San Francisco's rogue sysadmin Terry Childs, who refused to reveal passwords when he was sacked, could learn his fate later today. The jury has started deliberating on whether Childs is guilty of locking the city out of its own network. He faces up to five years in prison if found guilty. Childs refused to hand over passwords …
I wish him luck
Let's see what wins here..
Re: I wish him luck
Telling your boss that "actually, no, you can't have the password to the system because you're an idiot" might seem like a good idea at the time but when you step back from the situation and realise that you have just been fired for being a lazy self-entitled (and possibly criminal) prat, you start to re-evaluate just who the idiot in the situation is.
The only luck he deserves is a bar of soap and a cellmate named Dave.
The guy wasn't his boss...
Once they had sacked him, the "idiot" was no longer his boss. If he is no longer an employee, he has no obligation to tell them anything. The only mistake here was that the "City" didn't ask for the passwords BEFORE they sacked him. Once he was gone they decided to cry "we've been hacked" retrospectively.
This is the equivalent of me getting fired from work, being frogmarched off the premises, then a week later the police turning up at my house because my ex-boss realises he didn't ask me for my set of keys, so he's decided to report me for breaking and entering even tho I've been nowhere near the office since I drove out of the car-park that day.
So he can help Dave with his hygiene difficulties? Also, he'd have to be very lucky that he'll end up in just the cell with the right Dave with the aforementioned malady with a bar of soap.
In the UK, he'd be sent to one of them there swanky hotels. I believe they refer to them as 'open prisons'.....
Re: I wish him luck
In these days of data breaches, personal data flying round on USB sticks and in Excel spreadsheets, compromising the security and safety of your users by handing the keys to the kingdom by telephone to a retarded moron in a suit who thinks "The Internet" is a big blue "E" is bordering on criminal negligence.
Being an asocial fuckup is much less deserving of soap-bar treatment than overreaching and under-qualified bureaucracy. In my opinion he did the right thing the wrong way, that is all.
I'm not going to prison. Anyhow, I'd be a quite considerate cellmate.
Could you please stop tagging stories with BOFH when they aren't related to the ongoing fictional saga, or suggest a better method of keeping up to date on the BOFH fiction instead of the news?
It's not Friday, so I should have known better, but still guys....
What fictional saga?
You mean the ongoing undercover documentary.
That's not fiction, it's real life. Isn't it?
I think he is like me: I get el Reg via RSS, and for some reason Simon's BOFH doesn't report itself to the feed, so he would have (like me) created a custom search query for "BOFH" and used that for the RSS feed.
Serves them right for allowing this state of affairs.
What would the city have done if Mr. Childs had dropped dead while still an employee?
a good point
They would have sued his estate for damages. (Not a joke).
Title says it all. No one employee should be that critical for password retention.
Also, one wonders if they had it in writing that he was required to tell them the passwords after termination.
... comes before a fall.
Typical BOFH attitude though, he probably deserves prison time for being an arsehole - it's Karma.
another example case coming on here
Get all promises in writing
Too bad he didn't cut a deal and get it in writing.
Somebody please think of the Childs
Joke aside, sad to see a sysadmin facing jail for doing his job properly.
He's in trouble because he doubted the security know-how of his successors (who basically asked him straight out for the passwords)? OK, so by not turning them over, he effectively locked the city employees out of the IT infrastructure.
Here's the thing: why does one single sysadmin have all of the local government's IT infrastructure passwords? And were there any procedures in place for secure communication?
This is just incorrect
He handed over admin passwords as soon as he was in a room alone with his boss. He refused to hand them over in full view of a bunch of HR people and a couple of regular cops. Would you want HR to have the admin passes to your city's critical infrastructure?
Another good luck wish from me
Seriously can any system admin or engineer honestly say that they haven't come across a few people they'd rather not trust with admin level passwords?!
Respect to the guy for having the balls to say no, all too many times I've experienced some know-it-all numpty go charging in with admin rights, trash the system, then expect me to pick up the pieces when it all goes (inevitably) tits-up.
So glad I switched industry from IT to Science while the going was good!
of 1 is never a safe place.
He should be commended for illustrating how badly set up they are
refused to reveal passwords?
> San Francisco's rogue sysadmin Terry Childs, who refused to reveal passwords when he was sacked ..
Except the real story is a bit more complicated and he did ultimately reveal the passwords and the original dispute was something completely different. See Samuel_Clemens comment ...
What kind of security procedures are in place when only one guy has critical passwords stored in his head? Ridiculous. Any IT dept should have a system where these types of passwords are stored securely. Like on an encrypted pen drive kept in a fireproof safe, for example..
because you never know when person(s) with passwords suddenly become unavailable (or hostile).
I can hardly believe
That his bail is still 5 million.
That some tech company didn't pay the bail.
That he's been in jail nearly 2 years, even though nothing broke and he did give up the passwords.
That at some point, somebody at the city did not step in and find a better way to handle this.
That he stayed so quiet.
All he needed was a few publicity hound lawyers to file lawsuits, and go on talk shows to point out every wasted dollar and paint everyone at the city as incompetent bozos.
He's not seeking publicity
The fact that he DIDN'T do all that makes me respect him all the more. The true geek shuns publicity (along with most forms of social contact, especially with idiots) and has too much respect for rules of justice to try to get himself sprung from jail by any such underhanded method.
Unfortunately I don't think common sense will prevail, and he will most likely be out-lawyered and have the book thrown at him. However, when he gets out the world's best IT companies will be queueing up to give him a job.
I'm not sure I understand his defence, I mean, if the owners of the equipment demand the passwords so they can fuck it up, then that's up to them isn't it?
Having said that, I'm not sure why he's being prosecuted in the first place. If someone leaves with the passwords, and they were the *ONLY* person in the world to have root access, then you instigate some kind of password recovery, which is usually possible if you have physical access to the equipment.
Like someone said above, what if he was struck dead?
This is going to end up weird whatever the result.
[JA] Or, he could have just told them to meet him on IRC where he would divulge the password to them in clear text on an open channel, like 4chan or something, along with the IP addresses and/or NAT addresses of something juicy plus then open ports, just to make sure the s'kiddies couldn't get it wrong :)
Muppets all round
You mean that all/any system passwords were not required to be written in a sealed envelope and kept in an off site safe?
Mine's the coat with the post-it notes in the pocket :-)
Under a bus
That's how I've done it in the past when I've been responsible for important passwords. In the safe with a documented procedure for how someone can access it and what to do about changing the password once the envelope is opened. So far it's not been needed.
are you loyal to the Service you provide or the Company who employs you?
There is no straight answer, methinks. This is politics, not technics and he was naive to assume it was only the latter.
...are you possibly a citizen of the entity employing you? Been there, done that - just lucky I never had to choose. Don't know how that would have ended...
Another facet to this complicated story...
Greetings and Salutations.
As other sites have reported, the issue was that Mr. Childs was bound by policy limitations as to who he could turn the passwords over to. The people that were demanding the passwords from him were, arguably, NOT authorized to have them, and, the fact that the person asking for them had a bunch of other random folks with them who were REALLY not authorized to have the passwords, made it even more important that Mr. Childs follow policy and NOT reveal the passwords in question. Had he done so, he would have been criminally liable for breaching policy, and, likely would be exactly where he is today. Now...when the Mayor visited him in his prison cell, Mr. Childs did turn over the passwords in question as the Mayor WAS authorized to receive them under the policy rules.
There has been a lot written about this, and a lot of it seems to be unhindered by consideration of the facts of the case.
As for the charges that led to this trial, sadly enough, it looks far more as if it is that Mr. Childs' actions got publicized and embarrassed the DA and other highly placed officials in the government, so, the goal ceased to be justice, and, became "let's squash the snotty little bug".
I suspect that Mr. Childs is not the most pleasant person in the world, either, so, that simply added fuel to the fires...
Come on folks, answer some easy questions
"Would you employ him", and "Would you employ his manager"
For me the answers are "Like a shot" & "No bloody way"
Then you are a fool
Any smart, reasonably savvy person would have just said...at the very first meeting..."I can't reveal them at the moment because there are people in the room that can't and shouldn't have access to them, I think I would be breaking the law if I revealed them, I will only reveal them to an authorised person" that would have been an end of it as the unauthorised people left and he then handed over the passwords...Clearly this is not what happened and he is now being made an example of due to the fact that he is a social leper who thinks he is better than other people. Handing over the passwords when the mayor visited his cell stinks of him backing down rather than always having intended to hand them over. Otherwise why the hell didn't he just tell the Mayor in the first place before he was dragged off to prison?
If you'd hire him then that says a lot about your personality and I for one would never even do business with you let alone work for you.
The title is required, and must contain letters and/or digits
He approached this wrongly. Had he been willing to oblige them in return for a new contract for $60k per day, this could have been sorted out quite amicably.
Teach him a lesson
The $5m bail and the criminal charges seem vindictive to me. This is how the "establishment" teaches you not to screw with them. I'm fairly sure Mr. Childs made no friends in his employment with the city, and this whole episode smacks of vindictiveness.
And to those who suggest a list of passwords in a sealed envelope in the safe; yes, that would be a very reasonable way of handling the situation. But, we're talking about politics, police and barely competent administrative employees here. Reasonableness seems to have been hung out to dry, along with Mr. Childs.
//at this rate, he will have served his sentence before he's ever convicted.
But what if you're also the only person with access to the safe? :)