Terry Childs Conviction Holds Lessons for IT

Written by Mary Jander
4/29/2010 11 comments

Nothing happens in a vacuum. So it may be worth asking what IT professionals can learn from Terry Childs.

The case, you'll recall, started back in July 2008, when Childs, then 43 and a longtime city employee, refused to hand over the passwords to the city's fiber optic network after his bosses requested them. Childs, who had helped build the network, had been making weird threats and acting strangely -- e.g., barring anyone but himself from administrative access.

Police carted Childs off to jail, where he was at first charged with data tampering and held on $5 million bail. There, he continued to refuse to give up the passwords to the city and county system. It took a jailhouse visit from San Francisco Mayor Gavin Newsom for Childs to relinquish the codes.

City officials said they spent hundreds of thousands of dollars attempting to retrieve the passwords, including paying hefty fees to security experts from network supplier Cisco Systems Inc. (Nasdaq: CSCO).

Childs's bail was never lowered, especially once a prior criminal record came to light, which included jail time spent for aggravated burglary and robbery with use of a knife.

Fast forward: Despite the many charges bandied about by lawyers, citizens, and interested observers, the jury this week found Childs guilty of just one felony count for denying computer access to the service he was entrusted to provide to the city.

Childs, who has already served 21 months of a possible five-year term, may even be released once sentencing takes place June 14.

Surely a case of this scale holds some lessons for anyone working in enterprise IT. Let's take a look at just a few of them:

Don't brook petty tyrants. There are some who claim that Terry Childs was a victim of poor management, an IT working stiff simply trying to do the best job he could. At least one of the real jurors in the case, along with someone representing himself as a juror on Slashdot, says the city had inadequate security policies. Whatever the truth, it's clear that somehow the organization supported the rise of Childs as a single point of human failure and threat.

"I think the biggest lesson for enterprises in this affair is the danger of allowing employees of any sort, not just IT staffers, to establish personal fiefdoms," states Charles King, principal analyst of Pund-IT Inc., in an email today. "I believe that many if not most people have stories of co-workers who operated as if their corner of the office operated by different rules than the rest of the organization. Though Childs is certainly an extreme case, the problems he was allowed to create and the criminal results qualify as a great example of poor business practices gone disastrously bad."

Know your people. Terry Childs had plenty of time to behave bizarrely enough to prompt an investigation, with a clear track record for being temperamental to the point of criminality. Someone wasn't minding the HR store.

Watch for warning signs of IT trouble. Apparently, there was evidence that Childs was rocketing toward a confrontation with his management. But somehow, action was deferred until the situation had reached critical mass. As ThinkerNetter Ira Winkler noted last year, it's not uncommon for troubled people in IT to show signs of odd behavior far enough in advance for management to act.

Indeed, the power-driven IT maverick is a recognizable archetype, according to Mary E. Shacklett of Transworld Data. "As a technical discipline, IT has struggled for years to 'keep a balance' between not offending employees with highly specialized technical knowledge that no one else on staff knows. These employees understand their leverage and often are unwilling to share their knowledge with others. Like Terry Childs, they end up in positions where they can, not only contribute to, but threaten the functions of entire organizations. The issue is so difficult that it is now on the audit lists for most IT organizations under the topic of 'risk management.'"

Get your security act together, and set policies to keep it together. When the Childs case emerged, some observers, including ThinkerNetter Paul Doyle, viewed it as a security problem -- the "insider threat." It was a wakeup call for IT managers everywhere to focus on security inside as well as outside the firm.

Don't rely on vendors to manage IT problems. When Childs refused the network passwords, the city was helpless. It turned, not to other trusted workers in house, but to Cisco, which charged hundreds of thousands of dollars to hack out access. Sure, this was a sensible and understandable strategy; but in retrospect, it should not have been necessary. If the city had set up adequate policies and procedures, network access wouldn't have wound up in the hands of one person.

These aren't the only lessons from this case. Others will continue to play out. At least one industry observer thinks we may even find out there was more to the story. "The real story here is not being talked about," writes analyst Greg Schulz of the Server and StorageIO Group, in an email. "I’m more interested in the story behind the story, which is, What was Terry so concerned about, and why couldn’t the city enlist some resources to bypass the security?"

— Mary Jander, ThinkerNet Editor, Internet Evolution

This blog is part of Internet Evolution's IT Clan, which addresses the continuing impact of the Internet on enterprise networks, applications, and management.

Mary Jander
Thinkernetter
Monday August 9, 2010 1:08:34 PM

It seems Terry Childs will be going to jail for at least a few months. He may appeal.

A strange case containing many lessons for IT pros.

Mary Jander
Thinkernetter
Tuesday May 4, 2010 10:53:37 AM

Sorry, I don't buy these arguments. I think Childs seemed unnecessarily obstructionist. It seems his management was at fault more for letting him go rogue than anything else.

That said, there are two or three sides to every story. We don't know the whole context here, and I didn't find it documented anywhere to my satisfaction. Perhaps someone will write a book.

 

Rich Adler
IQ Crew
Friday April 30, 2010 2:05:17 PM

I want to know the backstory on this. I admit, I have a tendency to want to fight the good fight and side with the working bees, being a proud member of the Freelancers Union and all...

And by "backstory" I don't mean the articles and the news coverage, I mean what actually prompted this. What was Childs' day to day at this work environment? What was going through his head when he clutched to his only means of power and used it as a weapon against his employer - the state in this case. After all, who hasn't had a day at work where they've nearly lost their sanity?

Check out a few interesting comments I found on an infoworld.com article:

This decision has just given every manager in America the right to call themselves engineers and proceed to configure the networks as they see fit with no interference from employees who know what they are doing. God help us all...  -Deepwater

I understand Childs' view and actions. I also understand his manager's position/the city's position. For better or worse, when your boss demands something, provide it. Ticking off your boss is pretty much never a good thing. If you see his/her actions/demands as wrong, document like crazy. While at my previous employer, I had to adopt the attitude of 'I can build great networks or I can just see this as a paycheck.' When you are pushed into the latter option, it's time to keep the eyes on wider horizons and move when the future horizon is brighter. -mysticturner

Terry Childs made one, and only one, crucial mistake. He actually cared about what he was doing for his clients and employers. No punishment is enough for that. -blankreg

*Written by Paul Venezia, the source article can be found here: http://www.infoworld.com/t/insider-threat/rough-justice-terry-childs-066#talkback
  
Mary Jander
Thinkernetter
Friday April 30, 2010 10:30:10 AM

Excellent point, chad.mcdonald. A lot of folk online are saying the city's management was at least as much at fault as he was, and perhaps more so, for allowing him so much personal power.

Here's what one person on the North American Network Operators (NANOG) mailing list wrote in today:

"What Childs did was wrong, but what his superiors did was ethically and morally inexcusable - they created a scenario where he could be criminally punished for their failure to manage their employee (and their network) appropriately. As far as I'm concerned, they're far more guilty, but of course they won't see the inside of a cell.

The precedents set by this case are a bit scary.

The lesson for operators should be clear: don't let a prima donna build your network without being thoroughly involved in the process."

 

chad.mcdonald
IQ Crew
Friday April 30, 2010 8:55:47 AM

Every organization has "the guy". That one person with some specialized knowledge that no one at the organization can duplicate. Depending on how that person's knowledge relates to the business determines how tied to the individual the organization may find itself. I think this could have been avoided given appropriate management and a requirement for documentation.

If you look at "the guy" as a resource, it is easier to see that this is a single point of failure.  Most organizations have redundant servers, network gear, or colocated facilities.  There is no reason to depend entirely on a single resource to perpetually sustain your organization.  Build redundancy into key staff, not just your IT systems.

pcharles
IQ Crew
Thursday April 29, 2010 9:18:19 PM

The main excuse (that you'll never hear out loud..) is that they don't care to know. They want to make more money, not worry about tech stuff and passwords.

knoxzoo
IQ Crew
Thursday April 29, 2010 5:44:50 PM

Michael:

Most of them say they've never thought of it. 

Alternately, it's easy to forget to update the list when things change, or new goodies are added.

Michael Singer
IQ Crew
Thursday April 29, 2010 4:10:37 PM

Great thoughts. And just for good measure, make sure there is a master password that only key stakeholders know. 

I'd be interested in the kinds of excuses that executives give for not locking down such preventative protocols.

knoxzoo
IQ Crew
Thursday April 29, 2010 4:00:07 PM

Every place I've ever managed the networks for, I've insisted on a password list sealed in a safe, just in case.  And, I've cautioned I don't know how many C level folks over the years to do the same thing.  I even taught the practice to my students back when I was doing the professor thing.

I've called it the "Hit by a bus" theory of systems management, but it applies here equally.  Anybody can be incapacitated, or eliminated, at any time, by any number of possible causes.  If you don't plan for the possibility, you're a fool of the first order.

Mary Jander
Thinkernetter
Thursday April 29, 2010 2:56:35 PM

Thanks Michael. This case kind of reminds me of the "going postal" trend a few years back, or the drummers in the old Spinal Tap movies who kept spontaneously combusting. Some jobs seem to attract bizarre behavior, for reasons that may not be immediately discernible.
