Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Terry Childs Case Puts All Admins In Danger

kdawson posted more than 5 years ago | from the if-they-want-to-get-you dept.

The Courts 498

snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"

cancel ×

498 comments

Too bad "being an asshole" is not a crime (4, Funny)

winkydink (650484) | more than 5 years ago | (#26977821)

On second thought, I'd be in for a long stint.

Never mind.

Obligatory KITH link. (3, Funny)

ebbomega (410207) | more than 5 years ago | (#26977875)

This is a classic [youtube.com]

KDAWSON needs to have a HOT LUNCH (1, Troll)

TrisexualPuppy (976893) | more than 5 years ago | (#26978349)

KDAWSON, have you ever considered this? Eat it [urbandictionary.com] for the rest of us. We just *lovie dubbie* all of your HAYNUS news stories, LoL!

Re:Too bad "being an asshole" is not a crime (5, Insightful)

mabhatter654 (561290) | more than 5 years ago | (#26978005)

that's the point really. His keeping the passwords is really no different than a VP keeping a laptop or company automobile. There are several civil steps that need to be gone through before "keeping" something you were previously entitled to have and protect becomes "criminal".
Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it. In the same way the new manager saw a "rogue" employee that was cut off, isolated, and anti-social and first tried to illegally fire him. When that didn't work, then he started harassing about the passwords and created a situation with the prosecutor to get the passwords or throw the guy in jail... a leap of about 6 other legal processes.

Like has been said before.. modems and back doors in your office or home office (if expected to work from home/call in) are quite common for admins. VPN access to servers for when they crash is common. Those don't really figure into the "criminal" part because they didn't ASK if he had them and didn't ASK him to return them... packing his cardboard box on the way out the door is not formally "asking". As far as wiping the configs, that was paranoid overkill, but considering how often city office property gets stolen, wiping the config keeps thieves from getting the network settings to the whole thing which is more valuable than any one office of downtime due to power failure.

"keys to the kingdom" passwords are quite common.. I'm the only person at my 1000 person company with ALL of a certain server's passwords plus some network ones. There's a small number of people I would release those to... if I was pre-accused of malicious intention before I even left I'd probably handle the transaction thru a lawyer.

Like he predicted, when the city hired consultants (again not thru a legal means, just some random company to "fix it") and they started breaking stuff they didn't understand isn't his problem... Remember he was accused of "damages" even though the manager had no cause to make that ... they only poor performance he demonstrated was being disgruntled. Assuming he was doing damage and calling the cops is bordering on criminal filing a false report.

The proper course of action would have been for the DA to sue him in small claims court for the password. Make a valid case and allow him his grievance before a judge, then honor the ruling. Then a judge would have thrown him in jail until he talked for contempt... there's no time limit on contempt, so no need to file other charges! Frankly they're not a good lawyer if they didn't think of the simplest legal thing first.

Re:Too bad "being an asshole" is not a crime (0)

Anonymous Coward | more than 5 years ago | (#26978045)

hear, hear

Re:Too bad "being an asshole" is not a crime (3, Interesting)

Anonymous Coward | more than 5 years ago | (#26978163)

Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.

Re:Too bad "being an asshole" is not a crime (0)

Anonymous Coward | more than 5 years ago | (#26978193)

Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it.

Ummm, no. You don't need the cops, it's your car. Take your key and go get it (or hire a repo man). There are no squatter's laws for cars. The car has a registered owner. Setting aside the registered owner requires a judgment, but until then, you win by default.

The proper course of action would have been for the DA to sue him in small claims court for the password. Make a valid case and allow him his grievance before a judge, then honor the ruling.

Here's a hint: district attorneys do not sue in small claims court - they see in grown up court. Further, small claims courts can only award monetary damages - they can't compel action.

Re:Too bad "being an asshole" is not a crime (2, Interesting)

larry bagina (561269) | more than 5 years ago | (#26978237)

it's called a bailment [wikipedia.org] . Look into it.

Re:Too bad "being an asshole" is not a crime (4, Insightful)

zappepcs (820751) | more than 5 years ago | (#26978271)

Here is the deal as I see it. He's an admin with a bit of an attitude, yet he did his job well apparently. Everytime that I'm asked to do inane bs at work, I turn it into a paperwork exercise. That is to say that I am happy to paper the office of whichever vp wants reports and to be in charge. Soon, they ask me to 'just take care of it' as I see fit. Either you want a competent admin or you don't. Once you get one, you have to trust them and work with them, even if there are conflicts of personality. This is simply because you as a vp or cxo cannot replace that person. You are forced to work with them... deal with it.

Positional authority is a powerful thing. If you as a cxo are afraid to give it to someone, get some certs... or perhaps learn to delegate and deal with that.

The fact that this made the level it did in courts is indicative of the fact that management is not willing to give away any power to anyone. In much of this situation, they had no need for what they ask for, and should not have had it.

In the cold light of day, if they gave him that much control, they got what they deserve. When you give someone that much power/authority, you must be nice to them. This is a situation that repeats itself across the globe without end. This particular one just happened to make the news because Terry has big balls.

No matter what happens, this is a simple case of bad management. period.

Re:Too bad "being an asshole" is not a crime (1)

TubeSteak (669689) | more than 5 years ago | (#26978325)

The proper course of action would have been for the DA to sue him in small claims court for the password.

Small Claims Court is for... small claims.
Usually anything less than $5,000 in value.

Are you going to argue that those passwords were worth less than $5,000?

Re:Too bad "being an asshole" is not a crime (1)

jamstar7 (694492) | more than 5 years ago | (#26978433)

Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it.

If the title & registration of the car is in your name, yeah, they will just let you go take it. It's proveably your property.

Free Terry Childs! (1)

zobier (585066) | more than 5 years ago | (#26978071)

Free Terry Childs!

Re:Free Terry Childs! (2, Funny)

Amazing Quantum Man (458715) | more than 5 years ago | (#26978263)

Free Terry Childs with purchase!

Re:Free Terry Childs! (2, Funny)

liquidsin (398151) | more than 5 years ago | (#26978347)

*Free Terry Childs must be of equal or lesser value to that of purchased Terry Childs. Must be a California resident to claim prize. Valid only while supplies last.

Re:Free Terry Childs! (1)

PiSkyHi (1049584) | more than 5 years ago | (#26978375)

Buy 2, get 1!

Re:Free Terry Childs! (0)

Anonymous Coward | more than 5 years ago | (#26978451)

2in1 ... lulz

Slacker!!(insert severe sarcasm here-It's a joke!) (1)

rts008 (812749) | more than 5 years ago | (#26978137)

Then you will never truly achieve 'BOFH' status, Grasshopper.

Open your mind, and the lusers files! It can be beau coup fun!

Transcend your permissions, and make backups of your PHB's pR0n folder-blackmail can be sooo fun!

Become One with the database, there is more exploitable info there than you have time to exploit!

Achieve One-ness with the Network, and your C*O's password-the benefits can be multi-million$'s if played right

Go forth in the world, and achieve greatness! Be Bold!, Be Brutal!, Be Unforgiving(log everything), and Exploit it!....It is the American(USA) Way[tm].

When modems are illegal... (5, Funny)

MrEricSir (398214) | more than 5 years ago | (#26977839)

Thankfully I'm stealing my neighbor's wifi, so I don't have to worry about being caught with a modem.

Re:When modems are illegal... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26977925)

Whoops! Looks like you forgot that you have to modulate and demodulate signals to connect to a wireless network!

the admin's response (4, Insightful)

commodoresloat (172735) | more than 5 years ago | (#26977843)

'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"

It still beats having to wear a suit to work.

Re:the admin's response (1)

mc1138 (718275) | more than 5 years ago | (#26977913)

I'd wear shackles over a tie any day!

Re:the admin's response (1, Funny)

Anonymous Coward | more than 5 years ago | (#26977961)

That's what she said!

Re:the admin's response (0)

Anonymous Coward | more than 5 years ago | (#26978069)

How about "wearing" a broom handle that your cellmate thinks is really cute as a handle?

Ouch. (0)

Anonymous Coward | more than 5 years ago | (#26977857)

.....(refusal to give up the passwords) actually prevented the disruption of normal network operation. >>

The truth hurts.

Re:Ouch. (1)

mabhatter654 (561290) | more than 5 years ago | (#26978027)

no, it didn't. The manager hired contractors to try to prove Childs was causing "harm". They couldn't crack the password, and when they unplugged the routers the settings were wiped and needed to be uploaded. They didn't have those either. The manager CHOOSE to break 2-3 offices and make the problem worse. That wouldn't hold up on Judge Judy, let alone actual court.

Re:Ouch. (1)

LittleRunningGag (1124519) | more than 5 years ago | (#26978133)

Is it common for router startup configs to be left blank like that?

Re:Ouch. (5, Informative)

doctorcisco (815096) | more than 5 years ago | (#26978397)

No. Wrong. Incorrect.

He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.

HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.

Sigh.

doctorcisco

This seems hard to swallow (2, Interesting)

Crashspeeder (1468723) | more than 5 years ago | (#26977863)

First, this story sounds very one-sided and has quite a bit of sensationalism. Ok, a lot. I'm sure they can charge him with something to the effect of unauthorized access to a government computer system. Nobody's going to be pointing out modems as tools of a crime. That's like saying having a car means you're a bankrobber because bankrobbers use getaway cars.

Re:This seems hard to swallow (2, Interesting)

Dun Malg (230075) | more than 5 years ago | (#26977965)

I'm sure they can charge him with something to the effect of unauthorized access to a government computer system.

You're sure? How can they charge him with unauthorized access when his only action was to not give them passwords? The passwords were set when he was still employed, and had the authority to do so.

Re:This seems hard to swallow (5, Interesting)

pavon (30274) | more than 5 years ago | (#26978031)

He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.

Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just a civil liabilities. That is what should have happened to Childs, no more no less.

Re:This seems hard to swallow (1)

ani23 (899493) | more than 5 years ago | (#26978455)

thats the problem. you can replace have a locksmit make new keys for your vault but still maintain the valuables inside. not the same with routers. u lose the config

Re:This seems hard to swallow (1)

davester666 (731373) | more than 5 years ago | (#26977971)

Well, they can charge him with anything, but I from what I remember reading about the story, he didn't access the gov't computers after he was fired.

I believe the main complaint against him was that he had all the knowledge over how the overall system worked, had the main administrator passwords, and wouldn't turn them over to others. I'm iffy on whether he was claimed to have disabled others from accessing the system, and whether he did that before or after he was fired.

Re:This seems hard to swallow (1)

mysidia (191772) | more than 5 years ago | (#26978041)

Given the level of competence they've shown so far (as evidenced by the articles), I wouldn't be surprised if they accidentally locked themselves out of their own accounts trying to break security.

And blamed the automatic account lockout on the admin.

In some systems, automatic account lockout happens if you repeatedly attempt to exercise privileges not assigned to your user, i.e. maybe some users tried to 'guess' a god password and su or enable from their account, and some automatic system throttled them.

There are a lot of ways they could have gotten locked out that the sysadmin had nothing to do with (other than having configured it that way when the admin was still authorized to have full access and enter configuration decisions)

Re:This seems hard to swallow (5, Interesting)

mabhatter654 (561290) | more than 5 years ago | (#26978109)

he set the routers to return to default under power failure. Actually that was a really smart move, these are in city building, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...

The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.

They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him.. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.

Re:This seems hard to swallow (1)

mysidia (191772) | more than 5 years ago | (#26978021)

The problem is they probably can't prove he gained unauthorized access, because most likely he didn't, he just had the means to.

And the access would have been unauthorized up to (and until) he was being re-assigned and removed as admin and got fired, etc, etc.

Re:This seems hard to swallow (1)

mabhatter654 (561290) | more than 5 years ago | (#26978057)

he had LEGAL means to have those, so the "hacking" point is moot. If they expected him to work late, or work from home, then it was part of his job tools. That access is a civil matter, unless it is PROVEN he caused actual, measurable harm... as he was in jail from the date of accusation, they have absolutely no trail to prove anything.

Again, if that was true your boss could fire you while your on vacation, and having taken your company laptop and cell for emergencies, then charge you with theft and hacking... again, would never hold up in court with out better, legal measures first.... calling you 10x a day or sending cops to your location is not "reasonable".

Re:This seems hard to swallow (1)

Grimbleton (1034446) | more than 5 years ago | (#26978195)

They charge gun owners in their own homes with possession of a tool of crime while serving warrants for other people, so that's not much of a leap.

popular trend in the courts lately (5, Insightful)

v1 (525388) | more than 5 years ago | (#26977871)

If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did, (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead. (ether as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like)

As usual, the legal system that makes me sick to my stomach some days.

Re:popular trend in the courts lately (1)

Anonymous Coward | more than 5 years ago | (#26978047)

"There's no way to rule innocent men. The only power government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws." - Ayn Rand

Re:popular trend in the courts lately (0)

Anonymous Coward | more than 5 years ago | (#26978295)

this happened a lot in the Dark Ages, I think it was called witch hunting...

I would love (1)

malkir (1031750) | more than 5 years ago | (#26977881)

For some outspoken person in the courtroom to just ask the judge and prosecuters if they even have rudimentary knowledge of network administration and the tools common for such a profession.

So will I now be eligible for lawsuit since I have multiple means of accessing my businesses networks?

Re:I would love (0)

Anonymous Coward | more than 5 years ago | (#26978017)

If I remember correctly in another case called something like "Apple vs. Microsoft" only two people in the jury had college degrees and none owned a personal computer.

But the Court thought them smart enough to understand the nuances of GUI design...

The point being, rudimentary knowledge of anything is of no interest to the court. They'll have Expert Witnesses for that.

Re:I would love (2, Interesting)

plover (150551) | more than 5 years ago | (#26978101)

During voir dire the lawyers probably asked if any of them were network professionals and dismissed those that were.

The court wants only the presented evidence and facts to enter the case, not the external, uncontrolled ideas of some hacker ranting in the jury room. When I served on jury duty, the judge made it plain that in that case the law was only what he told us it was. We weren't to consider things from outside of the courtroom.

It's kind of like designing code. He's trying to minimize external dependencies.

That said, it still seems pretty stupid.

Re:I would love (1)

I'm not really here (1304615) | more than 5 years ago | (#26978335)

Where is his jury of peers then? A guy who flips burgers at the local McDonald's and doesn't know a thing about networking or the tools of the trade is certainly not his "peer". Neither would a CEO of a multinational pharmaceutical company be his peer. Only others who have a general knowledge of his general field (various IT folks, engineers, and others who could readily understand the technology involved in the criminal case) should really be considered "peers." I'd file for a mistrial if no one on the jury knew anything about network administration in some form or another.

Re:I would love (0)

Anonymous Coward | more than 5 years ago | (#26978387)

the judge made it plain that in that case the law was only what he told us it was. We weren't to consider things from outside of the courtroom.

God forbid something like "truth" or "facts" snuck into the room through a juror's head.

Pinstripes? (1)

iminplaya (723125) | more than 5 years ago | (#26977885)

I haven't seen pinstripes on a prisoner since the Three Stooges.

But they get all this FREE: (0)

Anonymous Coward | more than 5 years ago | (#26978329)

Now that the convicted/condemned get cable, they don't want to leave. Notice the overcrowding (over?), that's not because more are coming in, but few are going out. They LOVE IT! FREE: Three square meals, medical and dental, sex out the ass *well, literally it would be sex in the ass*, so what more could a looser want? And all this is not only FREE as in BEER, it's FREE as in ... whatever that other FREE is -- freetards, help me out here.

Don't be rediculous... (2, Insightful)

Pichu0102 (916292) | more than 5 years ago | (#26977891)

All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"

Of course they wouldn't do that.
They'd use that fact as leverage to extract whatever they want from you first.

Wow (1)

yerktoader (413167) | more than 5 years ago | (#26977905)

Wow...7 months and the charge is dropped? That smacks of injustice, but IANAL.

I don't know what Venezia's background is...It would be interesting to hear from NewYorkCountryLawyer on this and the RAMBUS decision.

Re:Wow (1)

Concerned Onlooker (473481) | more than 5 years ago | (#26978111)

Just think of it as a short Gitmo stint.

Plus a quarter million to fix the problem... (2, Interesting)

mrbene (1380531) | more than 5 years ago | (#26977907)

So not only did he withhold passwords.

And have modems attached to computers.

But it's going to take 250,000$ [infoworld.com] to fix.

Can the defense claim insanity on behalf of the prosecution, 'cause I think we've just hit bat country!

Re:Plus a quarter million to fix the problem... (1)

dbIII (701233) | more than 5 years ago | (#26977953)

Oh really? I suggest reading Bruce Sterling's "The Hacker Crackdown" to get a history of how these costs are overstated when somebody wants a show trial.

Re:Plus a quarter million to fix the problem... (2, Interesting)

jamstar7 (694492) | more than 5 years ago | (#26978311)

Like AT&T trying to show that they had to buy a spendy mainframe for the exlusive use of one tech writer and then a supervisor for said tech writer so they could pad the 'damages' in a trial by the cost of the mainframe, 6 weeks 'work' by the tech writer at 40 hrs/week & the same for the supervisor, when the very same manual that was 'stolen' was for sale for like 10 bucks?

Re:Plus a quarter million to fix the problem... (0)

Anonymous Coward | more than 5 years ago | (#26978365)

That's a nice one. I also remember hearing that Sun accused Kevin Mitnick of stealing their entire software development budget for several years because he had a copy of Solaris kernel code that was floating around IRC at the time. It came out to an 8-digit figure, and they were selling it for three digits if not at the time then shortly afterward.

Section 502 (5, Informative)

russotto (537200) | more than 5 years ago | (#26977931)

Section 502(c) states in part

Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:

(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.

OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.

And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?

Re:Section 502 (1)

Greventls (624360) | more than 5 years ago | (#26977959)

After he is let go, he no longer has permission.

Re:Section 502 (1)

russotto (537200) | more than 5 years ago | (#26978029)

He didn't set up the modems after he was let go, and these charges are for "providing a means of accessing", not "accessing".

Re:Section 502 (5, Insightful)

mysidia (191772) | more than 5 years ago | (#26978085)

After he is let go, he no longer has permission.

However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.

There would be a 4 word phrase for that: ex post facto law. Explicitly prohibited by the constitution.

Along with Bills of Attainer, which is almost what throwing someone in jail without trial for a year with a $5 million bail amounts to, he has been declared guilty by the state and is being punished without trial.

A few years later when the finally gets a trial, they'll say "oops, my bad", and let him go, after using various means of persuasion to ensure he doesn't proceed with any lawsuit for the false imprisonment.

Re:Section 502 (4, Funny)

plover (150551) | more than 5 years ago | (#26978107)

I can't find the "Mod: +7 True, but fucking pathetic" button.

Re:Section 502 (0)

Anonymous Coward | more than 5 years ago | (#26978345)

There would be a 4 word phrase for that: ex post facto law. Explicitly prohibited by the constitution.

Explain that to Congress, who have been ex post facto passing copyright extensions for the past 70 years, then?

Fitting that the captcha that just came up was "lawless"...

Re:Section 502 (4, Interesting)

Entropy2016 (751922) | more than 5 years ago | (#26978415)

While I agree that what's happening to him is likely unjust, I would like to point out something...

However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.

I have to call bullshit here. Ex post facto laws are explicitly unconstitutional but that doesn't prevent government from passing laws which have ex post facto effects. To anyone who claims that there isn't a distinction, I must say that you obviously are not a lawyer. A good example is CERCLA: The Comprehensive Environmental Response, Compensation, and Liability Act. If you dumped hazardous waste somewhere 50 years ago, hazardous waste which at the time was legal to dump where you dumped it, when you dumped it, you are NOT protected from legal action by the government. You WILL be held financially responsible for getting that mess cleaned up. Now in the case of CERCLA, I'd say that while it's harsh, it's necessary & justifiable. (Probably not so much so with the prosecution's case against Terry Childs).

Re:Section 502 (5, Informative)

mysidia (191772) | more than 5 years ago | (#26978461)

You're confounding civil law with criminal law. They are in entirely different ballparks.

New laws can always impose new responsibilities on you, financial or otherwise, and those responsibilities may be increased by your past actions. But they can't change something you did in the past that was within the law from being a legal action to being a crime.

It is either a crime at the time the act is performed, or not a crime.

They're not attempting to hold Childs financially liable. They're attempting to charge him with a crime.

Re:Section 502 (1)

nettdata (88196) | more than 5 years ago | (#26978053)

The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself?

Oh please...

You have NO way of knowing that it was his decision. And it's a government... odds are that he was NOT allowed to make that decision.

I know that in my shop, the network admins do not have that kind of autonomy. They can make all the recommendations they want, but it's not their decision.

For all we know, he may have asked his superiors for permission and they failed to give it, and he went ahead and did it anyways.

Not necessiarly (1)

Sycraft-fu (314770) | more than 5 years ago | (#26978269)

Just because you are the administrator of something, doesn't mean you can do whatever you like with it, or that you have full decision making powers over it. Your employer, contractor, whatever ultimately gets to decide how things work. For example you might feel that SSH is the best way to access servers remotely. However your company might not like that, they want to monitor the traffic, so they insist on telnet over VPN only. You can argue with them, but if the ultimately say "This is the way it's going to be," you don't have the right to just go behind their backs.

You can look at it somewhat similarly to a bank's relationship to your money. When you deposit your money at the bank, you make them the custodian of it, the administrator of your account. However, you aren't giving it over to them to keep, it's still your money. They can do with it only what you allow. They couldn't for example, take your money out of an FDIC insured savings account and stick it in to an uninsured investment account. Even if they made you money doing so, it still wouldn't be ok if you didn't tell them that was what you wanted. They administer your accounts yes, but in the way you specify.

I'm not defending the city here, but just because he was the network administrator didn't give him the right to add access as he saw fit. Many companies (and government entities) have very strict rules on how access can be had to systems. The rules are often stupid, and often somewhat counterproductive, but it is their right to have those rules. You don't get to decide that you don't like them.

So if there was a "no modems" policy, or if the policy said "Any new access has to be approved by the board of whatever," then he wasn't doing what he was supposed to. Doesn't matter if they were to make his job easier, you don't get to skate policy just because of that.

Jeeezzzzzussss (1, Insightful)

MightyMartian (840721) | more than 5 years ago | (#26977949)

I can't believe this megomaniacal prima dona is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.

Re:Jeeezzzzzussss (5, Insightful)

Dun Malg (230075) | more than 5 years ago | (#26978043)

I can't believe this megomaniacal prima dona is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.

Well, it's just like 1st Amendment cases involving pornography, marching down the street in neo-Nazi uniforms or hooded bedsheets, or the like. You have to fight the idiots who would deny basic rights or make a mockery of law unilaterally, even when they go after the dirtbags. Letting them ignore the law when they beat down the unpopular is just giving them a free pass to do the same to you in the future, when it strikes their fancy.

Re:Jeeezzzzzussss (4, Funny)

socsoc (1116769) | more than 5 years ago | (#26978073)

Those damn IT people and their correct usage of HTML tags on a tech website, always holding BBCode tags hostage for ransom...

Re:Jeeezzzzzussss (1)

db32 (862117) | more than 5 years ago | (#26978151)

Just to play devil's advocate it WAS his network assuming he paid taxes. Arguably he was trying to protect the tax payers investment. I haven't exactly kept up on it, but I thought he even told the judge/lawyer something to that effect (I'm not giving him the passwords because he is an incompetent tool that will break it all). Now...whether he went about doing this in the correct fashion is certainly another issue, but if every citizen protected public investments like that we wouldn't have a 10 trillion dollar debt.

Someone needs a geography lesson ... (4, Insightful)

tomhudson (43916) | more than 5 years ago | (#26977951)

FTFA:

'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes

Even if convicted, the Childs case doesn't establish jurisprudence for 95% of the world.

Re:Someone needs a geography lesson ... (1, Insightful)

ElectricTurtle (1171201) | more than 5 years ago | (#26978123)

Yeah, too bad it's in the 5% that matters, given that CA has pretty much the highest tech density in the world, sets all the trends, and it's also home to ICANN.

Re:Someone needs a geography lesson ... (0)

Anonymous Coward | more than 5 years ago | (#26978447)

and every country out there seems to have a sexy relationship with adopting all of the US's failed policies like the DMCA

OR

that the US just assumes that the whole world is under its jusisdiction

bullshit (0)

Anonymous Coward | more than 5 years ago | (#26977957)

those guys should have learned to use a computer then. I would hire that guy back and fire the rest,...

Who's in charge? (5, Informative)

redkingca (610398) | more than 5 years ago | (#26978059)

While I haven't been in this specific situation(ie. jail), I have been in a similar situation.

At a previous employer(this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them I could give him any specific access he needed on demand.

When I was hired I was given a number of NDAs to sign one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor(with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.

In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.

Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)

Re:Who's in charge? (1)

bullettech (1457827) | more than 5 years ago | (#26978389)

it is three faster's

Re:Who's in charge? (1)

Sycraft-fu (314770) | more than 5 years ago | (#26978403)

Well in your case, you'd be covered. The problem here isn't specifically with him not handing over his personal passwords, the problem is that he's locking people out by doing so. Now while it is a poor system where only one guy has top access, that doesn't change anything. If your passwords don't stop the lawful owners from getting at their stuff, then there's no problem. The problem is when your passwords are the only way to get at it. Then if you refuse to hand it over, you can be in trouble.

It would be the difference between a user account and an enable account on a switch. If everyone has their own user account then there is no reason for them to need yours. They can take it away from you, if they don't want you to have it, but they can't demand that they need it. However there's only one enable password. So suppose you are the only person who knows it, and you refuse to give it up. Now you've locked them out of their own switches. It isn't that they want your password, it is that they want the password to the privileged level of the switch. You can't refuse them access to their own hardware. You wouldn't necessarily have to give them your password, but you'd have to change it to one that you did give them.

Also in the case of any larger organization, the way it gets handled is decided higher up. If a supervisor demands something they shouldn't have access to, you take it up the chain. In large organizations it is probably HR that you'd talk to. You say "My supervisor is demanding my passwords, however company policy states I am not to give them out, what am I supposed to do?" They'll decide. At that point you are covered. If it is a decision you are worried about, you get it in writing. Either way, doesn't matter. If they say "Yep, you have to hand over your passwords," ok fine, you do that. If problems come up because of that you simply point to the decision and say "I am doing as I was ordered."

The problem in this case is it sounds like he decided to be a petulant jerk about it. They wanted to axe him, but couldn't because he was the only guy that knew the system. Ok well fair enough. So the decide that he shouldn't the the only one with the passwords. Maybe they were going to try and hire someone else, maybe just hedging their bets. He said no, and wouldn't give them the passwords. Things finally got escalated to the top, the COO of IT said "Hand them over" along with threat of arrest if he didn't. So he gave them fake passwords. Thus they made good on the arrest threat.

Basically he was being a dick. Maybe he really thought it was the right thing, but he was still being a dick about it. Well, they've decided to be dicks in return, and being the government, they've got a lot of ability and practice in that arena. You don't want to get in to a "Who's the biggest asshole," contest with someone who is willing and able to be a bigger asshole than you.

Regardless of what happens with the charges, the moral for admins is simple: You do what the powers that be tell you with regards to access. If they demand access, you give them access. You don't have the right to say no. If your supervisor, or someone else who probably shouldn't have access is making the demand, go to the powers that be and see what to do. However whatever their decision is, you abide by it. Make recommendations, tell them why it isn't a good idea, but in then end do what they say.

Analysis (4, Informative)

GiMP (10923) | more than 5 years ago | (#26978075)

First, I'll remind everyone that the code 502 in question is only applicable in California.

The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."

What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.

Re:Analysis (4, Interesting)

GiMP (10923) | more than 5 years ago | (#26978155)

The other possible outcome is that they'll say that he had permission to configure access, but when that privilege was renounced, that he should have removed remote access... in which case, I question how they would ever expect to let anyone go if they would have to go through such trouble each and every time?

The truth is that often enough, companies don't change passwords, or at least not all of them, when a Systems Administrator leaves. Even in very small shops, it is very difficult to keep track of all the places passwords might be hiding, where remote access might left enabled. For other employees, it isn't as tough, they might have access to one or two systems, but for an SA? You might never be able to lock them out completely, and simply rely on trust, morals, and the law. For instance, an SA might have set up a router just to test new IOS releases on, test, etc. Nobody else would have used it other than that SA, and nobody else would have known of it of it or thought of it. Such a router could be on the network for years without being noticed. Such issues will only become more apparent with "VM Sprawl", where you might have thousands of virtual machines. Without strict auditing, and even with it, you'll easily miss a stray virtual machine floating out there.

The point is, once you give someone access to your network and your systems, to the level that a CTO, Senior Systems Administrator, or Network Administrator might have access, you can't ever be certain of locking them out of your systems, and you shouldn't be able to punish them for not remembering to lock themselves out -- only because it is too easy to make such mistakes or to have such oversight.

Personally, whenever I've left a job, I've done my best to forget everything possible that was specific about their configuration. I'd rather not remember the IP addresses of their machines, their passwords, or anything else -- there is too much liability.

This is bad? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26978089)

then just about every network administrator in the world could be charged with the same "crime,"

Re:This is bad? (0)

Anonymous Coward | more than 5 years ago | (#26978143)

Paul Venezia is not a lawyer, but it sure looks like he stayed at Holiday Inn Express recently.

Every sysadmin is guilty of having modems? Is he high? Which sane sysadmin plugs in unauthorized modems into the production network and then actively tries to hide them?

welcome to slashdot (1, Insightful)

circletimessquare (444983) | more than 5 years ago | (#26978091)

where the most pedestrian news is given the most ridiculous fear-driven spin, made front page in breathless write up, and a bunch of yammering legal ignorants wlll ape right along

and then these same people will ridicule stereotypes outside their domain who supposedly fall for propaganda and hysteria all the time

take a look in the mirror friend

no, slashdot, this case does not set the precedent you believe it does

CONTEXT. its a magical concept. consider it some time

Re:welcome to slashdot (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26978425)

Context: This guy has already been in jail for seven months for what looks like normal sysadmin work.

Hysterical overreaction (1)

Stormie (708) | more than 5 years ago | (#26978093)

I posted this in response to the Groklaw Summarizes the Lori Drew Verdict [slashdot.org] article, but it's 100% valid here as well:

Look, the fact is, if The Man wants to get you, The Man will get you. It doesn't matter what the laws are, exactly - they'll find something to hit you with.

That was true before the Lori Drew trial (Terry Childs charges), and it's true now. The precedents set by this case in no way make being on the internet (owning a modem) one bit more "risky". If you don't do anything to bring down the wrath of The Man, you'll be fine. And if you do, you're screwed, online or off.

Re:Hysterical overreaction (1)

JohnFluxx (413620) | more than 5 years ago | (#26978113)

And complaining about that is a hysterical overreaction? WTF?

Re:Hysterical overreaction (1)

Stormie (708) | more than 5 years ago | (#26978175)

Complaining that this case "puts all admins in danger", or that you can now be thrown in jail for owning a modem, is a hysterical overreaction.

Re:Hysterical overreaction (1)

JohnFluxx (413620) | more than 5 years ago | (#26978257)

Not really. (Ab)using laws sets precedents. If the guy ends up going to jail for just owning a modem, then how is it an over reaction to say that you can be thrown in jail for owning a modem?

Re:Hysterical overreaction (1)

Stormie (708) | more than 5 years ago | (#26978355)

The overreaction is in believing that your situation is in any way different today to how it was yesterday, BEFORE this guy got thrown in jail for owning a modem.

Re:Hysterical overreaction (1)

dbIII (701233) | more than 5 years ago | (#26978219)

IMHO we're seeing Terry Childs in the hotseat here and not Nancy Hastings whose hard drive was taken away for no legitimate work purpose I can see becuase Terry was the one the caught the new security person exceeding their authority and kicked up a fuss about it. He is being sacked for taking photos as evidence to present to management, but now that has turned into "intimidation".

If I saw someone acting so suspiciously I would also confront them. If it isn't your job to pull apart computers full of confidential information I would object unless the people authorised to see that information agree. If the new "network security" person starts taking desktop hard drives to poke about on I would definitely take it up with their superiors.

The incredible overreaction makes me think somebody is being overprotective of an upset Jeana Pieralde, IMHO due to having to cover for appointing somebody that is acting innappropriately to show they did make a good choice, or due to some personal attachment and the want the young lady to owe them a favour. Office politics can be incredibly sordid and banal - I really do think this guy went to jail so that some sleazy arsehole can improve his chances to get into Jeana Pieralde's pants, or perhaps he was already there and she got the promotion (and the dismissal of Nancy Hastings who would have been senior) as a reward.

It amazes me that this has got as far as criminal action. There are often bizzare overreactions when computers are involved in what would otherwise be fairly trivial situations.

The citys also runs the jail system so that speeds (1)

Joe The Dragon (967727) | more than 5 years ago | (#26978099)

The citys also runs the jail system so that speeds that part up out side of a city things likely do not go that fast.

The passwords were the property of the city (1)

DJRumpy (1345787) | more than 5 years ago | (#26978159)

It seems to me that he has no legal standing. IANAL, but if his supervisor tells him to give them the passwords, it is not his place to decide who it is 'safe' to give them to and who is not safe. That is his employers decision.

His colored past aside, he could be a very upstanding citizen and he would still be completely in the wrong for not releasing the information that his employer tells him to. He gained that information in the employee of the city and that information is the city's property.

In my opinion, he has some sort of conflict with his employer and he's using the passwords to leverage grief against them, not trying to protect the fiber network.

That said, the charges about the modems seem a bit far fetched as it sounds like they were there for perfectly legitimate reasons. Hopefully he has documentation to back his claims up that they were job related. I don't think they'll be to forgiving given his past record.

IT laws are in conflict with each other (5, Interesting)

zerofoo (262795) | more than 5 years ago | (#26978183)

I've managed networks for regulated industries like Finance, Banking, and Medical industries. All of these industries have laws regarding access controls and information security.

SarbOx, GLBA, and HIPAA, all REQUIRE access controls on data and systems. As network admin, I can't know the CEO's password, and he can't know my password. This is essential for creating an audit trail and only allowing access to systems and data based on individual authority.

Laws that make it a crime to withhold passwords (or access) are in direct conflict with the above mentioned laws. If you leave your job and give your "admin" password to the CEO, you could be violating the above laws since you just gave the CEO a way to rob the company, and cover his/her tracks.

It's insanity to think that you could be committing a crime by doing your job.

-ted

Re:IT laws are in conflict with each other (1)

blitziod (591194) | more than 5 years ago | (#26978343)

besides it does not matter. Sharing a password that you know as a result of your employment is wrong. Using it without permission or after employment is wrong. Simply not telling people the passwords is your right( although it might be being a jerk). Analogy: I hire a locksmith to reset the combination to my vault. He knows the combination, he set it. I have a dispute with said locksmith over another matter and tell him i will no longer need his services. Then i lose, forget or whatever the combination. I call him up and ask him. He tells me to get lost and not call him anymore call somebody else. Is he a criminal no. i have a file clerk that uses her own system of filing at my company for years. I fire her. I can't find an important file. I call her up and ask where it is. She tells me to get lost..my tough luck.

And we have security because.. (0)

Anonymous Coward | more than 5 years ago | (#26978239)

"Initially Childs refused to hand over administrative passwords to the city's routers, which had been configured to wipe out all configuration information if they were reset. "

What point would there be to security if one could reset a router and only erase the password.

Puts all admins in danger of... (0, Troll)

jafiwam (310805) | more than 5 years ago | (#26978245)

looking like insufferable, arrogant assholes.

Look, any way you slice this, Terry Childs held something at ransom or rendered useless that didn't belong to him.

Period. No fucking more arguments about that. The routers were not in his living room, and therefore NOT HIS.

The code, hardware, and configuration all belong to his employer. By withholding information about the configuration, he stole from his employer on the way out.

I don't care if he feels like he was mistreated or they might screw up the network after he left. Maybe if he spent more time not being a shit while he was there, leaving would have been easier. Or, I don't know, acting less like a typical waste of biomass bureaucrat doing nothing but protecting his little fiefdom and doing his job properly.... Making sure the job and one's successors succeed is critical to any IT role (if just for the "hit by a bus" factor) and this guy failed miserably at that.

Let his dumb ass rot in jail. He fucked himself and he deserves what he is getting. Take his car, computers, and 70th level Wizard away too because he represents the WORST qualities of the computer professional he could possibly be.

A Moot Point ? (3, Funny)

shashark (836922) | more than 5 years ago | (#26978253)

Count 1: disrupting or denying computer services is moot

Joey: It's a moo point
Rachel: You mean a moot point ?
Joey: No...no, a moo point ... like a cows opinion, doesn't matter ... it's moo.

Information is not property. (1)

digitaltraveller (167469) | more than 5 years ago | (#26978277)

So what if Childs is an asshole, it's his right as an American to be one.

Boo-hoo if the SF IT dept risk management plan couldn't handle a rogue employee refusing to give up the password.

It's a pretty dangerous precedent if people can be legally forced to disclose information against their will.
Isn't that what the 5th amendment was for?

Prosecutor:
Does your mother have AIDS? YOU MUST ANSWER
Witness: ...Yes
Prosecutor:
BURN HER AT THE STAKE!!!!

Yay Mcarthyism

obama has you by the nut sack (0)

Anonymous Coward | more than 5 years ago | (#26978283)

and he's spending your money to try to get out of debt. he may as well be betting in vegas with tax payer cash.

Sounds kind of like the "Criminal tools" charges (1)

Cherveny (647444) | more than 5 years ago | (#26978305)

Sounds kind of like the "possession of criminal tools" charges so many cases have added on, when said "tools" are ANYTHING used to commit the crime. Always seemed to me just a way for prosecutors to add an extra set of random charges for extending a sentence, or extra bargaining room for a plea.

labor union for IT (1)

ub3r n3u7r4l1st (1388939) | more than 5 years ago | (#26978407)

We need a united labor union for IT. Somebody needs to start it. This union should provide legal assistance to its member, in return for its dues. Only that the serious, prolonged abuse of IT staff everywhere will be stopped.

What a crock of shit. (0, Flamebait)

DaveV1.0 (203135) | more than 5 years ago | (#26978453)

This article is a total crock of shit. This case does not put all admins in danger unless the author believes all admins are arrogant assholes. But, that might be the case as the author certainly appears to be one himself.

The fact is that by withholding the password, he denied access to the systems. ANY admin with integrity would have turned the passwords over to his boss when he left the company.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...