Update – It seems the same juror Jason Chilton that commented on slashdot is the real deal and gave a very compelling case as to why Childs was convicted. Childs had emailed passwords to the COO before but when he found out that he was being reassigned, he stopped being cooperative. The next day he even taunted his boss and COO that they didn’t have access.
“So he knew nobody else could get in, and I think he had the assumption that they would say, “We need you back to maintain this network.” And that obviously did not happen.”
So Childs was refusing to give access to the COO who he gave access in the past when his job wasn’t threatened. But because he didn’t want to be reassigned, he was now holding the network hostage and refused to give access despite demands from human resource, the police, his boss, and the Chief Operating Officer. This whole excuse that there was no formal policy in place is nonsense because most tasks in the workplace aren’t explicitly spelled out. If HR, the COO, and the police want you to relinquish custody, you do it unless you want to risk prison and that should be common sense.
Now Chilton said in the interview that Childs is a good trustworthy person and that it was his managers fault for giving him so much free reign. Well I’m sorry to disagree with Mr. Chilton, but loose management is not an excuse to be a punk. The fact that Childs had withdrew $10,000 and left for Nevada the day before his arrest tells me that this man is scum and should never be trusted with any company’s equipment.
The jury has found Terry Childs, a former network engineer for the city of San Francisco, guilty
. Childs had refused to grant the city access to the city’s Wide Area Network (WAN) and served several month in jail for his refusal to cooperate. Now if you’re a network engineer, you might ask why didn’t the city simply perform a password reset/recovery on the equipment and I’m wondering the same thing too. If I had to guess, they didn’t want to risk losing the configuration of the network and the easiest way was to get Terry Childs to give them the password.
Speaking as a former IT professional, nearly all of us with the exception of Mr. Childs have enough common sense to know that when the owner of the system or when a boss issues a direct order to grant access to the company system, we do it. For that matter if the boss asks for something within their authority (short of something criminal), and especially if they have the blessing of their boss and up, we do it. We might lodge a formal protest if the thing we’re asked to do will endanger the security of the company, or something that would cause the company to lose money because the boss is an idiot, but we do it after our formal protest is acknowledged. The other option, voluntary or not, is that we leave the company. But if we’re asked to leave the company, we have to hand the keys over. If we try to hold an IT system hostage, that’s against the law.
Yet despite this common sense, it seems that many in the slashdot community have rushed to Terry Child’s defense as some kind of “stick it to the man” cult hero. But one particular post form someone claiming to be a juror on the case, who actually looks the part judging by his comments, had some interesting things to say below. (Note that since this is an informal blog, I didn’t track the man down and verify authenticity like I would have when I was formally a journalist. Please excuse me for being lazy here.)
Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can’t replay to everything that’s been said about it, but I will at least provide my perspective.
This case should have never come to be. Management in the city’s IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.
This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.
This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.
I’m sure many people posting are of the mindset that he’s not guilty because he shouldn’t reveal the passwords, some policy says this or that, or whatever. You’re entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.”
Later he added
“One really important thing to note here is that it wasn’t a concern that he did not provide “his” passwords. The real problem is that he did not provide access — in any form, even in the form of creating new accounts for those requesting it.”
The gentleman also added that he actually agreed with the law, and thought that Mr. Childs broke it. But as far as I’m concerned, if it takes the Mayor of the city to visit your jail cell and nearly two weeks to divulge the key to the city’s equipment, he’s legally and morally guilty of obstructing the city unless we’re talking about the city of Berlin circa 1944.
The thing that many IT people forget is that they don’t own the system. The owner of the system is the user of the system who report to their superiors who ultimately report to the owner of the company. The IT person is merely the Shepard of the system and they ultimately have to allow the owner make mistakes if the owner insists on it. IT people also forget that without the business, there would be no system to protect in the first place. Mr. Childs forgot this and he took ownership of a system that he did not own against direct orders of everyone in the chain of command above him.
It would be as if a limo driver refused to hand over the keys of the car to a 19 year kid who is prone to fast driving. But the kid doesn’t like that driver so he gets his father to fire the limo driver, but the driver refuses to hand the keys over to the father. The father fires the driver and hires a new limo driver, but the original driver even refuses to hand the keys to the new limo driver. At that point the limo driver has effectively commandeered a car that does not belong to him which makes him legally and morally wrong.
The driver has a moral and legal case to refuse the 19 year old, but he certainly can’t refuse the father much less the police even if the father might be wrong for spoiling his child. We simply cannot give employees that kind of power over their employer’s property. Imagine what every IT person in danger of losing their job would do if Childs had been vindicated by the courts. So it doesn’t matter if a few Internet geeks cheer him on as someone who “stuck it to the man”. If they were in a similar situation and I were on the jury, they would be convicted.