Rough Justice For Terry Childs

timothy posted more than 3 years ago | from the might-not-like-the-aftershocks dept.

The Courts 418

snydeq writes "Deep End's Paul Venezia sees significant negative ramifications for IT admins in the wake of yesterday's guilty verdict for Terry Childs on a count of 'denial of service.' Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, to the person or persons who released hundreds of passwords in public court filings in 2008 for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.' Worse, if upheld on appeal, the verdict puts a vast number of IT admins at risk. 'There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.'"

418 comments

In the (-1, Offtopic)

haderytn (1232484) | more than 3 years ago | (#32022720)

butt

Before everybody gets their shorts all twisted . . (3, Insightful)

pushf popf (741049) | more than 3 years ago | (#32023792)

The three cardinal rules of IT would have protected him:
  1. Remember: It's not your hardware, network or data. You just work there.
  2. When your boss asks you for the password, give it to him.
  3. Don't be a dick.

IMO, he got what he deserved, and nobody else has anything to worry about unless they plan on breaking the above rules. (Especially #3)

Re:Before everybody gets their shorts all twisted (5, Insightful)

Anonymous Coward | more than 3 years ago | (#32023950)

You're breaking rule #3.

If I were taking an IT Admin position... (5, Insightful)

Phrogman (80473) | more than 3 years ago | (#32022744)

I think I would want to draft up a very clear - and legally binding - agreement that I would want my superiors in management to sign on behalf of the company. It would spell out in specific details, the security policies, security review process, enforcement etc. It would absolve me from prosecution unless I violated any of the very specific rules that were listed. If my superior changed, they would have to sign the document when they took up their position etc.

I wouldn't likely get the job, they'd hire someone who wasn't so paranoid, but I don't think I would want to take a job where if someone in management decided to break the rules, and I tried to apply those rules for the sake of ensuring I didn't violate the trust that had been placed in me, then I wasn't liable for prosecution either way, like Childs was.

Now, he could have handled things differently I am sure, but he might have been prosecuted either way from what I have read so far. I would like more details in an objective report on the situation.

Re:If I were taking an IT Admin position... (2, Interesting)

Anonymous Coward | more than 3 years ago | (#32023018)

It's really not that complicated... You have a boss who makes the rules, if your boss later tells you to break the rules then you do it. If someone higher up on the chain of command than your boss asks you to break a rule you might ask them to ask you formally (via your boss) but then you still do it. If your boss tells you to break a rule that he set, and security is compromised, you wouldn't be liable (as long as you have the request documented).

Re:If I were taking an IT Admin position... (4, Insightful)

SanityInAnarchy (655584) | more than 3 years ago | (#32023326)

You have a boss who makes the rules, if your boss later tells you to break the rules then you do it.

Just like Enron's accountants?

Sorry, no. If your boss later wants to change the rules, there's likely a procedure in place to do so, but they can't simply do that by fiat. That's the whole point of having a policy in the first place.

Re:If I were taking an IT Admin position... (5, Insightful)

SteveFoerster (136027) | more than 3 years ago | (#32023192)

I wouldn't likely get the job, they'd hire someone who wasn't so paranoid

That's crazy -- who wants a system administrator who isn't paranoid?

Re:If I were taking an IT Admin position... (3, Informative)

RichardJenkins (1362463) | more than 3 years ago | (#32023538)

I understood that they had a set of policies for 'user-level' passwords (which this was not classed as) saying things like 'never disclose your password, even to your boss' and another set of policies for 'system-level' passwords, which these passwords were classed as. The policies for 'system-level' passwords say they must be stored in a centrally managed database: a policy that Childs violated by keeping them in a way only accessible to him. Under your model (assuming the above is correct) you wouldn't be absolved from prosecution in this case, because Childs hadn't followed procedures related to 'system-level' passwords.

It's all rather moot though, there is a systemic problem in any organisation which lets its IT be run in a way where someone can hold it hostage like this. The real lesson here is that institutional incompetence can lead to individual criminal liability.

If you're an IT admin working in the States then it's your geographic (not professional) situation that's putting you at risk of going to jail for something stupid like this.

Not trying to be a troll here, but... (4, Insightful)

andrewme (1562981) | more than 3 years ago | (#32022754)

Not trying to be a troll here, but... and maybe I'm not understanding the whole case correctly. I've followed the articles on Slashdot for a while. In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever. You do, however, give passwords to your superiors when asked. Always. They hired you, after all. They are your bosses. If I hire a security guard for my building, he'd damn well better give me the key if I decide to fire him, or if I get locked out, or both. You don't hide data from your superiors, plain and simple, however *technologically* less advanced they might be. Maybe the city is making a mountain out of a molehill; I'm really not qualified to comment on that, since I don't know as much about the case as some of the people on here will. Honestly, though, my original point: you get hired by someone, you do what they want to do, provided it isn't illegal. I highly doubt that giving someone the password or passwords to their own systems would have been the wrong thing to do.

Re:Not trying to be a troll here, but... (3, Informative)

Monkeedude1212 (1560403) | more than 3 years ago | (#32022826)

The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password. He complied with that. He is basically being sued into oblivion because he didn't want the secretary, the press, and/or anyone else getting a hold of the password.

Re:Not trying to be a troll here, but... (4, Insightful)

George Beech (870844) | more than 3 years ago | (#32022870)

No that's a twist on what happened to suit the ideas of slashdot. What happened was he was locked up and said "I'll only give these passwords to the Mayor" Now what he was required to do by the state policy was provide the passwords to Information Security for inclusion in the central password management database due to them being production passwords. He obviously did not do this as none of this would have happened if he did.

Re:Not trying to be a troll here, but... (1, Troll)

Wyatt Earp (1029) | more than 3 years ago | (#32023470)

I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.

If the superintendent of a school district says - "What's the password for root on the server?" You tell them.

I have zero sympathy for Childs, he took ownership of something that didn't belong to him, sure he designed it, but it was bought and paid for by the City of San Francisco, and he turned into a control freak. When someone higher up the food chain started poking around "his" stuff he got whacky and tried to stand up to one of the biggest cities in the US. Well guess what, you will lose that fight.

Re:Not trying to be a troll here, but... (3, Informative)

parcel (145162) | more than 3 years ago | (#32023762)

I've worked in the public sector a while and what I learned is - if the agency head(s) ask you to do something job related, even if it's against the policy that's printed out, you do it.

In my experience (private sector, financial industry) that results in immediate termination of your employment. And that isn't theoretical, I'm aware of two instances at my current company. In both cases they had security guards escort them off the premises.

Re:Not trying to be a troll here, but... (4, Informative)

TENTH SHOW JAM (599239) | more than 3 years ago | (#32023820)

If the superintendent of a school district says - "What's the password for root on the server?" You tell them.

No you don't. Ever. You say "Go to the safe and get them yourself. Don't forget to sign the register." When Superintendent bleats that it is needed NOW! your answer is to point them to the safe. Terry Childs did not put the passwords in the safe and deserves to go down for that.

Re:Not trying to be a troll here, but... (2, Insightful)

Khyber (864651) | more than 3 years ago | (#32023858)

"but it was bought and paid for by the City of San Francisco"

Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.

Paid through our tax money, which also means it was paid for through *HIS* tax money.

The "taxpayers' money"... isn't. (5, Insightful)

Tetsujin (103070) | more than 3 years ago | (#32024082)

"but it was bought and paid for by the City of San Francisco"

Excuse me, it was bought and paid for by THE PEOPLE OF SAN FRANCISCO.

Paid through our tax money, which also means it was paid for through *HIS* tax money.

The government is supposed to serve the public trust and taxes are their main source of revenue - but I take exception to this attitude that, because someone pays taxes, government funds are somehow their money. It's not your money anymore, you gave it to the government. The fact that some of it once belonged to you (even if only on paper) does not entitle you to a stake in deciding how it is used.

So, for instance: yes, your taxes pay the wages of the police. This doesn't mean you get to boss them around.
Your taxes pay for the schools, but that doesn't entitle you to decide the curriculum.
Your taxes pay for government infrastructure, but that doesn't mean you can micro-manage the government.

That's not to say citizens in the US (or anywhere else, for that matter) have no stake in the government or its affairs - but the money paid in taxes has nothing to do with that. We have a stake in our government because the operation of the government affects our lives, in the short term and the long term. Would this stake not still exist even if the government could somehow operate without taxing its citizens? IMO bitching about "the taxpayers' money" is just a cheap way to get the attention of people who would otherwise not care.

Re:Not trying to be a troll here, but... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32023472)

Whaa whaa whaa. He was an employee, he was a huge liability to his employers by his own poor security protocol. Had the dweeb been killed, run away, whatever, no one would have had access to his employer's equipment without huge expense, down time etc. If he was that bothered by it, he should have quit there and then. But like most jumped-upped pathetic "admins", he believed he was uber-lord of the universe, all because he knew some passwords, changed paper printer, and performed other menial duties.

Stop defending this criminal, just because he configured some routers. HE DIDN'T FSCKING OWN ANY OF IT, DUH!

Re:Not trying to be a troll here, but... (4, Insightful)

beakerMeep (716990) | more than 3 years ago | (#32023140)

People keep saying this but where's the proof? I haven't seen any evidence of such a policy. But I admittedly have only been partially following the case.

From: http://www.ktvu.com/news/23283217/detail.html [ktvu.com] (emphasis mine).

Childs reportedly had a fractious relationship with some of his coworkers, attorneys on both sides said. He testified at trial that he never intended to harm the network but said that other employees, including his supervisors, were not qualified to have the passwords. Childs claimed he was merely following established industry guidelines for password protection. "You do not ever give up your username and password," Childs said.

That doesn't sound like you make it sound. Industry guidelines are not the same as company/government policy.

To be honest I think the Slashdot community is wrong to defend this guy. He sounds like an ego-maniac driven not by security, but by the sys-admin God complex. However, that's just what I think, and I could be wrong. Sans the full transcript of the trial it's really hard to say what happened. I'd love for groklaw to take a look at it too. They probably need a break from SCO shenanigans. :)

Re:Not trying to be a troll here, but... (0)

Anonymous Coward | more than 3 years ago | (#32023672)

And not following industry guidelines still leaves you open to charges of negligence or even assisting an attack.

Re:Not trying to be a troll here, but... (4, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#32023692)

Also they weren't asking for HIS username and password, they were asking for THE username and password. There is a difference as any competent sysadmin should know. I won't give up my password to any systems here at work. Policy requires that I do not. However my password is only for my accounts. There are other accounts I have the password for, that are not mine, share accounts. There would be root on the UNIX systems, the local administrator account on the Windows systems, the enable password on the switches, the SA password on the DB server, and so on. There is only one of those accounts (and in the case of things like root, can only be one). It isn't my password on them, it is a password all the IT staff share. That password isn't something I can change to one only I know and refuse to give out, I'd get in trouble for that.

Big, big difference. Had the city said "We want your password to log in to your personal e-mail account and bank account," well ya, I'd be supporting him for saying no. However they wanted the system passwords for various devices and services that have but one master password. If those passwords were the same as his personal password that is bad security practice on his part, however there is still a solution: Change the passwords and give them the new ones (or change the password on your account).

Re:Not trying to be a troll here, but... (3, Informative)

biryokumaru (822262) | more than 3 years ago | (#32023834)

Here [google.com] is the policy. I believe the relevant section (page 32) only really applies to user passwords, not system-level stuff.

Re:Not trying to be a troll here, but... (1)

nomadic (141991) | more than 3 years ago | (#32023856)

The only Superior he was supposed to give the password to is the Mayor. He was only supposed to do that in an environment deemed secure enough for no one else to get the password

Can you provide a cite to this rule?

Re:Not trying to be a troll here, but... (5, Informative)

MushMouth (5650) | more than 3 years ago | (#32023884)

According to the network engineer who was a juror on the case (so I am guessing that he knows far more details about it than you or I)....
He didn't refuse to just give his "password" but to give any access at all to the core routers, removed any way of password retrieval without doing a full system reset, and would not provide the configurations to these routers.

On top of that, there were emails and witnesses that made it appear that Childs was doing this all to make it such that only HE had access.

Re:Not trying to be a troll here, but... (3, Insightful)

blair1q (305137) | more than 3 years ago | (#32022892)

Well, no.

The rules made it so he could insist on giving the passwords only to the Mayor and only in a secure situation.

He used that as an excuse.

It's pretty clear from all I've read that he really was holding the city hostage because he was disgruntled at the changing employment situation, and in the process he prevented city personnel from accessing data they needed to do their jobs.

The Jury was sympathetic that the city acted like idiots once it all started, but they were also cognizant that he wasn't completely blameless in what followed.

So, in reality, when the rules say not to give the password to your boss, you don't. And when they say not to give the password out over unsecure communications, you don't. But you also don't make a pest of yourself; you take the initiative to find a way to get the password to the right person in a secure manner.

Re: Initiative (2, Interesting)

Phrogman (80473) | more than 3 years ago | (#32022980)

I think they took away the "initiative to find a way to get the password to the right person in a secure manner" when they locked him up in jail and left him there. He evidently requested to see the mayor, and when the mayor arrived, gave him the password. Unless that isn't the way it went, I don't really see what else he could have done.

Again though, I haven't read a good article that had significant details in it, just crappy links from /. and short articles that had few details. I want a time line, a copy of the relevant rules, links to a transcript of the court sessions etc :P

Re:Not trying to be a troll here, but... (1)

FooAtWFU (699187) | more than 3 years ago | (#32023116)

I appreciate this as the first well-reasoned, moderate opinion on the situation I've read that's not supporting Childs. If I had mod points I'd use them.

At the same time, we should all appreciate that unless we've gone to great lengths to become informed on the matter, our "everything you've read" (particularly in the newspapers) could easily have been the machinations of an administration which, as you put it, "acted like idiots once it all started" and were more interested in petty office-politics than anything else. (After all, they're the ones with the best access to the press).

Re:Not trying to be a troll here, but... (1)

sribe (304414) | more than 3 years ago | (#32023174)

Well, in my case, everything I've read has been on /. so I've got the opposite problem, I know that my information about the case is probably (wildly) biased in favor of Childs. On the one hand, I really cannot see what crime he was guilty of. On the other hand, prosecutors are not generally as vindictive, and juries not as stupid, as people here like to believe.

Re:Not trying to be a troll here, but... (1)

plover (150551) | more than 3 years ago | (#32023514)

It's easier to have a fair trial when it's not as public as this. Juries and prosecutors have less reason to be biased.

Re:Not trying to be a troll here, but... (1)

greenbird (859670) | more than 3 years ago | (#32023202)

in the process he prevented city personnel from accessing data they needed to do their jobs.

From everything I've read about the case this simply isn't true. From what I've read at no time were any network services disrupted. It was just that no one could access the equipment to make changes.

Re:Not trying to be a troll here, but... (1)

nomadic (141991) | more than 3 years ago | (#32023648)

So, in reality, when the rules say not to give the password to your boss, you don't. And when they say not to give the password out over unsecure communications, you don't. But you also don't make a pest of yourself; you take the initiative to find a way to get the password to the right person in a secure manner.

The copy of the rules I've seen was aimed at the average, everyday users, not IT staff, and simply meant that if you're in, say, accounting, you don't give your personal password to your boss. The IT department is different, and Childs wasn't withholding his personal password, but rather passwords to city systems.

Re:Not trying to be a troll here, but... (1, Informative)

Attila Dimedici (1036002) | more than 3 years ago | (#32022944)

So, you get hired by Joe Schmoe. He gets fired. John (the guy in the next cubicle) comes in and tells you that he has been given Joe's job, you're fired, and he wants you to give him all the company passwords that you have. What do you do? Oh yeah, when John did this, he came into your office with three people you have never met.
That is what happened to Terry Childs.

Re:Not trying to be a troll here, but... (2, Interesting)

Skarecrow77 (1714214) | more than 3 years ago | (#32023458)

"I'm sorry John, you know I can't give that out without confirmation. Did Bob (Joe Schmoe's boss) authorize this? By the way, why am I being fired, and who are these people?"

Doesn't that work?

Re:Not trying to be a troll here, but... (1)

Attila Dimedici (1036002) | more than 3 years ago | (#32023562)

See, you refused to give him the password, you are now a criminal.

Re:Not trying to be a troll here, but... (2, Insightful)

Skarecrow77 (1714214) | more than 3 years ago | (#32023746)

Nope, you never refused a thing. You reiterated what he already knew, or should know.

You don't say "No I will not do that". You say "I will do that as soon as I can confirm that I am allowed to."

Semantic difference, for sure, but the law is all about semantics and how things are worded/phrased. If it wasn't, we wouldn't need lawyers.

Re:Not trying to be a troll here, but... (1)

Wyatt Earp (1029) | more than 3 years ago | (#32023494)

You skipped the part where you chase Jill Schmoe into her office and threaten her.

Re:Not trying to be a troll here, but... (0)

Anonymous Coward | more than 3 years ago | (#32023668)

More like:

You get hired by Joe Schmoe. He gives you the company policy on passwords. The policy includes not revealing them to anyone except the CEO.
Later, Joe (or his replacement) comes to you and demands the passwords. You refuse, as policy says you can only hand them to the CEO.

Re:Not trying to be a troll here, but... (2, Informative)

TENTH SHOW JAM (599239) | more than 3 years ago | (#32023922)

What Tony should have said is "The passwords are in the secure password repository. Look it up yourself." The problem is that he couldn't say that because it was a lie to. He dug his own hole.

Re:Not trying to be a troll here, but... (0)

Anonymous Coward | more than 3 years ago | (#32022950)

Your point is pretty valid, However, it speaks volumes to the fact that you must have never worked in public service.

When a person gets a job with a public body, and is promoted up in charge of a project, it's often interesting to see how people deal with the trust others place in them.

In this case, Terry personally felt that the people that had hired him to do this job were not qualified to have the information that they already had access to. Whether it be because he had observed them doing things he felt were underhanded or just decided that he felt superior to them, is what was up for debate.

He may have handled the situation incorrectly, but he likely had a very valid reason for doing what he did.

Most of us in IT always know there's always the next project. Sometimes we mess up though!

The case is very simple (4, Insightful)

SmallFurryCreature (593017) | more than 3 years ago | (#32023088)

You got an upstart sysadmin who went on a powertrip and thought he was smarter than anyone else and therefore above any laws that only apply to lesser people.

This is not uncommon with people who are highly intelligent but not too well versed in social skills. Not so much nerds but Mensa people. Like that reiserfs guy, thought he could get away with murder because he was smart and the police is dumb, they must be because they ain't him.

Your assessment is 100% right and he had no call to judge the people asking for access to be unsuitable. His opinion simply did not matter at that time. It is like when a cop with a dog tells you to get down on the floor. That is not the time to start an argument. That is the time to get down on the floor and become part of how the justice system works, injustices included and part of the system, sucks to have it happen to you.

If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal, and then do as you are told and get the fuck out of there.

Do not argue with the system, you are not smarter. Do you know how you are not smarter than the system? If you think arguing with the system is a good idea.

Childs is an idiot and yes, idiots go to jail. Let's see him argue with Bubba about access to his ass.

Re:The case is very simple (1)

SanityInAnarchy (655584) | more than 3 years ago | (#32023438)

thought he was smarter than anyone else and therefore above any laws that only apply to lesser people.

The way I read it, he was following the policy (law) to the letter. Seems like management were the ones who thought they were above any laws.

Like that reiserfs guy, thought he could get away with murder

Because not giving passwords over is exactly like murder.

It is like when a cop with a dog tells you to get down on the floor.

No, a cop with a dog is like a cop with a dog.

If you ever find yourself in the same position as Childs, document EVERYTHING, in paper, print all emails and insist on written instructions, never verbal,

Agreed.

and then do as you are told

I'd be less inclined to do as I'm told if I had everything documented that way.

and get the fuck out of there.

Oh, definitely -- though jail does make that harder.

Also, you haven't presented any evidence that he wasn't, in fact, smarter than the system. The fact that he fought the system and lost doesn't make the system right, and it certainly doesn't make him an idiot, it just makes him a loser, in the most literal sense of the word -- "someone who lost."

Re:Not trying to be a troll here, but... (0)

Anonymous Coward | more than 3 years ago | (#32023418)

Rules for sharing passwords:
1) Never share passwords.
2) (Experts only) Never share passwords.

Re:Not trying to be a troll here, but... (0)

Anonymous Coward | more than 3 years ago | (#32023508)

In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever.

Really? So, how does a lowly user get a password to log in? Think a little bit before making blanket statements.

Further, sometimes you DELEGATE IT admin tasks to other employees, even if they report to you. And sometimes, they need admin passwords to do the work you assign to them.

You do, however, give passwords to your superiors when asked. Always.

Really? SF had a written policy on passwords. The written policy was NOT to give passwords to ANYONE, even if they are your superior, unless they are specifically authorized to have those passwords.

And no, under the policy your superior does not automatically have the authority to authorize themselves to have those passwords.

you get hired by someone, you do what they want to do, provided it isn't illegal. I highly doubt that giving someone the password or passwords to their own systems would have been the wrong thing to do.

Correct. But who is the "SOMEONE"? The employer is the city of San Francisco, which has a large number of employees, with many different levels of access, trust, and responsibility. As part of that, there is a password policy which lays out which of the city employees should have IT passwords, and under what circumstances they can be disclosed and to who they can be disclosed.

Re:Not trying to be a troll here, but... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32023676)

It's one thing to not give anyone your password. It's another to refuse to create new accounts for people who are clearly authorized to request just that, which is what he did. He didn't just refuse to provide his password, he refused to provide access.

Re:Not trying to be a troll here, but... (1)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#32023890)

In my opinion: if the city hires you, you are subservient to the city. You do not give passwords to your inferiors. Ever. You do, however, give passwords to your superiors when asked. Always.

Gainful Employment does not mean you have joined some kind of army, even if your employer is the Government. Though I understand a lot of American managers are actually ex-army, so perhaps the US view of management is coloured by this somewhat.

Actually (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#32022756)

They just made our jobs easier.

Hey, you want the password? Yeah, it's p@ssw0rd. Tell your friends!

Before you know it, it'll be written into the next Windows shell and you won't even have to enter it anymore. No more managing passwords and user accounts and all the stuff that makes IT frustrating.

[/sarcasm ]

Re:Actually (1)

John Hasler (414242) | more than 3 years ago | (#32023918)

> Hey, you want the password? Yeah, it's p@ssw0rd. Tell your friends!

Violating policy by giving passwords to people who are not authorized to have them? Obviously computer fraud and abuse. Off to prison you go.

FIRST (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32022802)

FIRST!!!!!

The World's Largest DDOS (0, Informative)

Anonymous Coward | more than 3 years ago | (#32022812)

originates from here [microsoft.com].

I hope this helps your lawsuits from DDOS.

Yours In St. Petersburg,
Kilgore Trout

Sorry, but this dude had it coming. (2, Interesting)

Zexarious (691024) | more than 3 years ago | (#32022836)

He broke the law and he's going to do a few years in prison for it. I don't understand what the big deal is? Should I have sympathy for him because he is a sysadmin?

Justice system did exactly what it was designed to do, rehabilitate criminals and deter others from doing crimes.

Next time, is he going to deny people access who deserve that access because of some ideological nonsense? Doubt it.

Though he probably will never get hired in IT again, not just because he is a felon, but because you google his name and there it is, him keeping passwords away from his ex-employer.

He did 2 just waiting for court let him out now an (2, Interesting)

Joe The Dragon (967727) | more than 3 years ago | (#32022994)

He did 2 just waiting for court let him out now and give him the time that he did.

Re:Sorry, but this dude had it coming. (0)

Anonymous Coward | more than 3 years ago | (#32023170)

He broke the law and he's going to do a few years in prison for it. I don't understand what the big deal is?

The gist is:
He was given certain rules to follow as part of his job. One of those rules said he was not to divulge the passwords except in certain circumstances to certain people. His supervisor (who was not one of those people) ordered him to turn over the passwords. He refused.
(If I am wrong in my summary, please correct me.)

If the above is correct, he did nothing wrong.

Re:Sorry, but this dude had it coming. (0)

Anonymous Coward | more than 3 years ago | (#32023784)

Yes. Every situation regarding IT policy and network security operates as cold and inhuman as the law states. No one ever puts emotion or sacrifice into what they are doing in IT and to do so would be prohibited. Right?

The law often attempts to account for the human elements of emotion and self-preservation, but almost always fails.

The fact that powers that be let Childs build a network that became "his baby" shouts that they deserve this blame just as much as him. And upon viewing the political and asinine behavior of those above him, he did everything in his power to keep that system up and running. Which, from his point of view, would probably break if he divulged that information.

Did Childs go about it wrong? Obviously. He should have got legal involved and immunity the moment he gives those passwords to anyone else, since he created that network. To claim that 2-5 years in prison is valid for this situation is absurd. Probation, yes. Actual prison, and loss of freedom for what amounts to an internal political fuckup and power plays? Utter BULLSHIT!

If you think this situation deserves his loss of freedom, I hate to think what actual crimes and punishment standards you have.

Heading this off--see link to juror (5, Interesting)

Anonymous Coward | more than 3 years ago | (#32022846)

The juror has been interviewed some already, and is even on /.

I had many bad assumptions myself. But if the juror is being at all truthful...this guy did some bad things.

@see http://yro.slashdot.org/comments.pl?sid=1633482&cid=32010078

Re:Heading this off--see link to juror (4, Insightful)

bartle (447377) | more than 3 years ago | (#32023630)

Exactly. Quoting from this [slashdot.org] post on Slashdot:

> As to these configuration backups, Mr. Childs kept these on a DVD he kept with him at all times. Furthermore, this DVD was encrypted and could only be decrypted using his laptop (as the encryption program required not only a password, but access to a specific file that existed on the laptop).

Can these actions be defended as anything other than job security? Unless someone has reason to think that BengalsUF is getting the story wrong, why is there so much popular defense for this guy?

Re:Heading this off--see link to juror (2, Insightful)

jafiwam (310805) | more than 3 years ago | (#32023844)

That sure violates the "what if I get hit by a bus / win the lottery" rule.

It's also the point at which it makes Childs a jackass that deserves jail over "just doing my job."

A few minutes of talk and a phone call could have given him sufficient CYA and probably job security to fix what they break. He chose a power trip instead. Let him rot.

Re:Heading this off--see link to juror (1)

Khyber (864651) | more than 3 years ago | (#32023916)

"Can these actions be defended as anything other than job security?"

I would do the exact same thing for backup purposes, and since that is sensitive information encryption is preferred.

In fact, that's *EXACTLY* how I make backups of my important business files.

No, absolutely not (2, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#32023980)

I mean the keeping of a backup with heavy encryption is certainly defensible. After all you might want to make sure you have the configurations in case you are away on vacation and get a panicked "Oh my god we blew up the network!" call. Of course you would want said data heavily encrypted, in case your laptop was stolen.

However when those are the ONLY copy, other than the running config? Hell no, that is a blatant attempt to lock others out. Reliability of the service must always come first. So for one, the configs should be stored on the system flash. There's no security risk there, to get at that you either have to have enable access to the system, or be at it physically. In either case you can already do what you want. Also, I'd want other backups stored on a local configuration server somewhere, in case a switch just shit itself and you had to restore to a completely new one.

The only result of the situation he set up was to make everything critical on him.

Re:Heading this off--see link to juror (3, Informative)

rufey (683902) | more than 3 years ago | (#32023680)

If the person mentioned was on the jury, and there is nothing I've read of his to suggest otherwise, I highly recommend reading his recent posts on his slashdot user page: http://slashdot.org/~BengalsUF [slashdot.org]

I learned more in 5 minutes about the case than I have over the past 2 years reading Slashdot and news stories. And, as it turns out, most of what I've read up until today has been embellished or simply was an opinion of someone who knew little about the case.

Re:Heading this off--see link to juror (2, Informative)

mangu (126918) | more than 3 years ago | (#32023908)

I read that post, and the replies, and it seems to me the jury did it wrong. Particularly this post [slashdot.org] seems to hit the nail on the head.

A jury is *not* required to follow instructions to either absolve or condemn, otherwise what would be the meaning of it all? But too many jurors seem to be swayed by the judge's instructions, which should be mere guidelines. It's not the judge's privilege to make a decision in a trial by jury. In this case, the jury seems to have had a very technical interpretation based solely on the prosecution's version of what it means to deny access to a system.

Terry Childs, if what we read in many reports is true, never denied access to anyone who actually needed to use the system. His only crime was to use his best judgment on who should be allowed to access the passwords. He never denied access to the *system*, he denied access to the *passwords*, which is a different thing. I don't need to give you the keys to my house in order to let you in. I think the jury reached a wrong decision, because the law is very clear on this point.

It was his managers' duty to ensure that passwords were adequately managed, if they left that kind of decision entirely to Terry Childs then they shouldn't complain if his decisions weren't what they expected. When a manager lets a subaltern have total control of the passwords he cannot complain if that subaltern does exactly what he was ordered to do.

California law (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32022902)

> thousands of IT workers all over the country that are now guilty
 
of violating a California law? I'll be worried once there's a California state court in New York City.

Re:California law (1)

Khyber (864651) | more than 3 years ago | (#32023926)

Apparently you haven't heard about a Florida community that sued a person in another state for offensive materials and won.

As an IT worker. (0)

Anonymous Coward | more than 3 years ago | (#32022934)

I learned something very important here in this case.

NEVER do the right thing. Cover your own ass.

Doing the right thing rarely pays off. And damn, now it can get you put in jail.

Keep your head down, keep your mouth shut, don't make waves, and cover your own ass.
Cuz nobody else will.

Re:As an IT worker. (1)

Spacepup (695354) | more than 3 years ago | (#32023522)

It's never in your best interest to cover the ass of someone else.

Especially if they ate a big bean burrito from Taco Bell for lunch.

Re:As an IT worker. (1)

Skarecrow77 (1714214) | more than 3 years ago | (#32023576)

You just learned NOW that CYA is job number one for anybody that wants a career in IT?

Step 1: Document ANYTHING that may ever be controversial, why you did it, and exactly why the other options were poor choices.
Step 2: Any time your superiors ask you to do anything, always mention "Per Supervisor Jane Peterson..." in your notes.
Step 3: Always make sure you have some good generic excuses banked in the back of your head why you are not at fault for bad stuff, while still being responsible for the good things. It -will- save your ass at some point over the years.
Step 4: Make sure you especially keep an eye out for co-workers, and superiors(!) who are potentially likely to use YOU as THEIR CYA excuse. Be wary, and be prepared.

It doesn't matter if your company administrates servers, publishes novels, writes software or sells shoes. Business is business, and CYA is always important. Disregard

The sky is not falling. (3, Insightful)

Anonymous Psychopath (18031) | more than 3 years ago | (#32022990)

Prosecutors, judges and juries all consider intent. Making a mistake is not the same as malicious action. True, there are times when it's difficult to tell. This isn't one of them.

Re:The sky is not falling. (1)

phantomfive (622387) | more than 3 years ago | (#32023244)

In other words: it's ok to follow secure procedure and make everyone mad, but don't be a jerk about it. Make sure it is clear why you are doing what you are doing, and be calm.

Re:The sky is not falling. (4, Insightful)

Ossifer (703813) | more than 3 years ago | (#32023582)

In appropriate words: don't lie about your violent past, don't harass the person employed to do your background check, don't give false passwords to keep your boss' boss off your trail, don't admit to your co-worker that you're going to screw over your employer if they fire you, and most of all don't come afterward with the lame excuse of being the only IT God on the planet such that only you could ever possess the keys to the kingdom.

Re:The sky is not falling. (0)

Anonymous Coward | more than 3 years ago | (#32023480)

This is one of them. The biggest difference between Terry Childs doing his job and the bumbling fools who later took down the network is that the bumbling fools fit in perfectly with San Francisco city employee politics.

Re:The sky is not falling. (1)

Sycraft-fu (314770) | more than 3 years ago | (#32023768)

In particular you can see that because he gave out bogus passwords. When you read the news stories it turns out he stonewalled, but then finally handed over bogus passwords. Ok well that shows that in fact he intended to deceive people and keep control, not that he was just security concerned.

If a professor were to come up to me and demand the root password to our servers, my answer would be "no." I wouldn't give them a fake password. Why? Because policy says they can't have it, and that's what I'm following. However if my boss asked for the root password (not that he'd need to, he has it too) I'd give it to him, since he can have it. In neither case would I consider giving a fake password, that is underhanded and counterproductive.

To me, that right there is what really seals it as a case of him being malicious. He wasn't just concerned and/or misinformed about policy. He knew what he had to do and chose to try and deceive people.

ugh (4, Insightful)

nomadic (141991) | more than 3 years ago | (#32023076)

> There are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways.

Setting up and configuring a system where they have sole access, locking out the actual owner of the system, arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision and by the way anyone who thinks a network engineer should have the authority to lock whoever he wants out of the system, based entirely on his own discretion, is incompetent), and then refusing to provide system access when he was assigned other responsibilities not dealing with the locked system, then repeatedly refusing to provide the information even after being imprisoned? Really? Thousands of IT workers guilty of that?

Re:ugh (0)

Anonymous Coward | more than 3 years ago | (#32023308)

> arbitrarily deciding that their direct supervisors aren't "authorized users" (based not on any actual rules or policies but their own nebulous "best practices" decision

Actually, the existing written SF policy was that your direct supervisor is NOT by default an authorized user.

Re:ugh (0)

Anonymous Coward | more than 3 years ago | (#32023428)

For a normal user, perfectly valid, but in Childs' case his supervisor was the COO. Completely different story.

No kidding (3, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#32023610)

Only way I see you being "at risk" is if you are an asshole, or the policies are extremely unclear. In the event of the second case, well then take it upon yourself to get them clarified.

Personally, I'm not worried. Here our policy is that various critical information, including things like root passwords, has to be kept in a safe. My boss is responsible for all that. Also, all our IT staff has the passwords for everything (in theory, there are some I can't remember because I never use them). So, I'm not worried about a situation where I have sole access to a system and am being pressured to divulge the password. They are stored in a location per policy, and the people who can access them are specified by policy. All I need to do is look at the policy and make sure I follow it, and also make sure that should I set up a system that uses a special password for some reason, it gets documented.

Always remember: They aren't your systems, it's not your network. They belong to the organization that you work for. That means said organization gets to decide who gets what access. You can, and should, have input on that policy, but you can't unilaterally declare that you are the only one.

Re:ugh (1)

Vellmont (569020) | more than 3 years ago | (#32024086)

You do realize that the law isn't written specifically about this case, right? So why then, do you bring up every single detail of the case as a means to exclude the other ways the law could be interpreted to apply to?

The meat of it is about his refusing to provide passwords for 12 days. From what I hear the network remained up during that time. I think it's telling that when pressed, the people who want him in jail seem to focus on him being a dick (which he is), but fail to provide any real explanation as to what harm came to anyone during this period. The law is supposed to protect people from harm, right? Not just be an arbitrary set of rules set down from on high.

If this was so incredibly harmful that passwords weren't available for 12 days because ONE person was being a dickweed control freak.. aren't the people who designed and approved such a crazy system at fault as well? Why aren't those people liable for such egregious incompetence? I don't agree with what Childs did, think he's a huge dick, should have been fired, tarred and feathered. But siccing the law after him was just a power play by the city, and had nothing to do with protecting the public, property, or anything but some elected officials' reputations.

Not DoS (3, Informative)

guspasho (941623) | more than 3 years ago | (#32023082)

> Assuming the verdict is correct, Venezia writes, 'shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case?

Childs wasn't convicted of "denial of service", that's just rhetoric. He was convicted of computer tampering, as the linked Slashdot story explains in the summary.

lesson learned (0)

Anonymous Coward | more than 3 years ago | (#32023162)

When you don't hand over the passwords, and the mayor comes to visit you in jail....you say "I'm sorry, but incarceration appears to have a profound effect on my memory. You know what would improve my memory considerably? MY IMMEDIATE RELEASE and a signed statement that you understand that I was just trying to DO MY JOB."

I'd not have handed over San Francisco backbone passwords in a teleconference either.

If they wanted a more secure and reliable mechanism for storage, they could have specified one. As an administrator, he believed that the systems were at risk and changed the passwords to secure them. Totally within scope of duties. Justice system is broken, but that's no surprise.

You know a study that no one will do? Study of the demographics, employment status, and intelligence level of your average jury these days as compared with the general populace. No matter how low an opinion you may have of humanity, I can assure you that what passes for a jury these days is scraping the VERY BOTTOM of that barrel.

Re:lesson learned (1)

Skarecrow77 (1714214) | more than 3 years ago | (#32023682)

Really? The last jury I served on, from the College student to the 69-year-old grandmother, seemed to have no problems comprehending pretty much exactly what each count against the defendant meant, and whether he violated the letter of the law, even if he didn't mean to.

In the one instance we were confused as a whole, we just asked the Judge. You do know that the judge is at your disposal to answer any legal questions you may have about how the law is written, right? We had to have him explain a subsection that was written in a confusing manner.

There were for sure some idiots and or biased people on the initial selection panel, but the Judge himself booted some of those for various reasons, and the prosecution and defense attorneys did a damn good job of getting rid of the rest. That's their -job- remember?

Obligatory analogy (1)

dingram17 (839714) | more than 3 years ago | (#32023200)

From the wording of the judgement, it sounds as if you were the City heavy vehicle supervisor and your manager came along and demanded the keys for a very large tip-truck and you refused because they didn't have a heavy vehicle licence that you would be charged with vehicle theft.

It sounds like the procedures in place at SF City were weak. In the truck analogy, the rules may require the keys be handed to management when requested, but only a suitably licensed driver could use those keys and operate the vehicle (there are rules like that, they're the Road Rules). Perhaps the IT Dept. needed something equivalent whereby management could possess username/password but were not permitted to use them unless appropriate qualifications/certifications/competencies were held.

Terry sounds a bit like the truckie that thinks no-one else can drive as well as he/she can so refuses to hand over the keys to 'their' truck. If there were IT admins working for the city that had the appropriate alphabet soup behind their name then management (which goes all the way to the mayor) could provide the access details to those people for specific tasks.

Now, for the Tui's advert [tui.co.nz]: 'Yeah, Right ...' The PHB is going to use the passwords to have a play themselves to remind themselves of the 'old days', forgetting that when they were trained in MIS they were using punchcards and teletypes, and networking was something that you did at parties. I can see why Terry did what he did, but the letter of the law can be a PITA sometimes. Does California have the equivalent of the GSA that could go through the SF City Council like a dose of the salts and clean things up?

It's his own damn fault. (0)

Anonymous Coward | more than 3 years ago | (#32023456)

Set up a common authentication scheme and disable your account as your last act.

qual application of justice??? LOL (5, Insightful)

CPE1704TKS (995414) | more than 3 years ago | (#32023608)

You've got to be kidding. Do you honestly think you can go back to prior cases and use that to show how something is or isn't a crime?

What matters is how good your lawyer is and what sort of strings they can pull. Obviously, this guy's lawyer wasn't as good as the other guy's lawyer.

The rules that apply to us DO NOT apply to rich people. Stop believing for one second that they do. Look at some black dude that goes to jail for 3 years for stealing bread vs. the Wall Street banksters that steal billions and get multi-million dollar bonuses.

Marc Rich was convicted of tax evasion, and fled to Switzerland. It took $250,000 in donations to Bill Clinton for him to pardon him on his last day in office.

There is no justice, all there is is how much money you have to spend to grease the wheels of the system.

This is not a threat (0)

Anonymous Coward | more than 3 years ago | (#32023642)

Unless you have your head firmly buried in your ass as Mr Childs did. Seriously his actions do not seem those of someone that should have any sort of power. He wielded his wand to say that no one else was worthy of the right to access the information that was not his. If at the point that it became obvious that he would be arrested he thought that somehow his actions were valiant and necessary to save the citizens of the city, his complex had blossomed out of control. A rational person would have cut their ties at that point and moved on. Anyone seeking to do real damage will still do it, most likely not someone that works in the department. Except for Mr Childs.

Can someone please explain the crime? (1)

junglebeast (1497399) | more than 3 years ago | (#32023688)

I have googled and read a dozen articles about Terry Childs and still cannot find a single article that actually explains what he has done wrong and what this means.

So far, all I can tell is that Terry Childs refused to give out passwords (private information) to somebody else who asked for those passwords. What is illegal about protecting the privacy of your users? How is this in any way related to denial of service or cyber crime?

Give me an effing break (0)

Anonymous Coward | more than 3 years ago | (#32023728)

The guy broke the law and deserves to be sentenced. When you are a system administrator for the city you lose the right to act like a bratty 5 year old child.

This verdict does NOTHING to affect other sysadmins. If other sysadmins break the law on purpose like Child Terry did, they will be sentenced.

If Child Terry wants to act like a 5 year old and hide password, he should hang out on Slashdot for a while. Plenty of other 5 year old attitudes here - such as the people who are saying he should not be charged! LOL, pathetic.

Jury Nullification (1, Offtopic)

John Hasler (414242) | more than 3 years ago | (#32023824)

> If the letter of the law is what convicted Terry Childs, then the law is simply wrong.

That is what jury nullification is for. Unfortunately, most jurors don't know about it and the judges refuse to tell them. Thus the FIJA [wikipedia.org].

broad generalizations with no back up (0)

Anonymous Coward | more than 3 years ago | (#32023878)

The post is making very broad generalizations with zero backup of any claims. Just exactly how are many IT professionals going to be affected? This is just a false story to bait the readers. There is no story here. The guy was a nut-case who broke the law and common sense. All this warm and fuzzy talk of he built this network as his "baby". Last I checked, babies need diapers and care. This is a bunch of inanimate iron with a goof-ball maliciously running it like a 5-year old.

SF is criminally stupid (4, Insightful)

unix_geek_512 (810627) | more than 3 years ago | (#32024030)

SF is criminally stupid, that's all there is to it. They've wasted taxpayer money over a case that should never have been brought.

Their own employees and contractors caused a ton of downtime trying to get control of the network. If they'd left things alone there wouldn't have been any downtime.

Not to mention they violated the guy's constitutional rights over something that could have been resolved amicably within 24 to 72 hours.

Instead, they acted like a totalitarian regime and threw the guy in jail to break his will to resist.

It's the people in charge of SF that should be prosecuted not this guy.

Did he act like a damn jerk? You Bettcha! Did the city act like Ioseb Besarionis dze Jughashvili in 1936-1938? Heck yeah!

Anyone in IT should be worried about ending up like this guy if they anger the SF city government in any way, this could be one heck of a bad precedent.

Semper Fi Comrades

Note that this involved a government. (1)

John Hasler (414242) | more than 3 years ago | (#32024052)

The city of San Francisco has cops, jails, and prosecutors. If the mayor gets mad at you, one of his employees, he can arrest you, throw you in jail, and prosecute you as he did Childs. A private company has to convince a disinterested prosecutor to go after you. While not impossible, that's much harder. I suspect that if the circumstances had been exactly the same except that Childs had been working for a private company he might have been sued but almost certainly not prosecuted.
