San Francisco Just As Guilty In Terry Childs Case

Posted by Soulskill
from the does-it-get-4-years-too dept.
snydeq writes "Deep End's Paul Venezia follows up on the Terry Childs sentencing, stating that the City of San Francisco is as much at fault in this case as Childs is. 'The way that the San Francisco IT department has been run is nothing short of abysmal, and that has been pointed out time and again by anyone paying attention to this case,' Venezia writes. 'Plenty of dirty laundry was aired out in court as well, yet through it all, the city has had a full-court press on Childs, and being both the plaintiff and the prosecution it spared no expense to drill Childs into the ground.' Worse, perhaps, is the disproportion of the sentence, when compared with recent convictions for intended malfeasance on the part of several notable rogue IT admins."
  • Run Away! (Score:4, Informative)

    by jasenj1 (575309) on Monday August 16, 2010 @03:09PM (#33267482)

    FTA: "When faced with dangerously incompetent management, it's best to just look for another job."

    I found this a very telling statement. If your management are bozos, don't try to change them or point out their bozo-ness. Just pack up and move on. They hold all the cards. You will be punished for trying to fix anything that makes them look bad.

    How very sad and defeatist.

    - Jasen.

  • Re:Not Surprising (Score:3, Informative)

    by dirk (87083) <dirk@one.net> on Monday August 16, 2010 @03:09PM (#33267484) Homepage

    This is a "productive, talented person"? Whether or not the city was run poorly (it is a city government, so it probably was) the fact is that he was holding the router and password configs hostage. Forget him getting fired and everything that happened, what would have happened if he got hit by a bus? He can claim that the other people were idiots, but idiots with access is better than a single person with access who dies, because then no one has access. I can even sympathize with holding the passwords, but what the hell would the purpose of not committing the router configs to memory be? So every time there is a power outage or a router needs to be rebooted they need to call him? That isn't a good admin, no matter how stupid he thinks everyone else is.

  • by david_thornley (598059) on Monday August 16, 2010 @03:20PM (#33267636)

    By that time, he'd already committed what he was convicted of.

    Childs refused to record passwords, in direct violation of policy. When being moved from his current job, he refused to hand over passwords etc. in any environment, again in direct violation of policy. He then prepared to leave town without handing them over.

    No competent sysadmin sets things up so he's the only person with the passwords, so that the network is simply screwed if he's hit by a bus. Childs went one further: he had the password for a file on his personal laptop that had the passwords in it. Had his laptop been destroyed, or the file system corrupted, the passwords would be lost.

  • Re:Heavy sentence? (Score:4, Informative)

    by RyuuzakiTetsuya (195424) <{taiki} {at} {cox.net}> on Monday August 16, 2010 @03:20PM (#33267648)

    That's actually not true.

    http://slashdot.org/comments.pl?sid=1633482&cid=32008096 [slashdot.org]

    one of us actually was on that jury

  • Re:Not Surprising (Score:3, Informative)

    by Haffner (1349071) on Monday August 16, 2010 @03:26PM (#33267734)

    Try translating your argument into a different context. What if he wasn't employed by the government - should the punishment carry the same weight? What if he worked in a different field? It seems to me that if either of those conditions were different, he would have just been fired. After all, if a major company gives one person the password to their corporate bank account, and they won't tell it, did they really just steal hundreds of millions of dollars?

  • Re:Not Surprising (Score:3, Informative)

    by MightyMartian (840721) on Monday August 16, 2010 @03:37PM (#33267854) Journal

    I wasn't attempting to measure the justice, or lack of justice, in the sentencing. You do bad enough to go to the courts, well, be ready for whatever comes down. There's nothing in most legal traditions that requires every sentence for a crime be identical. It will be up to Childs' lawyer to try to get the sentence overturned, reduced, new trial, whatever.

    What I'm commenting on is the way in which a lot of guys around here just endlessly defend Childs, at best only giving a brief nod towards the fact that he had inadequately secured key data for a rather large organization's IT infrastructure. Part of the fault must surely be that there wasn't enough oversight, that he had been given too much power with too few strings, but even so, in his position, even taking his extreme view of the chain of command, a sensible IT administrator would have taken steps to assure the integrity of the infrastructure.

    Imagine if Childs had been killed in a car accident days before city officials made their demands? Would you be defending him? Would any of the IT guys who post here be defending him? He's the classic model of a prima donna, a self-important delusional nutcase who whether out of some megalomaniacal urge, or out of simple self-interest, made sure that he was indispensable. If I take the latter view, then yes, he deserves some judicial censure, whether jail time, or whatever. If the former, then what he needs is psychological help. Whatever the case, he's a shitty IT guy, pure and simple. I don't know him personally, but I know his type, the too-clever-by-half hacker types. These guys are dangerous to put in charge of any critical infrastructure.

  • by westlake (615356) on Monday August 16, 2010 @03:41PM (#33267918)

    2) Having been convicted, I would have run away. There are a lot of decent IT jobs in the Northeast..... almost 3000 miles away from the SF Government's reach. No different than running from Spain to Poland to start a new life.

    US Constitution, Article 4, Section II, Clause 2:

    "A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime."

    You achieve nothing in your interstate flight but a guarantee of conviction on a new and stiffer felony charge.

    You will be doing hard time even if your prior conviction is overturned.

  • Re:Not Surprising (Score:4, Informative)

    by turbidostato (878842) on Monday August 16, 2010 @03:52PM (#33268032)

    "They paper over the fact that if this guy had been hit by a bus, his employer, the City of San Francisco, would well and truly have been up a creek without a paddle."

    Which is a management issue, not a technical one, so the one to blame must be a manager. Was Childs in a manager-level position or in a "mere" technical one?

    "However harsh the sentence may have been, the fact is that Childs was a shitty IT manager."

    Truly so. But was he in a managerial position to start with? All I can find about him is that he was a "network administrator", a "network engineer" or an "IT administrator", never a manager, so he was not the one to say how the passwords should have to be managed nor the one to deal with policy violations. In fact, as per this reference (http://blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php) it seems clear that upper SF management agree this being a case of bad management: both Terry's direct manager and the security manager were displaced (they are not fired -yet, probably not to ashame that very SF upper management).

  • Re:Not Surprising (Score:2, Informative)

    by MightyMartian (840721) on Monday August 16, 2010 @04:31PM (#33268510) Journal

    I never said it was just. I'm trying to make the point that thumbing your nose all the way up the chain of command, whether to cover your own ass or because of delusions of grandeur, will guarantee that you have a less than sympathetic ear in court. He wrote the ending. Ask him why he did. The court is not bound in sentencing by the average that other IT administrators' malfeasance previously was set. Beyond that, as others have pointed out, none of these other situations are comparable; different jurisdictions, different criminal charges.

    And all of it could have been avoided if Childs actually knew what being a system/network administrator actually meant.

  • by BitZtream (692029) on Monday August 16, 2010 @04:42PM (#33268636)

    Because other citizens agreed that for what he did, this was a fair sentence.

    How do you know what he deserved if you weren't there at the trial listening to the arguments and evidence?

    Remember, there was a slashdotter on the jury ... who thought he deserved it.

    Does he deserve four years? I don't know, I wasn't there. What's better, I don't really care. He might have had my sympathy if it wasn't so crystal clear that he was an arrogant jackass trying to extort the city. He was on a power trip, so ... if the punishment for him is a little over the top ... well then it seems fitting considering his actions were most certainly way over the top and out of line.

    Personally, I would have been happier if he was never allowed to take advantage of any device containing a microprocessor in it. No cars, electronics, medical help, voting ... pretty much the only thing he could do would be to become a farmer on his own land with hand tools just to survive.

  • by PCM2 (4486) on Monday August 16, 2010 @04:50PM (#33268740) Homepage

    But in the United States the trend seems to be regressing thanks to grandstanding politicians and bloodthirsty voters who won't countenance even the slightest hint of being "soft on crime".

    That's not even the end of the story. Don't forget that a growing number of prisons in the United States are being privatized. There have already been cases of judges who have been convicted for imposing harsh sentences without appropriate judicial review, because they were accepting kick-backs from the prison industrial complex.

  • Re:Not Surprising (Score:4, Informative)

    by rickb928 (945187) on Monday August 16, 2010 @05:29PM (#33269202) Homepage Journal

    " Then the time came where they wanted the list of passwords. I asked them where the old list was and I haven't heard anything since."

    You realize that this is dangerously close to Childs' attitude.

    When they asked you, you should have (as I would) informed them that they had a list of the passwords from the CFO's safe. You have since changed them, knowing the safe was 'compromised', and you did not know the disposition of the contents. And then you should have delivered without hesitation, to the CEO, owner, or their authorized agent, the new passwords. And perhaps a written admonition to notify you whenever a critical executive or manager is dismissed, so that you can take appropriate action.

    When I was installing small-business systems, it was expected, mandatory, that I leave the business owner with those passwords and access details. When we provided access for our clients, the router configs were delivered on floppy (this is a while ago), and passwords again delivered as well. Where they had a trustworthy or critical telecom or cable provider, they also got a copy of passwords. All of these also got a disclaimer, that if the passwords were compromised or given to unauthorized agents, or changed without notifying us, our responsibility for the functionality of the system, and SLAs, terminated as of the action, not on date of notification. I had two or three incidents where the passwords, etc., were misused or compromised, and we did not have any real difficulty with the client. Once they changed providers and the new provider ran roughshod through the network with predictable results. We explained the policy, and they clammed up. The owner blamed us, but in a year we were 'back in'... In another case, the owner changed consultants and ditched us, and made the changes in the middle of the night without notice. Hey, it's a 'Haitian divorce'. When he did notify us, we of course offered all assistance, and saved the new player a lot of time figuring things out. That old boss saw no value in further annoying disgruntled customers or competitors. But if a client ever asked me for passwords, they got them. It's their system. If they really wanted to mess it up, they paid for it.

    Oh well, my $.02

  • by BitZtream (692029) on Monday August 16, 2010 @05:34PM (#33269242)

    Following his employer's rules?

    Okay, so you obviously haven't actually read anything but slashdot summaries.

    Before the police were involved, he was given several VALID ways to turn over the passwords.

    He broke policy FIRST by not using the City supplied configuration and password management system which he was supposed to be using ... according to city policy.

    Had he followed ALL the rules, he'd have just been fired and there would be no story.

    He selectively picked policies that suited his agenda and ignored the rest, using the ones that suited him to try and hide.

    Unfortunately for him, the city's only real choice was to go after him for as much as they could to make it clear this sort of shit isn't tolerated in the future.

    He's getting punished for conspiring to and eventually holding the city's network hostage. It was very clear during the trial that he planned to do what he did. It wasn't just one of those days where everything went wrong and he is being made out to be the bad guy.

    He went out of his way, broke multiple city policies over an extended period of time in order to put himself in the explicit position of holding all the cards.

    The city responded by simply pointing out that while he currently held the cards, they were simply going to shoot him and take what they wanted anyway.

  • by BitZtream (692029) on Monday August 16, 2010 @05:40PM (#33269290)

    If that's what happened we might consider thinking about it that way, but that's not what happened.

    What happened is the nuke plant's policy is to put all those codes in a known secured location so that authorized personnel can get to them. Instead he didn't do that, then when they wanted to move him over to being a janitor since he clearly wasn't a good admin he continued to refuse to follow policy and then refused to do anything else citing policy as his excuse.

    You don't get to not follow policy then use it as your excuse.

    You either follow it or you don't, he was picking and choosing to suit his agenda at the time.

    He also would never have been hired to work at such a location because they have better screening policies to prevent megalomaniacs from being that close to such potentially dangerous equipment.

    This situation wouldn't arise at a nuclear plant ... they would have shot him much earlier on for all the shit he was doing against policy.

    You might want to get some facts about the case ... like what he actually did and what policies he was/wasn't following.

  • Re:Not Surprising (Score:3, Informative)

    by Vancorps (746090) on Monday August 16, 2010 @05:52PM (#33269416)

    The point that I haven't heard anything since is pointing out that they screwed up and didn't want to admit it but couldn't point the finger anywhere else. I suggested to the COO and the CEO/Owner that we just keep it in a safe at his house. I regularly work up there too so it makes keeping the thing up to date relatively simple. Make no mistake, I am never the only person that has a production password.

    I definitely hold the people responsible accountable and the chain of command is jacked here as I've been through four bosses in seven years. When the new IT director came aboard per the owner's instructions I did not give him full access. I slowly increased his access as I felt comfortable with his abilities and now he has the same level of access I have which coincidentally means I can finally take a vacation. This I very much enjoy!

  • by baegucb (18706) on Monday August 16, 2010 @07:44PM (#33270480)

    Almost always, I have mod points. And I use them as best I can. And I agree with your sentiments mostly. Problem is, your post leaves me wondering if I should mod it as insightful or flamebait. Tone down the rant a bit, and you'd get insightful, but imho this is flamebait. And stupid. Just an fyi.
