The Trial of Terry Childs Begins
snydeq writes "Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."
Re:All admins (Score:4, Interesting)
There is a potential for problems if a manager with very insecure security tendencies asks a sysadmin for very important passwords. In some circumstances, the sysadmin might feel justified not handing the passwords over as it would compromise the security of the existing system.
Terry Childs and the female boss (Score:5, Interesting)
Sorting out fact from fiction [yahoo.com] in the Terry Childs case (InfoWorld)
Re:anyone here who defends this man (Score:5, Interesting)
Childs deserves defense not because he appropriately handled a showdown with management he had no hope of navigating successfully; clearly he did not. Rather, he should be defended against having the prosecutorial powers of the city leveled against him and being deprived of his freedom for many months over a matter that should have gone no further than the termination of his employment.
Re:All admins (Score:3, Interesting)
Sure you turn over the password, they delete something and YOU are on the hook for obstruction of justice.
Being forced to 'hand over the passwords' should be like a vehicle transfer. The moment you hand the keys off to the person who you are obligated to give them to THEY become responsible for the entire network including their own fuck ups.
Re:All admins (Score:4, Interesting)
It's called CYA - report it to your direct manager, if you are overridden, have it all in writing for the blame game which is certain to happen later.
Re:Why is this guy being treated as a Martyr to IT (Score:2, Interesting)
Re:Intellectual Property Laws are not difficult fo (Score:2, Interesting)
I'm explaining this horribly badly, I know, but still, I feel he has no obligation once he's been fired.
Re:Terry Childs and the female boss (Score:3, Interesting)
In the court filing four days later, the city contended that Childs had "booby-trapped" the network to collapse during this power outage by not writing the device configurations to flash on some number of routers.
You know, some Cisco guys just have bad habits of not pressing "CTRL+Z" then entering "wr mem" when they're done working on a Cisco appliance. Maybe he just made a mistake?
Re:Childs should get twenty years (Score:5, Interesting)
So you would rather that he broke the policy that was given to him with regard to passwords and let unauthorized people have access? The city policy only allowed him to give passwords to the Mayor, which he did as soon as he was allowed to. If you are fired, and some random people ask you to give up the password, would you? If you say yes, then you will end up at the wrong end of a lawsuit, as that would make you criminally culpable in whatever havoc those people caused on the network.
Re:Childs should get twenty years (Score:3, Interesting)
The water treatment plants were amongst the infrastructures that he disabled.
Uhm, come again?
Nothing was "disabled." Nothing was turned off. The situation was quite simply that the routers were secured down to the point where, without having admin credentials, someone could not CHANGE them. This is not "negligent", this is smart design.
Then we get to the exorbitant bail amount, the fact that he's being held in lockup without a bail reduction even though better than 3/4 of the case has been dropped due to lack of evidence, and the fact that he in fact gave the passwords up to a competent authority (the SF Mayor, aka his boss's boss's boss), and it looks like a kangaroo court in process. The DA's office doesn't have much, if anything, of a case but they're desperate to justify what they have done so far so they just keep pushing along.
I'll offer you a choice. You are being reassigned to a new area. Your "boss", the blithering idiot who still keeps his password in a sticky note on his monitor and who holds a bitchfest every time he's told he has to pick a password that actually conforms to complexity requirements rather than using "god", demands a ton of passwords with root-level access. You've seen numerous situations before where the "admin at the time" (e.g. you) has been turned into the fall guy for shit going wrong or security breaches, when it's obvious to anyone doing any research that the real problem is some moron boss with fewer brain cells than teeth, an MBA, and a Napoleon complex.
What. Do. You. Do?
Exactly, this ain't that hard (Score:2, Interesting)
People of slashdot, this is VERY VERY simple. Go to the boss, the highest you can barge in on, hand him in writing your objections and the passwords AND your resignation. Have them signed and don't look back.
NEVER EVER try to be clever within the system, you cannot win.
Always do this, especially when working with government or semi-government (huge companies that either were once state run, work mostly for the state, are run by ex-state people or because of their size have become ministates). You know the type, where people wear ties, even when they are not.
This guy tried to be clever. It never works, you are never clever enough and the system knows how to deal with clever. Instead be smart, get out.
This guy really should have just done as said above. Hand it off and get the fuck out of the way.
There is good money to be made in this segment of the market, but only for those who can play the game and the first rule of the game is, don't get into the game if you don't know the rules.
Re:Childs should get twenty years (Score:2, Interesting)
So what? They were his bosses and the owners of the equipment. He had no right to refuse them access to their own property no matter what they could have and would have done to fuck it up.
Re:Why is this guy being treated as a Martyr to IT (Score:5, Interesting)
Bail should be set as a deterrent to flee before a trial is finished, not to keep someone indefinitely in a cell.
And this is probably why they did it. His bosses probably knew (or were told by their lawyers) right off that they didn't have a chance of convicting him of anything. So they used one of the standard legal ruses to keep him in jail while they delayed the trial. It's not especially unusual for people to be jailed before a trial for longer than the longest legal sentence. It's even done when conviction couldn't get a jail sentence at all. The idea is to keep someone in jail as long as you can, by any means that will work. Then it doesn't much matter if the court exonerates them; you've shown that you can incarcerate them sufficiently long without a trial.
Parts of the US Bill of Rights were designed to prevent this sort of imprisonment. It hasn't worked very well in this case. And it's not the first time that such things have been done in the US. Anyone not aware of this problem is naive and ignorant of history.
The only real question is whether he can get restitution from the courts afterwards. History says he probably won't.
This sort of story is why I gave up on security/admin jobs early on. I read some stories similar to this, and figured out that the non-technical people above my immediate boss were highly likely to pull such stunts, perhaps with me as a chosen victim. The only way to win that game is not to play it, because the higher ups can see all the cards and do all the shuffling. Of course, when I and thousands of others started figuring this out, it inevitably led to our current sorry state of widespread computer insecurity.
One thing we might add to this story is a question about whether SF will be able to hire a competent person to replace him. I certainly wouldn't want to interview with them, except maybe to see if I could get some inside information about their current policies (after which I'd simply ignore any job offers).
One thing I'd suggest to anyone in his position: If your superiors demand that you give admin passwords to non-technical people, you should hand in your resignation along with the passwords. Tell them right out why you consider this a threat to your own legal safety as well as the computer systems. Chances are they won't be surprised, because they knew what was planned. After all, anyone with the root passwords can edit any file and fake lots of evidence, including the timestamps on files.
Citation needed (Score:2, Interesting)
> The water treatment plants were amongst the infrastructures that he disabled.
This is the age of the hyperlink. Please provide one.
As for him deserving 20 years, it seems to me that it can never be a crime to forget something. In the same vein, it would seem to me that it cannot be a crime to be psychologically incapable of providing information. Other posters have claimed that it was even against his ex-employer's policies to provide that information.
I wonder if we will ever learn the real truth about this matter. It's fairly clear what version the city government would like to be revealed as "the truth".
Re:All admins (Score:3, Interesting)
The courts have held people liable for 3rd party actions in MANY cases. For example, you're the host of a party, and you let guests get good and drunk, and you then let them drive anyway. Or you have a hazard in your house, and a crook breaks in and hurts themselves. Or you're sick and tired of someone siphoning your gas, so you put razor blades around the inside of the filler flap. Or you're in the military and you obey an order that is contrary to military law (in which case, unless you frag the person who gave the order, you're up shit creek either way - either you disobeyed an order, or you obeyed an illegal order. Officers who give illegal orders would tend to darwin themselves).
Same thing applies in business - bars have been held liable for letting customers get too drunk to drive and not stopping them. The code of ethics for various professional bodies acknowledges that their members have a larger duty to society as a whole, and not just their employers, and that when there's a conflict, it has to be resolved in society's favour. An engineer can't just certify a bridge that is marginal because his boss tells him to, or choose to willfully ignore a dangerous defect in an area not under his or her direct purview.
Similarly, the courts are now starting to apply a standard of care on the general public - failure to act when you could have prevented harm is now punishable in jurisdictions that have passed "good samaritan" laws. With the protection afforded by these laws, you now have no legal excuse not to help someone in danger who is in need of immediate assistance.
Search for "failure to render assistance" - it's now a crime in many areas. Just look at how many "failure to render assistance" are listed in this 6-week crime stats report from one town in Texas [sugarlandnewspaper.com].
Re:Childs should get twenty years (Score:3, Interesting)
Then how would you suggest a security audit be done? How else can we find out if someone will violate security policy than by giving them a chance to do exactly that?
I've been subjected to those kinds of audits on several occasions. Yes, they're mildly insulting. But they're also necessary, aren't they?
Re:For the love of God... (Score:3, Interesting)
I decided to read a couple of articles about the situation after reading the parent post. That's led me to believe that IT admins everywhere should be supporting this guy wholeheartedly. When you get down to the point of it, this is a guy getting shafted as a result of sticking to the documented policy.
I realize that it's a long-running joke around here that people don't RTFA. RTFA.