Fate of Terry Childs Now In Jury's Hands 530
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
Re:honestly... (Score:2, Interesting)
The city of San Fran was luck to get someone that has a backbone and some moral fiber. He was protecting the citizens of the city against complete IT ignoramuses who happened to hold positions of authority and leadership. If they were even a quarter as competent as him, his actions would have posed no threats what so ever.
The situation is kind of like you closing the front door of your apartment and the landlord can't figure out how to turn the door knob. Why did you close the front door? Cause the landlord wants to store your neighbors' valuables with the door open for all to see. So now the landlord sues you for holding the house and its contents hostage! Oh and btw, if anything gets stolen, its your fault! _You_ should have closed and locked the door!
YES, the case is really that stupid!
so (Score:1, Interesting)
He essentially served a 2 year sentence regardless of whether or not he is found guilty? Awesome. I knew justice is blind, but I didn't realize that it was stupid too. What there wasn't a tracking anklet available? Really 2 years waiting in jail for a non-violent "crime"?
Re:Oh shut up (Score:5, Interesting)
But that isn't true. If the written security policy states that that person, even if it is -your boss- isn't to have the password. Then that person doesn't get the password, no matter how many times they ask. Written policies exist to lay down the foundation and rules.
I've been in similar situations back when I was working as a admin. We once had a executive VP demanding we give the password to a machine to someone not authorized to have it (And no, the VP did NOT have authorization or power to change that policy, he was NOT in charge of security). He threatened to fire us. We told him to go ahead, but that the only people who got the password were our replacements or other authorized individuals. He DID have the power to fire us. But that STILL didn't give him the power to demand that password, or that the security policy be changed.
Companies, and I'd imagine city governments too, have policies and chains of commands on all sorts of things. These things are usually written down somewhere so as to be enforceable. And THOSE are the things that matter. I don't remember ever working as a admin where my immediate supervisor had a root password to anything or his boss. But the good ones all knew that it wasn't their job to know those things, they paid me to keep those secure from people who asked. Even if that meant some pip-squeak with a highly placed friend.
Re:honestly... (Score:4, Interesting)
Welcome to America. My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area, the asshole federal building superintendent called up his asshole brother cop and he wrote it up. She did no damage to the door, they have no evidence, the cop was not even there. (Illinois it's a level 4 felony for doing damage under $500.00 to a federal building. $0.00 is under $500.00)
I'm paying $400.00 an hour to get this dropped because of raging Police and Court stupidity. The DA in that district is a idiot that thinks he needs to be "tough on crime". This should have been thrown away the second the officer turned it in, but new laws require them to pursue everything a cop turns in.
I personally have nothing but contempt for the joke that is our judicial and legal system.
My solution in the past (Score:5, Interesting)
I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.
This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.
Min
Re:Oh shut up (Score:5, Interesting)
Who owns those systems? Not his boss -- the City does. And the City did not give his boss authority to get the passwords directly from him. The City established a set of rules for transferring the passwords, and his boss tried to circumvent those rules.
This guy's boss was not acting within the rules established for him to act as a proxy for the City (if we're going to follow your ownership logic). So who's acting responsibly... the guy who chose to follow the rules despite the risk of adverse personal impact? Or the guy who wanted to ride roughshod over the rules in the interest of expediency?
Re:Really? (Score:3, Interesting)
Ultimately, Childs is, at best, technically correct. It doesn't change the fact that he rules lawyered himself a rather convenient bit of job security, even if it proved to be temporary. This case won't put "all IT admins in danger" unless "all IT admins" work in places where there are no sane, documented policies regarding password handling and sharing and where ownership of IT equipment is rhetorically ambiguous.
Re:I don't think so... (Score:1, Interesting)
Apparently you've never worked anywhere with a serious security policy. I've had a few jobs where I could only give my passwords to the security officer(in a sealed envelope, every time I changed them) or my replacement. Giving them to my immediate superior or his immediate superior would've gotten me canned or jailed, even if told I would be fired.
Indeed, not doing so once got me promoted to my boss's position after I reported it:)
Re:honestly... (Score:2, Interesting)
What I don't quite understand is how Childs was hired by The City to begin with given his criminal past.
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=2&fp=&fpid= [cio.com.au]
Sure, he was convicted of burglary when he was only 17, so I'm not sure if he was classified as a juvenile under Kansas law. He was then charged with misdemeanor weapons possession years later.
The guy did his time, so I'm not holding anything against him peronsally....I just find it surprising that a government agency would hire someone with that kind of record.
Re:honestly... (Score:4, Interesting)
Who on earth modded this interesting??
For the record, people mod posts interesting because they find them "interesting" not because they are correct. And complaining about modding is childish.
This has been discussed many [slashdot.org] times [slashdot.org], and I regret to inform you that your argument does not hold water. While it's a nice story to imagine this 'geek hero' standing up against the system, it's an airbrushed, romanticized version of the truth. This dude was out of line, end of story. He decided to try to flex his muscles, and he got taught a very valuable lesson that many could learn from. It was not his place to determine who was "competent" enough for the information.
The important point is that he was asked to give up that information after he was fired. In a sane world, Childs would have been able to tell them to fuck off because he as no obligation what so ever to work for free for his former employer. Btw, this is one of the many reasons IT workers should be unionized. Unions could have layed down the ground rules to abusive workplaces like this and fined them for millions for their transgressions. Companies don't own you for life.
Re:Please Read the History... (Score:2, Interesting)
It's not always the people who disagree with you who are wrong. You shouldn't assume that other people must be ignorant and inane, because they happen to come to a different conclusion. That's sloppy thinking.
Re:I don't think so... (Score:3, Interesting)
I get the same thing here at my company in IT security - lower-level store managers across the country who (supposedly) decide that one of their employees is loafing off too much and want their Web history for the past week or so. Or maybe they just want to know, how can I tell?
Of course, we don't use proxy authentication so it's insanely hard and time-consuming to even find that data with a degree of certainty, but even if I can, no way am I giving that up to somebody who I don't even know is definitely that person's manager.
We finally decided enough was enough, and now we categorically refuse to provide any information whatsoever unless an actual investigation incident is created with Human Resources, and only Human Resources can make the request. Problem solved on that one!
Another great one: a few years ago I helped on a worldwide Active Directory deployment for a company made up of many sub-companies. Anyway, this bunch of Battlin' Business Units distrusted one another so much that they actually paid our consulting company to be the only entity with Enterprise Admin credentials - of THEIR own AD forest! So I've somewhat been in this situation, and believe me, we also specified very carefully how that credential would be turned over and to who. Luckily this company didn't press the issue at all.
Re:Really? (Score:5, Interesting)
No reference? Right in the middle of the "don't" list in the City's policy [sfgov.org] is "Do NOT disclose passwords to your boss".
Here, I'll quote it for you:
Re:Please Read the History... (Score:1, Interesting)
I've followed the story rather closely.
He did break the law.
He should pay.
You can write me off as 'not knowing the history' but that just makes you ignorant, not me.
Re:honestly... (Score:5, Interesting)
Does anybody actually have a copy of that contract? I keep hearing this, and I'm wondering whether it's true, or a distortion by his lawyer, or just some oft-repeated bullshit by those that want him to be a hero.
Re:Really? (Score:1, Interesting)
I think you're missing the point. The original policy is to give the passwords to no one except for the mayor in a secure setting. If it was me, I don't care if the President of the United States, or the Pope was asking for those passwords. It isn't happening. I will give those passwords to the mayor, in a secure setting. Only. Ever. Period. I work in a larger governmental institution than a city. If I were to simply pass the keys to my entire department to the head of Security and the CIO, I would be jailed for knowingly/willingly compromising the security of the organization. I'm sure this is a similar situation, damned if he did, damned if he didn't. It looks to me like the CIO and head of Security just got pissy that they were not considered competant enough to run the system in the minds of its designer.
Re:Oh shut up (Score:1, Interesting)
So you're saying that Childs had a duty to withold the passwords from Richard Robinson, the chief operations officer for the city's Department of Technology and Information Services.
Childs had ideas above his station, like other bad admins. When the IT COO asked with HR and cops in the room it should have been forthcoming. Even if it led to problems it was no longer his responsibility.
Re:honestly... (Score:2, Interesting)
(oh, and I'm posting with my ID, not as AC)
Re:Please Read the History... (Score:1, Interesting)
"I've never found any decent justification for Child's behavior. Punishing him seems appropriate; I certainly would pursue charges if he had been my employee."
He was fired to make way for cheaper employees...and people just plain didn't like him. He was the stereotypical hacker nerd...probably didn't use proper hygiene...think of the worst stereotypes you can. People didn't like him, couldn't relate to him...and regardless of the fact no one else understood how to do his job, he was canned. None of this is illegal, but it makes wanting rid of someone like this easier to accomplish.
His employer was incompetent. It was only after firing him that they asked for the passwords.
They didn't ask for network diagrams or otherwise. This should have been a functional requirement by his boss far far far ahead of being fired. Actually, it should have been a part of his day to day job and if he wasn't doing any of this, it should have been caught years before he was fired.
The city didn't know what he was doing and was happy not to know.
It was only AFTER he was fired, he was asked for all of this.
I'm sorry, but if I were in his situation, I would have told the city to go fuck themselves. I don't know if I would have gone to jail for it. I probably would have stated that I handed these to my employers years months ago and they should go find their records. And if I was still threatened with jail...I might have actually done what they asked...
I don't know how many servers I have that I am the sole keeper of the password...I know I've given my boss sealed envelopes with these, and asked that he not open the envelope. At one point, when I had two layers above me, I took the sheet and cut it in half and gave one half to each (the Director and AD) to ensure that no one was going to screw things up without at least a concerted effort. I asked for the passwords back at some point because I needed to update them, and he ended up telling me he gave them to the secretary to photocopy and give to other managers (technically below me...I run the tech team, but I also run the theoreticals through our R&D...I am second in command, but I don't really like to deal with the other managers if I can help it...I like dealing with my team who is at least competent).
Ended up telling him that if anything happened, he was solely responsible and produced legal guidelines for data disclosure both federal and state...and now he doesn't want these at all!
Point is, if you fire someone and you as an employer did not do due diligence to ensure that work could be performed in the event that an employee below you was hit by a bus? That's your fault. Smelly nerd and all the bad things about horrible social skills aside...it is your fault.
If anyone should be punished, it is the employer.
So, was there justification? Most certainly...he was fired. He was under no other obligations. Beyond that, he may have had other excuses, or bad manners...but the overarching guideline is that someone fired is under no obligation to continue working for you.
Re:My solution in the past (Score:4, Interesting)
I did something similar. Except I gave the President half the password, and the head of HR the other half. I figured since they didn't get along well, it would certainly have to be an emergency (and I would have to be dead) for them to get together and get the password.
Re:Ref (Score:1, Interesting)
Uh, it's 57 pages and I don't see the word "mayor" anywhere in it.
My dad the Lawyer always says... (Score:3, Interesting)
There is only one rule, The Golden one (He that has the Gold makes the rules; not the do unto others one), and after more than 20 years as a lawyer I think he holds the system in contempt as well, after being a True Believer, ultra straight edged, right wing, NRA/RNC boyscout for most of his life.
Re:honestly... (Score:3, Interesting)
No, I did not. The poster said "for kicking a door". That leaves out a considerable amount of context. She wasn't kicking just ANY door, it was a door into a federal office building.
Wow, you are amazing. What the poster wrote was, "My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area,"
As in she kicked a jammed door that she had every right to pass through.
Sham debate tactic indeed, in your self-confident arrogance you couldn't have done a better job of demonstrating your point if you had tried.
Why should an employee get to kick in the door to a federal office building? The proper course of action is to call the maintenance people and report the door, not blast through it yourself.
Nobody is permitted to think or act for themselves. Exactly the kind of people we want working for the government. As the man also wrote, and which you also left out of your version of the 'context' was that absolutely no damage was done. Even more context you left out - the law is about damaging federal property not simply applying a bit of percussive maintenance.