Terry Childs Case Puts All Admins In Danger
snydeq writes "Paul Venezia analyzes the four counts San Francisco has levied against Terry Childs, a case that curiously omits the charge of computer tampering, the very allegation that has kept Childs in jail for seven months and now appears too weak to present in court. Count 1 — 'disrupting or denying computer services' — is moot, according to Venezia, as the city's FiberWAN did not go down due to Childs' actions. Venezia writes, 'Childs' refusal to give up the passwords for several days in no way caused a disruption of the normal operation of the FiberWAN. In fact, it could be argued that his refusal actually prevented the disruption of normal network operation.' Counts 2 through 4 pertain to modems Childs had under his control, 'providing a means of accessing a computer, computer system, or computer network in violation of section 502,' according to case documents. As Venezia sees it, these counts too are spurious, as such devices are essential to the fulfillment of admin job requirements. 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
Too bad "being an asshole" is not a crime (Score:5, Funny)
On second thought, I'd be in for a long stint.
Never mind.
Obligatory KITH link. (Score:4, Funny)
This is a classic [youtube.com]
Re: (Score:3, Funny)
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
that's the point really. His keeping the passwords is really no different than a VP keeping a laptop or company automobile. There are several civil steps that need to be gone through before "keeping" something you were previously entitled to have and protect becomes "criminal".
Consider the case of loaning a car to your long term SO for many years, then the relationship goes south and you show up with the cops to take back the car she's had for several years. Yes, you can get it back, but the cops will tell you to get a judgment first and won't just let you take it. In the same way the new manager saw a "rogue" employee that was cut off, isolated, and anti-social and first tried to illegally fire him. When that didn't work, then he started harassing about the passwords and created a situation with the prosecutor to get the passwords or throw the guy in jail... a leap of about 6 other legal processes.
Like has been said before.. modems and back doors in your office or home office (if expected to work from home/call in) are quite common for admins. VPN access to servers for when they crash is common. Those don't really figure into the "criminal" part because they didn't ASK if he had them and didn't ASK him to return them... packing his cardboard box on the way out the door is not formally "asking". As far as wiping the configs, that was paranoid overkill, but considering how often city office property gets stolen, wiping the config keeps thieves from getting the network settings to the whole thing which is more valuable than any one office of downtime due to power failure.
"keys to the kingdom" passwords are quite common.. I'm the only person at my 1000 person company with ALL of a certain server's passwords plus some network ones. There's a small number of people I would release those to... if I was pre-accused of malicious intention before I even left I'd probably handle the transaction thru a lawyer.
Like he predicted, when the city hired consultants (again not thru a legal means, just some random company to "fix it") and they started breaking stuff they didn't understand isn't his problem... Remember he was accused of "damages" even though the manager had no cause to make that ... the only poor performance he demonstrated was being disgruntled. Assuming he was doing damage and calling the cops is bordering on criminal filing a false report.
The proper course of action would have been for the DA to sue him in small claims court for the password. Make a valid case and allow him his grievance before a judge, then honor the ruling. Then a judge would have thrown him in jail until he talked for contempt... there's no time limit on contempt, so no need to file other charges! Frankly they're not a good lawyer if they didn't think of the simplest legal thing first.
Re: (Score:3, Interesting)
Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.
Re:Too bad "being an asshole" is not a crime (Score:5, Informative)
> Passwords are not property, the city should have gotten them before firing him. Once they let him go they had no reasonable expectation that he would give them any "knowledge" which is all that the passwords are.
Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.
Re:Too bad "being an asshole" is not a crime (Score:4, Interesting)
If a salesman is fired, is he breaking the law if he refuses to work for free advising his old company about their customers (Who else do they buy from, What are their priorities, etc)? If an engineer leaves, does he have to produce detailed schematics for anything the company owns?
If the admin followed the rules he was employed under (assuming the company has a password policy) then I can't see why a password should be treated better than the job related knowledge required in most careers.
Re: (Score:3, Insightful)
Passwords are different because:
a) they are small and trivial to communicate (unlike your examples), and
b) they are (for all practical purposes) essential for the running and maintenance of an important and expensive part of many companies
When a sales company fires a salesman, they can try to recoup the salesman's loyal customers, or they can bear the losses. There will be plenty of others.
When an eng
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
Re: (Score:3, Insightful)
Firstly, the effort required to communicate the data isn't important. Either you work for the company or you don't, if you don't then you are free to choose to do what you wish. I could request that you put "N1AK is awesome" in your signature, is it a crime for you not to perform this trivial act? Would it be different if I used to employ you?
Secondly, there are plenty of things a Salesperson could t
Re:Too bad "being an asshole" is not a crime (Score:5, Interesting)
> Sorry. I'm a lawyer and you're only partly right. Passwords may not be "property" but it can still be potentially harmful to withhold them. If a plaintiff could prove harm or even better, immediate irreparable injury, a court would say give 'em up or go to jail, go directly to jail, do not pass go, do not collect two hundred dollars.
Why should I be under any obligation to do something for an organisation that is no longer my employer to prevent harm from coming to them? Sure, if it's my job I have to do what they ask me to, and if my negligence causes them harm then I could be in trouble. But if I'm no longer under contract, why should I do anything? Why, in fact, can I not say, "Oh, those passwords? Well, when I left my job with you they were no longer useful to me so I destroyed my copies of them, as security best practices dictate I should do with any confidential information I no longer require?"
Re: (Score:3, Interesting)
> Why should I be under any obligation to do something for an organisation that is no longer my employer to prevent harm from coming to them? Sure, if it's my job I have to do what they ask me to, and if my negligence causes them harm then I could be in trouble. But if I'm no longer under contract, why should I do anything? Why, in fact, can I not say, "Oh, those passwords? Well, when I left my job with you they were no longer useful to me so I destroyed my copies of them, as security best practices dictate I should do with any confidential information I no longer require?"
You are absolutely correct - once they fire you then you are no longer responsible to provide them with any services (unless you signed a contract stating otherwise). Even if it causes their system to fail it is no longer your responsibility. They can offer you money...or they should have thought of that BEFORE firing you (e.g. sending you an e-mail two days in advance stating "please document all systems you have access to, how you access them, including login credentials and all back-door access and g
Re: (Score:3, Insightful)
Also, the city had a responsibility to not fuck things up. If somebody steals your car keys and you smash your windscreen (rather than hiring a locksmith to jimmy your lock), you can't sue for damages you caused yourself.
(I'm not a lawyer, that's not advice.)
Re: (Score:3, Insightful)
What's wrong with that? Are you worried because a lawyer issues advice based on the potential for harm (and he therefore, in your opinion, is stupid)? Or are you worried because he seems to think there are situations when withholding passwords might not be harmful (and he therefore, in your opinion, is stupid)? I can't decide from your post, and both options seem absurd.
Re:Too bad "being an asshole" is not a crime (Score:5, Interesting)
Except from TFA -
Re: (Score:3, Insightful)
No one in the room was in Childs' chain of command. His boss wasn't there, nor was his boss' boss, etc. It was a group of random city employees (city police, HR) and random, unknown people on the other end of a phone.
What authority did anyone there have to order him to divulge passwords?
If someone from HR or Finance, even if they're a VP or C*O, came to me and said "Hand over all the network passwords now.", I'd tell them to fuck off too until someone to whom I report said otherwise.
Re: (Score:3, Insightful)
It's not about PERSONAL harm. It's about professional ethics and legal implications. If you were fired from a company, and subsequently went and posted every password you knew on a forum or email list, you'd be sued or charged in a heartbeat.
This is no different in the least -- even if he was already barred from accessing the system, it was still a random group of people whose authority over him and/or the systems was nonexistent, or questionable at best. If he HAD divulged the passwords in those circums
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
Here is the deal as I see it. He's an admin with a bit of an attitude, yet he did his job well apparently. Every time that I'm asked to do inane bs at work, I turn it into a paperwork exercise. That is to say that I am happy to paper the office of whichever vp wants reports and to be in charge. Soon, they ask me to 'just take care of it' as I see fit. Either you want a competent admin or you don't. Once you get one, you have to trust them and work with them, even if there are conflicts of personality. This is simply because you as a vp or cxo cannot replace that person. You are forced to work with them... deal with it.
Positional authority is a powerful thing. If you as a cxo are afraid to give it to someone, get some certs... or perhaps learn to delegate and deal with that.
The fact that this made the level it did in courts is indicative of the fact that management is not willing to give away any power to anyone. In much of this situation, they had no need for what they ask for, and should not have had it.
In the cold light of day, if they gave him that much control, they got what they deserve. When you give someone that much power/authority, you must be nice to them. This is a situation that repeats itself across the globe without end. This particular one just happened to make the news because Terry has big balls.
No matter what happens, this is a simple case of bad management. period.
Re: (Score:3, Insightful)
I think you completely fail to understand something very specific about server administration: You don't own the boxes. Your employer does. Your knowledge of passwords, etc. is so that you can do your job. In every company I've ever worked for I never have the authority to grant or revoke access to a system. I had the capability since I had root access, but that didn't grant me authority. It's not the job of an administrator to decide who does and doesn't have access any more than it is the job of a securit
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
That's not necessarily true. Just like the security guard, if the policy said no one enters the building without ID and a company Badge, then not letting anyone in without either of those is appropriate.
The same can be said about a corporation's bank account or credit card numbers. It's completely ethical and responsible to not disclose those things to anyone you cannot personally verify their right to access the information. Credibility is only a stone's throw from socially engineering the information away from someone. The police in the room could have been attempting to get access to install illegal taps on a public official or anything other than what they were doing. Childs was probably within his rights to demand that he be contacted by the proper people in a manner that he could verify their identity. The mayor was most likely his point of contact and his superior which is why he refused to do anything until he could give it to them.
Here is a thought experiment. Suppose I walked into your building in a uniform of some sort and asked you for the passwords to your servers and access to the server rooms. I gave you ID that matched the name on my uniform and claim I was hired by the company to perform a security audit of the system.
Do you
A- give me access and the passwords
B- tell me to get lost
C- contact your superiors and verify that I am legit then give me the passwords and access
C- is the right answer (even though A happens all too often). But Childs wasn't in a position to contact his superiors or the mayor could have been his superior and instead stated that he would give the information to the mayor. When the mayor came around, he surrendered everything without hassle.
Re: (Score:3, Insightful)
Your rant is only accurate if policy is to give the golden keys that can shut the city's network down to any manager that asks for it. I HIGHLY doubt that such is the case.
Remember, this guy didn't just build a computer for a person and then not hand the passwords over, he was in charge of a public-owned network. I would be aghast if the city had network policies that gave root access to anyone who thought that they needed it, and especially those who were so cocky about it as to ask in a room full of peo
Re: (Score:2)
> The proper course of action would have been for the DA to sue him in small claims court for the password.
Small Claims Court is for... small claims.
Usually anything less than $5,000 in value.
Are you going to argue that those passwords were worth less than $5,000?
Re: (Score:2)
If the title & registration of the car is in your name, yeah, they will just let you go take it. It's provably your property.
Re:Too bad "being an asshole" is not a crime (Score:5, Insightful)
> As far as wiping the configs, that was paranoid overkill, but considering how often city
> office property gets stolen, wiping the config keeps thieves from getting the network
> settings to the whole thing which is more valuable than any one office of downtime due
> to power failure.
When I left my last job as Sr. SysAdmin (they laid me off, for someone cheaper), they were absolutely sure I had left back doors into the network, and that I could sabotage everything. They couldn't find the backdoors (because they didn't exist), and ended up changing the OS on every server. In that beautiful move, they screwed up an awful lot of stuff. Ha!
The funniest part was, some of the people who they kept on were thieves. They were stealing confidential data, and abusing the network for personal gains. It took two more years for them to figure that one out. All I can do now, since I have no involvement in that company, is sit back and laugh. :)
The "keys to the kingdom" were on file with senior management though. Shit happens. I could get hit by a bus. I could get shot in a botched convenience store robbery. I could just decide not to ever come to work because I got a better offer. Why cripple their company?
Re:Too bad "being an asshole" is not a crime (Score:4, Interesting)
I have servers that I set up 10 years ago for small businesses and I'm probably the only one with the passwords assuming they are still running (486 and Pentium II machines running either Netware 3.something or some dos app). I get calls every once in a while from companies I haven't done business with in over 5 years asking me if I could remember the passwords to the servers.
I generally type everything out and put it in a sealed envelope within a binder with all the server specs, applications, network diagrams and so on. The problem is that someone has either decided they didn't need it and tossed it or whoever replaced me did something with it and it can't be found anymore. Most of the times, someone changed them and they aren't the same anymore. I think one situation occurred where a company raided an office because a manager was embezzling and the cops never returned the binder. Management leaves or whatever. Sometimes they need it only for data recovery or some sort of migration to a newer system and sometimes they are still using the crap but need to change something.
Filing the "keys to the kingdom" with the management doesn't always work well so check that they are still there and still current every once in a while.
Re: (Score:3, Insightful)
I'm not really sure what dimension you live in, but in the one you are posting in, you are wrong.
If your SO has a car that's titled in your name and you break up and demand it back by calling it stolen, the police will make them turn it over immediately. There will be no waiting or courts involved as there is no need to be. They may not arrest your SO, they may not charge them, but you will certainly get your car back pretty much as soon as you prove it's yours. It doesn't even matter if you are married,
Re: (Score:2, Interesting)
Re: (Score:2, Funny)
Don't confuse us with facts.
Re:Too bad "being an asshole" is not a crime (Score:4, Insightful)
More like an employee is charged with looking after the office and keeping it secure so they hide the keys. They then refuse to give up the keys to a person who has no need or reason to enter the office. Employee states that they will give up the keys if told to do so by an appropriate person in authority. Employee then gets arrested.
Free Terry Childs! (Score:2)
Free Terry Childs!
Re: (Score:3, Funny)
Free Terry Childs with purchase!
Re: (Score:3, Funny)
*Free Terry Childs must be of equal or lesser value to that of purchased Terry Childs. Must be a California resident to claim prize. Valid only while supplies last.
Re: (Score:3, Funny)
"Warning [physics.uwo.ca]: This Product Attracts Every Other Piece of Matter in the Universe, Including the Products of Other Manufacturers, with a Force Proportional to the Product of the Masses and Inversely Proportional to the Distance Between Them."
Slacker!!(insert severe sarcasm here-It's a joke!) (Score:2)
Then you will never truly achieve 'BOFH' status, Grasshopper.
Open your mind, and the lusers files! It can be beau coup fun!
Transcend your permissions, and make backups of your PHB's pR0n folder-blackmail can be sooo fun!
Become One with the database, there is more exploitable info there than you have time to exploit!
Achieve One-ness with the Network, and your C*O's password-the benefits can be multi-million$'s if played right
Go forth in the world, and achieve greatness! Be Bold!, Be Brutal!, Be Unforgiving(l
When modems are illegal... (Score:5, Funny)
Thankfully I'm stealing my neighbor's wifi, so I don't have to worry about being caught with a modem.
Re: (Score:2, Insightful)
the admin's response (Score:5, Insightful)
> 'If Childs is convicted on the modem charges, then just about every network administrator in the world could be charged with the same "crime,"' Venezia writes. All the authorities would have to do is 'point out that you have a modem or two, and suddenly you're wearing pinstripes of the jailhouse variety.'"
It still beats having to wear a suit to work.
This seems hard to swallow (Score:2, Interesting)
First, this story sounds very one-sided and has quite a bit of sensationalism. Ok, a lot. I'm sure they can charge him with something to the effect of unauthorized access to a government computer system. Nobody's going to be pointing out modems as tools of a crime. That's like saying having a car means you're a bankrobber because bankrobbers use getaway cars.
Re: (Score:3, Interesting)
> I'm sure they can charge him with something to the effect of unauthorized access to a government computer system.
You're sure? How can they charge him with unauthorized access when his only action was to not give them passwords? The passwords were set when he was still employed, and had the authority to do so.
Re:This seems hard to swallow (Score:5, Interesting)
He maintained access to a system which he had no right to access, while refusing to give the owners of that system the means to remove his access in a manner that wouldn't significantly disrupt the service.
Still I have a hard time seeing this as a crime. If an employee won't give you the keys to your vault, then you fire them, call a locksmith and sue the ex-employee for damages. No criminal charges, just civil liabilities. That is what should have happened to Childs, no more no less.
Re:This seems hard to swallow (Score:5, Informative)
He was sprung with a surprise secret audit, and claims he caught the auditor taking a hard-drive, at which point he confronted her. At which point she locked herself in, and called the CIO.
On July 9, 2008 and at all relevant times, Richard Robinson was the Chief Operations Officer of DTIS [the San Francisco Technology Information Services Department]. Defendant unwittingly found himself at a meeting with Robinson in a room at the police station at the Hall of Justice. Present at that meeting were Lt. Greg Yee and Vitus Leung from the City's Human Resources Dept. Waiting outside the room but joining the meeting midway was Inspector Ramsey. The meeting was unorthodox and short on civilities. Defendant was told that he was being reassigned and was asked to disclose the FiberWAN passwords in addition to other passwords. There was no advance notice to defendant of this request. The surrounding circumstances of this request were unnerving and troubling to defendant at best. He resisted this surprise request to disclose the passwords to the FiberWAN, telling Robinson that no one was qualified to have the passwords. Under the pressure of the situation, defendant gave password information that could not be validated. During this exchange wherein defendant was questioned regarding the passwords, a speakerphone was on the desk in meeting room and people were listening in on the other end of the phone connection in a different part of the City.
Would you have given over the root passwords for your network and servers in those circumstances? Especially since you're likely to take the blame and/or get sued if some monkey screws something up and then blames it on you.
As you say, a civil action would have been more than adequate to recover them - he only wanted to hand them over in secure fashion to someone qualified to know them. He did hand them over to the Mayor, "the only person he felt he could trust," a few days later, after he was already in jail.
OK, Childs had a bit of a God complex, but after years designing something that intricate, and being the only 24/7/365 support for a few years due to budget cuts, it's understandable. They've basically charged him for having the tools, access and knowledge to actually do his job.
Ironically, after claiming he was the one threatening the network, the city put the list of vpn passwords they found in his house into evidence unredacted, thus compromising half of the vpn 2-factor security for the entire network, forcing them to reset them all 2 days later; locking everybody out of the vpn access entirely. This was the first network outage since they imprisoned Childs, and was directly caused by the incompetence of the city technical management.
Re: (Score:2)
he had LEGAL means to have those, so the "hacking" point is moot. If they expected him to work late, or work from home, then it was part of his job tools. That access is a civil matter, unless it is PROVEN he caused actual, measurable harm... as he was in jail from the date of accusation, they have absolutely no trail to prove anything.
Again, if that was true your boss could fire you while you're on vacation, and having taken your company laptop and cell for emergencies, then charge you with theft and hacki
Re: (Score:2)
They charge gun owners in their own homes with possession of a tool of crime while serving warrants for other people, so that's not much of a leap.
Re: (Score:3, Insightful)
Re:This seems hard to swallow (Score:5, Interesting)
he set the routers to return to default under power failure. Actually that was a really smart move, these are in city building, probably stolen all the time. The router is only worth a few bucks, access to the network from a stolen router is priceless. The "consultants" tried to unplug them and read the settings to hack in. The routers did EXACTLY what he told them to...
The biggest problem is procedural. This is why companies have audits, why SOX auditors demand documentation and cross training in public companies. The city management ALLOWED him to become more isolated and anti-social. They routinely pulled other people off helping him and allowed him to fly solo for several years and allowed the other employees and documentation to fall painfully behind.
They didn't realize this until a new manager with a "dotted line" to his position didn't like him and tried to summarily fire him.. Then they realized first, Childs won his job back, and second he got to be an employee you "can't fire" because he had keys nobody could take! The prosecutor was dead wrong to take on a case directly from a department manager and not from higher up the HR food chain. Now the prosecutor realizes they bet their career on some petty middle-manager pushing somebody around. They're trying to find something to pin on him so they don't get seriously censured by the court for keeping this guy in jail 7 months.
popular trend in the courts lately (Score:5, Insightful)
If you don't like what someone does, but strictly speaking it's not really illegal, then find something else they did, (something that maybe a lot of people do and get left alone for) that has some silly, overly-broad definitions you can twist, and soak him for that instead. (either as substitute punishment for the former that you can't make stick, or just plain in retaliation for doing something you didn't like)
As usual, the legal system that makes me sick to my stomach some days.
Re: (Score:3, Funny)
Don't be ridiculous... (Score:3, Insightful)
Of course they wouldn't do that.
They'd use that fact as leverage to extract whatever they want from you first.
Plus a quarter million to fix the problem... (Score:2, Interesting)
So not only did he withhold passwords.
And have modems attached to computers.
But it's going to take 250,000$ [infoworld.com] to fix.
Can the defense claim insanity on behalf of the prosecution, 'cause I think we've just hit bat country!
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Very similar to the way that the "street value" of seized drugs are reported after a bust.
If a large pot grow gets busted, the total crop gets valued as if it were broken down into tens of thousands of nickel bags and sold at retail.
Section 502 (Score:5, Informative)
Section 502(c) states in part
OK, "knowingly" makes sense, but "without permission"? The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself? If he made bad decisions, by all means dismiss him, but prosecuting him is unreasonable.
And since they dropped the most serious charge, can we admit his 8th amendment rights were stomped and pissed-upon by the 5 million dollar bail requirement?
Re: (Score:2)
> The man was the network administrator; he was authorized to make decisions about how the network is accessed, it goes along with the job. Who was he to get permission from, himself?
Oh please...
You have NO way of knowing that it was his decision. And it's a government... odds are that he was NOT allowed to make that decision.
I know that in my shop, the network admins do not have that kind of autonomy. They can make all the recommendations they want, but it's not their decision.
For all we know, he may have asked his superiors for permission and they failed to give it, and he went ahead and did it anyways.
Not necessarily (Score:2)
Just because you are the administrator of something, doesn't mean you can do whatever you like with it, or that you have full decision making powers over it. Your employer, contractor, whatever ultimately gets to decide how things work. For example you might feel that SSH is the best way to access servers remotely. However your company might not like that, they want to monitor the traffic, so they insist on telnet over VPN only. You can argue with them, but if they ultimately say "This is the way it's going
Re: (Score:2)
Re:Section 502 (Score:5, Insightful)
After he is let go, he no longer has permission.
However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.
There would be a 4 word phrase for that: ex post facto law. Explicitly prohibited by the constitution.
Along with Bills of Attainder, which is almost what throwing someone in jail without trial for a year with a $5 million bail amounts to, he has been declared guilty by the state and is being punished without trial.
A few years later when he finally gets a trial, they'll say "oops, my bad", and let him go, after using various means of persuasion to ensure he doesn't proceed with any lawsuit for the false imprisonment.
Re:Section 502 (Score:5, Funny)
Re:Section 502 (Score:5, Interesting)
While I agree that what's happening to him is likely unjust, I would like to point out something...
> However, he cannot be prosecuted on the basis of actions he took at the time he had permission to take them.
I have to call bullshit here. Ex post facto laws are explicitly unconstitutional but that doesn't prevent government from passing laws which have ex post facto effects. To anyone who claims that there isn't a distinction, I must say that you obviously are not a lawyer. A good example is CERCLA: The Comprehensive Environmental Response, Compensation, and Liability Act. If you dumped hazardous waste somewhere 50 years ago, hazardous waste which at the time was legal to dump where you dumped it, when you dumped it, you are NOT protected from legal action by the government. You WILL be held financially responsible for getting that mess cleaned up. Now in the case of CERCLA, I'd say that while it's harsh, it's necessary & justifiable. (Probably not so much so with the prosecution's case against Terry Childs).
Re:Section 502 (Score:5, Informative)
You're confounding civil law with criminal law. They are in entirely different ballparks.
New laws can always impose new responsibilities on you, financial or otherwise, and those responsibilities may be increased by your past actions. But they can't change something you did in the past that was within the law from being a legal action to being a crime.
It is either a crime at the time the act is performed, or not a crime.
They're not attempting to hold Childs financially liable. They're attempting to charge him with a crime.
Not quite as simple as that (Score:5, Informative)
He has a right to speedy trial (as per the Constitution). This is a right that defendants can and do exercise sometimes. Basically your attorney tells the court that you want to exercise your right to speedy trial and the judge tells the prosecution "Ok, get your shit ready, this moves forward soon." In California, the speedy trial statute is 60 days. Judges can set a shorter date, if there's good reason to do so, i.e. prosecution isn't gathering new evidence, just stonewalling. So, if his attorney pushed that, he'd have already gone to trial. However, it is also often not done. The defense often wants time to prepare a case, in particular if the prosecution has a good case and the defense needs time to poke holes in it. After all, you don't want to push for speedy trial if it means you won't be ready and you are just going to lose.
So the reason this hasn't gone to trial is almost certainly the decisions of his lawyer. Had the government really had zero case, a speedy trial motion would have been filed and granted and they'd have already lost. You don't see this very often because those cases are usually dropped. A DA would much rather drop a weak case they are going to lose than go to trial and lose it.
Jeeezzzzzussss (Score:2, Insightful)
I can't believe this megalomaniacal prima donna is now somehow the poster boy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Re:Jeeezzzzzussss (Score:5, Insightful)
I can't believe this megalomaniacal prima donna is now somehow the poster boy of the IT people. There were ways for this nutbar to get out of the quandary while still saving his ass. Instead, he holds a network [b]that does not belong to him[/b] for ransom.
Well, it's just like 1st Amendment cases involving pornography, marching down the street in neo-Nazi uniforms or hooded bedsheets, or the like. You have to fight the idiots who would deny basic rights or make a mockery of law unilaterally, even when they go after the dirtbags. Letting them ignore the law when they beat down the unpopular is just giving them a free pass to do the same to you in the future, when it strikes their fancy.
Someone needs a geography lesson ... (Score:5, Insightful)
FTFA:
Who's in charge? (Score:5, Informative)
At a previous employer (this is one of the reasons I no longer work there) my supervisor demanded that I give him all my passwords. I asked him why he needed them; I could give him any specific access he needed on demand.
When I was hired I was given a number of NDAs to sign; one of them specifically covered the process I used to connect to various remote systems, and the passwords I used. My supervisor (with no IT or technical background of course) continued with his demands for all my passwords, for days. After repeatedly trying to explain that even if I was to give him my passwords, without understanding how you use various access levels to accomplish tasks, he could end up causing massive problems.
In an attempt to meet these demands, I asked for a signed release from the specific NDA that covered my passwords and process. He informed me that he did not have that authority, so I asked him how I could honour my NDA if I gave him information I was not permitted to give anyone. BTW my supervisor did have his own passwords, and had a process to have new ones created.
Long story short, I refused and then a few days later I arranged to transfer to a different department. With this case as a guide I would legally have been wrong no matter what I did, glad I'm out of IT right now.
(If anyone cares, I later found out the reason my supervisor wanted my passwords was that his id/passwords had been burned through lack of use and using the wrong passwords. And he did not want his supervisor to find out he had had no access for weeks. His supervisor would have been notified if anyone requested a password reset or new ID.)
Re: (Score:2)
Well in your case, you'd be covered. The problem here isn't specifically with him not handing over his personal passwords, the problem is that he's locking people out by doing so. Now while it is a poor system where only one guy has top access, that doesn't change anything. If your passwords don't stop the lawful owners from getting at their stuff, then there's no problem. The problem is when your passwords are the only way to get at it. Then if you refuse to hand it over, you can be in trouble.
It would be
Re: (Score:3, Insightful)
Yikes. Should I feel fortunate that I've never had a civilian job that required me to "follow orders"? Or am I merely to infer that you are an asshole boss?
Re: (Score:3, Insightful)
I can't tell if you're joking or if you're a douche.
He was following orders. He had a legal agreement with the company not to share his passwords with ANYONE which presumably included his boss. What his boss was asking contradicted that agreement. Since his boss admitted that he didn't have the authority to override that agreement, what he did was 100% correct, even if it did cause his loser boss heartburn.
Had he been fired for that he would have had excellent cause for a big wrongful termination suit. Y
Analysis (Score:5, Informative)
First, I'll remind everyone that the code 502 in question is only applicable in California.
The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."
What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.
Re:Analysis (Score:5, Interesting)
The other possible outcome is that they'll say that he had permission to configure access, but when that privilege was renounced, that he should have removed remote access... in which case, I question how they would ever expect to let anyone go if they would have to go through such trouble each and every time?
The truth is that often enough, companies don't change passwords, or at least not all of them, when a Systems Administrator leaves. Even in very small shops, it is very difficult to keep track of all the places passwords might be hiding, where remote access might be left enabled. For other employees, it isn't as tough, they might have access to one or two systems, but for an SA? You might never be able to lock them out completely, and simply rely on trust, morals, and the law. For instance, an SA might have set up a router just to test new IOS releases on, test, etc. Nobody else would have used it other than that SA, and nobody else would have known of it or thought of it. Such a router could be on the network for years without being noticed. Such issues will only become more apparent with "VM Sprawl", where you might have thousands of virtual machines. Without strict auditing, and even with it, you'll easily miss a stray virtual machine floating out there.
The point is, once you give someone access to your network and your systems, to the level that a CTO, Senior Systems Administrator, or Network Administrator might have access, you can't ever be certain of locking them out of your systems, and you shouldn't be able to punish them for not remembering to lock themselves out -- only because it is too easy to make such mistakes or to have such oversight.
Personally, whenever I've left a job, I've done my best to forget everything possible that was specific about their configuration. I'd rather not remember the IP addresses of their machines, their passwords, or anything else -- there is too much liability.
Re: (Score:3, Informative)
That is the second time I have seen ex-post facto used this way in this thread. I'm not a lawyer, but I have always understood ex-post facto to refer to laws that are enacted after an action occurs that changes the punishment for that action. That hasn't happened here - AFAIK the laws were already on the books when he set up the routers.
welcome to slashdot (Score:2, Insightful)
where the most pedestrian news is given the most ridiculous fear-driven spin, made front page in breathless write up, and a bunch of yammering legal ignorants will ape right along
and then these same people will ridicule stereotypes outside their domain who supposedly fall for propaganda and hysteria all the time
take a look in the mirror friend
no, slashdot, this case does not set the precedent you believe it does
CONTEXT. it's a magical concept. consider it some time
Hysterical overreaction (Score:2)
I posted this in response to the Groklaw Summarizes the Lori Drew Verdict [slashdot.org] article, but it's 100% valid here as well:
Look, the fact is, if The Man wants to get you, The Man will get you. It doesn't matter what the laws are, exactly - they'll find something to hit you with.
That was true before the Lori Drew trial (Terry Childs charges), and it's true now. The precedents set by this case in no way make being on the internet (owning a modem) one bit more "risky". If you don't do anything to bring down the wrath
Re: (Score:2)
And complaining about that is a hysterical overreaction? WTF?
Re: (Score:2)
Complaining that this case "puts all admins in danger", or that you can now be thrown in jail for owning a modem, is a hysterical overreaction.
Re: (Score:2)
Not really. (Ab)using laws sets precedents. If the guy ends up going to jail for just owning a modem, then how is it an overreaction to say that you can be thrown in jail for owning a modem?
Re: (Score:2)
If I saw someone acting so suspiciously I would also confront them. If it isn't your job to pull apart computers full of confi
The city also runs the jail system so that speeds (Score:2)
The city also runs the jail system, so that speeds that part up; outside of a city things likely do not go that fast.
A Moot Point ? (Score:4, Funny)
Count 1: disrupting or denying computer services is moot
Joey: It's a moo point ... like a cow's opinion, doesn't matter ... it's moo.
Rachel: You mean a moot point ?
Joey: No...no, a moo point
Information is not property. (Score:2)
So what if Childs is an asshole, it's his right as an American to be one.
Boo-hoo if the SF IT dept risk management plan couldn't handle a rogue employee refusing to give up the password.
It's a pretty dangerous precedent if people can be legally forced to disclose information against their will.
Isn't that what the 5th amendment was for?
Prosecutor: ...Yes
Does your mother have AIDS? YOU MUST ANSWER
Witness:
Prosecutor:
BURN HER AT THE STAKE!!!!
Yay McCarthyism
Sounds kind of like the "Criminal tools" charges (Score:2)
Future sys admin dialogue? (Score:3, Funny)
Tony: Hi Mike, how ya doin'? How was Joliet?
Mike: Oh, it was bad. Thursday night they'd serve a wicked pepper steak.
Tony: Can't be as bad as the cabbage roll at the Terra-Phelavo penn.
Steve: Or that oatmeal at the Cook County slammer.
Tony: Well, they're all pretty bad.
Re: (Score:2)
no, it didn't. The manager hired contractors to try to prove Childs was causing "harm". They couldn't crack the password, and when they unplugged the routers the settings were wiped and needed to be uploaded. They didn't have those either. The manager CHOSE to break 2-3 offices and make the problem worse. That wouldn't hold up on Judge Judy, let alone actual court.
Re:Ouch. (Score:5, Informative)
No. Wrong. Incorrect.
He used the Cisco IOS command "no service password-recovery." Normally, with physical access to the router and a reboot, you can gain access to the router configuration file. "no service password-recovery" turns that function off.
HOWEVER, it DOES NOT WIPE THE CONFIGURATION FILE. It simply makes it impossible to gain console access to the router unless you swap out the flash memory. When you reboot the router, the magic key combination doesn't work, the router boots up, and all is as it was before.
Sigh.
doctorcisco
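As an added example (not part of the thread or any poster's code): one way to inventory saved IOS configuration backups for the `no service password-recovery` setting described in the comment above, and for lines left with modem dial-in enabled, the kind of forgotten remote access raised earlier in the thread. The sample configs, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample configs; hostnames, secrets and settings are made up.
SAMPLE_CONFIGS = {
    "core-a.cfg": """\
!
hostname core-a
no service password-recovery
enable secret 5 $1$constructed$placeholderhash
!
line con 0
line aux 0
 modem InOut
 transport input all
line vty 0 4
 transport input ssh
!
end
""",
    "edge-b.cfg": """\
hostname edge-b
service password-encryption
! no service password-recovery   (commented out, must not match)
line aux 0
 no exec
line vty 0 4
 transport input ssh
end
""",
}

def parse_sections(text):
    """Group an IOS config into (top_level_line, [indented child lines])."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines and '!' separators/comments.
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line.strip())   # child of previous section
        else:
            sections.append((line.strip(), []))    # new top-level statement
    return sections

def audit_config(text):
    """Report settings that matter when an admin's access must be handed over."""
    sections = parse_sections(text)
    top = [head for head, _ in sections]
    hostname = next(
        (h.split(None, 1)[1] for h in top if h.startswith("hostname ")), None
    )
    modem_lines = [
        head for head, children in sections
        if head.startswith("line ")
        and any(re.fullmatch(r"modem (InOut|Dialin)", c, re.I) for c in children)
    ]
    return {
        "hostname": hostname,
        # Only a live top-level statement counts, not a commented-out one.
        "password_recovery_disabled": "no service password-recovery" in top,
        "modem_lines": modem_lines,
    }

def audit_all(configs):
    return {name: audit_config(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_CONFIGS).items():
        print(name, result)
```

Run against a directory of real backups by reading each file into the dictionary passed to `audit_all`; devices flagged with password recovery disabled are the ones where credential escrow has to exist before anyone leaves.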
Re: (Score:3, Interesting)
During voir dire the lawyers probably asked if any of them were network professionals and dismissed those that were.
The court wants only the presented evidence and facts to enter the case, not the external, uncontrolled ideas of some hacker ranting in the jury room. When I served on jury duty, the judge made it plain that in that case the law was only what he told us it was. We weren't to consider things from outside of the courtroom.
It's kind of like designing code. He's trying to minimize external
Re: (Score:2)
jury of one's peers n. a guaranteed right of criminal defendants, in which "peer" means an "equal." This has been interpreted by courts to mean that the available jurors include a broad spectrum of the population, particularly of race, national origin and gender. Jury selection may include no process which excludes those of a particular race or intentionally narrows the spectrum of possible jurors. It does not mean that women are to be tried by women, Asians by Asians, or African Americans by African Americ [thefreedictionary.com]
Re: (Score:2)
I want you on my juries. It's good to know some people actually take their oaths and admonitions as jurors seriously.
In fact, the more I think about it, the more I would like a very technical oriented individual as a juror, since they're more likely to follow the rules given to them for a specific situation, and logically apply the facts they see to those rules.
Now if only jury venires tended to have people in them other than those without jobs.
Re: (Score:3, Insightful)
The Terry Childs case reminds me of 24. A corrupt government analyst exerts pressure on a techie to give up a password, which is promptly used for illegal activity. Then the innocent techie gets fucked and Jack Bauered. Yeah. Give the password to any boss figure who asks. That cannot go wrong.
Re:Puts all admins in danger of... (Score:5, Insightful)
"By withholding information about the configuration, he stole from his employer on the way out."
I don't know about this Terry Child fellow or anything to do with what he's alleged to have done. But that is one bat-shit insane sentence.
Are you saying that an individual cannot just quit his or her job and walk out the door? And if they do should rot in jail and be stripped of all possessions? On the basis of a private company's say-so? WTF?? Who the fuck modded this bullshit up??
They fired him, he walked...but he's forever beholden to them and every employer he's ever worked for because he holds some knowledge about their network?
What a fucked up world you live in, sorry but you're a little fascist, any individual, from the CEO to the Janitor has every right to leave a position and never look back, if the world implemented your policy we'd all be too terrified to work for anyone! Some HR schmuck wants to fuck with you after you leave, HE DIDN'T TELL US SOMETHING WE NEED PUT HIM IN JAIL AND STRIP HIM OF HIS POSSESSIONS! Jafiwam demands it!
You the only IT person for a small company and want to quit? TOO BAD! Don't dare walk out the door, if you do according to Jafiwam the little fascist you deserve to rot in jail and have all your possessions stripped away from you. Oops didn't document what that script does, STEALING! JAIL FOR YOU. Didn't tell them about that Cronjob before you left? STEALING! Didn't document that object properly, didn't let them know about that revision, didn't pass on that message? STEALING, STEALING, STEALING!
Didn't write a 2000 page manifesto brain dumping every tiny little bit of trivia and knowledge that you have about their business, STEALING!
The idiocy is truly unbelievable around here sometimes.
Re:Puts all admins in danger of... (Score:5, Insightful)
What was the ransom he demanded? How was a network with zero downtime rendered useless?
The code, hardware, and configuration all belong to his employer. By withholding information about the configuration, he stole from his employer on the way out.
They had the configuration. They could pull out the flash card with the configuration on it and put it in a new router and it would work great. Of course, without the passwords, they couldn't log in to see it, change it, or any of that, but that didn't prevent it from being 100% operational, as well as being something that could be backed up, replaced, and all that without problem.
He fucked himself and he deserves what he is getting.
He was fired, then after being fired, was asked to fulfill an obligation to an organization he no longer had an obligation to. He may not have been professional. He may have been an ass. But he did nothing illegal, let alone criminal. If they threw people in jail just for being asses, I'd nominate you to be at the front of the line.
Re: (Score:3, Informative)
No network administrator is going to be at risk for anything as long as they play nice and don't pull crap like bringing a city's network activity to a screeching halt just because they're pissed off or whatever.
If that was the case, then Terry Childs wouldn't be under arrest. Despite the impression you may have gotten, he didn't bring the "network activity to a screeching halt" - it carried on working perfectly, and I think even the city eventually admitted this. (You've probably been reading misleading news reports based on equally misleading press releases by the city.)