Slashdot Mirror

← Back to Stories (view on slashdot.org)

Withhold Passwords From Your Employer, Go To Jail?

Posted by Unknown on from the bad-plan-with-expected-results dept.

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

58 of 599 comments (clear)

  1. Passwords are property of the employer by ackthpt · · Score: 5, Insightful

    I don't care if you made them up, they are the property of your employer.

    Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Passwords are property of the employer by s.petry · · Score: 5, Insightful

      While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

      Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Passwords are property of the employer by noh8rz10 · · Score: 5, Insightful

      It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

      it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.

    3. Re:Passwords are property of the employer by PlusFiveTroll · · Score: 5, Insightful

      Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.

    4. Re:Passwords are property of the employer by ShanghaiBill · · Score: 4, Interesting

      It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?

      I think that the main reason opinions changed was because when the story was first reported, the journalists got almost every fact wrong.

    5. Re:Passwords are property of the employer by Cramer · · Score: 3, Insightful

      Except he didn't take the keys to a truck, he took the keys to all the trucks. One truck... easy enough to deal with. Thousands of trucks that people are currently driving... not quite so easy to recover.

    6. Re:Passwords are property of the employer by immaterial · · Score: 5, Informative

      IIRC, Childs modified the system and changed the passwords in order to intentionally lock out the other sysadmins. This case was more like installing your own lock into the truck before quitting.

    7. Re:Passwords are property of the employer by Cramer · · Score: 4, Insightful

      In any sane enterprise, it never would have gotten to such a point. The wack-job would've been fired long before he took the entire infrastructure hostage. (which was the case long before his termination.) He's a nut, pure and simple; everyone who's had more than 5s to look at the case knew exactly where this was going. The only thing that bugs me is the fact that the managers who allowed this mess to grow aren't even mentioned, much less held accountable for it.

    8. Re:Passwords are property of the employer by Anonymous+Psychopath · · Score: 4, Insightful

      Not in anyway similar. If you take the keys to their trucks you are stealing but if you stop work there is no theft involved. If you want me to talk to you then that is work and I no longer work for you. You should have implemented a better system when I was employed for you. To take this into the real world, what would have happened if he had been killed in a traffic accident? The same procedure that would go into place in such an event should also work during a dismissal. If you do not have such a procedure do not blame the guy that you just sacked as that would make as much sense as blaming a dead guy. It is your fault.

      That's an incredibly simplistic and incorrect understanding of intellectual property and work ownership. What you do for your employer while you work for them belongs to them, unless you have a specific agreement stating otherwise. Just because you don't work there anymore doesn't relieve you of your obligation to give them back their property, which in this case was the command and control of their own network infrastructure.

      But good luck with that.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    9. Re:Passwords are property of the employer by dbIII · · Score: 4, Insightful

      it basically shut down the city of san francisco for at least two weeks

      Excuse me?

      they held the guy in jail, but he refused to divulge

      You missed the bit where nobody came to ask him until the Mayor's photo opportunity.

    10. Re:Passwords are property of the employer by Dahamma · · Score: 4, Informative

      No, seriously, YOUR argument is bullshit. Why? Because never once in that entire rant did you address any of the *specifics* of the actual case.

      In the end Childs KNOWINGLY AND WITHOUT PERMISSION *changed* the passwords on a bunch of computers and then refused to give the owners of those devices (the city of San Francisco) those passwords. If for some bizarre and horrible reason by normal operational procedure he was just the only person who knew these passwords, was fired, and said "fuck you", that would be one thing, and I'd agree with you. But he intentionally locked down the systems and refused to unlock them - both before and after he was fired. He even claimed that the reason was because "he didn't trust his supervisors with them". That's pretty much a textbook application of the law, and could probably be extended to extortion if they wanted...

    11. Re:Passwords are property of the employer by schnell · · Score: 5, Insightful

      ...a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.

      Huh? It's more like if you had a safe containing your money and paid one of your employees to maintain the safe and its contents, and he refused to tell you the combination of the safe.

      [Karma suicide coming]

      Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.

      Look, it's hardly a unique failing or blindness - most humans exhibit bad confirmation bias and cognitive dissonance. But I just find it disappointing to find such prevalence of this behavior in a group that prides itself on its capacity for critical thinking.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    12. Re:Passwords are property of the employer by BrookHarty · · Score: 3, Insightful

      It's no different than physically walking out with the hardware.

      Bullshit.

      The hardware sat in the racks the entire time. Any tech could walk up and reset the passwords.
      The manager should have sent out his techs to reset passwords and then put a password policy in place.

      Bad management, but the employee didn't STEAL anything.

    13. Re:Passwords are property of the employer by EdIII · · Score: 3, Interesting

      A password is not property and it cannot be "taken" as if it were a physical object. It merely represents a shared secret between one or more parties and a backend system that attempts to authenticate access.

      To say theft is wildly inaccurate and illogical.

      If the employee is the only one in possession of the shared secret and refuses to divulge that information to a party that does have physical ownership over the devices being protected I have a very hard time understanding how it's theft.

      Those responsible parties should have maintained access at all times. In this case, he had established that password while gainfully employed by them, and was perfectly in his rights (work policies outlining what they are) to establish the password. If no policy was in place for him to print it out, hand it to his superiors, and let them secure it, then some accountability rests with the management.

      Once he was let go I see no difference between "I don't remember" and "I don't wish to say". I've quit before and was asked on many occasions if I remembered passwords, specifics of certain processes, etc. My answer was simple, "I don't work for you anymore and this conversation is not appropriate". I never set any passwords to restrict access higher up than me. I also made sure that all of the passwords were known by my superior.

      Did he specifically set a password in a premeditated fashion to prevent proper operation of the networks? In this case, he did and then admitted that he did . That's what the legal focus should be on. Not theft or some intellectual property mangled interpretation bullshit. Those arguments are quite frankly extremely detrimental to our overall freedom at this point. We need to swing that pendulum over the other way with a more sophisticated understanding of what is actually going on.

      I don't have a problem that he is going to prison for about a year. What I have a problem is that he is going to prison for not divulging a shared secret that should have never been set by policy, and one he is not obligated to reveal once terminated.

      Put him in prison for willful property damage or some other infraction designed to punish somebody by damaging property past a certain extent. Not theft.

      The vast majority of these cases, especially these so called intellectual property cases, need to be decided in civil court, not criminal.

    14. Re:Passwords are property of the employer by noh8rz10 · · Score: 4, Informative

      I don't know where you're from, but I live in sf and I remember what a big deal this was.

    15. Re:Passwords are property of the employer by Anonymous+Psychopath · · Score: 4, Insightful

      I disagree. It's dangerous to give a blanket statement that all the work belongs to them by default.

      What work?

      I've been in several situations in which I participated on other projects outside of work which used not a single work resource. It's too damn easy to claim you did it while on site or using work property.

      That's why it went all the way to the board one time when I steadfastly refused to sign any agreement with them since the language was so overwhelmingly vague and if I patented a coffee napkin idea at home it was theirs. Nothing happened since I they could not afford to let me go at all.

      I would prefer that nothing is decided in anyone's favor by default and must be proved in a court of law (no arbitration).

      A non-compete agreement does not work for me as an independent contractor. Unless you pay me extremely well i'm not going to lock myself out of an entire market.

      Ohh, and I guess that since I only work in Open Source it's kind of a moot point. It's rather funny when I explain that they don't actually own anything I make for them at all, and I don't either :)

      What I said is what you do for your employer, in the context of this discussion around Terry Childs. Configuring routers and assigning administrative access controls to them is definitely not a personal project, even though Terry acted like it was. He even attempted to copyright his configurations.

      Point taken on personal projects, and everyone I've worked for has been fine with the ones I've worked on, including my own meager and forgettable contributions to FOSS.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    16. Re:Passwords are property of the employer by RR · · Score: 4, Interesting

      It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?

      More of the relevant facts have been made public. It turns out that Childs wasn't the overzealous network administrator that he was made out to be, but he was a sociopathic, somewhat psychotic criminal who carved a mini-empire for himself out of wires and electricity. He was even denying appropriate requests for service, just because of his own personal hangups.

      On the other hand, my opinion of the City and County of San Francisco has not been improved, either. The situation should not have been allowed to turn into full-on criminal prosecution. Even Jason Chilton, the famous Juror #4 who is also a network engineer, thought the criminal charges should have been dropped. Successive mayors have used the position to grant kickbacks to various friends, yet the IT department was being downsized and Childs was left with no job security and nobody overseeing his work. At the same time, District Attorney (now California Attorney General) Kamala Harris was facing accusations of being soft on murder, so she apparently took the Childs case as a gift from heaven to demonstrate her toughness on technology crime. When Childs did surrender the passwords, and she immediately put them into the public record as evidence, that was just amazing work. Amazing for the wrong reasons.

      So, my opinion of Childs deteriorated, and my opinion of San Francisco did not improve.

      --
      Have a nice time.
    17. Re:Passwords are property of the employer by EdIII · · Score: 4, Insightful

      I still feel the same way I did when I read it the first time.

      Passwords are not property. They're information and they protect access to property. That's all they do.

      Setting a password to deliberately restrict access and gain leverage is not theft. It's insubordinate and grounds for termination. If damage occurs since personnel are not able to access systems then it is property damage, defamation of character, tortuous interference with contracts, etc. A plethora of other ways to punish someone or seek remediation.

      He never had any kind of ownership claim over the devices he was administrating and was at all times operating under the employ of those that do.

      He willfully set passwords to restrict access to everyone. Not just below him, but above him as well.

      When being terminated he did not hand over everything he knew and had. That goes both ways too. His work should only have had a reasonable time period to ask him everything, and most assuredly should have had policies in place to know it all anyways.

      Afterwards, his work should have had ZERO recourse.

      However, his biggest mistake, was in letting his ego run rampant and delude him into thinking that the entire network was his to protect and he was the rightful guardian and no one was going to take it away from him.

      That was what hung him. He fully admitted that he set the passwords and never even attempted to write them down or hand them over during his exit interview. It was premeditated and willful, which is why he should be punished.

      This had nothing to do with intellectual property and everything to do with his behavior before, during, and after termination by the city.

    18. Re:Passwords are property of the employer by Anonymous Coward · · Score: 5, Informative


      it basically shut down the city of san francisco for at least two weeks

      I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couln't pay your traffic tickets, you couldn't renew your drivers licence. Fires raged out of control because of the lack of fireman. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extored money out of everyone. Meteors rained firey death on all San Francicicans. A plague of frogs of biblical preportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!

      Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.

      Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.

    19. Re:Passwords are property of the employer by EdIII · · Score: 5, Interesting

      I think that is a very dangerous precedent for intellectual property though.

      It's most assuredly very different than walking out with the physical hardware. It still exists. It's still in the hands of the owners. The challenge is that the device is storing a piece of information that only that single person is aware of. For whatever reason.

      Your viewpoint is dangerous because it's easily possible to forget that shared secret between you and the devices. Trust me. Very easy to do. I've done it. I've been asked about passwords long after I stopped working for someone. Since I make it a point to write them down securely and not remember them, it was no surprise that I didn't. I shredded/deleted the documents too, so there was no way to retrieve them.

      I don't think forgetting or refusing should ever be criminalized since in many cases you cannot truly tell which one it is. Why should I go to prison because I can't remember something that they were too stupid to have written down by policy while I was working there, and too stupid to ask about it during the exit interview or when the contract was done?

      This case was different. He admitted to not only setting it, but doing it for a specific purpose. Focus on that and don't start messing up understanding of intellectual property in such a dangerous way.

      Please. You won't like the world that gets created with those ideas. Not one bit.

    20. Re:Passwords are property of the employer by tlhIngan · · Score: 4, Interesting

      Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.

      I suspect it's because we "tech geeks" as a group tend to self-identify and tend to think of us as "smarter than the rest of them". Except of course, we're not. Sure we know our ways around everything technological, but I'm sure there's plenty that don't know law (try getting the three sides of IP law straight - a lot of /. flamewars erupt from confusing patents with copyright and trademarks). Or medicine. Or any other thing, really.

      It's not unique to geeks either - I'm sure your local doctor's group or lawyer's group also think they as a whole are so much smarter than the rest of the world. Except of course, they're not - they know their field really well, but enter another field (try helping a doctor or lawyer with computer problems?) and boy are they clueless.

      It's the same with geeks.

      And unfortunately, sometimes this plays out badly - we think we know "the system" better than everyone, but then get slapped and made a fool of (see Hans Reiser, Terry Childs - ZOMG they know how to work the system!). Of course, all that happens is the prosecution takes advantage of this and easily paints a negative image on the person before the trial even begins. Of course, they were probably guilty, but damn, we didn't have to make it easier for them. (See Aaron Schwartz on how NOT to behave - you can be "on the right side" but if you act in ways the general public knowingly disproves of, you get vilified in the court of public opinion and make a prosecutor's job REALLY easy.).

      Some advice - learn etiquette and how "the proles" want you to behave (if that means having to wear a suit and dressing up, so be it), Even though everyone shouldn't "judge a book by its cover" guess what? Juries and prosecutors do. Don't make their life simpler by making it easy to paint you as an outcast who believes they're above social norms. And especially don't act smarter than the group, because you'll just come along and sound like a smartass instead.

    21. Re:Passwords are property of the employer by Lodlaiden · · Score: 4, Interesting

      Was debating on modding (up)...

      Very simple response to the whole thing. You had 1 guy that was in charge of knowing ALL the passwords AND the ability to reset/change them AND you fired him? Whether or not the guy KNOWS the passwords by heart (and I don't even know my WiFi password by heart), my contract ends with you the day you fire me. If you want to hire me back as a contractor at a 1k/day rate, I will gladly find and open the password spreadsheet. Or you can pay the helpdesk guy to search my desktop and my fileshares.

      If you do not have the technical foresight to have a plan in case I get hit by a bus then you deserve to live with the consequences of me disappearing off the face of the earth, even if it's at your own doing. Especially if it's your doing.

      On the actual specifics of this one case, Terry probably was committing carreer suicide by not ensuring he left the place on good terms. You don't jerk with the CITY you live in. You might be able to pull that crap with some small companies, but throwing both fingers high in the sky at the entire CITY is asking for some rebuttal.

      --
      Suborbital [spaceflight] is the special olympics of spaceflight. - Rei
    22. Re: Passwords are property of the employer by Anonymous Coward · · Score: 5, Insightful

      In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far. Compelling someone to grant you access? Okay. Requiring the password? Sorry, that's their identity (and ass) on the line. Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password. Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

      That said, Childs is an idiot, and he handled this poorly. He *should* have offered to change his credentials for a consulting fee (returning engineer post termination) to close the book on it.

      But computer fraud and abuse? Please... What a joke. A bunch of idiots wasted weeks puffing their chests out at each other and the city utterly failed to learn from a teachable moment. Audit your fucking system designs and don't allow for single credential systems, ever. Given the way they drive around here, your admin stands a good chance of getting hit by a bus.

      Don't risk it. Have plans for unavailability, termination, and death.

    23. Re:Passwords are property of the employer by jfalcon · · Score: 5, Informative

      Wrong - it wasn't that simple.

      http://www.courts.ca.gov/opinions/documents/A129583.PDF

      In December 2007, the city‟s Human Services Agency (HSA) experienced a
      power outage. When power was restored, its computers could not connect to
      FiberWAN—the configurations of its CE device had been erased because they had been
      saved to VRAM. Childs reloaded the configurations and got the system reconnected.
      When the HSA information security officer learned that the CE configurations had been
      stored in VRAM, he protested to Childs that this was unacceptable. Citing security
      concerns, Childs explained that he wanted to prevent a physical connection to the CE that
      would allow someone to obtain the configurations using the password recovery feature.
      He suggested disabling the password recovery feature instead; the information security
      officer agreed. Tong also agreed to this solution, as it would address a concern about
      hacking into the HSA‟s CE device. Soon, Childs disabled the password recovery feature
      on all CE devices citywide, and there were no backup configurations on any of the city‟s
      CE devices. As the password recovery feature could not be disabled on core PE devices,
      Childs erased their configurations that had been stored on NVRAM.

      --
      boom goes the dynamite....
    24. Re:Passwords are property of the employer by Linzer · · Score: 4, Interesting

      he was basically just going about his job, doing the right thing, but forgot they weren't HIS computers.

      Isn't that the most unprofessional thing a sysadmin can do? Doesn't everyone in the business know that that is precisely the behavior that gets you in trouble?

      --
      Gravitation is a theory, not a fact.
    25. Re:Passwords are property of the employer by bickerdyke · · Score: 3, Insightful

      Then - at last when you're already in jail - the proper thing to do would have been to hand the passowrd over to the judge along with a letter explaining the illegal stuff that's going to happen and ask the judge (or if he sees neccessary: a court) to decide on the legal status. That's what the judical system is for and cleans you of the idea that you're extorting someone

      --
      bickerdyke
    26. Re:Passwords are property of the employer by erroneus · · Score: 5, Interesting

      Oh... and it did NOT shut down the city. Go back and read the original story. What it did was leave the city management in a situation they didn't know how to handle... and still don't. They wanted it easy, didn't get it and they got angry and abused their powers to seek retribution.

      I said it previously and I'll say it again. If this guy died instead of being fired, they would face the EXACT same problem but without the recourse of being able to persecute. But I hold that in either situation, the response should be the same. Setting about the task or regaining control over the systems.

    27. Re:Passwords are property of the employer by Lodlaiden · · Score: 3, Interesting

      I come from at a place where if you were an IT professional and either party (You or Management) determined you weren't going to work there anymore, you were done. Accounts were locked. No more database, fileshare, email access. We had a DBA attempt to leave under good terms with 2 week notice and all. 30 mins later his acct was locked, management supervision while he cleaned his desk, then escorted out. Nevermind he'd done his hard time (4+years) fixing/maintaining/enhancing the database/server structure. No one asks for passwords or what the combination to ther server room was.

      I'm not saying what Terry did was right/wrong, but if they didn't have procedures/process in place, then it's there own fault a cocky sys admin grabbed them by the cohones.
      On a separate note, would you really re-grant sysadmin access to someone that wasn't "pleasant" about handing over the keys?

      --
      Suborbital [spaceflight] is the special olympics of spaceflight. - Rei
    28. Re:Passwords are property of the employer by canadian_right · · Score: 3

      Childs was in the wrong, and should have handed over the passwords, but as is often the case in the "land of the free" the punishment was grossly disproportionate to the crime. In most of the rest of the western world this would have been a civil case: a judge would have ordered him to hand over the passwords, and given him a small fine for being a doofus. On refusing to hand over the fines he would been sent to jail until he handed them over, and be given a contempt of court fine,.

      Only in a country that prides itself on "three strikes", "zero tolerance", and jails more people than any other country (both per capita and raw number in jail) could any person in the justice system think his punishment was reasonable.

      --
      Anarchists never rule
    29. Re:Passwords are property of the employer by HeckRuler · · Score: 5, Insightful

      Unprofessional ? UNPROFESSIONAL?
      Listen here kid, being a professional means that you tell the boss to go suck eggs when he orders you to do something stupid. Being a professional at a critical job means you finish your shift and await your replacement, even when they fired you earlier in the day. Because someone has to do the job. Being a professional means you refuse to sign off on the untested software because the plane might crash and people will die. Being a professional means you don't let the bosses idiot son steer the boat, because he's incompetent and would steer it into shore.

      Being a professional means you're not just there for the paycheck to be a yes-man to your superior. You're there, in part, to do a good job. Because doing a bad job will get people killed and/or cost millions.

      People like to throw the "unprofessional" term about when people don't have the right cut of dress, or speak with the proper tone, but if you want to play hardball with professionalism, you need to realize that it's more important than shmoozing with the boss and climbing that corporate ladder.

  2. Seems fine with me. by dukeblue219 · · Score: 5, Insightful

    I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

    --
    -Ted http://www.freemathhelp.com/
    1. Re:Seems fine with me. by Livius · · Score: 3, Insightful

      What kind of idiot

      Management.

    2. Re:Seems fine with me. by Belial6 · · Score: 5, Informative

      Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.

      Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

    3. Re:Seems fine with me. by Belial6 · · Score: 4, Informative

      When this went down, it was not reported that he refused to turn over the passwords. He refused to hand over the password to unauthorized individuals and in unauthorized ways.

    4. Re:Seems fine with me. by gnasher719 · · Score: 3, Insightful

      When this went down, it was not reported that he refused to turn over the passwords. He refused to hand over the password to unauthorized individuals and in unauthorized ways.

      He refused to hand over the password to people who were full authorised but in his opinion couldn't be trusted. He refused to hand over the keys in a way that was insecure, but then didn't make any effort to hand over the keys in a secure way, which would have been his duty (because at the time he _was_ employed and _was_ asked by someone who was authorised).

    5. Re:Seems fine with me. by Registered+Coward+v2 · · Score: 4, Informative

      Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized. Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

      No, he went to jail because he deliberately setup the system so he was the only one that knew the passwords; and then refused to divulge them. He didn't simply forget his or refuse to violate procedures; he tried to use what he did as leverage and that is what he went to jail for. What he did is no different then any other type of extortion.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  3. How, how HOW by Anonymous Coward · · Score: 5, Insightful

    HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.

    1. Re:How, how HOW by dukeblue219 · · Score: 3, Informative

      Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.

      --
      -Ted http://www.freemathhelp.com/
  4. Exactly right by Pirulo · · Score: 5, Insightful

    The passwords are like the key to the office. You have to return them.

  5. Something about Betteridge by Anonymous Coward · · Score: 5, Insightful

    I've simplified the submission:

    Withhold Passwords From Your Employer, Go To Jail?

    Yes

  6. History rewritten by guruevi · · Score: 4, Insightful

    Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:History rewritten by Anonymous Coward · · Score: 3, Insightful

      How could the company not have the right to the passwords?

      The company DID have the right to the passwords, Childs simply tried to argue that since he "built" the system and all it entailed, it was his personal property.

      Which was a fucking stupid argument.

    2. Re:History rewritten by Fallen+Kell · · Score: 4, Informative

      He was asked to give the passwords over during a meeting with several people who had not signed the appropriate papers for having said access and had not been documented by information/system security for having a right to the passwords. There was also a conference call being held on the phone in the room with unknown persons who would have then also been privy to the password divergence. Terry simple say "no" to diverging the passwords in that location, at that time, in that manner. In his contract, he had a duty to protect the passwords, and he was still an employee at that time. Giving up the passwords in that location at that time would have been a breach of his contract and he could have been fired on the spot for doing so. He was placed in an impossible situation, where they were firing him if he gave them the passwords or didn't give them the passwords. At that time, no one from security had authorize anyone else to have the passwords, and as such, Terry did the only thing he felt was correct, which was to attempt to give them to the only person who was in charge of the system, which was the mayor, who could then give them to whoever he felt like, in whatever manner he thought he should since it was not written in any contract that he had to protect the passwords or be fired for giving them to someone who had not filled out the proper paperwork and been given approval to have them and doing so in a location where only the person who had been authorized to have them would receive them.

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    3. Re:History rewritten by MoFoQ · · Score: 4, Interesting

      His lack of finesse and social skills coupled by the complete (technical) incompetence of those at city hall definitely contributed to his downfall.
      If I recall, didn't Kamala Harris put the passwords into public record, thus forcing the city IT department to go around and changing passwords on all devices to prevent from someone from "f*cking sh*t up"?

      The funny thing is that the statute (California Penal Code Sec. 502(c)(5)) mentions "disrupts or causes the disruption of computer services or denies or causes the denial of computer services" yet....during this whole fiasco, the network was rock-f-ing-solid (at least until the passwords were put into public record without seal).

      Not sure why the attorney didn't bring this point up.
      If I was Terry Childs, I'd fire the attorney and then sue the city for breach of contract (oddly, for at least the same amount).

  7. Use the "Politician's Friend" by Anonymous Coward · · Score: 3, Funny

    "I don't remember."

  8. Re:Never getting a dime can do 4 years by Grishnakh · · Score: 5, Informative

    Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.

  9. More important knowledge by Ukab+the+Great · · Score: 4, Insightful

    There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.

  10. This is also an epic fail on the other side by gweihir · · Score: 4, Insightful

    Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.

    But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Back when I admined systems ... by PPH · · Score: 5, Interesting

    ... passwords were in a sealed envelope in my desk drawer, locked. That way, if I got hit by a bus, the boss could break into the desk and hand envelope over to my replacement.

    When I left, I handed him the key to my desk and said, "You know where they are."

    --
    Have gnu, will travel.
    1. Re:Back when I admined systems ... by DoofusOfDeath · · Score: 5, Informative

      When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.

      I think that's a bit better than the person who's leaving continuing to know a shared secret.

  12. Re:Exactly Wrong by taustin · · Score: 5, Informative

    The people who need them should already have them at all times.

    Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

    Or hey. Maybe your employer is a moron.

    That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

    And keep in mind, the network in question included their 911 system.

    The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

  13. Wrong thing to withold. by pla · · Score: 3, Insightful

    Your employer owns their hardware, including the "keys" to get into it.

    Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.

    Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.

    Now imagine they "no longer need your services" after three years of uninterrupted service.

    Now imagine that you haven't persisted the router configs and they lose power.

    Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.

    When you stop laughing...

    Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".

  14. social engineering from hire by shentino · · Score: 3, Interesting

    After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.

  15. "I stole from an idiot" isn't an excuse, it's wors by raymorris · · Score: 3, Insightful

    > and not the complete idiots of the company for leaving there passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.

    "The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.

    In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.

  16. Compare to private industry? by bradley13 · · Score: 3, Insightful

    There are two groups arguing here - I think both may be missing the point.

    Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.

    Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.

    Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?

    - They wouldn't be claiming $1.5 million in damages - an absurd figure.

    - They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.

    - The *only* likely retribution would be: "don't use us as a reference".

    Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.

    --
    Enjoy life! This is not a dress rehearsal.
  17. Exactly by SmallFurryCreature · · Score: 4, Insightful

    These articles show you that a lot of nerds really are totally incapable of dealing with normal society.

    If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?

    Some dweebs seem to construct fantasy worlds around themselves and since they lack interaction with other people becomes convinced that these fantasy worlds are real. Childs seems to have done so, he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.

    I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  18. The strongest evidence by JDG1980 · · Score: 5, Insightful

    To me, these two paragraphs from the court document are the most damning evidence against Childs:

    Disabling Console Ports. The jury learned that if the console port – the physical means of access to the network on the device itself – is disabled, then the administrator cannot login to the system using what is regarded as the "port of last resort." On July 8 – the day before he was placed on administrative leave – Childs disabled the console ports on all five core devices, preventing the possibility of any password recovery.

    Applying Access Controls. Childs also applied access controls to core devices that required that all administrative access had to be achieved by means of one particular computer, even if the access codes were known. He set up these access controls on core devices on the morning of July 9.

    It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.

  19. It's tough to protect against inside jobs by Anonymous+Brave+Guy · · Score: 5, Insightful

    In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.

    What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...

    Requiring the password? Sorry, that's their identity (and ass) on the line.

    It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.

    Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.

    Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.

    I think "You're fired" is a pretty clear transfer of responsibility.

    Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

    Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.

    Don't risk it. Have plans for unavailability, termination, and death.

    That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.

    Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.