
Terry Childs's Slow Road To Justice

snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
  • by mysidia ( 191772 ) on Wednesday March 03, 2010 @12:33AM (#31340464)

    'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.'

    Don't use a non-specified IP address.

    Or more specifically: grab a console cable, plug it into the device, and do what you need to do.

    That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.

    In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.

    No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.
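As an added illustration of the kind of layering the summary and the comment above describe, here is what such an access list looks like on a Cisco IOS device. This is example configuration written for this page, not Childs's actual configuration (which is not public) and not a claim about what equipment the City ran; the management subnet 10.1.1.0/24, the access-list name MGMT-ONLY and the local username are assumptions.

```cisco
! Added example: only the management subnet may open a remote login.
! 10.1.1.0/24 and the list name MGMT-ONLY are assumed values for illustration.
ip access-list standard MGMT-ONLY
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
! Apply the list to the virtual terminal lines (SSH/telnet sessions).
! A correct username and password presented from any other source
! address never reaches the login prompt; the attempt is logged instead.
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
!
! access-class does not apply to the physical console port, so someone with
! a console cable and physical access still gets a login prompt.
line con 0
 login local
!
! Assumed local account; the real name and secret are not known.
username netadmin privilege 15 secret <placeholder>
```

To see whether a login is being rejected by the list rather than by a bad password, check the hit counters with `show access-lists MGMT-ONLY`: a rising count on the `deny any log` line means the source address, not the credential, is the problem. That is the situation the summary describes, and the console-port path is why "grab a console cable" is the standard fallback.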

  • by FooAtWFU ( 699187 ) on Wednesday March 03, 2010 @12:42AM (#31340520) Homepage

    It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

    His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

  • by Anonymous Coward on Wednesday March 03, 2010 @01:00AM (#31340628)

    "People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"

    You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.

    "but let's not try to pretend that he didn't violate rules and/or laws."

    He didn't. You are welcome to prove that he did, but so far you are only guessing, with no evidence to support your case.

  • by Anonymous Coward on Wednesday March 03, 2010 @01:06AM (#31340666)

    It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

    His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

    I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

    It was in his contract.

  • by Lord Kano ( 13027 ) on Wednesday March 03, 2010 @01:09AM (#31340678) Homepage Journal

    I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."

    If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.

    "You're fired. Give me the network passwords."
    "Sorry, that is no longer my job."
    "I'm calling the police."

    LK

  • by Nikker ( 749551 ) on Wednesday March 03, 2010 @01:09AM (#31340682)
    He would have been liable if he gave it to anyone else so in this world of lawsuits he said the right answer, no. He gave them to the mayor so why didn't the proper owners come by and pick them up? Was the mayor involved in a conspiracy of some kind? You have to realize there are many contracts and legalities involved with a job like this so if he couldn't find someone that could be liable as per his contract and the mayor couldn't find anyone then who is legally responsible for them? The mayor is saying since he doesn't know how to administer the system there was nothing he could do with the passwords. This happened on July 12/08 and the mayor was given the passwords a week later. If he did just give them out and some data loss occurred he would be held liable on a federal level. So what would you do in that situation?
  • by sjames ( 1099 ) on Wednesday March 03, 2010 @01:13AM (#31340704) Homepage Journal

    He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.

    If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.

  • by dbIII ( 701233 ) on Wednesday March 03, 2010 @01:24AM (#31340768)
    That's exactly it - the people that asked were not in the chain of command and there were a lot of other witnesses from outside of the organisation in the stupid "ambush" meeting he was dragged into. In a previous article here someone quoted some of the rules for that workplace, one of which was not revealing the information to outsiders. It's beginning to look like a nasty trick to back him into a corner so that any response or even lack of response would have got him into trouble.
    I'm still curious about the events leading up to this such as the other dismissals and the odd snooping around. It really looks like office politics and cleaning out the workplace to replace with cronies and putting an awkward obstacle in jail.
    From looking at what's been released so far I can't see where he violated either the law or their rules.
  • by 0WaitState ( 231806 ) on Wednesday March 03, 2010 @01:29AM (#31340796)
    Realistically, Newsom wasn't involved in the debacle until they realized that the only way they were going to get the authentication credentials was to do it by the book, as Terry Childs was insisting, which meant the mayor, in person, receiving the credentials. Not over a freaking speakerphone as Childs' supervisor attempted. It's possible that Gavin Newsom appointed some of the idiot IT managers that let a single contractor have undivided ownership of the network...

    And no, da mayor does not get to tell the prosecutor to drop a case. Maybe in Chicago, but not in most cities. The real question is why the prosecutor went balls-out for 5 million dollars bail. BTW, the trial judge already tossed 4 of the 5 indictments. Just arresting the guy for a few days was enough to send the message "don't be a prick".
  • by deniable ( 76198 ) on Wednesday March 03, 2010 @01:34AM (#31340822)
    The idiot wasn't the mayor, but someone in middle management. The mayor was brought in as an appropriate person to receive the passwords because the idiot that originally demanded them wasn't actually covered by the security policies.
  • by Moryath ( 553296 ) on Wednesday March 03, 2010 @01:37AM (#31340830)

    In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.

    Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

    He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

  • by eosp ( 885380 ) on Wednesday March 03, 2010 @02:07AM (#31341072) Homepage
    • He gave the password to the only person allowed by his contract, the mayor.
    • He did not give the password over the speakerphone to a room full of other people, including quite possibly some people to whom he was not allowed to give the password. This was the incident that got him arrested.
    • A supervisor should have had the password all along. If he was innocently hit by a bus, then the city's network would really be hurting. IT people need to learn that refusal to document does not make job security.
    • All people involved are asshats.
  • by georgewilliamherbert ( 211790 ) on Wednesday March 03, 2010 @02:13AM (#31341116)

    Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

    He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

    This is rapidly becoming myth rather than fact-based.

    The overall policy page is:
    http://www.sfgov.org/site/coit_index.asp?id=56853

    The security policy is specifically:
    http://www.sfgov.org/site/coit_page.asp?id=79251

    Which, basically, says "follow this inter-county planning document":
    http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

    The password policy in CCISDA states:

    (pp 32 of the document)

    4. Policy
    4.1. General
    All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis.
    All production system-level passwords must be part of the security administered global password management database.

    (removed)

    B. Password Protection Standards
    Do not use the same password for County accounts as for other non-County access (e.g., personal Internet Service Provider (ISP) account, option trading, benefits, etc.). Where possible, don’t use the same password for various County access needs. For example, select one password for the network systems and a separate password for application systems. Also, select a separate password to be used for a NT account and an AS400 or UNIX account.
    Do not share County passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential County information.
    Here is a list of things to avoid:
    Giving your password over the phone to ANYONE.
    Sending a password in an e-mail message.
    Telling your boss your password .
    Talking about a password in front of others.
    Hinting at the format of a password (e.g., “my family name”).
    Writing in your password on questionnaires or security forms.
    Sharing your password with family members.
    Telling your co-workers your password while on vacation.
    If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.
    Never use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
    If you must write your passwords down, store them in a secure place and never anywhere in your office.
    Passwords stored in a file on ANY computer system (including Palm Pilots or similar devices) can be compromised if encryption isn’t used to secure them.
    Change passwords at least once every three months (except system-level passwords, which must be changed monthly). Changing them more often is better.
    If you suspect that your account or password is compromised, report the incident per the Incident Response Policy and change all passwords.
    Password strength checking may be performed on a periodic or random basis by departmental or county IT or its delegates. Any passwords found out during one of these scans will require the user to change it.

    Though the "Do not tell anyone your password" sect

  • Re:Men like these... (Score:2, Informative)

    by Eivind Eklund ( 5161 ) on Wednesday March 03, 2010 @07:20AM (#31343222) Journal

    Terry Childs refused to divulge the passwords to anybody he didn't know were entitled to get the passwords. That's the appropriate security procedure: You do not give passwords to people that claim that they should get them, you give them to somebody you know should have access to them. If I had called you after you had quit somewhere, you shouldn't give me the passwords - because you have no idea who I am.

    Eivind.

  • by Anonymous Coward on Wednesday March 03, 2010 @10:08AM (#31344834)

    How did you get this far down before making a comment and not see one of the earlier comments about how the mayor WAS the only legally constituted authority who could ask for the passwords?

  • Re:Men like these... (Score:3, Informative)

    by haruharaharu ( 443975 ) on Wednesday March 03, 2010 @01:01PM (#31347318) Homepage
    Well, surrendering a master password to persons unknown on a conference call isn't what I'd call responsible.
  • Re:Men like these... (Score:4, Informative)

    by Critical Facilities ( 850111 ) * on Wednesday March 03, 2010 @01:26PM (#31347660)

    Well, surrendering a master password to persons unknown on a conference call isn't what I'd call responsible.

    Nice try. While there were people on a conference call in the room, that's not the whole story. An excerpt from this article [computerworld.com] clearly states:

    That afternoon Childs "unwittingly" found himself in a surprise meeting in the city's Hall of Justice, where he maintained network facilities. At the meeting were his boss, DTIC Chief Operations Officer Richard Robinson, San Francisco Police Department CIO Greg Yee and human resources representative Vitus Leung. On the phone were engineers, listening in to confirm whether the passwords he gave were correct.

    I think his boss and the COO were quite qualified to meet the "need to know" requirement.

  • Re:Men like these... (Score:3, Informative)

    by IICV ( 652597 ) on Wednesday March 03, 2010 @01:53PM (#31347972)

    I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group. When they laid me off, I was locked out of everything, according to my own plan. The plan stated that if any admin with substantial rights were to leave the company, all keys and passwords must be changed immediately, preferably between the time they were brought into the office to be told they were gone, and the time they walked out.

    So you mean that someone who wasn't authorized to have the passwords didn't ask you to hand them over while on a speakerphone conversation with an unknown number of potentially unauthorized people on the other end? All totally in contravention of your password policy? Because that's what happened to Terry Childs.

  • by natehoy ( 1608657 ) on Wednesday March 03, 2010 @01:59PM (#31348044) Journal

    Yes, it is.

    Sorry, but even though he is not employed there, he still has access to sensitive information. I'm sure he was under several covenants signed as a condition of employment and continuing for some period after employment.

    Otherwise, he could literally go to the Chinese, passwords in hand, and sell that information to them .0000000001 seconds after calling his boss and saying "I quit!"

    I know most jobs I've worked have confidentiality agreements that require that I keep company information confidential even after my employment is terminated (for any cause), and I can be sued if I violated those covenants.

    Once he was no longer a part of the infrastructure, his only known authentication of someone who can get the information is an elected official. The Mayor could have directed him to give the information to a designee, but the Mayor decided to get the information personally. Unfortunately, the people the Mayor brought in didn't actually know how to use the passwords, but Childs disclosed what he was asked to disclose to the only person he clearly knew retained authorization to it.

    I can't personally think of another way he could have ethically fulfilled his responsibility to the city while following the procedures (which you can find on the Web, by the way) he was required to follow.

  • by natehoy ( 1608657 ) on Wednesday March 03, 2010 @02:20PM (#31348332) Journal

    On the other hand, there's no reason that he couldn't have remembered them and just given them up.

    But there are. If you look on the city's IT site, you will find the IT policy. Around page 23, IIRC, you'll see the rules under which you can divulge passwords. There are three specific rules that are important:

    1. Don't do it over the telephone.
    2. Don't ever tell your boss any password.
    3. Don't ever divulge any password in the presence of anyone unknown to you.

    They dragged him in a meeting room at the police station where he was doing some wiring work, filled the room with people he didn't know, initiated a conference call over a speakerphone, told him he was being transferred, and asked him to recite the passwords.

    Umm, what did he do wrong by saying "NO"? He was, at that time, still an employee. He was bound by policy not to divulge the information under those circumstances.

    Then he was fired.

    At that point, he had no obligation to give the passwords up any more, and was probably bound by a nondisclosure agreement that would be violated if he HAD given them up. So his logical course would then be to go home and do his best to forget the passwords. His employer shitcanned him because he tried to follow their rules and they didn't like it.

    There is no rule in the City IT policy that says you need to give up a password when asked. However, there was one that any "system" passwords (as opposed to "user" passwords) needed to be in a central secure database, and it's up for discussion as to whether he did in fact violate that policy. If he did, then there was an obligation to disclose it, but then the question becomes, to whom?

    He offered to divulge the passwords to the only person he KNEW was authorized to receive them - an elected official. The Mayor agreed to accept the passwords, and he gave them up. The Mayor, as an elected official, is then authorized to hand the passwords off to anyone else he chooses.

    Then the passwords didn't work because the people the Mayor gave them to apparently didn't understand how the network was configured.

    If the City is still unable to access the network, they need to acknowledge that Childs was following THEIR rules when he refused to cooperate, apologize, release him with back pay, and ask nicely for him to come back for a short-term consulting gig so he can teach his successor how to run the network. At which point, the successor changes all the passwords, Childs loses all access to the network, and gets a nice letter of recommendation stating that his ethical standards at protecting information he is charged with protecting are so high that he's willing to go to jail rather than violate them.
