Usernames and passwords to San Francisco network exposed in court docs
by Michael Hatamoto
San Francisco again has control of its own FiberWAN network, but as it compiles evidence to keep distraught network administrator Terry Childs in jail, the city could have opened itself up to a slew of new security problems.
The San Francisco District Attorney's office entered up to 150 usernames and passwords into Exhibit A of the ongoing legal case against Childs. Each account is said to be sensitive and private, and the city has gone through a lot of work to get the accounts back, only to enter them into the public domain through the courtroom filings.
All of the usernames are linked to the mayor's office and district attorney's office, multiple city agencies and departments, and the city's police department. Security experts have already pointed out that the city should change all of the passwords, especially since a number of them are identical to their usernames or would otherwise be easy to guess.
Specifically, Exhibit A was used against Childs when he requested his bail be lowered from an unusually high $5 million. Childs will have to remain in jail until Sept. 24, the date of his next hearing. The high bail was set because of fears that Childs would leave prison and use the passwords to permanently lock the city out of its own network.
Childs, a San Francisco Department of Technology (DOT) senior network administrator who had control of the city's FiberWAN network, changed passwords and effectively locked everyone out of the network. He stopped users from accessing parts of the network they were authorized to use, and also gave himself access to sections of the network that should have been off-limits to him while he worked for the city, San Francisco district attorney spokespeople said.
Childs finally disclosed passwords for city administrators only after meeting San Francisco Mayor Gavin Newsom in person, who then delivered them to Cisco Systems engineers brought in to help unlock the network.
The FiberWAN network is responsible for controlling the city's e-mails, law enforcement records, payroll, and personal records. It controls 60 percent of the city's municipal data, which also includes lawyer information and the 311 information system.
After being arrested, Childs was charged with four felony counts of tampering with computer networks and has a fifth pending misdemeanor for criminal damages. He has pleaded not guilty to all five charges.
Wow, just wow...
The Prosecution is really showing that Terry is in the right. They, the Prosecution, do not understand network principles and that what Terry was doing is normal for someone that has enterprise level administration over large networks.
From reading through this article, I can already see where Terry was using the principles of least access, making sure that there were alternate ways to administer equipment that could not be contacted through normal means (modems attached to networking equipment if the network is not functioning properly), and making sure that passwords for accounts with high level access were kept securely. Terry's lawyer is going to have a field day with the Prosecution's court filings and I can see that Terry will likely be found not guilty in the end and the City of San Francisco is going to have a huge civil case brought against it.
Score: 0
Don't be pathetic. Nobody gives a damn in court how he set up the network. He abused his privileges and locked down a network he was entrusted to support. He is one sorry ass.
Score: 0
What you missed in cdigan's words is that he could argue now that the Prosecutors' knowledge about security is lower than it should be, so he did what he could to keep that information secret.
Of course this is a twist of events, but what we know so far is what the media has told us, so we know nothing actually.
Score: 0
Let me ask you a serious question preinterpost, do you work in IT as a network admin? If you did, you would realize that some of the things the prosecution is accusing Terry of are standard procedures so you can maintain the integrity of your network. Likewise, superusers (enterprise admins) have to have full access to the network in order to perform a number of duties. Superusers have to have access to data in order to back it up, decrypt it if someone loses their decryption keys, and be able to get to any location on the network to tell if the network is functioning properly. What superusers also have to have is the ethics to realize what data they *should* actually look at vs. what they *shouldn't* look at.
If Terry's lawyer plays her cards right, she's going to show that Terry was doing everything right and that the management of San Francisco's IT department is incompetent and negligent. Doing that and Terry will get off and Terry will then be able to turn around and sue the City of San Francisco for wrongful jail time, ruining his reputation, and a few other things, and he'll win that as well if his lawyers play things right.
Score: 0
Amazing.
At least we can be encouraged that the more things change there, the more they will stay the same.
The Chamber of Commerce is definitely building brand equity: "The Land of Fruits and Nuts" Indeed!
Score: 0
Well, it looks like Terry was right; no one in the IT dept in SF is qualified to have control of network security in the county. BTW, access to the county domain is so hard, try parking near one of their buildings with a Pringles can and log into their wireless.
If the accounts they published are now locked, look up the names of other employees and use their names as the password.
Do they know they can set rules to prevent users from using easy passwords?
Score: 0
NEWSFLASH: supposedly when Gavin asked Childs what the password was, he replied "byte me" and sure enough, it worked!
There is now some speculation that Gavin will meet with Childs again to comply...
Score: 0
This article is written with great irresponsibility. I can assure all those accounts had access turned off immediately, and the users have to appear in person to submit a new form for a VPN account, same as usual. The old and previous names and passwords are useless to any criminal; the accounts were turned off, and only moved to new accounts after in-person creation of a new account. This is standard practice; remember, the users may only be a floor away from the IT department that performs these functions.
Score: 0
How do you know this for sure? Seriously I think you're just trying to think positive. People screw up all the time and sticking your head in the sand ignoring it isn't going to help.
Score: 0
Even if the accounts were turned off, this still gives crackers reconnaissance information. Basically, a cracker would know the style of user names, for example, TChilds could be Terry Childs' user name. If all the names are set up this way, it's easy to guess what someone else's user name will be. Also, if the list shows a commonality among initial passwords, then you might as well open up your network.
Basically, just because those accounts are disabled, there are probably other accounts with similar style initial passwords. Also, are they changing the user names?
Score: 0
I'm gonna have a beer tonight for you Terry. Good work. If those in charge were dumb enough to allow this to happen, they deserve every bit of embarrassment they got and then some.
Once again bravo to you.
Score: 0
So.... you are saying that he shouldn't be charged with the four felonies for obviously and blatantly breaking the law? You would actually not mind working with/for him? What he did was not only illegal but was very piss-poor judgment on his part. This was not the way to get a point across, just like people who post security exploits simply because Company X wouldn't listen. If I were hiring IT people, I sure as hell would not hire this guy. He gets angry or disgruntled and then blows up your entire infrastructure LOL.
Score: 0
It's my 'be nice' week but this is the best I can do... Since the majority of the people affected by this incident (such as getting their pay check) have nothing to do with the IT department except using a computer, I hope irresponsible kids like you will never have a meaningful career in IT. Good luck with your fake ID tonight.
Score: 0
LOL
Score: 0
As a security-centric IT person I was laughing so hard I was crying reading this. From what I've seen of others' networks this is standard practice in the industry, and people still wonder out loud how their credit card, medical and other personal information could get compromised on corporate networks.
Score: 0