San Francisco Just As Guilty In Terry Childs Case 330
snydeq writes "Deep End's Paul Venezia follows up on the Terry Childs sentencing, stating that the City of San Francisco is as much at fault in this case as Childs is. 'The way that the San Francisco IT department has been run is nothing short of abysmal, and that has been pointed out time and again by anyone paying attention to this case,' Venezia writes. 'Plenty of dirty laundry was aired out in court as well, yet through it all, the city has had a full-court press on Childs, and being both the plaintiff and the prosecution it spared no expense to drill Childs into the ground.' Worse, perhaps, is the disproportion of the sentence, when compared with recent convictions for intended malfeasance on the part of several notable rogue IT admins."
It's a question of policy (Score:3, Insightful)
Frisco's policy in this case is: "Punish what you can't understand".
And people ask about my new sliver hat (Score:4, Insightful)
Bad Headline... TFA not much better. (Score:5, Insightful)
You can skip reading TFA; all of it that's relevant to the headline is in the article summary.
Most of the article is pointing out other people who did worse things and got lighter sentences. Frankly, I think that's a useless argument; for any crime, you can just about always find someone who committed a greater crime and received a lesser sentence. So what?
I think there's a lot of an interesting dialogue to be had about the Terry Childs case, but this particular article doesn't add anything to that discussion.
That May Be True But... (Score:5, Insightful)
Re:Not Surprising (Score:5, Insightful)
Did a good job? The guy was keeping passwords and router configs in his head. He may be the best IOS programmer around, but that isn't the mark of a good job, that's the mark of an incredible idiot.
History of the World (Score:5, Insightful)
It's good to be the king.
Re:It's a question of policy (Score:2, Insightful)
The major (presumably a valid password agent) asked for the password over an open speakerphone while in the presence of a half dozen other people who were not valid password agents.
The boss did something similar (asking for the password to be given to him in an invalid manner).
Childs was screwed no matter what he did. Was he paranoid and did he overreact (probably).
Is the punishment legal? (sure), fair? (obviously not).
It's legal to give you a ticket for doing 66 in a 65. And to do so with cameras so you don't even know you got it. And to give you another ticket another mile down the road for the same crime-- every mile all the way home.
There are lots of things that are legal but not right.
Childs was made an example of.
The lesson learned is... you don't want to work for the government without a strong union and clear policies backing you.
More than one person to blame -- that's unamerican (Score:5, Insightful)
Wow, a nuanced view of the problems.
Before this post gets modded as a troll or flamebait, it is my humble and sincere view as someone born and raised outside the USA, that Americans are often obsessed by finding a single cause for a problem and the idea that there might be multiple causes is rarely explored.
Why the sympathy?? (Score:2, Insightful)
Re:More than one person to blame -- that's unameri (Score:5, Insightful)
The problem lies in that most US people seem to equal justice with revenge.
Re:Not Surprising (Score:5, Insightful)
Worse it is the mark of a megalomaniac. He was convinced he has made himself indispensable, that by keeping knowledge to himself, and endangering the systems in doing so, made his job totally secure. He though he ruled the roost and nobody could fire him. He found out the very hard way he was wrong. As the saying goes "The graveyards are filled with indispensable men."
The most important think in an IT person is that they are trustworthy. They have amazing access, and this that comes amazing responsibility. They need to be trustworthy to not abuse that access. He did, badly so. As such he really should never work in IT again. He's shown that he can't set aside his ego and such a person has no business having system level passwords.
Re:It's a question of policy (Score:5, Insightful)
Re:More than one person to blame -- that's unameri (Score:3, Insightful)
Re:Not Surprising (Score:5, Insightful)
Re:Not Surprising (Score:5, Insightful)
Whether he does or doesn't will be up to his lawyer to convince on appeal. The broader point here is that a whole lot IT guys seem to blindly be supporting him because he followed the letter of his contract to insane degrees. They paper over the fact that if this guy had been hit by a bus, his employer, the City of San Francisco, would well and truly have been up a creek without a paddle.
If this was such a big concern for Childs, why didn't he have these key passwords and router configs in the Mayor's office. Surely the Mayor has a safe or some other secured storage whereby this critical data could be securely stored in the event that the Mayor had to appoint someone else responsible. Where I work we have a safety deposit box where the originals of all the purchased software is stored, as well as a CD and hardcopy of all the passwords are stored. While it would probably be a bit difficult to keep going without me around, the guy that comes in after me would have a reasonably decent head start.
However harsh the sentence may have been, the fact is that Childs was a shitty IT manager. Being an IT manager is about a helluva lot more than being a clever router hacker, it's about documentation, about appropriate systems, and just as importantly about assuring, for whatever reason, that a smooth transition of IT management from one person or another can be accomplished. Childs didn't set up that damned network to benefit his employer, he set it up so that he was the cornerstone, and while the city has to take a lot of blame for not keeping a better eye on him, he violated some very basic tenets of sound IT operations and management. AS I've said before, I wouldn't hire the guy to manage a popsicle stand, I don't give a crap how brilliant he is.
Re:Bad Headline... TFA not much better. (Score:3, Insightful)
The only thing I can really get behind in the article is the fact that Childs was in jail for two years before his trial began. That sounds very much like a violation of his right to a speedy trial to me.
The rest, though, is pointless rambling about the nature of the legal system (even though he doesn't frame it that way, that's the heart of his problem).
He mentions a murder case where the murderer received a 1 year sentence. However, nobody has ever been convicted of murder and gotten a 1 year sentence. The minimums vary by state, but they are generally in the 15-20 year range. What actually happened was a plea bargain for the lesser crime of manslaughter (basically, an unintentional killing), for which a 1 year sentence is not uncommon. Manslaughter has varying degrees, the least of which is essentially pure accident. Depending on the level, the sentence can and should be very light.
You may think that's ridiculous, and it very well may be, but perhaps the DA didn't think he could close the deal on a murder charge, and so was willing bargain it down to something. Is it better that he be considered guilty with a slap on the wrist, or that he be considered innocent? That, unfortunately (or fortunately, depending on your perspective) happens a lot.
It's easy to twist things so they fit your personal views, but the fact is people who go the full trial period and are convicted typically get the highest sentences. People who plea down typically get the lowest. It's just a fact of life in the system. Chances are Childs had the opportunity to plea down to a lesser crime and get out with time served, but he more than likely felt that the gains for such a bargain would be minimal, and he could still potentially win the whole thing if he saw the trial through to the end. That's how I would view things if I were him, anyway.
Re:More than one person to blame -- that's unameri (Score:1, Insightful)
I think idiots worldwide seem to equal justice with revenge. It's just that in the USA it is hard to avoid these people. They flaunt themselves in public and on TV. There is no stigma to being an idiot in the USA, outside of academic circles. It's encouraged.
Re:Yet another "There oughta be a law" rant (Score:3, Insightful)
Justice is not about fairness. It's "did you break the law, and if so what's the stated punishment?"
No. That isn't justice. Justice IS about fairness. Justice comes first, and laws are supposed to support justice.
If all you have is a set of laws and the stated punishment for breaking them, all you have is the worst kind of bureaucracy. Assuming that laws are always right is one of the worst things you can do.
Typically, laws are not based of facts or rational arguments. They are based on which direction the politics of the day is blowing.
Laws are written by lawyers and lobbyists for benefit the few and powerful, enacted by legislators who do not read them before voting, and enforced by prosecutors who only care about their conviction ratio.
Every good nerd knows that justice can never be as simple as a rulebook.
Re:Not Surprising (Score:2, Insightful)
What if he worked in a different field?
He works in IT. Specifically, as a sysadmin like myself. That is extremely relevant to the case, and the fact of the matter is, as sysadmin, the very first rule is to never be the only one with access. Maybe put the password in a sealed envelope in the CEO (or Mayor's) safe, but make sure that several people know about the envelope.
What if you worked at a nuke plan and your boss wa (Score:4, Insightful)
What if you worked at a nuke plan and your boss wanted the codes over the speakerphone and you did not know if people on the other end where able to run the system and you know that your boss was not able to run the systems.
Re:Why the sympathy?? (Score:4, Insightful)
Because we have more than a couple of Terry Childs like people on Slashdot. You may notice that there are a fair number of posters here who are quite anti-social, and anti-authority. You also many notice that they think their technical skill makes them much smarter than everyone else. This tends to lead to a mentality of "My boss is an idiot and I should be the only one who makes any decisions on the computers." Maybe they've even forced that in their work. So they are sympathetic because it is the kind of thing they either want to do or have done, and they are worried that they might get in trouble.
Basically they are like him, and thus that makes them feel that his actions were correct.
Re:It's a question of policy (Score:5, Insightful)
Precisely. Whatever else Childs is, he's a shitty administrator. Do you think the city's chief comptroller has the only set of keys to important confidential accounting files? Do you think the city's chief personnel/HR officer has the only set of keys to personnel files?
As much as all of us IT guys have our moments of self-delusional self-importance, we are, at the end of the day, simply another aspect of any given organization's total infrastructure, and are bound by the same rules, and by the same basic set of good practices. You keep copies of keys, passwords, pass codes, whatever in a secured place. You don't keep them on laptops. You don't keep them in your head. You make damned good and sure that if you were hit by lightning the next morning your employer can assure continuity of operations. That is the most fundamental job anyone in a position of any kind of managerial authority in any organization has.
Re:More than one person to blame -- that's unameri (Score:5, Insightful)
You mean kind of like how a lot of non-Americans like to find the property of "being an American" as somehow intrinsically to blame in so many situations?
All people need to simplify. You will never understand everything, so you research carefully the things that interest you, and everything else needs to be ignored or fit into a bite-sized piece of intellectualism that you don't need to give any thought to. Nationality has nothing to do with it.
So What???? (Score:4, Insightful)
What do you mean "so what"?
First there's the question of precedent [wikipedia.org].
Second there's the question of just punishment [usconstitution.net]
I think geeks are confused (Score:5, Insightful)
While the city may have a shitty IT setup, is that illegal? Probably not. However what Childs did WAS illegal.
That is the difference. I know that some geek types seem to think the law should be whatever strikes them personally as fair but that isn't how it works. Childs broke the law, he was tried and convicted of it (and one of his jurors had a CCIE so none of this "stupid jury" bullshit).
If the city is being negligent then a lawsuit can, and should, be brought against them. None of that makes what Childs did right or legal.
Please, please would all Slashdot posters go and READ UP ON THE CASE before posting. The facts please, not the opinions form mother Slashdotters. So much uninformed kneejerk here. Slashdot itself had some good links, including one to an interview with aforementioned CCIE juror. How are you any better than the people you like to look down upon if you cannot be bothered to get your facts straight for something you have strong emotions about?
Re:It's a question of policy (Score:3, Insightful)
Didn't the guy offer to give the passwords to the Mayor but not to his boss, by his bosses (or department's) own policy?
I've not seen any evidence that the policy actually existed, outside of his imagination. If it was in writing, did the defence subpoena a copy and present it as exhibit?
Jail time is ridiculous (Score:3, Insightful)
What's he going to do, get another IT job and offend again? They should have given him community service. The guy's career has already been wrecked.
We are way too much about jail in California and the US. You shouldn't go to jail unless you are violent, or an incorrigible repeat offender. California is bankrupting itself putting taxpayers in jail for crimes like these and for smoking, it is fucking crazy.
The Parent nailed it! (Score:5, Insightful)
Furthermore, justice AND revenge both do not mandate prison and/or being subject to physical or sexual abuse. There are many things that can be done in BOTH cases besides the obvious one. Prisons cost too much money and have too much lobbying pressure to maintain or grow the punishment/revenge system we have today.
Having pedophile tattooed on your forehead should be enough...
Terry Childs is going to have career problems for life, no need to waste money holding him in a cage as if he was a wild animal threatening the peace - or even put an invisible fence around his house is not worth it.
Re:Not Surprising (Score:4, Insightful)
I like that rule, I wish it could always be the case too! I'll give you a real life example of my situation. I created said envelope with all the key passwords and sensitive documentation to allow another to step in should I be hit by a bus. It was placed in the safe in the CFOs office.
You may or may not have guessed it but the CFO was fired and his position was removed. Since this was an executive decision they of course waited until way too late to tell me. The COO and Controller emptied the safe and now I do not know where that paperwork wound up. I changed my critical passwords and VPN encryption keys. Then the time came where they wanted the list of passwords. I asked them where the old list was and I haven't heard anything since.
Now for my own sanity I still keep a copy of the records but it is no small feat to change all the sensitive passwords so I keep them in the safe of the owner who has already twice forgotten that he has it. He asks me for it personally sometimes. If the time came I don't believe he would know its in his safe.
This is why I can feel at least some sympathy for Terry Childs although he definitely didn't act in any way professionally. He deserves to be punished but his punishment doesn't fit the crime given what's been brought to light about his management.
My other question is why in a city the size of SF was there only one person responsible for critical city infrastructure? If two people had been working together the whole time then the project would never have been in jeopardy unless Childs managed to corrupt the second guy which I guess is possible if some the ineptitude of management was in fact true.
Re:Not Surprising (Score:3, Insightful)
So 4 years is just and appropriate because he was a shitty admin and had a bad attitude?
I may not personally feel sorry for him (haven't given that aspect much thought), but this is clearly a gross miscarriage of justice, and that outrages me regardless of the target.
Re:It's a question of policy (Score:3, Insightful)
Childs's defenders keep bringing up this moronic argument, and I really don't understand why.
Here's how a competent human being handles that: "I can't give you the passwords over speakerphone, so after this meeting call me on a regular phone and I'll give them to you." Similar for all the other 'invalid' requests. You politely ask the boss to contact you in a more secure manner.
It's not like he was in some sinister Catch-22, and it's not like the 'speakerphone incident' was the only attempt his bosses made to get the passwords. The guy was an idiot who thought he was indispensable, so he massively overplayed his hand.
Re:What if you worked at a nuke plan and your boss (Score:3, Insightful)
"Boss, I can't give you those codes over speakerphone. Call me back on a regular phone and I'll give them to you.
Doesn't matter. It's his system. You hand over the codes. And if you truly believe he can't run it, you quickly drive out of the blast radius.
Re:Not Surprising (Score:3, Insightful)
OK, consider if he were to behave like that in a bank. In a bank, he could hold money hostage, and cost the bank a fortune. So most banks implement separation of duties policies to prevent stuff like this, and their procedures would prevent a megalomaniac from rising to this position in the first place.
So we know there are proven procedures to protect a company from malicious admins, and those procedures are not secret. They could have been implemented by his bosses in city hall. But they weren't. Yes, his boss should be held liable for not adequately ensuring safeguards existed, and he should have been fired as soon as they jailed Childs. (That he wasn't stinks of favoritism, but those kinds of shenanigans are pretty much how every corrupt city operates under the covers.)
I'm pretty sure the punishment wasn't levied for the refusal to cooperate while he was employed, or of how the system did or didn't work after he was gone. The reason he got four years was how he behaved after he was ordered to turn them over by the court. You can generally piss off your boss and risk only your job, but lesson 0 is don't mess with the courts. They are the exact set of people who have the authority and ability to get revenge, and they love to show it.
For that matter, I doubt that either the courts or the city wanted anything to rush in this case. I'm sure they figured he'd get off with time served, and they wanted to ensure that he got plenty of that to begin with. The longer he sat in a cell, the more punishment he'd receive, regardless of the eventual outcome. That part is a complete abuse of the justice system, but when it's perpetrated by the justice system itself, well, there's nothing an individual can do except run against the scumbags in the next election.
Re:Custodial sentences for non violent crimes (Score:5, Insightful)
Once, as a young prosecutor, I asked what the big deal was about child rape. I was so naive and ignorant. That naivete was extinguished (to my embarrassment) when I was told of infant rape victims.
We are all naive and ignorant about important things. You are no exception. So please don't take it too bad when I say the following:
You idiot! Don't you know that a HUGE proportion of the homeless are MENTALLY ILL? Their CHOICE is often between living on the street (cheaply) or living in an institution (at great cost)?
P.s. Ayn Rand was a hypocritical ASS!
Re:Why the sympathy?? (Score:3, Insightful)
In the Childs case, he did withhold them from his Manager, and the Mayor (CEO) at first.
Doesn't matter. It wasn't his network. Just like the network you manage is not your network. If your boss decides it's time for his incompetent son to manage the network, you say "Sure. I'll need you to send me the request in an email, and then I'll give him the passwords". Your CYA file is complete, and then you charge an enormous consulting fee to fix what the son breaks.
What you don't do, and what Childs did, is say "No, you are all incompetent! I am the only one who can properly administer this network!"
Re:Not Surprising (Score:3, Insightful)
And all of it could have been avoided if Childs actually knew what being a system/network administrator actually meant.
More importantly the four year sentence could have been avoided if the courts actually upheld the constitution and laws of this country. Instead its much more common for the 'authorities' in any branch to react on a personal level, and really stick it to the people they don't like regardless of whether or not its appropriate. THAT is the real crime here. Personally I keep that in mind- and stay out of trouble. It bothers me a lot that people in power are allowed to act is such a petty and spiteful manner and are given a pass because 'the guy was a jerk'. Right, cause its only ok to be an asshole when you're in charge...
Re:What if you worked at a nuke plan and your boss (Score:1, Insightful)
You protest, you make damn sure your protest is written down on paper so you have a copy and rejected, and then you hand them over. When the shit hits the fan, you're covered. As sad as that may sound, this case has proven exactly that.
Once said nuke codes have been turned over to the incompetent moron, all bets are off. My advice is to get as far the hell away from the potential fallout area as possible, as quickly as possible. When they question why, you explain "I was forced to give the passwords to the reactor to a guy I wouldn't trust with a potato gun, under protest. Once I was forced to comply, under law, I wanted the hell away."
Re:Run (Score:4, Insightful)
True. The servers were property and he was withholding access to that property.
Essentially what they got him on was "denying services to authorized users", which takes quite a bit of intellectual contortion, since no-one ever proved that his actions directly prevented services to any end-users, only that his inaction (i.e. his initial refusal to disclose passwords after his employment was terminated) temporarily inconvenienced administrators,
The administrators are authorised users as well. They are authorised at a higher level. Why does the anti-hacking statute not cover this?
But the law doesn't really work like that. Intent is quite important. It seems likely that Childs deliberately arranged things in such a way that it would be extremely difficult for his replacement to administer the servers he had a right to administer.
What is even more amazing is there was a (supposedly) tech-savvy member of the jury, who should have been able to explain what a crock this was, but was swayed by the tech-illiterate arguments of the prosecution and thus could not, or would not, prevent this travesty of justice. He's even posted here on
He had access to all the evidence, and had an explanation of how the law works rather than the interpretation of a computer user, expecting the law to work like a computer and have no flexibility in interpretation at all.
Re:Not Surprising (Score:3, Insightful)
Childs wasn't just a jerk. He was an incompetent. The big mistake was ever letting the guy have even the smallest amount of meaningful responsibility.
Re:Not Surprising (Score:3, Insightful)
So he was bad at his job. But here's the question you're only giving a brief nod to: is being bad at your job a crime worse than murder?!
Re:It's a question of policy (Score:5, Insightful)
That's right. If he had been smart he would have just "deleted all company email, caused the email servers to spew out spam, and intentionally crippled at least some servers, rendering them inoperable [infoworld.com]" like Stephen Barnes did and been out of jail a year ago. Or perhaps he could have "deliberately and painstakingly attempted to sabotage the company he worked for, intentionally writing scripts to destroy valuable data [infoworld.com]" like Yung-Hsun Lin did and he would be out of jail in three more months.
But he got a much harsher sentence despite having not caused a single minute of outages on the network he was accused of conducting a denial of service attack on. Maybe someone ought to write (or read) an article comparing these widely disparate sentences.
Re:Not Surprising (Score:3, Insightful)
exactly! He DID give the passwords to the network's "owner" that was the Mayor within "reasonable" time, less than a week after being locked in jail. And he did so without any kind of civil court order to turn over the "property" so the city never actually established in court that they OWNED the property they accused him of "stealing". The PROPER procedure to follow would have been to get a judge to issue an order for Childs to turn over the "property", then they would have easily had him for contempt of court and could have sweated him in jail for as long as it took. As the DA and IT manager never LEGALLY ASKED for the passwords in any kind of binding manner his prosecution was literally under false pretexts, a waste of money, and abuse of official power.
Re:Not Surprising (Score:3, Insightful)
Childs wasn't just a jerk. He was an incompetent.
Are still on that?
If being incompetent in IT is a felony, we need a hell of a lot more prisons.
He certainly sounds incompetent, but he's in jail because hes a jerk- and thats _wrong_.
Re:Not Surprising (Score:3, Insightful)
It what way is he worse than the person that started it all off - the woman the was caught by Terry Childs in an office she shouldn't have been in and removing the hard drive of the person responsible for network security? Certainly authority was given later after the person responsible for network security resigned, but it looks like Terry Childs is a very minor case of overstepping authority in his own department. The entire thing is petty office politics in a disfunctional workplace escalated to the point where they put someone that did not roll over instantly to an unusual instruction into jail.
Think about that stupid ambush meeting tactic and you'll see there was no way there could be a good outcome - hand over the passwords to unauthorised people and he's in deep trouble, and it turned out waiting until the unauthorised people were out of earshot was deeper trouble and a media circus (met by the Mayor and a publicity agent instead of his boss, technical consultant, or anybody else interested in doing the job instead of camera time).
While a notebook full of passwords in a safe would have answered this problem, consider that the entire password issue is mainly a beat up because he handed them over anyway, and that anyone competant enough to work on the devices that had physical access to them could change the passwords anyway. Configuration information gets lost, but nobody gets locked out forever and THEY HAD THE PASSWORDS IN LESS TIME THAN IT TOOK TO GET A REPLACEMENT FOR HIM ANYWAY.
So that's it - jail for not handing over passwords to the wrong people and sitting and waiting for somebody else to turn up. I think you need to reconsider whether overblown emotive words like "megalomaniac" actually fit the situation. I suspect you are bringing in a pile of your own baggage from IT restrictions you suffer from and demonising this man as a Bastard Operator from Hell.
Re:Not Surprising (Score:1, Insightful)
The US has gone well and truly insane. Really. People here are all bat-shit bonkers. Before my life is over, it's going to get world class ugly. Smile and have a nice day!