Rough Justice For Terry Childs 418
snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"
If I were taking an IT Admin position... (Score:5, Insightful)
I think I would want to draft up a very clear - and legally binding - agreement that I would want my superiors in management to sign on behalf of the company. It would spell out in specific details, the security policies, security review process, enforcement etc. It would absolve me from prosecution unless I violated any of the very specific rules that were listed. If my superior changed, they would have to sign the document when they took up their position etc.
I wouldn't likely get the job, they'd hire someone who wasn't so paranoid, but I don't think I would want to take a job where if someone in management decided to break the rules, and I tried to apply those rules for the sake of ensuring I didn't violate the trust that had been placed in me, then I wasn't liable for prosecution either way, like Childs was.
Now, he could have handled things differently I am sure, but he might have been prosecuted either way from what I have read so far. I would like more details in an objective report on the situation.
Re: (Score:2, Interesting)
Re:If I were taking an IT Admin position... (Score:4, Insightful)
You have a boss who makes the rules, if your boss later tells you to break the rules then you do it.
Just like Enron's accountants?
Sorry, no. If your boss later wants to change the rules, there's likely a procedure in place to do so, but they can't simply do that by fiat. That's the whole point of having a policy in the first place.
Re:If I were taking an IT Admin position... (Score:5, Insightful)
Changing the rules isn't always the same as breaking the law. If you boss tells you to never give out passwords, and then asks you for a password, and when you refuse says he's changing that rule, it is whole different thing than your boss ordering you to break a law regarding financial accounting laws. Especially if that boss was the owner of the company (which isn't the case in either your example or Childs, of course.
Though I've seen so many different things on this case I'm not sure where I stand. It seems to depend on the specifics. If the rules were such that it actually said he couldn't release the passwords except to the Mayor himself in person then I'm probably on his side. But otherwise someone like the Mayor likely does many things by proxy, so he may have just been acting the fool (to quote Judge Joe Brown). The devil's in the details I guess.
Re: (Score:3, Interesting)
I think the overall issue is that you can't take an IT Admin position working for the a Local, State or Federal public entity in the US since you're damned if you do (give the passwords) because of laws and regulations and damned if you don't since they'll take you to court and have you convicted anyway.
Either stay away from those positions or ask for a significant premium on your salary/rate to cover the legal risk.
Re:If I were taking an IT Admin position... (Score:4, Insightful)
If you're not comfortable doing what you're told, then quit. (Or, in the case of Enron, go to the SEC or whatever.) Even if you believe that all people have a right to a job, nobody has a right to a particular job.
It's a great theory, but it's also hopelessly naive. The rules don't apply equally to everyone. It sucks that the world works this way, but it does, and that's never, ever going to change. Behaving as if the rules your boss tells you apply equally to him is an exercise in frustration, and also a good recipe for getting fired. Or, as in this case, sent to jail.
That's politics, my friend, and any time you have more than two people in a room you get politics. There is no avoiding it. Which is why policies and procedures are worthless. The people who write them can change them any time they choose. They can be enforced selectively or not at all. And you can be accused of not following a procedure, even though you did, because the person interpreting the procedure is the same person who wants to punish you for some other reason.
Seriously, learn from my experience in corporate America. (Which, I am told, is nothing compared to the politics that goes on in public service jobs, and I'm not even talking about politicians.) This is the way the world works. The good news is that you don't have to be an active participant, and in fact taking the passive approach makes your life easier in many ways. But you do have to be aware of it, and Childs was not. Either that or he very badly overestimated his clout with the mayor (it's probably a combination of the two).
Re: (Score:3, Insightful)
"the owners of the equipment are asking for the password to their own gear"
They are not the owners of the equipment, the public is or their representative -- the currently elected jackass of the week. I would guess that's the mayor. Childs called it right. Childs bosses are under the same policy as Childs and don't have the authority to change it without following standardized procedures from their higher ups and letting Childs know about it and acknowledge the change.
Re: (Score:3, Insightful)
Re:If I were taking an IT Admin position... (Score:4, Insightful)
Agree entirely. From what little we've heard, it sounds like there was plenty of opportunity for Childs to avoid this. On several occasions he was asked to divulge the passwords and like a petulant child he just kept saying "No. Want the mayor".
While I don't have any inside knowledge of the case, it seems to me the sensible thing to do would have been to explain to his lawyer the quandary (give the passwords : criminal offence, don't give the passwords : criminal offence) and have the lawyer whip up some sort of agreement whereby the passwords could be handed over and Childs would be let go with no further action. Hell, by all accounts he was offered almost exactly this opportunity by the police - so it's not like it never occurred to anyone.
Re: (Score:3, Insightful)
People were asking for the passwords. People who may even have had the authority to have them. However the only person who Terry was certain legitimately represented the owners that he would be able to identify was the Mayor, to whom he gave the passwords.
How hard is this to understand? I guess very, since it seems Terry has had a difficult time explaining it, or assuming it was obvious.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
"if your boss later tells you to break the rules then you do it."
Is it needed any more to invoke Godwin's law?
Re: (Score:3, Insightful)
> You have a boss who makes the rules, if your boss later tells you to break the rules then you do it.
Except it isn't quite like that.
Whenever I see one of these "Mad Max" style posts, I wonder if these people have ever been employed anywhere.
In all likelihood, your boss doesn't create policy. He enforces it just like you do. He doesn't make the
rules either. He also doesn't get to break them arbitrarily.
Piss off the boss or break the rules? That's certainly a dilemma to show what kind of man you are.
Re: (Score:3, Insightful)
It's really not that complicated... You have a boss who makes the rules, if your boss later tells you to break the rules then you do it.
Or you resign.
Re: (Score:3, Funny)
Ahhh... The Nuremberg defense.
Re: (Score:3, Interesting)
The boss can change the rules the boss makes, within limits imposed by law and corporate policy. There may be rules from higher up that your boss must obey. For example, if corporate policy is that nobody tells anybody else their password, the boss has no right to demand your password.
Now, if you're in a position where your boss demands something that's either illegal or against corporate policy, after you've explained it, you've got a problem. I'd probably ask for the request in writing. That may no
Re: (Score:3, Insightful)
It's really not that complicated... You have a boss who makes the rules
Oh yeah. With your logic, here is a small sample of what can happen and the sweet consequences that follow.
I reckon my examples are a little extreme, but the sheep mentality such as yours causes more troubles than
Re: (Score:3)
Re:If I were taking an IT Admin position... (Score:5, Insightful)
I wouldn't likely get the job, they'd hire someone who wasn't so paranoid
That's crazy -- who wants a system administrator who isn't paranoid?
Re: (Score:2)
Re:If I were taking an IT Admin position... (Score:5, Insightful)
Re:If I were taking an IT Admin position... (Score:5, Insightful)
That's crazy -- who wants a system administrator who isn't paranoid?
I don't want system administrators who are paranoid. I want system administrators who understand what risk is, what the real risks are, and are able to weigh one risk against another. Being paranoid usually entails the inability to weigh risks, since you think "everyone is out to get me". Anyone who can't weigh risks against another is a fool.
Re:If I were taking an IT Admin position... (Score:5, Insightful)
I guess I don't find it funny because I know paranoid system administrators, and they do indeed suck at what they do.
Re: (Score:3, Insightful)
The paranoid ones arent neccisarily good, but the good (security) admins are paranoid.
Re:If I were taking an IT Admin position... (Score:4, Informative)
I understood that they had a set of policies for 'user-level' passwords (which this was not classed as) saying things like 'never diclose your password, even to your boss' and another set of policies for 'system-level' passwords, which these passwords were classed as. The policies for 'system-level' passwords say they must be stored in a centrally managed database: a policy that Childs violated by keeping them in a way only accessible to him. Under your model (assuming the above is correct) you wouldn't be absolved from prosecution in this case, because Childs hadn't followed procedures related to 'system-level' passwords.
It's all rather moot though, there is a systemic problem in any organisation which lets its IT be run in a way where someone can hold it hostage like this. The real lesson here is that institutional incompetence can lead to individual criminal liability.
If you're an IT admin working in the States then it's your geographic (not professional) situation that's putting you at risk of going to jail for something stupid like this.
Re:If I were taking an IT Admin position... (Score:5, Insightful)
If, after you've been fired, you refuse to disclose the passwords necessary for your successor to do your job, then it is no longer something they can simply "fire" you for, (as you no longer work there) so it becomes something you need to take to court, not "theft" in this case, but "denial of service" because his action of refusing to release the passwords denied them access to administer those systems.
Re:If I were taking an IT Admin position... (Score:4, Insightful)
Which is where this gets all goofy; he's already been fired, but he's expected to do *work* for them, in the form of enumerating passwords and associating them with what systems they're for and how to use them and how to get access to the systems in order to use them, etc.? Documentation of that sort could be very lengthy and quite a bit of work to write up.
If he had gone out binge drinking and incapacitated himself for a day after being fired, would this be considered "denial of service?"
If the city wished to be able to have unimpeded access to their network after firing the person who apparently held the only set of electronic master keys to the system, why wasn't it their responsibility to make sure that they had those keys - before firing him?
There are multiple failures on both sides of this issue, but in the end, the city (a large entity that presumably has many lawyers and expertise in dealing with human resources) has punished the employee (an individual who appears to be eccentric but probably harmless, and probably less-than-fully-informed about the legal aspects to it all). When considering the city vs the individual, the city had all the resources, but royally screwed the pooch, and yet it's still the individual left picking up the tab.
His boss should be the one heading to jail.
Re:If I were taking an IT Admin position... (Score:4, Interesting)
If you've never built a large network, it's easy to underestimate what I'm saying. It's not just the passwords, but also how to use them. This isn't like sitting down in front of a Linux box and logging in. It probably includes needing to know the topology of the network, such as "if jonesville router 1a is down, its console is connected to the aux port on jonesville router 1b, but to get to that when the routing protocol has imploded, you might need to first dial in to the out-of-band modem on barton router 2a, ssh over to barton router 1b, then use the link address of jonesville router 1b to ssh to, then connect up to the console port."
As for harm, what actual harm did he actually do? Did he down the entire network? Did he allow criminals access to their network? Take a look at the "harm" claimed and see what portions of it you can actually attribute to him INSTEAD of the city.
His boss can head to jail for the very same reason he is; his boss caused denial of service by failing to guarantee that the city had unimpeded access to the network. What's good for the goose is good for the gander and all that.
Re: (Score:3, Informative)
And when the person replacing him mucked things up, do you think they might not assume he sabotaged things?
Considering the ineptitude the new staff has shown, I can see why he would have been concerned.
Re:If I were taking an IT Admin position... (Score:4, Insightful)
It would absolve me from prosecution unless I violated any of the very specific rules that were listed.
The geek isn't always very good at distinguishing between civil and criminal actions. The question then becomes prosecution by who and under what set of rules.
The computer networks that sustain the city of San Francisco belong to the city of San Francisco. No court can allow them to be held hostage to any single individual. Not the system administrator. Not the mayor. Not anyone.
Really? What if you boss says 'setup that new server' and you say 'Yes sir'. You follow the standard practice of giving it a secure password because it's connected to the internet. Then you say to your boss "We really need a place to document the password". Your boss gives you no reply and immediately sends you out to your next assignment. There's also no formal documentation system in your organization. After a few weeks of being scheduled on assignments non-stop from 8 AM until 5 PM, you get fired. Whose fault is it that your boss doesn't know the password? Should you be required or forced to work for free for a few hours to cough up passwords because of a failing of your boss?
Not trying to be a troll here, but... (Score:4, Insightful)
Re: (Score:3, Informative)
The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password. He complied with that. He is basically being sued into oblivion because he didn't want the secretary, the press, and/or anyone else getting a hold of the password.
Re:Not trying to be a troll here, but... (Score:5, Insightful)
Re:Not trying to be a troll here, but... (Score:4, Informative)
I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.
In my experience (private sector, financial industry) that results in immediate termination of your employment. And that isn't theoretical, I'm aware of two instances at my current company. In both cases they had security guards escort them off the premises.
Re:Not trying to be a troll here, but... (Score:5, Informative)
If the superintendent of a school district says - "Whats the password for root on the server?" You tell them.
No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.
Re:Not trying to be a troll here, but... (Score:5, Insightful)
No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.
I disagree. The decision to put passwords in a safe in the first place is above his pay-grade.
It seems nobody instructed him to do so, so you can't blame him for not following a procedure that didn't exist.
If anything, the blame lies on his superior(s) who failed to adequately implement a "sysadmin gets hit by bus (or fired)" plan.
Re:Not trying to be a troll here, but... (Score:5, Insightful)
Re: (Score:3, Insightful)
"but it was bought and paid for by the City of San Francisco"
Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.
Paid through our tax money, which also means it was paid for through *HIS* tax money.
The "taxpayers' money"... isn't. (Score:5, Insightful)
"but it was bought and paid for by the City of San Francisco"
Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.
Paid through our tax money, which also means it was paid for through *HIS* tax money.
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
So, for instance: yes, your taxes pay the wages of the police. This doesn't mean you get to boss them around.
Your taxes pay for the schools, but that doesn't entitle you to decide the curriculum.
Your taxes pay for government infrastructure, but that doesn't mean you can micro-manage the government.
That's not to say citizens in the US (or anywhere else, for that matter) have no stake in the government or its affairs - but the money paid in taxes has nothing to do with that. We have a stake in our government because the operation of the government affects our lives, in the short term and the long term. Would this stake not still exist even if the government could somehow operate without taxing its citizens? IMO bitching about "the taxpayers' money" is just a cheap way to get the attention of people who would otherwise not care.
Re: (Score:3, Insightful)
The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
You are completely wrong on this point. You are entitled to decide how it is used. How much worse would government be if they could just do whatever the fuck they wanted with tax money with absolutely no opposition whatsoever? Pessimists and/or cynics will say that that is already the case, but even now there are at least *some* people fighting things they disagree with for whatever reason.
You do have a say in how government resources are used because it is your money. Use the boxes - soap box, ballot box,
taxation without representation (Score:3, Informative)
The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.
That's pretty effin' funny, given that this country was founded after a revolution based on the simple concept of being taxed but not receiving representation in exchange.
So, uh, yes- if you're taxed, you damn well do get a stake in deciding how it is used here in the US. Fun fact: in the state where the revolutionary war started (MA), we have "town meetings"- and they're no
Re:Not trying to be a troll here, but... (Score:5, Insightful)
From: http://www.ktvu.com/news/23283217/detail.html [ktvu.com] (emphasis mine).
Childs reportedly had a fractious relationship with some of his coworkers, attorneys on both sides said. He testified at trial that he never intended to harm the network but said that other employees, including his supervisors, were not qualified to have the passwords. Childs claimed he was merely following established industry guidelines for password protection. "You do not ever give up your username and password," Childs said.
That doesn't sound like you make it sound. Industry guidelines are not the same as company/government policy.
:)
To be honest I think the Slashdot community is wrong to defend this guy. He sounds like an ego-maniac driven not by security, but by the sys-admin God complex. However, that's just what I think, and I could be wrong. Sans the full transcript of the trial it's really hard to say what happened. I'd love for groklaw to take a look at it too. They probably need a break from SCO shenanigans.
Re:Not trying to be a troll here, but... (Score:5, Insightful)
Also they weren't asking for HIS username and password, they were asking for THE username and password. There is a difference as any competent sysadmin should know. I won't give up my password to any systems here at work. Policy requires that I do not. However my password is only for my accounts. There are other accounts I have the password for, that are not mine, share accounts. There would be root on the UNIX systems, the local administrator account on the Windows systems, the enable password on the switches, the SA password on the DB server, and so on. There is only one of those accounts (and in the case of things like root, can only be one). It isn't my password on them, it is a password all the IT staff share. That password isn't something I can change to one only I know and refuse to give out, I'd get in trouble for that.
Big, big difference. Had the city said "We want your password to log in to your personal e-mail account and bank account," well ya, I'd be supporting him for saying no. However they wanted the system passwords for various devices and services that have but one master password. If those passwords were the same as his personal password that is bad security practice on his part, however there is still a solution: Change the passwords and give them the new ones (or change the password on your account).
Re:Not trying to be a troll here, but... (Score:4, Informative)
Re:Not trying to be a troll here, but... (Score:5, Informative)
According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.
On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.
Re: (Score:3, Insightful)
Well, no.
The rules made it so he could insist on giving the passwords only to the Mayor and only in a secure situation.
He used that as an excuse.
It's pretty clear from all I've read that he really was holding the city hostage because he was disgruntled at the changing employment situation, and in the process he prevented city personnel from accessing data they needed to do their jobs.
The Jury was sympathetic that the city acted like idiots once it all started, but they were also cognizant that he wasn't com
Re: Initiative (Score:3, Interesting)
I think they took away the "initiative to find a way to get the password to the right person in a secure manner" when they locked him up in jail and left him there. He evidently requested to see the mayor, and when the mayor arrived, gave him the password. Unless that isn't the way it went, I don't really see what else he could have done.
Again though, I haven't read a good article that had significant details in it, just crappy links from /. and short articles that had few details. I want a time line, a cop
Re: Initiative (Score:4, Informative)
Re: Initiative (Score:5, Informative)
Re: Initiative (Score:4, Insightful)
Ummm that was way, way later in the proceedings. Read the news stories about it and BengalsUF's information. It wasn't like the came in to his office one day and arrested him. He was, repeatedly, asked for access and he wouldn't give it. He had created an extremely locked down system that only he could get in to. He refused to give others access, and gave out false passwords to try and throw people off. Finaly yes, it came down to a "You hand it over or we arrest you." He wouldn't so they did.
Re: (Score:2)
I appreciate this as the first well-reasoned, moderate opinion on the situation I've read that's not supporting Childs. If I had mod points I'd use them.
At the same time, we should all appreciate that unless we've gone to great lengths to become informed on the matter, our "everything you've read" (particularly in the newspapers) could easily have been the machinations of an administration which, as you put it, "acted like idiots once it all started" and were more interested in petty office-politics than a
Re: (Score:2)
Well, in my case, everything I've read has been on /. so I've got the opposite problem, I know that my information about the case is probably (wildly) biased in favor of Childs. One the one hand, I really cannot see what crime he was guilty of. On the other hand, prosecutors are not generally as vindictive, and juries not as stupid, as people here like to believe.
Re: (Score:3, Interesting)
I'm perplexed why some people on Slashdot who are so willing to trash the performance of their fellow geeks, rally around one who is charged with a crime.
If we assume this guy is innocent of a crime without knowing the facts, why can't we assume everybody else is competent until it is proven otherwise?
Re: (Score:2)
in the process he prevented city personnel from accessing data they needed to do their jobs.
From everything I've read about the case this simple isn't true. From what I've read at no time were any network services disrupted. It was just that no one could access the equipment to make changes.
Re: (Score:3, Informative)
Re: (Score:2, Informative)
That is what happened to Terry Childs.
Re: (Score:3, Informative)
What Tony should have said is "The passwords are in the secure password repository. Look it up yourself." The problem is that he couldn't say that because it was a lie to. He dug his own hole.
The case is very simple (Score:5, Insightful)
You got an upstart sysadmin who went on a powertrip and thought he was smarter then anyone else and therefor above any laws that only apply to lesser people.
This is not uncommon with people who are highly intelligent but not to well versed in social skills. Not so much nerds but Mensa people. Like that reiserfs guy, thought he could get away with murder because he was smart and the police is dumb, they must be because they ain't him.
Your assessment is 100% right and he had no call to judge the people asking for access to be unsuitable. His opinion simply did not matter at that time. It is like when a cop with a dog tells you to get down on the floor. That is not the time to start an argument. That is the time to get down on the floor and become part of how the justice system works, injustices included and part of the system, sucks to have it happen to you.
If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal, and then do as you are told and get the fuck out of there.
Do not argue with the system, you are not smarter. Do you know how you are not smarter then the system? If you think arguing with the system is a good idea.
Childs is an idiot and yes, idiots go to jail. lets see him argue with Bubba about access to his ass.
Re: (Score:2)
I fail to see what this has to do with upstart.
Re: (Score:2)
thought he was smarter then anyone else and therefor above any laws that only apply to lesser people.
The way I read it, he was following the policy (law) to the letter. Seems like management were the ones who thought they were above any laws.
Like that reiserfs guy, thought he could get away with murder
Because not giving passwords over is exactly like murder.
It is like when a cop with a dog tells you to get down on the floor.
No, a cop with a dog is like a cop with a dog.
If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal,
Agreed.
and then do as you are told
I'd be less inclined to do as I'm told if I had everything documented that way.
and get the fuck out of there.
Oh, definitely -- though jail does make that harder.
Also, you haven't presented any evidence that he wasn't, in fact, smarter than the system. The fact that he fought the system and
Re:The case is very simple (Score:5, Informative)
He was required to store system passwords in a central repository. He violated the policy by failing to do this.
Actually (Score:2)
They just made our jobs easier.
Hey, you want the password? yeah its p@ssw0rd. Tell your friends!
Before you know it, it'll be written into the next Windows shell and you won't even have to enter it anymore. No more managing passwords and user accounts and all the stuff that makes IT frustrating.
[/sarcasm ]
Re: (Score:2)
Re: (Score:2)
Where do you work that DOS is the prefered OS across the entire company?
Re: (Score:2)
Sorry, but this dude had it coming. (Score:2, Interesting)
Justice system did exactly what it was designed to do, rehabilitate criminals and deter others from doing crimes.
Next time, is he going to deny people access who deserve that access because of some ideological nonsense? Doubt it.
Though he probably will never get hired in IT again, not just because he is a felon, but because you google
He did 2 just waiting for court let him out now an (Score:3, Interesting)
He did 2 just waiting for court let him out now and give him the time that he did.
Heading this off--see link to juror (Score:5, Interesting)
The juror has been interviewed some already, and is even on /.
I had many bad assumptions myself. But if the juror is being at all truthful...this guy did some bad things.
@see http://yro.slashdot.org/comments.pl?sid=1633482&cid=32010078
Re:Heading this off--see link to juror (Score:5, Insightful)
As to these configuration backups, Mr. Childs kept these on a DVD he kept with him at all times. Furthermore, this DVD was encrypted and could only be decrypted using his laptop (as the encryption program required not only a password, but access to a specific file that existed on the laptop).
Can these actions be defended as anything other than job security? Unless someone has reason to think that BengalsUF is getting the story wrong, why is there so much popular defense for this guy?
Re: (Score:3, Insightful)
That sure violates the "what if I get hit by a bus / win the lottery" rule.
It's also the point at which it makes Childs a jackass that deserves jail over "just doing my job."
A few minutes of talk and a phone call could have given him sufficient CYA and probably job security to fix what they break. He chose a power trip instead. Let him rot.
No, absolutely not (Score:3, Insightful)
I mean the keeping of a backup with heavy encryption is certainly defensible. After all you might want to make sure you have the configurations in case you are away on vacation and get a panicked "Oh my god we blew up the network!" call. Of course you would want said data heavily encrypted, in case your laptop was stolen.
However when those are the ONLY copy, other than the running config? Hell no, that is a blatant attempt to lock others out. Reliability of the service must always come first. So for one, th
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
"In fact, that's *EXACTLY* how I make backups of my important business files."
Point being that they were not *his* important business files but San Francisco's ones.
Re: (Score:3, Insightful)
maybe was too limiting to really be practical, but I don't necessarily think it equates to a matter of ensuring job security as has been claimed.
there's a simple test for that... If he had suddenly vanished off the face of the earth one day, can the business keep on going without interruption, has he documented all necessary information for someone equally qualified to him to simply step in and maintain what he started.
The answer here is clearly no, there was no way for someone else to get in to administer those systems because he refused to let the password be known to anyone other than himself. That is not the way ANY successful company operates.
T
Re:Heading this off--see link to juror (Score:4, Informative)
If the person mentioned was on the jury, and there is nothing I've read of his to suggest otherwise, I highly recommend reading his recent posts on his slashdot user page: http://slashdot.org/~BengalsUF [slashdot.org]
I learned more in 5 minutes about the case than I have over the past 2 years reading Slashdot and news stories. And, as it turns out, most of what I've read up until today has been embellished or simply was an opinion of someone who knew little about the case.
The sky is not falling. (Score:4, Insightful)
Prosecutors, judges and juries all consider intent. Making a mistake is not the same as malicious action. True, there are times when it's difficult to tell. This isn't one of them.
Re: (Score:2)
Re:The sky is not falling. (Score:5, Insightful)
ugh (Score:5, Insightful)
Setting up and configuring system where they have sole access, locking out the actual owner of the system, arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision and by the way anyone who thinks a network engineer should have the authority to lock whoever he wants out of the system, based entirely on his own discretion, is incompetent), and then refusing to provide system access when he was assigned other responsibilities not dealing with locked system, then repeatedly refusing to provide the information even after being imprisoned? Really? Thousands of IT workers guilty of that?
No kidding (Score:4, Insightful)
Only way I see you being "at risk" is if you are an asshole, or the policies are extremely unclear. In the event of the second case, well then take it upon yourself to get them clarified.
Personally, I'm not worried. Here our policy is that various critical information, including things like root passwords, has to be kept in a safe. My boss is responsible for all that. Also, all our IT staff has the passwords for everything (in theory, there are some I can't remember because I never use them). So, I'm not worried about a situation where I have sole access to a system an am being pressured to divulge the password. They are stored in a location per policy, and the people who can access them are specified by policy. All I need to do is look at the policy and make sure I follow it, and also make sure that should I set up a system that uses a special password for some reason, it gets documented.
Always remember: They aren't your systems, it's not your network. They belong to the organization that you work for. That means said organization gets to decide who gets what access. You can, and should, have input on that policy, but you can't unilaterally declare that you are the only one.
Re: (Score:3, Insightful)
Childs wasn't dragged in just because he refused to give a password, he was convicted because of a series of arrogant and illegal decisions he made over a period of time.
Please be specific. What were these illegal decisions he made over a period of time?
Childs designed the system. He designed it to the people who actually paid for it didn't have ownership of it.
Pure nonsense. Nobody else knew what a password was? Nobody else understood the concept of multiple people having access? Sorry, but this is jus
Not DoS (Score:4, Informative)
Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?
Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.
qual application of justice??? LOL (Score:5, Insightful)
You've got to be kidding. Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime?
What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.
The rules that apply to us DO NOT apply to rich people. Stop believing for one second that they do. Look at some black dude that goes to jail for 3 years for stealing bread vs. the Wall Street banksters that steal billions and get multi-million dollar bonuses.
Marc Rich was convicted of tax evasion, and fled to Switzerland. It took $250,000 in donations to Bill Clinton for him to pardon him on his last day in office.
There is no justice, all there is is how much money you have to spend to grease the wheels of the system.
SF is criminally stupid (Score:4, Insightful)
SF is criminally stupid, that's all there is to it. They've wasted taxpayer money over a case that should never have been brought.
Their own employees and contractors caused a ton of downtime trying to get control of the network. If they'd left things alone there wouldn't have been any downtime.
Not to mention they violated they guy's constitutional rights over something that could have been resolved amicably within 24 to 72 hours.
Instead, they acted like a totalitarian regime and threw the guy in jail to break his will to resist.
It's the people in charge of SF that should be prosecuted not this guy.
Did he act like a damn jerk? You Bettcha! Did the city act like Ioseb Besarionis dze Jughashvili in 1936-1938? Heck yeah!
Anyone in IT should be worried about ending up like this guy if they anger the SF city government in any way, this could be one heck of a bad precedent.
Semper Fi Comrades
Re: (Score:3, Insightful)
Bad Laws? (Score:3, Insightful)
"I know no method to secure the repeal of bad or obnoxious laws so effective as their stringent execution." - Ulysses S. Grant
interview with the netword engineer on the jury (Score:5, Insightful)
The juror lays out the legal issues pretty effectively, and makes a compelling case for conviction on those issues, while also discussing the incompetence of the city's IT department. Apparently he does not believe in jury nullification.
Personaly I disagree with the outcome on the basis that I think the City of San Francisco illegitimately used its combined capabilities as employer, and owner of a court system and police force to escalate a civil employment matter into a criminal case, and then jailed a man for 2 years pre-trial on a laughable pretext. But I appreciate this juror's willingness to discuss the issues.
Before everybody gets their shorts all twisted . . (Score:3, Insightful)
IMO, he got what he deserved, and nobody else has anything to worry about unless they plan on breaking the above rules. (Especially #3)
Re:Before everybody gets their shorts all twisted (Score:5, Insightful)
You're breaking rule #3.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Could I please have your password?
Re:Before everybody gets their shorts all twisted (Score:5, Insightful)
Re:Before everybody gets their shorts all twisted (Score:5, Funny)
Don't worry, you probably won't be hiring anyone until you stop calling yourself shitdrummer.
Re: (Score:3, Insightful)
I'm not in the US, so I can't really talk about US bank security. But there is a difference between customer security and internal security.
I'm dealing with systems that entire banking sectors use to transfer funds between each other. Many billions of dollars passing through these systems daily.
Compare the risk associated with those systems to the risk of a customer losing thousands (even hundreds of thousands) of dollars. Many banks choose to wear the risk of fraud to make customer interaction easier.
Re: (Score:3, Interesting)
Wasn't the mayor his boss? I seem to recall that it has been stated many times that Childs would have given the passwords to the mayor and the mayor only just as he has been told to do. Unless new facts in regards to this have come to light then it is my opinion that he was doing his job.
Re: (Score:3, Informative)
Yes, you are. They are not your property, and never were.
Re: (Score:3, Interesting)
Building keys != sys admin passwords.
Back when I left Boeing, I gave my replacement the passwords (root and others) for all the systems I was responsible for. Plus instructions on changing them as well as revising some configuration settings that directed system maintenance messages to my personal pager. For four years thereafter, I'd continue to get messages for various system events. Inspection of the message headers indicated that they had never disabled my various system accounts from which these messa
Re:Jury Nullification (Score:4, Informative)
That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them
The home town boy, the white bread kid, escaped the noose. The black man was lynched.
That has always been the reality of jury nullification - and the geek - the outsider, the prick, the wierdo - who looks to nullification for his salvation is a a god-damned fool.
Re:The dictionary definition of tragedy (Score:4, Insightful)
Terry Child's crime was being a borderline psychotic control freak, ensuring that no one other than himself had access to any system and that they could not easily recover the system and then refusing to turn over any of the passwords or configuration.
This was not a system designed to resist sustained viscious attack. Apparently the switches all came back up from a power cut without any configuration and he was the only person who knew where the configurations or how to decrypt them. You could guarantee major downtime for the city just by cutting the power and hitting this guy with a crowbar.
Re:Lesson learned. (Score:4, Insightful)
Then - there's no nice way to put this - you are an idiot.
There are established protocols for preventing this situation for coming up in the first place. Well, actually they're there in the event of you getting run over by a bus but they'd work just as well if you got fired.
The established protocol is that the passwords are encrypted and a brief written explanation for how to decrypt them (be it key, file or passphrase) is kept somewhere secure such as a bank deposit box or in a sealed envelope in a safe to which few others have access.
Yes, it does open the organisation to a certain degree of risk. But the risk is substantially lower than setting things up so that if you get run over by a bus, your former employer is totally screwed.