Terry Childs Case Puts All Admins In Danger 498
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
Section 502 (Score:5, Informative)
Section 502(c) states in part
OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.
And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?
Who's in charge? (Score:5, Informative)
At a previous employer(this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them I could give him any specific access he needed on demand.
When I was hired I was given a number of NDAs to sign one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor(with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.
In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.
Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)
Analysis (Score:5, Informative)
First, I'll remind everyone that the code 502 in question is only applicable in California.
The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."
What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.
Re:Ouch. (Score:5, Informative)
No. Wrong. Incorrect.
He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.
HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.
Sigh.
doctorcisco
Re:Section 502 (Score:5, Informative)
You're confounding civil law with criminal law. They are in entirely different ballparks.
New laws can always impose new responsibilities on you, financial or otherwise, and those responsibilities may be increased by your past actions. But they can't change something you did in the past that was within the law from being a legal action to being a crime.
It is either a crime at the time the act is performed, or not a crime.
They're not attempting to hold Childs financially liable. They're attempting to charge him with a crime.
Not quite as simple as that (Score:5, Informative)
He has a right to speedy trial (as per the Constitution). This is a right that defendants can and do exercise some times. Basically your attorney tells the court that you want to exercise your right to speedy trial and the judge tells the prosecution "Ok, get your shit ready, this moves forward soon." In California, the speedy trial statue is 60 days. Judges can set a shorter date, if there's good reason to do so, ie prosecution isn't gathering new evidence, just stonewalling. So, if his attorney pushed that, he'd have already gone to trial. However, it is also often not done. The defense often wants time to prepare a case, in particular if the prosecution has a good case and the defense needs time to poke holes in it. After all, you don't want to push for speedy trial if it means you won't be ready and you are just going to lose.
So the reason this hasn't gone to trial is almost certainly the decisions of his lawyer. Had the government really had zero case, a speedy trial motion would have been filed and granted and they'd have already lost. You don't see this very often because those cases are usually dropped. A DA would much rather drop a weak case they are going to lose than go to trial and lose it.
Re:Too bad "being an asshole" is not a crime (Score:5, Informative)
Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.
Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.
Re:Analysis (Score:3, Informative)
That is the second time I have seen ex-post facto used this way in this thread. I'm not a lawyer, but I have always understood ex-post facto to refer to laws that are enacted after an action occurs that changes the punishment for that action. That hasn't happened here - AFAIK the laws were already on the books when he setup the routers.
Re:This seems hard to swallow (Score:5, Informative)
He was sprung with a surprise secret audit, and claims he caught the auditor taking a hard-drive, at which point he confronted her. At which point she locked herself in, and called the CIO.
On July 9, 2008 and at all relevant times, Richard Robinson was the Chief Operations Officer of DTIS [the San Francisco Technology Information Services Department]. Defendant unwittingly found himself at a meeting with Robinson in a room at the police station at the Hall of Justice. Present at that meeting were Lt. Greg Yee and Vitus Leung from the City's Human Resources Dept. Waiting outside the room but joining the meeting midway was Inspector Ramsey. The meeting was unorthodox and short on civilities. Defendant was told that he was being reassigned and was asked to disclose the FiberWAN passwords in addition to other passwords. There was no advance notice to defendant of this request. The surrounding circumstances of this request were unnerving and troubling to defendant at best. He resisted this surprise request to disclose the passwords to the FiberWAN, telling Robinson that no one was qualified to have the passwords. Under the pressure of the situation, defendant gave password information that could not be validated. During this exchange wherein defendant was questioned regarding the passwords, a speakerphone was on the desk in meeting room and people were listening in on the other end of the phone connection in a different part of the City.
Would you have given over the root passwords for your network and servers in those circumstances? Especially since you're likely to take the blame and/or get sued if some monkey screws something up and then blames it on you.
As you say, a civil action would have been more than adequate to recover them - he only wanted to hand them over in secure fashion to someone qualified to know them. He did hand them over the Mayor, "the only person he felt he could trust," a few days later, after he was already in jail.
OK, Childs had a bit of a God complex, but after years designing something that intricate, and being the only 24/7/365 support for a few years due to budget cuts, it's understandable. They've basically charged him for having the tools, access and knowledge to actually do his job.
Ironically, after claiming he was the one threatening the network, the city put the list of vpn passwords they found in his house into evidence unredacted, thus compromising half of the vpn 2-factor security for the entire network, forcing them to reset them all 2 days later; locking everybody out of the vpn access entirely. This was the first network outage since they imprisoned Childs, and was directly caused by the incompetence of the city technical management.
Re:This seems hard to swallow (Score:1, Informative)
he set the routers to return to default under power failure. Actually that was a really smart move, these are in city building, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...
Has this ever been verified?
When this was originally claimed, the city did not yet have the passwords. They hired consultants to gain access to the routers, but the consultants warned them that IF he had set the routers to return to default, they would have a problem.
You claim the consultants tried to unplug the routers, but if they had done so, the network would have been down. It has been reported that the network had zero downtime until he gave the passwords to the Mayor (rather than some random middle manager who he probably wasn't even allowed to give the passwords to).
Re:I'm almost about to side with the City. (Score:3, Informative)
No network administrator is going to be at risk for anything as long as they play nice and don't pull crap like bringing a city's network activity to a screeching halt just because they're pissed off or whatever.
If that was the case, then Terry Childs wouldn't be under arrest. Despite the impression you may have gotten, he didn't bring the "network activity to a screeching halt" - it carried on working perfectly, and I think even the city eventually admitted this. (You've probably been reading misleading news reports based on equally misleading press releases by the city.)