Withhold Passwords From Your Employer, Go To Jail?
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
I don't care if you made them up, they are the property of your employer.
Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.
I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.
HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.
The passwords are like the key to the office. You have to return them.
good, justice served. usually I'm on the employee's side of things, but perp committed a crime, it's stealing, sabotage and extortion to do that
When you lose your job as a bus driver, you have to return the ignition keys to the vehicle. Duh.
Another sensationalist headline which suggests a far different story than the one in the actual story.
He should have just invoiced them for his time to document them as a contractor at a really ridiculous rate.
I've simplified the submission:
Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.
"I don't remember."
Get the passwords first then do the firing....
Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.
There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.
What system is there with no way to reset the passwords? I'm having a hard time thinking of an OS/embedded device that doesn't have a password reset mechanism or a means to overwrite the previous password with a boot disk.
I'm sorry, but it's really a best practice to NOT have one person "holding all the keys" - EVER. As a consultant, I make sure ALL my clients have copies of everything, along with myself... just in case I get abducted by aliens or something!
Same should go for ANY IT situation.. that I can think of, at least.
Just root the servers, give the passwords back, then change them.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
...that ends with the NSA contractor refusing to give up the encryption keys to the vault, and us finding out later the NSA somehow managed to get through "unbreakable" crypto...and quickly.
Perhaps then we can all just absorb the true gravity of security these days instead of laughing at the tin-foil hatters still in shock over the wake of Snowden.
Doesn't this set dangerous precedent?
Plenty of organizations have dozens or hundreds of passwords. Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?
Yes, this guy was a douchebag, but he shouldn't have to turn over anything.
Access control policy is the responsibility of the employer. If they fail to set policy or fire employees before it's too late, it's their own damn fault. This is just another example of mismanagement backed by a broken justice system.
Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.
But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
When I left, I handed him the key to my desk and said, "You know where they are."
I know long before the Terry Childs case, I remember my IT teachers explaining that if you took off with passwords etc. to anything they didn't have an account over, the standard response is to hire some ridiculously overpriced person who is paid by the hour to gradually break into it, then have the courts foot you the bill. I don't get why this is shocking. The Terry Childs case was a bit of an exception, namely because of his claim that the person who he was under the impression he was supposed to give the information to was not present. I.e. Childs was not saying he wouldn't give the password unless he was rehired or paid. He was explicitly saying he was going to give the password, but not to the middle manager who was asking him for it. In Childs' case he could have been screwed either way: giving the admin password to someone who shouldn't have it makes you liable for the damages they cause, but refusing to give the password is also a suable offense. If you know who has the rights to the password, and have access, there's no room for debate at all.
Seriously, fuck him. Having been on the receiving end of this kind of crap before, I'm fine with this clown going to jail. A public beating wouldn't disappoint me either.
People who set things up so they're the only ones who can make it work need to face the same kinds of penalties for malpractice in other fields. There is nothing that will make me get rid of an employee faster than job security shenanigans.
The people who need them should already have them at all times.
Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.
Or hey. Maybe your employer is a moron. And he really really does expect you to know the password for $somedevice you never touched and never used.
But it's 'computer stuff' so you know all that stuff because thats your job. You're the computer guy.... Right?
I sure wouldn't want to be the 'computer guy' for anyplace that will send you to jail just because you forgot a password...
And they won't take 'i forgot' as an answer because not handing it over is a crime worthy of jail.
You get back at employers the old-fashioned way: make things overly complicated to the point where they need an army of techs or programmers to figure things out. Make it cost more to replace you than keeping you on the payroll.
Yeah, great idea, let one guy have all the control. Everyone involved got what they deserved.
Am I the only one wondering why he didn't just give them the wrong password? If it doesn't work, they can't prove he lied about it, he can claim that someone must have tried to change it or hacked into it or something.
How the heck is he supposed to pay that back?
If you use a work computer, phone, PDA, or calculator, assume that whatever you do is owned by them.
As for passwords, a smart company would have set up a dual custody (http://www.fdic.gov/regulations/safety/manual/section4-2.html) relationship between multiple sysadmins, rendering the issue moot.
In fact, it's kind of required by standards like PCI-DSS and Sarbanes-Oxley
Nobody, least of all the writer, remembers the exact circumstances of the sorry affair. Yes, Terry was a fool, and could also have been accused of being self-important.
BUT! This little man, an excellently competent network and systems manager, engineered a city network that in all the time he ran it never had a single serious failure. His two mistakes were to care too much for his domain, so that he never realised, as he antagonised his superiors by demonstrating to them repeatedly that they were his technological inferiors, that they would be all too keen to be rid of him, no matter what the cost to the city.
Fortunately, when the day came he held firm and refused to give up the keys to these drudges. He was eventually forced by weight of law to give up the keys, and do you know, since then there have been so many faults and failures of this network one would think it had been deliberately damaged.
So I say the $1.5M restitution should more rightfully be paid by those same managers.
Hmm! even the CAPTCHA agreed (crucifix)
He did not just refuse in that one instance. He was then fired and still refused to give the passwords to his duly authorized replacement. Had he felt he was improperly fired, a wrongful dismissal suit was in order, not withholding passwords.
Gee, you don't think it could simply be a case of newsies swinging techies for fun and profit, do you?
After all, techies are educated, so it would be impossible to spin them, wouldn't it?
Of course, CS Levis wrote that it's easier to spin an educated person, possibly because he listens for the key phrases, makes a rash judgement, and then holds onto it with all the wicked ego he's got... until he hears another key phrase.
Which was what the security policy required of him. He was arrested for not turning the passwords over to unauthorized individuals.
Childs was basically attempting to extort expensive employment privileges (job security, work assignments, working hours, co-worker assignments, physical access) from the City of San Francisco by concealing critical information if they didn't cooperate. The sentence for extortion is usually longer than two years so Childs should have gotten a longer sentence. The legal brief is a very sad read when you consider all of the bright people (both legal and technical) who have spent thousands of hours dealing with the machinations of one crooked jerk. The rest of the world must be amazed at the utter waste of talented people who could be employed in more useful activities.
If they had physical access to the systems, they should have been able to reset the passwords. Now, if he was intentionally prohibiting them from accessing the systems, after being fired, then he was doing something criminal. If, on the other hand, he was withholding passwords while working there - and being tasked with security for the network - then he did nothing wrong.
Sometimes someone has hurt you so bad that the situation is no longer about having leverage on that person or company. At that point hurting that other party can become more important than the harm that happens to you. I just hope that for this guy it's worth it. It's crazy it's stupid and it is so very human.
He should have just told them that he forgot the password.
Dano: I got the Perp in sight, charge cocked, finger on the trigger.
Jacko: Hold on there Dano. The Perp is an Ass-wipe for sure but maybe not the type for instant death. He was using the Windows Operating System from Microsoft ... "Micromanagement". Maybe he got confused about "Permissions" and "Rules" and "Profiles" and "Ownership" and things in the Microsoft Micromanagement world mind think.
Dano: Fuck You Jacko. I'm popp'n the Perp with my 45 and sending his rotten body to the morgue. Tag Toe the bastard when I'm done. I'll write up the report. And! Do not cross me!
Jacko: I loves my Dano. How Dat!
Dano: 'Nough said.
QED
Much simpler. Let the lawyer figure it out for you.
"The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords"
This is more a case of doing it wrong.
Simon Travaglia has shown us numerous times how to do it right.
I'd say something like a lastpass(tm no doubt) account, on the employer's nickel, so that each and every server could have a secure password (or class of server if its deemed more sensible to have all the servers in a rack or a room have the same password). Then the only thing the "magic envelope" has to be the username and password of the lastpass account.
No doubt folks with the responsibility for hundreds or thousands of servers have some better ideas about "best practice" ... so please share.
This is "scalable" in that admins could share (or not).
The tradeoff between ease of use, security, and ease of transfer to the next responsible party(ies) is not always a trivial one.
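The dual-custody arrangement recommended a few posts up, and the "magic envelope" holding the vault credentials described here, both come down to split knowledge: no single admin holds the whole master secret, and any quorum of custodians can reconstruct it. Below is an added example, not code from the original thread or from any product it mentions, of Shamir secret sharing in Python over the prime field GF(2^521 - 1). The sample master password and the 2-of-3 custodian layout (two sysadmins plus a sealed escrow share) are constructed assumptions for illustration.

```python
"""Shamir secret sharing for split knowledge of a vault master secret.

Added example for this thread; not taken from any vendor or project. The
master secret below is a constructed sample, and the 2-of-3 layout (admin A,
admin B, sealed escrow envelope) is an assumed custody arrangement.
"""
import secrets

# Mersenne prime 2^521 - 1: the field is large enough for any secret of up
# to 64 bytes, so the secret can be encoded directly as a field element.
PRIME = 2**521 - 1
MAX_SECRET_LEN = 64


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(PRIME); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` (x, y) points; any `threshold` of them recover `secret`.

    A random polynomial of degree threshold-1 hides the secret in its constant
    term, so fewer than `threshold` shares reveal nothing about it.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret must be at most %d bytes" % MAX_SECRET_LEN)
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never used as a share index: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(points):
    """Lagrange interpolation at x = 0 over GF(PRIME); returns the field element."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points, secret_len: int) -> bytes:
    """Recover the original bytes; secret_len restores any leading zero bytes."""
    return recover_int(points).to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Constructed sample: the vault master password nobody should hold alone.
    master = b"correct horse battery staple"
    admin_a, admin_b, escrow = split_secret(master, threshold=2, shares=3)

    # Normal operation: the two admins combine their shares.
    assert recover_secret([admin_a, admin_b], len(master)) == master
    # Admin A gone (fired, abducted by aliens): admin B plus the escrow envelope.
    assert recover_secret([admin_b, escrow], len(master)) == master
    # One share alone yields a random field element, not the secret.
    assert recover_int([admin_a]) != int.from_bytes(master, "big")
    print("2-of-3 recovery works; a single share reveals nothing")
```

Two practical caveats: the shares must actually be held by different people and stored apart (a vault entry holding all three defeats the purpose), and the machine where recovery happens sees the whole secret, so rotate the master secret and re-split it after every recovery, exactly as you would after an admin leaves.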
This isn't some pseudocrime like copyright infringement, this is an actual theft because it is depriving his employer of their own network.
Your employer owns their hardware, including the "keys" to get into it.
Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.
Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.
Now imagine they "no longer need your services" after three years of uninterrupted service.
Now imagine that you haven't persisted the router configs and they lose power.
Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.
When you stop laughing...
Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".
After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.
He was backed into a corner given two bad choices: to break the rules and reveal in front of a crowd of unauthorised people, or do it later. Then he was rushed off to jail, so that his only chance to do it later was to the Mayor at a special press event when the Mayor came in to "save the day".
IMHO he was the victim of very petty workplace politics probably backed into that corner just for catching the new girl after hours removing the hard drive of the person that was supposed to be in charge of network security.
The lesson here is just roll over, let them win their petty little game and escape from such a sheltered workshop of baby vipers and get out into the real world. If that evil bunch had not had their own Police department on call but instead had to rely on an independent one under adult supervision we'd never see such a mess. I know Californian politics is supposed to be so fucked up that nothing works, but this arrest and long jail term for a simple workplace dispute shows things are far beyond a joke.
Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?
No - if he forgot the passwords then it would be tough luck for the former employer. However what this idiot did was try to extort money before he would divulge the passwords. That's not the same thing.
Every router's configuration was only loaded into system memory, not NVRAM. The ASCII files the routers were configured from were all encrypted. Terry was very careful to make sure that no one could play with his toys.
There was no way to "root" or hack into the routers. Cisco's best could not do it and they tried.
He ended his temper tantrum by requiring then Mayor Newsom to come down to the jail so Terry could give him the passwords in person.
What happens if someone gets fined $1.5m but isn't worth that much and can't ever pay it back with everything they own?
... go to jail. Go directly to jail. Do not pass Go, do not collect $200. Nobody's surprised by this. It's his employer's network, after all, it's their passwords. If they decide to replace you as sysadmin, the only right you have is to insure they and not you are responsible for any problems that ensue (eg. "I will not give you my current password. I will initiate the password change process, enter the current password, and then wait outside the room while my replacement enters his new password. If there are any difficulties, I will assist by re-entering my password and/or unlocking the system until my replacement has successfully changed the password to something not known to me. This is to insure that after the hand-off I no longer have any access to the system.").
And yes, I've done the moral equivalent of that. Not with a root account, obviously, but when leaving a job I would deliberately fail enough login attempts to lock my user account and made sure they had notice of this and I had a paper trail proving they did. I figure that way they don't have to worry about me accessing the systems, and I don't have to worry about being accused of messing with them after I've left (well, I could be accused but I had the evidence to counter the accusation).
> and not the complete idiots of the company for leaving their passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.
"The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.
In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.
Room full of people on speaker phone. Reveal the password - maybe go to jail too, at least that's what the rules he was trying to follow said.
So how much time did the new girl who was caught removing the hard drive of the computer used by the head of network security get? Zero. Don't go trying to find some justice in this, it's all "might makes right" crap.
Stop using "theft" analogies. He did not steal anything, he sabotaged the system, and he was the only one with knowledge on how to fix what was done.
He booby trapped the system, locked out other authorized users, etc. The judge or jury would look at that and determine that either a) he's lying, or b) forgetting wouldn't be a problem if he hadn't set booby traps etc., and locking out other users was an intentional criminal act.
It's interesting to me how often people say "just claim that [transparent bullshit]. 99% of the time, judges aren't stupid. Their law degree indicates they have above average intelligence, but sometimes people assume judges must be drooling morons.
Granted, occasionally there are rulings that seem pretty dumb, but even those are normally much less dumb than the headlines make them out to be.
This is California Pen. Code § 502, subd. (c)(5), of which Terry was found guilty:
(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
Operate a back hoe and go to jail? Pull the wrong patch cable and go to jail? Tell someone "no, you can't use this computer right now" and go to jail?
This law is ridiculously broad, glad I don't live in California!
There are two groups arguing here - I think both may be missing the point.
Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.
Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.
Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?
- They wouldn't be claiming $1.5 million in damages - an absurd figure.
- They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.
- The *only* likely retribution would be: "don't use us as a reference".
Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.
The city was functioning, but they couldn't change anything in their infrastructure. It was pretty nasty because from what I understand he locked everything up *after* he got in a conflict, but it wasn't shut down.
I think this case needs to be appealed in the federal courts. When a person is hired there exists some form of contract with the employer. When an employee is fired that contract ends. So if they told him or implied that he was no longer their employee I see no problem with him not responding in any way, leaving the building and immediately flying to a remote Pacific island leaving no address or way to contact him at all.
We do not know the details but was the request for passwords made after he was terminated? Was it made during the termination? Was it made before termination was made in any way? Worse yet what kind of idiots are in charge of this company? What if the man had stroked out and died suddenly? Is there any proof that they asked him to continuously keep them advised of passwords?
Maybe this fellow has a suit he can press against the former employer.
Whoever thought withholding passwords was a good idea is insane to begin with. Why is this presented as a rational choice to be made?
These articles show you that a lot of nerds really are totally incapable of dealing with normal society.
If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?
Some dweebs seem to construct fantasy worlds around themselves and, since they lack interaction with other people, become convinced that these fantasy worlds are real. Childs seems to have done so; he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.
I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.
Bull shit he didn't booby trap it. The network was configured to run from RAM at his design and he was the only person with the configuration. Power to any site will go out and that site will be down until the "hero" comes to save the day.
Citation needed
Feel free to cite any reputable news outlet.
To me, these two paragraphs from the court document are the most damning evidence against Childs:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
Getting arrested for violating a policy that forces you to remember things sets a very dangerous precedent. This here idiot aside, I would much rather force corporations to set up dual-key infrastructures, dead man switches etc. than to allow them to claim humans are robots and any failure is prosecutable.
Because people do forget things, and I would say ALL who have worked with computers have forgotten at least ONE password at one time. I for one would rot in password hell if forgetting was a sin.
I agree completely. I think it should be prosecuted as a denial of service attack would be; it's a de facto DoS.
Calling passwords property would lead to a slippery slope I think...
Though to be fair, calling *anything* that leads to loss of access a DoS could lead to bad things too...
However, this should definitely be at least a civil issue with punitive damages... I would even say this SHOULD be a criminal offense.
In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.
What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...
Requiring the password? Sorry, that's their identity (and ass) on the line.
It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.
Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.
Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.
I think "You're fired" is a pretty clear transfer of responsibility.
Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.
Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.
Don't risk it. Have plans for unavailability, termination, and death.
That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.
Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Should have used unmaintainable code and config files like everyone else.
Refusing something to a supervisor / manager can be doable. You are supposed to be able to escalate an issue to the next level(s) if your supervisor(s) may be doing something harmful or illegal. I've actually seen this happen with a multibillion dollar asset, and the top manager, a vice president, got fired after wrongfully trashing a first line supervisor so badly, and spending $2 million on internal investigation (personal vendetta), it also pissed off over 600 highly compensated employees with recorded call-ins. The sr officers *had to* put the vp down.
Yeah that's going to be a problem. It's gonna be a problem for them. This a clear violation of your rights as a consumer. It's an infringement on your constitutional rights. It's outrageous, egregious, preposterous.
Oh wait, that was Jackie Chiles. Never mind...
He was under orders not to divulge the passwords in front of third parties not under the agreements of confidentiality and signed to that effect.
He was then put under order to do so but was only given the VERBAL order to do so, therefore could have been taken for breach of contract and have no recourse.
and... if he actually 'did not know them' then what - get jailed indefinitely for no reason whatsoever? This whole country is going downhill fast.
There may have been some alarmist rhetoric, but such an event WAS NOT POSSIBLE.
The only option taken was that it was NOT possible to reset the passwords over the network. This is 100% CORRECT security procedure.
If someone has console access, then you're already stuffed, but if you have network access to a "reset root" command with an account that anyone could get the password to, then you have ZERO security.
Those documents are the CLAIMS of the accusation.
He was in charge of those systems. As far as those systems are concerned, NOBODY, NOT EVEN GOD is above him.
Is it merely this authoritarian bullshit is being done by one of the "peons" rather than the executive "masters" that has so many retards butthurt over this?
Another poster put down:
"whatever your interpretation of the law is, he is in jail. I think that is a good outcome"
WHATEVER THE LAW SAYS, he's in jail and this is good.
THAT, RIGHT THERE is the problem.
And I have ABSOLUTELY NO FUCKING IDEA why that sort of absolutist fascist bullshit is getting so much play here with Childs. Did he steal everyone's candy or something?
The problem was that he tried to blackmail a government. If you try to blackmail a person with limited resources, it might turn out that the cheapest thing for them to do is to give in to your demands, especially when the government is only really motivated to get their own money back and not other people's money back. If you try to blackmail someone very rich, you will probably just anger them enough to be willing to lose more money just to see you go down out of spite. You could try to make the blackmail consequences really severe, but chances are that there is a limit to the amount of damage you can really cause. If you try to blackmail a government that can levy taxes to generate revenue, controls the justice system and has a public image to uphold, you are really going to have to do something bigger than hijack some infrastructure passwords. You need to take over Alcatraz and point some missiles with VX gas at the city.
Number 1: "his manager wasn't heavy handed regarding obtaining passwords due to the desire to keep the talent."
No, his manager had been caught taking a HDD out and introduced themselves as "Hi, I'm your new manager! Give me the passwords!".
Number 2: "he designed in backdoors into a critical system"
Nope, it's part of the Cisco IOS parameters: he never had to design a thing, let alone backdoor it.
Number 3: "where he was the only one who could access the network management."
Nope, three named people were on the list of "could request the passwords" and that list required that no other non-named person be able to hear the password. However, they fired him first for not giving the password to a person not on the list and then refused to get the authorized person(s) to him when they jailed him.
Or, rather, redirected.
This is a security device. A reset node that wasn't supposed to be reset will be given the default which means the segment goes down and the intrusion can be detected easily.
To bypass this, you need
1) Access to the physical device.
2) The correct routing system.
and even an intruder will not have easy access to #2.
What a bunch of morons for allowing a single point of failure.
The password is not the real issue here... it's a distraction. The real issue is that Terry Childs apparently deliberately caused a lot of unnecessary expense and hassle to his employer. It doesn't really matter whether he did it by withholding a password or going through the drop ceilings cutting ethernet cables... the net effect was the same.
I can't feel pity for this fool
You're not Mr. T, are you?
First, his "employment contract" went into minutiae on system security? Really? That'd be one strange contract for an individual IT Grunt... a contract w/ a Systems Integrator, sure, but not a front-lines civil servant. I've heard mention of this "contract" before on Slashdot, yet strangely nobody has ever provided a link to it, and news articles about the case are strangely bereft of it also.
In any case, in any employment situation, you don't get to refuse to do something your boss orders you to do unless you are being asked to do something illegal. You might ask to have your butt covered with an e-mail from your boss (as a civil servant it would have been enough to keep him from getting fired), but that's about the limit of your ability to refuse and keep your job.
And why did he decide the Mayor, and only the Mayor, had supreme authority? Was the CIO of the City of SF not good enough? Nope, he doesn't get to make that determination and hold IT assets hostage until he receives what he thinks to be proper authority.
You can still gain leverage. You just have to be willing to go to jail if your employer calls your bluff, and possibly afterwards even if you successfully extort something from them by withholding the passwords. The trick would be to make sure you retain whatever you managed to extort for when you get out of jail.
What would have happened if he just suddenly died instead of quitting? I think the employer deserves some fault here to not being prepared.
Also his superior was not the brightest bulb in the socket. The very FIRST thing you do when your employee gets single-handed access to mission critical resources is to ensure you can take it back from him even without his cooperation. With passwords, this is trivially easy. Have him note it down, put the sheet of paper holding it into a sealed envelope. And when it's time to change passwords (according to your password changing strategy), rip the envelope open in front of him so he can verify it has not been tampered with, use the password he noted down and fire him on the spot if it doesn't match.
This is, in a nutshell, a fairly good solution where he won't be able to hold your servers for ransom.
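The sealed-envelope procedure from the comment above, written out as an added Python example (not from any commenter): the admin deposits the password split into two shares held by two custodians (the dual control another comment mentions), the envelope on file records only a salted commitment so tampering is detectable, and the rotation check proves the escrowed password still opens the device without needing the admin's cooperation. The `Device` class and the sample password are constructed stand-ins.

```python
"""Credential escrow modelled on the sealed-envelope procedure (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _commit(salt: bytes, password: bytes) -> bytes:
    # Salted PBKDF2 acts as the "seal": custodians can verify the envelope's
    # contents without the password ever being kept in the clear on file.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


@dataclass(frozen=True)
class Envelope:
    """What management keeps on file: the seal, not the secret itself."""
    salt: bytes
    commitment: bytes


def seal(password: str) -> tuple[Envelope, bytes, bytes]:
    """Admin deposits the password. Returns the envelope plus two shares that go
    to two different custodians: share_a is a one-time pad and share_b the XOR
    of the password with it, so neither share alone reveals anything."""
    pw = password.encode()
    share_a = secrets.token_bytes(len(pw))
    share_b = bytes(p ^ a for p, a in zip(pw, share_a))
    salt = secrets.token_bytes(16)
    return Envelope(salt, _commit(salt, pw)), share_a, share_b


def open_envelope(env: Envelope, share_a: bytes, share_b: bytes) -> str:
    """Recombine the two shares and check the result against the seal."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    pw = bytes(a ^ b for a, b in zip(share_a, share_b))
    if not hmac.compare_digest(_commit(env.salt, pw), env.commitment):
        raise ValueError("envelope seal broken: a share was altered or swapped")
    return pw.decode()


class Device:
    """Constructed stand-in for a router or server storing only a password hash."""

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = _commit(self._salt, password.encode())

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_commit(self._salt, password.encode()), self._hash)


def rotation_check(env: Envelope, share_a: bytes, share_b: bytes, device: Device) -> bool:
    """The step done in front of the admin at rotation time: open the envelope and
    prove the escrowed password still works. False means the admin changed the
    password without updating escrow, or a custodian's share was tampered with."""
    try:
        escrowed = open_envelope(env, share_a, share_b)
    except ValueError:
        return False
    return device.login(escrowed)


if __name__ == "__main__":
    env, a, b = seal("correct-horse-battery")  # constructed sample password
    print(rotation_check(env, a, b, Device("correct-horse-battery")))  # True
    print(rotation_check(env, a, b, Device("changed-in-secret")))  # False
```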
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It was rather sudden and my access was disconnected to all services of my employer. I had a list of passwords, I clearly outlined that while we had processes in place to share passwords with my staff, there's the possibility that I had passwords that nobody else had. They didn't care, so I wiped all of those passwords from my store (aided by the abysmal rollout of the latest SplashID which nuked your password database without warning).
It's called elite panic, and it's extremely dangerous.
The people in the world with real power--kings and princes, billionaires and CEOs--spend their lives worrying that the people that they took power from, and hold power over, are going to rise up and take that power back. That's how elites get power in the first place: by taking it from others. They naturally assume that everyone else is trying to do the same thing. They also spend their lives making sure this doesn't happen.
As long as the elites feel secure, you don't notice this so much, but when they feel threatened--or worse, humiliated--they panic, and go on a rampage. People go to prison. People die.
It used to be that power came from control of croplands. After the industrial revolution, power came from control of mines and factories. This suited the elites. They could enforce their control with armies and police.
Today, significant power comes from control of computers. But you can't control computers with armies and police. You can control the hardware--lock the server rooms, take the computers off-line--but that doesn't get you what you need. What you need is running systems, and that needs programmers and sys admins. All those people walk out the door every night, and unless they come back in the morning, your hardware is pretty much useless. You don't have control of the computers.
This change crept up on the elites while they weren't watching. (CEOs don't pay attention to computers. That's operations, right? That's why I hired a COO, right?) So everything just rolls along from year to year and decade to decade, until a Randal Schwartz or a Terry Childs comes along, and the elites realize that they don't have control, and they panic, and then they crucify the object of their panic.
The Forbes article assumes that Childs withheld passwords in a bid for job security, which is absurd. Slackers and grifters don't face down police officers and go to prison on principle. They hand over the passwords and move on to their next scam.
Many of the Slashdot comments argue that withholding passwords is a kind of office theft, like stealing the keys to the safe. That's a fair analogy for explaining what a password is, but not really on point for the issues raised by this case.
The actual conviction was for disruption/denial of computer services, which is overblown, at best. The city of San Francisco got control of their computers, with only minor inconvenience and substantially no loss of service.
My guess is that Childs suffers from some variety of Asperger's, or paranoia, or obsessive-compulsive, or the like. The proximate reason that he is in prison is that this disorder--whatever it is--caused him to stumble into the maw of the legal system.
The ultimate reason that Childs is in prison is that he was the object of panic--the person in view--when one of the elites looked up and realized that they weren't in control of their computer systems. So they crucified him.
Whatever happened to the right to remain silent? I honestly don't understand how a court can FORCE you to give up information you don't want to give up. This all seems a bit draconian.
I'm a senior sysadmin for a medium sized business and we are constantly employing third parties to audit our systems making sure that we have enough documentation that if I get hit by a bus someone else can come in and hit the ground running. This is pretty standard procedure.
It sounds like the employer fucked up and didn't take their IT seriously (a common problem). Sure this guy was a dick, but 4 years in prison? Give me a break. What is the world coming to?
If it ain't broke, don't fix it.
Not in 'Murica we don't. Your kids are starving? Get a job you loser. There are no jobs? You're not working hard enough. You're mentally challenged? Read a book you idiot. That's the level of compassion we have in 'Murica nowadays. There is no longer such thing as social responsibility or taking care of those less fortunate. Other than that you've been spot on.
The core issue I see is he went at this like some sort of game. It's quite foreseeable that an organization that has a major police force, courts and prosecution would use those resources to get what they want. Give them the rope and you leave town on vacation. If they didn't have the due diligence to ask for something in the exit interview that's on them. It's reasonable to take a vacation and have time to think after a major life event (like getting fired). Once you're out of contact it's reasonable to assume that one cannot be uncooperative if they were unaware their cooperation was being requested. When you get back to town refer them to your lawyer. There's no reason for one to have any interaction with a gov't official once it hits the fan. Using a lawyer keeps one from taking actions and making statements that would land one in jail.
I was all prepared to be outraged at a company that tried to strongarm employees into giving away personal passwords, and then found some pretense to send people that wouldn't agree, to jail. That would be news.
This isn't really news - it wasn't the guy's property, it was his ex-company's. Were his higher-ups retarded for leaving their whole IT at the mercy of a single guy, not making sure anyone else had any idea how to work their stuff, and then firing that guy? Yes. Yes, they were. But that's not really news, either, at least not if you read the daily WTF. Companies act incompetently with regards to their IT all the time.
staffing cuts lead to him being the only person doing the network work.
On one hand, he should have given the passwords because it's their network. On the other hand, corporations use their control over people to leverage what they want all the time, so why should he be any different towards them?
Forgetting isn't a crime. Reagan got out of charges of War Criminal behavior (secretly funding a terrorism campaign in El Salvador) by claiming he forgot.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Not actually kill them, but get in the mind set of a will; What would I do if Employee X died tonight?
I have a will, so if I die, there are instructions so that life can continue without me; how money is to be handled, where important documents are stored, and the top-level password to the password manager program. The same needs to be always thought of in regards to employees. How would the business carry on if someone was no longer an employee tomorrow; both long term AND short term. (Death, disability, family emergency, quit, kidnapping, blow-to-the-head induced amnesia, etc)
- What duties do they perform and who can we use as a backup?
- What information do they have that we'd need to keep things running?
- If a parasite crawled in their ear and they went rogue, who and how could we isolate them to prevent further damage?
You get the idea.
"Most employees think they are indispensable to their employers, but in fact, most employees are easily replaced."
Typical that Forbes will find it necessary to include completely unrelated anti-worker rhetoric at the head of their article to ensure the dominance of corporate employers over the population of wage-slaves.
Yes, but see the "Strongest Evidence" post above:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
That seems very fishy to me. I think he was trying to cause trouble.
Maybe, maybe not. But either way, "they" weren't fucked at all as the anonymous OP above said, since they got the passwords pretty quickly, and years in prison seems ridiculous for something like this where, regardless of his intentions, he didn't withhold the passwords for any long duration, but rather only insisted (it seems, correct me if I'm wrong) on following official policy to the letter (maybe to make things hard for them, but still, it was their policy, not his) and giving the passwords to the Mayor directly, and did so when presented with the opportunity. People have gone to prison for much less time for violent crimes, and this wasn't really a crime, it was a dispute. It should have been handled in Civil court, just like if someone takes your money and refuses to give you what you paid for, the police will refuse to arrest them for theft (even though that's exactly what it is), they'll just tell you to sue them in Civil court.
The actual story is that he did not feel authorized, legally, to provide them to the person requesting it from him.
That password is not something you give out to some person who will then email it in plain text with complete description as to why it is so important - sorta the same reason you don't give a loaded gun to your 5 year old to carry over to your wife in the next room. A loaded gun with safety off.
But clearly it's get-in-line to kick the guy day.. Oh, and gloss over the very complex security issues that we could be discussing here.
Perhaps later in the comments.
Let me make it clear, I'm not defending anyone here.
The question I have to raise is, why give one guy too much control in the first place? Let's look at what if he got hit by a car and died instead? So, is the lawyer or the judge gonna force the password out of him? What if you were that admin and were using a USB keyboard password like a YubiKey, then reset/formatted that key after you got fired? This is legitimate. Also, we should look at the password separately from the network infrastructure. The employer should be looking at a way to get the infrastructure back, not the password. Eg: the judge could have forced him to create another admin account and give that to the employer instead of having to reveal his own password.
-=-=-=-=-=-=-=-=-=-=-=-=-=- If picture worth a thousand words, how many megapixels is it? -=-=-=-=-=-=-=-=-=-=-=-=-=-
...which was apparently the agreed upon policy for him disclosing them if asked.
Childs didn't just withhold passwords. He reconfigured the network settings to self-destruct on a power failure requiring his direct intervention to restore. He configured settings to self-destruct upon any intrusion. He added his own physical back door servers and modems to the network. He lied to management and HR about having passwords. He systematically excluded co-workers who used to have access to eventually have no access. He modified passwords on the morning of a meeting where he knew they would be requested. He boasted about being unfirable because he had the "keys to the kingdom". He feigned medical ailments and claimed hostile environment to dodge responsibility. He verbally abused authorized personnel for entering server rooms to audit assets. He perjured himself about his criminal history (multiple convictions).
Childs was a grade A asshole, the worst of the worst. This was not system administration, it was systematic abuse of trust to secure his exclusive control of critical City infrastructure and then hold them to ransom. He deserved to be convicted and he deserves to languish in jail.
The ruling explains there were others working on the project, but a) Childs didn't like sharing -- in his eyes, everyone's a moron, and b) Ybanez, who had been working with him, was moved to a different project for months leaving just Childs to run everything. When brought back to the project, he refused to provide access because he didn't want Ybanez giving the password(s) to anyone else. On top of that, he went full-on-rogue-sysadmin locking down access to only his select PC(s), disabling local access (console), erasing startup configs, disabling password recovery, and keeping the sole set of archived configs encrypted in his own possession. Despite having acknowledged the FiberWAN design as city property, and knowing full well disclosure was forbidden by Homeland Security, the arrogant ass twice submitted the plans for copyright registration -- claiming he didn't know they'd be public documents.
In light of all that, 4 years and $1.5M is not a punishment. This fool should be taken out and shot. We may look at the $646,000 figure for a full audit and think it's excessive, but that ignores the level to which Childs went to be "King of the Mountain"; you cannot trust a single thing in the entire network. Every line of configuration has to be verified. Every single device, wire, screw, and power cord has to be documented and inspected. (who knows what he might have taped under a desk or floor tile or inside a wall.)
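A defender's check for the kind of lock-down the two comments above describe (password recovery disabled, console access disabled, a single person holding privileged access), as an added Python example that is not from the ruling or any commenter: it parses a constructed Cisco IOS-style running config into parent/child blocks and reports each condition as an audit finding. The sample config, hostname, username and hash values are all constructed placeholders.

```python
"""Audit a Cisco IOS-style running config for single-admin lock-down (added example)."""
import re

# Constructed sample config; the hashes are placeholders, not real secrets.
SAMPLE_CONFIG = """\
hostname core-rtr-1
no service password-recovery
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username soleadmin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash2
line con 0
 no exec
line vty 0 4
 access-class 10 in
 login local
"""

USER_RE = re.compile(r"^username (\S+) privilege 15\b")


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group indented child lines under their top-level parent line."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS comment separators
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list[str]:
    """Return findings; an empty list means none of the checked conditions hold."""
    blocks = parse_blocks(config)
    top = [parent for parent, _ in blocks]
    findings = []
    if "no service password-recovery" in top:
        findings.append("password recovery disabled: a lost password means a wiped "
                        "device, so escrow of credentials and configs is mandatory")
    admins = [m.group(1) for m in map(USER_RE.match, top) if m]
    if len(admins) < 2:
        findings.append(f"only {len(admins)} privilege-15 local account(s) "
                        f"({', '.join(admins) or 'none'}): single point of failure")
    for parent, children in blocks:
        if parent.startswith("line con") and "no exec" in children:
            findings.append(f"{parent}: console EXEC disabled, out-of-band recovery blocked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```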
Sure I'll give you the passwords. But since I'm no longer employed by you, I'm an independent contractor, and my hourly rate is considerably more than my salaried rate. I'll send a contract over tomorrow and once executed I will help you document your security codes.
See, that would fix it all.
He could have changed those codes in less than an hour.
If you own hardware, and you employ people to watch after that hardware, the onus is on *YOU* the owner/employer to maintain access to that hardware, backups to admin accounts, passwords and so on.
For the three thousand reasons outlined in this body of comments, there's any number of reasons you can lose access to an employee, and if their knowledge of passwords is the fulcrum for your whole business model, well then sonny like the capitalist mantra goes, you deserve to go bankrupt, because you fucked yourself.
Once again, onus to maintain control of your owned hardware, yours. Not the judge, not the admin, not the police, not the gubberment. YOU.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
As was stated - The new employee was not that technically savvy, according to Childs - so what would cause more damage, giving the password to a person that probably has no clue as to what they are doing and with root access to all of your systems (remembering that these are 911 systems that at the time were working) - or vetting the person out and ensuring that they understood how the system worked.
As for a private company, My CIO asked for the admin password for our systems, once - I refused based on his qualifications - we passed our SOX security audit.
An important thing to remember that security audits also include social networking - so holding out for the mayor to release the passwords to him, in my estimation was the correct thing to do.
no matter how good it is, it is human nature to always want to make things better
It's bad enough we have to deal with hackers and crackers and just plain jerks,
but a situation like this gives all of us who work in I.T. a black eye.
"Farffel farffel pippick."
-- Pippo Popolino in "Casanova's Big Night"
That's what this is about? For a second there, I panicked. I thought this was because someone didn't give their boss their Facebook password or something.
What if you just plain forgot and didn't write it down?
Yes, it's incompetent.. but that's why some people get fired.
Oh, suddenly the administrators are important.. Pay them!
The password for administrative access is (when combined with the user name) essentially the key for the system. If you worked for a construction company and took the keys to the dump truck when you left, it's just as wrong as taking away the key for the system. There's a side story of why there was only ONE administrator account without dual controls, but that's... another story :)
I have no idea what you're talking about.
Oh, and that pic of your mistress? Priceless.
Be a shame if it ended up being mailed to all the news media ...
-- Tigger warning: This post may contain tiggers! --