Network admin gets jail time — for doing his job?

Your article does not provide enough information to allow an informed opinion about his actions. Is it correct to refuse to divulge passwords when unidentified parties are on a conference call? In most cases I would say absolutely, writing the password on a slip of paper and handing it to an authorized system owner would be one way to satisfy that concern.

When you provide more information and background about what lead up to the meeting, informed readers can give you informed opinions.

This can’t be the whole story. Refusing to broadcast the passwords in a conference call alone is justified. Surely someone with the correct authorization could have been given the required passwords privately? Also, in the spirit of ‘best practices’, wasn’t there anyone else with some if not all of the passwords needed, or was this truly a one-man show?

If you leave out the little details of “blocked access to critical parts of the network” and “employees were unable to access payroll data, police records, and other information”, then yes he was doing his job. With those details it seems more like blackmail.

If what is reported here is the unaltered truth, claiming that he cut off access (as it is stated it sounds on purpose and he knew what he was doing) then the guy is unethical and deserves what he gets.

The fact that he cut off critical communications from the network here is the real issue. He’s trying to justify a password policy as the real reason why he couldn’t provide the password, but in essence he was acting as a virus himself. An infection – if you will – that deserves to have himself a little alone time in a prison cell to think about the root of the situation (maliciously denying business required access).

What exactly is the purpose of passwords then ?

Putting Admins behing bars for doing their jobs ?

Extremely counterproductive to say the least… Unless you happen to be a lawyer or judge.

It was never the administrators (Childs) job to determine who has and who doesn’t have access. That up to the bodies that create and set policy. It was only his job to enforce the policy. And without the full details of said policy, I can presume that it didn’t give him sole and complete control over the network. Childs was simply trying to get away with not having to comply with the request to relinquish the passwords in a foolish attempt to save his job.

Without knowing some additional information, I don’t believe that it’s possible to give an opinion one way or the other. For instance… what does the security policy for the City of San Francisco require its IT personnel to enforce as it pertains to passwords? Was he acting on his own initiative and/or interpretation of best practices? Was he following procedures as set forth in the security policy? Did he consult with the IT Director for guidance? It seems to me that the details surrounding the whole incident, or series of incidents, were given to the jury at the trial but not the readers of this article. Without that data, the opinions of those readers are not valid.

It could go either way, depending on how you value this employee. Protecting a network from unauthorized use is a staple of a network admin’s job. Even if the folks attending that meeting were allowed to know those passwords shouting them to an open mike is not the preferred delivery method. There has to be some accountability with the password distribution. He could have sent them via email which would enable him to include a privacy statement, as well he would copy his superiors to ensure someone in charge is aware of what has transpired. The fact he didn’t do that could mean he is just inept at his job, or, he in fact is using this as an opportunity to bolster his value, OR, he is holding the company hostage. I’m not sure how you would ever know for sure. Based on the information you provided in the article, I think the jury may have been swayed by prior acts.

He should have said NO in the meeting, but explained why and then told the folks who wanted it that they would have to talk to his supervisor.

He then should have immediately doc’d the situation, called/e-mailed his supervisor (with the notes), cc’ing everyon in the meeting. This would have gotten it totally off of his plate.

Either his supervisor would agree or they’d disagree and he would then give the folks his supervisor had put in WRITING the passwds.

Unfortunately the bottom the line is CYA while trying to do the correct thing.

I think stupidity/inexperieince/reallyWantingToBeIndispencible makes him guilty :/

Give the guy a break, he was simply following the best practices for a network administrator.

I would have done the same thing had it been me. I would have agreed to give them up only to the authorized personal after ending the conference call. Not putting them out to just anyone!

The admin should have asked for the request in writing and countered with his written warnings that management’s actions were a bad idea (CYA). If management further insisted, he should have handed the passwords over. If he was truly disgruntled, giving management what they want is the safest and fastest way to punish them for being idiots. If management then gave out the passwords unwisely and the system was compromised, then the admin would be able to say I told you so and have lots of job security cleaning up managements actions. The problem is, most IT is on salary so the admin would likely spend days on his time, so management would not be sufficiently punished for their actions. Maybe in the CYA he should have a clause for OT if the admin was right and management was wrong.

Given that the prosecutors in the case entered into evidence a list of one hundred fifty usernames and passwords for the city’s networking infrastructure, thus placing that extremely sensitive information on the public record, I have a very hard time thinking Childs was wrong in his estimation of the security issues around divulging the passwords to begin with.

On the other hand, I’m not impressed with his action in unilaterally changing the credentials on the city’s networking infrastructure in the first place, something in which he presumably circumvented or ignored whatever policy exists for password management. That’s the sort of thing which makes me suspect that Childs really did find out he was going to be laid off (something which, as a network administrator responsible for the communications systems used by the city’s personnel department, he’d likely be in a position to hear about ahead of time) and decide to arrange himself some additional job security.

Or, to put it another way:

“Was Childs a disgruntled admin who held his employer hostage, or was he simply doing his civic duty in refusing to broadcast passcodes that would give a group of people access to the network he maintained?”

As far as I can tell — both!

Now every network in the world is unsecure. If their IT Admin has to give over Passwords to any one in his organization just for asking…

What Happens when the Banking industry gets screwed becuase some Scared IT GURU is influenced to give over passwords to just anyone in his organization..

I sugest: There should be a three man/woman team to handle passwords in an organization each one responcible for them as if they were top secret military documents and only disclosed when two or more are present and agree that those in need are authorized.

But in the above case, I would have to say he was doing his job. Its his employers job to implement policy was he following company policy, was he indeed the sole person responcible.. if so it was poor planning on his employers part.

But oh well.. Glad I am not an IT person..

I was always under the assumption that even a CEO could not get his companies Passwords unless he was authorized in advance in some way..

A password is like a key to a door.
If my employer gives me a key, or multiple keys, to doors that are owned by the employer and then later asks me to give those keys to someone else, I must give the keys to whomever the employer wants me to give them to.

I might disagree with the employer. I might worry that things will be stolen as the result of my actions. However, I have no right to refuse my employers wish. The employer may be doing something stupid or reckless but unless the action is illegal, I am required to do it.

Refusal could be grounds for dismissal and perhaps grounds for legal action against me for harming the public or the business. It is very possible that the person should do some time for his crime.

Terry Childs was wrong.

His job is to protect the network from UNauthorized access. It is not his network and he does not have authority to determine who is authorized and unauthorized. It is clear that he was not told to block access. Also refusing a direct request to allow access again is criminal.

If his superiors told him to allow access to the entire world he should do it. He should advise them that it would be a colossal mistake but he still has to do it.

As an Admin for my company, I store all passwords and other critical/sensitive information in a binder that is stored in a fireproof safe with very limited access. Those that have access have no idea what that binder is but understand why it is there and when it should be used.

AS far as the IT guy not giving out the passwords, IMO I would not have given them out either. I would have done a better job at making sure that what was being requested of me was on a higher level, and not dealing with a bunch of people, just those that needed it.

I think that there is more to this story than what is being told. As an IT guy for many years, I have learned to never trust upper management, for they will burn you for their own personal gains, and even a laugh.

Obviously holding SF hostage. I read more details on this story, and being a network admin, he had the city’s routers running from running config and never saved the configs to the NVRAM. If anyone had attempted to access the physical device for a password reset, the config was gone on reboot. This was a house of cards he built and holding a city hostage. TFTP and some startup configs would have reloaded the the running config, but never revealed the password. Its a very secure network. Agreed. But if your boss asked for the keys to the kingdom and you don’t relinquish, expect to be on the sidewalk. The logic is flawed that he’s protecting something that he obviously isnt going to have any control over.

If you ask me, it should not be up to the network admin to decide who is or is not privy to passwords, this is at the discretion of management. There should be policies in place to control who gets access to confidential information on the network so that it’s not left to be decided by the net admin. The network admin’s role here is to adhere to and enforce the policy, but not to make the policy. If there was no policy in place, he was still in the wrong to make the decision on his own, there needs to be upper management involved in the decision.

Good old America for you… apathy is encouraged and vigilance is punished. Gotta love that.

Terry’s manager appears to be missing in action here? The manager should have been able to give authorization to release passwords as appropriate. If Terry disobeyed his/her direct supervision then Terry desirves what Terry gets but otherwise this is a complete lack of leadership.

i think he was doing his job as an I.T. admin, after all it’s his responsability as to who would be authorized to get other users passwords, he should have asked for a signed doc giving him the ok to release those passwords to back himself up in case those passwords were let out later on.

I wonder -

Did he have a chance to say the he would turn them over to some single person, clearly above him in the management chain, if directed to in writing? Childs would write a memo clearly stating that he considered exposing the passwords more widely to be inappropriate but was transferring that decision, under orders, to his boss. Once Childs had that signed document, he had more than met his obligations.

That person could then decide who to share them with.

What i want to know is why don’t they show his face??? Why?

My Take,

This would appear to be a situation of the punishment being fitted to the intention not the crime. This guy, based upon his past, has questionable actions, however, if he is actually operating within the code and protocol of his position the guilty verdict is not appropriate. The flip of this would be a free pass for all keepers of the network gate to hand over access to whomever wants it as they would not want to violate the precedent of the law.

You don’t have to like a person to find them innocent. If after any trial a juror states “I went with an innocent verdict even though the defendant most likely committed the crime but the prosecution failed to prove so,” the legal system has worked.

Regards,

Cecil