Terry Childs’ guilty conviction struck a nerve with IT staffers this week.
Here was a man who, by all accounts, was good at his job, though lacking in interpersonal skills. Suddenly, on July 9, 2008, he’s pushed into a tense situation — a hostile conference call with the human resources department, his boss and even a police officer, all listening in, and told to hand over the passwords to the City of San Francisco’s FiberWAN network, which he helped build. He chokes and hands over bogus passwords. Later, he argues that he did this because nobody in the room was qualified to have administrative access to the network.
IT people are used to being held accountable for bad decisions made by their superiors, and some people who’ve read about the case feel some sympathy for Mr. Childs. After all, the city’s network never went down, and Childs eventually did hand over control of the FiberWAN to San Francisco Mayor Gavin Newsom — the only person Childs felt was competent to have the passwords.
“How exactly was he breaking the law?” wrote one Slashdot poster, reacting to news of Childs’ conviction. “[H]e refused to disclose the passwords when the person requesting them did not follow proper protocols.”
While the City of San Francisco apparently did a poor job in spelling out the protocols for handing over administrative control of its network, Childs was still guilty of a crime. A jury found him guilty of breaking California’s hacking laws on Tuesday, and when he is sentenced on June 14, he will be facing a possible five-year prison term.
So how did Childs break the law? We put the question to one of the best people able to answer it: Juror # 4, also known as Jason Chilton. In addition to having listened to countless hours of courtroom testimony, he also happens to be a Cisco Certified Internetwork Expert (CCIE) and a senior network engineer with payroll administrator Automatic Data Processing. (ADP) He’s spent the past five months of his life on the trial, which began jury selection in late November. According to him, there’s much more to the Terry Childs case than most people realize. Following is an edited version of an interview he gave the IDG News Service on Wednesday, the day after the verdict was handed down.
IDG News Service: Why did you find Terry Childs guilty?
Chilton: The law was clearly spelled out for us. Within it there are very specific questions that you have to answer in order to reach a guilty verdict. And within those questions there are certain terms such as computer network, computer service, and those are given legal definitions, which you have to follow.
The questions were, first, did the defendant know he caused a disruption or a denial of computer service. It was rather easy for us to answer, “Yes there was a denial of service.” And that service was the ability to administer the routers and switches of the FiberWAN.
That was the first aspect of it, the second aspect was the denial to an authorized user. And for us that’s what we really had to spend the most time on, defining who an authorized user was. Because that wasn’t one of the definitions given to us.
IDGNS: People who followed the case heard about this conference call with Cisco engineers, and the defense said he was reluctant to hand over passwords to people who were not authorized to have them. There was an HR person in the room, a police detective, and the chief operating officer of his division, Richard Robinson.
Chilton: It was really hard for us to get through that part. We said, “OK, what policies may there have been that defined an authorized user?” Well, the city didn’t have any procedures. There was no policy that was formally adopted that people were supposed to follow. It was this amorphous thing.
Eventually we looked at it and we saw that in late June his manager had requested certain accounts to be created that would have access to certain routers and switches. And he did create those accounts, and he sent that back in an email with the user IDs and passwords, to which Richard Robinson was also copied. If his big concern was that Richard Robinson was not authorized to be a user, why — just a week before — did he copy him on an email that has user IDs and passwords?
IDGNS: If you’re doing this stuff in the course of your job, it’s not criminal. There must have been a point at which you decided that what he was doing was outside of his job description?
Chilton: Essentially, one of his job duties was to allow the network to be maintained. So when he went into that meeting on July 9th, he was told he was being reassigned, therefore he was not going to be working on the FiberWAN any more. Somebody has to get access, and he refused to provide that. So he’s leaving this very critical network in the city’s hands, but saying that nobody can maintain it.
IDGNS: What do you think he was thinking at that point? The defense made it sound like this was a high pressure meeting and he choked.
Chilton: I think he went into that meeting probably thinking he was being fired. Definitely he knew that there were some employment changes coming. He had received an email the week prior from his manager saying, “We’re about to go through organizational changes.” So that was proof to us he knew something was going to happen organizationally that would affect his employment. That very morning before he went into the meeting, he received a phone call from one of his co-workers saying, “We’ve just been told you’ve been reassigned.”
I think he was used to, over the years, dealing with Herb Tong, his manager, who didn’t understand how to deal with him effectively. He would let him get away with everything, and he was kind of weak-willed and would let things slide. And I think Terry Childs was used to that and not thinking that the consequences of what he was about to do would be greater than what they normally would be if he was dealing with Herb Tong. Now he’s dealing with Richard Robinson [Tong’s boss] and the police.
And I think he left that meeting honestly thinking, “OK, they’re going to try to get into this network and they’re not going to be able to.” He even sent an email the next day, saying, “I know you all are trying to figure out how I can get into this network.”
So he knew nobody else could get in, and I think he had the assumption that they would say, “We need you back to maintain this network.” And that obviously did not happen.
IDGNS: Since the verdict you’ve finally been able to read what people are saying about the case. Any surprises there?
Chilton: No, not really. Most of the news stories that covered it really boiled it down to something simple such as he was in a meeting and asked to give up his passwords and refused. There were so many other things happening that don’t get put in the news that really led to the whole situation happening. It wasn’t simply he wouldn’t give up his username and password. It was two years of building up to this point.
IDGNS: What do you think of Terry Childs?
Chilton: I think he’s a decent guy. Like many IT people, protective of his work. Possibly a little paranoid. But the problem he had was that he didn’t have good management to keep that in check. He was allowed free rein, which allowed engineering decisions over the years that made things worse and worse, and locked people out of possibly getting into this network.
IDG News: Going back, what was the one step he could have done to avoid prison?
Chilton: If he would have simply said, “I will create you an account and you can go in and you can remove my access if you want.” If he had created access for someone else, I think that would have resolved it. If he had not decided to leave and go to Nevada a few days later and withdraw US$10,000 in cash, [Childs did this the day before his arrest, while under police surveillance] I think the police may have let it continue on as an employment issue and not a criminal matter.
IDGNS: Do you think Terry Childs deserves another chance?
Chilton: Yes I do. He has a lot of knowledge and he has the ability to learn this stuff on his own. I think with what’s happened, he’s probably not going to get himself hired by an AT&T or a Bank of America, but he could probably do stuff on his own. Because he definitely has the knowledge.