Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
The Courts Crime IT

Terry Childs Found Guilty 982

Posted by kdawson
from the miss-carriage dept.
A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.
This discussion has been archived. No new comments can be posted.

Terry Childs Found Guilty

Comments Filter:
  • by Wyatt Earp (1029) on Tuesday April 27, 2010 @06:10PM (#32005918)

    The man was already a felon from the 1980s, so it shows he tended not to follow the law.

    http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209100472 [informationweek.com]

    "The Chronicle also reported on Wednesday that Childs has a 25-year-old felony criminal record in Kansas, where he was convicted of aggravated robbery and aggravated burglary stemming from charges filed in 1982. Childs was on probation or parole until 1987, according to records uncovered by the newspaper. Childs had disclosed the felony conviction when he applied for the San Francisco job five years ago."

  • by SudoGhost (1779150) on Tuesday April 27, 2010 @06:10PM (#32005920)
    From http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=2&fp=&fpid= [cio.com.au] "DTIS officials demanded that Childs relinquish the usernames and passwords used to access the FiberWAN network devices, and Childs refused to do so. He was suspended for insubordination on July 9. " He was arrested shortly thereafter. DTIS is the city's IT department. His refusing to disclose passwords to a public court has nothing to do with why he was arrested and found guilty.
  • by linebackn (131821) on Tuesday April 27, 2010 @06:11PM (#32005924)

    Sound like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?

  • by Un pobre guey (593801) on Tuesday April 27, 2010 @06:11PM (#32005942) Homepage
    Hear, hear. Just because the guy is a nerd doesn't mean we have to rally 'round him.

    Of course, if during the trial everyone's login credentials were exposed (I don't know if they were, I didn't RTFA) that would be pretty goddamn stupid indeed.
  • by Anonymous Coward on Tuesday April 27, 2010 @06:16PM (#32005996)

    Democracy is a form of government that ensures we are governed as well as we deserve.

    Explain that again. Do smart people deserve to be governed like idiots just because they're outnumbered by idiots?

  • by droopus (33472) * on Tuesday April 27, 2010 @06:26PM (#32006080)

    Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.

    Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).

    The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.

    The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.

  • Re:Soooo (Score:3, Interesting)

    by SoupGuru (723634) on Tuesday April 27, 2010 @06:27PM (#32006090)
    If my boss asks me to do something, I generally do it. What if it violates policy? Well, he's more culpable than I am.

    That's the thing. That network is more Childs' boss' than it is his... his boss has more responsibility to it. He wants the password, give it to him and document that you did so. When the network comes crashing down, it's more his fault than yours.... and you're not in jail. Hopefully.
  • guilty of what? (Score:3, Interesting)

    by SoupGuru (723634) on Tuesday April 27, 2010 @06:34PM (#32006176)
    Are we getting too hung up on the password issue? Was his refusal to divulge the passwords what he's being found guilty of?

    Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person. If the city allowed Childs to hold all the keys, they're pretty stupid. If they had a policy prohibiting that, I could understand why violating it could get you jail time.
  • Re:He was an idiot (Score:5, Interesting)

    by Tiger4 (840741) on Tuesday April 27, 2010 @06:46PM (#32006308)

    Funny you should say that. The last jury I sat on, the woman sitting across from me was a programmer. Her exact words to the judge, when he asked her employment were, "I twiddle bits". He blinked, and she got a lot more formal afterward.

    By the way, she was also the first to vote to convict when we got back to the jury room. Binary logic was not working in the defendant's favor with her.

  • Job Offer (Score:2, Interesting)

    by Anonymous Coward on Tuesday April 27, 2010 @06:56PM (#32006450)

    To Terry Childs,

    When you finish your sentence, I will have a position waiting for you as an administrator of our large company network. Your devotion to network security, network policy, and willingness to defend them at all costs are a valuable commodity. My company and I would be very happy to employ you in a senior technical position. I can find network experts all over the internet, but it is much harder to find those that would defend their network at risk to their own liberty. I applaud you Mr. Childs.

  • Re:Boycott (Score:4, Interesting)

    by CorporateSuit (1319461) on Tuesday April 27, 2010 @06:58PM (#32006476)
    San Francisco's mayor is one of the most prominent douchebags of recent history. There's no way he would resign unless it meant that he could become governor, senator, or president of the USA by next election. He's an animated golemn, crafted of every negative stereotype of San Francisco there is. When he had every reason to defend Child's actions, he testified against him - condemning what he knew to be an innocent man. What would an egomaniac like that have to gain from stepping down or retracting his testimony against the man when he's busy patting himself on the back for helping put away a dangerous terrorist such as Terry Childs?

    If this was 200 years ago, I'd challenge the man to a duel. "You took 5 years of an innocent man's life away because you could. Just how many innocent men have you knowingly put away for 5 years? 10 years? 20 years? How many innocent lifetimes has your sick ego cost the world? I'm sure the devil will give you a full report when you reach Hell."

    But now, in 2010, I could probably get charges filed against me just for suggesting something like that! It's those damned everchanging laws of propriety...
  • Re:Poor jerk. (Score:5, Interesting)

    by geekmansworld (950281) on Tuesday April 27, 2010 @07:00PM (#32006488) Homepage

    A lot of differing opinions being tossed around here.

    But, Slashdot, can we please stop accepting "fuck off" as acceptable debate discourse? And then cheerfully modding it up?

    We're adults here, I think we can debate the pros and cons of this situation intellectually without resorting to hurling epithets at eachother.

    Thank you in advance for not modding me "Troll" and "Offtopic".

  • Re:Please appeal, (Score:2, Interesting)

    by baerm (163918) on Tuesday April 27, 2010 @07:02PM (#32006510)

    ...but I remember enough to say that holding a city's computer systems random [sic] (which is essentially what he was doing) certainly deserves a guilty verdict on a count of "computer tampering." You really think it's acceptable under any circumstances for someone to hijack a network like that? Yes, he works there and technically "administrates" those machines, but he has a duty to his employers (ultimately, the citizens), and he was not upholding that duty.

    I remember it differently. Either that or this is for some other definition of "hijack", "ransom", and "duty" than the definitions commonly used and found in the dictionary.

    "hijack" : He didn't take it over, he was the network admin.

    "ransom" : He didn't ask for any ransom, he stated he would only give the password to the Mayor.

    "duty" : According to how he interpreted the written job requirements, giving the password to anyone else much less a roomful of known, semi-known, unknown and a phone full of unknown people did not match the written security requirements.

    Frankly, from what I've read, I agree. Although, I would hope and expect that the jury has a good deal more information than I have. It does scare me that an ignorant jury could have just been afraid of a "Oh my god!, computer hacker" and convicted him on their emotional response rather than intelligent deliberation. I hope I'm just missing some of the info they had.

  • Re:Epic fail (Score:3, Interesting)

    by ClosedSource (238333) on Tuesday April 27, 2010 @07:06PM (#32006568)

    I don't know - taking a felon's job sounds like a pretty easy act to follow:

    PHB: "It took you that long? Why Terry could have done it .. Ugh never mind.

  • by phantomfive (622387) on Tuesday April 27, 2010 @07:07PM (#32006574) Journal
    According to this guy [barnesandnoble.com], the average person commits three felonies a day. I do not know how accurate that is, but here is another guy who says essentially the same thing [amazon.com].

    All I can say is fuck. At worst Mr. Childs deserved to be fired. There was a lot of incompetence involved, and clearly not all of it his.
  • Re:guilty of what? (Score:3, Interesting)

    by phantomfive (622387) on Tuesday April 27, 2010 @07:14PM (#32006670) Journal

    Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person

    That's incompetence, but he shouldn't go to jail for that. We had a sysadmin who left all the ports on the intranet open to the world, among other braindead things, and we fired him, but he didn't go to jail. You fire people for doing a bad job, you don't send them to jail. He should have been fired at worst.

    Anyway maybe being in jail will give him time to reflect and get away from the rat race crazy world for a while. And with jail capacity being what it is in California, he may get out on parole halfway or a quarter of the way through his sentence. It's been happening a lot lately.

  • by Anonymous Coward on Tuesday April 27, 2010 @07:38PM (#32006948)

    After he was arrested and placed in custody is when he stated that he would only give the password to the mayor, not becuase it was a rule or directive but becuase Mayor Newsom was "the only person he felt he could trust".

    I haven't followed this case very closely so forgive me if this has been answered elsewhere, but do you know why the mayor didn't just take the password from this guy and then hand it over to the new admins? It doesn't seem like too big a hassle for Mayor Newsom if 20 minutes on the phone would have actually helped the city avoid significant costs and problems.

    There's this little thing called "precedent". If Gavin Newsome had taken whatever piddling amount of time to deal with this idiot sysadmin then it would set a precedent for this sort of thing. Soon every little pissant city employee would have some chickenshit issue and would start bleating that they'd only deal with the mayor.

    Eventually instead of doing mayor stuff, all of the mayor's time would be tied up with having to deal with all sorts of insignificant chickenshit stuff because some self-important flunky wanted attention from the big boss man in order to feel important instead of sticking with the chain of command.

    Terry Childs wanted his ego stroked and wanted attention. Well he sure as hell got attention but probably not the sort he was hoping for. I hope he's happy now.

  • by Anonymous Coward on Tuesday April 27, 2010 @07:43PM (#32007018)

    Here is a list of things to avoid (from the policy document):
                Giving your password over the phone to ANYONE.
                Sending a password in an e-mail message.
                Telling your boss your password .
                Talking about a password in front of others.
                Hinting at the format of a password (e.g., “my family name”).
                Writing in your password on questionnaires or security forms.
                Sharing your password with family members.
                Telling your co-workers your password while on vacation.

    It would seem that giving your password out over a conference call would be against policy as well. The most striking thing about this case to me has always been this: He worked for the city. City cops assisted in the inappropriate, although not illegal, conference call and arrested him. He was held in a city jail. He was prosecuted by a city district attorney and tried by a city judge and jury. Now that he is convicted he will probably serve the remainder of his sentence in a city jail where he might be offered some form of community service for the city. I really hate to think that the jury could not see a pattern here. Moreover why didn't the state or feds step in and offer oversight.

    This so much reminds me of a time when i was going to school in a small Georgia town. After getting arrested for "Driving on a roadway laned for traffic" I realized that the cop, judge, bail bondsmen, my insurance agent and landlord all had the same last name. fortunately my lawyer was not so named and we had the case moved to another court.

  • Re:Ramifications (Score:5, Interesting)

    You: "Give me the password."
    Your employee: "No."

    Lets try this from the other persepective:

    Your Employer: Give me the password.
    You: But you told me I'd be liable for anything that happens if I give it to you.
    Your Employer: Give me the password!!
    You: No. I don't want to be liable.
    Your Employer: You're fired!!!
    You: Fine.
    Your Employer: Give me the password!!!!
    You: I don't work for you anymore. And I still don't want to be liable.
    Your Employer: Peon!!!! I own you!!!!!! I'll grind you into dust!!!!! Lawyers! Destroy him!!!

    And they did.

    You know what the moral of this story is? Don't work for anyone.

  • by droopus (33472) * on Tuesday April 27, 2010 @08:12PM (#32007308)

    Oh I did, trust me. Lemme pose this one to you...

    Know any good federal lawyers? How, exactly do you plan to "shop around" while in a fed lockup? Surely you know there are no computers, right? I hired three that had great reps. They cost six figures and achieved squat. I could have done the whole thing pro se and gotten the same result.

    I'm amazed at how arrogant ppl are about this. Unless you've been through it, you have NO idea.

  • by droopus (33472) * on Tuesday April 27, 2010 @08:15PM (#32007320)

    You perfectly illustrate why rolling the dice with a jury of "peers" like yourself is insane. Who cares about evidence, due process, Rules of Criminal Procedure or mens rea? "Shit, I can eliminate reasonable doubt with a 20 line /. post!"

    And I'm sure you would have refused a plea and gone to trial looking at a life bid.

    Look I had never been arrested before either. Tin foil hat?
    No, a very costly education. I hope you never have to face one.

  • by erroneus (253617) on Tuesday April 27, 2010 @08:27PM (#32007454) Homepage

    He might be a hero to some and a fool to others, but in the end, he has to live with himself... and survive with himself. Now he will be pretty lucky to have a normal life from this point forward. Odds are, he won't. There are lots of "wrong" things going on in the world every day. If you are asked to do the wrong thing in a similar circumstance, the one best option he could have taken was to quit and walk away giving whoever wanted/needed info is needed... to a point. Personally, if I was the only one with passwords to whatever, I'd just claim not to remember them and to tell them where all the devices are so they can seek them out and reset them manually. Frankly, why they didn't just hire someone to find all of these points of access and lock them out is beyond me. He was a jerk and simply needed to be cut off.

  • by Kaboom13 (235759) <kaboom108@@@bellsouth...net> on Tuesday April 27, 2010 @08:34PM (#32007522)

    Every little piss-ant city employee is not a highly paid professional who designed, built, and maintained the city governments entire network infrastructure. When the street sweepers refuse to turn their keys in to anyone but they Mayor, tell them to fuck off. When someone who you have given a lot of money and entrusted with the security and reliability of the systems that keep critical city infrastructure wants 10 minutes of your time, it's probably a good idea to fucking listen. If the city's top lawyer wanted a word with the mayor on a matter he considered urgent, do you think he'd wait?

    The whole thing is a farce. Terry Childs may have deserved to be fired. From the sounds of it, he allowed himself to become a critical, irreplaceable part of the infrastructure, which in of itself is a good reason to fire him. Clearly his ego and misguided sense of dedication to his job was clouding his judgment. His managers should be fired for being completely incompetent. They allowed a situation to develop where Childs was irreplaceable. They then decided to fire him, but developed no plan on how to smoothly transition away. And after they fired him, and realized how incredibly they had fucked up, they threw him in jail, turning a bad situation into a disaster. They passed over repeated chances to defuse the situation, all to save face. They proceeded to try their best to ruin a man's life just to avoid admitting they had made mistakes, and it looks like they have succeeded. By all accounts the city's network worked flawlessly the entire time. They were apparently convinced he would use his passwords to bring the network down just because he was upset about being fired, but there is no evidence he attempted to do so or would have attempted. To do so would have destroyed his career, that he clearly cared a lot about if he invested the time and effort into getting a CCIE. Furthermore, it's doubtful that had he given all the passwords, he would have lost his ability to do so. Given how much they relied on him, and his knowledge of the network, he couldn't have found a way even if they changed all the passwords he gave them? Theres always a backup account somewhere, or a forgotten out-of-band management tool, etc.

    The precedent this court case leaves is "support your former employers for free, forever, or go to jail". I for one am not looking forward to getting calls from a former employer at 3 am because even though I left 6 months ago, they forgot to ask me for the password to the backup system, and now it's on the fritz, and I refuse to answer and tell them how to login, and the account credentials, they will call the cops.

  • by BengalsUF (145009) on Tuesday April 27, 2010 @09:30PM (#32008096)

    Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.

    This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.

    This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.

    This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.

    I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.

  • by aaarrrgggh (9205) on Tuesday April 27, 2010 @10:28PM (#32008670)

    "We had a lot of sympathy for him," said juror Jason Chilton, who is a network engineer. "He was put in a position he should not have been put in.

    "Management did everything they possibly could wrong," Chilton said. "There was ineffective management, ineffective communication. I think that if they put the city on trial, they would be guilty, too."

    linky: [sfgate.com]

  • by Archangel Michael (180766) on Tuesday April 27, 2010 @11:13PM (#32009046) Journal

    Two Words .... Jury Nullification

    This is the worst part of our current system, is that juries are not informed of all the duties that are necessary for them to perform. In this case you were led to believe that your only duty was to judge the facts, and apply those facts to the law.

    However every member of society has every right, while on any jury, to judge not only the facts of the case, but the law and how they are being applied. This is the ONLY real safeguard to a free people, and the real power of the Jury.

    My biggest sadness is that you felt compelled to convict the man, because the fact and the law told you to. Just so you know, you've admitted that you've proven the state has enslaved us all to laws we can't possibly obey.

    Take a look here, and after that, I leave you with two questions ....

    The Average Person [wsj.com] Commits Three Felonies a Day" [amazon.com]

    Question one, are you willing to go to jail for doing something that is right, even if it is against the law?

    If not, why did you do that to someone else?

  • One question. (Score:3, Interesting)

    by Anonymous Coward on Tuesday April 27, 2010 @11:13PM (#32009052)

    During the time Childs was an employee, did the people requesting the passwords have authorization to do so?

  • Re:Poor jerk. (Score:3, Interesting)

    by nacturation (646836) * <`moc.liamg' `ta' `noitarutcan'> on Tuesday April 27, 2010 @11:32PM (#32009282) Journal

    Reminds me of that Feynman story where he goes down in the middle of the night and removes one of the doors. The next day everyone is upset and they demand people swear that they did not do it. So it goes around the room:

    Person 1: "I swear I did not remove the door."
    Person 2: "I swear I did not remove the door." ... and so on. Then it gets to Feynman:

    Feynman: "Yeah, *I* took the door."
    Upset Dude: "Oh, stop kidding around Feynman. Next!"

    Person n: "I swear I did not remove the door."

    Hit point was that afterward, even though he did admit to taking it, at the time they dismissed it as him not being serious and all they ultimately remembered was everybody denying taking the door.

  • by mabhatter654 (561290) on Tuesday April 27, 2010 @11:38PM (#32009360)

    except they pulled the POLICE in before even offering such a deal. That was the ENTIRE problem. They perp walked him out the door, then went to his house days later expecting to get the passwords. He's got enough for wrongful termination for all the crap they pulled.

    Basically you could be accused of his "crime" for nailing boards over the computer room. I think at sentencing, more of the truth will come out. The judge feels the need to get some kind of "serious verdict" because of the dog-n-pony-show but it's obvious even the judge isn't really on board with the charges either. I see him getting another year or two probation and "time served" because he's been sitting in jail for just about 2 years now,. I think the judge will throw out the "damage" claims as well as the malicious intent... the guy has been sitting in jail since a week after being fired with no access to the computers since he left his job.... he was set up and NOTHING HAPPENED. So all the money spent is the CITY'S fault for not properly running the department, Child's made no THREATS to cause damage, there was no valid reason for such an extensive audit. They have had nearly 2 years to fix their problems, I can't see a judge granting anymore arguments from the DA.

  • by BengalsUF (145009) on Wednesday April 28, 2010 @12:46AM (#32010050)

    The jury instructions specifically stated that whether or not we agree with the law in question cannot be a factor in determining if the law was actually broken. Regardless, I found nothing objectionable about the law itself and I don't believe any of the other jurors did either. There are plenty of protections within the law in question which protect people which may be acting under a misunderstanding of the facts or acting within the scope of their employment, all of which we weighed in making our decision.

  • by Anonymous Coward on Wednesday April 28, 2010 @12:53AM (#32010106)

    Was there no clearly identified chain of authorization here? Why didn't SF quickly provide evidence of who was authorized? You would think this would be the very first thing they would provide, the hammer that would efficiently drive the nail in Childs' legal coffin. The fact that you had to wade through reams of document and "divine" such a key piece of info is telling. If it took a group of 12 persons to sift through this, how was Child supposed to summon this knowledge too?

  • by BengalsUF (145009) on Wednesday April 28, 2010 @01:10AM (#32010292)

    Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.

    He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.

  • by BengalsUF (145009) on Wednesday April 28, 2010 @01:29AM (#32010476)

    It was more difficult because there is no legal definition of "authorized user", and in that case we are left to use a common sense definition of the term. That may be easy to do, but the harder part is determining who those people are, because in different companies and organizations, policies in place many time determine who they are. So now we have another problem here in that there was no formal policy or procedure in place to determine who is an "authorized user", so we had to use the evidence available to us to determine who Terry Childs would reasonably believe an authorized user would be.

    To do that, we had to look through a lot of testimony, in addition to pieces of evidence which showed who he had previously determined to be "authorized users". In the end it was our determination that he knew the person requesting access was authorized to have it. Like I said, this was really the hardest question for us to answer, but after examining job descriptions, job vacancy bulletins, performance appraisals, numerous emails, etc., we were able to reach the conclusion we did.

    Terry Childs already had this knowledge (as evidenced in the emails). We had to spend the time to sift through all the information to make sure we were beyond a reasonable doubt about this conclusion.

  • by Entropy98 (1340659) on Wednesday April 28, 2010 @01:36AM (#32010546) Homepage

    It took you 5 months, 200 pages of notes, and days of deliberation to make a decision?

    How long did Terry Childs have to make his decision?

    I hope you go to jail for some ridiculous bullshit someday.

  • by Anonymous Coward on Wednesday April 28, 2010 @06:44AM (#32012318)

    > No large company runs like that.

    Good grief, how I wish that were true :-/

  • by Anonymous Coward on Wednesday April 28, 2010 @06:48AM (#32012350)

    Perhaps you can shed light on the fact that a disagreeing juror was dumped...
    This looks like jury tampering to me...
    If the state doesn't get the results it wants or the jurors don't follow the state mandated conviction-flowchart...
    then dump the juror and get one who will comply.

    So what's the deal about the "holdout" juror?

  • Re:One question. (Score:3, Interesting)

    by Aphoxema (1088507) * on Wednesday April 28, 2010 @07:14AM (#32012584) Homepage Journal

    This was one of the most difficult questions for us to answer. Specifically, who is an "authorized user", and who determines who those people are? I won't go through the mounds of evidence we went through to get beyond any reasonable doubt on this issue, but we did ultimately determine that the person requesting the access (his boss' boss) was an authorized user and should have access upon requesting it.

    One really important thing to note here is that it wasn't a concern that he did not provide "his" passwords. The real problem is that he did not provide access -- in any form, even in the form of creating new accounts for those requesting it.

    If it was so fucking hard for you to figure it out in five months what chance did Mr. Childs have in a stressful environment under coercion?

  • by catmistake (814204) on Wednesday April 28, 2010 @10:05AM (#32015052) Journal
    I thank you for your service and for posting slashdot. But I do have a question, and not having all the facts, I ask for your tolerance. One thing here gets repeated over and over, and I'm not sure it's true. Was Childs fired BEFORE he was asked to give up passwords? Doesn't this mean anything? Also, Child's is convicted, can you explain the law he broke and how he broke it (specifically what choice of action he made was illegal and a felony? One more thing... if Child's had better representation, do you think the outcome might have been any different? From what I know, and it isn't much, I can't understand why the case wasn't dismissed... wrong laws applied to a non-crime. But I must defer to your personal experience. And thanks again... sounds like shit work, and most would have done anything to get out of it. Your sense of civic duty is appreciated.
  • Simple Solution (Score:3, Interesting)

    by kenp2002 (545495) on Wednesday April 28, 2010 @10:32AM (#32015622) Homepage Journal

    I helped set up a simple solution to this scenario years ago for a local hear aid provider.

    The root password for their systems was double-blind. The CIO came in and set the password. The Lead network engineer changed the name of the root account (but didn't know the password).

    Each component was forwarded to legal records hold for archiving in separate email.

    Since no one was allowed to use the root\admin accounts (everything via sudo effectively, hence the double blind setup) in the event of an emergency a simple phone call to legal records hold would retrieve the information if the CIO and admin were not available. Add the two together and problem solved.

    Child's could have just as easily secured the password before hand with a policy doing something as simple as a 2-part cypher with 1 part in the hands of the govenor and the other part documented with instructions on retriving the 1st part from the govenor.

    e.g. passwd
    (Disable backspace key sequence)
    (Admin types first 4 characters, leaves room)
    (CIO types last 4 characters hit's enter.)

    Admin and CIO email legal record hold with their portions.

    This was about paranoid liability of someone busting the network, not securing a core password.

    I've had to L0phat more then one NT server that a rogue admin tried to lockout the system after getting canned during my career (retired geek now thank God). The most recent one was a net admin that had a $100,000 quarterly budget but we could only find 22k worth of assets at the company (And why did he need 3 22 inch monitors and had every workstation running NT Server edition even though they only paid for 4 licenses of Server....).

    From a liability standpoint Terry, or anyone can follow this simple guideline:

    If your company has a legal record hold service, periodically gather your configuration files and documentation and forward that information to legal record hold. If not periodically print them, label them as "Legal Record Hold" or "Legal Retain" and sign and date them.

    Most government offices have a legal record hold office. If you are terminated and they come back after you you can have your lawyer request the last copy of the configs you sent to legal records hold and compare the current config. Not only that but a quick check of the config's last modified date will confirm if you you have legitimately made that change. In addition if they try and come back and say you came into the system after being canned, the burden of proof is one them to show you had access. It would be a staggering embarrasment if they didn't change master passwords you had access to.

    If possible I would go further and use mandatory CVS\RCS\Git etc... for config files of any kind in your process with an audit. The RCS system should be in the hands of the legal records retainment (i.e. independent of netOps) for auditing. Liability then can be quickly determined (Jeff left the company on 3/12 and no issues. On 3/24 Eric made a change and all hell broke loose. No point in going after Jeff, no liability. Eric likely broke it... wait Eric was on vacation and lives in Utah, the VPN came from Washington... where Jeff lives with a similar IP as Jeff's last! Oh shit call the cops!)

    Network admins tend to forget\overlook the need to audit the configs, not just for operational purposes, but for legal due-dilligence reasons as well.

    Revision Control on Configs + Audits + Double Blind Root\Admin + Mandatory sudo = Reasonable Liability Tracker.

    I'm retired now ... almost 5 years now I think and I am sure things have changed so don't take my suggestions as gospel but at least out of this we can starting thinking a bit more on how we manage our networks, not just from an operational standpoint but Risk, Liability, Business Continuity, and Legal viewpoint as well.

    AND USE A RCS FOR CONFIGS!!! IT'S NOT JUST FOR TRACKING CODE CHANGES! IT'S AN AUDIT TRAIL AS WELL!

  • by painandgreed (692585) on Wednesday April 28, 2010 @11:44AM (#32017018)

    Two Words .... Jury Nullification

    The idea of jury nullification is great when it's used on a law you don't agree with, not so much when it goes the other way. The reason that lynchers and other civil right abusers could get away with what they did in the 20's and 30's was because of jury nullification. The phrase "no jury will convict me" was speaking about jury nullification. As they could control who got on the juries and that those people had similar morals that did not agree with the law, they did not have to follow the law. Once society loses the rule of law, there's no reason to follow the law for anything. While I don't agree with a lot of laws and would even hazard that some laws are probably even objectively bad, it would be better to change the laws that rely upon jury nullification.

  • by jefftp (35835) on Wednesday April 28, 2010 @12:41PM (#32018052)

    The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission.

    Refusing to provide a password is absolutely not a denial of service. That's like claiming losing keys to a rack in a data center is a denial of service.

    However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.

    How this is a criminal act? Was he under court order to stay within the state of California and not touch his money? This whole case was never a criminal matter.

  • by Anonymous Coward on Wednesday April 28, 2010 @12:42PM (#32018070)
    I seriously fail to see how 12 'peers' of an IT professional could have called him guilty based on the public record. Now, with precedent set and the ability to show for a Jury, I fear that Professionalism in IT is now not worth the paper it's written on.

    I'd like to not commit an ad-hominem attack on the Jury, but sadly I cannot understand how 12 right-thinking people came to such a ridiculous conclusion. Unfortunately, people are rarely right-thinking.

    Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind

    You just described the old lady who walks into the deliberation and and says "He's guilty."

    Why?

    "Because his charged with something, so he must be guilty."

    The Jury review is supposed to weed defective things like this out. But it is in the best interest of the prosecution, and horribly immoral, to get as many people who think like this in that Jury box as possible. Next to the 'person awed by the power of something they read in a detective novel' these people are their best friend.

    Humans judging other humans is about the worst possible thing you could ask for. Except for all the alternatives.

    People will trust authority over facts, judge bases on clothing and hairstyle and attitude over facts and ignore anything that disagrees with a pre-existing idea about the world (e.g. their religion.) The selection process is supposed to catch a lot of this. Sadly, stacking the Jury is as old and the Jury trial itself.

  • Re:He was an idiot (Score:3, Interesting)

    by BengalsUF (145009) on Wednesday April 28, 2010 @02:51PM (#32020220)

    Thanks. Yes there were tons of other issues involved in this matter which the press simply doesn't cover in their reports. I myself feel that five years is a rather extreme sentence for what he did, which is why I have been glad to read in news reports that they expect the judge to let him go with time served or possibly sentence him to just a few more months. He doesn't need to be kept away from the public or punished any more for what he did.

  • Re:better yet (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 28, 2010 @08:57PM (#32025410)

    If you're really one of the jurors... I had thought that maybe there was some extra information that the Jury was privy to that just wasn't in the news reports. Something else that he'd done, some explicit threat he'd made rather than just paranoia on the part of the city employees ganging up on him. But it looks like there's nothing.

    So, as a juror in this case, can we ask you some questions? Frankly, I think it would be great if they'd do a Slashdot interview story with you and any other jurors who'd care to answer. But if you could answer some questions here, it would be great.

    First of all, the relevant bit of the law, skipping the definitions section and punishments:

    (c) Except as provided in subdivision (h), any person who commits
    any of the following acts is guilty of a public offense:
    (1) Knowingly accesses and without permission alters, damages,
    deletes, destroys, or otherwise uses any data, computer, computer
    system, or computer network in order to either (A) devise or execute
    any scheme or artifice to defraud, deceive, or extort, or (B)
    wrongfully control or obtain money, property, or data.
    (2) Knowingly accesses and without permission takes, copies, or
    makes use of any data from a computer, computer system, or computer
    network, or takes or copies any supporting documentation, whether
    existing or residing internal or external to a computer, computer
    system, or computer network.
    (3) Knowingly and without permission uses or causes to be used
    computer services.
    (4) Knowingly accesses and without permission adds, alters,
    damages, deletes, or destroys any data, computer software, or
    computer programs which reside or exist internal or external to a
    computer, computer system, or computer network.
    (5) Knowingly and without permission disrupts or causes the
    disruption of computer services or denies or causes the denial of
    computer services to an authorized user of a computer, computer
    system, or computer network.
    (6) Knowingly and without permission provides or assists in
    providing a means of accessing a computer, computer system, or
    computer network in violation of this section.
    (7) Knowingly and without permission accesses or causes to be
    accessed any computer, computer system, or computer network.
    (8) Knowingly introduces any computer contaminant into any
    computer, computer system, or computer network.
    (9) Knowingly and without permission uses the Internet domain name
    of another individual, corporation, or entity in connection with the
    sending of one or more electronic mail messages, and thereby damages
    or causes damage to a computer, computer system, or computer
    network.

    And, also, subdivision (h), since it seems relevant in this case:

    (h) (1) Subdivision (c) does not apply to punish any acts which
    are committed by a person within the scope of his or her lawful
    employment. For purposes of this section, a person acts within the
    scope of his or her employment when he or she performs acts which are
    reasonably necessary to the performance of his or her work
    assignment.
    (2) Paragraph (3) of subdivision (c) does not apply to penalize
    any acts committed by a person acting outside of his or her lawful
    employment, provided that the employee's activities do not cause an
    injury, as defined in paragraph (8) of subdivision (b), to the
    employer or another, or provided that the value of supplies or
    computer services, as defined in paragraph (4) of subdivision (b),
    which are used does not exceed an accumulated total of two hundred
    fifty dollars ($250).

    So, first of all (5) seems to be the relevant part of this law that Childs was convicted of. Did you convict solely on that part of the law, or was there some other part that you believe he is

  • by slashqwerty (1099091) on Wednesday April 28, 2010 @11:34PM (#32026414)
    There has been very little quality reporting on this case. Thanks for posting your comments on it. It would be really nice if you could take your 200 pages of notes and write up a summary of the key evidence (or maybe just post the notes).

    According to the linked article [ktvu.com] there must have been a finding that Mr. Childs caused at least $200,000 in damages. I have not seen this addressed anywhere*. Would you care to comment on that? How was this number arrived at? Would the damages have been different if he had been hit by a bus?

    *The article has been amended to indicate the city incurred $1 million in expenses to regain control of the network and do vulnerability testing.

Brain damage is all in your head. -- Karl Lehenbauer

Working...