Terry Childs -- Will the true story ever be told?

Terry Childs, the net admin arrested on July 12, 2008 for disrupting San Francisco's wide-area network, still sits in the City of San Francisco's county jail. But is he guilty of what he is accused of, or was he just doing his job?

Terry Childs, the net admin arrested on July 12, 2008 for disrupting San Francisco's wide-area network, still sits in the City of San Francisco's county jail. He says he did nothing illegal while working for the city and argued that his actions, depicted as criminal, were in line with standard network security practices.

According to this piece from InfoWorld, a court filing made back in late July opposing the bail for Childs claimed the following:

  • Childs configured a number of routers and switches with 'no service password-recovery,' which would prevent anyone from recovering the passwords without losing the IOS image and configuration.
  • He removed the start-up configuration from some devices, leaving them operational via the running config, but they would be lost during a power outage or reboot.
  • There were various methods that Childs could have used to gain access to the FiberWAN, including "wireless access devices to different departments."
  • In his work area and home, they found lists of usernames and passwords, including the password of his supervisor. He also apparently had installed sniffers on the network.
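An added example, not part of the original article, the InfoWorld piece or the court filing: a small Python audit that checks collected `show running-config` and `show startup-config` output for the two device conditions named in the first two bullets. The device names, sample configs and the list of ignored volatile lines are constructed assumptions.

```python
import difflib
import re

# Lines that differ between the two show commands without any real change.
# (Assumed ignore-list; extend it for your platform.)
VOLATILE = re.compile(
    r"^(Building configuration|Current configuration|Using \d+ out of \d+ bytes"
    r"|! Last configuration change|! NVRAM config last updated|ntp clock-period)"
)


def normalize(config_text):
    """Drop blank lines, bare '!' separators and volatile header lines."""
    kept = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or VOLATILE.match(line):
            continue
        kept.append(line)  # leading spaces kept: IOS indentation is meaningful
    return kept


def password_recovery_disabled(running_text):
    """True if the global 'no service password-recovery' command is set."""
    return any(line.strip() == "no service password-recovery"
               for line in normalize(running_text))


def startup_missing(startup_text):
    """True if NVRAM holds no saved configuration."""
    body = startup_text.strip()
    return not body or "startup-config is not present" in body


def unsaved_changes(running_text, startup_text):
    """Lines that would be lost ('+') or would come back ('-') after a reload."""
    start, run = normalize(startup_text), normalize(running_text)
    matcher = difflib.SequenceMatcher(a=start, b=run, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes += ["- " + line for line in start[i1:i2]]
            changes += ["+ " + line for line in run[j1:j2]]
    return changes


def audit_device(name, running_text, startup_text):
    findings, diff = [], []
    if password_recovery_disabled(running_text):
        findings.append("password-recovery-disabled")
    if startup_missing(startup_text):
        findings.append("startup-config-missing")
    else:
        diff = unsaved_changes(running_text, startup_text)
        if diff:
            findings.append("running-differs-from-startup")
    return {"device": name, "findings": findings, "diff": diff}


def audit_all(samples):
    return [audit_device(name, run, start) for name, (run, start) in samples.items()]


# Constructed sample output for three hypothetical devices.
SAMPLES = {
    "core-rtr-1": ("""Building configuration...

Current configuration : 1042 bytes
!
! Last configuration change at 10:02:11 UTC Mon Jul 7 2008
version 12.4
no service password-recovery
hostname core-rtr-1
!
end
""", "startup-config is not present\n"),
    "dist-sw-1": ("""Building configuration...

Current configuration : 1010 bytes
!
version 12.4
hostname dist-sw-1
!
interface GigabitEthernet0/1
 description uplink to dist-sw-2
 ip address 192.0.2.2 255.255.255.0
!
end
""", """Using 988 out of 262136 bytes
!
version 12.4
hostname dist-sw-1
!
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.0
!
end
"""),
    "edge-rtr-3": ("Current configuration : 300 bytes\n!\nversion 12.4\nhostname edge-rtr-3\nend\n",
                   "Using 300 out of 262136 bytes\n!\nversion 12.4\nhostname edge-rtr-3\nend\n"),
}

if __name__ == "__main__":
    for result in audit_all(SAMPLES):
        print(result["device"], result["findings"] or "ok", result["diff"])
```

Run against configs pulled by whatever collection tooling is already in place; a finding is a prompt to check whether the setting was approved and documented, not a verdict on intent.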

The author of the InfoWorld piece, Paul Venezia, makes some great points both in support of and against these claims. Venezia followed the case closely, which culminated in his actually conducting an interview with Childs at the jail.

It makes some interesting reading and poses the ultimate question: Was Childs actually committing a crime, or was he just doing his job, becoming a victim of the worst case ever of company executives not understanding just what IT does?

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

141 comments
hemanruss

I can tell that the above comments are made by people that do NOT understand networks.

lordtemporal

Terry Childs may be incompetent, but the first 2 charges don't make any sense (at least on Cisco routers). He should get a medal for the 1st charge (I didn't think this was even possible), so long as there was some backup image (if not, then he's an idiot). I don't believe the second claim - sounds like he just forgot to save the settings (copy config). Thirdly, you NEED sniffers on the network. The "list" of usernames and passwords were probably electronic, but because he did not save them in a secure file (I presume), then he should just be fired. Since most routers have only 1 or 2 passwords and they are often shared with multiple admins to ease the great burden of management and reduce downtime (caused by spending inordinate amounts of time looking for a password!), most NW managers will know the same PWs. I have some of my boss's passwords by necessity (for troubleshooting account-profile-specific problems on machines that an admin account will not do - this is unfortunately still necessary today). The other charges are speculative and sound like BS coming from an over eager prosecutor more interested in brownie points than the Law. A darker motive for pressing charges is to get rid of him by discrediting him to replace with someone else (perhaps a relative of the family in power - I mean, we are talking about the same insidiously corrupt San Francisco, right?)

pgabhart

I read the story about Childs here http://weblog.infoworld.com/venezia/archives/017938.html I thought it was interesting that among the other things the city claims they found at Childs' house was "... a 9mm clip and .45 caliber ammunition." Are we in the U.S. now living in a world where it is inherently suspicious to have ammunition? What was the point of the city adding that comment? Oh, I forgot. In San Francisco you are a suspect character if you believe you have a constitutional right to protect yourself from criminals.

melekali

...I would want my admin to be knowledgeable enough to have sniffers on the network which can be used to actually protect the network. These charges really reflect a lack of understanding of security and of security policy. Did they have a written security policy that outlined these configurations? That could make all the difference. If not, this does not prove he was doing anything wrong. The burden of proof is on the accuser, not the accused. This is bogus! I find it odd that he would need a list of usernames and passwords at his house. The other setups are fine assuming he has the configurations locked up somewhere should there be a problem so he could reload them. This would definitely increase security.

nateorme

If this were done in another city, the liberal powers of San Francisco would deem Childs a "people's hero." He does it to SF, and he's thrown in jail, just like any "conservative" city would do.

dcollins

His bosses need to be sitting in jail with him. It is negligent to allow someone to be the sole gatekeeper of the IT information. They allowed him to run the network in this fashion and forced the situation to stay this way by relying solely on him. It will probably cost a ton to recover from being "locked out" of their own systems, but they deserve to pay if he is to be held in jail. Having been the system administrator of a bank, and now the manager of a large IT support firm, I can say this scenario is not uncommon.

ScarF

From what I have read about this case so far, it looks like Childs did his job and he also made some mistakes - I also wrongly configured one router once, being unable to access it without resetting to the factory defaults. This doesn't make him a criminal. This is only in the minds of the persons without technical knowledge. That is why I am actually amazed about the IT techies who run to convict him as a felon. And, I am sure that the bigger the voice, the lesser the IT knowledge. In my opinion, Childs did nothing else than any other netadmin is doing in his normal work. Following a gray line dictated by the need of efficiency and trust. Keeping a list of passwords? Normal practice in many businesses to avoid filling your memory with junk. Modems connected to some routers? Mandatory practice for gaining access to an unresponsive network. The point is: did he actually do something he may be convicted for? The network wasn't down a single second. There is no information lost or given to third parties. The only thing I see here is the big lack of tech knowledge proved by his supervisors. Another bunch of idiots trying to cover their own stupidity by pointing fingers to a scapegoat. I've seen so many guys like these supers doing nothing else but rotting in chairs and fighting to hide their inability for anything. Anyway, a lesson is to be drawn from the Childs's story: From now on I will call my lawyer for every job, for every company - private or public. F*ck'em. FYI: http://weblog.infoworld.com/venezia/

scarville

One and two above are not that uncommon in high security systems. Configurations are revision controlled with the hardware configured to load individual configs with bootp or dhcp. See below for the wireless access. The password lists seem suspicious until I considered what passwords are we talking about? Are the network systems configured to use telnet? AFAIK, the city's network is Cisco which has supported ssh V2 since 12.1. That was at least four years ago. Did the supervisor know the difference between telnet and ssh? If not why the frell is he supervising the Networking Department? That doesn't pass the smell test. Childs is actually being charged with one count of "disrupting or denying computer services" and three counts of "providing a means of accessing a computer, computer system, or computer network in violation of section 502". The first charge describes a DoS even though the WAN was never down during the time in question. Refusing to give up the passwords for several days caused no disruption of the normal operation of the FiberWAN. It did prevent the network from being modified or extended but, if you recall, Childs believed the people demanding the passwords were not competent. Cause for termination maybe but a crime? The last three charges stem from his having two analog and one DSL modem. The first analog modem was used to send pages to a city-issued pager if there was a problem. That is certainly not unusual. The DSL modem predates Childs' employment and was used to test VPN connections and other resources offered to telecommuters. Childs stated this was never connected to the FiberWAN and one of his former assistants verified this. The last analog modem was there to communicate with a disaster recovery site. Childs argues that it was a fallback in case of a failure of other connections. This is a bit unusual but, if you've ever designed a DR site for an earthquake prone region (I have), you probably added a modem and for the same reason.
No mention of "wireless access devices" and significantly, the computer tampering charge which originally justified the $5 million bail is missing. A lot of what a sysadmin does is based on trust. Bruce Schneier once observed that the difference between a burglar in your house and the cleaning lady is trust. Maybe Childs deserved to be fired -- I don't know -- but as near as I can tell the criminal charges are bogosity squared. I think the City and the DA's office tried this case in the press and, now that they cannot come up with the evidence, are desperate to cover their butts.

bernalillo

The passwords are the property of the city, not Childs, just as the combination to the vault belongs to the bank, not the locksmith. Just as the corporate credit card numbers belong to the company not the executive they are assigned to. Ever read an acceptable use policy? All work done on business/gov/etc systems belongs to the business/gov/etc. This applies to the IT department too. If the city council wants every password posted on the internet I would hand them the list on my way out the door. We are custodians of the technology not higher authorities. It disturbs me to see so many people here supporting him. Maybe the public needs to crack down on our industry a little just to prevent the runaway ego effect IT seems to have on a small but significant percentage of its members. Childs just confirms some of the uglier things sometimes said about our occupation. If an accountant were to change the pin numbers to the government bank accounts he should be in jail too. On the face of it Childs is a paranoid, geek, crybaby with delusions of grandeur. Enjoy your stay Childs.

PVBenn

Terry Childs got caught doing what I've seen a lot of insecure, controlling and incompetent Net admins do, try to make themselves indispensable and looking at data/information they have no reason to. Both are signs of trouble. He went too far and has gotten what he deserved.

wscogg9

Even in a small company make sure someone else knows everything you do and has admin access to everything you do in case you die unexpectedly. Sounds like a smart guy with no ethics or business sense who should have had supervision and evaluation a long time ago.

Zpunky

When something in this city stinks, it's almost ALWAYS this city's dysfunctional politics (e.g., sanctuary for illegal immigrant criminals, prioritizing the health care of illegals over citizens, allocating mass transit funds to minority-bicyclists, instead of the majority-mass transit users, the Board of Supervisors negating a citywide 2/3 majority vote on condo conversion rules, and on and on and on). We will never get the whole story, but the moral is (thanks Will Nelson) "Know when to hold 'em and know when to fold 'em." It appears he took his job seriously but didn't know when to say F*** 'em, and let them screw themselves because clearly, he really could have. He just ended up screwing himself. I'd be interested in seeing an independent panel of security experts evaluate his security plan, without knowledge of his antics, and read their opinion.

jeno.mozes

Reading the article for a second time. I am curious how many of you do this? Have other username/password written down (non infrastructure)

chaz15

Good network practice 'requires' recording essential information for someone else if necessary to take over the job. BUT day to day pressure often results in senior network staff not having the time to keep full records and instructions because of lack of funding for extra staff. In Terry's case, the real point is whether he handed enough information over, or agreed to provide this promptly when he was removed from his post, or whether he was indeed even ever given this opportunity. However, being placed so it seems in an impossible position by his employer, may have made him naturally hostile to his employer. BUT the crux of the matter is that his employer is obviously VERY ignorant of commonplace network practice, and falsely accused him in the first place of improper and criminal practices. That is manifestly NOT so, but we seem to have a legal system that is also almost entirely ignorant of common (and sometimes best...) IT practice. Securing networks adequately seems to carry risks of criminal prosecution by a vindictive (or ignorant of IT) employer. This seems to be criminal ignorance by his ex-employer in NOT FINDING OUT if such practices are a normal (or even best practice) part of large network operations. No he should not be in jail, and no, he is not a criminal, perhaps just naive (or very time-pressured, as seems MOST likely) in not keeping full on-paper records....

drbayer

From what little I've followed this story, it sounds like he is an old school admin/engineer. He is probably the type that is very good with the equipment but lacking in soft skills like personal communication. To address some of what I've read here: If this was a pre-production environment that was prematurely forced into production, that mitigates some of the debated technical issues. If the physical security of the equipment was insufficient or non-existent, I can understand removing the configs from the equipment. For better or worse, documentation of pre-production environments typically leaves a lot to be desired. Was that on his to-do list? It sounds as if security policy was poorly documented and/or communicated. If change management policy was in the same boat, I can see why he may have been lax in communicating changes and documenting implemented security, particularly in someone with less-than-optimal interpersonal skills. Having password lists is a big no-no, particularly in an off-site unsecured location. For today's engineers it's expected that we know not to do that. Old-school engineers frequently were motivated more by the "let's see what I can see" mentality. This does not make it acceptable, but gives a possible non-nefarious explanation for the actions. All in all, we (the public) don't have enough info for informed opinions. Media tends to be biased (for or against, doesn't matter), and the city is loud making it difficult for Mr. Childs to be heard (particularly if he really is lacking in social niceties as I suggest above).

john

I think that he was doing his job. You can say that he went a little overboard with security but maybe he had some slow time at work which allowed him to think about how to better secure "his" network. This thing appears to bring up 2 problems with people. I agree there should have been a second person with the password or maybe even his wife (assuming he had one) may have had an "in case I die, give this to the mayor" kind of thing. Why did he give the mayor the password? Well if he felt the management was too incompetent to handle the network and didn't want to give the password to them so he told the highest person in the chain, the mayor. Of course people say well he is going to turn around and give it to the same people he didn't want to give it to. Yes, you're right, but now he can not be held accountable for giving monkeys the key to the city... the mayor did.

david.reed77

I can see where he was following orders from his superiors. It depends on what kind of relationship he had with those or that one person over him. Also what was his attitude toward the subject. If he thought it was dangerous to do what it was they were asking he could have found an outlet for his concerns.

bryan_es

It truly sounds to me like Mr. Childs brought much of this on himself. For starters, he has absolutely no legal right to purposefully configure and withhold access information demanded by his management. Deleting the startup config is NOT a standard security practice. The fact that he purposefully configured the devices to be unrecoverable (ignoring common authentication tools such as TACACS and configuration management) demonstrates his malicious intent. The fact that he is a CCIE only further evidences that he willfully and knowingly violated best practices in an attempt to secure his own little kingdom. Had he shown some leadership in addition to an ability to pass tests, he would not have had to work those long hours. No sympathy there. However I'm not sure they will get a felony computer tampering charge to stick for a guy trying to hide his way into job security. His access was authorized and I believe they will have trouble proving motive and intent. I think at most, the city might have a successful civil case here. Whatever the outcome, it will set a precedent. That said, to all of us in IT, this is proof positive that hoarding knowledge and being the only one who can do something is no guarantee of job security. Being exceptionally good at what you do and being seen as a leader will help ensure large paychecks well into the future. Unfortunately for Mr. Childs, he was neither.

harrylal

In spite of the limited facts available, there is enough blame to go around for him and his supervisor. The old adage of absolute power corrupts... comes to mind. What responsible company has an employee take in cash receipts also make the bank deposit (with the exception of the owner perhaps)? It is just a bad idea and too much temptation for wrongdoing. There should have been more than just one individual who had that kind of ability over a system and a way to be properly audited. It's unfortunate that it happened but provides an opportunity for all to learn and make adjustments to avoid this situation in the future.

Bob Raffo

Childs' alleged actions are not "standard" in any well run IT environment. The role of an IT professional is to mitigate risk. If the "facts" bear out that he purposefully created risk and vulnerability - then perhaps a criminal charge is appropriate. However, if the facts bear out that he acted in good faith - no matter how incompetent he may have been - then criminal charges are out of the question. Criminalizing poor job performance will lead to very serious consequences. Think about the next time your backup does not restore properly - will you go to jail?

jszivos

Just an admin on a powertrip. He deserved to be fired not thrown in jail...

trichardson

It was obvious he was bent on revenge. I think his supervisor should be fired for incompetence because with a network like that outside security auditors should have been dropping in unexpected to audit security on the network.

ppostma

As an admin, you can't make up your own rules. You can't take passwords home. You must voice your concerns and plans to your boss and have the organization create a policy for security. No one person can make up the rules. If the password system is weak, tell your boss you want to run a cracker to check it and provide a report of the results. I am not sure he deserves jail, but I would be comfortable firing someone that went this far beyond the rules. No rogue admins! You can't mail someone anthrax just to show how weak the system is.

dawsfive1

In the grand scheme, he was just an employee, not the owner. Negligence is grounds for termination, malicious actions and intent are liable. In jail is where Terry belongs!

ITAuditGuy

On points one and two: Does he have permission to take those actions? Was it specified in the policies, standards, or procedures allowing him to take such actions? If not mentioned in those documents, did he obtain permission from someone with authority or, in the worst case, at least from his immediate superior? These are simple concepts of InfoSec. He is just not allowed to do those activities without authority or without the knowledge and approval of someone with authority. On point number three: Off the top of my head, I can't think of anything wrong about him being able to gain access to the FiberWAN unless there is a specific reason he is not allowed to. Was it specified in the policies, standards, or procedures disallowing him to take such action? Did his superior specifically deny him access? On point number four: There isn't really any good reason why he should have lists of usernames and passwords. To know others' usernames and passwords is just wrong in the concept of InfoSec. Use it or not, it is hard to prove that you did not use it or that you have no intention of using it. So it is just plain better to not have proof that you know them. Finally, the case of installing sniffers on the network is just like the point I made on points one and two. Surely it is not on the approved software list, without any strings attached. By just relying on the information above, I would say he did a lot of things wrong. His actions, clearly, were not in line with the concept of InfoSec and I highly doubt that they are in line with any standard network security practices. His motive is in question and it is just hard to prove that it is innocent.

niko.stas

In my eyes it is absurd to lock somebody up for such actions. It's not even clear if he was doing (trying to do) his job or trying to do something illegal. It looks like he was up to something. But still... jail? I mean, just fire him and when it is proven he was trying something illegal, a big fine would be a big enough punishment, but jail breaks people's lives forever. He was working for the government, and when we look at for example the police, when they use excessive violence (which is a much greater crime IMHO), they almost always just get transferred (even with decisive evidence) to do it all over somewhere else. This punishment is way out of proportion, especially since the alleged crimes do not seem proven. This is also a very dangerous precedent... when you make mistakes (willingly or not) at your job, you end up in jail... good luck, network admins.

zamorajz

If he followed the practice of change management and release management then you would not be writing this article. A solid change management process would have gotten the appropriate approvals to make these changes.

Dr_Zinj

First, the sources of the allegations, the sources of the so-called evidence, and the descriptions of the situation are horribly biased, self-serving, incomplete; let's just say there is a heavy heaping of the government of San Francisco doing its best to bury the truth and cover their own butts. Second, the entire SF metropolitan area network was, and still is, a massive work in progress. There is no handbook or set of hard and fast rules for every situation in the system. Every knowledgeable network engineer and administrator knows that in a large system, there are going to be places where you make deviations, either temporarily or permanently, trying to find a combination that works. There may be valid reasons for the config files being removed from some systems. I'd look for sticky notes around Childs' offices, or shirt or pants pockets, or maybe next to his washing machine at his home. Third, from very personal experience, good documentation is the first thing to go out the window when management cuts I.T. positions. When managers get into the "just fix it mode" and there aren't enough bodies around to give you the time between crises to write up the problem, much less the fix, it doesn't get done. This is EXACTLY the situation with the managers over Mr Childs; and is perfect motive for them to set him up as the fall guy. From what I've gleaned out of all this, Terry Childs is not a megalomaniac with delusions of godhood or grandeur. He's a good engineer, with a conscience, and enough personal integrity and guts to stand up for what's right at great personal cost. And he's going to be destroyed by the corrupt people in charge as soon as they feel confident that he's been forgotten by the world. How many of you would REALLY risk your jobs, your homes, your family's livelihood, your freedom to take a stand about deliberate, unethical behavior of your employers?

Bill_CA

Did he lock it up so that if he was hit by a bus, no other admin would be able to get into the network? If so, he did some improper things. However, if another network admin was able to administer the network in his absence, that's a different story. As to the passwords kept at home, one wonders why that would be. I'm not sure if he's a criminal, but maybe a control freak.

HAL 9000

And even scarier is the way that these people believe what they are told by one side with a Vested Interest in not looking Guilty or just stupid and Expensively Incompetent. :D Trial by media is certainly alive and well with the majority of the above posters being unable to comprehend that the Media may be getting things wrong or just maybe that those making the claims may not be all that knowledgeable and then with that error is being compounded by the way that the Media is Interpreting their Outlandish Claims. :^0 But I like the way that to many Network means what they work on and not what was in use here. :) Col

julian.white

He needs to Document his deployment - even now. If Childs is none other than a paranoid and perhaps lazy admin that crossed wires with his managers - then this case should be dismissed. No criminal intent/activity = no case for your crown. Negligent employee perhaps with best intentions working with a nonexistent supervisory structure. But he should be made to document why he did things the way he did. And the employers should be ordered to review their management / Enterprise policies. Any good lawyer knows one must write things down. I find his strategy to "hose" the IOS interesting, but before we judge, were some of the routers in question, like someone said, secure physically? Perhaps he had a system in place in case of theft or power outage; in the latter he could load the config via remote console in seconds and the system is away again. And if thieved then he's saved the city from some crim knowing about the wan. Let's face it, it's not hard to break an IOS, *nix or NT with physical access. As for passwords, again this may come down to policy (or likely lack of) in place and mutual trust. I once was the chief sys admin of a govt institution and they explicitly told me not to store passwords on the system and there's to be 2 "train smash scenario" hard copies, one for the director and one for myself to store securely. My company has passwords stored (securely) offsite, in case our office burns down and requires using backup etc. My manager knows this, and also knows I don't know people's passwords either - someone mentioned any good admin doesn't need user passwords to troubleshoot and I agree. Besides if he only had passwords to the wan then what's the big deal unless he was "hiding" some torrent/dodgy ssh box somewhere on the wan (aka criminal intent) - he's merely a complete idiot for not documenting his deployment and not cooperating with his employer in good faith.
It may turn out he was hiding dodgy behaviour or simply just being overly protective of the wan and had public safety interests to protect. Be interesting to see where this case goes. All admins/analysts must document their work, this protects us but also protects the company (think employees and public here too) in a disaster as well.

scarville

Unless Cisco added boot from DHCP recently

DSCtsuru

As mentioned before, T Childs is No Angel. However, the dysfunctional Board of Supervisors (you know, the ones that wanted the free City-wide WiMax rollout... and found no one wanted to pay for it...duh... and the city-wide rollout of free public-access Internet terminals in all public "gathering and business locations" that...again...no one wanted to pay for). Teen Angel Childs may have done them a favor and forced them to give a professional look at the existing IT structure...but for all the wrong reasons and methods.

bernalillo

Keeping user passwords at home is something I would campaign actively against. I find people start getting better at managing passwords after about 3 months. 1 month if it takes a bit for their passwords to be reset. I know of managers that store backups (of unencrypted sensitive data) at their homes. Again, I actively campaign against it, but folks, inertia sucks!

drbayer

We have policies in place (and systems to make them viable) which prohibit anyone knowing another user's password. I know server & workstation admin account passwords, but nothing for individual users. Technology has become sophisticated enough that admins don't need to know user's passwords, and that aids in audit trails, indemnification of administrators, etc. Anyone needing access to the same resources as another user gets those permissions assigned to their own ID, and in my opinion this is how it should be. Even local admin accounts are only used as a last resort.

Zpunky

I administer ALL of the systems and user support in our company... just me. So yes. Not only do I have them written down in a secure place (really helps when configuring customized desktops) I assign the passwords for everyone, from the top down. As for the system passwords (routers, servers, etc.) they reside in a security restricted directory in a password protected file, along with the user password and passwords to all important vendor accounts on a system that appears to be on the network but isn't. And because it is not on the network, this digital file is also kept in a secure location in my home... in case the non-networked system dies. The CFO and one other trusted person have access to this list.

bernalillo

The police may be inept but they could easily charge him with theft in that he stole the passwords to the network. If nothing else the city should file a civil case for that same theft. I can't believe anyone would buy the "He wouldn't give the passwords to anyone who he thought was a danger to the network.".

Beoweolf

It's not unheard of for minimally qualified persons to be forced down upon IT managers, maybe nepotism or your replacement? At any rate, any mistakes they make are still your responsibility to clean up. Locking down the system, enforcing Least privilege to do the job is not always a bad thing or an indication of bad management. I'm sure all of us at one time or another have been called into the office to mitigate the results of some "wanna-be" exceeding his pay scale by attempting to "fix" something that he broke while doing something he had marginal rights to do, but had been instructed not to do without supervision. There are situations that crop up over time which - in a perfect world, should have happened only once. But that's not how business is done in many Govt. shops, there are reviews and politics to impose remedial actions before you can hire or fire. Until that time, a prudent administrator - might, attempt to limit the capacity of the miscreant to damage the system or network.

zamorajz

If he followed the practice of change management and release management then you would not be writing this article. A solid change management process would have gotten the appropriate approvals to make these changes.

HAL 9000

Though the DA has not shown that the person who asked for the passwords was authorized to have them to begin with. If that is the case here Childs did absolutely the correct thing in refusing to hand this person over the passwords. This person then claimed to feel *Threatened* by Childs so using the internal complaints mechanisms abused her position and made an official complaint and added that Childs refused to give her the Information that she asked for. At this point whether she had any right to access this system became moot as those tasked with investigating the complaint had no idea of what should and should not have access to this person they just worked on the complaint as given and it became fact at this point. I will find the eventual outcome interesting if it ever comes to trial but I honestly think that things will be dropped long before that stage and Childs will be given an Enormous Golden Handshake with a Nondisclosure requirement to keep his mouth shut. I did find it interesting from reading the Public Documents lodged just what has been claimed and just how little those pushing this case actually know about what they are claiming but from what has been lodged so far Childs has done no wrong in the legal sense and I would be interested in seeing any internal correspondence from Childs to his superiors in relation to this matter before his removal. It is possible that when the woman freaked out Childs left her alone and was using Photographic Evidence to support his claims. While I don't know this I also don't know that he did anything wrong either and I chose to reserve my opinion till there is more known if that ever happens. Col

bernalillo

Yes, even my two year old has a side when she's caught in the cookies. It's still BS and it does not change anything.

consultmed

It doesn't make much sense to store them on site, does it? If there were to be some disaster at the site all backups may be lost, although I am in agreement that storing the user passwords is a big mistake.

jeno.mozes

Your reply is concise and right to the point. I have never felt comfortable knowing or keeping other users' passwords.

HAL 9000

He stole nothing at all and there was no Data at all involved. The only thing involved was some Cisco Setup Routines which were on the computer that was seized by the Authorities and held as Evidence when they Arrested this person. So effectively the City had the setup Procedures but chose not to use them. The City was manufacturing their own case here and they were prepared either through incompetence or on purpose to go without to make a better case. In a worst case scenario here all that would have happened in a city wide Blackout is that segments of the Optical Fiber Backbone would have dropped out because the devices that enabled these to work were not on Protected power Circuits. There would be no possibility of any of the data getting stolen and if Childs is to be held responsible for not having those Cisco Routers on Protected Power Circuits that would be judicious as the City was the one supposed to supply those Backed up Power Circuits and it's not the developer's fault for the city failing to provide sufficient funds to keep a System like this working through Power Outages. You my friend are Paper Happy and believe that everything can be cured by Suing. Well, I have news for you: Suing people solves nothing and if anything holds back Technological Developments. Col

Datacommguy

Change management and documentation are admirable and wonderful things - *IF* you're given time and resources to do what's right instead of being forced to constantly scramble in react mode. Did he do things that most of us would not do or would have done differently if given a choice? Probably, but the 'facts' we've been given are very likely laundered, filtered and spun by those who had access to the press, and the hints that requests for management involvement were ignored or denied hit close to home and make me want to hear 'the rest of the story'.

bernalillo

Backups inevitably store sensitive information. Storing that information at home is insecure and exposes the owner of that information to loss of confidentiality. Offsite storage needs to be with a bonded and insured business who specializes in it or in another secure facility in a fireproof safe.

melekali

There is no need for admins to have the passwords of any user accounts that are not admin or their own user accounts. Having them at their home really compromises security, as does having them in a password-protected file on the network somewhere. This is very poor security practice and in my opinion is reflective of a lack of experience.

seanferd

I don't know what kind of theft could be involved in a non-production network, even though the inciting incident involved trying to move the network to production when it was not yet ready under the orders of people who did not have the proper authority.
