I'm a bit surprised that after the furor here on NANOG when the story
first broke (in 2008), there's been no discussion about the recent
outcome of his trial (convicted, one count of felony network tampering).
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/[..]
TL&tsp=1
-JFO
I'm a bit surprised that after the furor here on NANOG when the story
first broke (in 2008), there's been no discussion about the recent
outcome of his trial (convicted, one count of felony network tampering).
===
I'm not surprised. It has little or no direct operational impact.
James R. Cutler
james.cutler*******
Anytime you mess with a government entity, without legal guidance, you are at
great risk. Mr. Childs took a risk and the jury decided he was wrong. He faces
5 years in prison.
-henry
Surely even at DeVry they teach that if you refuse to hand over
passwords for property that is not legally yours, you are
committing a crime. I mean, think about it, it's effectively theft, in
the same sense that if you refuse to hand over the keys for a car that
you don't own, you're committing theft of an automobile.
I fail to see the operational relevance to this conviction; it's basic
common sense.
William
Unfortunately, Terry Childs was withholding the passwords because he thought
(with some justification) that they'd adger up the net if they had the passwords.
So if you want to make an analogy, it's more like taking the keys away from
a drunk so they can't drive. Good luck finding a DA who will indict you for
grand theft auto for taking the keys to prevent a DWI.
Operational content: What design, procedure, and policy errors did the
network owners make that Childs was able to do that to them? (The cynic
in me says that if the net management was that screwed up that he *could*
do it, he was justified in doing it... :)
Unlikely.
From the article:
"However, Judge Teri Jackson is expected to impose a sentence under
which Childs would serve a few additional months at most, after she
gives him credit for the nearly two years he has spent in county jail
since being arrested in July 2008"
I didn't know jury trials went this way, if a juror doesn't agree you
simply kick the person out. You learn something new every day. :-)
"The jury deliberated for several days before a lone holdout against
conviction was removed from the panel, for reasons that were not
disclosed. After an alternate was put in that juror's place, the panel
started over and reached a decision in a matter of hours."
And one can argue he behaved like any security conscious IT person
should behave, although I'm sure in this case the truth lies more in the
middle:
"Shikman acknowledged that Childs may have been "paranoid" about
protecting the system and undiplomatic with his bosses, but nothing worse
(..)
"All they had to do was ask him (for the passwords) in a secure and
professional way, consistent with policy and standards," Shikman told
the jury."
Regards,
Jeroen
--
http://goldmark.org/jeff/stupid-disclaimers/
According to news reports in this case it was not a charge of theft,
but a charge of criminal Denial of Service. The service denied
being the ability to administer their network devices by their
authorized admins: in this case that Childs had been ordered by
people with management authority over him on various occasions to
provide some access to equipment they owned, and he had refused on
all occasions, or deceived them by intentionally providing
incomplete or useless access details.
It was well within management's authority to demand this, and not in
violation of any laws (not equivalent to DWI).
It may be of concern to some individuals, but the operational impact
to well-managed networks should be zero. Make sure the collective
management of the organization that owns the network has a means of
directly conveying full access at all times to any user they
authorize, that is provided on demand, or that there is a clear
password policy that ensures that administration cannot be denied
to authorized users.
"Theft" of keys does not equal theft of vehicle, and restraining
someone who is not acting rationally and is intent upon committing a
crime, directly endangering lives, is completely different.
Courts might take a much more dim view towards a valet/driver
re-assigned to a different job refusing to surrender the keys to the
owner's new valet, out of fear the vehicle might get treated in a way
they considered poor or reckless.
--
-J
I've seen a dismissed employee withhold a password. The owner of the
company threatened legal action, considering it, like you, theft. My
father-in-law is an attorney, so I asked him about the situation. He
said that it wouldn't be called "theft," rather "illegal control."
http://www.infoworld.com/t/insider-threat/terry-childs-still[..]
The more-informed reporting on this says that the charge was actually
"illegal denial of service." I'm guessing this is what my father-in-law
was getting at, or that this is what "illegal control" means when
applied to computer equipment.
dk
Same difference, he still committed a crime and anyone who is defending
him seems to not understand this. Whatever we want to call that crime,
it's still a crime, and he got the appropriate penalty.
William
Illegal control = Conversion = at least a tort, but could also be a crime.
Hi William. I have to agree that it does seem he committed an offence but
we will have to agree to disagree on the penalty. Two years (or more) in
jail for withholding a password for one week seems disproportionate to me.
I wonder how expensive the trial was.
Rob
--
Email: robert*******
IRC: Solver
Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world
I beg to differ (the archives may reflect my objection last time around).
I agree that a crime was committed.
It was committed by the management that allowed this situation to exist.
It is a pretty easy matter to maintain controls that make the passwords
secure but still available to management when they need them. The
simplest system was one of sealed envelopes in several different
District Managers' locked desks. Every now and again a manager would
take his or her envelope out and test the passwords to see if they
worked (usually just before the scheduled password change each month).
--
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting
the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml
I don't disagree, but he should not have withheld passwords to devices
that were not his direct property when asked by a superior.
William
Agree.
Agree.
On the other hand, this gets strange. Once you're fired, just how much
can you reasonably be compelled to produce for your former employer's
convenience? And that's all this is, because no one has suggested that
the network was left nonfunctional, or that it wasn't possible for
competent engineers to gain access and control of the system.
I've seen people try to compare this to returning a cell phone or laptop,
but the fact of the matter is, those are physical devices that can be
returned. I remember passwords dating back decades. I'm not going to
forget some of them short of brain surgery or Alzheimer's. On the other
hand, there are many passwords I've forgotten entirely. If my employer
from last week comes to me today, and says, "hey, we need access to this
resource, hand over your password," maybe I still remember it, or maybe
it was written on a sheet of paper that went to the shredder when I quit.
What if it's a month, or a year, or a decade? Where does this obligation
to regurgitate information end? What if it's not simple? (Childs was
accused of handing over "useless" information, which I am interpreting to
mean that it was probably a valid password, but not the full context of
how to use it.) Need I provide information on how to dial into a remote
access server, log into a router, connect via its aux port to another
gizmo, and then from there to my final destination? To cover all possible
scenarios could be a heck of a lot of documentation to write up. Am I
expected to do that for free? What if I forgot it all? What if I went
and shredded any documentation I had at home, wiped all the data from my
laptop, all because I was trying to do the right thing by not retaining
any intellectual property?
What Childs did was wrong, but what his superiors did was ethically and
morally inexcusable - they created a scenario where he could be criminally
punished for their failure to manage their employee (and their network)
appropriately. As far as I'm concerned, they're far more guilty, but of
course they won't see the inside of a cell.
The precedents set by this case are a bit scary.
The lesson for operators should be clear: don't let a prima donna build
your network without being thoroughly involved in the process.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.