Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
Re:honestly... (Score:5, Insightful)
They didn't "allow this person to get complete control of essentially EVERYTHING", they paid him to do it and not tell anyone the password except the mayor.
Technically, he should get a bonus instead of boned
Re:honestly... (Score:5, Insightful)
> No, I haven't read the links or anything else. But it needs to be said.
Yes, ignorance always leads to well-reasoned opinions.
Please Read the History... (Score:5, Insightful)
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
Did he really? (Score:5, Insightful)
The fact that the case has dragged on this long and that some of the charges have already been dropped seems to highlight the fact that there is some doubt as to whether or not he actually broke the law.
Re:I don't think so... (Score:3, Insightful)
What 12 guys in a room decide they collectively think happened has no bearing whatsoever on what actually happened.
Pity ... (Score:1, Insightful)
Pity he doesn't have a jury of his peers, so he's basically gonna get crucified by joe & jane blow citizen (good citizens who convict evil hackers like the prosecution wants).
Re:Please Read the History... (Score:2, Insightful)
Ok... I gotta know. Why troll? Whoever modded this - I don't mind a genuine disagreement of opinion. But seriously - I entreated the readers to actually know the story. Yes, I'm new here. But why troll? Post anonymously if you have to, but please explain - why did you think I was trolling?
Re:Really? (Score:5, Insightful)
"He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus"
The city's property? Who the hell is "The city"? Did "The city" appear and he refused to give the passwords to him (or is it her?)? Or are you implying that since it was "the city's property" he should give the passwords to any citizen that would happen to ask for? Because as soon as he was asked for the passwords by the proper person (the mayor) at the proper environment (face to face with him without unknown people at sight) he indeed promptly passed them out.
"then IT Managers will be able to hold sway with the passwords."
You can bet no IT Manager would tell the passwords to the janitor no matter how much "the company's janitor" it is.
Re:Oh shut up (Score:4, Insightful)
You are not a real, proper IT geek until you've either been fired or quit over this sort of nonsense.
Securing systems from morons is just part of the job.
Re:Oh shut up (Score:5, Insightful)
> It is real simple: Whoever owns the systems, and their designated agents, have a right to have access.
Yeah, say that with a straight face to the guy demanding the root password because he read "it was important", and you got a call last week from him asking you to change his desktop wallpaper because "it got stuck". IT admins not going in for that kind of nonsense is a compelling reason why large sections of the internet don't slide off the side of the planet in a dribble-like fashion.
This guy was responsible for critical public infrastructure -- infrastructure that kept working for months after they fired him. They broke it repeatedly after gaining access, and it took hundreds, if not thousands, of billable hours to repair the damage that happened when those owners and their "designated agents" got their hands around the gooey core of the network.
Justice is about harmony, not law and order.
Re:Oh shut up (Score:4, Insightful)
> It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple.
It's so simple, it sounds like that's exactly what Terry Childs did. He may have withheld access from a "designated agent" for a while, but he had no way of verifying exactly who the designated agents were. Would you suggest he just take their word for it?
Re:I don't think so... (Score:4, Insightful)
It's not as clear cut as that. From what I understand, he was operating under a specific protocol for release of the passwords, that excluded the possibility of him handing them over to his bosses at their request.
So what's more important -- following the established rules, or doing as your boss says? In a perfect world (not that we operate in one), the rules are more important than the individual. If the boss wanted the passwords directly handed over, then the boss should have gotten the rules changed to allow that.
Just because someone is your boss doesn't make you their slave. And if you believe your boss is doing something wrong, it is morally incorrect to do as you are told, even if you document your protests.
Although, it does seem likely the guy was being a jerkwad... that doesn't mean he was an incorrect jerkwad, or a jerkwad acting illegally.
Re:honestly... (Score:5, Insightful)
Re:honestly... (Score:2, Insightful)
Re:Really? (Score:1, Insightful)
He did his job. He followed the letter of the law, and has already spent quite a bit of time in jail for doing his job properly. This is (once again) mental instability run wild. Just a week ago I heard of a terrible plane crash in which case nearly 100 senior government officials died when the leader of the country (who shall remain anonymous) perhaps (and we can only guess) ordered the pilot to land in dangerous situations. The now deceased leader had ordered pilots to do dangerous things before, and they refused before, only to lose their job and reputation and face the wrath of the state. This one obeyed and nearly 100 died (including the pilot). Getting back to this case, the mayor clearly overstepped his bounds, and did not follow his own rules. If it were an airplane instead of a computer network, many could have died. There are rules in place to protect all parties. It's when ass-hat administrators overstep their bounds of authority and common sense, that disasters occur. It's one thing to be voted in, but being voted in doesn't mean that they are suddenly experts in everything. There are technical things in this world that require technical expertise. Ignoring that fact can cause royal disasters like this. Why this guy has spent so much time in jail is absurd. My wish is that the city lose its entire IT staff, and that they get HaXored till there is little left to protect (and then all the elected officials lose their jobs and face equal jail time).
Re:I don't think so... (Score:5, Insightful)
Re:I don't think so... (Score:1, Insightful)
No, you have it wrong... He was not a jerkwad that refused to give his boss the password......
HE HAD NO BOSS.
They already fired him! This is such a big point.
Then they realized that they were idiots who had only one person working on the entire network... And no one else knew the first thing about it.
That was the superior's fault, not his.
THEN they asked this guy, who worked his butt off on the network only to be fired by a 'superior' who doesn't know a network from a CPU, who already tried to get him fired without cause 'because he is a quiet type who does not fit in'.
"Um, hey, yea, you don't work for us anymore, and even though I don't actually know what your job was I decided you don't know how to do it...
And even though it would actually be breaking our own rules and possibly the law.... Um yea' will you give a room full of unauthorized people and an open conference call your admin passwords to the entire city wide network?"...
THEN they arrest you? Then they say that because he could VPN from home when he got calls in the middle of the night he was 'hacking'.. Etc.
Read up on the case.
If I get fired I won't screw anything up, but I sure as shit am not giving my 'superior' one more second of my time. I have no legal responsibility to do or say anything my 'superior' wants... Even if he is the butt buddy of some cops and DA's.
Re:Oh shut up (Score:5, Insightful)
Just that simple, huh? So let's say the Dean for Admissions demands you give him the organization-wide root or domain admin password. Will you? What if it's the dean for admissions, two members of the board of trustees, the chief of campus police, and a computer lab tech from the biology department, and all want you to give the password to the lab tech?
If the policy states you shall not give the password to anybody but the CIO, and all of these "designated agents" come to you and demand the password... are you going to give it to them?
Let's say you quit your job, and three days afterward they call you asking for the passwords. How do you know if the policy changed? Maybe the CIO was fired. How do you know these are still the "designated agents"?
These are the types of problems that arise from this prosecution. The law gives organizational policy the force of law, without realizing its limitations. So before you tell us to "shut up", you might want to think about the ramifications of that first.
It's hard to believe Childs will lose this thing (Score:3, Insightful)
That Childs acted maliciously, that he was trying to cause harm to the network. I have seen no real evidence that supports this idea. The city tried to say that he did it to keep them from firing him.
They also have to prove that his actions actually caused damage. This is problematic because the network never actually went down, his actions didn't cause damage. The city uses the twisted argument that the fact that they were unable to prevent Childs from accessing the network was damage enough, that Childs was the one they needed to defend against.
I did not sit through the trial, but it's hard for me to believe that many juries would find this to be true beyond reasonable doubt.
And are irrelevant on termination (Score:3, Insightful)
The organization's policies are no longer any of your business once you leave their employ. They're not law. If they want to violate them, that's their concern, not yours.
He's fucked (Score:3, Insightful)
Wait, you mean his fate is in the hands of 12 clueless "average" citizens?
He is truly fucked.
Re:But he wasn't in charge of the network (Score:5, Insightful)
True enough.
The way we do it:
We have 5 USB tokens. To override a root login requires 3 of the 5 keys. Done deal.
In addition, I have a sealed envelope. My boss's boss has it locked in his desk. If I go AWOL all he has to do is open it and he's golden, keys to the castle are in there. I take the old one and replace it every 90 days.
Point is that if an admin wants to be a dick there is little you can do to stop them, however, an admin refusing to give out keys to anyone but pre-authorized people is admirable, not criminal. In the same boat I've done similar, but fortunately for me my boss had my back, rather than knifing it.
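The "3 of the 5 keys" arrangement in the comment above is a threshold scheme. The following is an added example, not part of the original comment or the commenter's setup: the comment does not say how its USB tokens work, so the use of Shamir's secret sharing, the field prime, and the function names here are all assumptions.

```python
"""3-of-5 break-glass recovery with Shamir's secret sharing (illustrative)."""
import secrets
from itertools import combinations

# Assumption: the Mersenne prime 2**521 - 1 as field modulus, large enough
# to hold a 64-byte root secret as a single field element.
PRIME = 2**521 - 1


def split_secret(secret: bytes, threshold: int = 3, shares: int = 5):
    """Return `shares` points (x, y); any `threshold` of them rebuild `secret`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Prefix 0x01 so leading zero bytes survive the bytes -> int round trip.
    value = int.from_bytes(b"\x01" + secret, "big")
    if value >= PRIME:
        raise ValueError("secret too long for this field")
    # Random polynomial of degree threshold-1; the secret is its constant term.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    # One point per token holder; x = 0 is never handed out (it is the secret).
    return [(x, evaluate(x)) for x in range(1, shares + 1)]


def recover_secret(points, threshold: int = 3) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares supplied")
    if len(xs) < threshold:
        raise ValueError("not enough shares to meet the threshold")
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 1:
        raise ValueError("shares do not decode to a valid secret")
    return raw[1:]


def every_quorum_recovers(secret: bytes, threshold: int = 3, shares: int = 5) -> bool:
    """Check that each possible group of `threshold` holders gets the secret back."""
    pts = split_secret(secret, threshold, shares)
    return all(recover_secret(list(q), threshold) == secret
               for q in combinations(pts, threshold))


if __name__ == "__main__":
    # Constructed sample secret, standing in for a root recovery credential.
    root_secret = b"\x00constructed-root-recovery-key"
    tokens = split_secret(root_secret)
    print("any 3 of 5 recover:", every_quorum_recovers(root_secret))
    print("holders 1, 3, 5:", recover_secret([tokens[0], tokens[2], tokens[4]]))
    try:
        recover_secret(tokens[:2])
    except ValueError as err:
        print("two holders:", err)
```

Re-running `split_secret` produces a fresh, incompatible set of shares, which is how a periodic replacement like the 90-day envelope swap would be done for tokens.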
Re:Really? (Score:5, Insightful)
technically correct; The best kind of correct.
Re:honestly... (Score:3, Insightful)
Wow... Just wow.
In times like this, I think the media is your best friend. Surely, there has to be some local investigative TV reporter who likes going after government excesses. If I were involved, I'd play it to the max and do everything humanly possible to get this retarded governmental behavior plastered all over the 6:00 news, and use the investigator to go after the state reps and senators to put pressure on these buffoons.
You and your daughter deserve public apologies and reparation from everyone involved (who in return each deserve a firm kick in the ass). The only way it's going to happen is to make it visible. Just sayin'
Re:Really? (Score:3, Insightful)
Yes, The City did appear, or at least its duly elected representative, 'The Mayor of The City', who told him to give up the keys, to which he refused citing some more bullshit about it being an unsecured facility ....
There are also several other people that represent the city and most likely are legally allowed to assume responsibility of infrastructure in the case of emergencies, the City Manager is the first that comes to mind.
This really isn't that hard to comprehend if you're older than 8 years.
Re:honestly... (Score:3, Insightful)
Re:honestly... (Score:3, Insightful)
> I think, what most lay people don't understand is that the rule: 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins
No kidding; every time I get a user who starts saying "do you need my password? It's Fluf-", I start plugging my ears and loudly saying "NO NO NO NO NO". Once they stop, I explain: 1) never share your password 2) when it is absolutely truly necessary, like life or death, never say it out loud unless you're in a cone of silence, watch the person you shared it with, and change your password immediately after they're done. 3) I don't ever want to know your passwords, ever.
Think Duress (Score:3, Insightful)
The moment Childs was threatened with jail by a credible governmental threat, then he should have surrendered the passwords.
Dude is a hardhead.
Re:justifiable homicide (Score:3, Insightful)
This guy took over this system because he felt entitled and a sense of ownership. He created a little fiefdom which grew in power as the department was gutted due to budget cuts.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case [cio.com.au]
Then he got all uppity because someone else was auditing the network, oh someone of higher rank than he was. And then he threatened that supervisor into running away from him and hiding in their office.
It sounds like he was full of himself, the hard work he had done and felt like he should have all the power over it.
http://www.cio.com.au/article/253823/why_san_francisco_network_admin_went_rogue [cio.com.au]
I wish I were on the jury so I could vote guilty.
Re:Oh shut up (Score:5, Insightful)
Horseshit. Refusing to comply with an order when that order is illegal or against the rules that both parties operate under is definitely justified.
So it's all about CYA? That's weak, man. What if Terry was truly interested in maintaining security over the systems? What if Terry suspected his boss would plant evidence to condemn him?
I don't want to invoke Godwin's law, so I won't directly. But you do understand the implications of what you're saying, right? That as long as you're following orders and documenting that you believe it's against the rules, then you're OK, because it's the easiest way out for yourself?
Screw that. Principles are more important than CYA, and I've put my money where my mouth is on that issue on more than one occasion.
Re:honestly... (Score:3, Insightful)
Which media?
There was a time when reporters really cared about getting stories to the public. They even attempted to elucidate some measure of "truth", using certain ethics and journalistic principles which they held dear.
Today, thanks to the concentration of media ownership in the hands of a very few corporations, and the subsequent gutting of news departments and purging of investigative journalists, the news has become little more than a collection of press releases and political hit pieces. Syndicated columnists make up a larger part of daily newspapers than ever before and local television news has become five minutes of fires and arrests wrapped around 10 minutes of network stories wrapped around 15 minutes of commercials.
Everyone is chasing the 24 hour news-free news cycle. There is no one left to report stories like this one.
Re:But he wasn't in charge of the network (Score:5, Insightful)
Do you really want to go down the rabbit hole of advocating that a company has the legal right to enter a person's memory to retrieve/remove their "intellectual property"? Because if so, please go find some other universe and don't come back.
Re:honestly... (Score:4, Insightful)
Well, when someone at a C-level asks the IT admin person for some password there are really three choices:
Those are pretty much the choices. There is no #4 where you get to "do the right thing" and walk away a free man. The fact that he had already left the organization meant his real responsibility was over. Trying to "save the organization from itself" almost never gets you anywhere and carries huge risks. Terry is about to experience the result of these huge risks.
My guess is the jury takes about 10 minutes to return a guilty verdict.
Re:Really? (Score:1, Insightful)
Straw man arguments are lies.
Re:Oh shut up (Score:2, Insightful)
You handle it gracefully and politely, while covering your ass. You point out that the current policy says you'll get fired for just giving out the passwords - so you ask your boss for some guidance on how to resolve the situation properly - their need for access and your concern about policy (or whatever). You work together... not against each other with policy as a hammer.
Re:He's fucked (Score:3, Insightful)
> These people are hardly average. Juries consist of 12 people who are not smart enough to get out of Jury Duty.
You assume that everyone is a self-absorbed shithead who doesn't give a fuck about his country or the justice system, and not just you. It's also worth noting that the easiest way to not be selected for the jury was to be a dumbass.
I've served on a Jury, and except for the filling out forms and waiting around part, I was interested, honored, and proud to be entrusted with that kind of responsibility. Self-important assholes who think they are a lot smarter than they actually are are better off not being selected anyway.
The only part of the experience that sucked was I went through the whole thing and ended up being the alternate, and didn't actually get to deliberate.
> In front of a Jury of admins this guy might stand a chance. But it is entirely plausible that anyone with any knowledge of computers was selected out of this Jury (to avoid any preconceptions). Given that this trial is related to Childs's professional conduct, the logical course would be to select a Jury of fellow techies (his true peers). Unfortunately, our legal system just does work that way.
Frankly, you obviously have no concept of what a jury actually does, or who a "peer" is. A "peer" isn't related, in any way, to your job. You are not defined by your job. Frankly, if the prosecution cannot argue their points to a layman juror in a way they can understand, it will be easy to introduce doubt. Reasonable doubt is pretty strict - it means you believe that the defendant's explanation is at all reasonable, in light of the facts presented, then the prosecution did not prove their point. This applies to every single point of law in the case, and there are always at least two, often three, and sometimes four or more points to prove. The prosecution must convince a jury that it is not reasonable to think anything but the prosecution's interpretation of what happened is what actually happened. Obviously there is rarely any way to be absolutely certain of anything, but reasonable doubt is only one step below that. Only a sociopath would not recognize the gravity of the situation and not take the job seriously.
Most of this case centers around things for which technical skill has absolutely no bearing. For example, whether or not Childs had malicious intent, and whether or not any damage was actually done. In fact, in a lot of cases overly technical people would get wrapped up in stupid details that mean next to nothing and would be a horrible judge of either of those.
Childs is in a very good position on both, because the network ran fine up until he gave up the passwords and his bosses started mucking with the system. The prosecution is going to have a hard time proving he booby trapped it, which is essentially what they will have to do.
Re:It's hard to believe Childs will lose this thi (Score:3, Insightful)
Nope, he need merely say "evil hacker", blow a lot of smoke, and the jury will convict.
Re:I fail to see how this puts me in danger (Score:5, Insightful)
> (which btw, people further up the food chain, including the highest ranking person there, told him to ignore in this case)
The highest ranking person there doesn't mean shit if the highest ranking person there isn't authorized by the city to make such a decision.
What happens if you give the passwords to someone who, according to the IT Security policy which you had to sign a binding legal agreement to uphold, is not authorized to have the password and it leaks out, putting the entire infrastructure at risk?
What then? That's pretty much exactly what happened here. The people who were telling him to ignore the policy did not have the authority to tell them to ignore policy - it was binding on them too!
I'll tell you what happens if he gives the passwords to people he shouldn't. In the case of a private entity, not only can you be fired (and rightly so), but if your actions led to the leaking of information that must be kept secret by federal privacy guidelines then you can be held criminally and civilly liable as well. In the case of a government entity, it's almost a certainty that you can be held criminally liable. This system absolutely had sensitive data on it, and it was part of his job to make sure it did not get out.
So what the hell are you supposed to do? Give up the passwords in spite of security policy and go to jail when stuff breaks or private data leaks, or refuse to give up the passwords and go to jail anyway? What the fuck man? I'll admit, it sounds like Childs was being a dick about the whole situation, and had he been more diplomatic he could have defused the whole thing early on, but what if it's your bosses being dicks, and nothing you do to try to do things the right way works. I've seen office politics, and some people know how to stir up a shit storm in a hurry to get rid of someone they don't like.
In any case, nobody should lose two years of their life for no better reason than they were being a bit of a dick at work.
> There are REALLY simple ways to handle these solutions.
You're right, and they were laid down in policy format, and his bosses didn't follow them.
> When are admins going to realize they are nothing more than computer janitors?
That's funny, they get paid a hell of a lot more than janitors do.
Re:Oh shut up (Score:5, Insightful)
Imagine that you're a general contractor, doing home improvement work for Bob and you hire a locksmith to install locks. When they finish the job, they refuse to give the keys to you, and only to Bob, because they're worried that you might make your own copies before you give them to Bob? Do you have them arrested and thrown into jail, or do you just have Bob get the key from them?
How about the same situation, but now you're Bob. You come home, your general contractor is out to lunch, and the locksmith has just finished up, but he doesn't actually know you, just the general contractor and so he won't give you the keys? Once again, do you treat this as a criminal situation, or do you just call your contractor and have him sort it out with the locksmith?
Once again, same situation, but now you're the locksmith. You've just finished up. Neither the contractor, nor Bob is around, but Bob's ex-wife arrives. You've met her before, so you know who she is. She seems to be free to come and go when she comes by shuttling their child back and forth. She was even in charge of the renovation project, even picking out the new doors and doorhandles you've just installed locks in. However you've never actually seen her there when Bob wasn't home and you don't know if she's actually supposed to have her own key. She insists that you give her the key. Company policy says that you're only supposed to give the key to the homeowner, and she doesn't seem to quite fit that definition. So, you insist that you'll give the key to Bob and he can make her a copy. So, she calls the police and has you arrested and thrown in jail. Then Bob comes to your cell and you give him the key as you said you would. Then you get held over for trial with bail set ridiculously high even though you're not a flight risk, on the justification that you could break into Bob's house even though the locks have been changed again. Let's face it, of course you could break in, you're a locksmith, but what have you done that makes anyone think you'd be likely to?
Re:justifiable homicide (Score:3, Insightful)
> I wish I were on the jury so I could vote guilty.
Is this the kind of justice you have down under? All it takes is just one guy writing a story based on one long email that he received from an anonymous source, and you're ready to hang the defendant despite the fact that you haven't heard anything from his side yet. Wow!
Re:honestly... (Score:1, Insightful)
> Welcome to America. My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area, the asshole federal building superintendent called up his asshole brother cop and he wrote it up. She did no damage to the door, they have no evidence, the cop was not even there.
Is this the same asshole federal building superintendent who repeatedly made sexually suggestive remarks and advances to your eighteen year old daughter and who threatened her with legal problems if she didn't accede to his lascivious demands?
*hint* *hint*
Re:honestly... (Score:3, Insightful)
Re:Really? (Score:3, Insightful)
> He may well have been a dick, and he probably could have defused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
True. But it does mean that I and many others like me aren't going to get all up in arms about it, because most people don't feel sorry for dicks.
Re:honestly... (Score:1, Insightful)
That link doesn't say anything either way about whether he was asked before or after he was fired, only that "events are unclear" for that time period.