Terry Childs's Slow Road To Justice 253
snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"
$5 million bail (Score:4, Insightful)
How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?
Any one planing to give him job after this? (Score:4, Insightful)
As many HR people not look pass the 2 years in jail even if he is not guilty and even then they may not want to pay the health care costs for some like that.
Re:Sure they could have been readily used. (Score:5, Insightful)
Here is my question: is the entire city run this badly, or is it just the IT department?
Re:Any one planing to give him job after this? (Score:5, Insightful)
Nah, he's pretty much fucked. In an honest world he'd be rewarded for being such an upstanding citizen standing against corruption and incompetence.
In this world we've got whistleblower laws because nobody wants to hire an honest man.
Root of the problem (Score:1, Insightful)
The problem here is one of who has the authority to what and what safe guards are in place. Haveing worked in serveral large companies, this would never have happend. The rule ussually amounts to the "root level" passwords must be varified by two people then two sealed evelopes containg the passwords with the signature of the people that varified them were placed in a high security safe that was not controlled by IT but by legal. People had differnt levels of access and either had access to the system password if needed however most anything was done with "extended" privilage accounts issued to individual users. System level login was highly discuraged as it lacks most of the AAA of network security. This proccess was part of a number of policies from "the bus crash" to the data center has been leveled by a force of nature. bottom line is that no one person should ever have oporation critial data only in thier head.
This guy gives network security and network oporations a very very bad name. Granted the jail term is a little over the top but what this guy did is wrong on so many functional levels.
This story reminds me of NBC's Dateline (Score:2, Insightful)
It's been 8 weeks since Terry Childs' trial has started. Tonight on Dateline we will talk extensively about the trial and everyone even remotely connected to it, but true to our format, at the end of the hour you won't know if he's innocent or guilty because the trial isn't over.
We will only learn the truth over the course of future Dateline episodes and when we are finally done with the story you'll still wonder if he's guilty or innocent.
Re:Sure they could have been readily used. (Score:2, Insightful)
Incompetent? No, you misunderstand. They're very competent. At keeping their jobs and getting reelected that is, of course. You seem to assume that they want the truth or justice or something else. That's silly talk.
Had he gone in wanting to get the passwords then the city may have come out as idiots for putting Childs in jail in the first place. The goal is to make Childs look as bad as possible, innocent or guilty doesn't matter as long as the politicians don't look bad for being idiots for starting this whole mess.
reading through the comments (Score:4, Insightful)
encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes.
Actually reading through the comments on the article, it seems most of the emotion is coming from people upset at the mayor Gavin Newsom, more than they are based in any actual sympathy towards the defendant. Like this example comment FTA,
The computer hacker would have been treated with more dignity and respect if he were an undocumented alien with a murder wrap on his head. Kamala Harris would have backed him up.
It is nominally suggesting that Childs was treated badly, but in reality the commenter is more upset with the mayors immigration policies. The comments that look at Childs disfavorably also seem to be the ones that favor the mayor. In the court of public opinion, Newsom was on trial here, not Childs.
Re:Sure they could have been readily used. (Score:5, Insightful)
But, the prosecutor who slapped five million dollars bail on Terry Childs needs to be taken down, have his political career ended over this. The judge who approved the bail (different from the judge presiding over the trial) also has some explaining to do. ITS COMPUTERZ AND SCARY AND DIFFERENT AND I DONT UNDERSTAAAAAND is not sufficient reason to take away 2 years of a man's life, no matter how big an aspie asshole he might be.
Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.
Re:Sure they could have been readily used. (Score:3, Insightful)
In the case of a sweet target like a government network, it would be negligent to let anyone anywhere connect to try a few passwords. Sometimes it's best to restrict enable mode to serial console.
System incapable of Justice. (Score:5, Insightful)
"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."
Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.
Re:The Mayor's Testimony (Score:3, Insightful)
Newsom represents the best of breed in SF liberalism. They are only for protecting rights and freedoms when it's THEIR rights and freedoms.
Since this guy is a nobody who's being showed who his daddy in by the SF government workers, it's not Gavin's concern at all.
To him, this guy deserves to rot in jail at the behest of some ticked off department head.
The sad thing is, this guy's life has been irreparably harmed by this incident, an acquittal will do nothing but put him out on the streets.
By now I'm sure he's lost his home and possessions. And the lawyer will take whatever is left in the bank.
Frankly, he'd be better off being found guilty and being handed the life sentence he apparently deserves in accordance to that $5 million in bail.
Re:Any one planing to give him job after this? (Score:5, Insightful)
"As many HR people not look pass the 2 years in jail even if he is not guilty and even then they may not want to pay the health care costs for some like that."
PR like this puts him into a category beyond HR people. Speaking tours are one possibility. If he continues to work in IT, CEOs will be making cold calls to him personally.
Re:Any one planing to give him job after this? (Score:1, Insightful)
of course, everyone wants to hire someone who treats the systems they work on like there own property. I don't see what lessons he would have to teach on speaking tours.
Re:Sure they could have been readily used. (Score:4, Insightful)
Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.
The thing that worries me the most is that if you are the defense, and you see a juror who is clearly totally non technical and "ITS COMPUTERZ AND SCARY", you kick them from the jury list. While if a juror is tech savvy, the prosecutor will kick them as you will no doubt side with the technical guy who was doing his sysadmin job.
I really wonder who that leaves to be on the jury for this. What is the jury comprised of? To really be a good juror on this, you should have at least some understanding of things technical, yet be impartial enough to be able to make the correct call on the legality of it.
Just who fits into that bucket? I can't think of anyone I know. Either all techies to the bone, or so nontechnical that I could not fathom how on earth they could hold this man's freedom in their hands without buckling.
Re:Sure they could have been readily used. (Score:3, Insightful)
He might have foregone AAA on some critical devices, since he was not distributing access to many people but keeping it solely to himself... or (rather) since he [was] the only person who had all the keys. The prosecution's theory would kind of fall apart, if he was using AAA on the network, and admins' could add additional router admins at any time...
Reportedly an initial issue was childs' use of no service password-recovery. As a security compromise to his preference of leaving startup config blank on certain devices, for security reasons.
If they had suspected he did this on the core routers, then there's no way they could risk rebooting them, without a lot of acceptable downtime and one hell of a disaster recovery plan...
However, that was likely a one-sided few favoring the prosecution. If Childs' in fact did not do that (and never said he did) remove startup configs or 'no service password-recovery' on physically secured core equipment, then their fears are not his fault..
Childs may have only told them what he was able to think about to mention.. kind of tough to fill someone in when you don't know what exactly they don't know, what they need to know, etc, etc, and they are impatient / arrogant (as many manager types can act, esp. when they think they are not getting what they want).
Also, you can't exactly search through your own notes, and write usable notes with access details intended for someone else, while sitting in a jail cell.
In other words, by overreacting, grabbing him, and throwing him in jail, they probably made it more difficult, or even impossible for him to provide the very type of information they were wanting....
Re:How about men like that dumb mayor? (Score:3, Insightful)
Competence (Score:4, Insightful)
Criminalization of competence. non story.
But seriously, see how things are taking shape?
I don't get it - with a bullet. This guy behaves appropriately and ends up in jail?
At some point you realize that it isn't incompetence. It's their goal.
Communication is only possible between equals.
You can't herd Cats ... but you can move their food.
Re:How about men like that dumb mayor? (Score:5, Insightful)
So you're saying it's time for a new national byline eh.
"Arbitrariness, Security and Hidden Agendas"
No, doesn't flow off the tongue right.
"Commercialized warfare, industrial subjugation and for-profit courts"
No, that's too wordy...
"Injustice, slavery and lies"
Hmm... I think we have a winner!
Re:Sure they could have been readily used. (Score:5, Insightful)
The openness of the corruption in San Francisco is breathtaking. It's like you're in a noir movie. The mayors are all stock characters from central casting, the police department is on the take, the department of public transportation has a running scam going with the largest towing company, and there's a water scandal (google Raker Act) right out of Chinatown. All that's missing is a shifty little midget trying to slit your nose.
Hang on, someone's at the door.
Re:Both sides behaved terribly (Score:3, Insightful)
But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.
I beg to disagree. As an engineer public safety is top of our concerns and it is part of the ethics I abide by everyday. A safety concern overrides everything else, until the concerns has been addressed. I still remember I had a discussion with my boss basically he went "I won't stop you from doing anything unless it is unsafe or you are about to make a major mistake", and my reply was simply "I won't follow your order if I know in full will that it will creat an unsafe environment." He agreed with me that that is what I get paid to do, to do things right and make sure no one gets hurt.
I see Mr Childs did just that. Properly secure the network and only give the password to somone who can truely be trusted, when he knows in full will that his immediate supervisor and related management team has no clue and unqualified to make technical decision and is about to creat a major security vulnerability over major accounting information that should have been kept under guards! In a sense he IS protecting public safety and therefore should not, and truely cannot be tried to keep public safe and secure. Too bad that the jury probably won't truely understand it and Child will most likely be sentenced for a very long time with the keys thrown into the pacific ocean.
How ironic that this happens to the most liberal city of United States and is the hometown of our Speaker of the House, Nancy Peloci. I don't see her standing out to protect the weak who are truely in need in this incident.
Re:Men like these... (Score:4, Insightful)
The difference in your car analogy is that the Hummer doesn't belong to you. It's more like leaving the vehicle with a valet. When you go to pick up the vehicle, the valet refuses because he doesn't think you can handle driving it.
It was the cities network, not his personal playtoy, regardless of how he felt about it.
I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group. When they laid me off, I was locked out of everything, according to my own plan. The plan stated that if any admin with substantial rights were to leave the company, all keys and passwords must be changed immediately, preferably between the time they were brought into the office to told they were gone, and the time they walked out.
Despite the fact that I was there for 8 years, and despite the fact that I felt all the servers were my electronic children, the moment I was laid off was the moment that it was no longer mine to say anything about. I was only a caretaker on behalf of the owners. If/when they choose that I am no longer the caretaker, I have no control nor responsibility to that network.
Another company I worked for improperly terminated me. The moment I was told to "fuck off" was the moment that I had no responsibility to anything they owned. I was contacted later by someone for assistance on a project I worked on. The guy contacting me was a nice guy, and he wasn't asking for much. My responses were.
1) I don't work there any more. Go away.
2) They fired me, and I wouldn't help them with anything. Go away.
3) You're a good guy, here's the answer.
Those answers were in sequence in one email. He admitted that he expected the first two answers, but was pleased to get the third. They could have gotten another developer in there to figure out what I did. It really wasn't hard, and a good developer could have done it in about 10 minutes. It's not advantageous for anyone to burn bridges. My contacts there may land me my dream job sometime in the future. Terry Childs will have an awful hard time convincing anyone that he isn't a threat to the continuity of their projects.
Re:Both sides behaved terribly (Score:5, Insightful)
When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)
If they have fired him first then ask him, that is no longer insubordination. At that point all he had to follow was the simple ethic rules govern the work of a professionals. At no point he is liable to give the password to people who he know will not put it to good use and worse possibly exposing records that were suppose to be kept secure. All I see was they are trying to get him one way or another. If the jury do not give him a not guilty verdit (after being in jain for more than 2 years) I hope the governor of California does. If not I certainly hope Obama will help the "weak in need" in this situation. Child do not deserve to be jailed for what he did. He may be a pain of you know what but he certainly is getting things done the correct way.
Speak of Obama. No one in the military should allow him to fly an F-22 solo (I'm pretty sure he does not have the necessary military training to operate such advanced plane that costs billions of dollars), even if him or Rhom demanded someone to let him fly. Should a colonel (or even a captain) denied Obama access to the cockpit they should not be jailed 2 years and then tried for that. They followed the rules and did their job. Simple as that. It would be endangering public safety to allow him to fly one, not to mention the extensive tax payer dollar that are at risk of being wasted unnecessarily.
Re:Disagreeing with the majority here... (Score:5, Insightful)
Well two things here:
1) You sure about his contract? I see that getting paraded around a lot but I've not seen what the actual contract says. You sure it said "Only the mayor,"? Perhaps it said "The mayor, or any of his authorized agents," meaning things like the director of IT and so on.
2) The only reason it ever got to the point of the conference call and all that was his flat out refusal to hand over the passwords. He did the typical geek thing of "No, you can't have it," and they did the typical government thing of throwing a fit. If his concern was really his contract he could have simply said "Well according to my understanding of my contract, I'm not allowed to give the passwords to anyone but the mayor. So I either need to talk to the mayor and have him ask, or if you think that's wrong I need to talk to our lawyers and see what they say." Let people know your concern and what to do about it, they will probably be reasonable in working with you. Just say "No," without qualification, don't be surprised if they go overboard.
In general geek types need to learn this. Don't tell people "No," don't say "I can't be done," because usually you are lying, even if you don't mean to. Most things are possible, there are just preconditions to be met. So tell people what those are. If they can't meet them, well then they can't have it. However it makes you not the bad guy. It really goes a long way with people's attitudes too. They don't feel like they are being shut down, they are being empowered. They are being told what THEY have to do to get something done.
This goes for all kinds of requests. For example:
--Self important asshat departmental manager comes and says "I need 50 terabytes of space on the central server to store files." Company policy is that everyone gets 100GB for no charge. Don't go "No, you can't have that much space." Instead say "Well the company only gives you 100GB for no charge. If you want more, we can certainly do that buy we'll have to add hardware. That is going to cost $X dollars, which you'll need to provide the budget for. You get me the money, I'll get you the space." Now most likely he goes away since he doesn't have the money to spend. However you aren't the bad guy, you offered to help, he couldn't get what he needed. Also you never know, maybe he say "No problem, I'll have the money transferred to your group today."
--Mid-level manager demands administrative access to his PC. He doesn't have a reason, just says "I need it, you have to give it to me." Company policy is that nobody gets access. Again, don't say no. Instead say "Well company policy is that nobody has administrative access. If you'd like it, you'll need to get a policy exception. Here's a form you can take to the big boss to get one." You have him get permission, and sign something that says he takes responsibility for his actions. Again, you are throwing the ball in his court. He has to go ask for permission and if he gets it he has to be responsible. Maybe the big boss never gives permission, that's not your problem, you aren't the bad guy.
In general, that's how you want to operate. Let people know what they need to do to get what they want, even if what they need to do is something you know they won't do. It will keep them much happier over all, and help insulate you against complaints. If someone goes to your boss or boss's boss and bitches that you said no, you can show that indeed you didn't, you told them what they needed to do. You didn't stop them from doing their job, you showed them what they needed to do to be able to do their job.
The city is in it deep now. (Score:5, Insightful)
It sounds to me that they screwed up badly.
So they keep trying to intimidate this guy. Keep him in jail for years without a trial, make him plea bargain out.
But he won't blink. And if he is found innocent, he has a hell of a lawsuit.
Re:Overstepped bounds (Score:5, Insightful)
As an aside I will mention that I left a previous job amidst huge layoffs and refused to give passwords to anyone but the CEO (it was a little company) because I had no guarantee that any other individual or was the new "keeper of the passwords" and certainly couldn't take someones word for it. Granted, other people had the passwords but we were all in the same boat. My point here is that there are cases where this approach is the only one that makes sense, though I don't know enough of the details here to know to what degree that was true for Childs.
Re:what an idiot (Score:4, Insightful)
Agreed. It's stupid and downright Quixotic to hang on to their passwords because of "Policy" when he knows the requestors are the legitimate owners of the equipment.
The right thing to do would have been to say "By policy, you can't have the password, but I have provided the password to N.N. as I am allowed to do that. Talk to her/him."
Hell of a lawsuit (Score:1, Insightful)
I think you're 100% on the money here (pardon the pun).
The current work is to get the guy to settle or plea bargain because it's 100% certain that he will raise merry hell the moment this is over, and he has just cause. The problem is that it is critical that people in court get brought up to speed on what it takes these days to keep IT secure.
Otherwise they will get a judgement that will lengthen this agony even more.
Personally, I think they should try to settle with him, but I think that'll cost more than they have..
Re:Both sides behaved terribly (Score:5, Insightful)
I'm just pointing out his moral responsibility. He should allow access to the network to its rightful owners in a manner that doesn't put it at risk from those without the right to access it.
Then he should wait until they hire someone to replace him and give *him* the passwords. Sysadmins keep middle-management types from getting carte blanche access for very good reasons, especially when politics are involved. We've all played D&D and read comic books; we understand the Paladin mindset.
Re:Men like these... (Score:4, Insightful)
It's not like he had an obligation to ever divulge passwords
[disclaimer] I'll admit, I'm picking on you because yours if the first post I found relating this point (many others seem to hold this same idea).
Why is it that everyone seems to think that Mr. Childs had no obligation to provide these passwords to anyone? According to this timeline [itworld.com], he had not been fired when the demand for passwords was made, rather he was employed, asked for the passwords, and he refused which resulted in his suspension. Some others have gone on to claim that the terms of Mr. Childs' contract stated that he was only required to provide the passwords to the mayor. I have yet to find a copy of Mr. Childs' contract stating this fact, and it seems fairly incredulous that this would be the case (I am not claiming this as fact, merely pointing out that other assertions to this end have thus far failed to point to any documentation).
I fail to see how this man didn't create this whole situation for himself. His egocentric and territorial nature clearly affected his ability to perform his job in the sense that he had deluded himself into a position of ownership in which he believed that he could determine who he answered to. If someone can point us to credible proof that there was specific, written language which allowed Mr. Childs to withhold this information from his superiors (save the mayor), perhaps this would clear up some controversy. Perhaps I fail at 'googling', but I've not been able to come up with it yet.
Re:Both sides behaved terribly (Score:3, Insightful)
Re:How about men like that dumb mayor? (Score:1, Insightful)
In Money We Trust
Re:Men like these... (Score:5, Insightful)
When the COO, your direct boss, and a rep from Human Resources are there
Right in the middle of the "don't" list in the City's policy (which is freely available on the web) was "DO NOT DISCLOSE PASSWORDS TO YOUR BOSS".
So, right there, he cannot disclose it and uphold the policy that he was told to uphold.
According to 4 articles I've read on the subject, he was invited to this "surprise" meeting and there was an active speakerphone with people on the other end.
Right at the top of the "don't" list was "DO NOT DISCLOSE PASSWORDS OVER THE TELEPHONE"
Again, we have a case where he could not disclose the passwords without violating policy.
I agree that he was probably in violation of the "keep your passwords in the global database" policy, and there should certainly be some ramifications for that if true.
But not disclosing the core passwords at that meeting was not an act of defiance or arrogance, although that may have been the basis for the act. Whether wittingly or unwittingly, he was acting precisely in accordance with the policy he was hired to uphold.
I'm not saying he invoked that policy out of a deep sense of honor, it was probably out of a sense of preservation.
That policy is there specifically in many companies to keep managers from doing things that their employees can be blamed for. If Childs had given up the passwords in a meeting to undisclosed recipients, any one of them could have damaged the system, and he could be blamed for it.
My boss and I get along really well. However, if my boss called me in to his office and told me to tell him my password, my answer would be "no". If he wants access to my user profile, he can go through Security and have the password changed, at which point there is a log entry that he requested that it be changed, and I lose access to my profile.
Then, if something is done using my profile, there is a security record that I was not in control of that profile at that time.
I'm not saying Childs acted in exceptionally good faith, but "I don't think you're cleared for that" is a proper response if people who are not cleared for that are present, or if strangers are listening in and you don't even know who they are.
Re:Disagreeing with the majority here... (Score:1, Insightful)
I can't stand that sort of passive-aggressive obstructionism when it's done to me, so I prefer to avoid doing it to others. You want to tell me "no", tell me "no". Don't tell me "Sure, just meet <insert impossible condition> here", because then I'll just think you're an asshole who won't even take responsibility for being an asshole.
Re:Appalling lack of social skills (Score:3, Insightful)
Yes, he could have handled it better. But I'm not at all certain I would have.
The source of my outrage is that Childs is on $5MM bail for essentially being a jerk. Really, in what world is that ok?
Re:The city is in it deep now. (Score:3, Insightful)