On Friday, more than a year after Terry Childs's arrest, the judge in the case threw out three of four charges against the former network admin for the City of San Francisco. The three dismissed charges were related to the modems that the prosecution claimed were clandestinely placed by Childs in order for him to control the network remotely. As I've been saying for the last year, these charges were simply ridiculous -- the modems used by Childs in this case were standard operating procedure for any network admin worth their salt. In fact, Childs would have been derelict in his duties if these modems weren't present. Finally, reason prevailed, and the charges pertaining to the modems were dismissed.
But one charge remains: the charge that Childs violated a California statute regarding illegal denial of service for the San Francisco FiberWAN. This is a sticky wicket. The statute was originally conceived and written to provide a legal platform to prosecute crackers who might bring down computing resources for the purposes of vandalism, profit, or other chicanery. The statute was meant to address a third party who knowingly disturbed and compromised the normal operating status of a computer system or network.
The statute could address a cracker who organized a DDoS attack against a Web site or one that surreptitiously and illegally gained access to a server and crashed it, altered it, or otherwise interfered with the normal operation of that network or system. But can that statute apply to someone who was hired and paid by the government to build, maintain, and repair that network, especially given that no damage was done, no resources were denied to any employee, and the network suffered no downtime?
One could say that yes, Childs's refusal to divulge the passwords to his superiors was tantamount to a denial of service, for a narrow interpretation of "service," but the same argument might be made that Childs actually prevented a denial of service -- an illegal act -- by refusing to hand over those passwords.
Let's create a hypothetical using the trucking industry as a parallel: A trucking company owns many jointed trucks (semi-tractors) and trailers. It also employs many drivers, as well as managers for those drivers. In the United States, it's illegal to operate a jointed truck without a commercial driver's license (CDL). The operation of these large trucks is simply too complex and difficult to allow anyone without a CDL to drive them. These laws exist for the safety of everyone concerned -- nobody wants to be on the same highway as an 18-wheeler with an unlicensed and highly dangerous driver.
Now let's say that the trucking company has fired all the drivers, except for one. The remaining driver with a CDL is brought into a room with his manager (who doesn't have a CDL because his job doesn't involve driving these trucks), and his manager demands that the driver give him the keys to the truck, as the manager intends to drive the truck from now on. The driver is in a quandary: The company owns the truck and technically owns the keys. His manager is demanding that the trucker give him those keys so that the manager can drive, but the manager doesn't have the license, skills, knowledge, or experience to accomplish the task, and allowing the manager to do so may endanger many people, not to mention the truck.
What's the trucker to do? In this case, if the trucker gives the keys to the manager and the manager illegally operates the vehicle, causing harm or damage, the trucker could be considered an accomplice -- he allowed the manager to perform these acts by relinquishing the keys.
But trucking is an established industry, one with long-standing laws requiring specific skills to operate the machinery. There are no such laws preventing the unskilled and incompetent from operating high-end network equipment. Anyone with a computer and a password can log in and wreak havoc.
It's also quite interesting to compare the Childs case to Sheriff Joe Arpaio's armed takeover of Maricopa County's Integrated Criminal Justice Information System. The Maricopa (Arizona) County Sheriff's Office sent armed deputies to raid the offices of that computer network and gain administrative control. On the face of it, this would fit the bill of "denial of service" as put forth by the San Francisco DA in the Terry Childs case. While the network didn't go down, the deputies essentially gained sole control over the administrative functions of the network from the network's owners, much like Childs had when he refused to relinquish the passwords -- but they weren't employed to handle the operation and maintenance of the network, and they did it with armed force. Which is the real crime?
It's likely that Childs will be released from prison if his new bail reduction motion is granted. He's been in jail for 14 months on $5 million bail. He will go to trial for the remaining charge within 60 days, and it's possible that this story may finally come to a close.