kennyklj, Aug 10, 2010
This account has been closed by the user
pbrbeer, Aug 10, 2010
Locking down the city's network must be just as damaging to the public as being in possession of more than 1 ounce of marijuana
norman619, Aug 10, 2010
You obviously don't know the whole story.
texmexrex, Aug 10, 2010
Name a convicted murderer who got < 4 years.
noclss2000, Aug 10, 2010
http://abclocal.go.com/wls/story?section=news/local&id=7427352
18 months for reckless homicide because she was painting her fingernails while driving.
I don't know what that looks like on paper, but that's murder to me.
lex0429, Aug 10, 2010
"Name a convicted murderer who got < 4 years."
Donte Stallworth - Manslaughter, drinking and driving, 30 days in prison
rblancarte, Aug 10, 2010
Please find a murder conviction. Manslaughter & reckless homicide are not murder (it is killing someone while being stupid).
robbh66, Aug 10, 2010
Manslaughter != Murder.
One has intent, the other does not.
jebediahtbone, Aug 11, 2010
In 1978 Tony Walker was convicted of murder in Texas. He was sentenced to 5 years and released after 2. That's the closest to "< 4 years" that I've found so far.
lazymojo, Aug 10, 2010
Making a politician look stupid to the public is guaranteed to bring down the full wrath of the justice system.
pbrbeer, Aug 10, 2010
This guy was a dips**t.... you're fired, get over it, give the passwords to the city's equipment to the new person in charge you big cry baby.
numbski, Aug 10, 2010
The problem is that he did this for the better good. He knew what might happen if he handed those passwords over.
Sadly, the fact that he did the city a public service is getting him put in jail. He knew better than those in charge, but this is making an example out of someone who dared defy authority - for better or worse.
rblancarte, Aug 10, 2010
What better good? Elaborate.
suprdave, Aug 10, 2010
Do you even know what you're talking about? Did you read the article?
numbski, Aug 10, 2010
Actually, I've been aware of this story for a very, very long time. The admin was in the right, regardless of how that article paints the picture.
ryobiguy, Aug 10, 2010
Please enlighten us instead of saying "I know the answer buuut... I'M NOT TELLING!"
Yeah sure you know... Let's hear it!
sethpr, Aug 10, 2010
The fact that he thought or knew that whomever he had to give the passwords to was under-qualified for the job or had no knowledge whatsoever does not justify him locking down the network. If my boss wants a list of all the passwords we use for every and all of the equipment I will give them to him, this is not my network; of course such a request has to come from an authorized person and in writing.
Heck, I would even recommend they change all the passwords and remove my access from the system as a best-practice if I am leaving; if I am getting fired I would make a written request for them to remove my access, in case they break something I will not be liable.
rblancarte, Aug 10, 2010
Still waiting.
jaredennisclark, Aug 10, 2010
Numbski = Troll
rblancarte, Aug 11, 2010
Hey man, it is tomorrow, where is my elaboration of "the better good" and doing "the city a public service"?
numbski, Aug 12, 2010
Hey man, it's several days later and I almost never look at digg.
I don't recall how long ago I saw the original story. The basics of it were that he was being pressured to give up passwords while he was out on suspension. The people that wanted the information really only knew enough to do harm. You know those kinds of people - just enough to be dangerous. He took the passwords to the Mayor and explicitly warned him *not* to give the information to the people asking for it. He did what was the reasonably safe thing to do.
Listen, there are times, hopefully not many, and hopefully none that will land you in jail, where you have to do the right thing, consequences be damned. This is one of those situations. I refuse to demonize this guy - he stood his ground. I know at least a year ago the topic came up on TWiT, and to my surprise, even the pundits on that show were in agreement with me.
Sometimes you just have to suck it up and do the right thing.
gordonv, Aug 10, 2010
It's sad knowing that bosses don't care how much work you've done for a company. PBRbeer is totally right on this.
Techs and Engineers are not like menial or retail jobs. There is a demand for them. Will the bosses know exactly what you are doing or even have a clue how important what you are doing is to the business? Most likely not.
Simply put, just worry about the following:
Do you have enough money to be unemployed for 6 months?
Can you find a job that makes what you are making now, or can at least sustain a lifestyle that is stable?
Can you use your previous job as a reference?
If he was going to be let go for finance reasons, that means he could have used the city as a reference!
rmxz, Aug 10, 2010
Had he given up the passwords and the city got hacked, could he have been held responsible for improperly leaking passwords?
zomgondo, Aug 10, 2010
No. End of story.
zomgondo, Aug 10, 2010
Yeah, once you're fired you're no longer responsible for security, nor are you bound by company policy... but you ARE legally obliged to hand over any company property you may have, including passwords.
All his bulls**t claims aside, this guy just wanted to stick it to the man.
cimmerianx, Aug 10, 2010
That heavy fine and long jail time is more for the embarrassment to the city instead of the seriousness of the crime.
Ya, the network isn't his, it belongs to the city, just like any business. And when you leave the business, a true professional would make it as easy as possible to transfer knowledge to the replacement or new department.
rblancarte, Aug 10, 2010
In the end, as most point out, there is a lot of blame to go around. Childs for doing what he did. San Fran for allowing it to happen.
It doesn't change the fact that Childs was in the wrong.
Closed Account, Aug 10, 2010
BOFH wannabe.
michichael, Aug 10, 2010
I think that none of those people understood a thing about networking. He had insecure routers set without configurations written to flash, because you can pull configs with physical access. It's a security thing, not a "he's planning on sabotaging the network!"
He wasn't fired, he was suspended, and felt that the network would be harmed if he gave them the passwords, and he'd be blamed for it. So he gave them to the mayor, and lo and behold the network got f**ked up by people not knowing what they were doing. Not his fault. Take a look at the configuration files and "evidence" and as an IT professional you can see how much of what he did was to maintain the integrity of the network.
clevercommenter, Aug 10, 2010
Except that he was in no authority to withhold the information from his superiors.
jeworld, Aug 10, 2010
Actually, he should have handed over the information and nothing more. If you're getting canned, wtf do you care if someone else that was "non-qualified" could cause substantial damage? You're canned. It's not your problem anymore.
norman619, Aug 10, 2010
Exactly. Finally someone who has actually been paying attention to the real story behind this mess.
numbski, Aug 10, 2010
Yup, any competent network engineer realizes he did the right thing, and now he's going to jail for it.
norman619, Aug 10, 2010
Numbski:
Yup. It's funny reading the comments here from people who clearly have no idea.
insightful, Aug 10, 2010
"I think that none of those people understood a thing about networking"
Except you are wrong. One of the persons in the jury, Chilton, was a CCIE and a senior network engineer for ADP. He explains why he voted for conviction as well.
http://www.networkworld.com/news/2010/042910-terry-childs-juror-explains-why.html
rxbudian, Aug 10, 2010
I guess he hasn't worked for incompetents before...
michichael, Aug 19, 2010
A "senior network engineer" for a consulting firm. Have you ever WORKED with people that brag about their CC__ and are consultants? They don't know s**t. This guy was a prime example of not knowing s**t, and because he thinks he does, a good network admin is not only out of work he's suffering penalties for it.
rblancarte, Aug 10, 2010
No, this guy thought that only he should have access to the network and was ticked off when he got a new boss that wanted to audit the system. He acted like a baby and wanted to take his toy and go home. The main problem, he didn't own what he was playing with and had no right to do any of that.
http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case/
zomgondo, Aug 10, 2010
I know an IT professional who was on the jury... this guy wasn't being a "professional", he was trying to stick it to The Man as revenge.
Seriously, what kind of "security professional" would rather go to jail than surrender the passwords of an organization that FIRED him?
rethread, Aug 11, 2010
I didn't read the story, I "envisioned" it about 10 yrs ago. "This person was 'trusted' to watch the network and it didn't work, likely due to pay issues. Hey, you don't pay, it comes from somewhere, and trust comes from some very strange places. Pay me: I'll tell you where.
I can tell you where trust comes from. Just pay me. If it's not obvious yet, you deserve to quit your day job and do others a service.
doshindude, Aug 10, 2010
He was wrongly jailed, he was following password protocols, that of which "don't ever f**king give passwords out to morons who know nothing about the system." Release him.
norman619, Aug 10, 2010
No s**t plus over $1 million in "restitution"? WTF?
tntbass, Aug 10, 2010
I agree, all up until the point he got fired.
When he got fired, he should have handed the passwords over. At that point in time, he won't be the one fixing the problem the morons create by having the passwords to the systems. In fact, I would be hoping that they would use the passwords and do something stupid, just so I could sit back and laugh.
He had nothing to gain by keeping the passwords after he was let go.
sethpr, Aug 10, 2010
Maybe he got an excessive punishment for the crime, but he was not following password protocols, password protocol would be don't give passwords out to morons UNLESS that moron has the authority to have them, and/or is the person in charge now that you have been suspended/fired.
No matter how much effort, security, work and time you have invested in taking care of a network, if it is not YOUR network and/or you are not the maximum authority within it you have to give the password to the person in charge of the passwords once you are out of the picture. As a matter of fact in no respectable organization should only one person have the key/password for a sensible system, that is a SINGLE POINT OF FAILURE.
indigolife06, Aug 14, 2010
Excellent observation about the single point of failure. While every system should have some provision for a secondary key/password holder (or ability to retrieve), there are limits to time and resources.
However, this was a critical network for city of San Francisco, and systems of that importance ALWAYS warrant a contingency plan for password/key recovery. (Sorry about terminology, I'm marginal infosec).
zomgondo, Aug 10, 2010
If I ever interview anyone with your attitude, they're not only not getting the job, I'm blacklisting them.
Passwords are not YOUR property, they are COMPANY property.
Closed Account, Aug 10, 2010
HACK THE PLANET!
polartx, Aug 10, 2010
That's California for ya
bladzalot, Aug 10, 2010
Overkill...
probatus, Aug 10, 2010
The password was probably 'god'.
girldrinkdrunk, Aug 10, 2010
Reindeer Flotilla
el_jefe, Aug 10, 2010
hahahaha he fooled everyone. The password was blank.
Beep111, Aug 10, 2010
So stupid. There's a reason you hire professionals to do your highly technical work. If you don't know what you're doing why is it logical to get access?
4 years for not giving passwords over? That's a ridiculous sentence! I mean fine, fire the man. But jail him? This is just going to make the city look even worse....
lodcrappo, Aug 10, 2010
This account has been closed by the user
otaku244, Aug 10, 2010
People in the IT industry are the gatekeepers to information and its integrity.
When the boss comes in and says, "Give me everything", you HAVE to give it to him.
You should always explain the danger of releasing such information and should have the boss sign a statement saying they understand the implication and sensitivity of that data. The boss owns/runs the company that gives you a job and you are there but for the whims of your superiors.
If they want to compromise security, that's their problem. CYA so you don't get hauled into court and find yourself a new job for when everything falls apart.
We in IT are held to a higher standard because of our access to sensitive information. He deserves what he got.
rmxz, Aug 10, 2010
"When the boss comes in and says, "Give me everything", you HAVE to give it to him."
Unless the boss isn't authorized to have it --- in which case you're in big trouble if you give it to him.
Just because someone's a middle manager doesn't mean he's supposed to have access to whatever he asks for.
If I understand correctly, this guy gave the info to the people high enough up in the management chain (the mayor?) that he knew they were supposed to have access. He didn't give it to random people in the middle.
clevercommenter, Aug 10, 2010
He only gave the information to the mayor after two weeks of being in jail.
rblancarte, Aug 10, 2010
You don't understand correctly.
otaku244, Aug 10, 2010
@rmxz,
I do have to agree with you there... kinda. I cannot think of a situation where my direct boss(es) don't already know what I know, though.
I have been in a situation where a company executive (not CEO) wanted me to give him DBA access to some software we used. I didn't give him THE DBA access because I was worried about data integrity (we could get sued if the data was tampered with improperly), but his subcorporation was the one that paid for the software the company used. I explained to him the situation and compromised on a security policy that gave him only the DBA privileges he was looking for so that, if he did something that would cause problems (like messing with data), I could isolate him as the point of failure so it wouldn't come back on my department. If he didn't like it, he could request permission from the CEO. We agreed on the compromise and moved on.
The reality was, it was my job to make sure this guy got what he wanted WITHOUT compromising *ME* because the information in the software was my responsibility. If he wanted to fool with it, he needed his name on it. As a gatekeeper, I am only as good as my superiors let me be with THEIR information.
tntbass, Aug 10, 2010
My boss has asked a few times for elevated privileges to the network, access he doesn't need.
Of course, in my situation, I report to the CFO. Our CFO knows little about computers, but a lot about finance (hence being a CFO). Any time I've had this discussion it ends up being the guy wanted access to another shared drive or something and was annoyed about having to ask for access.
When push comes to shove though, the CEO knows I've handled the situation properly. He doesn't want his company to be open to someone who doesn't know what they are doing getting into the wrong area and making a mess.
If I leave or get fired though, there is someone else who has the same level of access I do, and he's in IT where someone with that level of access should be situated. If the company wants someone other than the one IT engineer to have access, make sure the person is in IT and at least knows enough to not change anything. If the manager in charge of IT needs to have access, the company should make damn sure the manager knows at least something about IT.
Also, I'm more than happy to give my passwords to an idiot in the company if I get fired. At best, they hire me to come in and fix the problems the idiot created, at worst I never hear from that company again. Win/Win.
johngalt750, Aug 10, 2010
"Just following orders" isn't always a good enough excuse.
Your boss can ask for you to provide information that's unethical or illegal, or can ask for things that a higher up decided to deny them access to. It's very easy to put an IT person in a lose-lose situation, where people like you would put them in jail either way.
Let's say there is a pending sexual harassment suit and your boss is the defendant. He asks for access to the email backup tapes against standard security policy. If you provide access then you've aided a coverup and go to jail; if you don't provide access then you're fired and potentially go to jail.
enotswhat, Aug 10, 2010
I see a lot of non article readers in this post.
rodneyws1977, Aug 10, 2010
How do you know that? (I'm serious... how do you know?)
rblancarte, Aug 10, 2010
It could be all the people defending him with a lot of bogus information (protecting the network, etc)
The fact was, this guy locked the network down and only he had the key to the lock. He got a serious god complex about it and when he was asked for information, he didn't want to give up his control.
atuline, Aug 10, 2010
Whether or not his boss (or co-workers) were competent was not the issue IMO. It was not his network and he should have handed the passwords over to his superiors upon request. If he had concerns, he should have documented and communicated them appropriately. Clearly, there needs to be improved policies, procedures, staffing and training, however he made several poor choices. /former CCNP, CCDP
premiercru, Aug 10, 2010
Sooo...was he subpoenaed to give up the passwords? The article mentioned nothing of this, but it seems like the first logical step to me. Refusing to tell your bosses the passwords = civil issue, not a crime. Refusing to give up passwords when subpoenaed to do so = contempt of court, criminal offense.
clevercommenter, Aug 10, 2010
The criminal offense was him adding the extra parameters when he knew he might be on his way out, specifically making the knowledge he held more valuable.
ashdrewness, Aug 10, 2010
Regardless of how anyone feels about what the guy did, you have to agree that his management should have been fired for ever letting their network be put in such a vulnerable position where everything rested on the head of one individual. As the article said, what would have happened if he died? How much public funds would have been spent hiring consultants to reverse engineer that network?
deathcapt, Aug 10, 2010
That sucks, this guy got screwed.
dse78759, Aug 10, 2010
Mustache....they should have known....
firewall1, Aug 10, 2010
I worked with a dude exactly like that. He had the passwords for all the routers and switches - and refused to give them out. Big time loner nerd, and always paranoid that he was losing his job.
I blame management also -- they never demanded the passwords...I left that gig after a year or so. I'll bet that dude is still sitting in his dark little room, doing the same thing after all these years.
luke1h7, Aug 10, 2010
So what if he gets paid 1.5m and then can't pay that back because he doesn't have enough money? Does it get paid or what? Who pays it?
eekrano, Aug 10, 2010
I don't know where I saw this, but it has served me well.
If anyone ever demands a password to something I don't believe they should have and I cannot talk them out of it I just write it down, put it in an envelope, and tell them if there's ever a problem the first thing I will look for is the envelope, and cannot take responsibility if it has been opened.
el_jefe, Aug 10, 2010
Except that you just unsecured whatever it was by doing so. By the simple act of making it accessible to everyone how could you not be held responsible? In essence you just removed all the security.
eekrano, Aug 10, 2010
So giving the password through email would be preferred? Where, if he left his computer, would be just as open to anyone as the envelope. Or should I just expect that they can memorize the password (doubt it)?
I never inferred he would tack this up on the company bulletin board next to the water cooler. They can store it in a desk, safe, or safety deposit box for all I care.
The simple fact that a computer is accessible via the internet can imply insecurity in numerous ways through many possible exploitations. I was just sharing a method that has worked well for me. No one has ever opened the envelope, why? Because they *know* they don't really need to- they don't *need* access. They just *wanted* it, and as a client (or boss) they should get what they want, as long as they know the repercussions. The envelope helps them realize that on their own, because people of authority usually don't take "no" very well.
el_jefe, Aug 10, 2010
Unless that envelope is locked in a safe that you two are the only ones that have access to then anyone could grab the envelope and open it. In essence you just posted on the bulletin board next to the cooler or sent in email. And yes, anyone that wants access to something that is in need of securing should memorize the password. That is my first requirement in determining if someone is responsible for having access.
Faced with the same situation, I would show it to them on a piece of paper and then destroy the paper. If they choose to write it down afterwards and the system is compromised from that then I truly have no liability because I transferred it securely.
All I was saying is that by writing it down and sticking it in an unsecured environment then you are liable because by doing so you removed the security. The security is broken the moment you wrote it down and put it in that envelope. When the s**t hits the fan and questions are asked about the origin of the envelope your name will be the only one on it. And as someone trusted to uphold the security of the system you should know better.
eekrano, Aug 11, 2010
Although your attempt to split hairs regarding the subject itself is admirable I believe you've missed the point entirely.
I'd love to force people to remember passwords, but go ahead and try to force your boss to do something they don't want to, or refuse to give them access to what they want and you'll quickly find yourself in this guy's position.
rxbudian, Aug 10, 2010
You should ask why he didn't give the passwords, even until the police arrested him, but he gave them to the mayor.
Anyone who is in for job security or profit, would have given up when the police are involved because he knows that his career is already in ruins.
Plus, if there is no security policy in the department like the expert "Chilton" says, it would be natural for Childs to lock down the whole system. Who knows what moron the department hired.
el_jefe, Aug 10, 2010
Wasn't he fired? When my employment terminates at a location my loyalty is terminated immediately.
doublebaconsoda, Aug 10, 2010
When Digg fires me I won't give them the password to my account, ever. Take that Digg!
feverhost, Aug 10, 2010
I agree about the sentence, as long as *every single one of his supervisors* received the same sentence.
rethread, Aug 11, 2010
Sure.. MS involved a "backup" operator account in windows XP. When the company asked for it, it was there, the trusted backup operator, the trusted installer, etc.
Trusted. The key word. Apparently he/she didn't get "trusted" to get paid for his duties. Failing that, he found other ways to make money for bills to get paid in his bank accnt. Ima guess, "trusted" means owned and do with what you want. Works making slaves and prisoners and not much place in a free society.
My state just put prisoners to work. Slavery is cheap labor. Food and board/place to stay.
And we have more non-violent prisoners than any other country in the known world. Why not use slave labor? This is a hint.. when the slaves are smarter than the master... There's going to be a problem.