Withhold Passwords From Your Employer, Go To Jail?

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

Passwords are property of the employer

[ackthpt]

I don't care if you made them up, they are the property of your employer.

Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

Re:Passwords are property of the employer

[s.petry]

While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.

Re:Passwords are property of the employer

[noh8rz10]

It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.

Re:Passwords are property of the employer

[PlusFiveTroll]

Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.

Re:Passwords are property of the employer

[schnell]

...a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.

Huh? It's more like if you had a safe containing your money and paid one of your employees to maintain the safe and its contents, and he refused to tell you the combination of the safe.

[Karma suicide coming]

Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.

Look, it's hardly a unique failing or blindness - most humans exhibit bad confirmation bias and cognitive dissonance. But I just find it disappointing to find such prevalence of this behavior in a group that prides itself on its capacity for critical thinking.

Re: Passwords are property of the employer

In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far. Compelling someone to grant you access? Okay. Requiring the password? Sorry, that's their identity (and ass) on the line. Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password. Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

That said, Childs is an idiot, and he handled this poorly. He *should* have offered to change his credentials for a consulting fee (returning engineer post termination) to close the book on it.

But computer fraud and abuse? Please... What a joke. A bunch of idiots wasted weeks puffing their chests out at each other and the city utterly failed to learn from a teachable moment. Audit your fucking system designs and don't allow for single credential systems, ever. Given the way they drive around here, your admin stands a good chance of getting hit by a bus.

Don't risk it. Have plans for unavailability, termination, and death.

Re:Passwords are property of the employer

[HeckRuler]

Unprofessional ? UNPROFESSIONAL?
Listen here kid, being a professional means that you tell the boss to go suck eggs when he orders you to do something stupid. Being a professional at a critical job means you finish your shift and await your replacement, even when they fired you earlier in the day. Because someone has to do the job. Being a professional means you refuse to sign off on the untested software because the plane might crash and people will die. Being a professional means you don't let the bosses idiot son steer the boat, because he's incompetent and would steer it into shore.

Being a professional means you're not just there for the paycheck to be a yes-man to your superior. You're there, in part, to do a good job. Because doing a bad job will get people killed and/or cost millions.

People like to throw the "unprofessional" term about when people don't have the right cut of dress, or speak with the proper tone, but if you want to play hardball with professionalism, you need to realize that it's more important than shmoozing with the boss and climbing that corporate ladder.

Seems fine with me.

[dukeblue219]

I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

How, how HOW

HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.

Exactly right

[Pirulo]

The passwords are like the key to the office. You have to return them.

Something about Betteridge

I've simplified the submission:

Withhold Passwords From Your Employer, Go To Jail?

Yes

The strongest evidence

[JDG1980]

To me, these two paragraphs from the court document are the most damning evidence against Childs:

Disabling Console Ports. The jury learned that if the console port – the physical means of access to the network on the device itself – is disabled, then the administrator cannot login to the system using what is regarded as the "port of last resort." On July 8 – the day before he was placed on administrative leave – Childs disabled the console ports on all five core devices, preventing the possibility of any password recovery.

Applying Access Controls. Childs also applied access controls to core devices that required that all administrative access had to be achieved by means of one particular computer, even if the access codes were known. He set up these access controls on core devices on the morning of July 9.

It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.

It's tough to protect against inside jobs

[Anonymous+Brave+Guy]

In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.

What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...

Requiring the password? Sorry, that's their identity (and ass) on the line.

It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.

Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.

Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.

I think "You're fired" is a pretty clear transfer of responsibility.

Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.

Don't risk it. Have plans for unavailability, termination, and death.

That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.

Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.