Network admin gets jail time — for doing his job?

A former network admin is facing up to five years in prison. His crime? According to him, it was refusing to hand over passwords to folks who weren’t authorized to use them.

Terry Childs worked as a network administrator for the city of San Francisco. In 2008, he blocked access to critical parts of the city’s network and refused to turn over the passwords to city officials. He was arrested, and revealed the passwords only after spending several days in jail.

In the meantime, employees were unable to access police records, payroll data and other information.

After the incident, it was discovered that Childs had several criminal convictions before San Francisco hired him — including counts of robbery and theft. According to the city, Childs was disgruntled because he found out his job was in jeopardy and was trying to make himself indispensable to the city’s IT department.

But the admin painted a different picture of the situation: He was simply doing his job by protecting the network.

He claimed he was first asked for the passwords in a meeting that included a police representative, a Human Resources staffer and some unseen engineers on a telephone conference call. He refused, on the grounds that some of the folks present weren’t authorized to access the network, according to an InfoWorld interview.

In addition, he was afraid the passwords might be shared with other members of management or outside contractors.

In other words, Childs claimed he was simply following the best practices for a network administrator.

However, a jury didn’t see it that way. On April 28, Childs was found guilty of a felony charge of denying access to a computer system, the San Francisco Chronicle reports. He faces a maximum prison sentence of five years, though he’s expected to spend, at most, a few months in jail before parole. Sentencing is scheduled for June.

What’s your take on the story? Was Childs a disgruntled admin who held his employer hostage, or was he simply doing his civic duty in refusing to broadcast passcodes that would give a group of people access to the network he maintained?

Leave your thoughts in the comments section below.


  • Chris

    Mike, yes…but it’s not that straightforward. The City certainly had the right to expect access to its property. The question is, who rightfully had the authority to request that access on behalf of the city?

    I don’t know the details of this case, and I don’t know what policies might exist for the City, but I’ve worked at plenty of organizations where by written policy and sometimes even explicit directive by the CEO/Board, my supervisors were NOT allowed access to resources that I had administrative oversight over. That’s not an uncommon situation for Admins. Under those circumstances if a supervisor comes to an Admin and demands access, and you give it to them….then the Admin exposes himself to liability for breach of policy.

    It’s a really crappy situation to be put in. That’s why it behooves management for organizations to have well designed and explicit access policy (something which a lot of organizations fail at). It also serves as a cautionary tale for IT Admins….even though it’s really management’s job…you want to make sure that there is a well defined access policy in place and that you are familiar with it. If there are areas of it that look problematic, then you probably want to proactively press for written clarifications of those areas before you get caught in a Catch-22.

    The bottom line is that regardless of whether Childs was guilty or not….It’s an utter failure of City management to have an Admin that even gets into that situation in the first place.

  • Brett

    There’s got to be more to the story. What preceded the conference call meeting? Why was a cop in the room? I suspect this meeting was preceded by aggravating circumstances.

  • Mara

    It is very obvious to me that the administrator overstepped boundaries. It seems to me that authorized personnel were not permitted to access parts of the system that they already had access to, due to the block that the administrator placed on the system. Now, whether or not passwords were requested becomes inconsequential because by taking this action the administrator put himself in a worse position than just refusing to supply passwords.

  • Chris

    Best Practice would have been having the passwords available to another person designated by the process owner (he/she responsible for strategizing IT services to the company and developing policies). This person exercised *good practice*. Based on his role, he should have provided the passwords to his manager; his manager had them changed, and therefore removing himself of all accountability. In the end, it is the process owner who is accountable, and his boss who is responsible. I hear a lot about best practice these days, but rarely see any maturity showing consistent good practice (as a basis for even considering adopting best practices). So, from what information I can see here, he was definitely serving his own interests. The jury reached a correct verdict.

  • tony

    He’s an ex con so obviously not a goody two shoes. Forget the good practice, bad practice bit. It’s obvious he’s playing games. If you end up in a meeting with police representatives and no-one can access the network because you are the only one with the passwords, then you are either a fool for not sharing or you enjoy winding the authorities up. Either way he sounds like someone I wouldn’t want in my department.

  • Lawrence

    I also feel that there is more to this story. I feel that if he was able to give the passwords, he should have, but 5 years in prison from holding passwords? Not only that, but why is he the only one with these passwords? There is no other person (i.e., supervisor, director, etc.) who has access to this information. Fired yes! Jail time? No!

    LJ.

  • RB

    I can’t believe nobody remembers this story. I remember this being reported in the news. There were multiple people who had the passwords. He (Childs) changed all of the passwords and would not give them to anybody else, even those who should have had them. He was holding the City hostage because he was afraid he was going to lose his job. Bottom line, he got what he deserved!

  • John

    Two wrongs do not make a right and five is no closer.

    Wrong: Hiring a person with a felony theft background to manage public data systems.
    Wrong: Entrusting a single person with all of an organization’s IT security data.
    Wrong: Asking for admin passwords to be divulged verbally in a group setting.
    Wrong: Putting traps in place in a data system that block authorized activity.
    Wrong: Holding someone else’s data hostage until you spend a few days in jail.

  • Taye Cook

    I like what Joseph said….if one, or more of my supervisors was in the meeting, I’d have written the password(s) on a slip of paper, given it to my boss, then let him decide. If the password(s) had to be spoken, no one could say I’d opened my mouth.

  • Anonymous

    Insane. I agree with John – at every step of the way, it was an example of worst practices. Actually the only correct thing was not broadcasting sensitive passwords wholesale over a conference call….. however, that doesn’t mean he shouldn’t have shared them in a more discreet manner with the appropriate persons. He was looking for an opportunity to blackmail the city…. again, wrong, wrong, wrong.

    I think the whole lot of them should have been locked up together until they learned how to play nice.

  • Wyatt

    No one can make an informed opinion about this story. I personally think the writer had this question in mind before they even started writing this story in an attempt to create some form of buzz about it. Five years and found guilty by a jury, there are so many details left out, this is not even a story. What this story should be about is why this individual was put in a position of trust (protecting public records) based on his past record.

    This is like one of those stories, my friend of a friend’s uncle’s wife’s sister worked in this building, we they said…. and you can make up the rest from there.
