Withhold Passwords From Your Employer, Go To Jail?
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
I don't care if you made them up, they are the property of your employer.
Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.
A feeling of having made the same mistake before: Deja Foobar
I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.
-Ted http://www.freemathhelp.com/
HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.
The passwords are like the key to the office. You have to return them.
When you lose your job as a bus driver, you have to return the ignition keys to the vehicle. Duh.
Another sensationalist headline which suggests a far different story than the one in the actual story.
He should have just invoiced them for his time to document them as a contractor at a really ridiculous rate.
I've simplified the submission:
Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.
Custom electronics and digital signage for your business: www.evcircuits.com
"I don't remember."
Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.
There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.
What system is there with no way to reset the passwords? I'm having a hard time thinking of an OS/embedded device that doesn't have a password reset mechanism or a means to overwrite the previous password with a boot disk.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I'm sorry, but it's really a best practice to NOT have one person "holding all the keys" - EVER. As a consultant, I make sure ALL my clients have copies of everything, along with myself... just in case I get abducted by aliens or something!
Same should go for ANY IT situation.. that I can think of, at least.
just root the servers, give the passwords back, then change them.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Doesn't this set dangerous precedent?
Plenty of organizations have dozens or hundreds of passwords. Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?
Yes, this guy was a douchebag, but he shouldn't have to turn over anything.
Access control policy is the responsibility of the employer. If they fail to set policy or fire employees before it's too late, it's their own damn fault. This is just another example of mismanagement backed by a broken justice system.
Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.
But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
When I left, I handed him the key to my desk and said, "You know where they are."
Have gnu, will travel.
I know long before the Terry Childs case, I remember my IT teachers explaining that if you took off with passwords etc. to anything they didn't have an account over, the standard response is to hire some ridiculously overpriced person who is paid by the hour to gradually break into it, then have the courts foot you the bill. I don't get why this is shocking. The Terry Childs case was a bit of an exception, namely because of his claim that the person who he was under the impression he was supposed to give the information to was not present. I.e., Childs was not saying he wouldn't give the password unless he was rehired or paid. He was explicitly saying he was going to give the password, but not to the middle manager who was asking him for it. In Childs' case he could have been screwed either way: giving the admin password to someone who shouldn't have it makes you liable for the damages they cause... but refusing to give the password is also a suable offense. If you know who has the rights to the password, and have access, there's no room for debate at all.
The people who need them should already have them at all times.
Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.
Or hey. Maybe your employer is a moron.
That was, in fact, exactly the situation Childs' boss was trying to rectify. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not be able to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.
And keep in mind, the network in question included their 911 system.
The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.
Am I the only one wondering why he didn't just give them the wrong password? If it doesn't work, they can't prove he lied about it, he can claim that someone must have tried to change it or hacked into it or something.
In Soviet Russia, dot slashes YOU!
How the heck is he supposed to pay that back?
I've got better things to do tonight than die.
He did not just refuse in that one instance. He was then fired and still refused to give the passwords to his duly authorized replacement. Had he felt he was improperly fired, a wrongful dismissal suit was in order, not withholding passwords.
Gee, you don't think it could simply be a case of newsies swinging techies for fun and profit, do you?
After all, techies are educated, so it would be impossible to spin them, wouldn't it?
Of course, C.S. Lewis wrote that it's easier to spin an educated person, possibly because he listens for the key phrases, makes a rash judgement, and then holds onto it with all the wicked ego he's got... until he hears another key phrase.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Which was what the security policy required of him. He was arrested for not turning the passwords over to unauthorized individuals.
Childs was basically attempting to extort expensive employment privileges (job security, work assignments, working hours, co-worker assignments, physical access) from the City of San Francisco by concealing critical information if they didn't cooperate. The sentence for extortion is usually longer than two years so Childs should have gotten a longer sentence. The legal brief is a very sad read when you consider all of the bright people (both legal and technical) who have spent thousands of hours dealing with the machinations of one crooked jerk. The rest of the world must be amazed at the utter waste of talented people who could be employed in more useful activities.
I'd say something like a LastPass (tm no doubt) account, on the employer's nickel, so that each and every server could have a secure password (or class of server if it's deemed more sensible to have all the servers in a rack or a room have the same password). Then the only thing the "magic envelope" has to contain is the username and password of the LastPass account.
No doubt folks with the responsibility for hundreds or thousands of servers have some better ideas about "best practice" ... so please share.
This is "scalable" in that admins could share (or not).
The tradeoff between ease of use, security, and ease of transfer to the next responsible party(ies) is not always a trivial one.
This isn't some pseudocrime like copyright infringement, this is an actual theft because it is depriving his employer of their own network.
Time is what keeps everything from happening all at once.
Your employer owns their hardware, including the "keys" to get into it.
Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.
Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.
Now imagine they "no longer need your services" after three years of uninterrupted service.
Now imagine that you haven't persisted the router configs and they lose power.
Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.
When you stop laughing...
Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".
After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.
He was backed into a corner given two bad choices - to break the rules and reveal in front of a crowd of unauthorised people or do it later - then rushed off to jail, so that his only chance to do it later was to the Mayor at a special press event when the Mayor came in to "save the day".
IMHO he was the victim of very petty workplace politics probably backed into that corner just for catching the new girl after hours removing the hard drive of the person that was supposed to be in charge of network security.
The lesson here is just roll over, let them win their petty little game and escape from such a sheltered workshop of baby vipers and get out into the real world. If that evil bunch had not had their own Police department on call but instead had to rely on an independent one under adult supervision we'd never see such a mess. I know Californian politics is supposed to be so fucked up that nothing works, but this arrest and long jail term for a simple workplace dispute shows things are far beyond a joke.
Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?
No - if he forgot the passwords then it would be tough luck for the former employer. However what this idiot did was try to extort money before he would divulge the passwords. That's not the same thing.
Every router's configuration was only loaded into system memory, not NVRAM. The ASCII files the routers were configured from were all encrypted. Terry was very careful to make sure that no one could play with his toys.
There was no way to "root" or hack into the routers. Cisco's best could not do it and they tried.
He ended his temper tantrum by requiring then Mayor Newsom to come down to the jail so Terry could give him the passwords in person.
As far as I'm concerned, any permission he had been given by being hired was procured by fraud since he concealed material information from them during his background check.
If they had physical access to the systems, they should have been able to reset the passwords. Now, if he was intentionally prohibiting them from accessing the systems, after being fired, then he was doing something criminal. If, on the other hand, he was withholding passwords while working there - and being tasked with security for the network - then he did nothing wrong.
Of course they had physical access. To hundreds of individual devices scattered throughout a large city, requiring weeks and hundreds of hours to touch them all. Don't forget you have to power-cycle the devices to do a password recovery, so all that work has to happen during non-critical hours. Terry decided that a poorly written internal security policy document would serve him as a legal shield while he stood on his, arguably, warped principles. Terry was very, very wrong.
Eagles may soar, but weasels don't get sucked into jet engines.
... go to jail. Go directly to jail. Do not pass Go, do not collect $200. Nobody's surprised by this. It's his employer's network, after all, it's their passwords. If they decide to replace you as sysadmin, the only right you have is to ensure they and not you are responsible for any problems that ensue (eg. "I will not give you my current password. I will initiate the password change process, enter the current password, and then wait outside the room while my replacement enters his new password. If there are any difficulties, I will assist by re-entering my password and/or unlocking the system until my replacement has successfully changed the password to something not known to me. This is to ensure that after the hand-off I no longer have any access to the system.").
And yes, I've done the moral equivalent of that. Not with a root account, obviously, but when leaving a job I would deliberately fail enough login attempts to lock my user account and made sure they had notice of this and I had a paper trail proving they did. I figure that way they don't have to worry about me accessing the systems, and I don't have to worry about being accused of messing with them after I've left (well, I could be accused but I had the evidence to counter the accusation).
> and not the complete idiots of the company for leaving their passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.
"The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.
In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.
Room full of people on speaker phone. Reveal the password - maybe go to jail too, at least that's what the rules he was trying to follow said.
So how much time did the new girl who was caught removing the hard drive of the computer used by the head of network security get? Zero. Don't go trying to find some justice in this, it's all "might makes right" crap.
Stop using "theft" analogies. He did not steal anything, he sabotaged the system, and he was the only one with knowledge on how to fix what was done.
"Was it a millionaire who said 'Imagine No Posessions?'" -- Elvis Costello
He booby trapped the system, locked out other authorized users, etc. The judge or jury would look at that and determine that either a) he's lying or b) forgetting wouldn't be a problem if he hadn't set booby traps etc., and locking out other users was an intentional criminal act.
It's interesting to me how often people say "just claim that [transparent bullshit]." 99% of the time, judges aren't stupid. Their law degree indicates they have above average intelligence, but sometimes people assume judges must be drooling morons.
Granted, occasionally there are rulings that seem pretty dumb, but even those are normally much less dumb than the headlines make them out to be.
There are two groups arguing here - I think both may be missing the point.
Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.
Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.
Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?
- They wouldn't be claiming $1.5 million in damages - an absurd figure.
- They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.
- The *only* likely retribution would be: "don't use us as a reference".
Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.
Enjoy life! This is not a dress rehearsal.
The city was functioning, but they couldn't change anything in their infrastructure. It was pretty nasty because from what I understand he locked everything up *after* he got in a conflict, but it wasn't shut down.
I was promised a flying car. Where is my flying car?
I think this case needs to be appealed in the federal courts. When a person is hired there exists some form of contract with the employer. When an employee is fired that contract ends. So if they told him or implied that he was no longer their employee I see no problem with him not responding in any way, leaving the building and immediately flying to a remote Pacific island leaving no address or way to contact him at all.
We do not know the details but was the request for passwords made after he was terminated? Was it made during the termination? Was it made before termination was made in any way? Worse yet what kind of idiots are in charge of this company? What if the man had stroked out and died suddenly? Is there any proof that they asked him to continuously keep them advised of passwords?
Maybe this fellow has a suit he can press against the former employer.
He rigged it to go against best practices to prevent other skilled engineers from maintaining a critical network. This wasn't by accident. Everything he did was intentional to make him a "critical irreplaceable employee"... no one is irreplaceable.
boom goes the dynamite....
These articles show you that a lot of nerds really are totally incapable of dealing with normal society.
If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?
Some dweebs seem to construct fantasy worlds around themselves and, since they lack interaction with other people, become convinced that these fantasy worlds are real. Childs seems to have done so; he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.
I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Bull shit he didn't booby trap it. The network was configured to run from RAM at his design and he was the only person with the configuration. Power to any site will go out and that site will be down until the "hero" comes to save the day.
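The two comments above (and the earlier one noting that every router's configuration lived only in system memory, not NVRAM) describe a condition a network owner can check for without anyone's cooperation: whether each device would come back up from what it has saved. The Python below is an added example, not from the thread; it normalizes constructed `show running-config` / `show startup-config` output from two hypothetical routers and reports lines that exist only in RAM, treating the real IOS message "startup-config is not present" as total loss on reload.

```python
import re
from typing import Dict, List, Tuple

# Lines IOS prints around a config that carry no configuration meaning
# and would otherwise show up as spurious drift between the two dumps.
_NOISE = re.compile(
    r"^(Building configuration|Current configuration|Using \d+ out of|"
    r"! Last configuration change|! NVRAM config last updated|"
    r"! No configuration change since last restart|end$)"
)

def normalize_config(text: str) -> List[str]:
    """Reduce a running/startup config dump to its statements, in order."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if _NOISE.match(line):
            continue
        lines.append(line)
    return lines

def startup_config_present(text: str) -> bool:
    """IOS answers 'startup-config is not present' when NVRAM holds nothing."""
    return "startup-config is not present" not in text

def audit_device(name: str, running: str, startup: str) -> Dict[str, object]:
    """Compare what the device runs with what it will boot from.
    'unsaved' lines exist only in RAM and vanish on reload;
    'stale' lines sit in NVRAM but are no longer active."""
    result: Dict[str, object] = {
        "device": name,
        "startup_present": startup_config_present(startup),
        "unsaved": [],
        "stale": [],
    }
    run_lines = normalize_config(running)
    if not result["startup_present"]:
        # Everything in RAM is lost at the next power cycle.
        result["unsaved"] = run_lines
        return result
    start_lines = normalize_config(startup)
    run_set, start_set = set(run_lines), set(start_lines)
    result["unsaved"] = [l for l in run_lines if l not in start_set]
    result["stale"] = [l for l in start_lines if l not in run_set]
    return result

def audit_fleet(devices: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """devices: (name, running_text, startup_text) triples. Returns the
    records of devices that would not survive a reload intact."""
    findings = []
    for name, running, startup in devices:
        rec = audit_device(name, running, startup)
        if not rec["startup_present"] or rec["unsaved"] or rec["stale"]:
            findings.append(rec)
    return findings

# Constructed sample output from two hypothetical routers.
RUNNING_A = """Building configuration...

Current configuration : 512 bytes
!
! Last configuration change at 02:14:07 UTC Fri Jul 11 2008
!
hostname core-a
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
end
"""
STARTUP_A = "startup-config is not present\n"   # nothing saved to NVRAM

RUNNING_B = """Building configuration...

Current configuration : 480 bytes
!
hostname edge-b
!
interface GigabitEthernet0/0
 ip address 10.2.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.2.2.254
!
end
"""
STARTUP_B = """Using 470 out of 262144 bytes
!
hostname edge-b
!
interface GigabitEthernet0/0
 ip address 10.2.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.2.2.253
!
end
"""

if __name__ == "__main__":
    for rec in audit_fleet([("core-a", RUNNING_A, STARTUP_A),
                            ("edge-b", RUNNING_B, STARTUP_B)]):
        print(rec)
```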
Citation needed
Feel free to cite any reputable news outlet.
To me, these two paragraphs from the court document are the most damning evidence against Childs:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
I agree completely. I think it should be prosecuted as a denial of service attack would be... it's de facto DoS.
Calling passwords property would lead to a slippery slope I think...
Though to be fair calling *anything* that leads to loss of access a DOS could lead to bad things too...
However this should definitely be at least a civil issue with punitive damages... I would even say this SHOULD be a criminal offense.
In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.
What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...
Requiring the password? Sorry, that's their identity (and ass) on the line.
It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.
Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.
Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.
I think "You're fired" is a pretty clear transfer of responsibility.
Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.
Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.
Don't risk it. Have plans for unavailability, termination, and death.
That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.
Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Should have used unmaintainable code and config files like everyone else.
Those documents are the CLAIMS of the accusation.
The problem was that he tried to blackmail a government. If you try to blackmail a person with limited resources, it might turn out that the cheapest thing for them to do is to give into your demands, especially when the government is only really motivated to get their own money back and not other people's money back. If you try to blackmail someone very rich, you will probably just anger them enough to be willing to lose more money just to see you go down out of spite. You could try to make the blackmail consequences really severe, but chances are that there is a limit to the amount of damage you can really cause. If you try to blackmail a government that can levy taxes to generate revenue, controls the justice system and has a public image to uphold. You are really going to have to do something bigger than hijack some infrastructure passwords. You need to takeover Alcatraz and point some missiles with vx gas at the city.
The password is not the real issue here... it's a distraction. The real issue is that Terry Childs apparently deliberately caused a lot of unnecessary expense and hassle to his employer. It doesn't really matter whether he did it by withholding a password or going through the drop ceilings cutting ethernet cables... the net effect was the same.
First, his "employment contract" went into minutiae on system security? Really? That'd be one strange contract for an individual IT Grunt... a contract w/ a Systems Integrator, sure, but not a front-lines civil servant. I've heard mention of this "contract" before on Slashdot, yet strangely nobody has ever provided a link to it, and news articles about the case are strangely bereft of it also.
In any case, in any employment situation, you don't get to refuse to do something your boss orders you to do unless you are being asked to do something illegal. You might ask to have your butt covered with an e-mail from your boss (as a civil servant it would have been enough to keep him from getting fired), but that's about the limit of your ability to refuse and keep your job.
And why did he decide the Mayor, and only the Mayor, had supreme authority? Was the CIO of the City of SF not good enough? Nope, he doesn't get to make that determination and hold IT assets hostage until he receives what he thinks to be proper authority.
You can still gain leverage. You just have to be willing to go to jail if your employer calls your bluff, and possibly afterwards even if you successfully extort something from them by withholding the passwords. The trick would be to make sure you retain whatever you managed to extort for when you get out of jail.
Also his superior was not the brightest bulb in the socket. The very FIRST thing you do when your employee gets single-handed access to mission critical resources is to ensure you can take it back from him even without his cooperation. With passwords, this is trivially easy. Have him note it down, put the sheet of paper holding it into a sealed envelope. And when it's time to change passwords (according to your password changing strategy), rip the envelope open in front of him so he can verify it has not been tampered with, use the password he noted down and fire him on the spot if it doesn't match.
This is, in a nutshell, a fairly good solution where he won't be able to hold your servers for ransom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It was rather sudden and my access was disconnected to all services of my employer. I had a list of passwords, I clearly outlined that while we had processes in place to share passwords with my staff, there's the possibility that I had passwords that nobody else had. They didn't care, so I wiped all of those passwords from my store (aided by the abysmal rollout of the latest SplashID which nuked your password database without warning).
It's called elite panic, and it's extremely dangerous.
The people in the world with real power--kings and princes, billionaires and CEOs--spend their lives worrying that the people that they took power from, and hold power over, are going to rise up and take that power back. That's how elites get power in the first place: by taking it from others. They naturally assume that everyone else is trying to do the same thing. They also spend their lives making sure this doesn't happen.
As long as the elites feel secure, you don't notice this so much, but when they feel threatened--or worse, humiliated--they panic, and go on a rampage. People go to prison. People die.
It used to be that power came from control of croplands. After the industrial revolution, power came from control of mines and factories. This suited the elites. They could enforce their control with armies and police.
Today, significant power comes from control of computers. But you can't control computers with armies and police. You can control the hardware--lock the server rooms, take the computers off-line--but that doesn't get you what you need. What you need is running systems, and that needs programmers and sys admins. All those people walk out the door every night, and unless they come back in the morning, your hardware is pretty much useless. You don't have control of the computers.
This change crept up on the elites while they weren't watching. (CEOs don't pay attention to computers. That's operations, right? That why I hired a COO, right?) So everything just rolls along from year to year and decade to decade, until a Randal Schwartz or a Terry Childs comes along, and the elites realize that they don't have control, and they panic, and then they crucify the object of their panic.
The Forbes article assumes that Childs withheld passwords in a bid for job security, which is absurd. Slackers and grifters don't face down police officers and go to prison on principle. They hand over the passwords and move on to their next scam.
Many of the Slashdot comments argue that withholding passwords is a kind of office theft, like stealing the keys to the safe. That's a fair analogy for explaining what a password is, but not really on point for the issues raised by this case.
The actual conviction was for disruption/denial of computer services, which is overblown, at best. The city of San Francisco got control of their computers, with only minor inconvenience and substantially no loss of service.
My guess is that Childs suffers from some variety of Asperger's, or paranoia, or obsessive-compulsive, or the like. The proximate reason that he is in prison is that this disorder--whatever it is--caused him to stumble into the maw of the legal system.
The ultimate reason that Childs is in prison is that he was the object of panic--the person in view--when one of the elites looked up and realized that they weren't in control of their computer systems. So they crucified him.
Whatever happened to the right to remain silent? I honestly don't understand how a court can FORCE you to give up information you don't want to give up. This all seems a bit draconian.
I'm a senior sysadmin for a medium sized business and we are constantly employing third parties to audit our systems making sure that we have enough documentation that if I get hit by a bus someone else can come in and hit the ground running. This is pretty standard procedure.
It sounds like the employer fucked up and didn't take their IT seriously (a common problem). Sure this guy was a dick, but 4 years in prison? Give me a break. What is the world coming to?
If it ain't broke, don't fix it.
The core issue I see is he went at this like some sort of game. It's quite foreseeable that an organization that has a major police force, courts and prosecution would use those resources to get what they want. Give them the rope and you leave town on vacation. If they didn't have the due diligence to ask for something in the exit interview, that's on them. It's reasonable to take a vacation and have time to think after a major life event (like getting fired). Once you're out of contact, it's reasonable to assume that one cannot be uncooperative if they were unaware their cooperation was being requested. When you get back to town, refer them to your lawyer. There's no reason for one to have any interaction with a gov't official once it hits the fan. Using a lawyer keeps one from taking actions and making statements that would land one in jail.
I was all prepared to be outraged at a company that tried to strongarm employees into giving away personal passwords, and then found some pretense to send people who wouldn't agree to jail. That would be news.
This isn't really news - it wasn't the guy's property, it was his ex-company's. Were his higher-ups retarded for leaving their whole IT at the mercy of a single guy, not making sure anyone else had any idea how to work their stuff, and then firing that guy? Yes. Yes, they were. But that's not really news, either, at least not if you read the daily WTF. Companies act incompetently with regards to their IT all the time.
staffing cuts lead to him being the only person doing the network work.
Forgetting isn't a crime. Reagan got out of charges of War Criminal behavior (secretly funding a terrorism campaign in El Salvador) by claiming he forgot.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Not actually kill them, but get in the mind set of a will; What would I do if Employee X died tonight?
I have a will, so if I die, there are instructions so that life can continue without me; how money is to be handled, where important documents are stored, and the top-level password to the password manager program. The same needs to be always thought of in regards to employees. How would the business carry on if someone was no longer an employee tomorrow; both long term AND short term. (Death, disability, family emergency, quit, kidnapping, blow-to-the-head induced amnesia, etc)
- What duties do they perform and who can we use as a backup?
- What information do they have that we'd need to keep things running?
- If a parasite crawled in their ear and they went rogue, who and how could we isolate them to prevent further damage?
You get the idea.
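The "will" idea above (a top-level password that others can use if you are gone) is usually implemented with secret sharing rather than a single envelope: the master credential is split so that, say, any 3 of 5 officers can reconstruct it, but no one or two of them can. The following is an added example written for this thread, not code from any poster; it implements Shamir's threshold scheme over the prime field 2^521 - 1 using only the Python standard library. The 63-byte limit and the one-byte length prefix are this example's own conventions.

```python
import secrets

# Mersenne prime 2^521 - 1: a field large enough to hold a 63-byte secret
# plus a one-byte length prefix (the size limit is this example's assumption).
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 63


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 ... mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 < len(secret) <= MAX_SECRET_BYTES:
        raise ValueError(f"secret must be 1..{MAX_SECRET_BYTES} bytes")
    # Length prefix lets recovery strip leading zero bytes unambiguously.
    s = int.from_bytes(bytes([len(secret)]) + secret, "big")
    # Constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points reveal nothing about the constant term.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of the denominator, since PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    # Too few (or wrong) shares interpolate to a random field element, which
    # almost never decodes to a well-formed length-prefixed secret.
    if total.bit_length() > 8 * (MAX_SECRET_BYTES + 1):
        raise ValueError("shares do not reconstruct a well-formed secret")
    raw = total.to_bytes(MAX_SECRET_BYTES + 1, "big").lstrip(b"\x00")
    if not raw or len(raw) != raw[0] + 1:
        raise ValueError("shares do not reconstruct a well-formed secret")
    return raw[1:]


if __name__ == "__main__":
    master = b"correct horse battery staple"  # constructed sample, not a real credential
    parts = split_secret(master, threshold=3, shares=5)
    for x, y in parts:
        print(f"share {x}: {y:x}"[:40] + "...")
    print("3 of 5 recover:", recover_secret([parts[0], parts[2], parts[4]]) == master)
```

Hand each share to a different officer (or seal them in separate envelopes); the threshold, not the trustworthiness of any one holder, is what protects the credential, and losing any two shares still leaves the business able to recover.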
Yes, but see the "Strongest Evidence" post above:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
That seems very fishy to me. I think he was trying to cause trouble.
Maybe, maybe not. But either way, "they" weren't fucked at all as the anonymous OP above said, since they got the passwords pretty quickly, and years in prison seems ridiculous for something like this where, regardless of his intentions, he didn't withhold the passwords for any long duration, but rather only insisted (it seems, correct me if I'm wrong) on following official policy to the letter (maybe to make things hard for them, but still, it was their policy, not his) and giving the passwords to the Mayor directly, and did so when presented with the opportunity. People have gone to prison for much less time for violent crimes, and this wasn't really a crime, it was a dispute. It should have been handled in Civil court, just like if someone takes your money and refuses to give you what you paid for, the police will refuse to arrest them for theft (even though that's exactly what it is), they'll just tell you to sue them in Civil court.
The actual story is that he did not feel authorized, legally, to provide them to the person requesting it from him.
That password is not something you give out to some person who will then email it in plain text with complete description as to why it is so important - sorta the same reason you don't give a loaded gun to your 5 year old to carry over to your wife in the next room. A loaded gun with safety off.
But clearly it's get-in-line to kick the guy day.. Oh, and gloss over the very complex security issues that we could be discussing here.
Perhaps later in the comments.
Let me make it clear, I'm not defending anyone here.
The question I have to raise is, why give one guy too much control in the first place? Let's look at what if he got hit by a car and died instead? So, is the lawyer or the judge gonna force the password out of him? What if you were that admin and were using a USB hardware password key like a YubiKey, then reset/formatted that key after you got fired? This is legitimate. Also, we should look at the password separately from the network infrastructure. The employer should be looking at a way to get the infrastructure back, not the password. Eg: the judge could have forced him to create another admin account and give that to the employer instead of having to reveal his own password.
-=-=-=-=-=-=-=-=-=-=-=-=-=- If picture worth a thousand words, how many megapixels is it? -=-=-=-=-=-=-=-=-=-=-=-=-=-
They had physical access to the *hardware*, not the software running it. Childs disabled the serial ports, which to me proves he was trying to shore up his "job security". Also, he only had the configs running in active memory, not saved to NVRAM like you're supposed to, so if there was a power blip *ZAP* that switch is down. That's criminally stupid; the only reason for doing so is to try and prevent Cisco from physically getting into it.
And it is STUPID to disable the serial ports. All you're doing is making the poor tech from Cisco your bitch while he's there trying to do his job. It's petty and mean. One day, he's going to be the guy to save your bacon. Making his life difficult serves no purpose whatsoever.
Yes you're making the switches more secure, but secure from what? Terrorists? Look buddy, if they're standing in your data center, your security is blown and they have better targets than the switches. I'd blow the AC and let everything cook.
I am Homer of Borg, resistance is - Ooo Donuts!
The ruling explains there were others working on the project, but a) Childs didn't like sharing -- in his eyes, everyone's a moron, and b) Ybanez, who had been working with him, was moved to a different project for months leaving just Childs to run everything. When brought back to the project, he refused to provide access because he didn't want Ybanez giving the password(s) to anyone else. On top of that, he went full-on-rogue-sysadmin locking down access to only his select PC(s), disabling local access (console), erasing startup configs, disabling password recovery, and keeping the sole set of archived configs encrypted in his own possession. Despite having acknowledged the FiberWAN design as city property, and knowing full well disclosure was forbidden by Homeland Security, the arrogant ass twice submitted the plans for copyright registration -- claiming he didn't know they'd be public documents.
In light of all that, 4 years and $1.5 million is not a punishment. This fool should be taken out and shot. We may look at the $646,000 figure for a full audit and think it's excessive, but that ignores the level to which Childs went to be "King of the Mountain"; you cannot trust a single thing in the entire network. Every line of configuration has to be verified. Every single device, wire, screw, and power cord has to be documented and inspected. (Who knows what he might have taped under a desk or floor tile or inside a wall.)
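The two comments above describe the concrete lockout techniques at issue: a config held only in running memory with no startup-config in NVRAM, console (serial) access disabled, password recovery disabled, and remote management restricted to a single PC. Those are all visible in `show running-config` / `show startup-config` output, so an owner can check for them before the one person who knows the passwords leaves. The following is an added example for this thread, not code from any poster or from the ruling; the two device outputs are constructed, and representing "disabled console" as `no exec` under `line con 0` and "restricted to one PC" as a single-host `access-class` ACL are this example's assumptions about how such a lockdown would appear in IOS syntax.

```python
import re
from typing import Dict, List

# Constructed sample device output for this example; not configs from the case.
RUNNING_CONFIG = """\
version 12.4
hostname fiberwan-core1
no service password-recovery
!
access-list 10 permit host 10.20.30.40
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 no exec
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

# What "show startup-config" prints when NVRAM holds nothing (constructed).
STARTUP_CONFIG = "startup-config is not present\n"

# A constructed config with none of the lockout patterns, for comparison.
HEALTHY_CONFIG = """\
version 12.4
hostname fiberwan-core1
service password-encryption
!
access-list 10 permit 10.20.30.0 0.0.0.255
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""


def _blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level config line to the indented sub-lines beneath it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _config_lines(config: str) -> set:
    """Config lines that matter for drift (comments and blanks dropped)."""
    return {l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")}


def audit(running: str, startup: str) -> List[str]:
    """Return findings about lockout and persistence risks in a device's configs."""
    findings: List[str] = []
    blocks = _blocks(running)
    if "no service password-recovery" in blocks:
        findings.append("password recovery disabled: a console break-in cannot reset lost credentials")
    if "no exec" in blocks.get("line con 0", []):
        findings.append("console EXEC disabled: the serial port gives no local login")
    if "startup-config is not present" in startup:
        findings.append("no startup-config in NVRAM: the running config is lost on reload or power loss")
    else:
        drift = sorted(_config_lines(running) ^ _config_lines(startup))
        if drift:
            findings.append(f"running-config differs from startup-config in {len(drift)} line(s): {drift}")
    # Numbered ACLs that permit only single hosts, keyed by ACL number.
    acl_hosts: Dict[str, List[str]] = {}
    for header in blocks:
        m = re.match(r"access-list (\d+) permit host (\S+)$", header)
        if m:
            acl_hosts.setdefault(m.group(1), []).append(m.group(2))
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        for entry in body:
            m = re.match(r"access-class (\d+) in$", entry)
            if m and len(acl_hosts.get(m.group(1), [])) == 1:
                findings.append(f"{header}: remote management restricted to the single host {acl_hosts[m.group(1)][0]}")
    return findings


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG, STARTUP_CONFIG):
        print("FINDING:", f)
    print("healthy device findings:", audit(HEALTHY_CONFIG, HEALTHY_CONFIG))
```

Run this against the saved output of both `show` commands from every device on a schedule; a device that starts returning findings is the early warning that somebody is becoming the only way in. It deliberately does not try to recover anything, since with password recovery disabled and no console the only remaining option is a factory reset and a restore from a config archive the owner actually holds.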
Uhhhh, there were plenty of people above Childs. Plenty.
The citizens - We pay his salary.
The Mayor
Some department head somewhere in San Francisco or California.
I don't exactly know the organizational structure, but there is ALWAYS somebody above you. Even the President of the United States.
If there is truly nobody above you... then there is damn well somebody right next to you.
Unless you are an army of one. Most people don't conduct business like that.
He could have changed those codes in less than an hour.
If you own hardware, and you employ people to watch after that hardware, the onus is on *YOU* the owner/employer to maintain access to that hardware, backups to admin accounts, passwords and so on.
For the three thousand reasons outlined in this body of comments, there's any number of ways you can lose access to an employee, and if their knowledge of passwords is the fulcrum for your whole business model, well then, sonny, like the capitalist mantra goes, you deserve to go bankrupt, because you fucked yourself.
Once again, onus to maintain control of your owned hardware, yours. Not the judge, not the admin, not the police, not the gubberment. YOU.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
As was stated - the new employee was not that technically savvy, according to Childs - so what would cause more damage: giving the password to a person that probably has no clue as to what they are doing and with root access to all of your systems (remembering that these are 911 systems that at the time were working), or vetting the person out and ensuring that they understood how the system worked?
As for a private company, My CIO asked for the admin password for our systems, once - I refused based on his qualifications - we passed our SOX security audit.
An important thing to remember is that security audits also include social networking - so holding out for the mayor to release the passwords to him, in my estimation, was the correct thing to do.
No matter how good it is, it is human nature to always want to make things better.
I have no idea what you're talking about.
Oh, and that pic of your mistress? Priceless.
Be a shame if it ended up being mailed to all the news media ...
-- Tigger warning: This post may contain tiggers! --