Terry Childs Case Puts All Admins In Danger 498
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
the admin's response (Score:5, Insightful)
'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
It still beats having to wear a suit to work.
popular trend in the courts lately (Score:5, Insightful)
If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did, (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead. (ether as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like)
As usual, the legal system that makes me sick to my stomach some days.
Don't be rediculous... (Score:3, Insightful)
Of course they wouldn't do that.
They'd use that fact as leverage to extract whatever they want from you first.
Re:When modems are illegal... (Score:2, Insightful)
Jeeezzzzzussss (Score:2, Insightful)
I can't believe this megomaniacal prima dona is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Someone needs a geography lesson ... (Score:5, Insightful)
FTFA:
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
that's the point really. His keeping the passwords is really no different than a VP keeping a laptop or company automobile. There are several civil steps that need to be gone through before "keeping" something you were previously entitled to have and protect becomes "criminal".
Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it. In the same way the new manager saw a "rogue" employee that was cut off, isolated, and anti-social and first tried to illegally fire him. When that didn't work, then he started harassing about the passwords and created a situation with the prosecutor to get the passwords or throw the guy in jail... a leap of about 6 other legal processes.
Like has been said before.. modems and back doors in your office or home office (if expected to work from home/call in) are quite common for admins. VPN access to servers for when they crash is common. Those don't really figure into the "criminal" part because they didn't ASK if he had them and didn't ASK him to return them... packing his cardboard box on the way out the door is not formally "asking". As far as wiping the configs, that was paranoid overkill, but considering how often city office property gets stolen, wiping the config keeps thieves from getting the network settings to the whole thing which is more valuable than any one office of downtime due to power failure.
"keys to the kingdom" passwords are quite common.. I'm the only person at my 1000 person company with ALL of a certain server's passwords plus some network ones. There's a small number of people I would release those to... if I was pre-accused of malicious intention before I even left I'd probably handle the transaction thru a lawyer.
Like he predicted, when the city hired consultants (again not thru a legal means, just some random company to "fix it") and they started breaking stuff they didn't understand isn't his problem... Remember he was accused of "damages" even though the manager had no cause to make that ... they only poor performance he demonstrated was being disgruntled. Assuming he was doing damage and calling the cops is bordering on criminal filing a false report.
The proper course of action would have been for the DA to sue him in small claims court for the password. Make a valid case and allow him his grievance before a judge, then honor the ruling. Then a judge would have thrown him in jail until he talked for contempt... there's no time limit on contempt, so no need to file other charges! Frankly they're not a good lawyer if they didn't think of the simplest legal thing first.
Re:Jeeezzzzzussss (Score:5, Insightful)
I can't believe this megomaniacal prima dona is now somehow the posterboy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Well, it's just like 1st Amendment cases involving pornography, marching down the street in neo-Nazi uniforms or hooded bedsheets, or the like. You have to fight the idiots who would deny basic rights or make a mockery of law unilaterally, even when they go after the dirtbags. Letting them ignore the law when they beat down the unpopular is just giving them a free pass to do the same to you in the future, when it strikes their fancy.
Re:Section 502 (Score:5, Insightful)
After he is let go, he no longer has permission.
However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.
There would be a 4 word phrase for that: ex post facto law. Explicitly prohibited by the constitution.
Along with Bills of Attainer, which is almost what throwing someone in jail without trial for a year with a $5 million bail amounts to, he has been declared guilty by the state and is being punished without trial.
A few years later when the finally gets a trial, they'll say "oops, my bad", and let him go, after using various means of persuasion to ensure he doesn't proceed with any lawsuit for the false imprisonment.
welcome to slashdot (Score:2, Insightful)
where the most pedestrian news is given the most ridiculous fear-driven spin, made front page in breathless write up, and a bunch of yammering legal ignorants wlll ape right along
and then these same people will ridicule stereotypes outside their domain who supposedly fall for propaganda and hysteria all the time
take a look in the mirror friend
no, slashdot, this case does not set the precedent you believe it does
CONTEXT. its a magical concept. consider it some time
Re:Someone needs a geography lesson ... (Score:2, Insightful)
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
Here is the deal as I see it. He's an admin with a bit of an attitude, yet he did his job well apparently. Everytime that I'm asked to do inane bs at work, I turn it into a paperwork exercise. That is to say that I am happy to paper the office of whichever vp wants reports and to be in charge. Soon, they ask me to 'just take care of it' as I see fit. Either you want a competent admin or you don't. Once you get one, you have to trust them and work with them, even if there are conflicts of personality. This is simply because you as a vp or cxo cannot replace that person. You are forced to work with them... deal with it.
Positional authority is a powerful thing. If you as a cxo are afraid to give it to someone, get some certs... or perhaps learn to delegate and deal with that.
The fact that this made the level it did in courts is indicative of the fact that management is not willing to give away any power to anyone. In much of this situation, they had no need for what they ask for, and should not have had it.
In the cold light of day, if they gave him that much control, they got what they deserve. When you give someone that much power/authority, you must be nice to them. This is a situation that repeats itself across the globe without end. This particular one just happened to make the news because Terry has big balls.
No matter what happens, this is a simple case of bad management. period.
Re:welcome to slashdot (Score:1, Insightful)
Context: This guy has already been in jail for seven months for what looks like normal sysadmin work.
Re:This seems hard to swallow (Score:3, Insightful)
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
> As far as wiping the configs, that was paranoid overkill, but considering how often city
> office property gets stolen, wiping the config keeps thieves from getting the network
> settings to the whole thing which is more valuable than any one office of downtime due
> to power failure.
When I left my last job as Sr. SysAdmin (they laid me off, for someone cheaper), they were absolutely sure I had left back doors into the network, and that I could sabotage everything. They couldn't find the backdoors (because they didn't exist), and ended up changing the OS on every server. In that beautiful move, they screwed up an awful lot of stuff. Ha!
The funniest part was, some of the people who they kept on were thieves. They were stealing confidential data, and abusing the network for personal gains. It took two more years for them to figure that one out. All I can do now, since I have no involvement in that company, is sit back and laugh. :)
The "keys to the kingdom" were on file with senior management though. Shit happens. I could get hit by a bus. I could get shot in a botched convenience story robbery. I could just decide not to ever come to work because I got a better offer. Why cripple their company?
Re:This seems hard to swallow (Score:2, Insightful)
Re:Puts all admins in danger of... (Score:3, Insightful)
The Terry Childs case reminds me of 24. A corrupt government analyst exerts pressure on a techie to give up a password, which is promptly used for illegal activity. Then the innocent techie gets fucked and Jack Bauered. Yeah. Give the password to any boss figure who asks. That cannot go wrong.
Re:Ouch. (Score:2, Insightful)
I expect he will be able to find more than one Cisco certified security professional who will point out that devices with limited or no physical security can and should be configured with "no service password-recovery". Proper administrative policies would have had version control archiving router and switch configurations, thereby completely alleviating the impact of disabling break key recognition.
I don't call it secure until at the very least, I can't break in without extraordinary measures.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
I think you completely fail to understand something very specific about server administration: You don't own the boxes. Your employer does. Your knowledge of passwords, etc. is so that you can do your job. In every company I've ever worked for I never have the authority to grant or revoke access to a system. I had the capability since I had root access, but that didn't grant me authority. It's not the job of an administrator to decide who does and doesn't have access any more than it is the job of a security guard to decide who has the privilege of entering the building. You are the implementor of the policy, not the creator of the policy.
Childs is totally wrong here.
Re:Who's in charge? (Score:3, Insightful)
Yikes. Should I feel fortunate that I've never had a civilian job that required me to "follow orders"? Or am I merely to infer that you are an asshole boss?
Re:I would love (Score:2, Insightful)
How does that get rated "interesing". Par is the Latin word for equal (still used with that spelling for things like golf), and peer is the modern English derivative. The Romans came somewhat before the British Peerage.
I assume British Peers they are called that because they are expected to treat each other as equals, even if they have contempt for the poor suckers.
Re:Puts all admins in danger of... (Score:5, Insightful)
"By withholding information about the configuration, he stole from his employer on the way out."
I don't know about this Terry Child fellow or anything to do with what he's alleged to have done. But that is one bat-shit insane sentence.
Are you saying that an individual cannot just quit his or her job and walk out the door? And if they do should rot in jail and be stripped of all possessions? On the basis of a private companies say-so? WTF?? Who the fuck modded this bullshit up??
They fired him, he walked...but he's forever beholden to them and every employer he's ever worked for because he holds some knowledge about their network?
What a fucked up world you live in, sorry but you're a little fascist, any individual, from the CEO to the Janitor has every right to leave a position and never look back, if the world implemented your policy we'd all be too terrified to work for anyone! Some HR schmuck wants to fuck with you after you leave, HE DIDNT TELL US SOMETHING WE NEED PUT HIM IN JAIL AND STRIP HIM OF HIS POSSESSIONS! Jafiwam demands it!
You the only IT person for a small company and want to quit? TO BAD! Don't dare walk out the door, if you do according to Jafiwam the little fascist you deserve to rot in jail and have all your possessions stripped away from you. Oops didn't document what that script does, STEALING! JAIL FOR YOU. Didn't tell them about that Cronjob before you left? STEALING! Didn't document that object properly, didn't let them know about that revision, didn't pass on that message? STEALING, STEALING, STEALING!
Didn't write a 2000 page manifesto brain dumping every tiny little bit of trivia and knowledge that you have about their business, STEALING!
The idiocy is truly unbelievable around here sometimes.
Re:Someone needs a geography lesson ... (Score:1, Insightful)
Even if convicted, the Childs case doesn't establish jurisprudence for 95% of the world.
Standard IANAL disclaimer here.
Even though there is no legal hold over say, China, it will establish precedence. So the legislatures over ther can then point to the Childs case as a basis for their laws
Re:Who's in charge? (Score:1, Insightful)
He was following orders - the NDA he signed, the text hardcopy, stating that he wasn't to give out his password.
Perhaps you should fire yourself for contravening orders, even though you feel that they may be bad.
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
That's not necessarily true. Just like the security guard, if the policy said no one enters the building without ID and a company Badge, then not letting anyone in without either of those is appropriate.
The same can be said about a corporations bank account or credit card numbers. It's completely ethical and responsible to not disclose those things to anyone you cannot personally verify their right to access the information. Credibility is only a stones throw from socially engineering the information away from someone. The police in the room could have been attempting to get access to install illegal taps on a public official or anything other then what they were doing. Childs was probably within his rights to demand that he be contacted by the proper people in a manner that he could verify their identity. The mayor was most likely his point of contact and his superior which is why he refused to do anything until he could give it to them.
Here is a thought experiment. Suppose I walked into your building in a uniform of some sort and asked you for the passwords to your servers and access to the server rooms. I gave you ID that matched the name on my uniform and claim I was hired by the company to perform a security audit of the system.
Do you
A- give me access and the passwords
B- tell me to get lost
C- contact your superiors and verify that I am legit then give me the passwords and access
C- is the right answer (even though A happens all to often). But Childs wasn't in a position to contact his superiors or the mayor could have been his superior and instead stated that he would give the information to the mayor. When the mayor came around, he surrendered everything without hassle.
Re:Who's in charge? (Score:1, Insightful)
Bull. You aren't required to accept bad decisions from a supervisor when they violate company policy.
Re:Who's in charge? (Score:3, Insightful)
I can't tell if your joking or if you're a douche.
He was following orders. He had a legal agreement with the company not to share his passwords with ANYONE which presumably included his boss. What his boss was asking contradicted that agreement. Since his boss admitted that he didn't have the authority to override that agreement, what he did was 100% correct, even if it did cause his loser boss heart burn.
Had he been fired for that he would have had excellent cause for a big wrongful termination suit. You can't ask an employee to do something (don't share their passwords), then fire them for doing it (not sharing their passwords) without consequences.
Comment removed (Score:5, Insightful)
Re:Puts all admins in danger of... (Score:5, Insightful)
What was the ransom he demanded? How was a network with zero downtime rendered useless?
The code, hardware, and configuration all belong to his employer. By withholding information about the configuration, he stole from his employer on the way out.
They had the configuration. They could pull out the flash card with the configuration on it and put it in a new router and it would work great. Of course, without the passwords, they couldn't log in to see it, change it, or any of that, but that didn't prevent it from being 100% operational, as well as being something that could be backed up, replaced, and all that without problem.
He fucked himself and he deserves what he is getting.
He was fired, then after being fired, was asked to fulfill an obligation to an organization he no longer had an obligation to. He may not have been professional. He may have been an ass. But he did nothing illegal, let alone criminal. If they threw people in jail just for being asses, I'd nominate you to be at the front of the line.
Re:Too bad "being an asshole" is not a crime (Score:4, Insightful)
More like an employee is charged with looking after the office and keeping it secure so they hide the keys. They then refuse to give up the keys to a person who has no need or reason to enter the office. Employee states that they will give up the keys if told to do so by an appropriate person in authority. Employee then gets arrested.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
Also, the city had a responsibility to not fuck things up. If somebody steals your car keys and you smash your windscreen (rather than hiring a locksmith to jimmy your lock), you can't sue for damages you caused yourself.
(I'm not a lawyer, that's not advice.)
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
Your rant is only accurate if policy is to give the golden keys that can shut the city's network down to any manager that asks for it. I HIGHLY doubt that such is the case.
Remember, this guy didn't just build a computer for a person and then not hand the passwords over, he was in charge of a public-owned network. I would be aghast if the city had network policies that gave root access to anyone who thought that they needed it, and especially those who were so cocky about it as to ask in a room full of people who SHOULDN'T have it in any case.
In short, manager != owner. Without a copy of SF network policy here, your declaration of him being totally wrong is pure baseless speculation.
Re:This seems hard to swallow (Score:1, Insightful)
If there's nobody to replace you, due to budget constraints which are beyond your influence, then there's nobody to replace you, period. It wasn't a matter of keeping the "other guy" out of the loop. There was no other guy. Whether or not he had a dead man's switch (instructions in his will, etc.) is unknown, because he was still in the position to hold and use the access credentials. He was questioned by people unknown to him (some even outside the room) and without the legal authority to have those keys. It was right not to give up the credentials without the proper formal request from an authorized person. A system which works until someone with hardware access changes all access credentials isn't fragile, btw.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
Passwords are different because:
a) they are small and trivial to communicate (unlike your examples), and
b) they are (for all practical purposes) essential for the running and maintenance of an important and expensive part of many companies
When a sales company fires a salesman, they can try to recoup the salesman's loyal customers, or they can bear the losses. There will be plenty of others.
When an engineer leaves, if he's worth keeping, he'll have kept some reasonable schematics of his work. If he decides to steal or vandalise them before he goes, well, then he's liable.
I can't see why this is so difficult to grasp.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
What's wrong with that? Are you worried because a lawyer issues advice based on the potential for harm (and he therefore, in your opinion, is stupid)? Or are you worried because he seems to think there are situations when withholding passwords might not be harmful (and he therefore, in your opinion, is stupid)? I can't decide from your post, and both options seem absurd.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
No one in the room was in Childs' chain of command. His boss wasn't there, nor was his boss' boss, etc. It was a group of random city employees (city police, HR) and random, unknown people on the other end of a phone.
What authority did anyone there have to order him to divulge passwords?
If someone from HR or Finance, even if they're a VP or C*O, came to me and said "Hand over all the network passwords now.", I'd tell them to fuck off too until someone to whom I report said otherwise.
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
It's not about PERSONAL harm. It's about professional ethics and legal implications. If you were fired from a company, and subsequently went and posted every password you knew on a forum or email list, you'd be sued or charged in a heartbeat.
This is no different in the least -- even if he was already barred from accessing the system, it was still a random group of people whose authority over him and/or the systems was nonexistent, or questionable at best. If he HAD divulged the passwords in those circumstances, he should have been charged, not the other way around.
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
Firstly, the effort required to communicate the data isn't important. Either you work for the company or you don't, if you don't then you are free to choose to do what you wish. I could request that you put "N1AK is awesome" in your signature, is it a crime for you not to perform this trivial act? Would it be different if I used to employ you?
Secondly, there is plenty of things a Salesperson could tell his ex-employer very easily and quickly. How long would it take to say "Oh, I heard that our competitor is releasing a product which improves x by % but at a cost to y". That information could arguably be far more important to the long term success of the company than a single password, why should it be treated differently?
His boss should of ensured that the critical information wasn't lost with him. The company was at fault for not ensuring that the passwords would be available if something happened to Mr Childs, that is not his responsibility. Compliance with Sarbanes-Oxley is vital for businesses in America, if an accountant was fired before he had properly processed some information relevant to SO it could have far more damaging consequences than a typical admin password.
The point here is not whether Terry's actions were damaging to the company or not, regardless of how damaging they might be. He was obviously being as difficult as he could. The issue is whether someone can be punished for choosing not to do work for someone who no longer employs them?
Re:Too bad "being an asshole" is not a crime (Score:3, Insightful)
I'm not really sure what dimension you live in, but in the one your are posting in, your are wrong.
If your SO has a car thats titled in your name and you break up and demand it back by calling it stolen, the police will make them turn it over immediately. There will be no waiting or courts involved as there is no need to be. They may not arrest your SO, they may not charge them, but you will certainly get your car back pretty much as soon as you prove its yours. It doesn't even matter if you are married, if the title isn't in your name, its not your car, and you have to turn it over immediately. If the car is titled in both names, THEN you end up in a situation you describe, but thats cause you both legally own the car. Your analogy doesn't, in any way, apply here, +2 points for using a car analogy. -several billion for being stupid.
Its nice that you live in a fantasy world which thinks that the guy has any excuse what so ever to not turn over those passwords to his boss, but your world is just that. His employement is a priveledge, not a right, and so is his holding of those passwords. Once his boss demanded them, he should have turned them over. The instant he didn't, for ANY reason, he should have been terminated. What he got was EXACTLY what he should have got. He's an arrogant twit who took advantage of his situation to make other peoples jobs a royal pain in the ass. Now I'm sure somewhere in your head you can justify that as being OK, but in my mind, thats about the most perfect reason to fire someone as you can come up with.
You, with your passwords should be fired for being an absolutely shitty admin. There is no excuse for you haveing the only passwords to anything other than your own personal account. If that account is an admin account not only should you be fired but you should be tatooed in such a way that no other company makes the mistake of hiring your incompetent ass.
Those passwords should be stored securely within the company by someone trustworthy OTHER than yourself for several reasons. The first of which is in case you get hit by a bus and die. The second is that you are a shitty admin and need to be replaced for pulling the bullshit you're pulling. I could go on, but the point is made I think. Your ignorance is practically criminal, you're using your power as a control point in case something happens that you don't like. I'd fire you on the spot if I were your boss.
The proper course of action would have been to wait 6 months for a court slot to open up, only to go to small claims court and be told that you're in the wrong court because the potential dollar value involved for damage is massive? Or to be told that you're supposed to go to a criminal court because the guy has unauthorized access to computers which is most certainly a criminal offense. The guy broke the law in several ways, this isn't a civil matter, it wasn't the instant he refused to turn over said passwords.
Its funny that you talk about them not being a good lawyer, you really have no clue what the hell you are talking about.