Ex-SF Admin Terry Childs Gets 4-Year Sentence
Robert McMillan writes "You remember Terry Childs, right? He was finally sentenced Friday. Childs got four years in prison for refusing to hand over passwords to his bosses. This is a denial of service under California law."
Re:So... (Score:5, Insightful)
What I'm going to be more interested in is the appeal. There's no way that he isn't going to try and appeal, and if as much of it has been glossed over or ignored as it seems to be at this time, he may get the conviction and any financial penalties overturned. As it stands now the city wants to bill him $900k for it.
Sounds pretty fair (Score:5, Insightful)
Especially when you read the story of one of the jurors who has a CCIE (http://www.networkworld.com/news/2010/042910-terry-childs-juror-explains-why.html). This wasn't a case of some PHB demanding access to something he shouldn't have. This was a case of an egomaniac sysadmin trying to make himself irreplaceable by locking everyone else out. When called on this he refused, bluffed, and finally lied.
For me, the lying part is where it clearly went to criminal levels. I suppose some of the other things he did (like store the WAN config only in memory, not saved to flash and keep the only backup on his laptop) could possibly be justified as just being paranoid and poorly educated in actual security practice. However when he gave his supervisors false passwords, lied to them, to me that showed clearly that he knew he was in the wrong. He knew he was supposed to give up the passwords but wouldn't.
Hopefully it'll be a lesson to other sysadmins to consider that at work, the computers are not yours. They don't belong to you. They belong to the organization you work for. Part of that means the organization gets to decide who has access. You can (and should) have input into that, and should make sure it is all documented, but ultimately the systems belong to them and you need to do as they say.
As IT workers, our job is to provide service, not prevent it. We need to do what we can to ensure people can get what they need. It is a service industry, like it or no.
Re:Justice is Served (Score:4, Insightful)
Re:Justice is Served (Score:5, Insightful)
Agreed. America is supposed to be a civilized country. Why would anyone believe that it is appropriate to allow prisoners to be raped by other prisoners?
People joke about this and even seem to hope that it happens. This is disgusting and wrong. We have Enlightened articles about cruel and unusual punishments. Prison is supposed to be a loss of freedom, not a loss of basic human rights.
Re:Sounds pretty fair (Score:3, Insightful)
And then once you've been fired, you must always be available to your company to provide that service?
As IT workers, our job is to provide service, not prevent it. We need to do what we can to ensure people can get what they need. It is a service industry, like it or no.
My responsibilities and duties as an IT worker end the moment I quit or someone fires me. I do not like the precedent this trial sets. Because I am in IT, for some reason I must make myself available weeks or months after the fact to provide passwords. What about basic services that I created? Must I be available to provide those? What about not so basic services? "You are the one who designed the widget software and we do not think your documentation is complete. Come show us how this works or we will throw you in jail."
No, this Childs trial has created a dangerous precedent. The IT worker is held to a standard above that of officers, managers, and other employees. I am very not comfortable with that, and you should not be either.
Properly documented policies... (Score:3, Insightful)
A policy should have been in place that defined who the business owner (management) of the resource was (network in this case). It is the responsibility of management to ensure that they define who has a business need for access (and have it documented), and it's the responsibility of the tech grunt to run the system (or network) for the business owner.
The key point is that as a non-manager type person, if management says jump, get it in writing and jump. Management is ultimately responsible for the system and network to the business. If management has made bad choices or decisions, it's their fault and if the request or actions leading up to the failure are documented, that admin can refer to that.
All organizations should at least have a documented policy of who can have access to resources and that the business owner of the resource can be easily determined. The business owner needs to be someone who is legally responsible to the organization (i.e. an executive, or someone high enough in management).
As a system administrator, you should insist on having this documented just to protect yourself. If you suspect that there are some management decisions that could jeopardize the operation of the system, document it, report it to the business owner and let them make the final decision (with documentation).
In the case of Terry Childs, had this been documented, he would have been able to either say that the person who was requesting the passwords did not have a business need (and would be able to back that statement with documentation), -or- if the person did have authority to have access, he could simply have documented why it was a bad decision, handed the passwords over and walked away from it.
Yes there is a pride element. You've spent years building up a system and making it shine, but unless you are running your own business, you are not the legal owner of that system.
Re:How is it a joke or funny? (Score:5, Insightful)
People joke about what they are scared of.
No but you have to give them access before you go (Score:5, Insightful)
Now ideally this is in the form of someone else having access, or there being a central password store. Read in to the Childs case and indeed there was a place where passwords were supposed to be stored and he didn't do it. However even if that's not the case, you have to relinquish the passwords when you leave. If you are the only one with the root password, you have to hand it over (or change it for them or whatever). Same shit as your keys, when you leave employment, you have to turn in your keys.
You don't have to help them figure anything out, but you are not allowed to lock them out of their own systems. If you cannot see the difference, you are being deliberately blind.
Re:Sounds pretty fair (Score:3, Insightful)
In short, it is good he is out of the profession that many of us dutifully carry out. Four years is a bit much, but he will do less. A year would be good if that's the amount of time he serves. I think it doesn't matter how stupid or unreasonable his bosses may have been. Once they ask for keys/passwords/information, it becomes their responsibility. They wanted to fire him. He only made things worse for himself by making the firing high profile. Can't stop getting fired if that's their intention. He should have been thinking of how all of this might look on his resume. This just proves how short-sighted he is.
It's good for all of us that he's out of the game.
Re:Sounds pretty fair (Score:2, Insightful)
If you are fired or quit, you must hand over the keys to the office, don't you? Even after you are fired. If you refuse to do this, you may well be liable for that.
Re:No but you have to give them access before you (Score:4, Insightful)
Now ideally this is in the form of someone else having access, or there being a central password store. Read in to the Childs case and indeed there was a place where passwords were supposed to be stored and he didn't do it. However even if that's not the case, you have to relinquish the passwords when you leave. If you are the only one with the root password, you have to hand it over (or change it for them or whatever). Same shit as your keys, when you leave employment, you have to turn in your keys.
You don't have to help them figure anything out, but you are not allowed to lock them out of their own systems. If you cannot see the difference, you are being deliberately blind.
You and I may see the difference, but can your luddite boss and his luddite lawyer? You might think that laws and court rulings are based on responsible understandings of the facts, but then you would be wrong.
Re:Justice is Served (Score:5, Insightful)
Making jokes the way Americans do about "pound me in the ass prison" indirectly condones the fact that such a prison system exists. Heck, how many tv shows have a cop quickly whispering into the ear of the just arrested (and hence not convicted eg innocent) perp about what's going to happen to him in jail?
Re:Sounds pretty fair (Score:5, Insightful)
Correct (Score:3, Insightful)
If things aren't well documented at your work, push to get them documented. This is better for everyone involved. Have it clearly spelled out who can have access to what and under what circumstances.
For example where I work, the policy is that all shared passwords have to be kept in a safe that my boss has. Under normal circumstances, he is the only one with access. I don't know the circumstances that someone higher up can get access, since that really isn't my problem. However it is all well laid out. So long as my boss keeps the passwords there, he's in the clear.
So if you are in a situation where you are one of the few, or the only person, with access to something critical, make sure it is done right. Check and see if there is a policy and if so follow it. If not, work to have one created. It'll keep you in the clear and make everything much easier. You then don't have to ponder "Should this person get access," you have a policy that states it.
Well (Score:2, Insightful)
The cost of bad policy (Score:3, Insightful)
Re:Technology / Hacking Laws (Score:4, Insightful)
I know this sounds very arrogant, but I would love to see trials change so you're actually judged by your peers instead of members of the public, so for example doctors by doctors, network admin by other network admin, and such. That way you can get a bunch of people who know how far this person has stepped out of line.
Wouldn't that create the situation where professional communities could just decide for themselves what the law was?
BP's CEO has broken pollution laws? Not according to a jury of oil company CEOs!
People are missing the point (Score:5, Insightful)
It isn't about PASSWORDS it is about ACCESS. He had sole access to some systems, including some very critical ones. He wouldn't turn over access. In some cases, this would have meant creating accounts for other people. In other cases, this would have meant handing over the password. Remember that some things like root or enable have only one password.
So the issue wasn't that he wouldn't give up his own personal password, the issue was that he was denying the rightful owners of the systems (the city) access to those systems.
Also please note this all started way before he got canned.
Re:Easy Time, Future Jobs (Score:3, Insightful)
They still ruined a man's life.. over a password.
No, they ruined his life over criminal interference. Read the court records.
Did he steal or destroy anything of value? Was anyone's life put in danger? Did he HARM anything at all but the ego of some of his asshole bosses?
His action directly resulted in over $200,000 in lost money. That money was spent cleaning up the problems he caused through purposeful effort on his part. Do you think that money has no value? If he'd done $200,000 dollars of damage by attacking the server room with a crowbar, would that have made it different? It doesn't matter that he didn't endanger anyone's life. Someone who forges a check and steals your bank account doesn't threaten your health.
Way to go America. Just as bad as any 3rd world shithole dictatorship. But with a better PR department and a McDonald's on every corner. And we don't kill you directly. We just ruin your life and put you with people who will kill you.
Oh, boo hoo. Maybe if he'd avoided breaking the law and doing nearly a quarter million dollars in damage he'd have avoided going to jail. The court records plainly show that he did this in an effort to keep everyone else, including his bosses, out of the systems, and that's not his place any more than he had the right to install locks on the doors and not let anyone into the building. If he didn't do it on purpose to make himself irreplaceable, then he'd have to be astonishingly bad at his job.
Makes me glad, Yet again. I got the fuck out of IT. When things work right you get no rewards. When things go wrong you get all the blame.
I have to say, based on this comment, that I'm glad you got out of IT as well.
Virg
Re:Technology / Hacking Laws (Score:2, Insightful)
You haven't thought this idea through very far. Politicians judged by fellow politicians, gang members judged by fellow gang members, need I go on?
Re:Well as it happens (Score:1, Insightful)
He was a stupid juror. He failed to use his experience to consider whether it was the right, or appropriate, or professional thing to do. He followed the judge's instruction that they were only to consider the law as written (which is not the case, and defeats the whole object of juries), and voted 'guilty'. Says it in the rather self-important spiel he wrote a few days later.
You can shout 'he wasn't stupid, he had a CCIE', but the fact is that he didn't think like a responsible juror and ignore the judge's instruction to not think like a responsible sysadmin. (I make no comment on what a responsible sysadmin ought to conclude about the situation, merely that the juror in question specifically didn't consider the situation in that light, despite being qualified to do so.)
Re:Justice is Served (Score:5, Insightful)
On the other hand, I rather doubt that refraining from making the jokes would lead to imminent abolition or reform of those institutions.
Re:Justice is Served (Score:5, Insightful)
America may be civilized in the broadest sense of the term, but it is anything but civil. When you have a "civilization" where keeping people imprisoned is a $40 billion a year industry, and prison wardens allowing criminal activity inside their institutions as a cost-effective means of self-policing, you're going to have people getting raped and you're going to have people coming out of prison much worse off than when they went in.
"Turned Out" is an interesting and disturbing documentary about the dynamic of prison sex and rape http://www.youtube.com/watch?v=M4_uvvcaDqw [youtube.com]
Re:Technology / Hacking Laws (Score:5, Insightful)
You can very easily get more time in jail for, what most would consider a prank, than for rape or other violent crimes.
His actions ended up costing his employer a big pile of money. This wasn't a prank, it was a purposeful lockout to make himself indispensable.
I know this sounds very arrogant, but I would love to see trials change so you're actually judged by your peers instead of members of the public, so for example doctors by doctors, network admin by other network admin, and such.
There was a network admin with a CCIE on the jury. He got exactly what you wanted for him.
Just for clarity, what Terry Childs did was wrong - but he certainly didn't deserve jail. Even if he did deserve jail he already spent a year inside before the trial (for some ungodly reason) and that was more than enough time served for this. The only reason they kept pushing this is to avoid the huge lawsuit if they failed to get a sentence longer than the time he already spent inside.
It makes for a nice conspiracy, but the reason stated for holding him in jail (well, for applying for a very high bail so he'd have to stay in jail) is because he was a flight risk. He had already tried to flee the jurisdiction and at the time, he was suspected of having backdoor access points into the network. They were afraid that if he got out, he'd split and then attack the system remotely. Based on the case information (and the first attempt to flee) I'd say they were reasonably justified in holding him.
Virg
Re:Justice is Served (Score:5, Insightful)
This.
The people who really ought to be having a miserable time in prison get a free pass to carry on tormenting and hurting other people for their own amusement. Other people who have nowhere to escape and nobody to turn to for help.
Re:Justice is Served (Score:3, Insightful)
The problem isn't the joke, the joke is fine. The problem is that it's really going to happen, that we all know it and that we do nothing about it.
That is because you are wrong (Score:5, Insightful)
1) gave back all physical objects the firm loaned to you within the execution of your work (laptop, cars, etc...)
2) gave back all access keys in your possession (be it physical, RSA keys, or electronics)
3) gave back all financial access you had to (firm credit card for example), and I may pass a few others.
If you do not think so, you are a "Terry Childs in waiting", as in, you risk prison if you think you can skimp on your responsibility. Being fired doesn't mean you can keep stuff from the firm, be it unique key knowledge (like passwords), or physical items.
It's actually pretty dumb to think so. About as dumb as somebody keeping a laptop at home after being fired.
Re:So... (Score:2, Insightful)
Why should he be let off? According to the article, "Childs repeatedly refused to hand over administrative passwords to his managers because he was concerned that the passwords would be indiscriminately shared with management and third-party contractors, thereby jeopardizing the security of the network"
That's basically theft of somebody else's property. For example I can't work at a diamond store, lock up the diamonds in a safe, and then throw away the key so that the store owner can't get to his own property. Neither should a sysadmin be able to lock up computers and deny access to the owner.
And even if Childs was correct, that the passwords would be leaked to others and compromise security, so what? It's the city's computers and if they want to screw it up, then so be it. It's their property to use or abuse as they see fit.
Re:Well as it happens (Score:5, Insightful)
The point of a jury isn't to selectively apply laws. It is to determine whether the evidence indicates that the law was broken, with intent, and without any mitigating circumstances.
Childs locked down systems without documenting the changes. He did not take any steps to ensure continuous service in his absence. He put extra effort towards implementing systems that others couldn't access. He broke the law.
He refused to turn over passwords when leaving. When asked, he lied. That strongly indicates intent.
There has been no mention of blackmail or extortion. Nothing has indicated a legally-relevant level of insanity. He was not tragically injured just moments before handing over the passwords. There were no mitigating circumstances.
Childs is pretty clearly guilty. The fact that he's in IT is irrelevant.
Re:Justice is Served (Score:3, Insightful)
Correct, but you're supposed to keep all of the others. Also, you're not supposed to have them in a manner which is entirely notional because you don't have the means to force the issue (see restricting prisoners' access to the courts).
Re:Sounds pretty fair (Score:3, Insightful)
Re:Sounds pretty fair (Score:3, Insightful)
All you people are insane.
It's one thing to argue what he should or shouldn't do.
But you do realize that if you had the key to a building, and were fired, and refused to hand those keys over, you wouldn't be going to prison, right?
Hell, you wouldn't be going to prison if you failed to turn over actual valuable stuff. If the company says 'You must return our laptop', and you say 'No, I mustn't, our agreement says otherwise.', you don't end up in prison, you end up in court where you can debate it.
You'll get sued, and you might even spend a day or two in jail for contempt of court after a court ordered you to turn something over and you refused to do so. Which would be at the end of a long civil lawsuit, and isn't vaguely what happened here, and the courts wouldn't keep you after you turned them over.
And you would not be charged with a crime and convicted of it!
It's one thing to say 'He shouldn't do X', it's another thing to assert it's an actual criminal act.
Same with whether or not he had a 'contract'. In this country, if I have a contract that says I will turn over passwords, and I don't do so, I have not broken any laws. I'm in breach of contract, and could possibly be sued, but have not broken any laws. I don't know where the fuck you people live, but here in the US we don't throw people in prison for contractual breaches. Even contractual breaches with government agencies.
Justice? (Score:4, Insightful)
I am very critical of Terry Childs' actions and think that those can at least be interpreted as a criminal act. But 4 years for such a bagatelle case? What do you do with a real criminal? There was a lot of incompetence on the city side walking around which enabled such a situation. I think he was afraid of losing his job and overstepped his legal options. But what do you do with someone who does this to steal money or with the intent to cause damage? Shoot him?
People who drive under the influence of alcohol and kill someone get away with less.
I think the punishment is out of proportion.
CU, Martin
Re:Sounds pretty fair (Score:5, Insightful)
My responsibilities and duties as an IT worker end the moment I quit or someone fires me. Because I am in IT, for some reason I must make myself available weeks or months after the fact to provide passwords.
Some here may remember the old Jerry Lewis comedy Don't Give Up the Ship. [imdb.com] (1959)
Lewis was the last to command a destroyer-escort on its way to join the mothball fleet - and mislaid it somewhere along the way.
Now the Navy wants it back - or restitution, paid in full.
The gag was familiar to any veteran of that era and it carries more than a grain of truth.
You aren't being paid the big bucks because you work harder than the kid on the loading dock. You are being paid the big bucks because someone believed you were both technically competent and responsible.
You do not build a puzzle box for your employers to decipher after you are gone.
Passwords are accessible in emergencies. They are surrendered before you exit the main gate. These things are basic.
The IT worker is held to a standard above that of officers, managers, and other employees.
It's not a different standard at all.
Re:Justice is Served (Score:3, Insightful)
Here's an interesting deconstruction [freetalklive.com] of the idea:
Re:Unfuckingbelievable. (Score:1, Insightful)
He may not have used the best judgment politically in dealing with this, and yes - people have pointed out the need for proper documentation, which I completely agree with, but ultimately he was just doing his job too well..
Really? You thought he did his job well? Look at it this way: he deliberately reconfigured the network so that he would be a single point of failure, and that his authority was needed to do anything significant. It looks very much like he did this so that he could make himself "unsackable" by extorting his employer when they tried to replace/transfer him (which they eventually did).
He refused to hand over the passwords (and hence control over the network), which caused massive problems. There would have been even larger problems if he had fallen under a bus or contracted Ebola, neither of which you can blame on "political games". Deliberately building a large network with a SPOF so you can use it as leverage over your employer is just about the least professional thing you can do, and yes he deserves to lose his CCIE.
Being a professional is (supposedly) about caring about things other than personal self interest. CPAs are not supposed to help people launder money or cheat on their taxes even if it would benefit the CPA. Engineers are supposed to blow the whistle on potentially dangerous constructions even if it costs them their job. Neither profession actually does this very well or consistently, but it is at least acknowledged as a duty. That's why sysadmin is not really currently a profession.
US Prisons (Score:5, Insightful)
Prisoners rape each other, commit assault against one another and occasionally murder each other. Extortion is even more prevalent than rape in US prisons, because it is also present in minimum and medium security prisons. You can scream and shout about how all of this violates human rights all you want. And claim that we are turning a blind eye to a problem. But it is simple really, we do not have the capacity to imprison and monitor so many people. We've overloaded our prisons and understaffed them. We've lost control over our prison population and at this stage we're just trying to keep them from escaping or murdering each other too often, with only limited success.
If you have to go to an American prison you'll just have to get used to violence, and tolerate things like rape to survive (although it is quite rare in a minimum security prison). Pretend you're taking a vacation to some lawless country.
Re:US Prisons (Score:3, Insightful)
Re:Justice is Served (Score:3, Insightful)
The answer to your question is that most people don't believe that prison rape is appropriate. Nor is it sanctioned under our law. It is a crime in every state, but where you have a concentration of criminals, you have a concentration of crime. Prison rape is not inevitable (except in movies). "Only" about 2% of prisoners in the US are raped.
That rate climbs over 10% when you are talking about juvenile prisoners -- boys -- who are incarcerated with adults. This is about the same rate of sexual assault perpetrated at juvenile detention facilities by staff (12%), but in adult prisons involves a much higher chance of HIV transmission. The rate in juvenile facilities also includes coercive but less violent abuse (e.g. threatening to extend the prisoner's sentence if he does not engage in sex acts). In any case Mr. Childs is unlikely to be raped in prison given his age and the type of facility he will likely be in.
I should point out that the prison rape figures are still alarming, especially serious given the extraordinarily high rates of incarceration we have in the US, especially of children. About 3/4 of a percent of the US population is in prison, by far the highest rate in the world.
I bring the juvenile issue up because surely this is a litmus test of barbarism. Proponents of more frequent and longer prison sentences often advocate trying juveniles in adult courts. However they do not (saving anonymous Internet fruitcakes) argue that sexual assault of child offenders is something that ought to be sanctioned. I have certainly met a few rare individuals who believe that rape is part of the "cure", but I don't think many law and order advocates endorse this view -- at least not in public. I'd say that their attitude to this problem is more one of indifference. All things being equal most would rather it didn't happen, but they consider it a tolerable problem if apart from that public safety and justice for victims are promoted.
The argument advocates typically make is that the public good is served by removing criminals from society. In the case of transferring youth to adult prisons, it is also asserted that they will receive longer sentences, keeping them off the street longer, and that the harsher conditions in adult prisons will "scare them straight". There is intuitive appeal in these positions, but they are not confirmed by studies of states where juvenile "transfer" laws have been passed. Juvenile crime rates have not dropped relative to states not having such laws, so it is probable that not enough youths are removed from the streets to make a difference. While sentences in the adult system are indeed longer, time actually served is not, and when released youths who have spent time in adult prisons actually re-offend at a higher rate. However, even where it can be shown that juvenile transfer laws don't keep young offenders off the street longer, expose them to prison rape, and discharge them with higher rates of recidivism and sometimes HIV, I would not expect such laws to be repealed. People want these laws to work.
This brings me back to the question of why the problem of prison rape is so much larger in the US than the rest of the civilized world. The appalling things that happen in US prisons (particularly to young people) aren't a sign of intentional barbarism in US laws. Nor are they a sign of the barbarism of Americans as a whole, although we certainly have our share of law abiding citizens who are depraved enough to enjoy the prospect of prisoners being raped (some states more than their share).
These abominations are the result of a culture that values problem solving, even in the case of problems that are unsolvable. When we are faced with a problem that must be managed rather than solved, we still look for a solution. If a rationally defensible solution evades us, we look for a dramatic action to take. In such cases a harsh action seems plausible to us, even if it costs a tremendous amount of money (as our huge prison systems do).
T
Re:Sounds pretty fair (Score:3, Insightful)
Except there are denial of service laws that are being violated here.
Which the jury found, but if you read what some members of the jury have written about the process of making that finding they themselves felt that it was a stretch. A stretch they were prepared to make, apparently, but not one I would have been comfortable with myself given the text of the laws and the context in which they were written.
Re:Sounds pretty fair (Score:3, Insightful)
You'll get sued, and you might even spend a day or two in jail for contempt of court after a court ordered you to turn something over and you refused to do so.
No.
You'll remain in the county lock-up until you turn over the keys or until hell freezes over.
Whichever comes first.
[For H. Beatty Chadwick, it was fourteen years]
But you do realize that if you had the key to a building, and were fired, and refused to hand those keys over, you wouldn't be going to prison, right?
Wrong.
Consider how "Obstruction of Justice" is defined in the federal system:
"Obstruction of justice is the frustration of governmental purposes by violence, corruption, destruction of evidence, or deceit. It is a federal crime. In fact, it is several crimes. Obstruction prosecutions regularly involve charges under several statutory provisions. Federal obstruction of justice laws are legion; too many for even passing reference to all of them in a single report." Obstruction of Justice: An Abridged Overview of Related Federal Criminal Laws [fas.org]
Interfering with government operations is broadly criminal.
I'm betting that if you hold the keys to a Catholic hospital - or to the server rooms within a Catholic hospital - you would also be looking at criminal charges.
The stakes are simply too high.
Re:US Prisons (Score:3, Insightful)