sysadmin, when he faces the termination letter, he/she will follow the law to the letter. Which could mean that he could "forget" to inform you about some tricky passwords, terminals, systems, etc., and when YOUR system crashes, you could blame only YOURSELF, not the already terminated sysadmin that gave you "all the passwords", and who did not try to protect the public. You understand me? The difference between protecting yourself and the public? If not, go find this article about the hacked PSN hundreds of millions of stolen accounts.
Another case why we need unionization of IT workers. The National ACM will be a good start of leading the movement.
New Economic Perspectives
The solution to that is to:
a) have more than one admin with access to passwords
b) not to act like a jerk to the admins you currently have
c) put a firm stop to people who try and take complete control of a system "for its own good"
Make no mistake, the City of SF is responsible for their own issues.
Still, Childs was just plain stupid. He should have:
a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
b) failing that, immediately given any and all passwords up
c) written a letter to the city or a newspaper, if he wanted to complain about the city, like any other citizen, instead of trying to be a martyr.
$1.5m is a little steep, I was leaning more towards a month or two in jail for being a dumbass, which would be time served. It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
Why is he not simply given jail time? I could understand being charged this amount if he stole something or benefited financially from this, but the only crime he committed was possibly being arrogant and holding the network hostage. If the state wants to punish him, then they should put him behind bars for a few months and possibly get some of the politicians to join him.
Jumpstart the tartan drive.
call it whatever you want, but I believe his motive for holding the pwd was reasonable: he was protecting the integrity of the system because he was surrounded by incompetence. case in point:
in April, during a fire, emergency system crashed. they couldn't bring it back up because nobody had the password. 50 people lost their apartments.
http://my.firefighternation.com/forum/topics/review-finds-san-franciscos
emergency services responds with: "That's what we have pencils and paper for."
Childs didn't have the same password, but he's obviously surrounded by incompetence - all systems are managed by the same IT dept. Childs had the pwd to the mainframe.. that kind of access should be guarded, but the password they needed for emergency services was for the god damn internet - that one should be written down in the "how to bring the system back up" documentation.
so slashdotters... what would your CIO say if you respond with "that's what we have pencils and paper for" when a mission critical system crashes and you can't restore service because you don't know what to type after your ID?
The punishment for not doing your job or doing it wrong by violating procedures or otherwise is getting fired. He was fired, that's plenty of punishment.
Anything else they are adding on top of it is a violation of his 8th amendment protections, any competent lawyer should get these extra penalties overturned.
HTML is obsolete. It's time for a new, simpler and richer markup language.
it is possible to make password recovery much harder if not impossible on cisco devices, it is advised against of course in all but the most security paranoid installations where physical access may be a problem.
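Added example, not part of any poster's comment: a small audit that flags the three conditions raised in this thread (password recovery disabled, configuration that exists only in RAM and is lost on reload, and a single privileged account). The device captures are constructed, the finding codes are hypothetical names, and treating `aaa new-model` as evidence of centrally managed admin accounts is an assumption.

```python
import re

# Constructed sample captures (not from the FiberWAN case): text as it might be
# collected with "show running-config" and "show startup-config".
RUNNING = """\
hostname core-sw1
no service password-recovery
username netadmin privilege 15 secret 5 $1$constructed$hash
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
"""
STARTUP_EMPTY = "startup-config is not present\n"

ADMIN_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.M)
VOLATILE = ("Building configuration", "Current configuration", "Using ")


def normalize(cfg):
    """Drop blank lines, '!' comments and volatile header lines before comparing."""
    keep = []
    for line in cfg.splitlines():
        s = line.rstrip()
        if not s or s.startswith("!") or s.startswith(VOLATILE):
            continue
        keep.append(s)
    return keep


def audit(running, startup):
    """Return a sorted list of finding codes (hypothetical names) for one device."""
    findings = set()
    run = normalize(running)
    start = normalize(startup or "")
    # Break-glass recovery from the console has been switched off.
    if "no service password-recovery" in run:
        findings.add("PASSWORD_RECOVERY_DISABLED")
    # Nothing in NVRAM: a reload or power loss discards the configuration.
    if not start or start == ["startup-config is not present"]:
        findings.add("NO_SAVED_CONFIG")
    elif start != run:
        findings.add("UNSAVED_CHANGES")
    # Assumption: without AAA, local privilege-15 users are the only admins.
    admins = set(ADMIN_RE.findall(running))
    uses_aaa = any(line.startswith("aaa new-model") for line in run)
    if len(admins) <= 1 and not uses_aaa:
        findings.add("SINGLE_LOCAL_ADMIN")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(RUNNING, STARTUP_EMPTY))
```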
It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security seriously enough, who was that? Oh yeah, the security folk at Boston Logan International.
And how about this guy from last month:
http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/
I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.
Oh bullshit. He was part of the incompetence. At what point do we admit that Mr. Childs was just as irresponsible for neglecting to create an appropriate backup and contingency plan for outages, disaster recovery, etc. that allowed for someone else to get access to the passwords?
Where I'm sitting, any sysadmin with half a brain knows that a single point of failure is a no-no. Let's not pretend he was some white knight, if there were no adequate plans for password access in place, then he's just as incompetent as his managers were. Only difference is, he was incompetent, and broke the law in the process, by refusing to turn over the password to his management chain when he was reassigned and holding the network he was "protecting" hostage.
part of it? how?
he's in fucking jail yet the administrators still can't login to the web?
SPOF? what if he was the only person QUALIFIED to run the system.. ?
http://news.oreilly.com/2008/07/coverage-of-terry-childs.html
Part of the problem is that the level of Security of a System is inverse to its level of Accessibility.
The more people can access systems and the more they can do with them, the less secure they can become.
The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.
I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.