A San Francisco jury found Terry Childs guilty of one count of felony denial of service yesterday. The count carries a maximum sentence of five years in prison. Considering that he's already served nearly two years to date, he may actually be released on parole at his June 14 sentencing hearing, or he may be facing another three years behind bars. His lawyers stated that they will appeal.
Regardless of the particulars of the case, or the deeply technical concepts that probably eluded many of the jurors, he has been convicted of a specific crime referenced by a specific California statute. I've read a few quotes from jurors, in particular:
"Being able to administer the FiberWAN services themselves is a service," said Jason Chilton, one of the jurors, in an interview after the verdict was announced.
[ InfoWorld Contributing Editor Paul Venezia has led the way in reporting the bizarre case of Terry Childs. Consult our InfoWorld special report for a complete index of that coverage. ]
Another apparent juror posted on Slashdot. Naturally, this could be complete BS, but the post appears to be legitimate. The juror claims to be a CCIE with 13 years of experience in the field. He also says that this case should never have been brought to trial:
This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
He continues:
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict.
So assuming this is true, shouldn't the letter of the law be applied to other "denial of service" problems caused by the city while they pursued this case? In particular, the person or persons who released hundreds passwords in public court filings in 2008 be tried for causing a denial of service for the city's widespread VPN services? After all, once the story broke that a large list of usernames and passwords had been released to the public, the city had to take down its VPN services for days while they reset every password and communicated those changes to the users.
The kicker is that the VPN password debacle had immediate and widespread negative effects on the users and clearly caused a service outage, while Childs' actions did not effect users in any way. In light of the Childs decision, it seems to me that this is a chargeable offense, as a service was rendered inoperable due to their actions. You may argue that the release of those documents was a mistake, but people go to prison for mistakes all the time. Negligence is not a defense.
The Slashdot juror concluded his comments:
I am confident that we reached the correct verdict, whether I like it or not.
That may be true, but if so, there are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.
This story, "Rough justice for Terry Childs," was originally published at InfoWorld.com. Follow the latest developments in security, and read more of Paul Venezia's The Deep End blog at InfoWorld.com.