Terry Childs's Slow Road To Justice

kdawson posted more than 4 years ago | from the exceeding-fine dept.

Government 253

snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"

253 comments

Men like these... (5, Funny)

jdpars (1480913) | more than 4 years ago | (#31340432)

Men like these are all that stand between us and the terrorists who would destroy our internet-based communications.

Re:Men like these... (0)

Anonymous Coward | more than 4 years ago | (#31340586)

Oh, man, I don't know whether I should mod you Insightful or Funny! Could go either way, honestly.

Maybe I'll come back later and see what the other mods say.

How about men like that dumb mayor? (0, Flamebait)

Taco Cowboy (5327) | more than 4 years ago | (#31340632)

Why in the world is the good guy thrown into jail while that idiot still remains the mayor?

Is this the good old U. S. of A. that stands for Justice, Liberty and Truth?

Re:How about men like that dumb mayor? (2, Interesting)

Fluffeh (1273756) | more than 4 years ago | (#31340746)

Is this the good old U. S. of A. that stands for Justice, Liberty and Truth?

I think it's been a really good while since it actually stood by that slogan. I think it's really the country that stands for what's best for its corporations and lobby groups, where there is justice for either those with buckets of money and where the truth is whatever the winning side says at the end.

Re:How about men like that dumb mayor? (2, Insightful)

meerling (1487879) | more than 4 years ago | (#31340836)

So in other words, that phrase is just standard marketing schlock?

Re:How about men like that dumb mayor? (1)

solafide (845228) | more than 4 years ago | (#31340844)

It is interesting, but early legal doctrine was hugely tilted toward the rich; and much of the lack of Justice, Liberty, and Truth that you complain about occurred with the movement toward more democratic (not republican) USA government. Nevertheless, it may be argued that the USA never stood for justice or truth, and perhaps not liberty either.

Re:How about men like that dumb mayor? (5, Insightful)

MrNaz (730548) | more than 4 years ago | (#31340958)

So you're saying it's time for a new national byline eh.

"Arbitrariness, Security and Hidden Agendas"
No, doesn't flow off the tongue right.

"Commercialized warfare, industrial subjugation and for-profit courts"
No, that's too wordy...

"Injustice, slavery and lies"
Hmm... I think we have a winner!

Re:How about men like that dumb mayor? (4, Informative)

deniable (76198) | more than 4 years ago | (#31340822)

The idiot wasn't the mayor, but someone in middle management. The mayor was brought in as an appropriate person to receive the passwords because the idiot that originally demanded them wasn't actually covered by the security policies.

Re:Men like these... (4, Funny)

jdpars (1480913) | more than 4 years ago | (#31340674)

Something tells me that at the very heart of this entire matter is someone's porn stash hidden on a city computer. Probably the mayor's.

Re:Men like these... (0, Flamebait)

fred133 (449698) | more than 4 years ago | (#31340712)

This is insane, isn't this the job of a sysadmin, protect the password?
Above all else, protect the password.
Just because his managerial superior demands the password, do you hand it over?
Do you give the keys to your 6000 lb. Hummer to a 9 year old because he demands them?

Re:Men like these... (1)

eosp (885380) | more than 4 years ago | (#31340804)

Agree. Even if they had the right to the passwords (and any admin worth his salt would ensure that someone else had them, in case he gets hit by a bus):
  • They demanded them over speakerphone. There's no way that he could verify that the people on the other end of the line were all able to have that password.
  • He is not liable to tell them how to let them in. If I don't document something, they have no ability to come back and make me do it. Their only recourse is not giving me a good reference for my next attempt at a job.

Re:Men like these... (1)

gandhi_2 (1108023) | more than 4 years ago | (#31340826)

Do you give the keys to your 6000 lb. Hummer to a 9 year old because he demands them?

Hmmm. Sure. Fuck it! [auto-novosti.ru]

Re:Men like these... (3, Insightful)

JWSmythe (446288) | more than 4 years ago | (#31341162)

    The difference in your car analogy is that the Hummer doesn't belong to you. It's more like leaving the vehicle with a valet. When you go to pick up the vehicle, the valet refuses because he doesn't think you can handle driving it.

    It was the city's network, not his personal playtoy, regardless of how he felt about it.

    I worked at a company for 8 years. I had set a policy that passwords were given to management in case something happened to me and my IT group. When they laid me off, I was locked out of everything, according to my own plan. The plan stated that if any admin with substantial rights were to leave the company, all keys and passwords must be changed immediately, preferably between the time they were brought into the office to be told they were gone, and the time they walked out.

    Despite the fact that I was there for 8 years, and despite the fact that I felt all the servers were my electronic children, the moment I was laid off was the moment that it was no longer mine to say anything about. I was only a caretaker on behalf of the owners. If/when they choose that I am no longer the caretaker, I have no control nor responsibility to that network.

    Another company I worked for improperly terminated me. The moment I was told to "fuck off" was the moment that I had no responsibility to anything they owned. I was contacted later by someone for assistance on a project I worked on. The guy contacting me was a nice guy, and he wasn't asking for much. My responses were:

    1) I don't work there any more. Go away.
    2) They fired me, and I wouldn't help them with anything. Go away.
    3) You're a good guy, here's the answer.

    Those answers were in sequence in one email. He admitted that he expected the first two answers, but was pleased to get the third. They could have gotten another developer in there to figure out what I did. It really wasn't hard, and a good developer could have done it in about 10 minutes. It's not advantageous for anyone to burn bridges. My contacts there may land me my dream job sometime in the future. Terry Childs will have an awful hard time convincing anyone that he isn't a threat to the continuity of their projects.

I'd log in... (3, Funny)

Anonymous Coward | more than 4 years ago | (#31340452)

I'd log in to post a comment, but Terry Childs won't tell me my password...

Re:I'd log in... (0)

Anonymous Coward | more than 4 years ago | (#31340486)

And even if you did it would be too late for a first post.

Re:I'd log in... (0)

Anonymous Coward | more than 4 years ago | (#31340756)

Don't worry I'll just look it up for you. Ah yes, here it is:

boobs

Will ciso befored to let take the test with out ha (2, Funny)

Joe The Dragon (967727) | more than 4 years ago | (#31340460)

Will ciso before to let take the reup test with out having to do full lab test and is he able to get IT books / tests in jail?

Re:Will ciso befored to let take the test with out (1)

MyLongNickName (822545) | more than 4 years ago | (#31340590)

What am I missing? Why is this modded funny?

Re:Will ciso befored to let take the test with out (1)

Culture20 (968837) | more than 4 years ago | (#31340624)

When I read GP, I couldn't stop giggling. It's so poorly worded. I'm sure it's a meme of some sort, but it's funny in its own right.

Re:Will ciso befored to let take the test with out (3, Funny)

deniable (76198) | more than 4 years ago | (#31340838)

It looked like a memo from management to me. Very senior management.

Sure they could have been readily used. (5, Informative)

mysidia (191772) | more than 4 years ago | (#31340464)

'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I

Don't use a non-specified IP address.

Or more specifically: graph a console cable, plug it into the device, and do what you need to do.

That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.

In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent covert abuse of accidentally leaked passwords.

No one password should ever give anyone free rein over a critical network, without at least also having physical access or passing through a designated management point.
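
The layering described in the comment above, as an added example that is not part of the original thread: a short Python check that reads a Cisco IOS-style configuration and reports VTY (network login) lines where a password alone would be enough to reach a login prompt. The sample configuration, ACL number and addresses are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
hostname EXAMPLE-CORE
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""


def parse_line_blocks(config):
    """Return {"line ...": [subcommands]} for every 'line' block in the config."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the block
    return blocks


def defined_acls(config):
    """Collect the numbers/names of ACLs that are defined in the config."""
    acls = set()
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) ", raw)
        if m:
            acls.add(m.group(1))
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", raw)
        if m:
            acls.add(m.group(1))
    return acls


def audit_vty(config):
    """Return a list of (line header, finding) tuples for VTY lines.

    The console line is skipped on purpose: it needs physical access and is
    not filtered by IP access lists.
    """
    findings = []
    acls = defined_acls(config)
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        matches = [re.match(r"access-class (\S+) in\b", c) for c in cmds]
        inbound = [m.group(1) for m in matches if m]
        if not inbound:
            findings.append(
                (header, "no inbound access-class: any source address can try a password")
            )
        for acl in inbound:
            if acl not in acls:
                findings.append(
                    (header, f"access-class {acl} refers to an ACL not defined in this config")
                )
        for c in cmds:
            words = c.split()
            if words[:2] == ["transport", "input"] and ("telnet" in words or "all" in words):
                findings.append(
                    (header, "telnet permitted: credentials cross the network in cleartext")
                )
    return findings


if __name__ == "__main__":
    for header, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```
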

Re:Sure they could have been readily used. (4, Insightful)

phantomfive (622387) | more than 4 years ago | (#31340560)

When he gave the passwords to the mayor, the mayor came with no one but his press secretary. There was no technical person to ask questions, so it is not completely surprising that they didn't get it figured out the first try (even if a reasonably competent person could have figured it out, apparently there were not many of them left in the department). The important thing is when they came back with followup questions, Childs did help them out.

Here is my question: is the entire city run this badly, or is it just the IT department?

Re:Sure they could have been readily used. (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31340634)

Incompetent? No, you misunderstand. They're very competent. At keeping their jobs and getting reelected that is, of course. You seem to assume that they want the truth or justice or something else. That's silly talk.

Had he gone in wanting to get the passwords then the city may have come out as idiots for putting Childs in jail in the first place. The goal is to make Childs look as bad as possible, innocent or guilty doesn't matter as long as the politicians don't look bad for being idiots for starting this whole mess.

Re:Sure they could have been readily used. (5, Insightful)

0WaitState (231806) | more than 4 years ago | (#31340664)

Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

But, the prosecutor who slapped five million dollars bail on Terry Childs needs to be taken down, have his political career ended over this. The judge who approved the bail (different from the judge presiding over the trial) also has some explaining to do. ITS COMPUTERZ AND SCARY AND DIFFERENT AND I DONT UNDERSTAAAAAND is not sufficient reason to take away 2 years of a man's life, no matter how big an aspie asshole he might be.

Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.

Re:Sure they could have been readily used. (3, Insightful)

Fluffeh (1273756) | more than 4 years ago | (#31340792)

Not to mention the 14-odd jurors who have to show up 8:30AM at the courthouse for 12-16 weeks while this idiocy unfolds. Part of their lives is being stolen away too.

The thing that worries me the most is that if you are the defense, and you see a juror who is clearly totally non technical and "ITS COMPUTERZ AND SCARY", you kick them from the jury list. While if a juror is tech savvy, the prosecutor will kick them as you will no doubt side with the technical guy who was doing his sysadmin job.

I really wonder who that leaves to be on the jury for this. What is the jury comprised of? To really be a good juror on this, you should have at least some understanding of things technical, yet be impartial enough to be able to make the correct call on the legality of it.

Just who fits into that bucket? I can't think of anyone I know. Either all techies to the bone, or so nontechnical that I could not fathom how on earth they could hold this man's freedom in their hands without buckling.

Re:Sure they could have been readily used. (0)

Anonymous Coward | more than 4 years ago | (#31340866)

Twitter's engineers... I think they are as close as the world has to a mediocre middle.

Re:Sure they could have been readily used. (1)

deniable (76198) | more than 4 years ago | (#31341018)

In most situations, they can only challenge a limited number of jurors. They have to pick and choose carefully.

Re:Sure they could have been readily used. (3, Funny)

Man On Pink Corner (1089867) | more than 4 years ago | (#31341418)

Maybe they can get the people from Youtube that are in charge of overlapping volume controls and 360p-480p selectors. That might be a good middle ground between technically-literate jurors and barking morons.

Re:Sure they could have been readily used. (4, Insightful)

tsm_sf (545316) | more than 4 years ago | (#31341020)

Most of the city is run worse. We kind of like it that way, except when the insider dealing takes out a treasured park or restaurant.

The openness of the corruption in San Francisco is breathtaking. It's like you're in a noir movie. The mayors are all stock characters from central casting, the police department is on the take, the department of public transportation has a running scam going with the largest towing company, and there's a water scandal (google Raker Act) right out of Chinatown. All that's missing is a shifty little midget trying to slit your nose.

Hang on, someone's at the door.

Re:Sure they could have been readily used. (1)

MemoryDragon (544441) | more than 4 years ago | (#31341318)

Not sure how it works in SF but I worked in public places and often here in Europe it is like that that the entire department is understaffed entirely and they try to get away as cheap as possible, due to the fact that they see IT as an afterthought. So they hire the cheapest guys and only as few of them as possible. The only ones getting a good pay usually are the ones above the departments (middle management, most of the times with some law degrees, because public service is a career option for them into politics).
From time to time there is one person in those IT departments who is really good who sticks to the job due to job security and having a big skin to cope with the daily sh*** which flies against the department. (Have in mind often fairly arrogant and stupid people work there, usually worse the higher you get.)
So from what I could read here this is fairly normal, that's how many cities are run. They are not run by the most intelligent brightest people but by the weasels with the biggest mouth.
Intelligent people usually flee after 2 years from public service departments or give up internally.

Re:Sure they could have been readily used. (2, Insightful)

sjames (1099) | more than 4 years ago | (#31340676)

In the case of a sweet target like a government network, it would be negligent to let anyone anywhere connect to try a few passwords. Sometimes it's best to restrict enable mode to serial console.

Re:Sure they could have been readily used. (1)

Bios_Hakr (68586) | more than 4 years ago | (#31340684)

This just goes to show how incompetent the other (were there others?) network managers were. If I encounter an unknown Cisco device, it takes maybe 20 minutes to recover to a full working state with MY passwords in-place. Most places run some sort of ACS. How hard would it be to break into the AAA and add a user/pass?

And anyone with even basic Cisco knowledge understands management VLANs.

The major problem is that the Mayor did not ask the right question in the right way. He probably asked, "what are the master usernames and passwords?" He should have asked, "what do we need to do to take control of B1024_CITY_CORE_6509?"

Of course, there was some shadiness in that Childs decided to only tell them what they asked for vice what they needed to know...

Re:Sure they could have been readily used. (1)

Fluffeh (1273756) | more than 4 years ago | (#31340816)

Of course, there was some shadiness in that Childs decided to only tell them what they asked for vice what they needed to know...

Yeah, he was being totally an asshat about it, but that's no reason to put a man into jail for two years if you ask me. How about put him in jail until control of the system is restored?

I am not totally sure how the American legal system works, but if he is found not guilty, which I sort of assume he will, won't that effectively give him carte blanche to sue for the time he spent in prison?

Re:Sure they could have been readily used. (1)

Bios_Hakr (68586) | more than 4 years ago | (#31340990)

As far as I know, you don't get any compensation for the time spent in jail awaiting trial.

Re:Sure they could have been readily used. (3, Insightful)

mysidia (191772) | more than 4 years ago | (#31340834)

He might have foregone AAA on some critical devices, since he was not distributing access to many people but keeping it solely to himself... or (rather) since he [was] the only person who had all the keys. The prosecution's theory would kind of fall apart, if he was using AAA on the network, and admins could add additional router admins at any time...

Reportedly an initial issue was Childs' use of no service password-recovery. As a security compromise to his preference of leaving startup config blank on certain devices, for security reasons.

If they had suspected he did this on the core routers, then there's no way they could risk rebooting them, without a lot of acceptable downtime and one hell of a disaster recovery plan...

However, that was likely a one-sided view favoring the prosecution. If Childs in fact did not do that (and never said he did) remove startup configs or 'no service password-recovery' on physically secured core equipment, then their fears are not his fault.

Childs may have only told them what he was able to think about to mention.. kind of tough to fill someone in when you don't know what exactly they don't know, what they need to know, etc, etc, and they are impatient / arrogant (as many manager types can act, esp. when they think they are not getting what they want).

Also, you can't exactly search through your own notes, and write usable notes with access details intended for someone else, while sitting in a jail cell.

In other words, by overreacting, grabbing him, and throwing him in jail, they probably made it more difficult, or even impossible for him to provide the very type of information they were wanting....

Re:Sure they could have been readily used. (1)

slimjim8094 (941042) | more than 4 years ago | (#31340752)

graph a console cable

What is its function?

Re:Sure they could have been readily used. (1)

mysidia (191772) | more than 4 years ago | (#31340948)

What is its function?

I meant grab a console cable :)

One end of the cable plugs into the RJ45 port on the special port on the router / engine / supervisor module with the blue "Console" label

The other end plugs into a serial port (or more likely nowadays) a USB-to-Serial adapter connected to a PC or Laptop.

(Or the RJ45 port on a serial concentrator, also referred to as terminal server / console server / serial console switch)

In any case, typically a command line prompt is presented to the serial port at a baud rate of 9600 (that makes old 14.4 modems seem fast).

And no network connectivity at all should be required to access this.

It's really the port used for emergencies, essential maintenance, or on secure devices (such as firewalls, especially) that are sometimes designated by the admin to be managed out of band only.

The Mayor's Testimony (5, Interesting)

zippthorne (748122) | more than 4 years ago | (#31340470)

I'm glad to see the mayor can be so jocular and jovial and downright chummy, cracking wise and generally campaigning when a man's freedom is at stake here.

Re:The Mayor's Testimony (2, Insightful)

l0ungeb0y (442022) | more than 4 years ago | (#31340726)

Newsom represents the best of breed in SF liberalism. They are only for protecting rights and freedoms when it's THEIR rights and freedoms.
Since this guy is a nobody who's being shown who his daddy is by the SF government workers, it's not Gavin's concern at all.
To him, this guy deserves to rot in jail at the behest of some ticked off department head.

The sad thing is, this guy's life has been irreparably harmed by this incident, an acquittal will do nothing but put him out on the streets.
By now I'm sure he's lost his home and possessions. And the lawyer will take whatever is left in the bank.
Frankly, he'd be better off being found guilty and being handed the life sentence he apparently deserves in accordance to that $5 million in bail.

Re:The Mayor's Testimony (3, Informative)

0WaitState (231806) | more than 4 years ago | (#31340796)

Realistically, Newsom wasn't involved in the debacle until they realized that the only way they were going to get the authentication credentials was to do it by the book, as Terry Childs was insisting, which meant the mayor, in person, receiving the credentials. Not over a freaking speakerphone as Childs' supervisor attempted. It's possible that Gavin Newsom appointed some of the idiot IT managers that let a single contractor have undivided ownership of the network...

And no, da mayor does not get to tell the prosecutor to drop a case. Maybe in Chicago, but not in most cities. The real question is why the prosecutor went balls-out for 5 million dollars bail. BTW, the trial judge already tossed 4 of the 5 indictments. Just arresting the guy for a few days was enough to send the message "don't be a prick".

Both sides behaved terribly (2, Interesting)

Toonol (1057698) | more than 4 years ago | (#31340484)

Childs doesn't deserve two years in jail, and further penalties heaped upon him. There is a lot of incompetence mixed with hurt pride among the city staff, which is to be expected from any government body.

But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.

Re:Both sides behaved terribly (5, Informative)

FooAtWFU (699187) | more than 4 years ago | (#31340520)

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

Re:Both sides behaved terribly (-1, Troll)

schnell (163007) | more than 4 years ago | (#31340584)

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor.

I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them." People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command - people he did not provide them to when requested. Does every IT admin in a company think his job is to keep the passwords safe from everyone but themselves and the CEO?

Seriously - I know we all want to cheer for the IT guy here, and his case sounds terribly bungled by the city - but let's not try to pretend that he didn't violate rules and/or laws.

Re:Both sides behaved terribly (5, Informative)

Anonymous Coward | more than 4 years ago | (#31340628)

"People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"

You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.

"but let's not try to pretend that he didn't violate rules and/or laws."

He didn't. You are welcome to prove that he did, but so far you are only guessing despite no evidence to support your case.

Re:Both sides behaved terribly (5, Informative)

Lord Kano (13027) | more than 4 years ago | (#31340678)

I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."

If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.

"You're fired. Give me the network passwords."
"Sorry, that is no longer my job."
"I'm calling the police."

LK

Re:Both sides behaved terribly (2, Informative)

dbIII (701233) | more than 4 years ago | (#31340768)

That's exactly it - the people that asked were not in the chain of command and there were a lot of other witnesses from outside of the organisation in the stupid "ambush" meeting he was dragged into. In a previous article here someone quoted some of the rules for that workplace, one of which was not revealing the information to outsiders. It's beginning to look like a nasty trick to back him into a corner so that any response or even lack of response would have got him into trouble.
I'm still curious about the events leading up to this such as the other dismissals and the odd snooping around. It really looks like office politics and cleaning out the workplace to replace with cronies and putting an awkward obstacle in jail.
From looking at what's been released so far I can't see where he violated either the law or their rules.

Re:Both sides behaved terribly (2, Interesting)

eosp (885380) | more than 4 years ago | (#31340864)

Context: the first time they asked was also over speakerphone.

Epic win: he also put the passwords in public court records, so the new IT staff had to scramble.

Re:Both sides behaved terribly (1)

Fallen Kell (165468) | more than 4 years ago | (#31340906)

My boss doesn't have the passwords to the systems. He isn't cleared to have the passwords. There are briefings and paperwork that would need to be signed stating that he read the rules associated with that level of access and control, that he was trained in knowing how to operate with that access level, that he had technical certifications and/or a vetting process to approve that he could be trusted to not F everything up.... So yes, I would say very quickly that Childs may very well have been correct in his actions. I know that I can be put in jail for giving the passwords away to someone who hasn't gone through the above process, and I don't care if you are the president of the company, I am personally liable if the process is not followed, and not just to my company, but to the Federal Government, specifically several arms of the military and their oversight entities who dictate the rules that shall be followed.

Re:Both sides behaved terribly (1)

tnk1 (899206) | more than 4 years ago | (#31341214)

Chances are good that if there were statutory or regulatory reasons that he did not give up the passwords to uncleared individuals, he would not be sitting in jail. This isn't the Federal Government, it's definitely not the military.

I can't think of any reason his bosses were not cleared to have the passwords. Having said that, if they didn't ask him until after they fired him for the passwords or order him to tell them how they could change them at least, then I don't see why it is his problem. They've released him and didn't get the passwords. Their case should fail on that grounds alone.

On the other hand, there's no reason that he couldn't have remembered them and just given them up. The incompetence of his employers is no longer his problem when they are no longer his employers any more. The fact that he is sitting in jail for something so silly is a testament to his foolishness as much as the incompetence of his employers. I also think he talked himself into jail when his reason for not giving them up was "you are incompetent and I won't do it" instead of "sorry guys, I forgot them". At that point, he sounded like he was spewing manifestos, and we all know who spews manifestos... communists and terrorists. Now, being a communist is probably not a problem in SF, but terrorism is a problem for everyone, especially the guy you just called incompetent. Welcome to jail. I hope he gets some sort of speaking tour or something to make some cash after he gets out because he has otherwise become a martyr for a dumb cause. And if he does manage to get convicted, it's his own damn fault.

Re:Both sides behaved terribly (1, Interesting)

bertok (226922) | more than 4 years ago | (#31340654)

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)

Terry didn't do his job. He made sure that he was the only person with the passwords, for years! What happens if he gets run over by a bus? Or dies of a heart attack?

This is a guy who thought he somehow 'owned' a network paid for by the taxpayers, just because he was the lead designer! Nobody that crazy should be allowed sole control of anything even remotely important, let alone the core government WAN of a major US city!

Re:Both sides behaved terribly (5, Informative)

Anonymous Coward | more than 4 years ago | (#31340666)

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

It was in his contract.

Re:Both sides behaved terribly (1)

Mathinker (909784) | more than 4 years ago | (#31341066)

...

When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)

Terry didn't do his job. He made sure that he was the only person with the passwords, for years! What happens if he gets run over by a bus? Or dies of a heart attack?

So you're saying, in effect, that the senior IT managers were not doing their jobs? Yes, that's clear to all of us here. What isn't clear is whether we attribute this failure on the part of the managers to their own incompetence, or to some kind of Catch-22 where the managers were never given the proper funding which would be necessary to replace Childs properly with a more cooperative "widget" (making leaving the status quo the best possible thing to do). Since Childs did agree to give the passwords to the mayor (albeit under duress), one would think that it was likely that he could have been convinced to do this previous to the "crisis" situation. It is my opinion that it was the failure of his managers that they didn't require him to do it.

This is a guy who thought he somehow 'owned' a network paid for by the taxpayers, just because he was the lead designer! Nobody that crazy should be allowed sole control of anything even remotely important, let alone the core government WAN of a major US city!

Again, you're merely stating that Childs' managers were idiots. Why should he be in jail for that?

Re:Both sides behaved terribly (4, Insightful)

denobug (753200) | more than 4 years ago | (#31341248)

When Terry's immediate supervisors -- in the IT department -- asked for the passwords, he refused, which is flat out insubordination. The senior IT managers should have access to the network passwords. That is a part of their job description. It's the responsibility of administrators to make sure that the passwords are disseminated to the appropriate people, and stored securely. (e.g.: in a lockbox, safe, or whatever...)

If they had fired him first and then asked him, that is no longer insubordination. At that point all he had to follow was the simple ethics rules that govern the work of a professional. At no point is he liable to give the password to people who he knows will not put it to good use and, worse, possibly expose records that were supposed to be kept secure. All I see is that they are trying to get him one way or another. If the jury does not give him a not guilty verdict (after being in jail for more than 2 years) I hope the governor of California does. If not I certainly hope Obama will help the "weak in need" in this situation. Childs does not deserve to be jailed for what he did. He may be a pain in you know what but he certainly is getting things done the correct way.

Speaking of Obama. No one in the military should allow him to fly an F-22 solo (I'm pretty sure he does not have the necessary military training to operate such an advanced plane that costs billions of dollars), even if he or Rhom demanded someone to let him fly. Should a colonel (or even a captain) deny Obama access to the cockpit, they should not be jailed 2 years and then tried for that. They followed the rules and did their job. Simple as that. It would be endangering public safety to allow him to fly one, not to mention the extensive taxpayer dollars that are at risk of being wasted unnecessarily.

Re:Both sides behaved terribly (1)

MindlessAutomata (1282944) | more than 4 years ago | (#31340528)

When it comes to security, it doesn't really matter--people's data, money, and potentially livelihoods may be at stake.

Re:Both sides behaved terribly (0)

Anonymous Coward | more than 4 years ago | (#31340532)

I disagree. Technically, doesn't that property belong to the citizens of San Fran? I believe he has partial ownership too. So if you jointly own a house and you know one party just keeps leaving the door open all the time and letting random hippies (corporations) in, wouldn't you change the locks?

Re:Both sides behaved terribly (1)

kimvette (919543) | more than 4 years ago | (#31340812)

I disagree. Technically, doesn't that property belong to the citizens of San Fran?

What was he supposed to do - file a legal notice with area newspapers detailing the credentials of each device? Send out a mailer to all the registered voters?

Yes, it belongs to you ("you" meaning citizens living in San Francisco) but that doesn't mean you have the right to the passwords to those devices; it's not as though it's a public park or a library.

Re:Both sides behaved terribly (5, Interesting)

Anonymous Coward | more than 4 years ago | (#31340540)

His employer was the City, which, being a government, is not a private institution but a public service. In protecting the systems from incompetent individuals, Childs is fulfilling his duty to his fellow citizens.

Such a sense of Duty is rare these days.

Re:Both sides behaved terribly (2, Interesting)

tnk1 (899206) | more than 4 years ago | (#31341290)

If you applied the same reason to people cleaning up after poor police work, the word is vigilantism.

If you put the decisions about how things operate in the hands of government employees who become unaccountable to their bosses, ultimately that breaks the chain of responsibility back to the elected leaders. Mr. Childs may well have the best interests of the city in mind, but we've elected representatives to do that. If a legally constituted authority wants access to the city's servers, he should at the very least pretend to have forgotten them, as opposed to turning it into (almost literally) a federal case. If he wanted the mayor to know about the problems, for God's sake, write a damn letter.

He should *not* be in jail, but that is merely because he should have no responsibility after his employment ended. That doesn't make him some sort of hero for turning this into some sort of revolution against the city IT department. I can't think of how that would be worth jail time to anyone sane.

Re:Both sides behaved terribly (2, Informative)

Nikker (749551) | more than 4 years ago | (#31340682)

He would have been liable if he gave it to anyone else so in this world of lawsuits he said the right answer, no. He gave them to the mayor so why didn't the proper owners come by and pick them up? Was the mayor involved in a conspiracy of some kind? You have to realize there are many contracts and legalities involved with a job like this so if he couldn't find someone that could be liable as per his contract and the mayor couldn't find anyone then who is legally responsible for them? The mayor is saying since he doesn't know how to administer the system there was nothing he could do with the passwords. This happened on July 12/08 and the mayor was given the passwords a week later. If he did just give them out and some data loss occurred he would be held liable on a federal level. So what would you do in that situation?

Ask the lawyers (1)

Sycraft-fu (314770) | more than 4 years ago | (#31341350)

Seriously. Any large organization has lawyers, and a city government certainly does. So you have someone who is higher up than you on the chain saying "Give me these passwords or else." You don't know if they should be allowed to have them legally. Say "I can't give them to you until I've consulted with the lawyers." Ask them what to do, who can have access, etc. If you are real nervous, get it in writing. At that point, you are in the clear more or less. I mean I suppose they can fire you, you can basically be fired for anything, but legally you are fine. If the legal group said "This is what you can do," then you can do it. If they are wrong, that's their problem.

Had he said "I don't know that I can give you this, I need to talk to the lawyers first," I doubt there would have been a problem. What started the trouble was he basically just flat out said "No."

Re:Both sides behaved terribly (5, Informative)

sjames (1099) | more than 4 years ago | (#31340704)

He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.

If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.

Re:Both sides behaved terribly (1)

kimvette (919543) | more than 4 years ago | (#31340802)

I'm going to come at this from both angles since I don't know both sides and am reading up on it now. It seems that both sides are at fault here; I think they are FAR too hard on Childs (two years in prison? He didn't do anything to warrant that. Go arrest a child diddler instead and stop wasting tax money criminalizing this guy. It's obviously a civil matter). I think they should pursue it as a civil matter though, because of how he configured some items to be totally reliant on him (see below on flashing)

Firing

It's not his responsibility after being fired to guide city officials through administration of various components of the city infrastructure. His responsibility to them, aside from handing the password over to the respective individual (apparently the mayor in this case, but if that wasn't it, blame city council for not having a pecking order in place with a trustee assigned to this information) ended when he was fired. Why should he have to explain how to reconfigure routers, smart switches, servers, and the like, or how to enter passwords or to clear IP filter lists they tripped when they kept typing the passwords wrong (presumably with capslock on?). If they wanted all of that documented they should have paid him to document it (either as part of his job description or after the fact), or allowed him to hire enough assistants to document it all (which in turn can introduce security holes with more people than necessary knowing the passwords and the network architecture), or maybe they could have just visited www.google.com and done their own job.

Heck, if you read some of the older news on this, it appears Childs attempted to get policies in place for protecting and storing backups and credentials but city officials did not accept it (the "Not Invented Here" syndrome; if it's not done by overpaid hack officials, it's not good enough). From http://www.infoworld.com/d/adventures-in-it/why-san-franciscos-network-admin-went-rogue-286?page=0,3 [infoworld.com]

(When I asked Terry if we could get a copy of the City's network security policy some months ago, he told me, 'I've been trying to get them to approve one for years. I've written ones up and submitted them, but they don't want to do it, because they don't want to be held to it.')

Now granted, that is his word against theirs, but truly competent system administrators are often almost paranoid about whom they share passwords with, and are sticklers about following policy/procedure when it comes to handing over those credentials (and backups which may contain those credentials in easily retrievable format or otherwise provide an easy way to compromise a device).

Flashing

However, this should weigh against Childs in most people's minds, including the more technical (from http://www.infoworld.com/d/adventures-in-it/why-san-franciscos-network-admin-went-rogue-286?page=0,4 [infoworld.com] ):

“At one point he was concerned about the security of the FiberWAN routers in remote offices, so he had them set up without saving the config to flash. 'If they go down, I'll get alerted, and connect up to them and reload the config.' Great, except we have power outages all the time in this city, some of those devices aren't on UPSes, and what happens if you're on vacation? And what about the 15 to 60 minutes it might take you to connect up and reload? He eventually conceded and (ahem) decided that disabling password recovery was sufficient security.”

As you can see, Childs may have had the city's best interest at heart when it came to sharing the passwords and changing configurations on a moment's notice, but not writing the configurations to flash? How ridiculous is that? What would have happened if he became sick enough to not be able to work on call, had family issues to tend to, or whatever? Not having the configuration documented and not even writing them to flash would lead me to believe that he had them fully documented and backed up himself, maybe on his own PC or a PDA. There is no way he would re-write the config files from scratch every single time.

Now, they could have done (as he conceded) "no service password-recovery" to disable password recovery at the console port, but a seasoned CCNE or CCIE or even a CCNA who works with the routers regularly will likely have everything on hand to re-flash the router, and in either case it would require physical access. Once you have physical access to a device, it's game over (the key there is to place equipment in secured locations). So, I think he was (claiming to be) worrying about a non-issue there. So, not flashing everything to NVRAM is a problem. I could see the city pursuing him in a civil case to force him to spend the time to at minimum hand over his backups or log in to each router and write the configs to flash (under supervision of a court-appointed CCNE) or to cover the costs for another CCNE or CCIE to do the same.

As I said both sides are unreasonable, except Childs was not criminally unreasonable. I think though, that he is unreasonable enough that he may very well have made himself unemployable once all of this has played out. I can't figure out whether he did things the way he did (not writing configs to NVRAM) to either make himself indispensable (solely reliant upon him), as many government hacks do, or if he was truly that paranoid about security. Given that any admin knows that once anyone has physical access to a device all bets are off, I'm betting it's the former. Again, it's nothing that many other government employees don't do.

How can this be avoided in the future? Have a clear policy in place up front, or if dealing with new technology, make architecting the policy part of the job description of the individual in question (to be submitted to and approved by appointed officials). Obviously there needs to be a mechanism in place for storing passwords, backups, and the like, and as anyone in IT knows, complete documentation of any environment is a tremendously huge job, but on the other hand, it's not all that hard to document each device with the location, serial number, and a disc with a backup of the initial config on it. That info could easily be escrowed or kept in a safe deposit box, or worst case, a fireproof safe in the mayor's office.
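The two router settings discussed in the comment above (running configuration never written to flash, and `no service password-recovery`) can be checked from collected config text. The following is an added example, not code from the thread or from anyone involved in the case; the device names, addresses and config dumps are constructed, and the header lines it skips are assumed to be the usual IOS `show` output preamble.

```python
import difflib

# Preamble or volatile lines that differ between dumps without being a config change.
VOLATILE_PREFIXES = ("Building configuration", "Current configuration",
                     "Using ", "ntp clock-period")

def normalize(config_text):
    """Return meaningful config lines; indentation is kept because it marks sub-modes."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or comment/separator
        if line.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines

def audit_device(name, running_text, startup_text):
    """Compare the running config with the saved one and flag the risks from the thread."""
    running = normalize(running_text)
    startup = normalize(startup_text)
    unsaved, only_in_startup = [], []
    matcher = difflib.SequenceMatcher(a=startup, b=running, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            only_in_startup.extend(startup[i1:i2])
        if tag in ("replace", "insert"):
            unsaved.extend(running[j1:j2])
    recovery_disabled = any(l.strip() == "no service password-recovery" for l in running)
    findings = []
    if running and not startup:
        findings.append("no saved configuration: a power loss leaves the device unconfigured")
    elif unsaved or only_in_startup:
        findings.append(f"{len(unsaved)} running line(s) not saved, "
                        f"{len(only_in_startup)} saved line(s) no longer running")
    if recovery_disabled:
        findings.append("console password recovery is disabled: confirm the credentials are escrowed")
    return {"device": name, "startup_empty": not startup, "unsaved": unsaved,
            "only_in_startup": only_in_startup,
            "password_recovery_disabled": recovery_disabled, "findings": findings}

# Constructed sample dumps (documentation address ranges, invented hostnames).
EDGE1_RUNNING = """Building configuration...
Current configuration : 612 bytes
!
hostname edge1
no service password-recovery
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""
EDGE1_STARTUP = ""  # constructed: nothing was ever written to flash

EDGE2_STARTUP = """Using 598 out of 262136 bytes
!
hostname edge2
!
interface GigabitEthernet0/0
 ip address 192.0.2.129 255.255.255.128
!
end
"""
EDGE2_RUNNING = """Building configuration...
Current configuration : 640 bytes
!
hostname edge2
!
interface GigabitEthernet0/0
 ip address 192.0.2.129 255.255.255.128
!
access-list 10 permit 198.51.100.0 0.0.0.255
end
"""

if __name__ == "__main__":
    for dev, run, start in (("edge1", EDGE1_RUNNING, EDGE1_STARTUP),
                            ("edge2", EDGE2_RUNNING, EDGE2_STARTUP)):
        report = audit_device(dev, run, start)
        print(dev, report["findings"] or ["ok"])
```

Run against dumps pulled by whatever collection job already exists, this gives the "what happens if the one admin is unreachable" answer per device before an outage does.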

Re:Both sides behaved terribly (2, Insightful)

denobug (753200) | more than 4 years ago | (#31341160)

But Childs himself behaved terribly as well. None of those passwords were his. None of those systems were his. It doesn't matter if his employers were competent or not; he should have let them have access to their own property. If he thought they were going to ruin things, speak out.

I beg to disagree. As an engineer public safety is top of our concerns and it is part of the ethics I abide by every day. A safety concern overrides everything else, until the concerns have been addressed. I still remember I had a discussion with my boss; basically he went "I won't stop you from doing anything unless it is unsafe or you are about to make a major mistake", and my reply was simply "I won't follow your order if I know in full will that it will create an unsafe environment." He agreed with me that that is what I get paid to do, to do things right and make sure no one gets hurt.

I see Mr Childs did just that. Properly secure the network and only give the password to someone who can truly be trusted, when he knows in full will that his immediate supervisor and related management team have no clue and are unqualified to make technical decisions and are about to create a major security vulnerability over major accounting information that should have been kept under guard! In a sense he IS protecting public safety and therefore should not, and truly cannot, be tried for keeping the public safe and secure. Too bad that the jury probably won't truly understand it and Childs will most likely be sentenced for a very long time with the keys thrown into the Pacific Ocean.

How ironic that this happens in the most liberal city of the United States, the hometown of our Speaker of the House, Nancy Pelosi. I don't see her standing up to protect the weak who are truly in need in this incident.

$5 million bail (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31340500)

How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

Re:$5 million bail (5, Funny)

Anonymous Coward | more than 4 years ago | (#31340546)

How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

that would be about 2 illegal song uploads or 23 killings.

Re:$5 million bail (0)

Anonymous Coward | more than 4 years ago | (#31340622)

How many children would you have to rape to get bail set that high? How many people would you have to kill? How many computer offenses would you have to commit?

that would be about 2 illegal song uploads or 23 killings.

and 5000 rapes (including the judge)

If he is found not guilty is he still a city worker? (3, Interesting)

Joe The Dragon (967727) | more than 4 years ago | (#31340510)

If he is found not guilty is he still a city worker? As I think the union just doesn't let the city fire someone like that, and was he even fired?

Anyways he should get city paid health care (Full with no pre existing at the full cost that this) 2 years in jail = any pre existing that someone can think of.

His job back if he wants it or his full pay for 2 years in jail + 500K per year in jail.

Full unemployment if he can't get his job back.

Anyone planning to give him a job after this? (3, Insightful)

Joe The Dragon (967727) | more than 4 years ago | (#31340518)

As many HR people will not look past the 2 years in jail even if he is not guilty, and even then they may not want to pay the health care costs for someone like that.

Re:Anyone planning to give him a job after this? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31340572)

Nah, he's pretty much fucked. In an honest world he'd be rewarded for being such an upstanding citizen standing against corruption and incompetence.

In this world we've got whistleblower laws because nobody wants to hire an honest man.

Re:Anyone planning to give him a job after this? (4, Insightful)

dcollins (135727) | more than 4 years ago | (#31340748)

"As many HR people will not look past the 2 years in jail even if he is not guilty, and even then they may not want to pay the health care costs for someone like that."

PR like this puts him into a category beyond HR people. Speaking tours are one possibility. If he continues to work in IT, CEOs will be making cold calls to him personally.

Re:Anyone planning to give him a job after this? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31340762)

Of course, everyone wants to hire someone who treats the systems they work on like their own property. I don't see what lessons he would have to teach on speaking tours.

Re:Anyone planning to give him a job after this? (1)

brennz (715237) | more than 4 years ago | (#31341108)

I would hire him. He knows how to secure a network.

Infoworld's mobile site (1)

socsoc (1116769) | more than 4 years ago | (#31340530)

The auto browser detection and print destination URL aside... It's an absolute mess and was a chore even finding the correct story from a mobile browser. Have they ever used it? That's what I get for trying to RTFA.

Bitter End (3, Funny)

pgn674 (995941) | more than 4 years ago | (#31340562)

This for a man who 'ultimately protected the [City's] network until the bitter end.'

Obligatory: xkcd: Devotion to Duty [xkcd.com]

Root of the problem (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31340578)

The problem here is one of who has the authority to do what and what safeguards are in place. Having worked in several large companies, this would never have happened. The rule usually amounts to the "root level" passwords must be verified by two people then two sealed envelopes containing the passwords with the signature of the people that verified them were placed in a high security safe that was not controlled by IT but by legal. People had different levels of access and either had access to the system password if needed however most anything was done with "extended" privilege accounts issued to individual users. System level login was highly discouraged as it lacks most of the AAA of network security. This process was part of a number of policies from "the bus crash" to the data center has been leveled by a force of nature. Bottom line is that no one person should ever have operation critical data only in their head.

This guy gives network security and network operations a very very bad name. Granted the jail term is a little over the top but what this guy did is wrong on so many functional levels.
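A digital analogue of the two-person, sealed-envelope escrow described in the comment above, added here as an example and not any commenter's or the city's code. It goes one step further than the comment by splitting each password so that neither envelope is useful alone, and keeps the seal register outside IT; the device name, custodian names and password are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 64  # every share has this length, so an envelope does not leak password length

def split_password(password):
    """XOR-split a password into two shares; each share alone is uniformly random."""
    raw = password.encode("utf-8")
    if not 0 < len(raw) < BLOCK:
        raise ValueError("password must be 1..63 bytes")
    secret = bytes([len(raw)]) + raw + bytes(BLOCK - 1 - len(raw))
    pad = secrets.token_bytes(BLOCK)
    masked = bytes(s ^ p for s, p in zip(secret, pad))
    return pad, masked

def envelope_digest(envelope):
    """The 'seal': a digest over everything written in the envelope."""
    material = "\n".join([envelope["device"], envelope["custodian"], envelope["share"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def escrow(device, password, custodians):
    """Return (two envelopes, register). The register goes to the party that
    holds the safe (legal, in the comment above), not to IT."""
    if len(set(custodians)) != 2:
        raise ValueError("exactly two distinct custodians are required")
    envelopes = [{"device": device, "custodian": c, "share": s.hex()}
                 for c, s in zip(custodians, split_password(password))]
    register = {"device": device,
                "seals": {e["custodian"]: envelope_digest(e) for e in envelopes}}
    return envelopes, register

def recover(envelopes, register):
    """Rebuild the password; refuses unless both envelopes are present and intact."""
    if len(envelopes) != 2 or {e["custodian"] for e in envelopes} != set(register["seals"]):
        raise PermissionError("both custodians' envelopes are required")
    for e in envelopes:
        expected = register["seals"][e["custodian"]]
        if not hmac.compare_digest(envelope_digest(e), expected):
            raise ValueError(f"seal broken on envelope held by {e['custodian']}")
    a, b = (bytes.fromhex(e["share"]) for e in envelopes)
    secret = bytes(x ^ y for x, y in zip(a, b))
    return secret[1:1 + secret[0]].decode("utf-8")

if __name__ == "__main__":
    # Constructed values for demonstration only.
    envs, reg = escrow("core-rtr-1", "constructed-Enable-Pw-01",
                       ["it_manager", "legal_counsel"])
    print("recovered:", recover(envs, reg))
    try:
        recover(envs[:1], reg)
    except PermissionError as err:
        print("one envelope only:", err)
```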

Re:Root of the problem (1)

ffreeloader (1105115) | more than 4 years ago | (#31340658)

What Childs did as far as passwords, having two people know them, having them stored in some outside place, etc... can be right or wrong in his situation. We don't know what city policy was for that. He was most likely not the one who wrote any related policy either. It seems to me that if city policy was what you're saying it should be then this fact would have been trumpeted from the rooftops by those trying to make him look as bad as possible, and nothing of the sort has even been alleged by the powers that be in SF. Soooo, I think you're being unnecessarily harsh towards Childs, especially in the light of the incompetence shown by his supervisors in the resulting investigation.

Re:Root of the problem (0, Offtopic)

arose (644256) | more than 4 years ago | (#31341382)

The rule usually amounts to the "root level" passwords must be verified by two people then two sealed envelopes containing the passwords with the signature of the people that verified them were placed in a high security safe that was not controlled by IT but by legal.

Physical security is outside of the domain of both IT and legal, I don't see why you give this as a positive example.

Linktacular (4, Funny)

pipingguy (566974) | more than 4 years ago | (#31340610)

Summary needs more links that won't be read.

Re:Linktacular (1)

T Murphy (1054674) | more than 4 years ago | (#31340782)

This is the first I have heard of this case, so the extra links helped me cover more of the backstory. That said, I may be the only one who found them helpful.

This story reminds me of NBC's Dateline (1, Insightful)

ClosedSource (238333) | more than 4 years ago | (#31340614)

It's been 8 weeks since Terry Childs' trial has started. Tonight on Dateline we will talk extensively about the trial and everyone even remotely connected to it, but true to our format, at the end of the hour you won't know if he's innocent or guilty because the trial isn't over.

We will only learn the truth over the course of future Dateline episodes and when we are finally done with the story you'll still wonder if he's guilty or innocent.

reading through the comments (3, Insightful)

phantomfive (622387) | more than 4 years ago | (#31340660)

encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes.

Actually reading through the comments on the article, it seems most of the emotion is coming from people upset at the mayor Gavin Newsom, more than they are based in any actual sympathy towards the defendant. Like this example comment FTA,

The computer hacker would have been treated with more dignity and respect if he were an undocumented alien with a murder wrap on his head. Kamala Harris would have backed him up.

It is nominally suggesting that Childs was treated badly, but in reality the commenter is more upset with the mayor's immigration policies. The comments that look at Childs disfavorably also seem to be the ones that favor the mayor. In the court of public opinion, Newsom was on trial here, not Childs.

Re:reading through the comments (1)

l0ungeb0y (442022) | more than 4 years ago | (#31340876)

Very good assessment, as a resident of SF and frequenter of SFGate, I am well aware of Newsom's plummeting popularity.
And while I didn't read this particular article, anytime names such as Gavin Newsom, Chris Daly or Kamala Harris show up, it's a total bashfest.

System incapable of Justice. (5, Insightful)

Zaphod-AVA (471116) | more than 4 years ago | (#31340686)

"Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."

Sitting in jail waiting 2 years for a trial is not something that should happen in our country. The system is broken and needs to be fixed.

Re:System incapable of Justice. (1)

Low Ranked Craig (1327799) | more than 4 years ago | (#31340710)

Hopefully some hot shot lawyer will hit the city with a lawsuit.

Re:System incapable of Justice. (1)

l0ungeb0y (442022) | more than 4 years ago | (#31340904)

Ya, good luck with that. The sad fact is, even in cases where the government would seem to have harmed someone unduly, there is little if any recourse. Also, I believe Childs waived his right to a speedy trial, more than likely at the urging of his lawyer; such a move is not uncommon.

Re:System incapable of Justice. (0)

Anonymous Coward | more than 4 years ago | (#31340860)

I think that Kevin Mitnick proved that the 6th was no longer in effect.

Re:System incapable of Justice. (1)

Arguendo (931986) | more than 4 years ago | (#31341300)

In California, most defendants have a right to trial within 60 days. (Cal. Penal Code section 1382 [ca.gov] .) I'm not familiar with the details of this case, but he almost certainly waived his right to a speedy trial so that he could prepare. That's typical for defendants in high stakes cases, especially in highly technical cases or when you have an overworked public defender. You'd rather make sure you can get it right than push for trial and end up spending a lot longer behind bars.

His lawyer never pushed the issue (1)

Sycraft-fu (314770) | more than 4 years ago | (#31341308)

You have to exercise your right to speedy trial. More or less your lawyer files a speedy trial motion and that sets things in motion. What sort of time limits there are depends on the jurisdiction (notice the Constitution doesn't specify a specific time) different states have different laws, and the judge in the case.

Generally, this isn't done. The defense wants time to prepare for trial. They don't try and push the trial date. That seems to have been the case here.

The Constitution says you have a right to a speedy trial, it doesn't say you can be forced to have one. If neither side pushes the issue, it can drag on.

Overstepped bounds (0)

georgewilliamherbert (211790) | more than 4 years ago | (#31340728)

I can understand Childs' frustration with some managers - but IT folks don't set corporate or city policy. Sometimes we are asked to write a draft policy for security - or participate in organizational efforts to draft one - but we don't get to arbitrarily impose one.

In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.

They aren't your systems. The people who paid for them - the city, and its elected and hired management, the company, the shareholders of the company and their hired execs and management - they own the systems. When IT starts to assert ownership, it's wrong.

We need to assert responsibility - and that includes not giving out the passwords and access controls inappropriately. But appropriate sharing of that information is required. Any of us could have a heart attack or be hit by a bus tomorrow. If you haven't thought through the impact of the "Bus Test" on each of your coworkers, and yourself, then you're not doing your job. Your boss absolutely must be able to tell your emergency replacement how to do their job. If they can't do their job, or take an inordinate amount of time hacking in to everything to get access that you didn't share, you did your job wrong.

I don't think he should have been charged as he was. But he did wrong. He probably deserved to be suspended or fired for doing it as persistently as he did, even if his bosses were bozos (and I have no personal knowledge or opinion on that point). If he thought his bosses were doing wrong, he should have escalated within his management chain, ultimately to the mayor. But just saying no, until arrested, isn't responsible or reasonable.

Unless security policy already says "don't tell managers this" and management has already signed off on that - and there's another techie, or an envelope in the safe with the info, in case of Bus - when managers in the management chain insist on it, you give it up, or immediately escalate to more senior management. Period. Even if you think it's going to be a disaster. You are not the last and final judge of who gets it and who doesn't, and if you think you are, your career is likely not going to last that long.

Re:Overstepped bounds (4, Informative)

Moryath (553296) | more than 4 years ago | (#31340830)

In particular, sitting on all access and passwords and refusing to share or divulge them is effectively the last refuge of someone who's on a power trip, or about to get let go and is trying to delay that.

Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

Re:Overstepped bounds (5, Informative)

georgewilliamherbert (211790) | more than 4 years ago | (#31341116)

Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

This is rapidly becoming myth rather than fact-based.

The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853 [sfgov.org]

The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251 [sfgov.org]

Which, basically, says "follow this inter-county planning document":
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf [sfgov.org]

The password policy in CCISDA states:

(pp 32 of the document)

4. Policy
4.1. General
  All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis.
  All production system-level passwords must be part of the security administered global password management database.

(removed)

B. Password Protection Standards
Do not use the same password for County accounts as for other non-County access (e.g., personal Internet Service Provider (ISP) account, option trading, benefits, etc.). Where possible, don’t use the same password for various County access needs. For example, select one password for the network systems and a separate password for application systems. Also, select a separate password to be used for a NT account and an AS400 or UNIX account.
Do not share County passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid:
  Giving your password over the phone to ANYONE.
  Sending a password in an e-mail message.
  Telling your boss your password.
  Talking about a password in front of others.
  Hinting at the format of a password (e.g., “my family name”).
  Writing in your password on questionnaires or security forms.
  Sharing your password with family members.
  Telling your co-workers your password while on vacation.
If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.
Never use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
If you must write your passwords down, store them in a secure place and never anywhere in your office.
Passwords stored in a file on ANY computer system (including Palm Pilots or similar devices) can be compromised if encryption isn’t used to secure them.
Change passwords at least once every three months (except system-level passwords, which must be changed monthly). Changing them more often is better.
If you suspect that your account or password is compromised, report the incident per the Incident Response Policy and change all passwords.
Password strength checking may be performed on a periodic or random basis by departmental or county IT or its delegates. Any passwords found out during one of these scans will require the user to change it.

Though the "Do not tell anyone your password" section exists, the entry in section 4.1 also exists, specifically instructing:

All production system-level passwords must be part of the security administered global password management database.

I.e., all system-level passwords are not to be kept only by an individual and not kept individual and secret - they have to be in the central password management database administered by the Security department. To prevent, exactly and precisely, what Childs did.

The requirement to not share YOUR password - including with your boss, or secretary, does not apply to root / enable passwords, which must be centrally available to other admins under the usual security management policies everyone expects to see (i.e., in case you're hit by a bus, at least it's in a safe or encrypted in a DB which security can pull out if need be).

Not sharing your router passwords with the central security password DB administrator violates 4.1.

Nowhere in the documents does it say, as far as I can tell, that the Mayor has explicit final authority over being given passwords. I believe Childs made that up. It's reasonable in one sense - if nothing else, the minimum person one would have to share it with as the elected Mayor - but ignores other policy specifically requiring other sharing at lower levels.

Childs not mentioning it in a meeting or conference call, where it might be overheard, is appropriate under the latter policy, but inappropriate given a failure to have initially shared it with the designated central security authority.

No, he just followed the contract (0)

Anonymous Coward | more than 4 years ago | (#31340884)

It was in his contract that only the mayor was authorized root access to everything. He repeatedly asked for the mayor to come, and he would share the information.

It is not his job to do his boss' job. If he gets hit by a bus, you can't sue a dead body for missing passwords.
His boss didn't do his job according to the contract (secure access controls and mitigation plans), but that is hardly this IT guy's fault.

He got fired. Then the unauthorized people start asking him for passwords in the POLICE STATION.
When the mayor showed up on his request, he shared all the required passwords, even after having been fired (pure luxury on the city's behalf as he is free of any obligations at that point).

Of course if they were competent, the city would have made sure they got the access and authorizations BEFORE they fired him.
Heck, they would KEEP him instead, and not try to fire him illegally in the first place.

This mayor is criminal, and the city should be charged with false criminal complaint, and injustice of having imprisoned an innocent man for 2 years.

Re:Overstepped bounds (0, Redundant)

ixidor (996844) | more than 4 years ago | (#31340914)

yeah except the part lots of other people here have mentioned, where the contract specifically said to the mayor only. so he did exactly what he should have.

Re:Overstepped bounds (2, Interesting)

georgewilliamherbert (211790) | more than 4 years ago | (#31341176)

I've never found any press source with a contract quote that said that, or any filing in court.

If you have the source, post a reference, or at least the text of the contract.

As I said above - coverage of this case is largely myth-based. Bring actual facts - they work better.

SanFran is in deeper than they care to be (1)

rahvin112 (446269) | more than 4 years ago | (#31340764)

Childs isn't going to be convicted. Not only that but the personal injury lawyers in California are going to be falling over themselves to represent him in a civil suit against the city, manager that caused all this and the DA that went along with it. He's worth several million dollars for what they did to him. His job specifically required that he not disclose his password to anyone other than city management. He was confronted with a situation he handled badly with a room full of people demanding the passwords to the WAN. His response should have been that he couldn't legally provide them to the people in the meeting or that he needed an attorney present before answering any questions.

  But the past is the past, once the city went to the stage of prosecuting him and publicly demonizing him they had to go full court and try to convict him because they just opened themselves up to civil damages. Now two years later I'm willing to bet they have made at least one offer for a minor conviction to end it all simply so he can't sue them. He didn't fall for the trick and once this is over he's going to be paid a tidy sum, likely with an NDA so the political people involved don't get burned for what they did. Personally I hope he demands they fire the bitch that caused all this as part of the settlement with the city. I know I would.

Disagreeing with the majority here... (2, Interesting)

Kozar_The_Malignant (738483) | more than 4 years ago | (#31340770)

I have said this before here, and will say it again now. I believe Childs is in the wrong and has behaved badly. He seems to have a martyr complex and doesn't seem to remember who actually owns the network. I would never hire this guy to manage my network; and yes, I do have a network I hire people to manage. His actions show me he cannot be trusted. He is not Horatio at the Bridge; he is a complete asshat. For the record, I do live and work in the Bay Area, and I also believe Gavin Newsom is a complete asshat.

Re:Disagreeing with the majority here... (1)

grasshoppa (657393) | more than 4 years ago | (#31340918)

While I agree about Childs's behavior, the specifics of the case are interesting. If he was fired and THEN asked for the passwords, there were fuck ups all up and down the chain of command.

Look at it this way; it's obvious that he couldn't be trusted. I'm going to go ahead and guess that much was obvious to anyone working with him. Therefore, it was "management's" responsibility to check up on him and not leave him unsupervised (or better; not put him in the position of power he was put in). Properly supervised, he never would have been able to cause as much damage as he did.

It's hard to blame the peon here; yes he was an asshat, but the City failed to protect itself from the damage one peon could do. And ultimately, that's their responsibility.

Re:Disagreeing with the majority here... (0)

Anonymous Coward | more than 4 years ago | (#31340968)

this has nothing to do with whether or not he was 'in the wrong'. The trial is all about whether or not he broke the law. Two entirely different things.

he may well be an 'asshat', and he may have behaved badly, and he may also be incompetent, or even crazy - but none of these things warrants any time at all in jail unless he also broke the law

Re:Disagreeing with the majority here... (4, Informative)

eosp (885380) | more than 4 years ago | (#31341072)

  • He gave the password to the only person allowed by his contract, the mayor.
  • He did not give the password over the speakerphone to a room full of other people, including quite possibly some people to whom he was not allowed to give the password. This was the incident that got him arrested.
  • A supervisor should have had the password all along. If he was innocently hit by a bus, then the city's network would really be hurting. IT people need to learn that refusal to document does not make job security.
  • All people involved are asshats.

Competence (3, Insightful)

not_hylas( ) (703994) | more than 4 years ago | (#31340846)

Criminalization of competence. non story.
But seriously, see how things are taking shape?
I don't get it - with a bullet. This guy behaves appropriately and ends up in jail?

At some point you realize that it isn't incompetence. It's their goal.

Communication is only possible between equals.

You can't herd Cats ... but you can move their food.
