I find it odd that folks are making this guy a martyr and gushing about his professionalism, while the warrant shows that he threatened the manager over security to the point where she locked herself in a room and had to wait for him to leave. He was camped by the office front door and wouldn't leave while she was there. When he was arrested, he had $10,000 in cash, and a loaded 9mm gun, as well as various hardware from his office.
He put all of the city services at risk for his stunt. If they had a failure, the city would have been unable to respond, and some 300 odd city services that rely on the network would have been endangered. He failed to follow proper procedure, he had no DR plans in place. He also accessed city hardware after his termination.
In the 11 days that he was suspended from July 10th to July 21st, he made no attempts to contact the mayor or anyone else. Apparently he didn't think anyone in the city was qualified to work on 'his' network until they threw him in jail. He cost the city hundreds of thousands of dollars while they tried to regain control of their network.
To add icing to the cake, they found on his computer, pages and pages of usernames and passwords.
This guy was not a professional. He was creepy and a little too in love with his 'precious'.
According to the affidavit, he was asked for the password by the General Security Manager, and the Directory of Security. Both were authorized to request that information. It's stated directly in the password policy that if someone asks for a password, that the employee is to contact Security (who also published the policy btw).
No where in the password policy does it even mention the mayor. I find it amusing that people on here are running with that. The mayor came into it because according to a quote from Childs, he "felt the mayor was the only person he could trust". The mayor has nothing to do with the password policy nor was he listed as an 'authorized requester'.
He was also no longer in charge of the network you're referring to. He was removed from that group when they found that he wasn't following policy. He refused to supply the password to Security per the password policy. It states that all system passwords must be placed into a Security managed database.
Security requested the passwords from him, and they were authorized to access such information (they established the password policy to begin with and noted in the policy that if someone had questions they should contact Security). Both the manager of security and the Director of Security request the password from him, yet he refused or gave them bad credentials. They password policy itself stated that all system passwords must be kept in a security managed database. It is the primary reason his employment was terminated according to the affidavit.
When security asked for the password, he was removed from his position for failing to comply (insubordination). Security was authorized to access those passwords per the policy so many are claiming is his defense. He was in violation of the password policy for not putting the passwords under Security's care to begin with.
(from section 4.1 of the General Security Policy) "All production system-level passwords must be part of the security administered global password management database." "If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
It was Security that was asking for the password.
By refusing to supply the passwords he put the network at risk. Per the affidavit, he actually told the director of security when asked if he implemented disaster recovery procedures, documented the network under his control, and/or if he had made the required backups on devices, as policy. His answers were "..no..". In the event of a failure, the city would have been screwed.
Security requested the passwords from him, and they were authorized to access such information (they established the password policy to begin with and noted in the policy that if someone had questions they should contact security). Both the manager of security and the director request the password from him, yet he refused. They password policy itself stated that all system passwords must be kept in a security managed database. This is the primary reason he was terminated.
According to the password policy, Childs was already in violation by refusing to place the password in a security administered global password management database.
From Section 4.1 (general) of the Password Policy:
"All production system-level passwords must be part of the security administered global password management database.". Security did ask him for these passwords and he refused.
I see no where in the policy that said it's a violation of policy to give authorized individuals the passwords. Considering that the security manager and the Director of Security asked for the password, I don't see the issue since these are the folks who publish the password policy. The policy itself refers you to Security.
"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
According to that article, they said he couldn't be forced to reveal his password as the contents it revealed might self-incriminate him. I don't see how that would apply here.
I agree. I think the policy being floated around is in regards to personal employee passwords. I'm curious if they will try to apply the policy to all infrastructure equipment as the routers would require a different username/password for admin access.
During the interview with Director Robinson, Child was asked if he had implemented disaster recovery procedures, documented the network under his control, and/or if he had made required backups on devices as is policy. His answers were "No".
Mr. Maupin and City Staff were not able to gain access to these devices, nor were they able to locate any documentation, network maps, or configuration files that would allow an authorized person to perform maintenance or rebuild the configuration on these devices.
This is now what I would categorize as a good admin. I would have fired him as well.
That remains to be seen, however, if his only defense is that he felt they weren't qualified, he will lose. Of that I have no doubt. He wasn't contractually obligated to evaluate if someone was qualified to receive the passwords. He was obligated to ensure they were authorized, which being his employers, they were.
He didn't claim he forgot. He gave them false passwords. He can't even claim he forgot, as the records show he exercised his admin credentials AFTER he was terminated for refusing to give them the passwords.
Unlikely. The jugdge would have to fall back on the law as written, or legal precedence if no existing law clearly established right or wrong.
If you refuse an order in the military you had damn well better be right. If you are wrong, they will rake you over the coals.
IMO, Childs just handled things badly. He became emotionally involved in 'his' network in some weird way, and refused to give up his imagined ownership of it. I don't consider this professional, I consider it a bad reflection against responsible admins who work in our field.
Actually I'm not. Previous precedent is well established regarding who owns company data like e-mail.
Probably the best-known case involving e-mail privacy is Flanagan et al. vs. Epson America, Inc. In this case, Alana Shoars, an Epson employee, arriving for work one day discovered her supervisor reading and printing out e-mail messages between other employees. She says she was told by the same manager that all messages on the system were private. She questioned the practice and said she was told to mind her own business. A day later she was fired for insubordination. She filed a $1M wrongful-termination suit. Shoars filed a class-action suit on behalf of herself and other employees, claiming invasion of privacy (under California's constitution and a wiretapping statute). The state court ruled against Shoars on the grounds that email was not covered by California's wiretapping statute and that the right to privacy guaranteed by the state constitution covered personal but not business information. (Incidentally, Shoars also lost her wrongful-termination suit, which she filed after being fired from Epson.)
In another high-profile case, Eugene Wang, a former Borland International vice president, was accused of disclosing confidential corporate information in email messages sent to Symantec CEO Gordon Eubanks shortly before Wang left Borland to go work for Symantec (a Borland rival). Borland executives discovered the messages and filed suit against Wang, Eubanks, and Symantec; a California grand jury also issued criminal indictments against both executives.
In a case decided earlier this year, Michael A. Smyth vs. The Pillsbury Company, executives at Pillsbury fired a manager after finding a printout of an email message in which the manager referred to several of his supervisors as "backstabbing b*****ds." A U.S. District Court in Pennsylvania upheld the company's right to subsequently read all the manager's e-mail. The court ruled: "We do not find a reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management...Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its email system outweighs any privacy interest the employee may have." Notably, the court differentiated searching through an employee's email account from an invasion of an individual's person, personal information, or personal effects.
He was charged with not divulging the information to unauthorized individuals. I doubt seriously it mentioned the qualifications or intelligence of who he divulged it to.
What official policy would that be? He secured the network. He was reassigned to another work group. At that point, he lost all legal claim to any authority over the network in question.
He was fired for Insubordination. The router then sent a page to his company pager after he was fired, indicating he had exorcised admin rights after being terminated.
The rules pertaining to employee inventions are not limited to patents, but apply to other kinds of intangible property or rights that the law refers to as "intellectual property." In one case, for example, university professors devised a process for producing milk by introducing beneficial bacteria. Later, milk produced using this process was sold under a certain trademark that the university owned and licensed to dairies. The university declined to pay royalties to the professors who claimed to be the inventors of the process that led to the trademark, so the professors brought suit against the university. The court concluded that the trademark belonged to the university, as the professors' employer, and that there was no obligation on the part of the university to pay royalties to the professors who invented the process. Importantly, the court found that the professors, when they were conducting the research that led to the invention or development of the trademarked process, were doing precisely what they had been hired to do.
Oddly enough, I found your definition under Insubordination:
insubordination
- 2 dictionary results insubordinate/nsbrdnt/ Show Spelled Pronunciation [in-suh-bawr-dn-it] Show IPA
–adjective 1. not submitting to authority; disobedient: an insubordinate soldier. 2. not lower. –noun 3. a person who is insubordinate. Origin: 1840–50; in- 3 + subordinate
Related forms: insubordinately, adverb insubordination, noun
For one, laws under military are different than laws in civil life. In the military, you are required to follow any LAWFUL orders. You can refuse to follow an order you know to be unlawful. If you have no knowledge of that your commanding officer will do with the 'keys', then you are without guilt.
Since you're referring to military law, no, it doesn't apply in this case.
Slashdot Mirror
I find it odd that folks are making this guy a martyr and gushing about his professionalism, while the warrant shows that he threatened the manager over security to the point where she locked herself in a room and had to wait for him to leave. He was camped by the office front door and wouldn't leave while she was there. When he was arrested, he had $10,000 in cash, and a loaded 9mm gun, as well as various hardware from his office.
He put all of the city services at risk for his stunt. If they had a failure, the city would have been unable to respond, and some 300 odd city services that rely on the network would have been endangered. He failed to follow proper procedure, he had no DR plans in place. He also accessed city hardware after his termination.
In the 11 days that he was suspended from July 10th to July 21st, he made no attempts to contact the mayor or anyone else. Apparently he didn't think anyone in the city was qualified to work on 'his' network until they threw him in jail. He cost the city hundreds of thousands of dollars while they tried to regain control of their network.
To add icing to the cake, they found on his computer, pages and pages of usernames and passwords.
This guy was not a professional. He was creepy and a little too in love with his 'precious'.
Why in the world would anyone want this sort of guy representing the face of IT?
http://weblog.infoworld.com/venezia/childs/tcoppositiontoreduce_bail.pdf
According to the affidavit, he was asked for the password by the General Security Manager, and the Directory of Security. Both were authorized to request that information. It's stated directly in the password policy that if someone asks for a password, that the employee is to contact Security (who also published the policy btw).
No where in the password policy does it even mention the mayor. I find it amusing that people on here are running with that. The mayor came into it because according to a quote from Childs, he "felt the mayor was the only person he could trust". The mayor has nothing to do with the password policy nor was he listed as an 'authorized requester'.
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
Why do we on ./ continue to perpetrate the lie? This is not piracy. It is copyright infringement.
He was also no longer in charge of the network you're referring to. He was removed from that group when they found that he wasn't following policy. He refused to supply the password to Security per the password policy. It states that all system passwords must be placed into a Security managed database.
Case Affidavit:
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf [infoworld.com]
Security requested the passwords from him, and they were authorized to access such information (they established the password policy to begin with and noted in the policy that if someone had questions they should contact Security). Both the manager of security and the Director of Security request the password from him, yet he refused or gave them bad credentials. They password policy itself stated that all system passwords must be kept in a security managed database. It is the primary reason his employment was terminated according to the affidavit.
County Security Policy (see section 4 for the password policy):
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]
When security asked for the password, he was removed from his position for failing to comply (insubordination). Security was authorized to access those passwords per the policy so many are claiming is his defense. He was in violation of the password policy for not putting the passwords under Security's care to begin with.
(from section 4.1 of the General Security Policy)
"All production system-level passwords must be part of the security administered global password management database."
"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
It was Security that was asking for the password.
By refusing to supply the passwords he put the network at risk. Per the affidavit, he actually told the director of security when asked if he implemented disaster recovery procedures, documented the network under his control, and/or if he had made the required backups on devices, as policy. His answers were "..no..". In the event of a failure, the city would have been screwed.
"he was still under no legal obligation to expose passwords to systems that he protects. "
He was also no longer in charge of the network you're referring to. He was removed from that group when they found that he wasn't following policy.
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
Security requested the passwords from him, and they were authorized to access such information (they established the password policy to begin with and noted in the policy that if someone had questions they should contact security). Both the manager of security and the director request the password from him, yet he refused. They password policy itself stated that all system passwords must be kept in a security managed database. This is the primary reason he was terminated.
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
I guess we'll just have to wait and see if they consider the passwords company property.
According to the password policy, Childs was already in violation by refusing to place the password in a security administered global password management database.
From Section 4.1 (general) of the Password Policy:
"All production system-level passwords must be part of the security administered global password management database.". Security did ask him for these passwords and he refused.
I see no where in the policy that said it's a violation of policy to give authorized individuals the passwords. Considering that the security manager and the Director of Security asked for the password, I don't see the issue since these are the folks who publish the password policy. The policy itself refers you to Security.
"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."
Link to affidavit:
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
Link to security policy:
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
All arguments aside, I found your analogy to his 'precioussssss' very good ;)
His emotional attachment to his network would look bad in bar lighting. This guy was a nutcake.
According to that article, they said he couldn't be forced to reveal his password as the contents it revealed might self-incriminate him. I don't see how that would apply here.
Interesting read though.
I agree. I think the policy being floated around is in regards to personal employee passwords. I'm curious if they will try to apply the policy to all infrastructure equipment as the routers would require a different username/password for admin access.
Link?
From page 4 and 5 of the affidavit:
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
During the interview with Director Robinson, Child was asked if he had implemented disaster recovery procedures, documented the network under his control, and/or if he had made required backups on devices as is policy. His answers were "No".
Mr. Maupin and City Staff were not able to gain access to these devices, nor were they able to locate any documentation, network maps, or configuration files that would allow an authorized person to perform maintenance or rebuild the configuration on these devices.
This is now what I would categorize as a good admin. I would have fired him as well.
That remains to be seen, however, if his only defense is that he felt they weren't qualified, he will lose. Of that I have no doubt. He wasn't contractually obligated to evaluate if someone was qualified to receive the passwords. He was obligated to ensure they were authorized, which being his employers, they were.
He didn't claim he forgot. He gave them false passwords. He can't even claim he forgot, as the records show he exercised his admin credentials AFTER he was terminated for refusing to give them the passwords.
http://www.bluoz.com/blog/index.php?/archives/743-Terry-Childs-gets-most-charges-dropped.html
Unlikely. The jugdge would have to fall back on the law as written, or legal precedence if no existing law clearly established right or wrong.
If you refuse an order in the military you had damn well better be right. If you are wrong, they will rake you over the coals.
IMO, Childs just handled things badly. He became emotionally involved in 'his' network in some weird way, and refused to give up his imagined ownership of it. I don't consider this professional, I consider it a bad reflection against responsible admins who work in our field.
Actually I'm not. Previous precedent is well established regarding who owns company data like e-mail.
Probably the best-known case involving e-mail privacy is Flanagan et al. vs. Epson America, Inc. In this case, Alana Shoars, an Epson employee, arriving for work one day discovered her supervisor reading and printing out e-mail messages between other employees. She says she was told by the same manager that all messages on the system were private. She questioned the practice and said she was told to mind her own business. A day later she was fired for insubordination. She filed a $1M wrongful-termination suit. Shoars filed a class-action suit on behalf of herself and other employees, claiming invasion of privacy (under California's constitution and a wiretapping statute). The state court ruled against Shoars on the grounds that email was not covered by California's wiretapping statute and that the right to privacy guaranteed by the state constitution covered personal but not business information. (Incidentally, Shoars also lost her wrongful-termination suit, which she filed after being fired from Epson.)
In another high-profile case, Eugene Wang, a former Borland International vice president, was accused of disclosing confidential corporate information in email messages sent to Symantec CEO Gordon Eubanks shortly before Wang left Borland to go work for Symantec (a Borland rival). Borland executives discovered the messages and filed suit against Wang, Eubanks, and Symantec; a California grand jury also issued criminal indictments against both executives.
In a case decided earlier this year, Michael A. Smyth vs. The Pillsbury Company, executives at Pillsbury fired a manager after finding a printout of an email message in which the manager referred to several of his supervisors as "backstabbing b*****ds." A U.S. District Court in Pennsylvania upheld the company's right to subsequently read all the manager's e-mail. The court ruled: "We do not find a reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management...Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its email system outweighs any privacy interest the employee may have." Notably, the court differentiated searching through an employee's email account from an invasion of an individual's person, personal information, or personal effects.
He was charged with not divulging the information to unauthorized individuals. I doubt seriously it mentioned the qualifications or intelligence of who he divulged it to.
What official policy would that be? He secured the network. He was reassigned to another work group. At that point, he lost all legal claim to any authority over the network in question.
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
Now you're equating what he did to saving lives?
Try reading this. He's not a saint. It's the arrest warrant.
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
That is exactly what happened. Did no one even read the affidavit and arrest warrant?
http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf
He was fired for Insubordination. The router then sent a page to his company pager after he was fired, indicating he had exorcised admin rights after being terminated.
Just as they would have to prove that he was indeed the one who 'fsked' the route tables.
I disagree.
The rules pertaining to employee inventions are not limited to patents, but apply to other kinds of intangible property or rights that the law refers to as "intellectual property." In one case, for example, university professors devised a process for producing milk by introducing beneficial bacteria. Later, milk produced using this process was sold under a certain trademark that the university owned and licensed to dairies. The university declined to pay royalties to the professors who claimed to be the inventors of the process that led to the trademark, so the professors brought suit against the university. The court concluded that the trademark belonged to the university, as the professors' employer, and that there was no obligation on the part of the university to pay royalties to the professors who invented the process. Importantly, the court found that the professors, when they were conducting the research that led to the invention or development of the trademarked process, were doing precisely what they had been hired to do.
I think precedent is very clear here.
I don't see that definition anywhere on Websters. I looked for "failed to follow directives or direction" but couldn't find it.
http://dictionary.reference.com/browse/professional
Oddly enough, I found your definition under Insubordination:
insubordination /nsbrdnt/ Show Spelled Pronunciation [in-suh-bawr-dn-it] Show IPA
- 2 dictionary results
insubordinate
–adjective
1. not submitting to authority; disobedient: an insubordinate soldier.
2. not lower.
–noun
3. a person who is insubordinate.
Origin:
1840–50; in- 3 + subordinate
Related forms:
insubordinately, adverb
insubordination, noun
Synonyms:
1. refractory, defiant, insolent.
See this for info on Nuremberg and the "just following orders" defense:
http://usmilitary.about.com/cs/militarylaw1/a/obeyingorders.htm
For one, laws under military are different than laws in civil life. In the military, you are required to follow any LAWFUL orders. You can refuse to follow an order you know to be unlawful. If you have no knowledge of that your commanding officer will do with the 'keys', then you are without guilt.
Since you're referring to military law, no, it doesn't apply in this case.
They asked him for the passwords before he was fired. He didn't claim to forget them, he simply told them no.
Am I missing something?
Perhaps you should stick to the actual facts in the case?