Fate of Terry Childs Now In Jury's Hands
snydeq writes "Closing arguments concluded Monday in the city of San Francisco's case against Terry Childs, the network administrator charged with violating California hacking laws by refusing to hand over network passwords for the city's FiberWAN during a 12-day period in 2008. Childs was charged in July 2008 and has been held on $5 million bail ever since. The highly technical trial, which featured testimony from San Francisco Mayor Gavin Newsom and Cisco Chief Security Officer John Stewart, has dragged on for nearly six months. By Monday, five of the 18 jurors and alternates selected for the trial had dropped out, and the remaining jurors seemed relieved to see the arguments wrap up as they left the courtroom Monday afternoon. They will return Tuesday to start their deliberations. Childs faces five years in prison if he is convicted for disrupting service to the city's computer system by withholding administrative passwords — a verdict that, if rendered, puts all IT admins in danger."
Please Read the History... (Score:5, Insightful)
...before posting. The frenzy's already started. People - there's a long story here. Do not rely on this summary to tell you the details. Don't litter the thread with inane "he broke the law and should pay" comments. Your fellow non-readers in-spirit have done so on a minimum of twenty prior threads on this issue.
Please, please learn the backstory before commenting. Think of the children. Plus, some readers are getting on in years (35+). They can't handle the spiking blood pressure.
Re: (Score:2, Insightful)
Ok... I gotta know. Why troll? Whoever modded this - I don't mind a genuine disagreement of opinion. But seriously - I entreated the readers to actually know the story. Yes, I'm new here. But why troll? Post anonymously if you have to, but please explain - why did you think I was trolling?
Re: (Score:2, Interesting)
It's not always the people who disagree with you who are wrong. You shouldn't assume that other people must be ignorant and inane, because they happen to come to a different conclusion. That's sloppy thinking.
Re:Please Read the History... (Score:5, Informative)
Helpful links:
Jul 15, 2008 [slashdot.org]
Aug 23, 2009 [slashdot.org]
Dec 15, 2009 [slashdot.org]
Mar 03, 2010 [slashdot.org]
My solution in the past (Score:5, Interesting)
I have worked for small companies in the past where I was the sole administrator. My solution to this was to store a PGP encoded file on a shared drive with the passwords in it, locked with my asymmetric key and one with a random password. Either one would open it. I put the plaintext password in an envelope, sealed it, signed the envelope and had my boss sign it. The envelope got stored in the company safe and I could inspect it at will. If the seal was intact I knew I was the only one with the passwords and was still responsible for the system. If the seal was broken, it was agreed I did not have any responsibility for damage that might have been caused.
This gave my employers the confidence that they could recover from a disaster (hit by a bus, win the lottery, etc) and gave me the confidence that I didn't have to rule out assistance from well meaning but unskilled bosses when something broke.
Min
Re:My solution in the past (Score:4, Interesting)
I did something similar. Except I gave the President half the password, and the head of HR the other half. I figured since they didn't get along well, it would certainly have to be an emergency (and I would have to be dead) for them to get together and get the password.
It's hard to believe Childs will lose this thing (Score:3, Insightful)
That Childs acted maliciously, that he was trying to cause harm to the network. I have seen no real evidence that supports this idea. The city tried to say that he did it to keep them from firing him.
They also have to prove that his actions actually caused damage. This is problematic because the network never actually went down, his actions didn't cause damage. The city uses the twisted argument that the fact that they were unable to prevent Childs from accessing the network was damage enough, that Childs was the one they needed to defend against.
I did not sit through the trial, but it's hard for me to believe that many juries would find this to be true beyond reasonable doubt.
Re:It's hard to believe Childs will lose this thi (Score:3, Insightful)
Nope, he need merely say "evil hacker", blow a lot of smoke, and the jury will convict.
He's fucked (Score:3, Insightful)
Wait, you mean his fate is in the hands of 12 clueless "average" citizens?
He is truly fucked.
Re: (Score:3, Insightful)
These people are hardly average. Juries consist of 12 people who are not smart enough to get out of Jury Duty.
You assume that everyone is a self-absorbed shithead who doesn't give a fuck about his country or the justice system, and not just you. It's also worth noting that the easiest way to not be selected for the jury was to be a dumbass.
I've served on a Jury, and except for the filling out forms and waiting around part, I was interested, honored, and proud to be entrusted with that kind of responsibility. Self-important assholes who think they are a lot smarter than they actually are better off not being selec
Think Duress (Score:3, Insightful)
The moment Childs was threatened with jail by a credible governmental threat, then he should have surrendered the passwords.
Dude is a hardhead.
Re:honestly... (Score:5, Insightful)
They didn't "allow this person to get complete control of essentially EVERYTHING", they paid him to do it and not tell anyone the password except the mayor.
Technically, he should get a bonus instead of boned
Re:honestly... (Score:4, Interesting)
Welcome to America. My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area, the asshole federal building superintendent called up his asshole brother cop and he wrote it up. She did no damage to the door, they have no evidence, the cop was not even there. (Illinois it's a level 4 felony for doing damage under $500.00 to a federal building. $0.00 is under $500.00)
I'm paying $400.00 an hour to get this dropped because of raging Police and Court stupidity. The DA in that district is an idiot that thinks he needs to be "tough on crime". This should have been thrown away the second the officer turned it in, but new laws require them to pursue everything a cop turns in.
I personally have nothing but contempt for the joke that is our judicial and legal system.
Re: (Score:3, Insightful)
Wow... Just wow.
In times like this, I think the media is your best friend. Surely, there has to be some local investigative TV reporter who likes going after government excesses. If I were involved, I'd play it to the max and do everything humanly possible to get this retarded governmental behavior plastered all over the 6:00 news, and use the investigator to go after the state reps and senators to put pressure on these buffoons.
You and your daughter deserve public apologies and reparation from everyone
Re: (Score:3, Insightful)
Which media?
There was a time when reporters really cared about getting stories to the public. They even attempted to elucidate some measure of "truth", using certain ethics and journalistic principles which they held dear.
Today, thanks to the concentration of media ownership in the hand of a very few corporations, and the subsequent gutting of news departments and purging of investigative journalists, the news has become little more than a collecti
My dad the Lawyer always says... (Score:3, Interesting)
There is only one rule, The Golden one (He that has the Gold makes the rules; not the do unto others one), and after more than 20 years as a lawyer I think he holds the system in contempt as well, after being a True Believer, ultra straight edged, right wing, NRA/RNC boyscout for most of his life.
Re: (Score:3, Interesting)
No, I did not. The poster said "for kicking a door". That leaves out a considerable amount of context. She wasn't kicking just ANY door, it was a door into a federal office building.
Wow, you are amazing. What the poster wrote was, "My 18 year old daughter is getting charged with a FELONY for kicking a door. She was trying to get the jammed door open to get back to her work area,"
As in she kicked a jammed door that she had every right to pass through.
Sham debate tactic indeed, in your self-confident arrogance you couldn't have done a better job of demonstrating your point if you had tried.
Why should an employee get to kick in the door to a federal office building? The proper course of action is to call the maintenance people and report the door, not blast through it yourself.
Nobody is permitted to think or act for themselves. Exactly the kind of people we want working for
But he wasn't in charge of the network (Score:2)
At least, not anymore. And he refused to hand the passwords over to those who were. Consider what a finding in favour of Childs would mean; any admin upset about termination could hold on to their passwords out of spite.
The city does have some culpability. They should have ensured at least one other person had the passwords, in case Childs was hit by a bus.
Re: (Score:2)
Actually, the rules stated that he could only hand it over to the Mayor- which is what he did. Violating the rules could have had him facing similar charges they're trying to level on him.
Screwed if you don't, screwed if you do, I suppose. I know I wouldn't want to work for SF's city gov't now over this stuff.
Re:But he wasn't in charge of the network (Score:5, Insightful)
True enough.
The way we do it:
We have 5 USB tokens. To override a root login requires 3 of the 5 keys. Done deal.
In addition, I have a sealed envelope. My boss's boss has it locked in his desk. If I go AWOL all he has to do is open it and he's golden, keys to the castle are in there. I take the old one and replace it every 90 days.
Point is that if an admin wants to be a dick there is little you can do to stop them, however, an admin refusing to give out keys to anyone but pre-authorized people is admirable, not criminal. In the same boat I've done similar, but fortunately for me my boss had my back, rather than knifing it.
Re:But he wasn't in charge of the network (Score:5, Insightful)
Do you really want to go down the rabbit hole of advocating that a company has the legal right to enter a person's memory to retrieve/remove their "intellectual property"? Because if so, please go find some other universe and don't come back.
Re: (Score:3, Insightful)
I think, what most lay people don't understand is that the rule: 'Don't give out passwords indiscriminately' is equivalent to the Hippocratic oath for some IT admins
No kidding; every time I get a user who starts saying "do you need my password? It's Fluf-", I start plugging my ears and loudly saying "NO NO NO NO NO". Once they stop, I explain: 1) never share your password 2) when it is absolutely truly necessary, like life or death, never say it out loud unless you're in a cone of silence, watch the person you shared it with, and change your password immediately after they're done. 3) I don't ever want to know your passwords, ever.
Re:honestly... (Score:5, Funny)
Ten bucks says if he gets off the case he'll have a job as an iPhone hardware tester at Apple.
APPLE EXEC: "Where's the 5G prototype?!"
CHILDS: "I will personally hand it to Mr. Jobs and only Mr. Jobs only, as I can't trust the rest of you with such sensitive technology!"
Re:honestly... (Score:4, Insightful)
Well, when someone at a C-level asks the IT admin person for some password there are really three choices:
Those are pretty much the choices. There is no #4 where you get to "do the right thing" and walk away a free man. The fact that he had already left the organization meant his real responsibility was over. Trying to "save the organization from itself" almost never gets you anywhere and carries huge risks. Terry is about to experience the result of these huge risks.
My guess is the jury takes about 10 minutes to return a guilty verdict.
Re:honestly... (Score:5, Insightful)
> No, I haven't read the links or anything else. But it needs to be said.
Yes, ignorance always leads to well-reasoned opinions.
Re: (Score:2)
If decisions needed to be well-reasoned, virtually no politicians, journalists, CEOs or financial executives would be permitted within a mile of their workplace, advertising in its current form would be outlawed, and the Sci Fi channel would be showing Doctor Who.
Re: (Score:2)
With your aptly demonstrated lightning fast reasoning and judgment skills, I think you'll go far in life my friend...
Have you ever considered politics?
Re: (Score:2, Interesting)
The city of San Fran was lucky to get someone that has a backbone and some moral fiber. He was protecting the citizens of the city against complete IT ignoramuses who happened to hold positions of authority and leadership. If they were even a quarter as competent as him, his actions would have posed no threats whatsoever.
The situation is kind of like you closing the front door of your apartment and the landlord can't figure out how to turn the door knob. Why did you close the front door? Cause the land
Re: (Score:2, Interesting)
What I don't quite understand is how Childs was hired by The City to begin with given his criminal past.
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?pp=2&fp=&fpid= [cio.com.au]
Sure, he was convicted of burglary when he was only 17, so I'm not sure if he was classified as a juvenile under Kansas law. He was then charged with misdemeanor weapons possession years later.
The guy did his time, so I'm not holding anything against him personally... I just find it surprising that a government age
Re: (Score:3, Informative)
Actually your landlord argument varies by area and contract.
In my experience, with apartments, the management is generally allowed to come inspect as needed. They frequently are checking smoke detectors, leaks from other units, etc. They run into, for example, situations where a leaking pipe in an upper unit causes water damage in a lower unit.
With homes, it's less common for the open access verbiage to exist. The more you spend on a rental home, the better (ge
Re: (Score:3, Informative)
Woo! Big miss! The landlord (by default) CANNOT just come in without proper notice, at least by PA Landlord-Tenant Law.
Either way, the analogy doesn't apply at all. Childs wasn't leasing anything here. It would be as if the landlord here had a maintenance man who changed all the locks, and then wouldn't hand over the master keys to another maintenance man because the landlord wasn't there to say it was OK.
And that is still simplifying it WAY too much.
Re:honestly... (Score:4, Interesting)
Who on earth modded this interesting??
For the record, people mod posts interesting because they find them "interesting" not because they are correct. And complaining about modding is childish.
This has been discussed many [slashdot.org] times [slashdot.org], and I regret to inform you that your argument does not hold water. While it's a nice story to imagine this 'geek hero' standing up against the system, it's an airbrushed, romanticized version of the truth. This dude was out of line, end of story. He decided to try to flex his muscles, and he got taught a very valuable lesson that many could learn from. It was not his place to determine who was "competent" enough for the information.
The important point is that he was asked to give up that information after he was fired. In a sane world, Childs would have been able to tell them to fuck off because he has no obligation whatsoever to work for free for his former employer. Btw, this is one of the many reasons IT workers should be unionized. Unions could have laid down the ground rules to abusive workplaces like this and fined them for millions for their transgressions. Companies don't own you for life.
Re:honestly... (Score:5, Informative)
The important point is that he was asked to give up that information after he was fired.
Incorrect. Please read the case history [itworld.com] before repeating misinformation.
Re: (Score:2)
The city should be smacked upside the head for sure over this case, but not for the "reason" you mentioned - and while your smacking hand is still warm, smack yourself one for not reading "the links or anything else" and then commenting that "it needs to be said," and clearly not understanding Childs' job (or seemingly much else about this case).
Re: (Score:2)
No, that would be "flamebait".
Flamebait is a subset of troll. Trolls, according to the original interpretation (by my reckoning) are people who make disingenuously ignorant or incorrect posts in order to elicit corrective responses. Really, trolling is just making posts to get responses out of other people.
Good trolls make posts that seem like sincere opinions or sincere misundersta
Re:honestly... (Score:5, Interesting)
Does anybody actually have a copy of that contract? I keep hearing this, and I'm wondering whether it's true, or a distortion by his lawyer, or just some oft-repeated bullshit by those that want him to be a hero.
Re: (Score:3, Insightful)
What 12 guys in a room decide they collectively think happened has no bearing whatsoever on what actually happened.
Re: (Score:2)
Are any actual facts in dispute? This seems to be purely a matter of law. Are 12 undereducated laymen really the right venue for this?
Re: (Score:2)
they are a far better choice than 12 college graduate lawyers that think they are educated but really know nothing about technology.
Honestly, I have met a lot of lawyers and they firmly believe they know everything because they went to a lot of college.
Re: (Score:2)
FTFY.
But ya, a few years of school doesn't mean you know everything on all topics. That's why competent employers like experience. ... and staying with the topic, a jury of your "peers" doesn't mean that they are actually educated in the topic being discussed. I would be a competent peer on a whole variety of topics, but if I was on a jury for medical malpractice I w
Re: (Score:2)
The dumber the jurors, the more it comes down to who can afford the best lawyer.
Re: (Score:2)
Apparently you've not participated in Voir Dire...
In theory, you're right. In practice, however, it's not quite the same thing.
Re: (Score:2)
A number of facts are in dispute, or at least the interpretation of a number of facts, and that's why this case potentially "...puts all IT admins in danger..."
The city claims that Terry took a number of nefarious actions that endangered the network. They claim that he installed multiple modems connected to the network to allow him to access it without logging or auditing. Connecting a modem to the console port of a router or switch is a common back-up access method. It's the only way you can remotely ge
Re: (Score:2)
No I'm not.
Did he really? (Score:5, Insightful)
The fact that the case has dragged on this long and that some of the charges have already been dropped seems to highlight the fact that there is some doubt as to whether or not he actually broke the law.
Re:I don't think so... (Score:4, Insightful)
It's not as clear cut as that. From what I understand, he was operating under a specific protocol for release of the passwords, that excluded the possibility of him handing them over to his bosses at their request.
So what's more important -- following the established rules, or doing as your boss says? In a perfect world (not that we operate in one), the rules are more important than the individual. If the boss wanted the passwords directly handed over, then the boss should have gotten the rules changed to allow that.
Just because someone is your boss doesn't make you their slave. And if you believe your boss is doing something wrong, it is morally incorrect to do as you are told, even if you document your protests.
Although, it does seem likely the guy was being a jerkwad... that doesn't mean he was an incorrect jerkwad, or a jerkwad acting illegally.
Re: (Score:2)
Given that he was already fired, I would say the rules are more important than the boss. The rules are usually binding even after you are fired.
It does sound like he went about it the wrong way and that probably had a lot to do with him having a chip on his shoulder. If his boss had asked and he had said "I'm sorry, but your own policy dictates that I give these passwords only to the mayor under these circumstances" then this probably would have been cleared up that day. I'm sure he was more of an ass abo
Re: (Score:3, Interesting)
I get the same thing here at my company in IT security - lower-level store managers across the country who (supposedly) decide that one of their employees is loafing off too much and want their Web history for the past week or so. Or maybe they just want to know, how can I tell?
Of course, we don't use proxy authentication so it's insanely hard and time-consuming to even find that data with a degree of certainty, but even if I can, no way am I giving that up to somebody who I don't even know is definitely t
Re:Really? (Score:5, Informative)
The written policy was that he only gave the passwords to the mayor in a secure setting.
People besides the mayor tried to get the passwords.
The mayor tried to get the passwords in a non-secure setting.
They grossly over-reacted and were probably trying to violate their own written policies.
If they can force you to violate policies or go to jail for up to 5 years, then you don't want to be in that job since the penalty for violating written policies may be just as draconian.
Re: (Score:2, Informative)
His supervisors wanted the passwords.
The Mayor wanted the passwords - secure or not if the Mayor of the city you work for wants a password, you give it to them. I work in the public sector and while the head of the agency isn't my supervisor, if she asked for a password that she didn't need, I'd write it down for her.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case&fp=&fpid= [cio.com.au]
"First, despite the many news reports claiming that Childs had shut down all or part of the cit
Re:Really? (Score:5, Interesting)
No reference? Right in the middle of the "don't" list in the City's policy [sfgov.org] is "Do NOT disclose passwords to your boss".
Here, I'll quote it for you:
City policy? (Score:4, Informative)
Though hosted on a San Francisco government site, that document self-identifies as being the product of a trade organization composed of County sysadmins (and it does not list the "City and County of San Francisco" as one of the Counties whose members contributed.) Indeed, "San Francisco" doesn't appear in the document at all.
Can you also post a link to a place on the site where the city says they adopted this document as their policy?
(Also the quoted text doesn't support the allegation that the password was only to be "disclosed to the mayor in a secure setting". "Mayor" doesn't appear in the document, and "chief" only appears as part of "chief information security officer", not "chief executive".)
Re:City policy? (Score:5, Informative)
Sure:
The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853 [sfgov.org]
The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251 [sfgov.org]
Which basically says "follow the County security policy until we come up with something different"
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]
It could be the case that the committee has since eliminated/altered that paragraph, but if they have, they haven't updated that section of their website.
Re: (Score:2)
Which thing? Google was able to quickly verify what he said about giving the passwords to the mayor.
Re: (Score:2)
I think people are arguing over whether this was an actual written policy, or just a policy he made up. (I don't claim to know).
Re: (Score:3, Informative)
It was a written policy. You can find the base document here: http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]
Re:Really? (Score:4, Informative)
He was just being a dick. He used the policy as an excuse but 'the mayor tried to get the passwords in a non-secure setting' is just fucking bullshit.
Following policy is not an excuse, it's the right thing to do. If the mayor tried to get the passwords with 15 unauthorized personnel within earshot, it's a non-secure setting and he should not have given it up.
The city policy expressly states that you should not give your passwords out to your boss. The only people who were to receive the passwords were those who required the passwords to fulfill their daily job duties. Childs was the only person on staff who fit that description, and as such, it was against policy to give out the passwords to anybody else (except the mayor in a secure setting).
He may well have been a dick, and he probably could have defused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
They aren't nuclear launch codes and it was the highest man on the totem pole.
There very well could have been legal ramifications for handing out those passwords to unauthorized personnel. That includes his bosses.
I've got a news flash for you - in 12 days, management that doesn't know shit about networks can really fuck things up bad if they are allowed to mess with it. They were the last people he should have been giving access to, and anybody who actually works with this equipment knows that.
Imagine what would have happened if he had immediately turned over the passwords, management started mucking about, and they accidentally shut down half the network? You know what would happen then? This guy would have been fired for violating City policy, and possibly held legally responsible for the costs incurred. God forbid anybody should die in the process, then he's really fucked.
The fact is, from what I can tell anyway, Childs did the responsible thing but his bosses went on a fricking power trip and had him thrown in jail without ever following the proper procedure for any of this. The assholes here are the management, even if the guy is a dick.
Admins should just run the country rather than doing their jobs as they're told.
Just want to point out that this guy is on trial precisely because he was doing his job as he was told.
Re: (Score:3, Insightful)
He may well have been a dick, and he probably could have defused the whole situation, but that doesn't mean he isn't right, and it doesn't mean his bosses should be allowed to throw him in jail for following policies that could very well have landed him in jail for not following.
True. But it does mean that I and many others like me aren't going to get all up in arms about it, because most people don't feel sorry for dicks.
Re:Really? (Score:4, Informative)
Mod parent down. His job was to keep the network secure, and the people demanding the passwords didn't have a right to know them. He told the mayor instead.
This is, of course, after they fired him without demanding the passwords first.
Re: (Score:2)
The people who demanded the passwords were Terry Childs' supervisors.
Not if he had already been fired.
Re: (Score:2)
I can't say for sure what the policy was in this case, but there are plenty of places that have a policy that would preclude you telling your direct supervisor your password. In a federal, top secret environment doing so could easily land you in prison.
Re:Really? (Score:5, Insightful)
"He was an employee and this was the city's property and he refused to give up the passwords. Sweet Zombie Jesus"
The city's property? Who the hell is "The city"? Did "The city" appear and he refused to give the passwords to him (or is it her?)? Or are you implying that since it was "the city's property" he should give the passwords to any citizen that would happen to ask for them? Because as soon as he was asked for the passwords by the proper person (the mayor) at the proper environment (face to face with him without unknown people in sight) he indeed promptly passed them out.
"then IT Managers will be able to hold sway with the passwords."
You can bet no IT Manager would tell the passwords to the janitor no matter how much "the company's janitor" it is.
Re: (Score:2)
The City. Townsville. Where the Powerpuff girls live. You know.
You really think the mayor should step? (Score:2)
Just for him, or for every disgruntled former employee who's petulantly holding on to city property?
Re: (Score:3, Insightful)
Yes, The City did appear, or at least its duly elected representative, 'The Mayor of The City', who told him to give up the keys, to which he refused citing some more bullshit about it being an unsecured facility ....
There are also several other people that represent the city and most likely are legally allowed to assume responsibility of infrastructure in the case of emerg
Re:Really? (Score:5, Insightful)
technically correct; The best kind of correct.
Re:Oh shut up (Score:4, Insightful)
You are not a real, proper IT geek until you've either been fired or quit over this sort of nonsense.
Securing systems from morons is just part of the job.
Re:Oh shut up (Score:5, Insightful)
Imagine that you're a general contractor, doing home improvement work for Bob and you hire a locksmith to install locks. When they finish the job, they refuse to give the keys to you, and only to Bob, because they're worried that you might make your own copies before you give them to Bob? Do you have them arrested and thrown into jail, or do you just have Bob get the key from them?
How about the same situation, but now you're Bob. You come home, your general contractor is out to lunch, and the locksmith has just finished up, but he doesn't actually know you, just the general contractor and so he won't give you the keys? Once again, do you treat this as a criminal situation, or do you just call your contractor and have him sort it out with the locksmith?
Once again, same situation, but now you're the locksmith. You've just finished up. Neither the contractor, nor Bob is around, but Bob's ex-wife arrives. You've met her before, so you know who she is. She seems to be free to come and go when she comes by shuttling their child back and forth. She was even in charge of the renovation project, even picking out the new doors and doorhandles you've just installed locks in. However you've never actually seen her there when Bob wasn't home and you don't know if she's actually supposed to have her own key. She insists that you give her the key. Company policy says that you're only supposed to give the key to the homeowner, and she doesn't seem to quite fit that definition. So, you insist that you'll give the key to Bob and he can make her a copy. So, she calls the police and has you arrested and thrown in jail. Then Bob comes to your cell and you give him the key as you said you would. Then you get held over for trial with bail set ridiculously high even though you're not a flight risk, on the justification that you could break into Bob's house even though the locks have been changed again. Let's face it, of course you could break in, you're a locksmith, but what have you done that makes anyone think you'd be likely to?
Re:Oh shut up (Score:5, Interesting)
But that isn't true. If the written security policy states that that person, even if it is -your boss- isn't to have the password. Then that person doesn't get the password, no matter how many times they ask. Written policies exist to lay down the foundation and rules.
I've been in similar situations back when I was working as an admin. We once had an executive VP demanding we give the password to a machine to someone not authorized to have it (And no, the VP did NOT have authorization or power to change that policy, he was NOT in charge of security). He threatened to fire us. We told him to go ahead, but that the only people who got the password were our replacements or other authorized individuals. He DID have the power to fire us. But that STILL didn't give him the power to demand that password, or that the security policy be changed.
Companies, and I'd imagine city governments too, have policies and chains of commands on all sorts of things. These things are usually written down somewhere so as to be enforceable. And THOSE are the things that matter. I don't remember ever working as an admin where my immediate supervisor had a root password to anything or his boss. But the good ones all knew that it wasn't their job to know those things, they paid me to keep those secure from people who asked. Even if that meant some pip-squeak with a highly placed friend.
And are irrelevant on termination (Score:3, Insightful)
The organization's policies are no longer any of your business once you leave their employ. They're not law. If they want to violate them, that's their concern, not yours.
Re: (Score:2)
A written policy can't fire you and won't be there to help you get your job back. When in doubt, do your job (though it helps if you can get the request in writing to CYA later).
Re:Oh shut up (Score:5, Insightful)
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access.
Yeah, say that with a straight face to the guy demanding the root password because he read "it was important", and you got a call last week from him asking you to change his desktop wallpaper because "it got stuck". IT admins not going in for that kind of nonsense is a compelling reason why large sections of the internet don't slide off the side of the planet in a dribble-like fashion.
This guy was responsible for critical public infrastructure -- infrastructure that kept working for months after they fired him. They broke it repeatedly after gaining access, and it took hundreds, if not thousands, of billable hours to repair the damage that happened when those owners and their "designated agents" got their hands around the gooey core of the network.
Justice is about harmony, not law and order.
Re: (Score:2)
> This guy was responsible for critical public infrastructure -- infrastructure that kept working for months after they fired him.
But he wasn't responsible for it after he was terminated.
Re:Oh shut up (Score:5, Informative)
Under the very same anti-hacker law that Childs is being tried for breaking, had he given the passwords to the wrong people after his termination he could be held criminally responsible.
In other words, you don't give the keys over to the janitor when you are terminated, you give the keys over to the authorized representative. If he is in a situation where he doesn't know exactly who is authorized, then the right thing to do is to hang on to them until he knows that the person he is giving access to really is supposed to have access. You can get yourself in an assload of trouble for not doing this. To get in an assload of trouble even if you do it puts IT administrators between a rock and a hard place.
Once an authorized representative requested the passwords, he gave them to him. The mayor was almost certainly higher than necessary to get this done, but he may have been the only person Childs knew for a fact was authorized and whose identity he could also verify.
These were passwords to Cisco routers and switches. He didn't lock anybody out, nobody else was ever authorized access in the first place! The first article to come out about this case said Childs changed everyone else's password and only granted himself access. That's patently absurd - the Cisco equipment they were using only takes two passwords - one to get into the router/switch, and one to make configuration changes. That's it. There are no other passwords to change, and he kept them the same across the entire network. Because there are no other passwords to change, it is absolutely critical that only those who need to know the password know the password. According to company policy, nobody else needed to know the passwords, since he was the only one who worked on the equipment, and therefore nobody else was authorized to know the passwords. The city policy expressly forbids giving the passwords to your boss if your boss is not already authorized to know them.
The way it sounds to me like it happened was something like this: Childs's bosses wanted the passwords because they did not trust him having sole possession of the passwords. He refused to give them the passwords because they were not authorized to know the passwords. At this point, instead of calling up someone who was authorized to receive the passwords (the CISO, according to city policy) and having Childs give them the passwords, they held a big meeting - including a teleconference - and demanded he give up the passwords or they would fire him. They may have done this because Childs was being a dick about the whole situation, but the fact is even if there was an authorized individual he could give the passwords to at this meeting, he couldn't share because there were unauthorized people present. At this point, they fired him, and when he refused to give the passwords up (because the people asking were still not authorized) they had him arrested under California's anti-hacking laws. They drummed up all sorts of nonsense charges, but the only thing that had any chance of sticking was the password issue, and even then it took a year and a half to build the case. In any case, as soon as he was able to give the passwords to an authorized individual - and only an authorized individual - he readily gave them up.
It's worth noting that things were running smoothly until the guy's bosses were finally able to access the system, at which point things started to break because they didn't know what the hell they were doing.
Kinda makes you think the policy was there for a reason, huh?
Re:Oh shut up (Score:4, Insightful)
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple.
It's so simple, it sounds like that's exactly what Terry Childs did. He may have withheld access from a "designated agent" for a while, but he had no way of verifying exactly who the designated agents were. Would you suggest he just take their word for it?
Re:Oh shut up (Score:5, Interesting)
Who owns those systems? Not his boss -- the City does. And the City did not give his boss authority to get the passwords directly from him. The City established a set of rules for transferring the passwords, and his boss tried to circumvent those rules.
This guy's boss was not acting within the rules established for him to act as a proxy for the City (if we're going to follow your ownership logic). So who's acting responsibly... the guy who chose to follow the rules despite the risk of adverse personal impact? Or the guy who wanted to ride roughshod over the rules in the interest of expediency?
Re:Oh shut up (Score:5, Insightful)
Horseshit. Refusing to comply with an order when that order is illegal or against the rules that both parties operate under is definitely justified.
So it's all about CYA? That's weak, man. What if Terry was truly interested in maintaining security over the systems? What if Terry suspected his boss would plant evidence to condemn him?
I don't want to invoke Godwin's law, so I won't directly. But you do understand the implications of what you're saying, right? That as long as you're following orders and documenting that you believe it's against the rules, then you're OK, because it's the easiest way out for yourself?
Screw that. Principles are more important than CYA, and I've put my money where my mouth is on that issue on more than one occasion.
Re: (Score:2)
So, if your boss said give me access to erase all the fraud I been doing, you are ok with that, cause the policy said so? Wait till shareholders get a bead on that and you end up in the same boat as this guy. That's pretty much what Fastow did in the Enron case.
Re: (Score:2)
If you know your boss is doing fraud, but didn't say anything about it.. either you're IN on it, or you should have already called the Feds.
PS: That's what backups are for.
Re:Oh shut up (Score:5, Insightful)
Just that simple, huh? So let's say the Dean for Admissions demands you give him the organization-wide root or domain admin password. Will you? What if it's the dean for admissions, two members of the board of trustees, the chief of campus police, and a computer lab tech from the biology department, and all want you to give the password to the lab tech?
If the policy states you shall not give the password to anybody but the CIO, and all of these "designated agents" come to you and demand the password... are you going to give it to them?
Let's say you quit your job, and three days afterward they call you asking for the passwords. How do you know if the policy changed? Maybe the CIO was fired. How do you know these are still the "designated agents"?
These are the types of problems that arise from this prosecution. The law gives organizational policy the force of law, without realizing its limitations. So before you tell us to "shut up", you might want to think about the ramifications of that first.
Re:Oh shut up (Score:4, Informative)
Oh, but that won't happen to anybody else, right?
Re: (Score:3, Funny)
It is real simple: Whoever owns the systems, and their designated agents, have a right to have access. If they ask you for access, give it to them. It's that simple. You don't have to give them your password, you do have to give them a password that gives them access.
Let me provide you with a real world example:
Edward Diego should have never been given access to Shodan. Sure, a hacker gave him access, not one of the station admins, but that's quibbling. The main point is that stupid people shouldn't mess with AIs controlling space mining lasers and robots.
Re:Oh shut up (Score:4, Informative)
This keeps cropping up in this thread, and I don't know why. The policy is online, and does not contain the word "Mayor", or the phrase "designated agent", or any of the many other things that are supposedly in it. So he did not follow policy in this respect.
What is in the policy is the actual policy for system level passwords, and the enable password for network kit is definitely a system level password. It states:
"All production system-level passwords must be part of the security administered global password management database."
Simple, clear, and Childs was definitely in breach of it: only he has these enable passwords, and did not put them in the database.
For him to argue that the rules for personal passwords applied to system-level passwords and take it to ridiculous extremes - well, this was always bound to end in tears.
Re: (Score:3, Insightful)
This guy took over this system because he felt entitled and a sense of ownership. He created a little fiefdom which grew in power as the department was gutted due to budget cuts.
http://www.cio.com.au/index.php?q=article/255165/sorting_facts_terry_childs_case [cio.com.au]
Then he got all uppity because someone else was auditing the network, oh someone of higher rank than he was. And then he threatened that supervisor into running away from him and hiding in their office.
It sounds like he was full of himself, the hard work
Re: (Score:3, Insightful)
I wish I were on the jury so I could vote guilty.
Is this the kind of justice you have down under? All it takes is just one guy writing a story based on one long email that he received from an anonymous source, and you're ready to hang the defendant despite the fact that you haven't heard anything from his side yet. Wow!
Re:I fail to see how this puts me in danger (Score:5, Insightful)
(which btw, people further up the food chain, including the highest ranking person there, told him to ignore in this case)
The highest ranking person there doesn't mean shit if the highest ranking person there isn't authorized by the city to make such a decision.
What happens if you give the passwords to someone who, according to the IT Security policy which you had to sign a binding legal agreement to uphold, is not authorized to have the password and it leaks out, putting the entire infrastructure at risk?
What then? That's pretty much exactly what happened here. The people who were telling him to ignore the policy did not have the authority to tell them to ignore policy - it was binding on them too!
I'll tell you what happens if he gives the passwords to people he shouldn't. In the case of a private entity, not only can you be fired (and rightly so), but if your actions led to the leaking of information that must be kept secret by federal privacy guidelines then you can be held criminally and civilly liable as well. In the case of a government entity, it's almost a certainty that you can be held criminally liable. This system absolutely had sensitive data on it, and it was part of his job to make sure it did not get out.
So what the hell are you supposed to do? Give up the passwords in spite of security policy and go to jail when stuff breaks or private data leaks, or refuse to give up the passwords and go to jail anyway? What the fuck man? I'll admit, it sounds like Childs was being a dick about the whole situation, and had he been more diplomatic he could have defused the whole thing early on, but what if it's your bosses being dicks, and nothing you do to try to do things the right way works. I've seen office politics, and some people know how to stir up a shit storm in a hurry to get rid of someone they don't like.
In any case, nobody should lose two years of their life for no better reason than they were being a bit of a dick at work.
There are REALLY simple ways to handle these solutions.
You're right, and they were laid down in policy format, and his bosses didn't follow them.
When are admins going to realize they are nothing more than computer janitors?
That's funny, they get paid a hell of a lot more than janitors do.
Re:Here let me fix that for you (Score:5, Informative)
County policy document [sfgov.org]
Section 4.1, page 32.
"All production system-level passwords must be part of the security administered global password management database."