Slashdot Mirror


Withhold Passwords From Your Employer, Go To Jail?

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

23 of 599 comments

  1. Passwords are property of the employer by ackthpt · · Score: 5, Insightful

    I don't care if you made them up, they are the property of your employer.

    Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Passwords are property of the employer by s.petry · · Score: 5, Insightful

      While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

      Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Passwords are property of the employer by noh8rz10 · · Score: 5, Insightful

      It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

      it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.

    3. Re:Passwords are property of the employer by PlusFiveTroll · · Score: 5, Insightful

      Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.

    4. Re:Passwords are property of the employer by immaterial · · Score: 5, Informative

      IIRC, Childs modified the system and changed the passwords in order to intentionally lock out the other sysadmins. This case was more like installing your own lock into the truck before quitting.

    5. Re:Passwords are property of the employer by schnell · · Score: 5, Insightful

      ...a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.

      Huh? It's more like if you had a safe containing your money and paid one of your employees to maintain the safe and its contents, and he refused to tell you the combination of the safe.

      [Karma suicide coming]

      Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.

      Look, it's hardly a unique failing or blindness - most humans exhibit bad confirmation bias and cognitive dissonance. But I just find it disappointing to find such prevalence of this behavior in a group that prides itself on its capacity for critical thinking.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    6. Re:Passwords are property of the employer by Anonymous Coward · · Score: 5, Informative


      it basically shut down the city of san francisco for at least two weeks

      I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couldn't pay your traffic tickets, you couldn't renew your driver's licence. Fires raged out of control because of the lack of firemen. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extorted money out of everyone. Meteors rained fiery death on all San Franciscans. A plague of frogs of biblical proportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!

      Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.

      Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.

    7. Re:Passwords are property of the employer by EdIII · · Score: 5, Interesting

      I think that is a very dangerous precedent for intellectual property though.

      It's most assuredly very different than walking out with the physical hardware. It still exists. It's still in the hands of the owners. The challenge is that the device is storing a piece of information that only that single person is aware of. For whatever reason.

      Your viewpoint is dangerous because it's easily possible to forget that shared secret between you and the devices. Trust me. Very easy to do. I've done it. I've been asked about passwords long after I stopped working for someone. Since I make it a point to write them down securely and not remember them, it was no surprise that I didn't. I shredded/deleted the documents too, so there was no way to retrieve them.

      I don't think forgetting or refusing should ever be criminalized since in many cases you cannot truly tell which one it is. Why should I go to prison because I can't remember something that they were too stupid to have written down by policy while I was working there, and too stupid to ask about it during the exit interview or when the contract was done?

      This case was different. He admitted to not only setting it, but doing it for a specific purpose. Focus on that and don't start messing up understanding of intellectual property in such a dangerous way.

      Please. You won't like the world that gets created with those ideas. Not one bit.

    8. Re: Passwords are property of the employer by Anonymous Coward · · Score: 5, Insightful

      In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far. Compelling someone to grant you access? Okay. Requiring the password? Sorry, that's their identity (and ass) on the line. Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password. Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

      That said, Childs is an idiot, and he handled this poorly. He *should* have offered to change his credentials for a consulting fee (returning engineer post termination) to close the book on it.

      But computer fraud and abuse? Please... What a joke. A bunch of idiots wasted weeks puffing their chests out at each other and the city utterly failed to learn from a teachable moment. Audit your fucking system designs and don't allow for single credential systems, ever. Given the way they drive around here, your admin stands a good chance of getting hit by a bus.

      Don't risk it. Have plans for unavailability, termination, and death.

    9. Re:Passwords are property of the employer by jfalcon · · Score: 5, Informative

      Wrong - it wasn't that simple.

      http://www.courts.ca.gov/opinions/documents/A129583.PDF

      In December 2007, the city's Human Services Agency (HSA) experienced a
      power outage. When power was restored, its computers could not connect to
      FiberWAN—the configurations of its CE device had been erased because they had been
      saved to VRAM. Childs reloaded the configurations and got the system reconnected.
      When the HSA information security officer learned that the CE configurations had been
      stored in VRAM, he protested to Childs that this was unacceptable. Citing security
      concerns, Childs explained that he wanted to prevent a physical connection to the CE that
      would allow someone to obtain the configurations using the password recovery feature.
      He suggested disabling the password recovery feature instead; the information security
      officer agreed. Tong also agreed to this solution, as it would address a concern about
      hacking into the HSA's CE device. Soon, Childs disabled the password recovery feature
      on all CE devices citywide, and there were no backup configurations on any of the city's
      CE devices. As the password recovery feature could not be disabled on core PE devices,
      Childs erased their configurations that had been stored on NVRAM.

      --
      boom goes the dynamite....
    10. Re:Passwords are property of the employer by erroneus · · Score: 5, Interesting

      Oh... and it did NOT shut down the city. Go back and read the original story. What it did was leave the city management in a situation they didn't know how to handle... and still don't. They wanted it easy, didn't get it and they got angry and abused their powers to seek retribution.

      I said it previously and I'll say it again. If this guy died instead of being fired, they would face the EXACT same problem but without the recourse of being able to persecute. But I hold that in either situation, the response should be the same. Setting about the task of regaining control over the systems.

    11. Re:Passwords are property of the employer by HeckRuler · · Score: 5, Insightful

      Unprofessional? UNPROFESSIONAL?
      Listen here kid, being a professional means that you tell the boss to go suck eggs when he orders you to do something stupid. Being a professional at a critical job means you finish your shift and await your replacement, even when they fired you earlier in the day. Because someone has to do the job. Being a professional means you refuse to sign off on the untested software because the plane might crash and people will die. Being a professional means you don't let the boss's idiot son steer the boat, because he's incompetent and would steer it into shore.

      Being a professional means you're not just there for the paycheck to be a yes-man to your superior. You're there, in part, to do a good job. Because doing a bad job will get people killed and/or cost millions.

      People like to throw the "unprofessional" term about when people don't have the right cut of dress, or speak with the proper tone, but if you want to play hardball with professionalism, you need to realize that it's more important than shmoozing with the boss and climbing that corporate ladder.

  2. Seems fine with me. by dukeblue219 · · Score: 5, Insightful

    I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

    --
    -Ted http://www.freemathhelp.com/
    1. Re:Seems fine with me. by Belial6 · · Score: 5, Informative

      Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the city's security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.

      Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

  3. How, how HOW by Anonymous Coward · · Score: 5, Insightful

    HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.

  4. Exactly right by Pirulo · · Score: 5, Insightful

    The passwords are like the key to the office. You have to return them.

  5. Something about Betteridge by Anonymous Coward · · Score: 5, Insightful

    I've simplified the submission:

    Withhold Passwords From Your Employer, Go To Jail?

    Yes

  6. Re:Never getting a dime can do 4 years by Grishnakh · · Score: 5, Informative

    Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.

  7. Back when I admined systems ... by PPH · · Score: 5, Interesting

    ... passwords were in a sealed envelope in my desk drawer, locked. That way, if I got hit by a bus, the boss could break into the desk and hand the envelope over to my replacement.

    When I left, I handed him the key to my desk and said, "You know where they are."

    --
    Have gnu, will travel.
    1. Re:Back when I admined systems ... by DoofusOfDeath · · Score: 5, Informative

      When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.

      I think that's a bit better than the person who's leaving continuing to know a shared secret.

  8. Re:Exactly Wrong by taustin · · Score: 5, Informative

    The people who need them should already have them at all times.

    Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

    Or hey. Maybe your employer is a moron.

    That was, in fact, exactly the situation Childs' boss was trying to rectify. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not be able to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

    And keep in mind, the network in question included their 911 system.

    The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

  9. The strongest evidence by JDG1980 · · Score: 5, Insightful

    To me, these two paragraphs from the court document are the most damning evidence against Childs:

    Disabling Console Ports. The jury learned that if the console port – the physical means of access to the network on the device itself – is disabled, then the administrator cannot login to the system using what is regarded as the "port of last resort." On July 8 – the day before he was placed on administrative leave – Childs disabled the console ports on all five core devices, preventing the possibility of any password recovery.

    Applying Access Controls. Childs also applied access controls to core devices that required that all administrative access had to be achieved by means of one particular computer, even if the access codes were known. He set up these access controls on core devices on the morning of July 9.

    It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.

  10. It's tough to protect against inside jobs by Anonymous+Brave+Guy · · Score: 5, Insightful

    In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.

    What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...

    Requiring the password? Sorry, that's their identity (and ass) on the line.

    It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.

    Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.

    Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.

    I think "You're fired" is a pretty clear transfer of responsibility.

    Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

    Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.

    Don't risk it. Have plans for unavailability, termination, and death.

    That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.

    Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.