Terry Childs conviction
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering). http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.D TLtsp=1 -JFO
Re: Terry Childs conviction
On Apr 29, 2010, at 4:11 PM, Olsen, Jason wrote:

> I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).

===

I'm not surprised. It has little or no direct operational impact.

James R. Cutler
james.cut...@consultant.com
Re: Terry Childs conviction
Anytime you mess with a government entity, without legal guidance, you are at great risk. Mr. Childs took a risk and jury decided he was wrong. He faces 5 years in prison.

-henry

From: Olsen, Jason jol...@devry.com
To: nanog@nanog.org
Sent: Thu, April 29, 2010 1:11:07 PM
Subject: Terry Childs conviction

> I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
>
> http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.D TLtsp=1
>
> -JFO
Re: Terry Childs conviction
On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:

> I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).

Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.

I fail to see the operational relevance to this conviction; it's basic common sense.

William
Re: Terry Childs conviction
On Thu, 29 Apr 2010 16:47:02 CDT, William Pitcock said:

> On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
>
> > I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
>
> Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.

Unfortunately, Terry Childs was withholding the passwords because he thought (with some justification) that they'd adger up the net if they had the passwords. So if you want to make an analogy, it's more like taking the keys away from a drunk so they can't drive. Good luck finding a DA who will indict you for grand theft auto for taking the keys to prevent a DWI.

Operational content: What design, procedure, and policy errors did the network owners make that Childs was able to do that to them?

(The cynic in me says that if the net management was that screwed up that he *could* do it, he was justified in doing it... :)
Re: Terry Childs conviction
Henry Linneweh wrote:

> Anytime you mess with a government entity, without legal guidance, you are at great risk. Mr. Childs took a risk and jury decided he was wrong. He faces 5 years in prison.

Unlikely. From the article:

> However, Judge Teri Jackson is expected to impose a sentence under which Childs would serve a few additional months at most, after she gives him credit for the nearly two years he has spent in county jail since being arrested in July 2008

I didn't know jury trials went this way, if a juror doesn't agree you simply kick the person out. You learn something new every day. :-)

> The jury deliberated for several days before a lone holdout against conviction was removed from the panel, for reasons that were not disclosed. After an alternate was put in that juror's place, the panel started over and reached a decision in a matter of hours.

And one can argue he behaved like any security conscious IT person should behave, although I'm sure in this case the truth lies more in the middle:

> Shikman acknowledged that Childs may have been paranoid about protecting the system and undiplomatic with his bosses, but nothing worse (..) All they had to do was ask him (for the passwords) in a secure and professional way, consistent with policy and standards, Shikman told the jury.

Regards,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
Re: Terry Childs conviction
On Thu, Apr 29, 2010 at 7:15 PM, valdis.kletni...@vt.edu wrote:

> So if you want to make an analogy, it's more like taking the keys away from a drunk so they can't drive. Good luck finding a DA who will indict you for grand theft auto for taking the keys to prevent a DWI.

According to news reports in this case it was not a charge of theft, but a charge of criminal Denial of Service. The service denied being the ability to administer their network devices by their authorized admins: in this case that Childs had been ordered by people with management authority over him on various occasions to provide some access to equipment they owned, and he had refused on all occasions, or deceived them by intentionally providing incomplete or useless access details.

It was well within management's authority to demand this, and not in violation of any laws (not equivalent to DWI).

It may be of concern to some individuals, but the operational impact to well-managed networks should be zero.

Make sure the collective management of the organization that owns the network has a means of directly conveying full access at all times to any user they authorize, that is provided on demand, or that there is a clear password policy that ensures that administration cannot be denied to authorized users?

Theft of keys does not equal theft of vehicle, and restraining someone who is not acting rationally and is intent upon committing a crime, directly endangering lives, is completely different.

Courts might take a much more dim view towards a valet/driver re-assigned to a different job refusing to surrender the keys to the owner's new valet, out of fear the vehicle might get treated in a way they considered poor or reckless.

--
-J
Re: Terry Childs conviction
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:

> Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.

I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called theft, rather illegal control.

http://www.infoworld.com/t/insider-threat/terry-childs-still-faces-one-charge-one-he-shouldnt-face-746

The more-informed reporting on this says that the charge was actually illegal denial of service. I'm guessing this is what my father-in-law was getting at, or that this is what illegal control means when applied to computer equipment.

dk
Re: Terry Childs conviction
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:

> On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
>
> > Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
>
> I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called theft, rather illegal control.

Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.

William
Re: Terry Childs conviction
Illegal control = Conversion = at least a tort, but could also be a crime.

On Apr 29, 2010, at 10:05 PM, William Pitcock wrote:

> On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
>
> > On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
> >
> > > Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
> >
> > I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called theft, rather illegal control.
>
> Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
>
> William
Re: Terry Childs conviction
On Thu, 29 Apr 2010, William Pitcock wrote:

> Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.

Hi William. I have to agree that it does seem he committed an offence but we will have to agree to disagree on the penalty. Two years (or more) in jail for withholding a password for one week seems disproportionate to me. I wonder how expensive the trial was.

Rob

--
Email: rob...@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world
Re: Terry Childs conviction
On Thu, 2010-04-29 at 21:23 -0500, Larry Sheldon wrote:

> On 4/29/2010 21:05, William Pitcock wrote:
>
> > On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
> >
> > > On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
> > >
> > > > Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
> > >
> > > I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called theft, rather illegal control.
> >
> > Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
>
> I beg to differ (the archives may reflect my objection last time around).
>
> I agree that a crime was committed. It was committed by the management that allowed this situation to exist.
>
> It is a pretty easy matter to maintain controls that make the passwords secure but still available to management when they need it.
>
> The simplest system was one of sealed envelopes in several different District Managers' locked desks. Every now and again a manager would take his or her envelope out and test the passwords to see if they worked (usually just before the scheduled password change each month).

I don't disagree, but he should not have withheld passwords to devices that were not his direct property when asked by a superior.

William