Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M
0WaitState writes "'A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
We will make an example out of you, who cares about justice?
... who had exposed hundreds of LIVE login/passwords to city administration system as 'proof', endangering the public system and the private information of citizens and even more, will pay?
nothing? i guessed as much. it's all ok if you are a moron at the helm of a company or a public office. no really - i am much more polite and eloquent than what wordage you read here, but, i am at a loss to find any word other than moron for publicly exposing hundreds of live login/passwords in a public court. really. morons.
it appears terry childs was right.
Read radical news here
That explains why American culture is so obsessed with vigilante justice - the actual judicial system is fucking retarded.
Terry Childs made some mistakes. I think the restitution for damages is more justified than the criminal punishment he got.
CU, Martin
I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.
/. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?
Like I said, a
Finally had enough. Come see us over at https://soylentnews.org/
I just RTFA. It says the money is to
repay the city for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities. City officials had been worried that Childs, who helped set up the network but clashed with his supervisors, might try to sabotage it.
Mind, he already spent 2 years in custody and was convicted to 4 years of jail.
At first I thought the citizens were going to have to pay for the cleanup and fixing of all the problems, along with the trial and all that. Now that I know this criminal with no job prospects will be paying the $1.5M I can sleep better at night.
My personal ideas about job integrity end at or a little before the threat of getting arrested so I could argue I don't think what he did was wise (I would've made the guy wanting the passwords put it in writing and then quietly laughed when they broke things), but I don't think the punishment fits the crime at all. Why is there never a middle ground in the justice system between ruining someone's life and letting them go free?
And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down.
He did not care about security other than his own job security. He was one of 'those' types of IT people. You know the ones I mean -- they think "job security" means keeping all the secrets locked away so that only he can fix things when they are broken. Furthermore, they tend to behave as if they own the networks and servers they maintain and they tend to hide their limitations of knowledge and experience from others as well as being unwilling to share what little knowledge they actually have. There might have been a time when that was common enough to be acceptable, but today's business and government leaders see through this.
Good riddance to bad rubbish. "Vendor lock-in" is evil regardless of who practices it.
so I looked myself and found this article
http://sfappeal.com/news/2011/05/sf-network-engineer-convicted-of-witholding-passwords-ordered-to-pay-15-million-restitution.php
"No city services were ever affected, but officials said they could have been crippled if power had somehow been shut off.
A jury convicted Childs in April 2010 of a computer tampering-related charge, and today San Francisco Superior Court Judge Teri Jackson ordered him to pay $1,485,791 in restitution to the Department of Technology,"
he's paying it to the department of technology, not justice.. so... no...
every day http://en.wikipedia.org/wiki/Special:Random
The problem isn't that we're defending him. Most people on Slashdot think he's an idiot and a criminal. The problem is the $1.5 million fine. That's around 20 years of his salary (at a comfortable $75k/yr). It's not a matter of whether or not he's guilty or deserves punishment, it's a matter of letting the punishment fit the crime. That pesky eighth amendment that mentions no excessive fines.
That scratching sound is onda technology getting added to the "don't use" list all around the world.
"...unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
What exactly is being insinuated here? That it's the City's fault that Childs decided to commit a crime?
Sorry, pal, it doesn't work that way. Yes, the city has a lot of work to do to clean up its IT policies, but that has no bearing whatsoever on Childs' decision to commit a criminal act.
"Ask not what your country can do for you." --John F. Kennedy
Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though.
A firing for unprofessional conduct: sure.
A $1.5M fine? This just adds to the farce.
I'm sure the head of the IMF will get a fair trial.
He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail.
They have been tried in the media but not put in jail.
Mr. Childs clashed with the new Security Manager on the subject of authentication and control, which led to poor formal review.
Sorting out fact from fiction in the Terry Childs case
An IT guy on a power trip acted like a prick and that resulted in serious consequences. Let's see what the slashdot community thinks. ;)
This might as well be a story about getting arrested for living in mom's basement.
he's paying the price for embarrassing the powerful?
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
yes, withhold passwords on a network resulting in no measurable loss, get 20yrs of income as fine. Damage and destroy an ecosystem causing loss of animal life and depressing an entire area economically; get fines that amount to about 7~mos of income. That's called justice.
If you think imaginary property and real property are the same, when does your house become public domain?
You are missing the point, next time, he, or any other sysadmin, when he faces the termination letter, he/she will follow the law to the letter. Which could mean that he could "forget" to inform you about some tricky passwords, terminals, systems, etc., and when YOUR system crashes, you could blame only YOURSELF, not the already terminated sysadmin that gave you "all the passwords", and who did not try to protect the public. You understand me? The difference between protecting yourself and the public? If not, go find this article about the hacked PSN hundreds of millions of stolen accounts.
The solution to that is to:
a) have more than one admin with access to passwords
b) not to act like a jerk to the admins you currently have
c) put a firm stop to people who try and take complete control of a system "for its own good"
Make no mistake, the City of SF is responsible for their own issues.
Still, Childs was just plain stupid. He should have:
a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
b) failing that, immediately given any and all passwords up
c) written a letter to the city or a newspaper, if he wanted to complain about the city, like any other citizen, instead of trying to be a martyr.
$1.5m is a little steep, I was leaning more towards a month or two in jail for being a dumbass, which would be time served. It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
The punishment for not doing your job or doing it wrong by violating procedures or otherwise is getting fired. He was fired, that's plenty of punishment.
Anything else they are adding on top of it is a violation of his 8th amendment protections, any competent lawyer should get these extra penalties overturned.
HTML is obsolete. It's time for a new, simpler and richer markup language.
It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security seriously enough, who was that? Oh yeah, the security folk at Boston Logan International.
And how about this guy from last month:
http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/
I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.
Oh bullshit. He was part of the incompetence. At what point do we admit that Mr. Childs was just as irresponsible for neglecting to create an appropriate backup and contingency plan for outages, disaster recovery, etc. that allowed for someone else to get access to the passwords?
Where I'm sitting, any sysadmin with half a brain knows that a single point of failure is a no-no. Let's not pretend he was some white knight, if there were no adequate plans for password access in place, then he's just as incompetent as his managers were. Only difference is, he was incompetent, and broke the law in the process, by refusing to turn over the password to his management chain when he was reassigned and holding the network he was "protecting" hostage.
Part of the problem is that the level of Security of a System is inverse to its level of Accessibility.
The more people can access systems and the more they can do with them, the less secure they can become.
The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.
I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.