
Terry Childs Case Puts All Admins In Danger

snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
This discussion has been archived. No new comments can be posted.

  • by Crashspeeder ( 1468723 ) on Tuesday February 24, 2009 @10:10PM (#26977863)

    First, this story sounds very one-sided and has quite a bit of sensationalism. OK, a lot. I'm sure they can charge him with something to the effect of unauthorized access to a government computer system. Nobody's going to be pointing out modems as tools of a crime. That's like saying having a car means you're a bank robber because bank robbers use getaway cars.

  • by mrbene ( 1380531 ) on Tuesday February 24, 2009 @10:18PM (#26977907)

    So not only did he withhold passwords.

    And have modems attached to computers.

    But it's going to take $250,000 [infoworld.com] to fix.

    Can the defense claim insanity on behalf of the prosecution, 'cause I think we've just hit bat country!

  • by Dun Malg ( 230075 ) on Tuesday February 24, 2009 @10:27PM (#26977965) Homepage

    I'm sure they can charge him with something to the effect of unauthorized access to a government computer system.

    You're sure? How can they charge him with unauthorized access when his only action was to not give them passwords? The passwords were set when he was still employed, and had the authority to do so.

  • by pavon ( 30274 ) on Tuesday February 24, 2009 @10:38PM (#26978031)

    He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.

    Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just civil liabilities. That is what should have happened to Childs, no more no less.

  • Re:I would love (Score:3, Interesting)

    by plover ( 150551 ) * on Tuesday February 24, 2009 @10:49PM (#26978101) Homepage Journal

    During voir dire the lawyers probably asked if any of them were network professionals and dismissed those that were.

    The court wants only the presented evidence and facts to enter the case, not the external, uncontrolled ideas of some hacker ranting in the jury room. When I served on jury duty, the judge made it plain that in that case the law was only what he told us it was. We weren't to consider things from outside of the courtroom.

    It's kind of like designing code. He's trying to minimize external dependencies.

    That said, it still seems pretty stupid.

  • by mabhatter654 ( 561290 ) on Tuesday February 24, 2009 @10:52PM (#26978109)

    He set the routers to return to default under power failure. Actually that was a really smart move, these are in city buildings, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...

    The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.

    They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.

  • Re:Analysis (Score:5, Interesting)

    by GiMP ( 10923 ) on Tuesday February 24, 2009 @11:00PM (#26978155)

    The other possible outcome is that they'll say that he had permission to configure access, but when that privilege was renounced, that he should have removed remote access... in which case, I question how they would ever expect to let anyone go if they would have to go through such trouble each and every time?

    The truth is that often enough, companies don't change passwords, or at least not all of them, when a Systems Administrator leaves. Even in very small shops, it is very difficult to keep track of all the places passwords might be hiding, where remote access might be left enabled. For other employees, it isn't as tough, they might have access to one or two systems, but for an SA? You might never be able to lock them out completely, and simply rely on trust, morals, and the law. For instance, an SA might have set up a router just to test new IOS releases on, test, etc. Nobody else would have used it other than that SA, and nobody else would have known of it or thought of it. Such a router could be on the network for years without being noticed. Such issues will only become more apparent with "VM Sprawl", where you might have thousands of virtual machines. Without strict auditing, and even with it, you'll easily miss a stray virtual machine floating out there.

    The point is, once you give someone access to your network and your systems, to the level that a CTO, Senior Systems Administrator, or Network Administrator might have access, you can't ever be certain of locking them out of your systems, and you shouldn't be able to punish them for not remembering to lock themselves out -- only because it is too easy to make such mistakes or to have such oversight.

    Personally, whenever I've left a job, I've done my best to forget everything possible that was specific about their configuration. I'd rather not remember the IP addresses of their machines, their passwords, or anything else -- there is too much liability.

  • by Anonymous Coward on Tuesday February 24, 2009 @11:00PM (#26978163)

    Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.

  • by larry bagina ( 561269 ) on Tuesday February 24, 2009 @11:17PM (#26978237) Journal
    It's called a bailment [wikipedia.org]. Look into it.
  • by jamstar7 ( 694492 ) on Tuesday February 24, 2009 @11:29PM (#26978311)
    Like AT&T trying to show that they had to buy a spendy mainframe for the exclusive use of one tech writer and then a supervisor for said tech writer so they could pad the 'damages' in a trial by the cost of the mainframe, 6 weeks 'work' by the tech writer at 40 hrs/week & the same for the supervisor, when the very same manual that was 'stolen' was for sale for like 10 bucks?
  • Re:Section 502 (Score:5, Interesting)

    by Entropy2016 ( 751922 ) <entropy2016@yahoo . c om> on Tuesday February 24, 2009 @11:50PM (#26978415)

    While I agree that what's happening to him is likely unjust, I would like to point out something...

    However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.

    I have to call bullshit here. Ex post facto laws are explicitly unconstitutional but that doesn't prevent government from passing laws which have ex post facto effects. To anyone who claims that there isn't a distinction, I must say that you obviously are not a lawyer. A good example is CERCLA: The Comprehensive Environmental Response, Compensation, and Liability Act. If you dumped hazardous waste somewhere 50 years ago, hazardous waste which at the time was legal to dump where you dumped it, when you dumped it, you are NOT protected from legal action by the government. You WILL be held financially responsible for getting that mess cleaned up. Now in the case of CERCLA, I'd say that while it's harsh, it's necessary & justifiable. (Probably not so much so with the prosecution's case against Terry Childs).

  • by Ellis D. Tripp ( 755736 ) on Wednesday February 25, 2009 @12:22AM (#26978593) Homepage

    Very similar to the way that the "street value" of seized drugs is reported after a bust.

    If a large pot grow gets busted, the total crop gets valued as if it were broken down into tens of thousands of nickel bags and sold at retail.

  • by Anonymous Coward on Wednesday February 25, 2009 @12:53AM (#26978761)

    Except from TFA -

    In this statement, the defense asserts that those present during the questioning were simply not qualified to hear the passwords. This impromptu meeting took place at the police station in the Hall of Justice, not in the DTIS offices, and Childs was brought there while in the building doing work on the FiberWAN. Those present included various members of the San Francisco Police Department, representatives from HR, and an unknown group of people on the other end of a speakerphone.

    If this is true, then his refusal to divulge the passwords becomes a lot less problematic from an ethics and security standpoint. You don't give up the master keys to a seemingly random group of people, including those that don't work in the department and some unknown others on the phone.

    To think of this another way, you might not have a problem giving up your Social Security number and debit card PIN number to a bank employee while you're in their office conducting business, but if there were a half-dozen other people in the office too, listening to the conversation, you would certainly think differently.

    Up until now, I'd been under the impression that Childs' refusal to divulge the passwords occurred during a private discussion or meeting with his boss -- not in a situation like this.

  • Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.

    Sounds simple, but could the judge really punish someone if they just used the Reagan ("I don't remember.") defense? This "get out of jail free" card worked again and again for various Bush cronies. I've promptly forgotten entire books of material immediately after final exams myself.

  • by sumdumass ( 711423 ) on Wednesday February 25, 2009 @02:45AM (#26979273) Journal

    I have servers that I set up 10 years ago for small businesses and I'm probably the only one with the passwords assuming they are still running (486 and Pentium II machines running either Netware 3.something or some DOS app). I get calls every once in a while from companies I haven't done business with in over 5 years asking me if I could remember the passwords to the servers.

    I generally type everything out and put it in a sealed envelope within a binder with all the server specs, applications, network diagrams and so on. The problem is that someone has either decided they didn't need it and tossed it or whoever replaced me did something with it and it can't be found anymore. Most of the times, someone changed them and they aren't the same anymore. I think one situation occurred where a company raided an office because a manager was embezzling and the cops never returned the binder. Management leaves or whatever. Sometimes they need it only for data recovery or some sort of migration to a newer system and sometimes they are still using the crap but need to change something.

    Filing the "keys to the kingdom" with the management doesn't always work well so check that they are still there and still current every once in a while.

  • by N1AK ( 864906 ) on Wednesday February 25, 2009 @05:19AM (#26979889) Homepage

    Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them.

    If a salesman is fired, is he breaking the law if he refuses to work for free advising his old company about their customers (Who else do they buy from, What are their priorities, etc)? If an engineer leaves, does he have to produce detailed schematics for anything the company owns?

    If the admin followed the rules he was employed under (assuming the company has a password policy) then I can't see why a password should be treated better than the job related knowledge required in most careers.

  • by julesh ( 229690 ) on Wednesday February 25, 2009 @07:26AM (#26980401)

    Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.

    Why should I be under any obligation to do something for an organisation that is no longer my employer to prevent harm from coming to them? Sure, if it's my job I have to do what they ask me to, and if my negligence causes them harm then I could be in trouble. But if I'm no longer under contract, why should I do anything? Why, in fact, can I not say, "Oh, those passwords? Well, when I left my job with you they were no longer useful to me so I destroyed my copies of them, as security best practices dictate I should do with any confidential information I no longer require?"

  • by furby076 ( 1461805 ) on Wednesday February 25, 2009 @11:14AM (#26981937) Homepage

    Why should I be under any obligation to do something for an organisation that is no longer my employer to prevent harm from coming to them? Sure, if it's my job I have to do what they ask me to, and if my negligence causes them harm then I could be in trouble. But if I'm no longer under contract, why should I do anything? Why, in fact, can I not say, "Oh, those passwords? Well, when I left my job with you they were no longer useful to me so I destroyed my copies of them, as security best practices dictate I should do with any confidential information I no longer require?"

    You are absolutely correct - once they fire you then you are no longer responsible to provide them with any services (unless you signed a contract stating otherwise). Even if it causes their system to fail it is no longer your responsibility. They can offer you money...or they should have thought of that BEFORE firing you (e.g. sending you an e-mail two days in advance stating "please document all systems you have access to, how you access them, including login credentials and all back-door access and get this to us before XYZ date"). If they did that and you neglected to respond, while still employed, then they could have legal recourse. Otherwise....QQ PvP World
