Forgot your password?
typodupeerror
Crime Security The Almighty Buck The Courts

Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M 488

Posted by timothy
from the rough-justice dept.
0WaitState writes "A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
This discussion has been archived. No new comments can be posted.

Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M

Comments Filter:
  • by L4t3r4lu5 (1216702) on Wednesday May 18, 2011 @07:17AM (#36164216)
    I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.

    Like I said, a /. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?
  • by Moryath (553296) on Wednesday May 18, 2011 @07:21AM (#36164240)

    It's probably billing him for the temerity to actually take his case to trial.

    You know, exercising his constitutional rights. That's something the "justice" system has to punish at all costs.

    Here's some info for you. [fhsulaw.com]
    Here's more [slate.com].

    Or, to put it in a more sinister way: You get a heavier sentence if you insist on asserting your constitutional rights to a trial, to confront your accusers, to privacy from searches without probable cause, to avoid incriminating yourself, etc.

  • by Anonymous Coward on Wednesday May 18, 2011 @07:31AM (#36164318)

    Certainly the management of San Francisco has some responsibility for what happened.

    However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.

    The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining control of the systems while Childs refused to cooperate. Those attempts cost some money, and that's money that would otherwise be billed to taxpayers.

    Why should I feel that Childs is being treated unfairly? He had to know that if he fought those in power, they would find a way to take him down.

  • by Anonymous Coward on Wednesday May 18, 2011 @07:38AM (#36164374)

    How is it out of hand? It's been reported that the spent $900,000 [computerworld.com] trying to regain control of the network. The amount that he is being asked to pay is not particularly excessive. Would you prefer that $900,000 gets billed to taxpayers?

  • by seniorcoder (586717) on Wednesday May 18, 2011 @07:53AM (#36164508)
    Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though. A firing for unprofessional conduct: sure. A $1.5M fine? This just adds to the farce. I'm sure the head of the IMF will get a fair trial. He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail. They have been tried in the media but not put in jail.
  • by doperative (1958782) on Wednesday May 18, 2011 @07:53AM (#36164512)

    Mr. Childs clashed with the new Security Manager [shortinfosec.net] on the subject of authentication and control, which led to poor formal review.

    Sorting out fact from fiction in the Terry Childs case [yahoo.com]

  • by hesiod (111176) on Wednesday May 18, 2011 @07:58AM (#36164546)

    he's paying it to the department of technology, not justice

    Just because it's not a court-ordered bribe doesn't mean it's definitely not a punishment verdict.

  • by Anonymous Coward on Wednesday May 18, 2011 @08:01AM (#36164564)

    He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.

    When I was fresh out of school, the first man who hired me turned into a total nightmare of an asshat after about 3 months (not just to me, essentially to all his new hires who were proving themselves to be more capable than himself - apparently, until this point in his life, he had always been the boy genius...) So, being barely 20 years old (read: immature) my response was to encrypt all my backups and create a wipe script for the work I had done, such that a 2 letter command would erase all my work for Sr. Asshat, and only execution of another two letter command plus password would restore it.

    It was not a professional or productive reaction, it was a human one, one that was brought out of me by serious injustices, i.e. being jerked around by an idiot in an attempt to make himself feel powerful. I never issued the kill command, in point of fact, Sr. Asshat's boss protected me from him and eventually gave me his job, but not everyone is so lucky.

    20 years later, a similar circumstance arose, except in the latter case I had absolutely no desire to hurt the larger organization and would never have created a kill script - even if the junior toad who was tasked with easing me out the door deserved it for the way he handled the situation, half a dozen other people in the organization, and all the potential future beneficiaries of the tech I "productized" over the last year, didn't.

    If society continues to depend on people who they marginalize and mistreat, there will be more Terry Childs in the future, and the potential for spectacular damages far in excess of $1.5M of court costs exists.

  • by Richard_at_work (517087) <richardprice AT gmail DOT com> on Wednesday May 18, 2011 @08:11AM (#36164646)

    How much is a full review of the network, from the bare bones upward, including reflashing all firmware, and checking all servers going to cost in a city wide network?

    $1.5m would be cheap for that.

  • by DrgnDancer (137700) on Wednesday May 18, 2011 @08:43AM (#36165018) Homepage

    The problem often comes in determining at what point "marginal and mistreated" ends and "sociopathic desire to hurt anyone who slights me" begins. For every anecdote like yours, there's another about a geek who was simply paranoid or antisocial enough to *feel* victimized by the normal churn of the day. A guy (or girl) who wrote your kill script, or something worse, with the full intention of using it. It's not even hard to imagine such a person (your old boss seems the type). Which is more common? Really hard to say, ask employees and they'll probably say your situation, ask managers, they'll probably say the opposite. Most people can't point to more than a handful of examples of either situation though.

    Businesses and governments clearly need to watch out for and prepare for either situation. Ironically, your anecdote shows that at least in the first of your two cases, your company was doing exactly that. Someone did notice your boss' bad behavior and did something about it. Management isn't *always* incompetent or out to get you. In this case their actions both protected the marginalized and mistreated workers, and hopefully avoided a future Terry Childs situation on the form of your obviously immature and potentially dangerous boss.

    In the case of Child's himself, there's a significant disconnect as to whether he was a marginalized victim, or a childish asshat lashing out at perceived injustice. To hear him talk sometimes, he was the former. Other times, he seems a lot more like the latter (obviously management thought he was the latter). I'm inclined to believe that, while he probably doesn't deserve the level of punishment he's gotten, his actions were blameworthy.

  • by fifedrum (611338) on Wednesday May 18, 2011 @08:56AM (#36165212) Journal
    It blows my mind that the guy spent any time at all in jail for this, especially after the city lied about the access (they had access several days before he tuned over the passwords). It's worse when the city again lied, time and time again, in fact, in painting his actions and configurations as nefarious when they're all common practice. The sniffer thing, the modem stuff, the paging issue. Those lies the city told should have been a get out of jail free card for him by painting the city as the scumbags they are.

    He did one thing wrong to his bosses, his bosses (via lawyer proxy, I assume) then turn around and lie in court, which is the real crime.
  • by jimrthy (893116) on Wednesday May 18, 2011 @09:24AM (#36165564) Homepage Journal

    Along the same lines, this is why so many innocent people wind up striking plea bargains.

    A friend of a friend is currently serving the second year of a one year sentence (!) for a crime he didn't commit. He didn't take it to trial, because the prosecutor threatened him with 10 years, and his lawyer convinced him that it just wasn't worth the risk.

    I'm not claiming he's an innocent man. Just that he didn't commit the particular crime he's actually serving time for. It's a "Sleep with the dogs and pick up their fleas" sort of thing.

  • Re:Perhaps.... (Score:4, Interesting)

    by suso (153703) * on Wednesday May 18, 2011 @09:54AM (#36166036) Homepage Journal

    It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.

    That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security serious enough, who was that? Oh yeah, the security folk at Boston Logan International.

    And how about this guy from last month:

    http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/ [geek.com]

    I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.

  • Re:Perhaps.... (Score:4, Interesting)

    by powerlord (28156) on Wednesday May 18, 2011 @10:53AM (#36166898) Journal

    Part of the problem is that the level of Security or a System is inverse to its level of Accessibility.

    The more people can access systems and the more they can do with them, the less secure they can become.

    The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.

    I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).

When all else fails, read the instructions.

Working...