Forgot your password?
typodupeerror
The Courts Crime Government IT Your Rights Online

Rough Justice For Terry Childs 418

Posted by timothy
from the might-not-like-the-aftershocks dept.
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
This discussion has been archived. No new comments can be posted.

Rough Justice For Terry Childs

Comments Filter:
  • by Anonymous Coward on Wednesday April 28, 2010 @06:14PM (#32022812)

    originates from here [microsoft.com].

    I hope this helps your lawsuits from DDOS.

    Yours In St. Petersburg,
    Kilgore Trout

  • by Monkeedude1212 (1560403) on Wednesday April 28, 2010 @06:15PM (#32022826) Journal

    The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password. He complied with that. He is basically being sued into oblivion because he didn't want the secretary, the press, and/or anyone else getting a hold of the password.

  • by Attila Dimedici (1036002) on Wednesday April 28, 2010 @06:23PM (#32022944)
    So, you get hired by Joe Schmoe. He gets fired. John (the guy in the next cubicle) comes in and tells you that he has been given Joe's job, your fired, and he wants you to give him all the company passwords that you have. What do you do? Oh yeah, when John did this, he came into your office with three people you have never met.
    That is what happened to Terry Childs.
  • Not DoS (Score:4, Informative)

    by guspasho (941623) on Wednesday April 28, 2010 @06:33PM (#32023082)

    Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?

    Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.

  • by RichardJenkins (1362463) on Wednesday April 28, 2010 @07:08PM (#32023538)

    I understood that they had a set of policies for 'user-level' passwords (which this was not classed as) saying things like 'never diclose your password, even to your boss' and another set of policies for 'system-level' passwords, which these passwords were classed as. The policies for 'system-level' passwords say they must be stored in a centrally managed database: a policy that Childs violated by keeping them in a way only accessible to him. Under your model (assuming the above is correct) you wouldn't be absolved from prosecution in this case, because Childs hadn't followed procedures related to 'system-level' passwords.

    It's all rather moot though, there is a systemic problem in any organisation which lets its IT be run in a way where someone can hold it hostage like this. The real lesson here is that institutional incompetence can lead to individual criminal liability.

    If you're an IT admin working in the States then it's your geographic (not professional) situation that's putting you at risk of going to jail for something stupid like this.

  • by rufey (683902) on Wednesday April 28, 2010 @07:19PM (#32023680)

    If the person mentioned was on the jury, and there is nothing I've read of his to suggest otherwise, I highly recommend reading his recent posts on his slashdot user page: http://slashdot.org/~BengalsUF [slashdot.org]

    I learned more in 5 minutes about the case than I have over the past 2 years reading Slashdot and news stories. And, as it turns out, most of what I've read up until today has been embellished or simply was an opinion of someone who knew little about the case.

  • by parcel (145162) on Wednesday April 28, 2010 @07:24PM (#32023762)

    I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.

    In my experience (private sector, financial industry) that results in immediate termination of your employment. And that isn't theoretical, I'm aware of two instances at my current company. In both cases they had security guards escort them off the premises.

  • by TENTH SHOW JAM (599239) on Wednesday April 28, 2010 @07:28PM (#32023820) Homepage

    If the superintendent of a school district says - "Whats the password for root on the server?" You tell them.

    No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.

  • by biryokumaru (822262) <biryokumaru@gmail.com> on Wednesday April 28, 2010 @07:30PM (#32023834)
    Here [google.com] is the policy. I believe the relevant section (page 32) only really applies to user passwords, not system-level stuff.
  • by MushMouth (5650) on Wednesday April 28, 2010 @07:33PM (#32023884) Homepage

    According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
    He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.

    On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.

  • by mangu (126918) on Wednesday April 28, 2010 @07:35PM (#32023908)

    I read that post, and the replies, and it seems to me the jury did it wrong. Particularly this post [slashdot.org] seems to hit the nail on the head.

    A jury is *not* required to follow instructions to either absolve or condemn, otherwise what would be the meaning of it all? But too many jurors seem to be swayed by the judge's instructions, which should be mere guidelines. It's not the judge's privilege to make a decision in a trial by jury. In this case, the jury seems to have had a very technical interpretation based solely on the prosecution's version of what it means to deny access to a system.

    Terry Childs, if what we read in many reports is true, never denied access to anyone who actually needed to use the system. His only crime was to use his best judgment on who should be allowed to access the passwords. He never denied access to the *system*, he denied access to the *passwords*, which is a different thing. I don't need to give you the keys to my house in order to let you in. I think the jury reached a wrong decision, because the law is very clear on this point.

    It was his managers' duty to ensure that passwords were adequately managed, if they left that kind of decision entirely to Terry Childs then they shouldn't complain if his decisions weren't what they expected. When a manager lets a subaltern have total control of the passwords he cannot complain if that subaltern does exactly what he was ordered to do.

  • by TENTH SHOW JAM (599239) on Wednesday April 28, 2010 @07:36PM (#32023922) Homepage

    What Tony should have said is "The passwords are in the secure password repository. Look it up yourself." The problem is that he couldn't say that because it was a lie to. He dug his own hole.

  • Re: Initiative (Score:4, Informative)

    by biryokumaru (822262) <biryokumaru@gmail.com> on Wednesday April 28, 2010 @07:40PM (#32023978)
    These [infoworld.com] are [npr.org] pretty [computerworld.com.au] good. [google.com]
  • by Anonymous Coward on Wednesday April 28, 2010 @07:58PM (#32024212)

    Um, it clearly says "the scope of this police includes all personnel who have or are responsible for an account... on any system.... This clearly is not limited to "user passwords" only.

    page 34 specifically says to "avoid"
    - giving your password over the phone to anyone
    and
    - telling your boss your password

    Two of the things they tried to get him to do.

  • by hacksoncode (239847) on Wednesday April 28, 2010 @08:10PM (#32024338)
    The County policy stating that you are to avoid giving your password to your boss *explicitly* says that it applies both to user-level passwords, and to system level passwords such as root, network admin passwords, etc.
  • Re: Initiative (Score:5, Informative)

    by biryokumaru (822262) <biryokumaru@gmail.com> on Wednesday April 28, 2010 @08:10PM (#32024346)
    Actually, this [slashdot.org] is the best thing I've read on the subject, by far.
  • by nomadic (141991) <.nomadicworld. .at. .gmail.com.> on Wednesday April 28, 2010 @08:16PM (#32024428) Homepage
    The way I read it, he was following the policy (law) to the letter.

    He was required to store system passwords in a central repository. He violated the policy by failing to do this.
  • Re:Turn in your keys (Score:3, Informative)

    by gclef (96311) on Wednesday April 28, 2010 @09:49PM (#32025328)

    Yes, you are. They are not your property, and never were.

  • Re: Initiative (Score:2, Informative)

    by Anonymous Coward on Wednesday April 28, 2010 @09:59PM (#32025426)

    It didn't come down to "You hand it over or we arrest you" it came down to Terry getting ready to flee the state without telling anyone the passwords and the police having to arrest him to make sure he didn't.

  • by Zerth (26112) on Wednesday April 28, 2010 @10:49PM (#32025792)

    And when the person replacing him mucked things up, do you think they might not assume he sabotaged things?

    Considering the ineptitude the new staff has shown, I can see why he would have been concerned.

  • by westlake (615356) on Thursday April 29, 2010 @12:27AM (#32026380)

    That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them

    The home town boy, the white bread kid, escaped the noose. The black man was lynched.

    That has always been the reality of jury nullification - and the geek - the outsider, the prick, the wierdo - who looks to nullification for his salvation is a a god-damned fool.

  • by SuperBanana (662181) on Thursday April 29, 2010 @01:38AM (#32026776)

    The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.

    That's pretty effin' funny, given that this country was founded after a revolution based on the simple concept of being taxed but not receiving representation in exchange.

    So, uh, yes- if you're taxed, you damn well do get a stake in deciding how it is used here in the US. Fun fact: in the state where the revolutionary war started (MA), we have "town meetings"- and they're not the kind of Town Meeting you see politicians holding, which are basically just "get some people in a high school gym and have them ask you some questions."

    No, see: town meetings are where the town (anyone who wants to show up) debates and votes on damn near everything from policies to budgets. The rest of the year, the town is run by a town council, also elected.

    It's impressive to see an entire basketball court full of chairs, and 15+ rows on each side, full of town residents. Democracy in action.

The meat is rotten, but the booze is holding out. Computer translation of "The spirit is willing, but the flesh is weak."

Working...