Slashdot Mirror


How IT Pros Can Avoid Legal Trouble

snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'" What legally questionable scenarios have cropped up at your job?

  1. Liability by nhaines · · Score: 5, Funny

    I'm liable for first posts.

    1. Re:Liability by skids · · Score: 5, Funny

      As long as you caught them forking children, I don't think anyone will mind.

  2. Terry Childs was NOT an IT pro by Anonymous Coward · · Score: 4, Insightful

    He was a petulant child.

    This narrative that this ruling could affect non-sociopaths is FUD.

    1. Re:Terry Childs was NOT an IT pro by Toonol · · Score: 5, Insightful

      Terry Childs is a terrible poster child for IT professionals. He did all sorts of things professionally and ethically wrong, and probably legally wrong, as well. I certainly would have pressed charges if he had been my employee.

      However, there are some legal traps that even a well-behaved IT pro can fall into. For instance, monitoring too much can be a privacy invasion, monitoring not enough can be negligence. Because the IT world scales up so much, sometimes a minor mistake can end up with millions of dollars of consequences.

    2. Re:Terry Childs was NOT an IT pro by b4upoo · · Score: 2, Interesting

      Perhaps I am now misinformed, but as I understand it liability for content never exists unless some censorship takes place on a network. Therefore it would seem to me that the very last thing one would ever want to do is look at any form of content flowing through a network.

      But I cannot see failure to hand over a password being a crime. It may well have wreaked havoc with a system, but that was not Terry's problem, nor if he was dismissed did he have any obligation to hand over anything to a former employer. The fact that the employer did not have more than one way to access and control that network had nothing to do with Terry. The city was sloppy and negligent.

    3. Re:Terry Childs was NOT an IT pro by Anonymous Coward · · Score: 2, Interesting

      he didn't do anything wrong from a legal standpoint

      Denial of service and denial to an authorized user are both wrong from a legal standpoint. The jury, which included at least one professional network administrator, had no trouble concluding that a denial of service did, in fact, occur. And, while it was more difficult to determine that denial to an authorized user occurred, they did come to the conclusion that he definitely knew that the individuals to whom he was denying access were, in fact, authorized to have that access.

      Then there's the whole business of locking down the system and then trying to flee the State with the passwords....

  3. Licensing by CaptSlaq · · Score: 5, Informative

    It's such a gigantic PITA to track all of the licensing for everything that I weep for any small to medium sized shop that can't afford to have a dedicated person/dedicated people for it.

    1. Re:Licensing by h4rr4r · · Score: 2, Insightful

      The solution to that is to not buy such software.
      If it is not free or simply licensed, just do not use it.

    2. Re:Licensing by Dr+Herbert+West · · Score: 5, Interesting

      I can't tell you how many shops I've worked at where it was obvious that all the software was cracked. My favorite was a print vendor who would encourage his staff (college interns) to "bring in" some of their school software/plugins to "test in a real-world environment". Anytime someone had to send a job to print, all the workstations would have to be disconnected from the network or else there would be licensing conflicts with all the cracked warez. This was more than a decade ago, and the vendor in question has been out of business for a long time. Scumbag-- everything he did somehow reeked of illegality.

      I remember I came in once (this was right after I started) only to find the entire staff (except the interns) had quit without warning. Everyone from the production managers to the secretaries-- gone. I soon followed, natch!

    3. Re:Licensing by toastar · · Score: 4, Insightful

      The solution to that is to not buy such software.
      If it is not free or simply licensed, just do not use it.

      ... tell that to my boss.

    4. Re:Licensing by Actually,+I+do+RTFA · · Score: 2, Insightful

      The solution to that is to not buy such software.

      If it is not free or simply licensed, just do not use it.

      If you're word processing and checking your e-mail, fine. But some of us have real jobs. Jobs that require using the same tools as your customers, or simply access to specific applications.

      --
      Your ad here. Ask me how!
    5. Re:Licensing by Brandee07 · · Score: 5, Insightful

      Your job is to keep his copy of Microsoft Office working, not to tell him that he should switch to OpenOffice.

      In my limited workplace experience, if you answer "Fix my software" with "Use this other software instead," you will either be ignored or fired. (I found myself ignored, but instilled with a profound desire to not attempt to be helpful again.)

    6. Re:Licensing by h4rr4r · · Score: 2, Interesting

      No, my job has no MS software involved. Helpdesk can go handle that.

      We as a company have moved all non-managers over to openoffice. Money talks.

    7. Re:Licensing by Anonymous Coward · · Score: 2, Insightful

      Your job is to keep his copy of Microsoft Office working, not to tell him that he should switch to OpenOffice.

      In my limited workplace experience, if you answer "Fix my software" with "Use this other software instead," you will either be ignored or fired. (I found myself ignored, but instilled with a profound desire to not attempt to be helpful again.)

      Depends on how you phrase the question. Say "Switch to OpenOffice" and you've already failed. Talk about reducing company-wide 10-year licensing fees by 100% and you have them hooked. IT has no place for ideals, sadly, so I just sell them at their game.

    8. Re:Licensing by ultranova · · Score: 2, Informative

      The solution is simple: use only GPL- or BSD-licensed stuff. Problem solved.

      Using proprietary software at all is asking for trouble.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    9. Re:Licensing by jimicus · · Score: 4, Interesting

      I agree, but I'd go further - and my comments apply equally to free and commercial software.

      We're a small shop and part of my job is to keep on top of licensing. After doing this job for some years, I have reached an inevitable conclusion.

      You are not supposed to get it 100% right. Indeed, you are being set up for failure .

      While some licenses are fairly straightforward, enough of them are sufficiently complicated that it is wholly unrealistic to expect any organisation to be entirely perfect. Whether this is by accident or design I wouldn't like to say, but I am dead certain that there is no organisation on God's sweet earth that would come out of a BSA audit without at least something wrong.

    10. Re:Licensing by 24-bit+Voxel · · Score: 4, Interesting

      I've seldom worked at a place that didn't pirate software. From Fortune 500 to mom and pop shop, they all do it. The annoying part is I actually purchase mine, and in 3D that's not cheap. I've spent easily 30K in the past 3 years keeping 'legal' with my software only to be underbid by these pirate shops. Now I am contracting at one because I can't win a bid against these pirates, as their overhead is much lower than mine because of this.

      My favorite part is negotiating my rate for a contract and I stipulate that it's cheaper if I can work from home because I have full support of my fully paid for software. They almost never get it at first, but then I mention my one caveat of not supporting or bug fixing/debugging scenes made with pirated versions. That wakes them up every time. Mostly because the first two weeks are at a preset lower rate while we get used to each other. Only after those two weeks am I privy to all sorts of info (such as pirating) and then they are often afraid not to hire me in case I rat them out. It's a shitty system with a couple perks.

    11. Re:Licensing by bickerdyke · · Score: 2, Informative

      Don't use N... that sounds too much like a countable, natural number.

      It's usually more like: We have N employees, each of them has at least one workstation, plus 0 to M old/test machines under his desk. Half of those secondary machines have been reinstalled once or twice, again half of those re-installs included an OS upgrade. Those were done using the OEM licences included with the new primary machines, as on those primary machines software licensed by the company's volume licence has been used.

      Now triple that for OS, Office and the software you're doing your actual work with (probably MSDev or some CAD or whatever).

      As a bottom line, you may know how many licences you have in your volume licence, but won't know how many licences came bundled or not bundled with the hardware. And you won't know how many you actually need.

      --
      bickerdyke
    12. Re:Licensing by Luke+has+no+name · · Score: 2, Informative

      Or network monitoring, or running a call center, or running any kind of website, e-commerce business, or accounting, etc..

      The only places where I personally have seen open-source be woefully lacking is in the engineering fields. Most general business and IT-oriented tasks have a capable open-source commercially backed component. Managers and others who don't "get" FOSS think "Free? I'm not getting anything, because I'm not blindly throwing money at a vendor!"

    13. Re:Licensing by darkpixel2k · · Score: 2, Interesting

      ...or software licensed per concurrent user, controlled by a dedicated server.

      Yeah--but then you run into the shitty software that does something like "INSERT INTO CurrentSessions WorkstationName VALUES ('BILLS-PC')"...and when the application crashes, there's no delete. So you have to call the vendor to get a special 'unlock' password to clear that crap out of the database (if you're the kind of person that doesn't know SQL)... It's so much easier when software companies don't treat their users like criminals--because the criminals don't care, and the users are the ones jumping through all the hoops.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    14. Re:Licensing by nosfucious · · Score: 2, Insightful

      First lesson: Developers never run with Admin rights.

      Give your users admin rights before you give your developers admin rights.

      --
      Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
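
The concurrent-user licensing complaint above (a session row inserted at startup and never deleted when the client crashes, so the seat is stuck until the vendor hands out an 'unlock' password) is a design problem, not an inevitability. Here is an added example of how a seat table can reclaim crashed clients on its own, using a lease that the client must renew. It is not code from the original post or from any vendor's product; the schema, the seat limit, the lease length and the workstation names are all assumptions made for the example, and it runs against an in-memory SQLite database so it needs nothing installed.

```python
"""Concurrent-user seat checkout that survives client crashes.

Added example, not from the original post or any vendor. Schema, seat limit,
lease length and workstation names are assumptions for illustration.
"""
import sqlite3
import time

SEAT_LIMIT = 2        # assumption: the licence allows two concurrent users
LEASE_SECONDS = 60    # assumption: a client must renew its lease every minute


def open_db():
    """Create the seat table. A seat is a row; a crashed client is a row
    whose lease has lapsed, which the next checkout simply deletes."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE current_sessions ("
        "  workstation   TEXT PRIMARY KEY,"
        "  lease_expires REAL NOT NULL)"
    )
    return db


def _purge_expired(db, now):
    db.execute("DELETE FROM current_sessions WHERE lease_expires < ?", (now,))


def checkout(db, workstation, now=None):
    """Take (or renew) a seat for `workstation`. Returns True on success.

    Purge, count and insert run in one transaction so two clients racing
    for the last seat cannot both win it.
    """
    now = time.time() if now is None else now
    with db:
        _purge_expired(db, now)
        (held,) = db.execute(
            "SELECT COUNT(*) FROM current_sessions WHERE workstation != ?",
            (workstation,),
        ).fetchone()
        if held >= SEAT_LIMIT:
            return False
        # A renewal from a workstation that already holds a seat replaces its row.
        db.execute(
            "INSERT OR REPLACE INTO current_sessions VALUES (?, ?)",
            (workstation, now + LEASE_SECONDS),
        )
        return True


def release(db, workstation):
    """Clean exit: give the seat back immediately instead of waiting for the lease."""
    with db:
        db.execute("DELETE FROM current_sessions WHERE workstation = ?", (workstation,))


def seats_in_use(db, now=None):
    now = time.time() if now is None else now
    with db:
        _purge_expired(db, now)
        (n,) = db.execute("SELECT COUNT(*) FROM current_sessions").fetchone()
    return n


def demo():
    """Constructed scenario: BILLS-PC crashes and never renews; nobody calls the vendor."""
    db = open_db()
    t0 = 1_000_000.0
    results = []
    results.append(checkout(db, "BILLS-PC", t0))        # True
    results.append(checkout(db, "ANNS-PC", t0 + 1))     # True
    results.append(checkout(db, "CARLS-PC", t0 + 2))    # False: both seats held
    results.append(checkout(db, "ANNS-PC", t0 + 30))    # True: heartbeat renewal
    # BILLS-PC crashed at t0 and never renewed, so its lease lapses at t0 + 60.
    results.append(checkout(db, "CARLS-PC", t0 + 65))   # True: stale seat reclaimed
    results.append(seats_in_use(db, t0 + 65))           # 2
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off is that a client has to send a heartbeat (call `checkout` again) more often than `LEASE_SECONDS`, and a client that loses its network for longer than that loses its seat. That is still far better than a seat that is gone until someone with SQL access deletes the row by hand.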
  4. How IT Pros Can Avoid Legal Trouble by Michael+Kristopeit · · Score: 3, Insightful

    not post in this thread.

  5. Terry Childs the new Mitnick? by bsDaemon · · Score: 2, Insightful

    Are the same people claiming that Childs is some sort of mis-understood hero the same people who had "Free Kevin" schwag back in the day? If not, I'm not sure I get the mentality, because from what I know of the situation (maybe not enough), he did sort of grossly overstep the bounds. Maybe he didn't deserve jail time, but I'm not about to go emulating my career after him.

    1. Re:Terry Childs the new Mitnick? by FooAtWFU · · Score: 3, Insightful

      Whether Childs was ultimately right or wrong, I think the case *did* highlight concerns that "judges and juries are often not technically savvy enough to understand what IT pros do." So. There you go.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:Terry Childs the new Mitnick? by Anonymous Coward · · Score: 5, Insightful

      Umm no. I disagree entirely. Are we forgetting there was a network engineer on the jury? Seriously? This is exactly the sort of thing that SHOULD happen. A jury of his "peers!"

      It was described to the engineer, and he was the de facto explainer for the group, but seriously Childs was working for the gov't too long and had too many bad habits of "fiefdom" creation that are everywhere in city and state organizations. He created a world, then he took the keys away from everyone and didn't give it up. He's not the first, nor will he be the last, but the lesson here should be to all comers "hit by bus strategy... always." Otherwise, things that together could be suspect or could be best practice BECOME suspect without a backup and recovery plan.

      And no, an encrypted one that's tattooed on an admin's ass doesn't count. Especially if there's a likelihood of a flame thrower being involved at some point.

    3. Re:Terry Childs the new Mitnick? by bws111 · · Score: 4, Insightful

      Why is it a "concern" that judges and juries don't understand what IT pros do? Judges are supposed to understand the law. Period. Juries are supposed to be unbiased. Period. Is it a "concern" that judges and juries don't understand what police detectives do? Doctors? Hospital ethics boards? Accident reconstruction experts? Corporate officers? Accountants? Fund managers? Etc, etc. If the judge or jury needs to understand any of those things it is up to the parties in the case to educate them. There is nothing special about IT that makes it any more or less difficult to explain than anything else.

    4. Re:Terry Childs the new Mitnick? by XanC · · Score: 4, Insightful

      That network engineer, IIRC, said here something to the effect that he didn't think Childs had any criminal intent, and that he was doing what he thought was right for the city. The only reason for the conviction was that the letter of the law appeared to be against him.

      This was a case where a fully informed jury should have acquitted, but unfortunately juries are not fully informed. A jury has the right, nay the responsibility, to judge the LAW as well as the FACTS.

      Basically, put yourself in Childs' situation. You did what you thought was right. (Let's assume that's the case, since I believe that's what the juror said.) Wouldn't you hope that somebody would inject some common sense at some point rather than robotically reading the law?

      That's why we have juries. But judges tell them all they can do is robotically read the law. It's awful.

      http://fija.org/

    5. Re:Terry Childs the new Mitnick? by spire3661 · · Score: 2, Insightful

      Good intentions rarely excuse malfeasance and are usually non-exonerating. You can have the best of intentions and still be found guilty. The law does take intent into account, but it isn't a free pass.

      --
      Good-bye
    6. Re:Terry Childs the new Mitnick? by XanC · · Score: 2, Insightful

      It certainly can be, depending on the situation. Especially in cases where the law and the situation are both so convoluted, like this one, that the defendant had no reasonable way to know ahead of time that he was committing a crime.

      If it takes the jury more than a half hour to determine that a crime was even committed, and the defendant was in good faith attempting to fulfill all his obligations but struck a different, but still reasonable, balance from the one the jury would have picked, I don't see how anybody can possibly convict.

    7. Re:Terry Childs the new Mitnick? by MightyMartian · · Score: 2, Interesting

      Childs was a petulant prima donna with delusions of grandeur, and he paid the price, and so it should be. I know some folks seem to want to make the guy some martyr, but he was a complete twit, and I wouldn't hire the guy to wipe floppies, let alone manage a large network. Not because he isn't skilled, but because he's a self-important ass hat.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:Terry Childs the new Mitnick? by david_thornley · · Score: 3, Interesting

      From what I gathered, Childs (a) broke the law, (b) didn't do the right thing (specifically, the city was in real trouble if he got hit by a bus), and (c) tried to run away, suggesting he thought he'd be in trouble.

      Lack of criminal intent and good intentions go only so far in mitigating breaches of the law, and my common-sense injection would have been that Childs had gone over the line and should be convicted. Had Childs provided for the possibility of his sudden demise, I'd feel a lot better towards him, and I'm not at all sure he'd have been convicted.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:Terry Childs the new Mitnick? by slashqwerty · · Score: 2, Insightful

      Police and doctors are in the news and on TV all the time. Most people interact with doctors frequently. Many people interact with the police as well. That may not tell a person how doctors and police do their jobs but it is a pretty good start. Ethics boards are made up of people from the community. The job is pretty self-explanatory.

      Accident reconstruction experts tend to be expert witnesses. It is not often that they are on trial for committing a crime on the job. They also tend to be well-trained and follow clear well-established guidelines.

      You are correct that the other fields are not very well understood by juries. That is one reason it is so hard to hold corporate officers, accountants, and fund managers responsible for white-collar crime. The issues have been litigated, the weak points of the law are well-known, so that's where fund managers, et al focus their exploits.

      Hard sciences are different. People view hard sciences as having the answer. When someone is accused of doing something that doesn't work out well, people assume the suspect knew what was going to happen and that the suspect's intentions must have been malicious. People have been taught that computers are deterministic machines, so IT is put in the category of a hard science.

      From another perspective, there are few fields where someone can become an 'expert' from a four-hour class. IT is one of those fields. The police will send an officer off to a class to be trained on how to use EnCase. Since most people use computers in their day-to-day lives and since computers record information so well this so-called 'expert' will incriminate all kinds of people on shabby evidence. Few defendants can afford a real expert to counter the police so juries are left with little to go on.

  6. Premeditated murder by Peach+Rings · · Score: 5, Funny

    I'm a medical equipment technician at a California corrections facility. My boss routinely asks me to kill people in cold blood, and I've been doing it for a few years now... there's a lot of paperwork and everything, but I'm not entirely sure it's legal.

    Does anyone else have experience with being ordered to kill somebody as part of their IT duties?

    1. Re:Premeditated murder by DWMorse · · Score: 2, Funny

      You get to do what Batman cannot!

      --
      There's a spot in User Info for World of Warcraft account names? Really?
    2. Re:Premeditated murder by cosm · · Score: 2, Interesting

      I'm a medical equipment technician at a California corrections facility. My boss routinely asks me to kill people in cold blood, and I've been doing it for a few years now... there's a lot of paperwork and everything, but I'm not entirely sure it's legal.

      I can't tell if you're trolling or serious. Are you responsible for the lethal injection equipment? Or are you Therac-25ing cons to oblivion during simple 'treatment' procedures? I guess the key piece of missing information is the 'medical equipment' in question.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    3. Re:Premeditated murder by Surt · · Score: 4, Funny

      When I had to do that, I couldn't live with the moral qualms, so what I did, I hooked up the kill mechanism to a web server, and created this animated ad where if you punched the monkey it would kill the person.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  7. Blackberry Enterprise Server by Monkeedude1212 · · Score: 4, Interesting

    When someone at work has a blackberry, they are set up on the Blackberry enterprise server, which manages all their contacts and emails and calendar and such.

    If they leave, or are terminated, we are told to send the kill command to their BES account. This will delete any emails off their phone AND their contact details. In some cases, a person will be let go - our IT staff will be informed first so their account can be disabled for security reasons. Then that recently laid off person has lost all of their contact details - including Mom and Dad and sweet Great Aunt Gertrude.

    We haven't faced any legal suits yet - but it happened a couple times where people have gotten angry. As a precaution - we've started informing people that this happens - so anyone with a blackberry needs to back up their contacts constantly.

    1. Re:Blackberry Enterprise Server by grasshoppa · · Score: 4, Insightful

      If the device is hooked up to a corporate BES server, then they can already read all of your sms / email.

      Always better for the corporation to completely own the device, from start to finish, to prevent confusion.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:Blackberry Enterprise Server by Shakrai · · Score: 4, Funny

      If the device is hooked up to a corporate BES server, then they can already read all of your sms / email.

      I pointed this out to a friend that uses her personal blackberry to access her company e-mail. Her response was "So what?" Then I asked her, "Don't you use text messaging to order that dried up plant material that's illegal in all 50 states?"

      She bought a droid the very next day.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Blackberry Enterprise Server by Monkeedude1212 · · Score: 2

      If your company requires mobile access to email, then should the company not be providing them with the hardware to perform this task?

      Ideally, yes - but when you work for a small to medium sized company that's too cheap to shell out - you get this "Oh, you can just use YOUR phone" mentality from upper management. That way they save money, the sales team only needs 1 phone on them at all times, and they get to snoop through emails whenever things go sour. Everyone is happy but the IT team who feels dirty for having to be involved.

    4. Re:Blackberry Enterprise Server by Surt · · Score: 2, Informative

      Right, these are two completely separate theories for how one might arrive at a career in sales.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  8. You're kidding... by Un+pobre+guey · · Score: 4, Insightful

    What legally questionable scenarios have cropped up at your job?

    You have got to be shitting me. This isn't phishing, this needs a new term all its own.

  9. Har Har by poliscipirate · · Score: 4, Funny

    'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'

    Obviously, they've never visited slashdot.

  10. Legally questionable scenarios? by girlintraining · · Score: 4, Interesting

    Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firewalling between the stores and corporate HQ. In other words, the network topology was completely flat. Set up a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR, and followed an easy to understand naming convention -- they also were powered down every evening. Which means, you had about a 10 minute window each day where if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.

    They fired me three days after reporting this flaw, calling me a security risk.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Legally questionable scenarios? by Frequency+Domain · · Score: 3, Funny

      At first I thought POS meant "Point of Sale", but as I read through your post I realized it actually stands for "Piece of..."

    2. Re:Legally questionable scenarios? by Anonymous Coward · · Score: 2, Insightful

      Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firewalling between the stores and corporate HQ. In other words, the network topology was completely flat. Set up a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR, and followed an easy to understand naming convention -- they also were powered down every evening. Which means, you had about a 10 minute window each day where if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.

      They fired me three days after reporting this flaw, calling me a security risk.

      Maybe you shouldn't have informed them via a custom Windows splash screen...

    3. Re:Legally questionable scenarios? by idiot900 · · Score: 3, Insightful

      They fired me three days after reporting this flaw, calling me a security risk.

      What a brilliant idea by whoever fired you - producing a disgruntled former employee who knows how to steal money from the company.

    4. Re:Legally questionable scenarios? by FelixNZ · · Score: 2, Insightful

      Wow, that's incredible, unless you were a contractor, I am extremely glad to be in a country that has sane employment law right now.

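The PXE scenario in comment 10 (flat network, POS terminals netbooting, any host that answers DHCP/PXE first wins) is a classic rogue-boot-server problem, and it is detectable from the switch side even before the network is segmented. Below is an added example of that detection logic, not code from the original poster or from any product. The log line format, the switch and workstation names, the addresses and the allow-lists are all constructed for the example; a real deployment would feed it whatever DHCP-snooping or packet-capture export its own switches produce.

```python
"""Flag rogue PXE boot offers in DHCP snooping logs.

Added example, not code from the original post. The log format, names,
addresses and allow-lists below are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed log format, one DHCPOFFER per line:
#   <date> <time> <switch> DHCPOFFER src=<dhcp server> siaddr=<next-server>
#       opt66=<tftp server or empty> opt67=<bootfile or empty> client=<mac>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<switch>\S+) DHCPOFFER "
    r"src=(?P<src>\S+) siaddr=(?P<siaddr>\S+) "
    r"opt66=(?P<opt66>\S*) opt67=(?P<opt67>\S*) client=(?P<client>\S+)$"
)

# Assumptions: sanctioned DHCP servers live in this range, exactly one
# PXE/TFTP server is allowed, and it serves exactly one POS boot image.
ALLOWED_DHCP_SOURCES = [ip_network("10.0.5.0/24")]
ALLOWED_BOOT_SERVERS = {"10.0.5.20"}
ALLOWED_BOOTFILES = {"pos/pxelinux.0"}


def _normalize(host):
    """IP literals compare as IPs; anything else (a hostname) as lowercase text."""
    try:
        return str(ip_address(host))
    except ValueError:
        return host.lower()


def parse_offer(line):
    """Return the fields of a DHCPOFFER log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_offer(offer):
    """Return the reasons an offer looks rogue; an empty list means it is clean."""
    reasons = []
    src = ip_address(offer["src"])
    if not any(src in net for net in ALLOWED_DHCP_SOURCES):
        reasons.append(f"offer from unsanctioned DHCP server {src}")
    # Option 66 overrides the BOOTP siaddr field when present; 0.0.0.0 means none.
    boot_server = offer["opt66"] or offer["siaddr"]
    if boot_server not in ("", "0.0.0.0") and _normalize(boot_server) not in ALLOWED_BOOT_SERVERS:
        reasons.append(f"PXE next-server {boot_server} not in allow-list")
    if offer["opt67"] and offer["opt67"] not in ALLOWED_BOOTFILES:
        reasons.append(f"unexpected bootfile {offer['opt67']!r}")
    return reasons


def find_rogue_offers(lines):
    """Scan log lines; return (timestamp, switch, client MAC, reasons) per rogue offer."""
    findings = []
    for line in lines:
        offer = parse_offer(line)
        if offer is None:
            continue
        reasons = check_offer(offer)
        if reasons:
            findings.append((offer["ts"], offer["switch"], offer["client"], reasons))
    return findings


# Constructed sample: the legitimate offer to a POS terminal, then a second
# offer to the same client from a box on the store LAN that answers as both
# DHCP server and PXE server, followed by an unrelated line the parser skips.
SAMPLE_LOG = [
    "2010-08-12 06:02:11 store0412-sw01 DHCPOFFER src=10.0.5.2 siaddr=10.0.5.20 "
    "opt66= opt67=pos/pxelinux.0 client=00:1a:4b:12:34:56",
    "2010-08-12 06:02:11 store0412-sw01 DHCPOFFER src=10.41.2.77 siaddr=10.41.2.77 "
    "opt66= opt67=pxelinux.0 client=00:1a:4b:12:34:56",
    "2010-08-12 06:02:12 store0412-sw01 DHCPDISCOVER client=00:1a:4b:12:34:56",
]

if __name__ == "__main__":
    for ts, switch, client, reasons in find_rogue_offers(SAMPLE_LOG):
        print(f"{ts} {switch} client {client}: " + "; ".join(reasons))
```

This only detects; it does not stop the first rogue offer from winning the race. The structural fixes are the ones the original post implies by their absence: store LANs that cannot reach the POS boot VLAN, DHCP snooping on the access switches so OFFERs from untrusted ports are dropped rather than merely logged, and a boot chain that verifies the image it is handed instead of running whatever answered first.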
  11. Let Me Tell Ya 'Bout the Time We ... by eldavojohn · · Score: 3, Funny

    What legally questionable scenarios have cropped up at your job?

    I'm a software developer for one of the big automotive companies and we almost got into some legal trouble a while back. We had another team that would test the embedded code we put in there and we were always playing pranks on each other between the two teams. So one time, I wrote a procedure that caused the accelerator to randomly speed up with no user interaction. It was very very rare that the procedure would trigger and then I called it right in the middle of the main block of the embedded code. Anyway, they run a bunch of tests a day and on, like, the fortieth day, John drove his car right through the wall of the testing facility! Oh my, what a hoot, I haven't laughed so hard since they air lifted him out. But then there was all this legal BS about somebody getting hurt and this and that. Those law-talking guys have no sense of humor. So I realized I had to go in and comment out that procedure. So all I did was go in and comment out the signature block ... or at least I think that took care of it, but maybe it was that fancy ECC crap the smart guy put in ... I wonder if anyone ever went back in there and totally cleaned it up? Oh well ... dodged a bullet there ... am I right?

    --
    My work here is dung.
  12. Has it shown that really??? by stephanruby · · Score: 3, Informative

    Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,'

    Has it shown that really??? I recall the foreman of the jury for the Terry Childs case was a pretty smart IT guy. Also, the resumes of the other jurors were not all that bad technically either. If anything, I really do think that Terry Childs was judged by a jury of his peers (even if this doesn't always happen in other cases).

  13. Terry Childs case not a good example by linebackn · · Score: 4, Insightful

    Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do

    As I recall, when the details finally came to light about what he did and how he went about it, the judge and jury WERE technically savvy enough to understand what he did. It was all the people jumping to uninformed conclusions here on Slashdot that didn't understand.

    I have no doubt there are plenty of cases where judges and juries fail to understand the facts at hand, but I don't think this was one of them.

  14. Asked to use pirate software by Rene+S.+Hollan · · Score: 4, Interesting

    I have often been either asked to use pirate copies of software (Borland Turbo C in the 1980s), or accept license agreements personally, where a corporate license would have been more fitting. Neither of these have occurred at my present place of employment, thankfully.

    In other areas, I was once asked by a low-level manager at a client company of our contracting firm for my SSN for a "background check". I was told this person had a reputation of committing identity theft in the name of contractors, obtaining credit in their name, and threatening to insist they be removed from the assignment if they complained. I don't know if that was true, but I did insist that any "background check" would be done by a recognized neutral party. My removal from the assignment was requested, and I was let go for lack of other work.

    On the pirate software issue, I simply licensed my own copies, and took them with me when I left (well, wiped them off my work computer). Borland's license would let me use their compiler on any machine, even let someone else use it, one at a time.

    The bottom line is that if your employer asks you to break the law, find another job... fast.

    --
    In Liberty, Rene
  15. How about legally liable for the PHB and other hig by Joe+The+Dragon · · Score: 2, Interesting

    How about legal liability for the PHB and other higher-up people at the workplace who don't know about IT but buy stuff on the golf course, fail to buy the right licenses, and then tell the techs that the proper licenses are done / the buying department took care of it?

    In some places the IT guys do not buy anything; they just tell someone what they need and hope to get it.

  16. Re:how about making EULA that non legal types can by Anonymous Coward · · Score: 2, Informative

    Most EULAs aren't actually that difficult to read. They're just long and boring...

  17. Due to cutbacks he was the only guy on the job 24/7 by Joe+The+Dragon · · Score: 3, Interesting

    Due to cutbacks he was the only guy on the job 24/7 and a lot of the people there did not have a clue at all. And giving out the network password over an open phone call in a big meeting room?

  18. Re:Due to cutbacks he was the only guy on the job2 by h4rr4r · · Score: 2, Informative

    You quit, explain why you are quitting, then give it out over the phone call.
    Is that the right answer?

  19. Re:Due to cutbacks he was the only guy on the job2 by Altus · · Score: 3, Insightful

    I get where you are coming from, and I totally agree that Childs was a toolbox and could easily have handled the situation better if he had any desire to do so.

    However, if your boss tells you to violate the state policies on passwords and mail them off to someone (or provide them to a room full of people) and then something bad happens because of that, it is quite possible that you will be held legally liable for the damages caused. Just following orders may not be enough of an excuse.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  20. Requirements vary by jurisdiction by HikingStick · · Score: 2, Insightful

    One problem I see is that requirements may not be the same from state to state (in the US), and there are few formal resources available for IT professionals to know exactly what requirements apply. This is especially true for IT pros in smaller or privately held firms that don't fall under the authority of some of the big bills that have been enacted. None of the college programs in my area even has a course addressing these issues, except for specific courses dealing with things like HIPAA. This seems to be a big gap, and I know I'd love to find a course (or even a website) that deals with specific requirements at both the State and Federal levels.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  21. the president of the company by Anonymous Coward · · Score: 2, Informative

    asked for a reprint of the customer listing. A couple of days later the two vp's asked for the same thing. The company was shut down about 3 months later and I was the only one hired by the parent company.

    About two months later I was called in the attorney's office. I was asked if I distributed any unauthorized customer lists.

    Damn.

    1. Re:the president of the company by Richard_at_work · · Score: 2, Informative

      A former employer of mine spent thousands of hours, and thousands of GB Pounds putting together a very comprehensive list of commercial vehicle fleets in the UK. This list included such things as type of vehicle, maintenance history and periods, fleet age etc etc - the sort of stuff that you can only get from the long hard slog of research.

      They sold access to this information for quite a large amount of money - it was a valued resource.

      Now, my employer certainly didn't own the names and addresses, or even the fleet details - anyone can do the same research and invest the same time and money to gather the same information without issue - but they do own the collection of details that their investment resulted in.

      It's not the individual facts that are valued, it's the collection together that has value. A sorted and filtered marketing list is the same sort of deal.

    2. Re:the president of the company by Richard_at_work · · Score: 2, Interesting

      But nothing in my post relies on there being a law protecting the information - regardless of whether the US has a database rights law, the collection of information is still valuable and can indeed be sold on for lots of money, so it should be a protected asset of the company in liquidation circumstances, which was the original point.

  22. Both wrong. by Anonymous Coward · · Score: 3, Informative

    Both wrong.

    (a): there was no law demanding he hand over the keys insecurely
    (b): he did the right thing. If he'd been hit by a bus, they could reset the passwords by getting an engineer out to the sites.

    Terry did the RIGHT thing according to law and the thing demanded by his employment contract. That contract stated who he could give the passwords to, where and who could override those orders.

    A general cannot order a Private on Guard Duty (assigned as such by the Duty Officer) to leave his post. Doing so would be a court martial offence (potentially one that could see him shot, if it's a war zone or in time of war). The General may or may not be able to order the Duty Sergeant to order the private to leave his post. But if the general is not the Base Officer, OD can demand that the correct channels be used and the Base CO would have to order the Duty Officer to order the Private (note: even the Base CO cannot order a private off Guard Duty at his post).

    Similarly, the captain of a ship outranks any officer on board ship, even a Port Admiral. At port, the captain can be removed from command by the Port Admiral. This is why Barratry is such a severe offence in the Navy.

    But short version: both your statements are wrong.

    1. Re:Both wrong. by jroysdon · · Score: 2, Informative

      They could not just reset the password. The routers/switches were configured with "no service password-recovery" and could not just be reset. If they had been, it would have wiped out the configuration on all of the devices and all of the agencies depending on them would have been down.

      If the device configurations had been properly backed up and documented somewhere, this would not have been a problem (I don't know one way or another, but clearly no one in charge knew if they were or had enough of a clue). I didn't follow the case that closely, but even Cisco was involved and couldn't solve the problem (which is a good thing, you don't want a vendor to be able to recover a configuration in a situation like that).

      The point of a "no service password-recovery" is to prevent unauthorized access to a router/switch and configuration tampering. It is required in more secure environments, especially ones with FIPS and other requirements.

      no service password-recovery

      There is nothing wrong with "no service password-recovery", so long as you have the configurations backed up and others know where those backups are (documentation), such that if you are hit by a bus things can be properly maintained.
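
      The "fine as long as the backups exist and are documented" rule from the comment above, turned into a small audit (an illustrative Python example added here, not code from the thread or from Cisco): it scans a set of constructed IOS config backups and flags any device that has "no service password-recovery" set but only a stale backup, or no backup at all. The hostnames, timestamps, config snippets and the 7-day freshness threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample backups: hostname -> (ISO timestamp of the backup, saved config).
# Made-up devices for illustration only; nothing here comes from the case discussed.
SAMPLE_BACKUPS = {
    "core-rtr-1": ("2010-04-29T02:00:00",
                   "hostname core-rtr-1\nno service password-recovery\n"
                   "interface GigabitEthernet0/0\n ip address 10.0.0.1 255.255.255.0\n"),
    "dist-sw-1": ("2010-02-03T02:00:00",            # backup is months old
                  "hostname dist-sw-1\nno service password-recovery\n"),
    "edge-rtr-2": ("2010-04-29T02:00:00",
                   "hostname edge-rtr-2\nservice password-encryption\n"),
}
# Device inventory; lab-rtr-9 deliberately has no backup at all.
INVENTORY = ["core-rtr-1", "dist-sw-1", "edge-rtr-2", "lab-rtr-9"]


def password_recovery_disabled(config):
    """True if the saved config contains the exact IOS line 'no service password-recovery'."""
    return any(line.strip() == "no service password-recovery"
               for line in config.splitlines())


def audit(inventory, backups, now_iso, max_age=timedelta(days=7)):
    """Return {hostname: status} for the bus-factor check.

    ok           - recovery disabled, but a backup younger than max_age exists
    stale-backup - recovery disabled and the only backup is older than max_age
    recoverable  - recovery not disabled, so the device can still be recovered by hand
    no-backup    - no saved configuration at all (a risk whatever the device setting)
    """
    now = datetime.fromisoformat(now_iso)
    report = {}
    for host in inventory:
        if host not in backups:
            report[host] = "no-backup"
            continue
        stamp, config = backups[host]
        age = now - datetime.fromisoformat(stamp)
        if not password_recovery_disabled(config):
            report[host] = "recoverable"
        elif age > max_age:
            report[host] = "stale-backup"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    for host, status in audit(INVENTORY, SAMPLE_BACKUPS, "2010-04-30T00:00:00").items():
        print(f"{host:12} {status}")
```

      Feeding it real backups means pointing the dictionary at the files your backup job writes; the statuses that matter for the "hit by a bus" case are stale-backup and no-backup.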

    2. Re:Both wrong. by david_thornley · · Score: 2, Interesting

      (a) There was a policy that he had to hand over the keys securely, which he refused to do earlier. That is one of the things that led to conviction.
      (b) If he'd been hit by a bus, there was no way known at the time to reset passwords without destroying the configuration, which was not satisfactorily documented. (Think about this - you don't want people to be able to walk up to such a device and pwn it. Routers like those cannot necessarily be kept physically secure.)

      Nor, apparently, did his contract state who should have the passwords. The terms of employment did say that he had to have the passwords recoverable by somebody else, and he didn't.

      I'm not referring to the events after his dismissal in particular. Childs left the network vulnerable should he be hit by a truck. That is not ethical behavior on the part of a sysadmin, and if he made demands afterwards that could be illegal extortion. I don't remember exactly what he was convicted of, but it's often a short step from unethical to illegal.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  23. don't set up secret monitoring on children's laptops by mjwalshe · · Score: 2, Informative

    A good recent example of how techs could get in trouble would be the techs that set up the spying on kids via webcam in Philadelphia. Congratulations, you have just set up a child porn machine. I trust that all involved will never be able to work with kids and vulnerable people again - and that would be getting off lightly; in the UK you would probably have a tabloid lynch mob out for you.

  24. Re:Obvious by Anonymous Coward · · Score: 2, Insightful

    Yeah, you're saying that's how it is and I'm saying that's not how it should be.

    If the employee is expected by law to say NO, then he should be able to do so without repercussions. Otherwise he is under duress. Telling someone he's fired if he doesn't do $ILLEGAL_ACTION when he's got a mortgage and a family to feed is akin to holding a gun to his head. He is powerless because he is now stuck between two entities who have total power over him and who want conflicting things. This powerlessness should grant him immunity to actions done in either power's name. Perhaps this is a symptom of a larger problem: law conflicts too much with reality.

    1. That's fine, but the liability should rest with those who are holding the mallets over the employee.

    2. This wouldn't be an issue if he had immunity. He wouldn't have to complain.

    3. So what is the probability that these two events will line up just so? Are you serious?

  25. I make hints or tell the client directly by bAdministrator · · Score: 2, Informative

    Working in IT, you're bound to come across pirated software from time to time.

    a) When I find some pirated software or license misuses, I could for instance tell the client that "I'm not the police, but..."
    I might also make them aware that there is this company that looks out for software vendors--the Business Software Alliance, for instance.
    b) When a client is aware that they're asking me to do something illegal, like ignoring license agreements etc, I tell them that I don't care what people do privately (nor do I assist them in that case either), but this is not the act of doing serious business--or tell them sorry, and explain that the company I work for won't allow me to do this, etc. If they still insist, they are a lost cause. You can only spend so much energy on these matters.

    I'd prefer that more commercial business software would come with some activation mechanism. I've seen cases where clients have ordered one license, then gone ahead installing the software on most every PC, and when confronted about this, they've argued that only one of them uses it at the time--but the license agreement does not allow it to be installed on more than one PC.

    You'll most often find that objectivity is the first thing to be sacrificed in business, so hang on to it, tight, or lose it.

  26. I'm always close to violating copyright laws by Opportunist · · Score: 5, Insightful

    Why?

    Because I'm in IT security. My job is to analyze and dissect malware, not only to find out what it does but also how it does it, what attack vectors are used, what system flaws are exploited, what means of communication with a controlling server are used and, if possible, I should also try to cut those lines and render the malware useless, preferably create some kind of remedy or even protection against it. All this can usually only be done by taking a closer look at the software than is possible by simply watching it run. In other words, disassembly and protocol sniffing and decoding are two of the main parts of my work. Both already illegal in some countries.

    Now, fortunately my country provides protection for this (albeit ... well, I have a law that I might pull out of my ass should I need it, but it's anything but a certain victory in case anyone ever goes to court for it). But in theory, any writer of malware could pull any IT security company to court and stand a pretty good chance to win. Though he'd first have to admit that it was him who created the malware.

    In other words, as odd as it may be, I may violate that copyright because the one who could drag me to court for it certainly has no interest in coming forward and claiming ownership of the code.

    And now let's ponder for a moment what will change should ACTA become reality and copyright violations get shifted from civil to criminal code. Technically, the State Attorney would have to step forward and protect the copyright of the writers of malware without them asking for it (because the SA has to act even without prompting from the injured party) and prosecute those that analyze malware and design protection and remedies against it.

    You see, you don't have to be the bad guy to think that ACTA is a really, really bad idea...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.