Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M

0WaitState writes "A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"

Take that Terry Childs

[seeker_1us]

We will make an example out of you, who cares about justice?

Re:Take that Terry Childs

[Moryath]

It's probably billing him for the temerity to actually take his case to trial.

You know, exercising his constitutional rights. That's something the "justice" system has to punish at all costs.

Here's some info for you. [fhsulaw.com]
Here's more [slate.com].

Or, to put it in a more sinister way: You get a heavier sentence if you insist on asserting your constitutional rights to a trial, to confront your accusers, to privacy from searches without probable cause, to avoid incriminating yourself, etc.

I thought the exact same thing

[way2trivial]

so I looked myself and found this article
http://sfappeal.com/news/2011/05/sf-network-engineer-convicted-of-witholding-passwords-ordered-to-pay-15-million-restitution.php [sfappeal.com]
"No city services were ever affected, but officials said they could have been crippled if power had somehow been shut off.

A jury convicted Childs in April 2010 of a computer tampering-related charge, and today San Francisco Superior Court Judge Teri Jackson ordered him to pay $1,485,791 in restitution to the Department of Technology,"

he's paying it to the department of technology, not justice.. so... no...

Re:I thought the exact same thing

[hesiod]

he's paying it to the department of technology, not justice

Just because it's not a court-ordered bribe doesn't mean it's definitely not a punishment verdict.

Re:

[clang_jangle]

he's paying it to the department of technology, not justice.. so... no...

Do you have any idea how much money you can burn through in just one day of providing network services to an entire city's government? Wouldn't surprise me in the slightest if the SF Dept of Technology spent that much or more trying to deal with the "rogue admin who absconded with all the data/access". The taxpayers *do* need to be reimbursed for that. This might actually be an example of the system working properly, though I do not kn

Re:

[Predius]

That hardware toggle wouldn't work in this case. The confs weren't saved to nvram. To use that toggle you have to reload first, which would toss the conf as you don't have access to write mem first.

Re:

[speculatrix]

it is possible to make password recovery much harder if not impossible on cisco devices, it is advised against of course in all but the most security paranoid installations where physical access may be a problem.

Re:

[JoeMerchant]

He caused no damage in the "real world," but he tied up the courts and the city's lawyers, and you know, at $500 per billable hour, 1.5M is only 3000 man hours, or 3 lawyers for 6 months, plus expenses.

Essentially, the judge has handed him a bankruptcy sentence - something he may not have been far from anyway.

Re:Take that Terry Childs

[scubamage]

Not really, just a financial ruin sentence. You can't get out of legal penalties by declaring bankruptcy :(

Re:

[nomadic]

Eh, you can't garnish every single penny someone has. He'll have this over his head for the rest of his life but doesn't necessarily mean he'll be homeless.

Re:

[Cwix]

The point is you cant get rid of the judgment with a bankruptcy.

He will be paying that off for the rest of his life. (I haven't paid enough attention to decide if he should or shouldn't be held responsible.)

Re:

[sgt scrub]

It's probably billing him for the temerity to actually take his case to trial.

Exactly! It is for letting the public know just how stupid the people working for the gooberment are. Including himself.

Re:

[Dcnjoe60]

It's probably billing him for the temerity to actually take his case to trial.

You know, exercising his constitutional rights. That's something the "justice" system has to punish at all costs.

Here's some info for you. [fhsulaw.com]
Here's more [slate.com].

Or, to put it in a more sinister way: You get a heavier sentence if you insist on asserting your constitutional rights to a trial, to confront your accusers, to privacy from searches without probable cause, to avoid incriminating yourself, etc.

He had no constitutional right to do what he did. Free speech does not apply in the workplace. Well, it does, you are free to exercise it, but there is nothing that precludes the employer for terminating you for do so. Most employees think they have all of these "rights," but they should quit relying on TV shows. In all states, save Oregon (I think), all employees are at will employees and can be let go for no reason whatsoever. The only "rights" that employees have are those actually outlined by law

Re:Take that Terry Childs

[jimrthy]

Along the same lines, this is why so many innocent people wind up striking plea bargains.

A friend of a friend is currently serving the second year of a one year sentence (!) for a crime he didn't commit. He didn't take it to trial, because the prosecutor threatened him with 10 years, and his lawyer convinced him that it just wasn't worth the risk.

I'm not claiming he's an innocent man. Just that he didn't commit the particular crime he's actually serving time for. It's a "Sleep with the dogs and pick up their fleas" sort of thing.

Re:Take that Terry Childs

[Richard_at_work]

Some of us do and some of us do consider Childs to be guilty. He acted like a prick and suffered for it, but imho he was guilty of what he was found guilty of.

Re:Take that Terry Childs

[Richard_at_work]

How much is a full review of the network, from the bare bones upward, including reflashing all firmware, and checking all servers going to cost in a city wide network?

$1.5m would be cheap for that.

Re:

[Errol backfiring]

Unless you only hire one admin to do it.

Re:

[GooberToo]

Using you're logic, that's something they would be forced to do every time there is admin turnover. That's uninformed to say the least. He was not charged for compromising the network. He simply refused to hand over passwords, to which he was lawfully empowered, because his contract had very specific stipulations. The problem came in that the city attempted (non-legally binding which still kept him liable) to wave those stipulations and he became a dick attempting to hold them to it.

He was convicted and see

Re:

[moronoxyd]

Using you're logic, that's something they would be forced to do every time there is admin turnover.

Quite the opposite: They (may have) had to do it because Childs behaved the way he did.
The way he was acting, they had to make sure there are no more backdoors for him.

If an admin leaves on good terms, gives his superior all the relevant information, keys et. al., then it's most probably not necessary to check the network.

Childs, on the other hand, made sure that he was the only one who could keep the network

Re:

[dr2chase]

This is the same logic that has the TSA harassing people who complain too much about their crotch feel and nudie photos -- because everyone knows, that's how we catch all the terrorists.

Rule #1: be sure to leave your job (apparently) graciously, if you leave any backdoors for later (am)use.

Re:

[jedidiah]

It's really quite bizzare. People don't seem to grasp that standards of this kind can be turned and used against them any time the state decides to. They live in this sort of disconnected fantasy land where actions and consequences only ever happen to "other people" and the stupid things they tolerate or even clamour for can never be used against them. ...almost pathological to go in the DSM-IV.

How much will the morons in administration

[unity100]

... who had had exposed hundreds of LIVE login/passwords to city administration system as 'proof', endangering the public system and the private information of citizens and even more, will pay ?

nothing ? i guessed as much. its all ok if you are a moron at the helm of a company or a public office. no really - i am much more polite and eloquent than what wordage you read here, but, i am at a loss to find any word other than moron for publicly exposing hundreds of live login/passwords in a public court. really. morons.

it appears terry childs was right.

Re:How much will the morons in administration

[fifedrum]

It blows my mind that the guy spent any time at all in jail for this, especially after the city lied about the access (they had access several days before he tuned over the passwords). It's worse when the city again lied, time and time again, in fact, in painting his actions and configurations as nefarious when they're all common practice. The sniffer thing, the modem stuff, the paging issue. Those lies the city told should have been a get out of jail free card for him by painting the city as the scumbags they are.

He did one thing wrong to his bosses, his bosses (via lawyer proxy, I assume) then turn around and lie in court, which is the real crime.

That explains it...

[gman003]

That explains why American culture is so obsessed with vigilante justice - the actual judicial system is fucking retarded .

Re:

[MickyTheIdiot]

it's run by simpletons just like everything else in the U.S. right now...

Re:

[smelch]

Well, also sometimes the only way to get real justice is as a vigilante, and nobody wants to admit that they would go too far with it. Americans tend to view things in absolutes. There is true justice, true good and true evil independent of what society says, thinks or does. If somebody rapes your child it would be true justice to remove that guy's balls and feed them to him, but no court would ever allow that to happen.

Re:That explains it...

[sco08y]

Any actual evidence that Americans are "obsessed" with vigilante justice? I'm trying to recall the last time I heard of any notorious vigilante actions, and I'm drawing a blank. Even when the WBC crowd protested military funerals, the worst anyone did was slash their tires.

Re:

[gman003]

Sure, Americans are too lazy to actually do anything themselves, but that doesn't mean we're not obsessed with fictional vigilantes. Pretty much every superhero comic/movie/game/whatever. Most Westerns. The entire "loose-cannon cop on the edge" genre (Dirty Harry, etc) differs from vigilante justice only on a technicality. And look at the way (certain) Americans look at foreign policy: "Someone needs to do something about $COUNTRY, so we'll do it, even though we've got no justification and no permission for

Re:

[travdaddy]

I'm trying to recall the last time I heard of any notorious vigilante actions, and I'm drawing a blank.

You've never heard of Batman?!?!

Re:

[EvilStein]

"Even when the WBC crowd protested military funerals, the worst anyone did was slash their tires."

That's because the WBC is full of lawyers that love to sue everyone they can. If the WBC was full of non-legal types, they would probably have all been beaten to a retarded pulp by now.

Re:

[SQLGuru]

Just last week. There was the reclaimation of a laptop by a group of vigilantes.....at least that's how it was sensationalized in the headlines.

The actual story was that a guy found his laptop through tracking software. A group went to the bar where it was and asked for it back. The guy who had it let them take it back.

Re:

[nomadic]

What? Someone on SLASHDOT made a completely unsupportable generalization? Impossible.

Restitution more fair than the jail time...

[mseeger]

Terry Childs did some mistakes. I think the restitution for damages is more justified than the criminal punishment he got.

CU, Martin

Re:

[Jeff DeMaagd]

Even the restitution is out of hand, what are the chances that he can ever repay that?

Re:

[Anonymous Coward]

How is it out of hand? It's been reported that the spent $900,000 [computerworld.com] trying to regain control of the network. The amount that he is being asked to pay is not particularly excessive. Would you prefer that $900,000 gets billed to taxpayers?

Re:

[satch89450]

No, I'd rather the $900,000 be billed to the person who approved the expense. Personally. This was a power play, pure and simple. Witness the original article: "If the power had failed, we would have lost the network." BULLSHIT. That's what flash memory in Cisco equipment is for. The network would have come back up, and worked perfectly, if Mr. Childs did the job that a CCIE is expected to do, if Mr. Childs had backup of all configuration information so that flash failures could be fixed quickly (ass

Re:

[mseeger]

None, but this is not the issue of the court. The court has to determine the damage caused and award restitution accordingly.

Queue the dude who was on the jury

[L4t3r4lu5]

I forget a lot of what he said, but one of the points which stuck out for me was that Terry kept the keys / passwords out of the key management system, which was against policy. He kept the Keys to the Kingdom in his head, which is just bad IT policy. He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.

Like I said, a /. poster was on the jury. He'll chip in with better information than anyone else. As for the fine... Well, if he doesn't have that money, he'll default like everyone else would and live off welfare. Shows the system works, eh?

Re:Queue the dude who was on the jury

[Syberz]

Although I do agree that Terry was in the wrong, so was the City for its bad procedures. I just don't think that the wrongness he did is worth 1.5 million dollars.

Guy locks out everyone from the City network after losing his job due to his perceived moral implications: gets a 1.5 million dollar fine.

Guys cause Worldwide economical downturn, massive job loss, massive wealth reduction to the middle and lower classes: get multi-million dollar government jobs.

Wait, what?

Re:Queue the dude who was on the jury

[Americano]

Although I do agree that Terry was in the wrong, so was the City for its bad procedures.

Mr. Childs was in a position to implement better procedures, and in fact, had a professional obligation to improve the bad procedures which you point out. He did not do this. At a bare minimum, he could have simply done this: "Hey boss, since I'm a single point of failure, if I'm ever hit by a bus, here's a sealed envelope with passwords and critical access information for all of the systems I work with. I'll update this once a month, and make sure you receive a new copy. I'll also do the same with $some_guy_who_covers_for_me_when_im_on_vacation, and if you like, a third manager who you deem appropriate." This is cheap and easy to implement, and requires absolutely no "new policies" or politicking. He's simply setting up a failsafe in case he's incapacitated or turfed out - the sort of failsafe any sysadmin should implement ASAP in any new job where they find that they're the only person who knows the appropriate access passwords to critical systems.

He failed to do anything like this, and elected to keep everything in his head. We can only conclude from this that he was just as incompetent as the rest of the people implementing "bad procedures" on behalf of the city, or he was deliberately trying to set up a chokehold on city infrastructure. Either way, I have very little sympathy with him for obstructing access to the systems under the guise of "caring so deeply" about them. If he cared so deeply about the systems, he never would have set himself up as a single point of failure.

Re:

[Anonymous Coward]

He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.

When I was fresh out of school, the first man who hired me turned into a total nightmare of an asshat after about 3 months (not just to me, essentially to all his new hires who were proving themselves to be more capable than himself - apparently, until this point in his life, he had always been the boy genius...) So, being barely 20 years old (read: immature) my response was to encrypt all my backups and create a wipe script for the work I had done, such that a 2 letter command would erase all my work for

Re:Queue the dude who was on the jury

[DrgnDancer]

The problem often comes in determining at what point "marginal and mistreated" ends and "sociopathic desire to hurt anyone who slights me" begins. For every anecdote like yours, there's another about a geek who was simply paranoid or antisocial enough to *feel* victimized by the normal churn of the day. A guy (or girl) who wrote your kill script, or something worse, with the full intention of using it. It's not even hard to imagine such a person (your old boss seems the type). Which is more common? Really hard to say, ask employees and they'll probably say your situation, ask managers, they'll probably say the opposite. Most people can't point to more than a handful of examples of either situation though.

Businesses and governments clearly need to watch out for and prepare for either situation. Ironically, your anecdote shows that at least in the first of your two cases, your company was doing exactly that. Someone did notice your boss' bad behavior and did something about it. Management isn't *always* incompetent or out to get you. In this case their actions both protected the marginalized and mistreated workers, and hopefully avoided a future Terry Childs situation on the form of your obviously immature and potentially dangerous boss.

In the case of Child's himself, there's a significant disconnect as to whether he was a marginalized victim, or a childish asshat lashing out at perceived injustice. To hear him talk sometimes, he was the former. Other times, he seems a lot more like the latter (obviously management thought he was the latter). I'm inclined to believe that, while he probably doesn't deserve the level of punishment he's gotten, his actions were blameworthy.

Re:

[chemicaldave]

You mean this interview [networkworld.com]? Yeah, it has some interesting points. Such as:

• If Terry Childs didn't think his boss's boss wasn't an authorized user, why did he CC him in emails containing user IDs and passwords for the same network?
• If his job is to maintain the network, and he's told he is being reassigned, why would he hand over the network with no way for the city to maintain it?

It seems that Terry Childs made some mistakes, thought he was being fired, and dug himself into a hole.\

IDG News: Going back, what was the one step he could have done to avoid prison? Chilton: If he would have simply said, "I will create you an account and you can go in and you can remove my access if you want." If he had created access for someone else, I think that would have resolved it. If he had not decided to leave and go to Nevada a few days later and withdraw US$10,000 in cash, [Childs did this the day before his arrest, while under police surveillance] I think the police may have let it continue on as an employment issue and not a criminal matter. IDGNS: Do you think Terry Childs deserves another chance? Chilton: Yes I do. He has a lot of knowledge and he has the ability to learn this stuff on his own. I think with what's happened, he's probably not going to get himself hired by an AT&T or a Bank of America, but he could probably do stuff on his own. Because he definitely has the knowledge. IDGNS: Do you think he's a trustworthy person? Chilton: I think for the most part, yes. If he's given clearly defined rules, he could be. I think he's also very stubborn and a little egotistical.

Repay city?

[rackeer]

I just RTFA. It says the money is to
repay the city for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities. City officials had been worried that Childs, who helped set up the network but clashed with his supervisors, might try to sabotage it.
Mind, he already spent 2 years in custody and was convicted to 4 years of jail.

Re:

[Moryath]

If they weren't already testing for vulnerabilities, they're bigger idiots than we thought.

Someone explain why he should, merely for having the temerity to assert his right to a trial, have to pay for something they should already have been doing?

Re:

[bws111]

Gee, I wonder whose job it would have been to test for vulnerabilities? The guy had root access and has already demonstrated he couldn't be trusted, therefore EVERYTHING he touched must be considered suspect. For example, how did they know he didn't install any rootkits which would make normal vulnerability testing invalid?

Not difficult at all

[imamac]

"it is difficult to understand how they came up in $1.5 million in costs" If you read the article..."Prosecutors had sought the money from Terry Childs, a former Department of Technology network engineer, to repay The City for its efforts in trying to regain control over the FiberWAN network and later test it for vulnerabilities."

Re:

[cdrudge]

Shouldn't "testing it for vulnerabilities" be part of their normal operating costs anyways? If my company gets hit by a virus, is part of the economic damages the cost to install antivirus on all the computers?

Re:

[Bill_the_Engineer]

I think they meant testing for any vulnerabilities (eg. backdoors, time bombs) left by Terry Childs. Being system admin, Terry Childs could have left exploits behind that would not be detectable in log files, etc. You'd pretty much would have to manually inspect each configuration, since you couldn't trust the audit software since the checksums being compared could be checksums of configuration files that were already compromised in the previous audit.

Nonsense

[Errol backfiring]

That is part of a job for a sys admin. If they were happy with one admin and no backup, the damage is at most a part of his salary for the amount of time that it would normally have cost him.

Re:

[Raumkraut]

I have no idea how audit and disaster recovery did not pick this up earlier.

I'll give you three guesses as to who was most likely responsible for running those audits...

Oh thank god..

[whois]

At first I thought the citizens were going to have to pay for the cleanup and fixing of all the problems, along with the trial and all that. Now that I know this criminal with no job prospects will be paying the $1.5M I can sleep better at night.

My personal ideas about job integrity end at or a little before the threat of getting arrested so I could argue I don't think what he did was wise (I would've made the guy wanting the passwords put it in writing and then quietly laughed when they broke things), but I don't think the punishment fits the crime at all. Why is there never a middle ground in the justice system between ruining someones life and letting them go free?

And why can't the city just let this one go? They won a long time ago.. back when he was fired, jailed, etc and he surrendered the passwords without the network ever going down.

Re:

[Bill_the_Engineer]

And why can't the city just let this one go? They won a long time ago..

It's not the city's fault that the justice systems moves slowly. Everybody has to wait for their day in court.

You could have easily said "Why didn't the city just force him to pay $1.5 million dollars after his arrest?" Who needs courts?

Re:Oh thank god..

[Myopic]

Why is there never a middle ground in the justice system between ruining someones life and letting them go free?

Just to be clear, there is a middle ground, and the middle ground is used in the vast majority of prosecutions. It's called a plea bargain. Most people charged with crimes are guilty, and most guilt can be demonstrated at trial. So, everyone can save a lot of trouble with a guilty plea, and a negotiated punishment. That's the middle ground.

Some people are guilty and yet won't bargain. In this case, prosecutors will generally take a big sigh and go to trial, demonstrate guilt, and try to get the maximum punishment. That's NOT the middle ground, because the middle ground was already passed by.

There is plenty of room for legitimate criticism of the system, but there are sliding scales in the different dimensions of justice.

Re:Oh thank god..

[Anonymous Coward]

Which is why so many people who are innocent of crimes plead guilty. Often the thought of the "maximum" sentence and the fear that your defense will not pay out are enough to make someone choose guilty. This is generally true for those who can't afford a defense. Prosecutors don't care about innocence or guilt, they will work to scare you into a bargain so they get an easy win. Public defenders don't care much either, a bargain is less work and doesn't look as bad as a loss.

Re:

[jedidiah]

You're joking.

A plea bargain is no "middle ground".

A plea bargain is simply some poor schmuck trying to play the prisoner's dilemma because he knows there's no real justice.

Inflammatory summary, anyone?

[jimicus]

From TFS:

"it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"

Come on, we shouldn't be defending this guy otherwise we're no better than the corrupt politicians that occasionally crop up on /. stories.

We all know he was in charge of much of the city's network infrastructure and that ultimately the city dealt with him and his role rather badly - that's not particularly unusual in the public sector anywhere in the world. What's important is how he reacted to it. From what I've heard, his reaction was to say "Fine, if that's going to be your attitude I'll take the passwords to my network and go home!" like a petulant child. But it wasn't his network to take - and I don't believe the arguments that to hand over access to someone unqualified would have put him in greater trouble than refusal to. Faced with an enemy with so much more resources, the sensible thing to do would be to negotiate a way out of any possible repercussions instead of throwing a tantrum.

Re:Inflammatory summary, anyone?

[SJHillman]

The problem isn't that we're defending him. Most people on Slashdot think he's an idiot and a criminal. The problem is the $1.5 million fine. That's around 20 years of his salary (at a comfortable $75k/yr). It's not a matter of whether or not he's guilty or deserves punishment, it's a matter of letting the punishment fit the crime. That pesky eighth amendment that mentions no excessive fines.

Re:Inflammatory summary, anyone?

[dwandy]

yes, withhold passwords on a network resulting in no measurable loss, get 20yrs of income as fine. Damage and destroy an ecosystem causing loss of animal life and depressing an entire area economically; get fines that amount to about 7~mos [guardian.co.uk] of income. That's called justice.

Re:

[nomadic]

I know you just hired me as your chauffeur to drive your car, but I really don't think you take proper care of it, so I'm just going to take it for myself.

How is Childs being treated unfairly?

[Anonymous Coward]

Certainly the management of San Francisco has some responsibility for what happened.

However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.

The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining contr

Re:

[hesiod]

He had to know that if he fought those in power, they would find a way to take him down.

So, "stop struggling, and take it up the ass like a good little victim" is your approach to government oppression?

(Note that I'm not saying he IS a victim, but that your reasoning there is morally offensive)

Re:

[Skapare]

Mr. Childs demanded no ransom. He demanded the network be kept solidly secure. Management (not sure which parts in particular) has ALL of the responsibility for this. But just like any political aspiring person, they will never, ever, admit to it. And I bet you are one of those types.

There was nothing wrong with the network. Mr. Childs planted no bombs in it. I didn't create any backdoors that were there for any purpose besides proper management. It is entirely unjustified to assume he did anything b

Never give any one admin that much power

[digitaldc]

Lesson learned?

A better punishment would have been to make him perform community service where he has to work for free for a certain number of hours fixing people's networks and eliminating THEIR downtime. That might have been a better solution.

1.5 Million?

[Xacid]

"it is difficult to understand how they came up in $1.5 million in costs"

Asshole tax?

Two entirely separate issues

[goldspider]

"...unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"

What exactly is being insinuated here? That it's the City's fault that Childs decided to commit a crime?

Sorry, pal, it doesn't work that way. Yes, the city has a lot of work to do to clean up its IT policies, but that has no bearing whatsoever on Childs' decision to commit a criminal act.

Re:Two entirely separate issues

[jaymz666]

If he had been hit by a bus and killed the city would have been even more screwed, so yes, the city is partially to blame for not having a backup plan to begin with.

Re:

[Qzukk]

The whole issue could be resolved by him giving the password to someone who he thought was qualified to run the system.

The issue was that he thought he was the only person who was qualified.

A fine example of American justice

[seniorcoder]

Terry Childs was clearly on an excessive one-man power trip. I don't think too many on /. think that deserves jail time though. A firing for unprofessional conduct: sure. A $1.5M fine? This just adds to the farce. I'm sure the head of the IMF will get a fair trial. He has already been convicted (by the media) and is in jail. ... now all we need to do is to get most of Wall Street in jail. They have been tried in the media but not put in jail.

Re:

[catmistake]

If he had just stuck around and worked with his employer to resolve the issue, he likely wouldn't ever have seen the inside of a jail cell.

I think I am missing something... once Childs was fired, he was no longer employed. Under what obligation was he under to continue to work with a former employer to resolve any issue?

what really happened?

[doperative]

Mr. Childs clashed with the new Security Manager [shortinfosec.net] on the subject of authentication and control, which led to poor formal review.

Sorting out fact from fiction in the Terry Childs case [yahoo.com]

nt

[shentino]

He's already been crucified.

They're just casting lots for his robes.

Guilty of not having a competent lawyer

[spectro]

I can't figure out how this guy got convicted. He was an asshole and lacked common sense but 4 years in jail?, 1.5M? talk about "cruel or unusual punishment", 8th amendment anyone?

Are they appealing this case?, why is the EFF not involved?, this is the kind of case they should be looking at. This case sets the scary precedent that admins are criminally liable for the network they maintain.

Say YES to Union

[ub3r n3u7r4l1st]

Another case why we need unionization of IT workers. The National ACM will be a good start of leading the movement.

Re:Guilty of not having a competent lawyer

[spectro]

The punishment for not doing your job or doing it wrong by violating procedures or otherwise is getting fired. He was fired, that's plenty of punishment.

Anything else they are adding on top of it is a violation of his 8th amendment protections, any competent lawyer should get these extra penalties overturned.

Typical IT attitude - makes all of us look bad

[ErichTheRed]

Disclaimer: I'm a systems engineer who spent many years as an admin. I don't do as much daily firefighting as I used to, but I sure have tons of experience in that department.

How many of you (good natured) IT folk looked at the Terry Childs case and said, "Hey, that sounds like X, the total jerk I used to work with!" I know I did... We had a guy like this who (a) did the passive-aggressive thing when asked to take care of something, (b) kept all the secrets in his head so that it would be hard for anyone to

Good luck

[Charliemopps]

I'm sure they'll have a real easy time finding a talented individual to replace him. There's nothing like the threat of imprisonment, humiliation and millions in fines to attract IT staff.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Cost

[erroneus]

He did not care about security other than his own job security. He was one of 'those' types of IT people. You know the ones I mean -- they think "job security" means keeping all the secrets locked away so that only he can fix things when they are broken. Furthermore, they tend to behave as if they own the networks and servers they maintain and they tend to hide their limitations of knowledge and experience from others as well as being unwilling to share what little knowledge they actually have. There might have been a time when that was common enough to be acceptable, but today's business and government leaders see through this.

Good riddance to bad rubbish. "Vendor lock-in" is evil regardless of who practices it.

Re:

[satch89450]

I'd be curious how may CCIE (Cisco Certified Internetwork Engineers) you know. Now, my company helps network engineers around the world win their certifications, so I've had to deal with a lot of both CCIEs and wanna-bes. Also, the CCIE community was very, Very, VERY interested in this whole affair, because -- of the ones I talked with -- they thought that Mr. Childs did the right thing by keeping the keys to the network close to the vest. You may be right, erroneus, that Mr. Childs acted out of selfish

Re:

[erroneus]

No, those people are in the minority now -- I rarely run into those any longer. Sounds like you have been bullied by one of these former victims in the past. Still stings?

Re:Let the guy come here...

[nedlohs]

That scratching sound is onda technology getting added to the "don't use" list all around the world.

Re:

[joaommp]

I was aiming for a "Funny" moderation, but hey, the network he set up kept running even with him away from it...

Re:

[The Moof]

the network he set up kept running even with him away from it

Actually, it wouldn't. It was specifically designed to fail if he wasn't around any *anything* went wrong. The configs all wiped themselves on boot, and he had the only encrypted backups of them. He also was the only person with the admin passwords and refused to relinquish them to anyone.

Re:

[powerlord]

That scratching sound is onda technology getting added to the "don't use" list all around the world.

+1 insightful

Wether he was right or wrong in being the only person with admin access, and wether that was a situation he created, or was thrust upon him, I am APPALLED by the fact that he attempted to hold the system for ransom.

There should be a System Admin "Code of Ethics". The closest is the IEEE "Code of Ethics" [ieee.org], or the ACM "Code of Conduct" [acm.org] if they happen to have joined.

The first is "bite sized", the second is probably more relevant but way more wordy, but how many people even bother joining either?

We

Re:

[JoeMerchant]

Might want to wait seven years before you pay him... until then all his earnings will be garnished.

Re:

[shentino]

Tell me who you are so I can add you to my shitlist.

Guilt by association, isn't it lovely?

Don't take it personally, it just means I don't trust the judgement of someone who would trust an asshole like that.

Re:

[JoeMerchant]

to fine him more money than he will ever make is too much.

Sure, the city already won when they got the passwords, but they wanted to make the point that they can run up the score. It probably makes little to no difference in Terry Childs life whether he was released or fined $1.5M at this point in time, either way he's not going to get more than subsistence pay for the next seven years.

But... just incase there's somebody with more means (read: more to lose) than Terry in the future, they're hoping for a deterrent effect.

I'd like to remind the audience about the e

Re:

[conspirator57]

An IT guy on a power trip acted like a prick and that resulted in serious consequences. Let's see what the slashdot community thinks. ;)

This might as well be a story about getting arrested for living in mom's basement.

he's paying the price for embarrassing the powerful?

Re:

[MBGMorden]

He is paying the price of trying to be a decent sysadmin. Next time he will not try to be the nice guy,

No. He, once his employment was terminated, WAS NO LONGER A SYSTEM ADMINISTRATOR. As much as you might feel like the network and servers are your "baby", you don't own them. You work for the owner. You cannot legally lock them out of it.

As to "next time", trust me - this guy has made himself unemployable in the IT sector for life. The worse anyone has to worry about for a "next time" from him is whether or not he spits on the burgers.

Re:

[stanlyb]

You are missing the point, next time, he, or any other sysadmin, when he faces the termination letter, he/she will follow the law to the letter. Which could mean that he could "forget" to inform you about some tricky passwords, terminals, systems, etc., and when YOUR system crashes, you could blame only YOURSELF, not the already terminated sysadmin that gave you "all the passwords", and who did not try to protect the public. You understand me? The difference between protecting yourself and the public? If no

Re:Perhaps....

[tnk1]

The solution to that is to:

a) have more than one admin with access to passwords
b) not to act like a jerk to the admins you currently have
c) put a firm stop to people who try and take complete control of a system "for its own good"

Make no mistake, the City of SF is responsible for their own issues.

Still, Childs was just plain stupid. He should have:

a) not admitted to having passwords, since he could have easily said that he forgot them since he no longer works there
b) failing that, immediately given any and all passwords up
c) written a letter to the city or a newspaper, if he wanted to complain about the city, like any other citizen, instead of trying to be a martyr.

$1.5m is a little steep, I was leaning more towards a month or two in jail for being a dumbass, which would be time served. It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.

Re:Perhaps....

[suso]

It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.

That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security serious enough, who was that? Oh yeah, the security folk at Boston Logan International.

And how about this guy from last month:

http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/ [geek.com]

I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.

Re:Perhaps....

[powerlord]

Part of the problem is that the level of Security or a System is inverse to its level of Accessibility.

The more people can access systems and the more they can do with them, the less secure they can become.

The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.

I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).

Re:

[Midnight Thunder]

Why is he not simply given jail time? I could understand being charged this amount if he stole something or benefited financially from this, but the only crime he committed was possibly being arrogant and holding the network hostage. If the state wants to punish him, then they should put him behind bars for a few months and possibly get some of the politicians to join him.

Re:

[milkmage]

call it whatever you want, but I believe hismotive for holding the pwd was reasonable: he was protecting the integrity of the system because he was surrounded by incompetence. case in point:

in April, during a fire, emergency system crashed. they couldn't bring it back up because nobody had the password. 50 people lost their apartments.
http://my.firefighternation.com/forum/topics/review-finds-san-franciscos [firefighternation.com]
emergency services responds with: "That's what we have pencils and paper for."
Childs didn't have the sa

Re:Perhaps....

[Americano]

he was surrounded by incompetence

Oh bullshit. He was part of the incompetence . At what point do we admit that Mr. Childs was just as irresponsible for neglecting to create an appropriate backup and contingency plan for outages, disaster recovery, etc. that allowed for someone else to get access to the passwords?

Where I'm sitting, any sysadmin with half a brain knows that a single point of failure is a no-no. Let's not pretend he was some white knight, if there were no adequate plans for password access in place, then he's just as incompetent as his managers were. Only difference is, he was incompetent, and broke the law in the process, by refusing to turn over the password to his management chain when he was reassigned and holding the network he was "protecting" hostage.

Re:

[milkmage]

part of it? how?

he's in fucking jail yet the administrators still can't login to the web?

SPOF? what if he was the only person QUALIFIED to run the system.. ?

http://news.oreilly.com/2008/07/coverage-of-terry-childs.html [oreilly.com]

Re:

[nomadic]

Having an affair isn't a crime. What Childs did, is.