Slashdot Mirror
What To Do After You Fire a Bad Sysadmin Or Developer
Esther Schindler writes "The job of dealing with an under-performing employee doesn't end when the culprit is shown the door. Everyone focuses on security tasks, after you fire the idiot, such as changing passwords, but that's just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey, looking for the hidden messes and security flaws the ex-employee may have left behind. Otherwise, you'll still be cleaning up the problems six months later."
The answer has been widely discussed here: http://serverfault.com/questions/171893/how-do-you-search-for-backdoors-from-the-previous-it-person
a long rope and hang yourself! Seriously you should've put a lot more thought into this as sysadmins mostly hold the keys to your kingdom!
oh, first post btw :-p
This is one of those things that there are no easy answers for. The Right Answer(tm) is to have good policies, compartmentalization of duties, and mandatory time off (to allow for auditing) so that problem scenarios can be avoided before the fact.
It takes time. You have to audit everything. He could have installed a keylogger on the CEO's machine, for all you know. Or a hidden modem line on a server. If you really expect sabotage, you have to inspect everything, and that takes time, or lots of money.
Learn to love Alaska
After all, everything wrong with the place is the fault of the last person to leave!
... wait, what?
Real mature there guy... With an attitude like that. You'd better have alot of backup plans in place. It sounds like you are a shit place to work for.
Do us ALL a favor. Name your company. So we can avoid it.
Been there done that, tried my best to clean up but every now and then you would find another "dropping" - the reaction I had was exactly the same as when you are wandering down the street and suddenly step in a dog dropping, same sort of revulsion and disgust at the filthy mess you just blundered into and now have to clean up.
In fact, your entire corporate structure is at risk. How do you know he didn't engineer a brain virus that allows him to use the company's board members as flesh puppets?
He might have even used telepathy to cause major investment banks to sell him all of their shares of the company for pennies on the dollar. He might already own the company. It's best to double check.
In fact, he might be standing behind you right now, brainwashing you with lasers.
There's no -1 for "I don't get it."
Hmm, maybe he wasn't such an idiot.
I saw people fired after they asked for more money. Which they could very well have deserved.
In my opinion, based on the extensive history of watching the corporate reality, people who learned the rules of the game best survive the longest. They aren't necessarily the brightest, just learned how to play the system.
I'm going to take a "good people turn bad" approach to this one.
Scan for intentional backdoors and accidental gaping, well-known flaws with a fine-tooth comb. They may not have seemed too bright on the job but even an underperformer has enough insight into operations to find a way to mess up your day.
Perhaps pose it as a question to your better admins. "Knowing what you know, if you had to crack our system/application, how would you go about it?" Whatever their answer is, find a solution and implement it.
Changing passwords after? Change them while they're in HR's office or just before.
...it's hard to imagine the relationship went sour,
"...after you fire the idiot, such as changing passwords, but that's just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey,.. "
"Culprit"? What? This means that the bad developer has no process to back him up (testing etc.). Or are every bad developer handled by "you #" created a bug! you are fired!"
You hired this employee. Chances are you started off with a relationship of mis-trust: .. And you still were too stupid to figure out whether or not you had someone who could do the job right.
- You did a criminal check on the hire
- You did a drug check.
- You did a credit check.
- You did personality test.
- You used Shockley style brain-teasers to see if they could do things other than what their jobs entail because you don't know how to measure skill, intelligence, or talent.
- You interviewed in a style of hazing akin to a gang-bang.
Sorry, but the tone of the summary makes you look like an asshole, and you deserve whatever you get. This is your wake-up call.
The article points out many obvious pitfalls on letting an underperforming employee go, but very few of these problems are unique to the particular situation of letting an obviously underperforming employee go. Most IT departments are pummeled to death with impossible deadlines and demands and management thinks that the complaints and warnings are just "the way it is with those lazy bastards". Truth is, anyone who's worked with IT knows that you have to test your backups and failover procedures, do security audits, tear down setups that are no longer used and keep documentation and automation up to date. BUT first we have to finish this project that was dreamed up by the top level management with absolutely no understanding of the technical hurdles involved. And it needs to be finished yesterday. If you want things to be neat and tidy, you're pretty much expected to take care of it on your own time.
Time flies when you don't know what you're doing
...you wouldn't be asking this question.
Before hiring on to a company, it's important to check if it's a Pump-n-Dump shop. In these cases, a lynch-man will fire and must protect himself from backlash from his victims. Better to first check and not work for such shops, which are common. If you know going in that you're a temp, ask for a higher salary / comission and don't get emotionally attached. Plan your own escape.
It's one thing to complain about how the guy is worthless and not getting anything to done. It's another thing when he is finally shown the door and the reality that he was worthless and not getting anything done sinks in. Those projects that he was responsible for are still there, and now 6-12 months behind schedule. True story.
under-performing or metrics may them seem to be under-performing??
Made to do the work of 2-3 people??
Pulling 80 hour weeks that lead to errors and under-performing over time.
If this person left back doors and other traps, perhaps they were smarter than you give them credit for. Idiots are easy to clean up after.
Next, you've got to ask yourself why a smart person would build themselves these back doors in the first place.
My first reaction (before RTFA) was that the problem might not have been the employee, but the person doing the name calling. However, the link is to a blog that lists a generic list of precautions to take. Whoever wrote that blog still has some growing up to do, but I'll give him/her the benefit of doubt and assume they were going for humor.
In any case, I notice that HP paid for the content. Now we know why they are in such trouble.
Companies are large organizations. Each person in the organizaton may concienciously do their job with good intent but without seeing the bigger picture (not their job) and therefore without knowing the consequences of their actions. The people at the top who, in principle, see the bigger picture, are often so far removed from the details of what is happening that they too do not know what the company is doing, except in respect of the shareholders and overall finanical performance. So, the company runs on policy and no one knows what it is doing. The company can be uber-evil when everyone in it is as nice as can be.
The company is more/other than the sum of its parts.
The real dangers are often not the fired employee themselves(if you aren't stupid about it) but the employees that remain. Most people will not install any insidious backdoors just on their own initiative, but if you fire someone in a way that upsets the remaining employees, i.e. publicly embarass them, screw them out of money they earned etc., then odds are someone else IS going to try to install something to make sure that they don't befall a similar fate.
I hope he reads this. After a bunch of expensive equipment disappeared under his watch we fired him. The day after, standing around the coffee room I mentioned. "Too bad they fired him, he owed me 50". Three other people suddenly said, "He owed us 50 also." It turned out the same story for everyone. He borrowed 100 and returned 50. (note: some of my best friends are sysadmins so don't get me wrong)
The submitter comes off as an angry, abusive tool. Maybe he should fire himself for having a hand in hiring an "idiotic turkey" to begin with.
It's likely that the developer wasn't all that bad, but stopped giving a shit after being berated by an abusive asshole for umpteenth time.
All the comments I see so far give examples of people being charged with being incompetent and maybe it was not the case.
Lets focus on the real case, where the person being fired is in fact a major problem. Just like airliner catastrophies these seldom have one cause, the person probably has multiple major problems. For example he can't code and he is an arrogant loud mouthed prick, and he is also one of those jackasses who thinks he is very very smart but is actually never right. Perhaps he is one of the worst forms of IT prick, a nazi druid.
I tend to side with the critics here, asking if maybe management (including possibly the person posting the original question) are really the ones to blame?
I've worked in I.T. for something like 25 years now, for companies big and small, though the only times I've held a title of "manager", I was really only tasked with managing outside consultants or developers. I've always preferred being relatively "hands on" with the problem solving and system/network administration tasks at-hand, vs. spending my day in meetings and typing up Excel spreadsheets trying to explain what the "team" was doing.
Bottom line? Sure, there are a LOT of people out there trying to get hired in I.T. as support people or sysadmins who REALLY don't know what they're doing. If more companies would let the people actually DOING those jobs interview these people, they'd be able to weed out far more of the bad seeds before they even started. What I see, time and time again, is some I.T. manager who thinks he's simply "too busy" to interview some potentially really good people who apply for positions, and then he gets in a panic when it comes down the wire and he absolutely can't go without employing another person any longer. He winds up asking H.R. to find him someone good, and of course they don't know squat about I.T. so they pick through the resume submissions based on "standard issue" criteria like the college degree they claim to have, or the number of certifications they list. If he does "second interviews" with these pre-selected people, he may just be trying to pick the best of a bad bunch at that point.
But another problem is with how the I.T. workers are managed. You can have some really top-notch people working for you, yet they're made out to be clueless, inefficient screw-ups because they're actually trying to use their brains to decide which tasks on their plates are REALLY most important to the company. Meanwhile, some upper management character is throwing fits about relatively inconsequential items his ego demands be put "front and center". If you're busy working a difficult problem affecting a whole division of the company and by doing so, you didn't get some new computer issued to somebody first thing in the morning ... guess what usually happens? It's that idiot in I.T. who caused the employee not to have that shiny new PC on their desk on time. Nobody's even aware of the work the I.T. guy was actually in the middle of doing.
And here's the kicker.... You can say all you like about this simply being a "lack of communications" issue. "If management was simply kept informed about what I.T. was doing, everyone would be better off." But so many computer problems are of a "need to fix this yesterday!" level of importance, your good I.T. rank and file employees are going to concentrate on getting that done -- not on getting sidetracked with emailing status updates to key people. Management needs to realize that a certain level of TRUST is required here. You have to say, "I don't really know what Joe Q. has been doing the last few days, but that's ok. I trust Joe Q. because when I make an effort to find out if anyone feels Joe helped them with their issues, I get loads of positive feedback that he did." Micro-managing I.T. is almost never wise....
Usually "under-performance" is due to a bad motivator. :-)
Fire his boss, he probably spend more time shoveling papers or making "Strategies " than handling his subjects.
Culprit? Idiot? Turkey?
Oh, and "under-performing" instead of "incompetent"? (Which is the word the article used.)
Trying to figure out if submitter is PMSing or just bad at paraphrasing.
Anybody who did that might just as easily have left a dead fish or even time bomb up inside the drop ceiling. Or they might just come back and shoot you. All your stuff should be committed in some kind of revision control. Go back and check his commits from the weeks leading up to dismiss, or when the trouble started if you can pinpoint it. Good luck finding the time to do that though.
By using terms such as "culprit", "idiot", and "turkey" you indicate that you are a big part of the problem.
Only gross mismanagement would let you get into such a mess in the first place.
It sounds like he is well rid of you.
There isn't really any practical way to be completely sure, but one thing that can help is to not give him reason to want to attack the company.
Lay him off and pay him out a good severance pay and he is much less likely to leave disgruntled. There may also be other parting perks besides pay that can generate good will depending on the person.
This also give the added benefit of when something breaks in the old obscure undocumented part of the system only one person knows, that one person may be more willing to help. Tho how beneficial this is depends on how useless he is.
As for the technical stuff, only way to be sure with sysadmin is rebuild all the servers from scratch (an extremely time consuming task of course).
For programmer, the whole team should be doing regular code reviews anyway looking for any security bugs. Maybe an extra code audit would be a good idea.
1984 was not supposed to be an instruction manual.
Give me a gazillions boxes and I will fix everything.
Achille Talon
Hop!
How can incompetent people can get into technical roles if appropriate hiring practices are followed?
Prepare, and execute quickly.
After too many actual shouting conflicts with others, and numerous lies ("even I will have trouble upgrading X11") he had to go. First I arranged for our previous guy, who had gone off to be a consultant while finishing his PhD, to return (at his new rate+housing) for continuity. Then I spent 3 hours with the firee, discussing in detail why he had screwed up in so many ways. I gave him the option of quitting or being fired, he chose the latter for unemployment benefits.
We went to his office, I told his assistant to change all the root passwords, and said clearly that I knew he could screw us anyway. That helped a little, and he was so unaware of his misbehavior that no bombs were left behind. My previous guy was on site the next day.
We eventually hired an excellent professional. He's still doing a great job there through many changes after 20 years, although I left that organization a few years after that hire.
you'll still be cleaning up the problems six months later.
The real issue is not the low productivity techie. It's that there's no manager with enough knowledge and skills to ... manage techies.
Techies are seen somehow as "lone wolves" or "wizards" that "just do the (right) things".
My solution?
Hire a manager with the real knowledge (an former techie) and let him both manage and work with the younger techies.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
I have been in IT for nearly 25 years now and have learned a few things along the way. The first rule is that most employees referring to others as idiots, turkeys, incompetent etc need to look first in their own seat.
It is generally a reaction I expect from a dev or sysadmin covering his own faults by passing blame to others. I find most people just want to do what they where hired to do and do it well and given the proper chance and assistance will do just that.
In the last 5 - 10 years though it is generally a result of understaffing and insane deadlines causing less than desired results.
Got Code?
the most important is the before you fire any System Admins, they must reveal all super user passwords and remote access system must be all secured...all router and customer datafiles protected before you fire him. He must not have no backdoors or rogue wifi to your system and the after the actual fired bit... it is very important that you use that flashy thingy that Men in Black has.
Organize a party, day and night, with a lot of drinks, and women. And Beeeee haapppyyyy, no more woooorrriiieesss.
I'd start by sacking the turkey that hired the turkey in the first place, and/or the turkey whose piss poor management skills allowed the situation to get so far out of control that someone needed to be sacked.
when the culprit is shown the door.
But the person who hired him still works at the firm... that's the real "culprit".
Seven puppies were harmed during the making of this post.
...correct question: ...then look there, if there is nothing either your imagination is bad or the man is not a real threat... ...oh wait, there is no case B.
What would you do if you were a bad admin and wanted to destroy the company if you were fired ?
case A. ask someone more paranoid than you (and btw. you are then not competent for the job)
case B.
That's when things got interesting.
My manager and I started the process of handing over all my projects -- most to the rest of my team, but a few went to the OFFH. It didn't take long for the OFFH to piss off one of my soon to be ex-clients to the extent where top level management got involved, the OFFH was finally pulled into a disciplinary hearing (wasn't fired, but received a final written warning), and I had to step back in and clean out the mess. The next day, the OFFH put in for leave on the Friday coming up, went away... and never came back. It was formally dismissed for absconding shortly afterwards.
That's when we found what was really going on. To summarise:
So, while we thought we were dealing with mere incompetence, in truth, the OFFH was a malevolent fucktard.
All of us involved has learned our lessons -- personally, I'm far more security conscious, and the folks I worked with are far stricter regarding who they hire, development practices and policies, and that kind of thing. As for the OFFH, it seems to have vanished into thin air...
We fired a database admin who seemed to leave without issue. Did the usual steps to check for everything, no problems found until... The police turned up three years later armed with a search warrant for the CIO's office and the IT department. They knew right where to look in the hidden nooks and crannies of the server room, under the lift out floors for example and above the door frame of the CIO office. What did they find you ask? USB pen drives loaded with child porn! The CIO is arrested the manager is arrested the IT staff put through the ringer. Upper management cleans house. We, what was left of the IT staff, always suspected the fired database admin who had access to all these locations. The police got an anonymous tip. We suspect that at some point he planted all these drives around as insurance then waited several years and informed the authorities telling them just where they should look. Cases against the CIO and manager are still pending.
If they were evil: did some bad things, sabotaged the operations, stole money/data/reputation etc. then your security people should be able to detect the weaknesses ('cos if they were good, yet evil, they'd still be working; undetected). If not, then it sounds like you have a secondary problem as well. Consider yourself top have just been the target of an unscheduled audit - oh yes: you failed.
However the one thing you should do is to review your hiring procedures.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Malice is one thing, but if you're hiring someone so incompetent they can ruin your IT this way, and don't find out before they've had time to do so, then both your IT and your HR departments are probably being managed by incompetent people. (Not to mention the guy's supervisor.)
Backdoors from the current IT person aren't important?
Instead of calling him idiot or making joking references, you might consider the circumstances of his troubles and travails. It might be that some of his responses were actually fit for some out-of-norm situations. Also, people now and then make mistakes and if someone has had some file erased, well, people should make their own backups and not just rely on the server one.
Anyway, it's always good practice to review his work and even try to end the relation on good terms, e.g. by giving a reasonable recommendation letter, so that he can have a fair chance on his next job. That will also create a positive climate among the workers that remain.
Sorry for the inconvenience -- that's what he must be thinking now, the poor fellow...
And please keep posting here, because, uh, people here might have had the exact same kind of problem you're having. And we love to help.
Have a nice day!
For starters, referring to people as turkeys just makes me not want to take it seriously. Being sponsored by HP puts nails in its coffin.
When sys admins put back doors in for themselves it is usually to get around ridiculous amounts of bureaucracy that stop them from getting anything done. A competent sys admin also does not 'add patches as they become available' willy nilly because those patches need tested, you need to understand what is in them and you need to make a decision as to whether you are affected by it and the disruption is warranted. It also seems to be about security companies selling their wares and installing 'data loss prevention systems', whatever the hells those are. Would I trust and outside set of consultants to come in and do that? No I wouldn't.
Basically, if you're at a point where you are doing what this article says then your own company is incompetent and shooting blanks in the dark.
You hire an independent, outside, third party to do a full security audit.
It won't be cheap, but if anything goes wrong after the audit, your company can lay blame squarely at the auditor (and more importantly the auditor's insurance will pay for your co.'s damages)
Slashdot: where everyone is a CEO or manager.
Shouldn't this be what to do BEFORE you fire one?
I thought they were sent to management.
No good deed goes unpunished.
What incompetent managed this person?
They are so over emotional they use five deprecating descriptions in just one paragraph:
"the culprit"
"the idiot"
"the turkey"
"looking for the hidden messes and security flaws the ex-employee may have left behind"
Why weren't they checking up on this employee?
Their communication to the employee of their expectations should have been clear and the employees' deliverables specific.
I'd say their problems as a supervisor are irredeemable.
Blame everything on the guy that left. That's standard practice. Insert stock "three envelope" jokes here.
It's the good ones. The bad ones can't set up a back door, or subtly corrupt data, and haven't frobbed any SSL keys.
Design for Use, not Construction!
Without actually discussing just what 'underperforming' means (hint: it's a wiggle word used by horrible managers that means 'I can't be bothered to get money for my budget so the guy who won't come in over Christmas is fired') I'd like to suggest these options of what to do after letting an underperfoming sysadmin go.
1) Change all of your passwords and locks
2) Don't bother looking for uber-secret shit because, if he/she really were underperforming, there won't be any
3) Call a big meeting of the rest of the (by now) shit-scared underlings and explain to them in the nicest possible way that if they don't toe the line, they are next. Use the word 'underperforming' -- they'll get it.
4) Go into your office and plan out the vacation you will be having with your performance bonus for getting more work out of fewer people.
5) Buy some asbestos underwear for your trip to Hell.
..."idiot" "turkey", etc...
OP needs help - and not just a new sysadmin.
I think that this really be generalized to "when any employee leaves the company."
The issue of under whose choice the departure occurred is pretty minor.
I am an incident handler by trade, and I have worked several cases regarding unauthorized access by former employees. While it certainly is not a representative sample of all such incidents, nor does it cover all possibilities, every case that I worked involved the former employee using either A) Their old workstation(s) as a point of entry using 3rd party remote desktop software as a backdoor or B) Re-entering using VPN credentials that had not yet been revoked. These actions usually took place within 48 hours of termination. Based upon these specific experiences, I would recommend the following. Note that the key with many of these items is actually doing it right away. Having "revoke terminated employee's remote access" in your IT policies does not help if you wait 2 days to implement. I have seen former employees re-enter the network immediately after termination, and by immediately I mean you fire me, I drive home and VPN right back in.
- Immediately disable all credentials used by the former employee in such a way that the employee will not be able to access them, but where you WILL be able to log any attempts to authenticate using those same accounts throughout your network(s).
- Immediately revoke remote access privileges. This may seem obvious to most people on this thread, but not everyone does it.
- Removing the former employee's workstations from your network immediately upon termination. These are the computers where the employee spent most of his or her time and had the most control, AND the most privacy. If a backdoor has been left, it is most likely to be here. While an admin could for example leave a backdoor on a server, it is least likely to be noticed on a workstation by other staff. I can't overemphasize this one. Don't think you can audit their workstations to find a backdoor, just take it offline. I have seem a former employee come back in through his former workstation and wipe customer data.
- Do preserve a copy of the drives from the former employee's workstation so that they can be examined down the road if the employee ever tries anything funny, or if you end up getting sued. If the drives need to go back into circulation, create an exact duplicate using any of the DD variants out there (dc3dd for example) or FTK imager. Don't forget to save the contents of the user's network shares as well, such as a network home directory.
- Make sure you audit logon successes and failures to other information systems on which the former employee had access. These could be servers, databases, source code repositories. Whatever. If this set is too broad, focus on the projects where the employee spent most of his/her time. You don't necessarily have to chase down every successful auth to make sure that it's valid. That would not be possible in many cases. But check for the usual suspicious patterns such as authentications in off hours, blocks of auth failures, attempts to use the former employees account name, etc.
- If there are any highly critical machines that the employee had access to that you are worried about him or her possibly having placed a back door onto, you could do a quick audit for suspicious activity. Just do a quick run with the Sysinternals tools on those boxes and look for suspicious processes, handles, open files, open sockets or network connections. You could even run rootkit detectors if you think the employee was extremely technical and capable of not only installing a backdoor and hiding it. If you're super paranoid and have a lot of time on your hands you could even dump memory and do a more thorough rootkit search using tools such as Volatility.
- Any other additional logging/auditing never hurts, if you have the time.
Even if an under-performing employee is not at risk of becoming hostile on dismissal, their incompetence requires time for someone else to figure out what the hell they did.
So here's what you do: promote them to a management role (with extra pay), and bring on 1-2 interns for them to "manage." Make sure said interns are headstrong and willing to meticulously document everything. Once they figure out the system enough, send out the pinkslip, change the passwords, and bring on one or both of the interns to full time.
Idiot? Turkey? Are you 5?
can also put a box near a printer and make it look like it's part of the printer or even a fake network to usb printer box (that can be a mini pc) just say on this printer there is some stuff that can only be done over USB.
Hire a sysadmin new sysadmin good enough to pick up on any flaws, vulnerabilities, and poor system design.
Let him wipe the servers and do a hard shut down and delete any production.
It's all the same to me, I only collect a paycheck, let the investors and weenie managers worry about it.
There's a Thanksgiving joke somewhere in there that I didn't get.
How about training under-performing or incompetent employees before the situation necessitates termination?
Competition Good, Monopoly Bad.
and make sure that the next one is a good one
The level of entitlement in the OP is staggering, but, unfortunately, not unusual. At least in the USA, companies seem to be convinced that they have a divine right to treat their employees like liabilities and traitors (and generally like shit), even in the absence of any proof whatsoever. Mandatory drug testing. Credit checks. Background checks. Interviews that are more like an inquisition than a productive effort towards a common goal. And if they even get the slightest whiff of their employees being dissatisfied with the quality of the shit they're being fed, out the door they go, with no explanation whatsoever. "Security will meet you at your desk and escort you from the premises. No, we're not going to tell you, you just don't work here any more. Your belongings will be mailed to you, at your expense. Here's some information that the fascist state we live in DEMANDS that we give people when we fire them, and since they're so incredibly anti-business, they also DEMAND that we actually give you the wages you've earned AND vacation pay. BASTARDS!"
Companies treat their employees like the enemy. Labor relations resemble a banana republic civil war more than a professional interaction. A hostile environment makes people feel insecure and defensive, and when you threaten someone's livelihood for the mortal sin of not wanting to be treated like a garbage bin, they tend to take drastic steps to protect themselves (like using the resources they have access to to make it harder to fire them). Most people will choose continuing to be able to feed their families over ethics, especially when it's made clear to them that the people calling the shots have no ethics whatsoever and will not hesitate to throw them under whatever bus happens to be rolling by if it makes them look good (or covers for their own astounding incompetence).
Firing people SHOULD be painful. Most of the time, it's not painful ENOUGH. Most of the time, the fired employee is hurt so much more drastically than the former employer; after all, the company can just scare the remaining employees into doing the ex-employee's job in addition to theirs.
If you fire a key IT employee, and as a result your company burns, well, tough shit. You have nobody but yourself to blame for either hiring the wrong guy, or allowing an incompetent to run things for so long unsupervised, or treating a competent employee like garbage.
Never underestimate the power of stupid people in large groups.
...And, of course you are the one and only quality operator. There are bad operators, of course, but lots of readers will think of someone who simply arrives at a different solution as the type you mean to refer to. Our business is loaded to the gills with my way or the highway types. It is a shame that we don't mingle our ideas more freely - we would consistently build better solutions if we did.
Unless you're development team is one stand alone developer, using practices like code reviews from peers, a strong source control system, and so forth should make it difficult for the employee to check in broken / malicious code. Also you should remind the employee when they're leaving that if they did leave backdoors open they're subject to legal action, arrest, and other bad things that shouldn't make it worthwhile.
When you fire him, you'd better be prepared to have him leave as soon as he picks up his personal belongings. Everything else can be mailed. You don't want a bitter, empowered employee sitting around for even 5 minutes with access.
I swear to God...I swear to God! That is NOT how you treat your human!
How about a verbal deal that gets around the problem that a lot of "fired" employees are dealing with nowadays?
"We will show your position as terminated due to 'lack of work' so that you can get full unemployment benefits, as well as a wonderful job reference where we tell potential employers how great you are as a person and as a worker if you agree not to leave anything dangerous or possibly harming in place. If you choose not to comply, we will extend every power we have to ensure you are terminated for reasonable cause with no chance of unemployment OR job reference. We will also find any future employer you end up with and inform them of the dangers they face, unofficially, quietly, and without your knowledge of how we do it. You will have to watch your back professionally for the rest of your living years."
I know, I know. No one would do that. But hey.....
Whenever you hear someone say 'we are all in this together' put your hand on your wallet and back away from the motherfucker. He thinks his problems are yours and your money is his.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
No one suggested it, yet ... why not?
Just make him clear, if there are any backdoors and he uses them to do bad to the company, he will be responsible.
When you come over one of the backdoors, remove it. But as long as you do not, just trust that he will be sued, if he uses them. He knows this, too.
Telling this in this place is like going to the black's place and say "how do I kill this nigga?". Who is the idiot here? Go deal with that. We are developers here and we have dealt with an insensitive dominant bitches that sit in a chair claiming things are other ppl's fault before. I hope your systems get penetrated/destroyed and the rest for being such a bad/evil person. And that recovery costs you all your money. I wish the best of the lucks for the developer and to get a good job than the crap you offered. This all reminds me about a job that the jerk just made promises while I used to reach the edge working around the clock and then sometimes didn't even got paid completely. The stupid ignorant that knew nothing about software development called me at times snail. I wasn't fired but had to quit. Later the jerk wanted to re-hire me again. Then I said sorry idiot you lost the thing. Go find a better developer if you can. To date he haven't :D.