Rough Justice For Terry Childs
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
The World's Largest DDOS (Score:0, Informative)
originates from here [microsoft.com].
I hope this helps your lawsuits from DDOS.
Yours In St. Petersburg,
Kilgore Trout
Re:Not trying to be a troll here, but... (Score:3, Informative)
The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password. He complied with that. He is basically being sued into oblivion because he didn't want the secretary, the press, and/or anyone else getting a hold of the password.
Re:Not trying to be a troll here, but... (Score:2, Informative)
That is what happened to Terry Childs.
Not DoS (Score:4, Informative)
Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?
Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.
Re:If I were taking an IT Admin position... (Score:4, Informative)
I understood that they had a set of policies for 'user-level' passwords (which this was not classed as) saying things like 'never disclose your password, even to your boss' and another set of policies for 'system-level' passwords, which these passwords were classed as. The policies for 'system-level' passwords say they must be stored in a centrally managed database: a policy that Childs violated by keeping them in a way only accessible to him. Under your model (assuming the above is correct) you wouldn't be absolved from prosecution in this case, because Childs hadn't followed procedures related to 'system-level' passwords.
It's all rather moot though, there is a systemic problem in any organisation which lets its IT be run in a way where someone can hold it hostage like this. The real lesson here is that institutional incompetence can lead to individual criminal liability.
If you're an IT admin working in the States then it's your geographic (not professional) situation that's putting you at risk of going to jail for something stupid like this.
Re:Heading this off--see link to juror (Score:4, Informative)
If the person mentioned was on the jury, and there is nothing I've read of his to suggest otherwise, I highly recommend reading his recent posts on his slashdot user page: http://slashdot.org/~BengalsUF [slashdot.org]
I learned more in 5 minutes about the case than I have over the past 2 years reading Slashdot and news stories. And, as it turns out, most of what I've read up until today has been embellished or simply was an opinion of someone who knew little about the case.
Re:Not trying to be a troll here, but... (Score:4, Informative)
I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.
In my experience (private sector, financial industry) that results in immediate termination of your employment. And that isn't theoretical, I'm aware of two instances at my current company. In both cases they had security guards escort them off the premises.
Re:Not trying to be a troll here, but... (Score:5, Informative)
If the superintendent of a school district says - "What's the password for root on the server?" You tell them.
No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.
Re:Not trying to be a troll here, but... (Score:5, Informative)
According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.
On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.
Re:Heading this off--see link to juror (Score:2, Informative)
I read that post, and the replies, and it seems to me the jury did it wrong. Particularly this post [slashdot.org] seems to hit the nail on the head.
A jury is *not* required to follow instructions to either absolve or condemn, otherwise what would be the meaning of it all? But too many jurors seem to be swayed by the judge's instructions, which should be mere guidelines. It's not the judge's privilege to make a decision in a trial by jury. In this case, the jury seems to have had a very technical interpretation based solely on the prosecution's version of what it means to deny access to a system.
Terry Childs, if what we read in many reports is true, never denied access to anyone who actually needed to use the system. His only crime was to use his best judgment on who should be allowed to access the passwords. He never denied access to the *system*, he denied access to the *passwords*, which is a different thing. I don't need to give you the keys to my house in order to let you in. I think the jury reached a wrong decision, because the law is very clear on this point.
It was his managers' duty to ensure that passwords were adequately managed, if they left that kind of decision entirely to Terry Childs then they shouldn't complain if his decisions weren't what they expected. When a manager lets a subaltern have total control of the passwords he cannot complain if that subaltern does exactly what he was ordered to do.
Re:Not trying to be a troll here, but... (Score:3, Informative)
What Tony should have said is "The passwords are in the secure password repository. Look it up yourself." The problem is that he couldn't say that because it was a lie to. He dug his own hole.
Re:Not trying to be a troll here, but... (Score:1, Informative)
Um, it clearly says "the scope of this policy includes all personnel who have or are responsible for an account... on any system...." This clearly is not limited to "user passwords" only.
Page 34 specifically says to "avoid"
- giving your password over the phone to anyone
and
- telling your boss your password
Two of the things they tried to get him to do.
Re:The case is very simple (Score:5, Informative)
He was required to store system passwords in a central repository. He violated the policy by failing to do this.
Re:Turn in your keys (Score:3, Informative)
Yes, you are. They are not your property, and never were.
Re: Initiative (Score:2, Informative)
It didn't come down to "You hand it over or we arrest you"; it came down to Terry getting ready to flee the state without telling anyone the passwords and the police having to arrest him to make sure he didn't.
Re:If I were taking an IT Admin position... (Score:3, Informative)
And when the person replacing him mucked things up, do you think they might not assume he sabotaged things?
Considering the ineptitude the new staff has shown, I can see why he would have been concerned.
Re:Jury Nullification (Score:4, Informative)
That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them.
The home town boy, the white bread kid, escaped the noose. The black man was lynched.
That has always been the reality of jury nullification - and the geek - the outsider, the prick, the weirdo - who looks to nullification for his salvation is a god-damned fool.
taxation without representation (Score:3, Informative)
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
That's pretty effin' funny, given that this country was founded after a revolution based on the simple concept of being taxed but not receiving representation in exchange.
So, uh, yes- if you're taxed, you damn well do get a stake in deciding how it is used here in the US. Fun fact: in the state where the revolutionary war started (MA), we have "town meetings"- and they're not the kind of Town Meeting you see politicians holding, which are basically just "get some people in a high school gym and have them ask you some questions."
No, see: town meetings are where the town (anyone who wants to show up) debates and votes on damn near everything from policies to budgets. The rest of the year, the town is run by a town council, also elected.
It's impressive to see an entire basketball court full of chairs, and 15+ rows on each side, full of town residents. Democracy in action.