August 24, 2009

Terry Childs still faces one charge -- one he shouldn't face

After 14 months in jail, Childs now stands accused of a single charge of violating a 'denial of service' statute that shouldn't apply here

On Friday, more than a year after Terry Childs's arrest, the judge in the case threw out three of four charges against the former network admin for the City of San Francisco. The three dismissed charges were related to the modems that the prosecution claimed were clandestinely placed by Childs in order for him to control the network remotely. As I've been saying for the last year, these charges were simply ridiculous -- the modems used by Childs in this case were standard operating procedure for any network admin worth their salt. In fact, Childs would have been derelict in his duties if these modems weren't present. Finally, reason prevailed, and the charges pertaining to the modems were dismissed.

But one charge remains: the charge that Childs violated a California statute regarding illegal denial of service for the San Francisco FiberWAN. This is a sticky wicket. The statute was originally conceived and written to provide a legal platform to prosecute crackers who might bring down computing resources for the purposes of vandalism, profit, or other chicanery. The statute was meant to address a third party who knowingly disturbed and compromised the normal operating status of a computer system or network.

[ Read InfoWorld's jailhouse interview with Terry Childs. | Follow the Terry Childs saga in InfoWorld's special report: Terry Childs: Admin gone rogue. ]

The statute could address a cracker who organized a DDoS attack against a Web site or one that surreptitiously and illegally gained access to a server and crashed it, altered it, or otherwise interfered with the normal operation of that network or system. But can that statute apply to someone who was hired and paid by the government to build, maintain, and repair that network, especially given that no damage was done, no resources were denied to any employee, and the network suffered no downtime?

One could say that yes, Childs' refusal to divulge the passwords to his superiors was tantamount to a denial of service, for a narrow interpretation of "service," but the same argument might be made that Childs actually prevented a denial of service -- an illegal act -- by refusing to hand over those passwords.

White Paper

D2D Virtual Tape Library Replication Primer

This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.

Download now »

White Paper

An Alternative to Virtualization for Datacenter Cost Savings

Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.

Download now »

White Paper

Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network

The emergence of WLANs has created a new breed of security threats to enterprise networks.

Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Download now »

White Paper

Bringing the Edge to the Data Center

Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.

Download now »
richij 24-Aug-09 8:28am
There's a roundup of reactions to this story -- including this one -- over at Computerworld.
fushigi 24-Aug-09 9:52am
"He will go to trial for the remaining charge within 60 days, and it's possible that this story may finally come to a close."

It may go away for us, but let's face it: Childs will be black-listed and probably for life. I wonder what kind of civil suit will be filed once the final charge is thrown out in court.

DL 24-Aug-09 10:40am
What a massive display of management incompetence and prosecutorial abuse. If Childs did not commit a crime, he has been wrongly imprisoned by the city of San Francisco for over a year and there will certainly be some sort of compensation paid by the city to offset the violation of his rights. If the city is wise they will drop the remaining charge and try to buy him off. Hopefully, the district attorney will get some significant face time with the ethics committee of the California Bar Association.
OldTechie 24-Aug-09 12:02pm
1 reply
I don't know the details here, but following the analogy offered about the truck driver, someone is due for a long stretch in jail. If I am the owner of the truck and request the keys, you MUST give them to me. You are not complicit with what I do with them unless you have clear knowledge I would perform an illegal act (and then there are other avenues to be pursued). It appears he was an employee and not the owner of the network, and must surrender control to the duly authorized organization's representative. Gosh, there are so many important issues in front of us, let this petulant fellow deal with this mess on his own.
Paul Venezia 24-Aug-09 2:04pm
1 reply
Ah, but who is the owner of the truck? The manager, or the owner of the company (in this case, at least the CIO or the mayor)? Note that he did give the information directly to the mayor...
ehloise 1-Sep-09 11:19pm
1 reply
Really, dude, you flew across the country to interview TC and became his punk through an inch of bullet proof glass. Surely you must have wanted the relationship. Maybe you are just a sucker for any guy with a california demeanor, bro. His boss owns the truck more than he does. No, not the CIO or mayor is required. I mean really dude. If a CIO had to handle every IT complaint and password issue, and the mayor? His IT supervisor had every right to ask for root passwords to the network devices. It is very clearly stated in the SF password policy that system passwords are to be kept in the global password management database. It only says to keep your personal password private.
dudewhackbro 3-Sep-09 8:30pm
1 reply
???? There is no "global password management database." Like lots of things in SF government, it exists only as a concept. I work there. I know.
ehloise 6-Sep-09 12:58pm
That isn't the point. Of course there's no such thing. Usually this is just an envelope with a piece of paper in a safe or locked manager's drawer someplace. The point is that the spirit of the policy is that system passwords should shared so there isn't a single point of failure. The root password to a company network is not "your" password. This is key to understand where he crossed the criminal and civil liability line. Even if you are the fire truck head driver, the key to the truck is not yours. It belongs to the city. TC was negligent in not following the policy and keeping this password someplace shared among the management. It went from negiglence to criminality when he refused to give it over.
RPA 24-Aug-09 1:00pm
Mr Venezia, I really appreciate the fact that you've dug into this case, and gotten below the tabloid headlines. I don't buy your truck analogy, though. You could simplify the analogy to some degree, and postulate what would happen if Mr. Childs was asked for the physical keys to the server closet by his manager, knowing that his manager was likely to go in there and accidentally kick the plugs out. The bottom line is that, even assuming the best intentions on Mr. Childs part, he has no authority to refuse that request -- it's not "his" network. That said, I'm really glad to have your perspective on this story, and I do sympathize with Mr. Childs. Thanks for your coverage.
BigRonG 24-Aug-09 1:25pm

It is NOT the equivalent of giving someone the keys to the IT closet. Handing passwords over is the equivalent of permission to use. In the truck example, the manager had explicitly said that he/she intended to 'use' the truck. It will be interesting to see if the same standard is applied to the sheriff. Of course, the court must take into account that the sheriff has guns and a small army whereas the network administrator was simply a geek. Where was Homeland Security when the sheriff was on the rampage? Seems like it might be construed as 'home-grown terrorism'. Anyways, I also disagree that Childs will be black-listed. I have known many asshole quirky wizards whose technical expertise kept them employed even in down times.

Regaug 24-Aug-09 1:50pm
As someone with 18 years experience in IT administration, I thought the truck driving analogy was fairly accurate, if you compare the safety of the public on the road to the needs to the users on the network. However, it should be noted that the quandary situation does not exist until the manager creates it by asking for the keys. When you analyze things down to brass tacks, the only crime that Mr. Childs is really guilty of is insubordination, and the manager(s) in question were too incompetent to handle the situation as such.
Carl Street 24-Aug-09 2:10pm
1 reply

The truck analogy is totally flawed. For it equates operation of a motor vehicle with that of network admnistration.

A more apt analogy would be should the captain of an airliner turn the operation of an airliner in mid-flight over to the head of the company just because he owns the plane?

Or should a surgeon allow the non-MD administrative head of the hospital perform brain surgery because of his rank?

If you agree to the latter, let us see you book yourself into SF General for brain surgery -- you need it... :)

Paul Venezia 24-Aug-09 2:32pm
I entertained those analogies and a few others, but they're missing a critical component: the key, or password.
KEN 24-Aug-09 3:31pm
As someone who has had to work with the City of San Francisco and read this whole story I feel for Childs. The entire bureaucracy is filled with incompetents that are trying to build personal empires with no thought to the outcome. No one there seems smart just political and ambitious. I can see why he would become defensive of his network.
GreeneConsulting 24-Aug-09 4:18pm

It still seems to me that one thing read early on was that Childs wasn't just support tech he was the MAIN tech and partly the designer on that net work and was the only guy on call for that system so that's a lot for one guy in the city the size of SF and trust me I done some of the same on smaller scale but still anyone can see this guy was doing his job but for the pass word fiasco, Now early this year I had something of the same problem i was ask to set up server to small business but it was like we need it now and so i did what they asked adn gave them my list of need parts like a VPN Router adn Appiance fire wall adn a top of the line secuirty suite I got Blink in stall on the main 4 billing systems and the server and all was working well but the server was not fully on line till i got the hardware I wanted adn was said i was going to get .
They plan out to add 8 laptops to the mix for field work and they wanted them set up in a few hours i told them no that isn't how you send any laptop that will have personal client info on them or access and they agreed to let me set securing them. the next day I got note about the server not giving them access to the internet and told them I need more info but came in and look at the system after hours the system was fine an I could not see any problems but for still the need to get the hardware. The next day the Admin and CEO called asking for the passwords to add to the list as he was updating it. I saw no problem in this as he is the guy who owns the company and i did not think he would use them as he was not very computer savvy and I did think anything wrong with it ..Later that day I remote in as I did everyday to find Blink was gone from the Server.I was in shock the main protection was gone and one of the main billing systems was still showing attacks that night and we had showed him this. i called him and said the is problem and that Blink was gone and he said yes i de-installed it I was speechless I didn't scream till i got off the phone i said that is wrong you just don't open you self up why did he do this and he said because one program couldn't get online for doing billing ...WT!!! I said sir all you need to do was tell Blink to let go online .. he said I didn't know how .. I didn't even go in i just wrote it off as this was a medical billing and if anything was hacked I wasn't going to to go down for it we cancel the contract and that hurt at is a good 20K to 30K but I don't go to jail for some else being stupid. this why Childs didn't want to give the passwords that have no clue as to how the system runs and what is need to run it Childs did right in my eye and I hope sues till SF bleeds lets 14 month and he could bill how much an hour? oh that's going to hurt SF HARD! this last charge isn't going to hold as the system never went down and all the hard ware and account her had were normal and I can understand how he want to make sure people that didn't even know why modem would be hook to that system or why he had a pager to tell him a system need to be looked at I mean if these people were some who never have driven a car would you give them keys to drive off a city like SF?
these people want the passwords to a system that runs everything in SF and they had no clue as to what was need to make it run and it shows by not knowing why Childs had the right equipment set up to run thing from anywhere as he show be able to. I just tempted to just show up at the court to testify to this fact and I think ANY of those of us that are Tech's and in charge of Any large system needs to be there as well as what ever is the out come we will be effected as well and we need to make sure Childs Wins and get his day to sue their butts.

MahatmaGandu 24-Aug-09 7:28pm
1 reply
Well, the argument about the truck driver being licensed brings up something I've been arguing for sometime now: IT techs should be licensed professionals just like engineers, CPA's, doctors, and etc. It's amazing that an auto mechanic has to be licensed to work on a $1,500 used car but literally anyone can find their way into working with millions of dollars worth of computer equipment that can affect millions of people. The investment bank I used to work at had totally uncertified people working on systems responsible for billions of dollars in daily transactions. Common sense calls for a common standard for IT and that means licensing. It would increase the value of our work and it would also serve to prevent unlicensed asshats called 'management' from pursuing ego-driven agendas like what Terry Childs tried to defend from. Childs, IMHO, is a hero and I hope the city of San Francisco pays dearly for what they have put him through.
zornwil 25-Aug-09 2:01am

I would say "common sense" shows how we you're right, it's absurd a mechanic has to be licensed to work on a $1,500 used car (and my father was a mechanic). And in the IT world, I've seen little if any advantage to certified staff versus non-certified staff, as well as little real sense to requiring certification for most positions. But that just shows how common sense isn't the same for everyone.

However, in regard to public systems which have real impact on life and death functions and such, there is a solid notion here in requiring some form of certification or evidence of suitable skills/achievement for operators.

None of this justifies Child's actions, in a job sense, though. He may escape legal action as there is no applicable statute (I don't think the denial of service law should be misused in the fashion it seems to be here, just as I don't think RICO should have been misused beyond its intent despite its clear success in legal terms, laws should be used as intended, not stretched and distorted), but I'd think simple property laws would apply here, although as the state I would drop the charges for an absurd 14 months in jail - this absurdity is a common, serious problem with the legal system.

cmr1060 25-Aug-09 6:32am
I had the same type of situation when leaving a law firm. I would not receive my last paycheck unless I gave the Office Administrator/business partner the passwords. I had the senior partner step in and asked him what should be done. He suggested that they be in a sealed envelope and given to a qualified person. The QUALIFIED person used them to gain access to the Admin server and proceeded to let people know what the partners were being paid along with year-end bonuses. I had warned them about that.
maryannf 27-Aug-09 6:38pm
1 reply
It's obvious why Paul V panders to disgruntled admins; it's his readership in this second tier "news" source. It's yellow journalism, certainly, sensationalizing something so blatantly criminal as martydom by a sysadmin. Sure the modem issue is like proving rape; you have to prove malice/lack of consent. He said; she said. But as soon as he refused to turn over the keys to, metaphorically speaking, the town's fire trucks, he became guilty of a crime. He knew the effect of what he was doing, and he did it anyway. Of course, you service includes the ability to respond to network problems. All networks, generally run 99% of the time. Our job is to be there the 1% they don't, and if a fire had started in the network, it could have been even more disruptive. But all work stopped to respond to what this knucklehead did knowingly, and he is culpable for it. His lack of cooperation also means he has caused a serious outage while they change every password at the very least to every service, application, device, user, and computer. They really need to do more to stop some one with insider knowledge and proven premeditated maliciousness. It is the precisely the password issue that sealed his fate. But in a civil trial, the full context of what he did, what was found in his house, testimony can be heard in full. The larger scale of his malice will be proven there. Remember, OJ got off on the criminal charges, but he was proven culpable in the civil trial. No, the only person making the ridiculous argument that he was actually maybe stopping a DoS by not giving the passwords to his boss is Paul V. It is nonsense. You do not own the network, the organization and it's agents do, as in your superiors...not just the mayor. If Obama had to respond to every disgruntled postal worker's daily complaints because they didn't like their boss, what would happen to government? Yeah, whenever I go on vacation, I give the boss a sealed envelope with my critical passwords that are not commonly known by the team. That's just professionalism. If I told the boss I am not giving you the passwords when the switches are password change resistent, or a folder is encrypted with the password, I am guilty of a criminal offense. This is precisely what TC did, and it seems obvious it is the issue that the judge is going to convict on.
Elstubert 14-Sep-09 4:19am
1 reply
Maryann, I am curious about your comments, I had to look pretty hard to find information about this story as it has a lot to do with my job and dilema's I experience daily. It would seem to me that you would have to as well and that make me curious since you labeled this a 'second tier "news" source'. If you don't give the story credence why are you looking into it? What is your vested interest in following this story through an alternative new source? If you agree with the party line why search this story out? Also who would you have held accountable had Terry given his passwords up and someone unauthorized was able to gain access to Government databases of Personal, finacial, or even Criminal information?
maryannf 1-Oct-09 9:22pm
2 replies
I'm as vested as any other worker that has to face these issues daily. The problem is that due process means that reputable news sources only report the facts, such as SF Gate. The bloggers take advantage of the fact that the police, SF, or DA aren't going to talk about the case so they create this idea of government conspiracy. It is nonsense. Thousands of people have lost their jobs, homes, everything, and this guy thinks he didn't do anything wrong. The real problem is not even that TC got egomanical for me...that happens...rarely to this extent of criminality...but the job can be stressful. My problem is that cult following that can't see the criminality in this. It is hard enough to enforce ethics in something managers don't understand without bloggers telling a bunch of half truths when the reputable sources who follow jouralistic practices, writing of who, what, where, when and leave the bias out and for due process, much of the details. You can google and find tons of hits for Terry Childs. You don't have to search far for this story or the bits and pieces of testimony that have been posted. Your question about "unauthorized" is irrelevant. As you can find in his assistant's testimony, the management spent months trying to get the passwords out of TC. When they finally said give them up or else, he had to or he was breaking the law. It doesn't matter if a secretary was in the room. Once the mgmt had them, they could change them to something secure where the secretary wouldn't know them...chicken or the egg...
Elstubert 7-Oct-09 11:24pm

Mary Ann,

I am now confused. Thousands of people lost their jobs? homes? everything? Do you blame Terry Childs for the economic slump? What Terry Childs are you talking about. Most people here are aware of the particulars regarding the evidence "or lack there of" in this case. I would be willing to bet that more jobs were made then lost, since so far as I know only Terry Childs himself lost his job. I am sure they had to hire minimum 2 if not more people to do his job. Of course since the people that would be hired probably were worried about working somewhere that doesn't just fire you, but has you arrested, surely they negotiated top dollar at the taxpayers expense before taking the job.
As far as the exact timeline I would like to see an info graph on the events that took place, as far as I know though Terry gave up his passwords to the SF executive on his very first opportunity.
I see you don't understand the concept of secret information so try this out, when you are at the bank shout out your SSN#, account#, address, birthday, maiden name, and whatever other private information of yours to the teller. This will insure that some other bystanders hear and introduce you to the wonders of identity theft, of course this is only your private information that you will be giving up. But it will give you an idea at what was potentially at stake. Terry Childs network had thousands of peoples lives, their accounts, their jobs, their critically important data running on the network he was charged with safe guarding. You would have him turn this over to people who had no idea what to do with it? They needed his help just to enter the passwords.
Terry didn't cost thousands of peoples jobs or home, but his actions at a detriment to himself may have saved their jobs, homes, and lively hood.
Say hi to Gilligan for me.

Paul Venezia 8-Oct-09 9:28pm
"Maryannf" please do contact me directly. I'm very interested in your take on this and your stated positions, and perhaps what has caused you to comment on this story and only this story over the past few months.
Elstubert 14-Sep-09 4:08am
Paul, Thank you for covering this story, there are a lot of people who are ignorant of issue's IT's face. A "manager" usually does not understand the technical complexities of a network and an IT's good judgement frequently comes into play on what is right or wrong. I haven't seen anyone mention it but what about the legal ramifications had he given up the passwords and the data on the network was made public or attained by shady character. Privacy data, social security information, criminal trial information financial accounts for the city. Did the manager requesting the data have any idea what they would be accountable for just by have the keys to the kingdom? More then likely they got their jobs through the good ol boy network, or attrition and didn't know what they were getting into. But thanks to Terry's actions the only tradgedy was that his life has been severly harmed, and the state, i.e tax payers will likely be paying him some deserved recompence.
conanhw 19-Oct-09 3:33pm
I agree that the Bail is probably too high. On the other hand, I would not as senior Network admin, ever hire him or approve work with any firm or company which did. If my non-technical manager asked for passwords or keys and I didn't provide them, I would expect to be fired and prosecuted and blacklisted. No admin should have the power or ability to hold a company or city hostage.

Sign up to receive InfoWorld Resource Alerts

Subscribe to the Today's Headlines: First Look Newsletter

Find out what will be news for the day, with our first-thing-in-the-morning briefing.

©1994-2009 Infoworld, Inc.