How the Terry Childs case could harm password security

Judge McCarthy may be redefining the term "user" -- and that could make it harder for IT to safeguard passwords

A little over a week ago, Judge Kevin M. McCarthy dismissed three out of the four charges against Terry Childs. However, in the decision explaining why he retained one charge, for "denial of service," McCarthy may be redefining the term "user" as it applies to computer networks. In doing so, he could be opening a Pandora's box that would make it impossible for IT to safeguard passwords.

The terms "user" and "administrator" have special significance in computing. A user-level account has significantly restricted access to computing resources, and so its holder can work only within the confines of their own set of files and documents and of those other documents to which they've been specifically granted access. They cannot alter or modify sensitive settings and configurations of any computing resource they encounter. An administrator-level account has full rights over some or all computing resources, and can view and alter files, settings, configurations, and the like on any system to which those rights have been applied. This is a fundamental rule of computing in general, one that has existed essentially since the dawn of computing itself.


But portions of McCarthy's decision turn this fundamental principle on its head. It seems that because there is no clear statute to apply to the Childs situation, the prosecution and the judge are trying to shoehorn Childs' actions into a related statute that was designed to cover a denial of service of a computing resource to users, not administrators. It may be a fine line, but it's a line nevertheless.

The troubling line the Childs judge has crossed
Childs is charged with violating California statute 502(c)(5), specifically "[when a person] knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."

This is the hot, molten core of this whole matter: Did Childs' withholding of the passwords deny computing services to an authorized user? The defense's argument is that there was no failure of the network, no computers or computing resources were denied to any user, and the network continued to operate normally throughout the 12-day period that Childs refused to divulge the passwords. No "authorized users" were prevented from using the network. The prosecution does not dispute this point. (Also, if you want to argue that Childs' superiors were "authorized users," recall that he was asked for the passwords in the presence of a police inspector and a handful of other people, some of whom were on a speakerphone. Were they all "authorized users"?)

Nowhere in the statute and its definition of terms do the words "administrator," "administrative," or "management" appear -- there is no distinction, no definition, no mention of these terms or concepts whatsoever. "Computer services" is defined as "includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network." The judge interprets that to mean administrative functions as well as "normal" use.

The judge is very clear on his opinion here, stating, "the defendant's withholding the passwords caused DTIS [the San Francisco IT department] to be denied administrative access to the FiberWAN [the city and county's backbone network], which constituted a denial of computer services." He apparently believes that Childs is guilty of violating the statute. Therein lies the problem.

Let's look at a hypothetical: An IT employee with administrative access is confronted by the vice president of marketing. The VP demands that the IT employee divulge the administrative passwords to the VP, as the VP is the IT employee's superior. If the IT employee does not give up the information, he would technically be in violation of the statute as interpreted by McCarthy, as "user" and "administrator" are taken as synonyms. It might also seem that any non-IT employee -- even non-managers -- could request the administrative-level passwords from an IT employee and expect to receive that information. The failure of the IT employee to divulge that information would also be in violation of McCarthy's apparent interpretation of the "denial of service" statute, as there is no provision for levels of access or security in that statute.

Yes, I'm splitting hairs here, but so does the decision, where the Merriam-Webster definition of "use" is referenced: "The noun 'use' is defined as 'the privilege or benefit of using something ... the ability and power to use something ... the legal enjoyment of property that consists in its employment, occupation, exercise, or practice."

Unless these uses are synonymous -- normal use, as in a regular employee accessing data across the network, and administrative access, as in a network engineer logging into routers and switches -- the statute doesn't seem to apply. Did Childs' withholding of the passwords prevent administrative access to the network? Yes. Does that violate the wording of California 502(c)(5)? It does only if you destroy the definitional barriers between "user" and "administrator."

The judge also asserts that this denial was highlighted by several other factors, including the fact that several departments requested to be connected to the FiberWAN during the time when Childs was holding onto the passwords. As anyone who works in the industry knows, the time between a request to be connected to a network and the time when it is physically possible to do so can be several weeks, if not months. If these requests were made on or about the time Childs was arrested, there is absolutely no way that they could be considered delayed solely by the lack of administrative access. Fiber needs to be run, routers need to be procured, designs need to be modified, possibly even IP subnets need to be changed -- a whole pile of work is required before anyone even logs into the routers to add the site.

Regardless, the judge's decision to dismiss the three modem counts is bittersweet -- the language used in the written decision clearly states that the judge believes that Childs violated the "denial of service" portion of the statute. This will hurt Childs at trial. However, when the trial begins, Childs will have been in jail for nearly 16 months for refusing to divulge passwords to anyone but the mayor of San Francisco -- the nominal owner of the network. If he's convicted, IT admins had better start handing over passwords to whoever asks -- you wouldn't want the same treatment. (Case update: Following the dismissal of the three counts, another judge again denied Childs' bail reduction motion on Monday. He remains in jail on $5 million bail.)

Are the judge's arguments contradictory?
Another troubling aspect of McCarthy's decision is that some of the reasoning that he used to support the "denial of service" charge seems to be at odds with the reasoning he used to dismiss the other three charges.

For example, McCarthy dismissed as irrelevant a case the prosecution cited as a precedent: People v. Lawton, where a library patron was accused of violating the law by circumventing security measures in place on library computers and accessing internal library resources without authorization. The judge disagreed that Lawton has anything to do with the Childs case, as it involves a non-employee, among other considerations. But McCarthy relied on another case, Chrisman v. City of Los Angeles, while discussing the three dismissed charges. The Chrisman case involved a police officer who used city resources to perform background checks on celebrities, his girlfriend, and acquaintances while on duty and without authorization.

However, the Chrisman ruling contains the statement "these cases show that an employer's disapproval of an employee's conduct does not cast the conduct outside the scope of employment. If the employer's disapproval were the measure, then virtually any misstep, mistake, or misconduct by an employee involving an employer's computer would, by respondent's reasoning, be criminal." This is essentially the core reasoning that caused McCarthy to dismiss the three counts related to the modems. You might think that it would also directly apply to the "denial of service" charge.

Copyright © 2009 IDG Communications, Inc.