Slashdot Mirror


Withhold Passwords From Your Employer, Go To Jail?

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4-year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

7 of 599 comments

  1. Re:Never getting a dime can do 4 years by Grishnakh · Score: 5, Informative

    Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly; he insisted on giving them to the city's mayor.

  2. Re:Exactly Wrong by taustin · Score: 5, Informative

    The people who need them should already have them at all times.

    Any other way is asking for problems. Even if the problem is simply 'I forgot the password'.

    Or hey. Maybe your employer is a moron.

    That was, in fact, exactly the situation Childs' boss was trying to rectify. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not be able to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

    And keep in mind, the network in question included their 911 system.

    The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

  3. Re:Seems fine with me. by Belial6 · Score: 5, Informative

    Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the city's security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.

    Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

  4. Re:Back when I admined systems ... by DoofusOfDeath · Score: 5, Informative

    When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.

    I think that's a bit better than the person who's leaving continuing to know a shared secret.

  5. Re:Passwords are property of the employer by immaterial · Score: 5, Informative

    IIRC, Childs modified the system and changed the passwords in order to intentionally lock out the other sysadmins. This case was more like installing your own lock into the truck before quitting.

  6. Re:Passwords are property of the employer by Anonymous Coward · Score: 5, Informative


    It basically shut down the city of San Francisco for at least two weeks

    I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couldn't pay your traffic tickets, you couldn't renew your driver's licence. Fires raged out of control because of the lack of firemen. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extorted money out of everyone. Meteors rained fiery death on all San Franciscans. A plague of frogs of biblical proportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!

    Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.

    Now I know why the mood has changed here at Slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.

  7. Re:Passwords are property of the employer by jfalcon · Score: 5, Informative

    Wrong - it wasn't that simple.

    http://www.courts.ca.gov/opinions/documents/A129583.PDF

    In December 2007, the city's Human Services Agency (HSA) experienced a
    power outage. When power was restored, its computers could not connect to
    FiberWAN—the configurations of its CE device had been erased because they had been
    saved to VRAM. Childs reloaded the configurations and got the system reconnected.
    When the HSA information security officer learned that the CE configurations had been
    stored in VRAM, he protested to Childs that this was unacceptable. Citing security
    concerns, Childs explained that he wanted to prevent a physical connection to the CE that
    would allow someone to obtain the configurations using the password recovery feature.
    He suggested disabling the password recovery feature instead; the information security
    officer agreed. Tong also agreed to this solution, as it would address a concern about
    hacking into the HSA's CE device. Soon, Childs disabled the password recovery feature
    on all CE devices citywide, and there were no backup configurations on any of the city's
    CE devices. As the password recovery feature could not be disabled on core PE devices,
    Childs erased their configurations that had been stored on NVRAM.

    --
    boom goes the dynamite....
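
An added example, not part of the comment above or of the court opinion: a Python audit for the condition the quoted opinion describes, where a device has no saved configuration, password recovery is disabled, and no backup exists. It assumes Cisco IOS-style text as returned by `show running-config` and `show startup-config`; the function names, finding labels, hostnames and sample configs are constructed for illustration.

```python
import hashlib

# Header lines IOS prints above a config; they differ between running and startup output.
VOLATILE_PREFIXES = ("Building configuration", "Current configuration", "Using ")

def normalize(cfg):
    """Drop blank lines, '!' comments and volatile header lines so configs compare cleanly."""
    lines = [l.rstrip() for l in (cfg or "").splitlines()]
    return "\n".join(l for l in lines
                     if l and not l.startswith("!") and not l.startswith(VOLATILE_PREFIXES))

def digest(cfg):
    """SHA-256 of the normalized config, used to match against an off-device archive."""
    return hashlib.sha256(normalize(cfg).encode()).hexdigest()

def audit_device(running, startup, backup_digests):
    """Return the list of findings for one device.
    backup_digests: set of digests of configs held in an off-device archive."""
    findings = []
    run_n, start_n = normalize(running), normalize(startup)
    if not start_n or "startup-config is not present" in start_n:
        findings.append("no-saved-config")        # a power loss leaves the device blank
    elif start_n != run_n:
        findings.append("unsaved-changes")        # a reboot silently reverts the device
    if "no service password-recovery" in (l.strip() for l in run_n.splitlines()):
        findings.append("password-recovery-disabled")
    if digest(running) not in backup_digests:
        findings.append("no-offdevice-backup")
    return findings

def single_person_dependency(findings):
    """True when nobody can rebuild the device without the one person who knows
    its config or password: there is no backup, and the device either loses its
    config on power loss or cannot be recovered from the console."""
    return "no-offdevice-backup" in findings and (
        "no-saved-config" in findings or "password-recovery-disabled" in findings)

# Constructed sample configs (not taken from the case); hostnames are made up.
CE_RUNNING = ("hostname ce-sample-01\nno service password-recovery\n"
              "interface GigabitEthernet0/1\n no shutdown\n")
CORE_RUNNING = "hostname core-sample-01\ninterface GigabitEthernet0/1\n no shutdown\n"
CORE_STARTUP = "Using 96 out of 262144 bytes\n!\n" + CORE_RUNNING

if __name__ == "__main__":
    f = audit_device(CE_RUNNING, "startup-config is not present", set())
    print(f, "single-person dependency:", single_person_dependency(f))
```

Run against every device's collected output, any device for which `single_person_dependency` returns true is one that an outage or a departing administrator can take out of the organization's control.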