Forgot your password?
typodupeerror
Government The Courts IT Your Rights Online

The Trial of Terry Childs Begins 502

Posted by kdawson
from the there-but-for-luck-and-precedent-go-we-all dept.
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
This discussion has been archived. No new comments can be posted.

The Trial of Terry Childs Begins

Comments Filter:
  • All admins (Score:5, Insightful)

    by RichardJenkins (1362463) on Tuesday December 15, 2009 @09:12AM (#30442956)
    Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?
    • Well the issue is that if they disclose the passwords and he fucks things up, they can already be screwed, so this precedent has potential to just invalidate their only option

      • The law is an ass. (Score:2, Insightful)

        by TapeCutter (624760) *
        This guy decided to be ass and he's finding out the hard way that law is a bigger ass.
    • Re:All admins (Score:4, Interesting)

      by tdobson (1391501) on Tuesday December 15, 2009 @09:24AM (#30443054)

      There is a potential for problems if a very manager with very insecure security tendencies asks a sysadmin for very important passwords. In some circumstances, the sysadmin might feel justified not handing the passwords over as it would compromise the security of the existing system.

      • Re:All admins (Score:5, Insightful)

        by DJRumpy (1345787) on Tuesday December 15, 2009 @09:29AM (#30443100)

        It doesn't matter since in this case, the people this guy works for asked for the passwords. He is completely free of guilt should they screw things up and no court would hold him responsible for doing exactly what his duties required him to do.

        He never owned these passwords, the hardware, the systems, or the infrastructure he worked on. When the owners asked for the password, he should have noted his concerns, and given them up.

        • Re:All admins (Score:5, Insightful)

          by DarkOx (621550) on Tuesday December 15, 2009 @09:40AM (#30443214) Journal

          The answer is obvious. You simply put it in writing that in your professional opinion someone without an educational background or specific vocational training related the security and operation of whatever system you are dealing with should not operate its administrative features. You than state that you cannot be solely responsible for security or system failures if you are not permitted to be the gatekeeper. You then hand over the passwords if your employer or client agrees.

          There is really no problem here at all.

          • Re:All admins (Score:5, Insightful)

            by remmelt (837671) on Tuesday December 15, 2009 @09:46AM (#30443252) Homepage

            Except when they still ass rape you for killing their system. Yes, this happens. You're the admin, you're responsible! Sucks to be you! Sure, you have some bullshit in writing, but who cares? Go look for another job! Oh, you want to sue us now? Go right ahead, see who has the deeper pockets.

            Either way, you lose.

            • Re: (Score:2, Troll)

              by DJRumpy (1345787)

              It's not like this guy started yelling the passwords while his bosses were screaming "La La La La" with their fingers in their ears. He has a very clear request from his management that they requested the passwords. What they do with them from that point on is solely their responsibility.

              If employees could simply do what they wished at work because they didn't happen to like what their place of employment was doing, we would have a very different workplace these days. That obviously isn't the case.

            • Mod parent up! (Score:4, Insightful)

              by khasim (1285) <brandioch.conner@gmail.com> on Tuesday December 15, 2009 @09:55AM (#30443336)

              If anything, the fact that you wrote down that there might be a problem would be used against you. You set a trap or something. That's how you knew there would be a problem.

              This is management. Does anyone who's ever held a tech job believe that you writing down that your boss is, effectively, an idiot won't be used against you?

          • Now, you may live in an alternate reality where being an asshole is the number one concern in any situation, but here on Earth, liability is not the only issue when a system has the potential to be compromised.

            If my boss asks me to do something which has the potential to destroy the systems I am responsible for, it's not just the ability to run away and shout "not my fault!" in as loud a voice as possible to my next potential employer- see, it turns out I (and most people) like keeping my/their current job.

        • Fired him first? (Score:5, Insightful)

          by Mathinker (909784) on Tuesday December 15, 2009 @09:43AM (#30443226) Journal

          > the people this guy works for asked for the passwords

          My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).

          • by lannocc (568669)

            My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).

            I think this is ultimately where the case might hinge, and if it's true that they fired him first then in my opinion (I'm not a legal professional) he might have a chance of winning. On one hand, say you are fired and your employer later discovers you took something of theirs with you, well you would obviously be charged with theft. But in this case we are dealing with information, in the guy's head, not physical property. At what point does information become property? What if he had something illegal hidd

          • Re: (Score:3, Informative)

            by canajin56 (660655)
            Actually, they had him arrested first, fired second, and somebody who wasn't his boss, and as far as he knew, was an ex-employee, asked for the password over speakerphone THIRD. All this because he caught this ex-employee (who apparently was secretly promoted to the secret police to conduct "secret audits" at midnight on Fridays by snooping through desks and stealing hardware), and told his boss about it.
        • This really comes down to;

          Is Nick Burns a dick, or is he not a dick?

          That's it. Pick your camp and fuck off. There is really nothing else to discuss, there is no middle ground.

        • Re:All admins (Score:5, Informative)

          by canajin56 (660655) on Tuesday December 15, 2009 @11:08AM (#30444272)

          Except he did have a lot to worry about, if you read about it. What happened is he caught a former coworker who got promoted to a different department, without his knowledge. He thought she was fired because she just vanished, and he never saw her again. He catches her searching through peoples desks, and removing hard drives from their computers. She claims he was taking illegal pictures of her and disrupting her "secret audit", which is why she had him arrested and held on a $5 million bond. (The "illegal pictures" he took never surfaced). That's right, he was arrested before being fired, and before refusing to give up the password. The "refused to give up the password" was when she called him in jail and demanded it. Still a woman who, as far as he knows, was fired, not promoted, demands the password over speakerphone in a police station. He says no way. His boss pipes in over the speaker phone and says "Just do whatever she says, or else", and he says no, it's against corporate policy to discuss that sort of thing over speakerphone where anybody can pipe in, but if the boss or the mayor calls in person without speakerphone, he will. They hung up and told the police to process him.

          He never owned these passwords, the hardware, the systems, or the infrastructure he worked on. When the owners asked for the password, he should have noted his concerns, and given them up.

          As far as he knows, an ex-employee was breaking in and snooping though peoples files and desks. And I guess she must be blackmailing his boss, for the boss to be says "do what she says or else". If Childs doesn't own the network, how do you reason this middle management fuck owns it?!!? The OWNERS didn't ask shit. At any rate, for him to have given the password like that violated company policy, which he told them, he told them they had to get it in person, and they REFUSED. He told them he'd tell the Mayor, he told the police, who refused to tell him what he was being held on, that he would tell the Mayor, who as the people's representative, is the owner of the network. At this point, people ran with the fact that he was a corporate spy of some sort, because his CITY OWNED CELL HAD A CAMERA IN IT JUST LIKE ALL CELLS, and also he used a firing range, highly illegal, only outlaws use firearms, remember! He also was looking at storage space, a clear crime. When all he really did was refuse to give a password to a co-worked who was "fired" but actually secretly promoted to conduct "secret audits" by searching desks and desktop HDs at midnight on a Friday night. And, to repeat, he was arrested and charged before he even was asked for the password. AND he was asked for the password in a way that was against corporate policy, and also possibly a felony.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?

      The person who asked Childs for the passwords wasn't an authorized official.

    • Re:All admins (Score:5, Insightful)

      by QuantumRiff (120817) on Tuesday December 15, 2009 @10:08AM (#30443500)

      If someone higher ranking than me from our accounting division wants the Domain admin password, should I hand it to them? What about the head marketing person? How do you determine who it is "Safe" to hand over the passwords to?

    • Re: (Score:3, Interesting)

      by Tuoqui (1091447)

      Sure you turn over the password, they delete something and YOU are on the hook for obstruction of justice.

      Being forced to 'hand over the passwords' should be like a vehicle transfer. The moment you hand the keys off to the person who you are obligated to give them to THEY become responsible for the entire network including their own fuck ups.

    • Re: (Score:3, Informative)

      by eosp (885380)
      Said authorised individual should have already had access to those passwords. This guy was more interested in not giving them up to parties that he could not see over a teleconference, or at least that's what his defence will say.
    • Re: (Score:2, Insightful)

      by mysidia (191772)

      What about IT admins who configure systems to use Biometric authentication?

      Do they have to cut off their right hand, if a manager asks them?

      IT admins' user accounts on enterprise systems may use the same password the person uses on personal systems, like their bank account.

      What if the hand scanner includes liveness detection?

      Passwords and authentication credentials aren't for managers, they're for technical workers who can actually competently administer the systems they access.

      They don't need

    • by D'Sphitz (699604)
      Surely that is worth a minimum of 15 months in prison...
    • Re:All admins (Score:5, Informative)

      by tibman (623933) on Tuesday December 15, 2009 @10:26AM (#30443710) Homepage

      I remember it being different than that. He wasn't supposed to tell anyone other than the mayor what the password was. Some new manager showed up one day and said "Hey, what's the password?" He says "I can't tell you." So the new manager called the police. Then as soon as the mayor showed up and asked for the password, Mr Childs told him.

      As far as i remember, there was zero authorized officials at the company to receive the password.

    • Re:All admins (Score:5, Insightful)

      by L4t3r4lu5 (1216702) on Tuesday December 15, 2009 @10:37AM (#30443868)
      He did just that. The "Authorised official" you refer to was the Mayor, who he dutifuly revealed the password to when asked. Who he didn't reveal the password to was his line manager / supervisor, who he was expressly forbidden from doing so by district policy.

      It's not his fault for knowing the policy better than his own supervisor. He followed it to the letter, but his boss got his knickers in a twist and decided to get him arrested. I hope he's made to choke down that choice with a lovely pink slip in his Christmas stocking.
  • by zmnatz (1502127) on Tuesday December 15, 2009 @09:21AM (#30443024)

    Then will Mr. Childs employ the Chewbacca Defense?

  • between this genius who thought everything belonged to him and people like I met in my 1 year of working as a consultant for a government agency it's not wonder government is outsourcing. i met this one admin years ago who refused to let his NT domain be part of the larger NT network and it caused all kinds of permissions issues. funny thing was that because of the union rules they couldn't make him do it. and the only reason he refused to let his NT domain work with the others in the organization is becaus

  • Network Design? (Score:5, Insightful)

    by DarthBart (640519) on Tuesday December 15, 2009 @09:37AM (#30443174)

    Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.

    "Administrator" groups for Windows machines
    Multiple root SSH keys and/or Kerberos logins for Unix boxen
    TACACS user-based authentication for routers.

    If the dude just left and said "I'm done with you folks, no I'm not handing over my passwords", then fine...go into the user admin system, nuke his passwords and get on with your life.

    If the dude deliberately went in and reset passwords and changed network access before walking and then tried to blackmail the city, then that's sabotage/blackmail/downright illegal and should be punished.

    If the dude walked out without giving passwords to anyone and the system was poorly designed so that admin passwords had to be forcefully recovered via single user mode or the like, then the city should just eat crow, lick their wounds, and install a real network AAA system.

    What would have happened if the dude had been run over by a beer truck on the way to work? Would the city have been screwed as well?

    Dude.

    • Why was the network designed so that one single account (or password) held the keys the kingdom? That's just stupid.

      "Administrator" groups for Windows machines
      Multiple root SSH keys and/or Kerberos logins for Unix boxen
      TACACS user-based authentication for routers.

      Probably because the guy they hired to avoid problems like this, created the problem. There is always a way that someone can ruin your day. You can't always avoid placing a lot of trust into the hands of a few or even one individual.

      Ever fly on a

  • He was in a catch 22 (Score:5, Informative)

    by onyxruby (118189) <onyxruby@@@comcast...net> on Tuesday December 15, 2009 @09:39AM (#30443192)

    I was initially very skeptical of Childs until additional information came out about the case that changed the story notably.

    Their policy prohibited Childs from simply handing passwords over to his boss, when asked by the mayor he handed them over as requested. I think the bigger issue is one of policy on security and a lack of industry best practices by the city. What holds the greater weight, policy or your bosses request? Depending on where you work, handing over your passwords to anyone can readily be a criminal infraction. At a minimum they could have asked Childs to create an additional account with full administrative access and that account could then have been used to disable Childs account.

    I know at my employer I am not allowed to share my passwords with anyone, including my supervisor. I have an official backup with equivalent access to myself and my refusal to hand over passwords would not prevent anyone else from taking over for me. If my employer wanted they could simply reset my password and gain access to my account. The issue in San Francisco is there wasn't anyone else who had equivalent access to begin with. Their network was complex and the city had cut to the bone on staffing ahead of time.

    Lessons can be learned from this from a management standpoint, the city took an antagonistic approach and did not update their policy and instead asked Childs to break it. Their security personal should have known industry best practices and instead asked Childs to violate them and hand over his password. Ultimately the case showed incompetence in city management and embarrassed them, and that's the only reason I can think of the city pressed the case.

  • If they would have just threatened to waterboard the guy, and let him walk after he gave up the passwords, there would have been no harm, no foul, and no need to waste the taxpayers money putting a frazzled worker in jail.

    We're all getting frazzled these days, and maybe we need to realize that, take a deep breath, and stop tossing everyone in jail and tearing people down left and right in all arenas, and try and claw our way back to being a civilized people.

    Right now, I think we are all acting like animals.

  • by viralMeme (1461143) on Tuesday December 15, 2009 @09:45AM (#30443238)
    "On Friday, June 20, there was an altercation between Childs and Jeana Pieralde [slashdot.org], the new DTIS security manager at the 1 Market Street datacenter in San Francisco. Until her promotion, she had been a city network engineer who worked with Childs"

    Sorting out fact from fiction [yahoo.com] in the Terry Childs case (InfoWorld)

    .. the city had claimed it could not access the FiberWAN network's devices. But four days before that bail hearing, the city claimed it had scheduled a power outage at the 1 Market Street datacenter. That power outage would have affected routers and switches running the FiberWAN network.

    In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers. A local news report stated that "experts caught the problem in time and transferred data to permanent files, [Assistant DA Conrad] del Rosario said."

    This statement contradicts the city's stance that it had no access to these routers, as there is no way it could have written those configurations to flash, or save them anywhere, on July 19 if it could not access the devices ..

    • Re: (Score:3, Interesting)

      by Spazztastic (814296)

      In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers.

      You know, some Cisco guys just have bad habits of not pressing "CTRL+Z" then entering "wr mem" when they're done working on a Cisco appliance. Maybe he just made a mistake?

  • If he wins will he have to retest for certification or as he all reedy been put on a black list? but even if he is people will likely still look the other way and he can keen them on his CV.

  • The simple fact is this guy IS guilty of one major (though not legal) flaw. He didnt THINK about the situation, and instead of handing the passwords over, BUT documenting EVERYTHING, he decided to be an ass about it. He had a very valid reason to be an ass, but he should have washed his hands of it.
  • I thought someone said it best when they said

    "Terry Childs nearly built the San Francisco computer network by himself, to the point of actually filing for copyright on his design of the network. Management in the San Francisco IT department apparently couldn't fathom half of what he was doing and Terry Childs himself called them incompetent on numerous occasions, which is pretty much what the sole standing charge is all about. Refusing to hand over the network to incompetent imbeciles."
    http://blogs.compu [computerworld.com]

  • and is continuing with the prosecution just to save face,'

          So, what do taxpayers think about their public funds being thrown away just to "save face"? This charade will end soon. Maybe another generation or so.

  • by L4t3r4lu5 (1216702) on Tuesday December 15, 2009 @12:03PM (#30445092)
    Will people please stop posting that Terry Childs was "being an ass about it"?! He didn't give up the passwords to his supervisor because policy prevented it. It would be a breach of contract (potentially criminally negligent) for him to divulge the passwords requested to anybody but the Mayor.

    Guess who got the passwords as soon as they asked? That's right!

    THE MAYOR.

    End of subject, folks. Stop posting about him "being an ass" or "getting what he deserves" or "setting a bad example." He set the best example by not caving in and handing the "keys to the realm" to some new face he didn't know the technical knowledge of, and was specifically prevented from releasing by the very policy which kept him employed.

    This is a PR campaign to save face and nothing else. Someone high up the food chain did something idiotic (calling the police instead of HR / legal dept) and blew things out of proportion. Now they have to see it through, or they'll look like fools and lose their jobs. CYA territory.

    I hope the lot of them are fired, and Terry gets to sue every last one.
    • Re: (Score:3, Interesting)

      by Ykant (318168)

      I decided to read a couple of articles about the situation after reading the parent post. That's led me to believe that IT admins everywhere should be supporting this guy wholeheartedly. When you get down to the point of it, this is a guy getting shafted as a result of sticking to the documented policy.

      I realize that it's a long-running joke around here that people don't RTFA. RTFA.

One small step for man, one giant stumble for mankind.

Working...