Judge Teri Jackson sentenced Terry Childs to 4 years in prison last week. Childs took sole control of San Francisco’s city network for nearly two weeks claiming he was the only person certified for such access.  He eventually provided administrative access to the mayor who negotiated with Childs after his arrest.

Childs will next receive a hearing on financial penalties on August 13, which could require him to cover the city’s US $900,000 bill, spent on trying to regain control of its network.

The four year sentence for hacking is on the high end on the available five year sentencing range.

More details in CSO’s Security and Risk Blog.

Related Posts:

• San Francisco City Network Held Hostage by ‘Maniacal’ Network Engineer <July 18, 2008>
• Rogue Admin Returns Control of San Francisco Network <July 24, 2008>
• Terry Childs, ‘Maniacal’ City Network Engineer, Found Guilty of Hacking <April 28, 2010>

Back in July of 2008 we covered the story of Terry Childs, a network administrator for the City of San Francisco, who was imprisoned after taking sole control of the city’s network.  Though services were not interrupted, he locked out the rest of the city’s IT staff from the city’s network.

After the Mayor of San Francisco  secretly met with him in prison, Mr. Childs provided the new password, which allowed other city employees access after nearly two weeks of being closed out.

Information Week has details of the conviction and sentencing, which could range from release to a five-year prison sentence for computer crime.

Judge George O’Toole Jr has lifted the gag order preventing three MIT students from publicly discussing MTBA security flaws. As noted here, the MBTA made the student’s report public in their petition to gain the restraining order in question.

The MBTA, which had earlier denied that security flaws existed, had asked the judge to prevent the students from discussing their findings for five additional months. They also today said that the assessment by MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson has persuaded them that the Charlie Card security system is flawed.

This of particular concern since the contract for Charlie Cards was awarded through a no-bid process to a former government employee. Janice Loux, a member of the MBTA’s board of director is on record as having lost confidence in MBTA General Manager, Dan Grabauskas.

The MBTA board is set to discuss an audit in light of security breaches, which included unlocked turnstile controls, unattended control rooms, and keys left in view which could be photographed and copied.

The Sanfrancisco Chronicle reports that after a secret visit by the mayor of San Francisco, the network administrator who locked the cities technology staff out of the network surrendered his password.
See earlier coverage of this story.

Terry Child’s defense attorney, Erin Crane, claimed that Mr. Childs was merely protecting the network from incompetent staff, and there was no clear policy who he was authorized to release the systems master password to in such a situation.

“Mr. Childs had good reason to be protective of the password,” Crane said. “His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it … and shown complete indifference to maintaining it themselves.

“He was the only person in that department capable of running that system,” Crane said. “There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to.”

There has been commentary, criticism, and even worry about ICANN’s proposed laissez-faire policy to allow a broad range of top-level domains. Our friends at Circle ID try to calm the waters by reminding us that ICANN’s byzantine committee structure, and its tendency to avoid both conflict and even the clearest paths of action, can make its proceedings downright glacial.

Besides, ICANN has challenges beyond running the world’s domains. Lately, just running their own domain has been a challenge. Shortly after the announcement of the new gTLD’s, Turkish hackers seized control of ICANN’s website by … changing their domain record and redirecting ICANN’s traffic.

This is embarrassing for ICANN. Organizations that control the Internet need to appear to be highly reliable and trustworthy, not slow and technically inept. Losing control of their own website tarnishes that reputation, if even only temporarily.

The copyrighted statement from the hackers read:

# NeTDevilz #

You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN!

Don’t you believe us?

haha
(Lovable Turkish hackers group)

©2008 NetDevilz Co.
We’re not first,But We’re the BEST!

ICANN plans to raise US$10 million though high registration fees for the new gTLDs. This makes it almost certain that they’ll improve the infrastructure and security of the world’s domain names, which apparently could use some attention.

Who controls the software you use: you, or the software’s producer? That’s the question at the heart of a lawsuit by Blizzard, creator of World of Warcraft (WoW), against MDY Industries. Apparently, MDY has developed software called Glider that allows a WoW player to cheat by having their computer play for them in their stead. In other words, it enables players to gain experience points without playing or experience.

Blizzard maintains that the creator of a software application retains legal control over how it is used, and if anyone attempts to break or circumvent that control, they are in violation of copyright.

Seems to me that such a legal precedent would be quite detrimental to the software industry – particularly its future in light of mash-ups and other yet-to-be-discovered techniques of innovation. The EFF weighs in on this, as does Public Knowledge.

In this case, it’s unclear to me why Blizzard is trying to use legal control over their application, when they should be exerting application control. Why not change the software to prevent this cheat – freeze it out like a bricked iPhone?

It does bring up the question of who actually owns software. The End User License Agreement (EULA) stipulates a license for the use of the software. That implies the software manufacturer still owns the software; you purchase the right to use it, but not to change it without permission. And if I truly believed that as a consumer, I would consider web versions of applications like Photoshop. But since I don’t, you’ll never pry my Adobe CS3 discs from my hands. They are mine.

The idea of preventing non-approved uses sounds more like pharmaceuticals; that framework is for pharma companies’ own indemnification purposes, and is not intended to stifle innovation and discovery. If it were, aspirin would not be prescribed for thinning blood.

Blizzard is using the courts to skew software licensing in their favor when they should be spending their resources engineering a more secure product.

Credit card numbers were selling for as little as 40 cents each and access to bank accounts was going for $10 in the second half of 2007, according to the latest twice-yearly Internet Security Threat Report from Symantec, which you may download here.

As highlighted in our earlier article, Big Business Big Brother, data breaches now take place on a nearly daily basis. Last month, my grocery store leaked my credit card information; this month my ISP allowed access to another site’s domain record. While I’d rather be funny than alarmist, the falling price for stolen data suggests that access to your personal information is so easy, it’s becoming a commodity. That’s not funny.

However, also today, The New York Times reports that, nationally, burglary is down by 50% from 1980 figures. Isn’t breaking and entering simply the 20th-century analogue to identity theft? It seems criminals are opting for a less physically risky version of the same crime. What do you think?