
The Trial of Terry Childs Begins

snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
  • He was in a catch 22 (Score:5, Informative)

    by onyxruby ( 118189 ) <onyxrubyNO@SPAMcomcast.net> on Tuesday December 15, 2009 @09:39AM (#30443192)

    I was initially very skeptical of Childs until additional information came out about the case that changed the story notably.

    Their policy prohibited Childs from simply handing passwords over to his boss; when asked by the mayor he handed them over as requested. I think the bigger issue is one of policy on security and a lack of industry best practices by the city. What holds the greater weight, policy or your boss's request? Depending on where you work, handing over your passwords to anyone can readily be a criminal infraction. At a minimum they could have asked Childs to create an additional account with full administrative access and that account could then have been used to disable Childs' account.

    I know at my employer I am not allowed to share my passwords with anyone, including my supervisor. I have an official backup with equivalent access to myself and my refusal to hand over passwords would not prevent anyone else from taking over for me. If my employer wanted they could simply reset my password and gain access to my account. The issue in San Francisco is there wasn't anyone else who had equivalent access to begin with. Their network was complex and the city had cut to the bone on staffing ahead of time.

    Lessons can be learned from this from a management standpoint: the city took an antagonistic approach and did not update their policy and instead asked Childs to break it. Their security personnel should have known industry best practices and instead asked Childs to violate them and hand over his password. Ultimately the case showed incompetence in city management and embarrassed them, and that's the only reason I can think of that the city pressed the case.

  • by Joe The Dragon ( 967727 ) on Tuesday December 15, 2009 @10:02AM (#30443416)

    He had high security turned on that blocked password recovery, as some of the network stuff was out in the open at some sites and not in a locked room. With the high security you have to do a full reset to get back in without a password.

  • Re:All admins (Score:3, Informative)

    by Anonymous Coward on Tuesday December 15, 2009 @10:04AM (#30443462)

    Surely you mean all admins who refuse to provide passwords when asked by an authorised official at the company they set the passwords for?

    The person who asked Childs for the passwords wasn't an authorized official.

  • Re:All admins (Score:3, Informative)

    by eosp ( 885380 ) on Tuesday December 15, 2009 @10:10AM (#30443524) Homepage
    Said authorised individual should have already had access to those passwords. This guy was more interested in not giving them up to parties that he could not see over a teleconference, or at least that's what his defence will say.
  • by eosp ( 885380 ) on Tuesday December 15, 2009 @10:17AM (#30443598) Homepage
    And the original request was done over a teleconference. Bad idea. Of course, all of the passwords then found themselves in a public court document. Oops.
  • by BenEnglishAtHome ( 449670 ) on Tuesday December 15, 2009 @10:22AM (#30443650)

    For God's sake, that's circletimessquare! If you don't know who that is, lurk more. Until then, DO NOT FEED THE TROLLS!

  • Re:All admins (Score:5, Informative)

    by tibman ( 623933 ) on Tuesday December 15, 2009 @10:26AM (#30443710) Homepage

    I remember it being different than that. He wasn't supposed to tell anyone other than the mayor what the password was. Some new manager showed up one day and said "Hey, what's the password?" He says "I can't tell you." So the new manager called the police. Then as soon as the mayor showed up and asked for the password, Mr Childs told him.

    As far as I remember, there were zero authorized officials at the company to receive the password.

  • Chain of Command (Score:2, Informative)

    by Martin P. Hellwig ( 1555589 ) on Tuesday December 15, 2009 @10:40AM (#30443900) Homepage

    Simple solution, it's called chain of command and works pretty well in static, bureaucratic organisations.
    Simply put, you only accept commands from the manager in line or his/her superior.
    Although your superior superior (etc.) is allowed to break the chain, it is frowned upon and definitely communicated across the chain.

    So unless the manager of accounting is one of your superior superiors, tough luck, (s)he should contact his/her superior until there is one who shares both chains.

  • by Anonymous Coward on Tuesday December 15, 2009 @11:00AM (#30444156)

    The problem here is that there was not a documented policy on passwords.

    No, the problem is there WAS a documented policy on passwords, and the problem was he followed it. After he was fired, the only person the policy allowed him to tell the password was the mayor himself. As soon as the mayor asked, he quickly shared the password.

    Terry Childs might be an arrogant jerk, but he did nothing wrong.

  • Re:All admins (Score:5, Informative)

    by canajin56 ( 660655 ) on Tuesday December 15, 2009 @11:08AM (#30444272)

    Except he did have a lot to worry about, if you read about it. What happened is he caught a former coworker who got promoted to a different department, without his knowledge. He thought she was fired because she just vanished, and he never saw her again. He catches her searching through people's desks, and removing hard drives from their computers. She claims he was taking illegal pictures of her and disrupting her "secret audit", which is why she had him arrested and held on a $5 million bond. (The "illegal pictures" he took never surfaced). That's right, he was arrested before being fired, and before refusing to give up the password. The "refused to give up the password" was when she called him in jail and demanded it. Still a woman who, as far as he knows, was fired, not promoted, demands the password over speakerphone in a police station. He says no way. His boss pipes in over the speakerphone and says "Just do whatever she says, or else", and he says no, it's against corporate policy to discuss that sort of thing over speakerphone where anybody can pipe in, but if the boss or the mayor calls in person without speakerphone, he will. They hung up and told the police to process him.

    He never owned these passwords, the hardware, the systems, or the infrastructure he worked on. When the owners asked for the password, he should have noted his concerns, and given them up.

    As far as he knows, an ex-employee was breaking in and snooping through people's files and desks. And I guess she must be blackmailing his boss, for the boss to say "do what she says or else". If Childs doesn't own the network, how do you reason this middle management fuck owns it?!!? The OWNERS didn't ask shit. At any rate, for him to have given the password like that violated company policy, which he told them, he told them they had to get it in person, and they REFUSED. He told them he'd tell the Mayor, he told the police, who refused to tell him what he was being held on, that he would tell the Mayor, who as the people's representative, is the owner of the network. At this point, people ran with the fact that he was a corporate spy of some sort, because his CITY OWNED CELL HAD A CAMERA IN IT JUST LIKE ALL CELLS, and also he used a firing range, highly illegal, only outlaws use firearms, remember! He also was looking at storage space, a clear crime. When all he really did was refuse to give a password to a co-worker who was "fired" but actually secretly promoted to conduct "secret audits" by searching desks and desktop HDs at midnight on a Friday night. And, to repeat, he was arrested and charged before he even was asked for the password. AND he was asked for the password in a way that was against corporate policy, and also possibly a felony.

  • Re:Fired him first? (Score:3, Informative)

    by canajin56 ( 660655 ) on Tuesday December 15, 2009 @11:11AM (#30444298)
    Actually, they had him arrested first, fired second, and somebody who wasn't his boss, and as far as he knew, was an ex-employee, asked for the password over speakerphone THIRD. All this because he caught this ex-employee (who apparently was secretly promoted to the secret police to conduct "secret audits" at midnight on Fridays by snooping through desks and stealing hardware), and told his boss about it.
  • by L4t3r4lu5 ( 1216702 ) on Tuesday December 15, 2009 @12:03PM (#30445092)
    Will people please stop posting that Terry Childs was "being an ass about it"?! He didn't give up the passwords to his supervisor because policy prevented it. It would be a breach of contract (potentially criminally negligent) for him to divulge the passwords requested to anybody but the Mayor.

    Guess who got the passwords as soon as they asked? That's right!

    THE MAYOR.

    End of subject, folks. Stop posting about him "being an ass" or "getting what he deserves" or "setting a bad example." He set the best example by not caving in and handing the "keys to the realm" to some new face he didn't know the technical knowledge of, and was specifically prevented from releasing by the very policy which kept him employed.

    This is a PR campaign to save face and nothing else. Someone high up the food chain did something idiotic (calling the police instead of HR / legal dept) and blew things out of proportion. Now they have to see it through, or they'll look like fools and lose their jobs. CYA territory.

    I hope the lot of them are fired, and Terry gets to sue every last one.
  • by sjames ( 1099 ) on Tuesday December 15, 2009 @12:14PM (#30445260) Homepage Journal

    He didn't decide for himself, he was following written policy.

    If I hire a general contractor to build my house and I instruct him to hire you to key the locks, he is your boss, but he is NOT entitled to a copy of the keys.

  • Re:Fired him first? (Score:4, Informative)

    by jc42 ( 318812 ) on Tuesday December 15, 2009 @01:09PM (#30446276) Homepage Journal

    It would seem the prudent thing to do, if you find yourself in a similar situation, would be to turn over the damn passwords.

    Hmmm ... Apparently you missed the earlier post's link to the article about the official policy of the county government. It included this summary excerpt:

    "Password Policy"
    As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
    All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis"
    "Do not share County passwords with anyone, including administrative assistants or secretaries.

    All passwords are to be treated as sensitive, confidential County information.

    Here is a list of things to avoid
    -Telling your boss your password.
    -Talking about a password in front of others.
    -Telling your co-workers your password while on vacation."

    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]

    So if he'd handed over the password to his bosses, he would have been charged with a violation of official published policy, and that charge would have probably stuck. By following the official policy, he may well have succeeded in winning the court case. Of course, it didn't stop the city from implementing what's almost certainly an illegal incarceration before trial. We'll have to keep checking to see how it turns out, and whether he can get restitution for the jail time.

    In security-related situations, it's often a good idea to know the official published policy. When asked to violate it, it often can help to point out that what you're being asked to do is illegal, and ask if they really intended that. (If you're a contractor, you might try grinning and saying that you charge extra for illegal acts. Tell them that your consulting firm has a policy against performing illegal acts without first getting the explicit job description on paper with all the right signatures authorizing the higher rate, indemnification for possible charges, etc. It can be fun to watch their reaction.)

  • by sjames ( 1099 ) on Tuesday December 15, 2009 @01:23PM (#30446536) Homepage Journal

    He didn't do that though. He told the managers that he would turn the password over to the mayor (the OWNER's duly elected representative). A few days later, the mayor asked him for the password and, as promised, he told him.

  • Re:Fired him first? (Score:3, Informative)

    by Zerth ( 26112 ) on Tuesday December 15, 2009 @01:25PM (#30446574)

    He was also ordered to surrender them to someone department policy said he was not allowed to tell and who was likely to screw things up and blame it on him.

    He did the responsible thing and insisted on following policy in a manner that ensured the network continued to function.

  • Re:Fired him first? (Score:3, Informative)

    by Zerth ( 26112 ) on Tuesday December 15, 2009 @01:37PM (#30446840)

    Just to quote their policy:

    All passwords are to be treated as sensitive, confidential County information.
    Here is a list of things to avoid:
    Giving your password over the phone to ANYONE.
    Telling your boss your password.
    Talking about a password in front of others.
    Telling your co-workers your password while on vacation.

    If someone demands a password, refer him or her to this document or have him or her call someone in Information Security

  • by Anonymous Coward on Tuesday December 15, 2009 @03:00PM (#30448168)

    ...he really didn't have a right to do what he did and treating him like some sort of hero is just asinine and, much like Christmas, something I wish would just be over with already.

    Actually if you read some of the InfoWorld articles he did what the city's network policies/regulations/rules expressly compelled him to do. According to the articles, the only person in the city gov't that Childs was permitted to provide the passwords to was the Mayor! Furthermore, when he was first asked for the root-level passwords he was in a police station conference room full of people he didn't know with an active speakerphone with who knows who on the other end of it. Nobody in that room, according to the city rule book, was authorized to know these root passwords! He followed the rules to the letter and has been sitting in jail for 18 months for doing his job according to the rules. If you read some of the articles on this case, the technical/legal ignorance of city officials is astounding.

  • by DJRumpy ( 1345787 ) on Tuesday December 15, 2009 @04:51PM (#30449572)

    He was also no longer in charge of the network you're referring to. He was removed from that group when they found that he wasn't following policy. He refused to supply the password to Security per the password policy. It states that all system passwords must be placed into a Security managed database.

    Case Affidavit:
    http://weblog.infoworld.com/venezia/childs/tcramsay_affidavit1.pdf [infoworld.com]

    Security requested the passwords from him, and they were authorized to access such information (they established the password policy to begin with and noted in the policy that if someone had questions they should contact Security). Both the manager of security and the Director of Security requested the password from him, yet he refused or gave them bad credentials. The password policy itself stated that all system passwords must be kept in a security managed database. It is the primary reason his employment was terminated according to the affidavit.

    County Security Policy (see section 4 for the password policy):
    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]

    When security asked for the password, he was removed from his position for failing to comply (insubordination). Security was authorized to access those passwords per the policy so many are claiming is his defense. He was in violation of the password policy for not putting the passwords under Security's care to begin with.

    (from section 4.1 of the General Security Policy)
    "All production system-level passwords must be part of the security administered global password management database."
    "If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."

    It was Security that was asking for the password.

    By refusing to supply the passwords he put the network at risk. Per the affidavit, he actually told the director of security when asked if he implemented disaster recovery procedures, documented the network under his control, and/or if he had made the required backups on devices, as policy. His answers were "..no..". In the event of a failure, the city would have been screwed.

  • by Zeinfeld ( 263942 ) on Tuesday December 15, 2009 @06:21PM (#30450932) Homepage
    According to the depositions in the case, this claim is utterly false.

    The site policy was for the passwords to be entered in a security database. He may have disagreed with the policy but he was not entitled to refuse to comply with it.

    I find the claim that he did not recognize his superiors or that his actions were genuinely motivated by a desire to protect the network as somewhat incredulous. His actions are rather more consistent with attempting to preserve his job security by ensuring that he was the only person that could control the network and refusing to co-operate with legitimate attempts by his management to regain control.

    The idea that this should be a concern to someone acting in good faith is ludicrous.

  • by Score Whore ( 32328 ) on Tuesday December 15, 2009 @06:53PM (#30451336)

    He did all that - the network ran like a dream and Childs' only error was in following his contract and not telling his 'boss' the password (because he isn't allowed to) while in lockup on a speakerphone.

    You are assuming facts not in evidence re. the quality of his work. Additionally, it's obvious that he didn't do "all that" since the simple fact is he was a single point of failure with respect to management access to the equipment. It doesn't matter if packets moved smoothly through the network or not. He fundamentally failed at his job since he had no plan in place to handle the situation where he was unavailable.

    It's inflammatory and you know it.

    Why is it inflammatory? You are the one who makes some kind of connection between bondage and being ashamed and stigmatized, not me.

  • Re:Mod parent up (Score:3, Informative)

    by DJRumpy ( 1345787 ) on Wednesday December 16, 2009 @12:39PM (#30459194)

    The guy was creepy. When he was arrested, his PC contained pages and pages of usernames and passwords. He had $10,000 in cash on him when he was arrested, and a loaded 9mm.

    No one on here wants to hear those details. He was a saint. A true hero. Whatever, mark the info above as Trolling (not even sure how that applies, as those are public records from the case as well as the official SF security policy), but it is what it is.
