Withhold Passwords From Your Employer, Go To Jail?
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
Re:How, how HOW (Score:3, Informative)
Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.
Re:Never getting a dime can do 4 years (Score:5, Informative)
Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.
Re:History rewritten (Score:4, Informative)
Re:Exactly Wrong (Score:5, Informative)
The people who need them should already have them at all times.
Any other way is asking for problems. Even if the problem is simply 'I forgot the password'.
Or hey. Maybe your employer is a moron.
That was, in fact, exactly the situation Childs' boss was trying to rectify. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not be able to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.
And keep in mind, the network in question included their 911 system.
The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.
Re:Seems fine with me. (Score:5, Informative)
Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.
Re:Back when I admined systems ... (Score:5, Informative)
When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.
I think that's a bit better than the person who's leaving continuing to know a shared secret.
Re:Seems fine with me. (Score:5, Informative)
Re:Passwords are property of the employer (Score:5, Informative)
Re:Passwords are property of the employer (Score:5, Informative)
No, seriously, YOUR argument is bullshit. Why? Because never once in that entire rant did you address any of the *specifics* of the actual case.
In the end Childs KNOWINGLY AND WITHOUT PERMISSION *changed* the passwords on a bunch of computers and then refused to give the owners of those devices (the city of San Francisco) those passwords. If for some bizarre and horrible reason by normal operational procedure he was just the only person who knew these passwords, was fired, and said "fuck you", that would be one thing, and I'd agree with you. But he intentionally locked down the systems and refused to unlock them - both before and after he was fired. He even claimed that the reason was because "he didn't trust his supervisors with them". That's pretty much a textbook application of the law, and could probably be extended to extortion if they wanted...
Re:Passwords are property of the employer (Score:5, Informative)
I don't know where you're from, but I live in sf and I remember what a big deal this was.
Re:Passwords are property of the employer (Score:5, Informative)
it basically shut down the city of san francisco for at least two weeks
I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couldn't pay your traffic tickets, you couldn't renew your driver's licence. Fires raged out of control because of the lack of firemen. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extorted money out of everyone. Meteors rained fiery death on all San Franciscans. A plague of frogs of biblical proportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!
Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.
Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.
Re:Passwords are property of the employer (Score:5, Informative)
http://www.courts.ca.gov/opinions/documents/A129583.PDF
In December 2007, the city's Human Services Agency (HSA) experienced a power outage. When power was restored, its computers could not connect to FiberWAN—the configurations of its CE device had been erased because they had been saved to VRAM. Childs reloaded the configurations and got the system reconnected. When the HSA information security officer learned that the CE configurations had been stored in VRAM, he protested to Childs that this was unacceptable. Citing security concerns, Childs explained that he wanted to prevent a physical connection to the CE that would allow someone to obtain the configurations using the password recovery feature. He suggested disabling the password recovery feature instead; the information security officer agreed. Tong also agreed to this solution, as it would address a concern about hacking into the HSA's CE device. Soon, Childs disabled the password recovery feature on all CE devices citywide, and there were no backup configurations on any of the city's CE devices. As the password recovery feature could not be disabled on core PE devices, Childs erased their configurations that had been stored on NVRAM.
Re:Seems fine with me. (Score:5, Informative)
Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the city's security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized. Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.
No, he went to jail because he deliberately set up the system so he was the only one that knew the passwords; and then refused to divulge them. He didn't simply forget his or refuse to violate procedures; he tried to use what he did as leverage and that is what he went to jail for. What he did is no different than any other type of extortion.