Slashdot Mirror
Withhold Passwords From Your Employer, Go To Jail?
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
I don't care if you made them up, they are the property of your employer.
Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.
A feeling of having made the same mistake before: Deja Foobar
I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.
-Ted http://www.freemathhelp.com/
HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.
The passwords are like the key to the office. You have to return them.
I've simplified the submission:
Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.
Custom electronics and digital signage for your business: www.evcircuits.com
"I don't remember."
Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.
There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.
Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.
But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
When I left, I handed him the key to my desk and said, "You know where they are."
Have gnu, will travel.
I know long before the terry childs case, I remember my IT teachers explaining that if you took off with passwords etc... to anything they didn't have an account over, the standard response is to hire some rediculously overpriced person who is paid by the hour to gradually break into it, then have the courts foot you the bill. I don't get why this is shocking. The Terry Childs case was a bit of an exception, namely because of his claim that the person who he was under the impression he was supposed to give the information too, was not present. IE childs was not saying he wouldn't give the password unless he was rehired or paid. He was explicitly saying he was going to give the password, but not to the middle manager who was asking him for it. Child's case he could have been screwed either way, giving the admin password to someone who shouldn't have it, makes you liable for the damages they cause... but refusing to give the password, is also a suable offense. If you know who has the rights to the password, and have access, there's no room for debate at all
The people who need them should already have them at all times.
Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.
Or hey. Maybe your employer is a moron.
That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.
And keep in mind, the network in question included their 911 system.
The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.
He did not just refuse in that one instance. He was then fired and still refused to give the passwords to his duly authorized replacement. Had he felt he was improperly fire a wrongful dismissal suit was in order not withholding passwords.
Which was what the security policy required of him. He was arrested for not turning the passwords over to unauthorized individuals.
"except that nobody ever loses their job as a bus driver. public unions ftw!"
Liar.
Google: "bus driver loses job".
About 1,840,000 results (0.32 seconds)
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Your employer owns their hardware, including the "keys" to get into it.
Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.
Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.
Now imagine they "no longer need your services" after three years of uninterrupted service.
Now imagine that you haven't persisted the router configs and they lose power.
Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.
When you stop laughing...
Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".
After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.
Every router's configuration was only loaded into system memory, not NVRAM. The ASCII files the routers were configured from were all encrypted. Terry was very careful to make sure that no one could play with his toys.
There was no way to "root" or hack into the routers. Cisco's best could not do it and they tried.
He ended his temper tantrum by requiring then Mayor Newsom to come down to the jail so Terry could give him the passwords in person.
If they had physical access to the systems, they should have been able to reset the passwords. Now, if he was intentionally prohibiting them from accessing the systems, after being fired, then he was doing something criminal. If, on the other hand, he was withholding passwords while working there - and being tasked with security for the network - then he did nothing wrong.
Of course they had physical access. To hundreds of individual devices scattered throughout a large city, requiring weeks and hundreds of hours to touch them all. Don't forget you have to power-cycle the devices to do a password recovery, so all that work has to happen during non-critical hours. Terry decided that a poorly written internal security policy document would serve him as a legal shield while he stood on his, arguably, warped principals. Terry was very, very wrong.
Eagles may soar, but weasels don't get sucked into jet engines.
... go to jail. Go directly to jail. Do not pass Go, do not collect $200. Nobody's surprised by this. It's his employer's network, after all, it's their passwords. If they decide to replace you as sysadmin, the only right you have is to insure they and not you are responsible for any problems that ensue (eg. "I will not give you my current password. I will initiate the password change process, enter the current password, and then wait outside the room while my replacement enters his new password. If there are any difficulties, I will assist by re-entering my password and/or unlocking the system until my replacement has successfully changed the password to something not known to me. This is to insure that after the hand-off I no longer have any access to the system.").
And yes, I've done the moral equivalent of that. Not with a root account, obviously, but when leaving a job I would deliberately fail enough login attempts to lock my user account and made sure they had notice of this and I had a paper trail proving they did. I figure that way they don't have to worry about me accessing the systems, and I don't have to worry about being accused of messing with them after I've left (well, I could be accused but I had the evidence to counter the accusation).
> and not the complete idiots of the company for leaving there passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.
"The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.
In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.
There are two groups arguing here - I think both may be missing the point.
Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.
Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.
Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?
- They wouldn't be claiming $1.5 million in damages - an absurd figure.
- They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.
- The *only* likely retribution would be: "don't use us as a reference".
Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.
Enjoy life! This is not a dress rehearsal.
These articles show you that a lot of nerds really are totally incapable of dealing with normal society.
If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?
Some dweebs seem to construct fantasy worlds around themselves and since they lack interaction with other people becomes convinced that these fantasy worlds are real. Childs seems to have done so, he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.
I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
To me, these two paragraphs from the court document are the most damning evidence against Childs:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.
What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...
Requiring the password? Sorry, that's their identity (and ass) on the line.
It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.
Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.
Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.
I think "You're fired" is a pretty clear transfer of responsibility.
Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.
Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.
Don't risk it. Have plans for unavailability, termination, and death.
That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.
Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The password is not the real issue here... it's a distraction. The real issue is that Terry Childs apparently deliberately caused a lot of unnecessary expense and hassle to his employer. It doesn't really matter whether he did it by withholding a password or going through the drop ceilings cutting ethernet cables... the net effect was the same.
staffing cuts lead to him being the only person doing the network work.