Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M 488
0WaitState writes "A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.' Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up in $1.5 million in costs, unless they're billing Terry Childs for the City's own failure to set up division of responsibility and standby emergency access procedures?"
Queue the dude who was on the jury (Score:5, Interesting)
Like I said, a
Re:Take that Terry Childs (Score:5, Interesting)
It's probably billing him for the temerity to actually take his case to trial.
You know, exercising his constitutional rights. That's something the "justice" system has to punish at all costs.
Here's some info for you. [fhsulaw.com]
Here's more [slate.com].
Or, to put it in a more sinister way: You get a heavier sentence if you insist on asserting your constitutional rights to a trial, to confront your accusers, to privacy from searches without probable cause, to avoid incriminating yourself, etc.
How is Childs being treated unfairly? (Score:2, Interesting)
Certainly the management of San Francisco has some responsibility for what happened.
However, I disagree with the assessment that Terry Childs is without blame, as is implied in the article summary. If I hold hostages and demand ransom but later release the hostages, does that mean I did nothing wrong? While Childs didn't literally take hostages, figuratively that's exactly what he did.
The justification for making Childs pay restitution is that the city of San Francisco attempted other means of gaining control of the systems while Childs refused to cooperate. Those attempts cost some money, and that's money that would otherwise be billed to taxpayers.
Why should I feel that Childs is being treated unfairly? He had to know that if he fought those in power, they would find a way to take him down.
Re:Restitution more fair than the jail time... (Score:2, Interesting)
How is it out of hand? It's been reported that the spent $900,000 [computerworld.com] trying to regain control of the network. The amount that he is being asked to pay is not particularly excessive. Would you prefer that $900,000 gets billed to taxpayers?
A fine example of American justice (Score:5, Interesting)
what really happened? (Score:5, Interesting)
Mr. Childs clashed with the new Security Manager [shortinfosec.net] on the subject of authentication and control, which led to poor formal review.
Sorting out fact from fiction in the Terry Childs case [yahoo.com]
Re:I thought the exact same thing (Score:5, Interesting)
he's paying it to the department of technology, not justice
Just because it's not a court-ordered bribe doesn't mean it's definitely not a punishment verdict.
Re:Queue the dude who was on the jury (Score:2, Interesting)
He also cleaned the backup configs on switches so that any reboots would essentially wipe them clean.
When I was fresh out of school, the first man who hired me turned into a total nightmare of an asshat after about 3 months (not just to me, essentially to all his new hires who were proving themselves to be more capable than himself - apparently, until this point in his life, he had always been the boy genius...) So, being barely 20 years old (read: immature) my response was to encrypt all my backups and create a wipe script for the work I had done, such that a 2 letter command would erase all my work for Sr. Asshat, and only execution of another two letter command plus password would restore it.
It was not a professional or productive reaction, it was a human one, one that was brought out of me by serious injustices, i.e. being jerked around by an idiot in an attempt to make himself feel powerful. I never issued the kill command, in point of fact, Sr. Asshat's boss protected me from him and eventually gave me his job, but not everyone is so lucky.
20 years later, a similar circumstance arose, except in the latter case I had absolutely no desire to hurt the larger organization and would never have created a kill script - even if the junior toad who was tasked with easing me out the door deserved it for the way he handled the situation, half a dozen other people in the organization, and all the potential future beneficiaries of the tech I "productized" over the last year, didn't.
If society continues to depend on people who they marginalize and mistreat, there will be more Terry Childs in the future, and the potential for spectacular damages far in excess of $1.5M of court costs exists.
Re:Take that Terry Childs (Score:5, Interesting)
How much is a full review of the network, from the bare bones upward, including reflashing all firmware, and checking all servers going to cost in a city wide network?
$1.5m would be cheap for that.
Re:Queue the dude who was on the jury (Score:5, Interesting)
The problem often comes in determining at what point "marginal and mistreated" ends and "sociopathic desire to hurt anyone who slights me" begins. For every anecdote like yours, there's another about a geek who was simply paranoid or antisocial enough to *feel* victimized by the normal churn of the day. A guy (or girl) who wrote your kill script, or something worse, with the full intention of using it. It's not even hard to imagine such a person (your old boss seems the type). Which is more common? Really hard to say, ask employees and they'll probably say your situation, ask managers, they'll probably say the opposite. Most people can't point to more than a handful of examples of either situation though.
Businesses and governments clearly need to watch out for and prepare for either situation. Ironically, your anecdote shows that at least in the first of your two cases, your company was doing exactly that. Someone did notice your boss' bad behavior and did something about it. Management isn't *always* incompetent or out to get you. In this case their actions both protected the marginalized and mistreated workers, and hopefully avoided a future Terry Childs situation on the form of your obviously immature and potentially dangerous boss.
In the case of Child's himself, there's a significant disconnect as to whether he was a marginalized victim, or a childish asshat lashing out at perceived injustice. To hear him talk sometimes, he was the former. Other times, he seems a lot more like the latter (obviously management thought he was the latter). I'm inclined to believe that, while he probably doesn't deserve the level of punishment he's gotten, his actions were blameworthy.
Re:How much will the morons in administration (Score:4, Interesting)
He did one thing wrong to his bosses, his bosses (via lawyer proxy, I assume) then turn around and lie in court, which is the real crime.
Re:Take that Terry Childs (Score:4, Interesting)
Along the same lines, this is why so many innocent people wind up striking plea bargains.
A friend of a friend is currently serving the second year of a one year sentence (!) for a crime he didn't commit. He didn't take it to trial, because the prosecutor threatened him with 10 years, and his lawyer convinced him that it just wasn't worth the risk.
I'm not claiming he's an innocent man. Just that he didn't commit the particular crime he's actually serving time for. It's a "Sleep with the dogs and pick up their fleas" sort of thing.
Re:Perhaps.... (Score:4, Interesting)
It annoys me when certain admins feel that they are freedom fighters when operating their boxes, makes them incredibly annoying to work with.
That's ok, you're equally annoying to work with because you don't take security seriously enough. There are some other people that I know of that didn't take security serious enough, who was that? Oh yeah, the security folk at Boston Logan International.
And how about this guy from last month:
http://www.geek.com/articles/news/man-wrongly-accused-of-child-porn-learns-to-password-protect-wifi-the-hard-way-20110426/ [geek.com]
I bet he takes network security a lot more seriously now. Sysadmins that take security seriously are important because most other people aren't, except the malicious hackers.
Re:Perhaps.... (Score:4, Interesting)
Part of the problem is that the level of Security or a System is inverse to its level of Accessibility.
The more people can access systems and the more they can do with them, the less secure they can become.
The trick is finding the balance people are willing to live with (short of unplugging the computer, which makes it REAL secure BTW), and finding ways to mitigate/lessen the threat left by vectors where you find yourself.
I think the real problem is that too many non-security people don't view Computer Security as a serious issue, and too many security people view it as the major issue. This means when they both sit down at a table and try to find the balance point, neither side is happy and both sides feel the other one doesn't understand where they are coming from (which is often true).