Forgot your password?
typodupeerror
Crime IT

Withhold Passwords From Your Employer, Go To Jail? 599

Posted by Unknown Lamer
from the bad-plan-with-expected-results dept.
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
This discussion has been archived. No new comments can be posted.

Withhold Passwords From Your Employer, Go To Jail?

Comments Filter:
  • by ackthpt (218170) on Monday November 04, 2013 @11:06PM (#45332799) Homepage Journal

    I don't care if you made them up, they are the property of your employer.

    Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

  • by dukeblue219 (212029) <[moc.loa] [ta] [912eulbekud]> on Monday November 04, 2013 @11:07PM (#45332815) Homepage

    I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

  • How, how HOW (Score:5, Insightful)

    by Anonymous Coward on Monday November 04, 2013 @11:07PM (#45332819)

    HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.

  • Exactly right (Score:5, Insightful)

    by Pirulo (621010) on Monday November 04, 2013 @11:08PM (#45332825)
    The passwords are like the key to the office. You have to return them.
  • by Anonymous Coward on Monday November 04, 2013 @11:11PM (#45332843)

    I've simplified the submission:

    Withhold Passwords From Your Employer, Go To Jail?

    Yes

  • History rewritten (Score:5, Insightful)

    by guruevi (827432) <evi@smokingcCOFFEEube.be minus caffeine> on Monday November 04, 2013 @11:12PM (#45332849) Homepage

    Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.

  • by Ukab the Great (87152) on Monday November 04, 2013 @11:14PM (#45332875)

    There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.

  • by gweihir (88907) on Monday November 04, 2013 @11:17PM (#45332911)

    Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.

    But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.

  • by Livius (318358) on Monday November 04, 2013 @11:21PM (#45332933)

    What kind of idiot

    Management.

  • by Riceballsan (816702) on Monday November 04, 2013 @11:26PM (#45332983)
    I know long before the terry childs case, I remember my IT teachers explaining that if you took off with passwords etc... to anything they didn't have an account over, the standard response is to hire some rediculously overpriced person who is paid by the hour to gradually break into it, then have the courts foot you the bill. I don't get why this is shocking. The Terry Childs case was a bit of an exception, namely because of his claim that the person who he was under the impression he was supposed to give the information too, was not present. IE childs was not saying he wouldn't give the password unless he was rehired or paid. He was explicitly saying he was going to give the password, but not to the middle manager who was asking him for it. Child's case he could have been screwed either way, giving the admin password to someone who shouldn't have it, makes you liable for the damages they cause... but refusing to give the password, is also a suable offense. If you know who has the rights to the password, and have access, there's no room for debate at all
  • by Anonymous Coward on Monday November 04, 2013 @11:27PM (#45332999)

    This is subtly different. In my eyes, once the employee has been fired, they are really under no obligation to help their now ex-employer with much of anything. Of course, having a password in your head and a key in your pocket are different things, the company has the burden of due diligence to be sure you turn in the key, security badge, whatever before you walk out the door. If they don't have a password, that's their own fault. The key and lock equivalent would be I get home, having just been fired, and all the keys, security badges, whatever I have should (morally and legally) be shredded, burned, or otherwise destroyed.

    HOWEVER, this isn't a case of due diligence. This guy went to great lengths to not only ensure no one else had access, but actually booby trap the system. That in and of itself should be grounds for firing and criminal charges. The only difference here is that they didn't find out what he had done until after he was fired, which doesn't change the fact that he was committing a crime in the first place.

  • by s.petry (762400) on Monday November 04, 2013 @11:28PM (#45333009)

    While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

    Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.

  • by Anonymous Coward on Monday November 04, 2013 @11:31PM (#45333023)

    How could the company not have the right to the passwords?

    The company DID have the right to the passwords, Childs simply tried to argue that since he "built" the system and all it entailed, it was his personal property.

    Which was a fucking stupid argument.

  • by noh8rz10 (2716597) on Monday November 04, 2013 @11:34PM (#45333035)

    It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

    it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.

  • by PlusFiveTroll (754249) on Monday November 04, 2013 @11:51PM (#45333137) Homepage

    Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.

  • by ArchieBunker (132337) on Monday November 04, 2013 @11:58PM (#45333177) Homepage

    He was getting fired anyhow so why would breach of contract even matter? He was a self entitled neckbeard and dug his own grave. Give out the passwords and wash your hands of it.

  • by Anonymous Coward on Tuesday November 05, 2013 @12:10AM (#45333251)

    Couple of observations.

    1: Taken to it's logical conclusion, the right to own the knowledge in someone Else's head is tantamount to slavery. Please do not attempt to extend property rights in this direction; teachers owning the knowledge in students heads is perverse usury; is demonstrably destructive to the progress of society and technology and you know it.

    2: It has been ruled time and time again, it's the Employers sole responsibility and privilege to define, audit, move, add, change, and revoke security systems access; an employer the size of San Francisco has no excuse to strictly control such. There is no implicit lawful requirement for computer users to retain Login information during or after termination of employment unless the employer writes a contract and even then, it's a civil requirement. There's a perfectly plausible reason for an employee to destroy such information; namely to exonerate oneself from the use of such logins against the company after their termination by other individuals within the company (E.G. Other Techs hacking your logins and going payroll fishing from a vpn with it). Even while employed, There's a fine line between will-full destruction of property and incompetence.

    3: Quoting the law:
    "(5)Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."

    That's what he was found guilty under. What systems administrator or programmer would do business in the state of California with such a vague law? Be Incompetent, Fuck up, have a vengeful boss, go to jail. That's what this case is really about; the ability of state officials to fail to routinely document and confirm systems access by employee's whom make 100k+ a year who's job responsibility is to configure and maintain tens of millions of dollars of mission critical gear to toss your ass in jail on the flimsiest of reasons because they don't want to be bothered with kindergarten simple shit.

    Even if he really was a malicious, self-serving, rent-seeking prick, being convicted under that law is complete and total bullshit.

  • by Belial6 (794905) on Tuesday November 05, 2013 @12:28AM (#45333343)
    Which was what the security policy required of him. He was arrested for not turning the passwords over to unauthorized individuals.
  • by Zemran (3101) on Tuesday November 05, 2013 @12:31AM (#45333359) Homepage Journal

    Not in anyway similar. If you take the keys to their trucks you are stealing but if you stop work there is no theft involved. If you want me to talk to you then that is work and I no longer work for you. You should have implemented a better system when I was employed for you. To take this into the real world, what would have happened if he had been killed in a traffic accident? The same procedure that would go into place in such an event should also work during a dismissal. If you do not have such a procedure do not blame the guy that you just sacked as that would make as much sense as blaming a dead guy. It is your fault.

  • by Cramer (69040) on Tuesday November 05, 2013 @12:38AM (#45333391) Homepage

    Except he didn't take the keys to a truck, he took the keys to all the trucks. One truck... easy enough to deal with. Thousands of trucks that people are currently driving... not quite so easy to recover.

  • by pla (258480) on Tuesday November 05, 2013 @12:46AM (#45333435) Journal

    Your employer owns their hardware, including the "keys" to get into it.

    Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.

    Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.

    Now imagine they "no longer need your services" after three years of uninterrupted service.

    Now imagine that you haven't persisted the router configs and they lose power.

    Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.

    When you stop laughing...

    Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".

  • by Cramer (69040) on Tuesday November 05, 2013 @12:58AM (#45333481) Homepage

    In any sane enterprise, it never would have gotten to such a point. The wack-job would've been fired long before he took the entire infrastructure hostage. (which was the case long before his termination.) He's a nut, pure and simple; everyone who's had more than 5s to look at the case knew exactly where this was going. The only thing that bugs me is the fact that the managers who allowed this mess to grow aren't even mentioned, much less held accountable for it.

  • by Anonymous Psychopath (18031) on Tuesday November 05, 2013 @12:59AM (#45333493) Homepage

    Not in anyway similar. If you take the keys to their trucks you are stealing but if you stop work there is no theft involved. If you want me to talk to you then that is work and I no longer work for you. You should have implemented a better system when I was employed for you. To take this into the real world, what would have happened if he had been killed in a traffic accident? The same procedure that would go into place in such an event should also work during a dismissal. If you do not have such a procedure do not blame the guy that you just sacked as that would make as much sense as blaming a dead guy. It is your fault.

    That's an incredibly simplistic and incorrect understanding of intellectual property and work ownership. What you do for your employer while you work for them belongs to them, unless you have a specific agreement stating otherwise. Just because you don't work there anymore doesn't relieve you of your obligation to give them back their property, which in this case was the command and control of their own network infrastructure.

    But good luck with that.

  • by dbIII (701233) on Tuesday November 05, 2013 @01:09AM (#45333527)

    it basically shut down the city of san francisco for at least two weeks

    Excuse me?

    they held the guy in jail, but he refused to divulge

    You missed the bit where nobody came to ask him until the Mayor's photo opportunity.

  • by raymorris (2726007) on Tuesday November 05, 2013 @01:39AM (#45333657)

    > and not the complete idiots of the company for leaving there passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.

    "The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.

    In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.

  • by schnell (163007) <<me> <at> <schnell.net>> on Tuesday November 05, 2013 @01:47AM (#45333697) Homepage

    ...a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.

    Huh? It's more like if you had a safe containing your money and paid one of your employees to maintain the safe and its contents, and he refused to tell you the combination of the safe.

    [Karma suicide coming]

    Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.

    Look, it's hardly a unique failing or blindness - most humans exhibit bad confirmation bias and cognitive dissonance. But I just find it disappointing to find such prevalence of this behavior in a group that prides itself on its capacity for critical thinking.

  • by BrookHarty (9119) on Tuesday November 05, 2013 @01:50AM (#45333727) Homepage Journal

    It's no different than physically walking out with the hardware.

    Bullshit.

    The hardware sat in the racks the entire time. Any tech could walk up and reset the passwords.
    The manager should have sent out his techs to reset passwords and then put a password policy in place.

    Bad management, but the employee didn't STEAL anything.

  • by Anonymous Psychopath (18031) on Tuesday November 05, 2013 @02:05AM (#45333787) Homepage

    I disagree. It's dangerous to give a blanket statement that all the work belongs to them by default.

    What work?

    I've been in several situations in which I participated on other projects outside of work which used not a single work resource. It's too damn easy to claim you did it while on site or using work property.

    That's why it went all the way to the board one time when I steadfastly refused to sign any agreement with them since the language was so overwhelmingly vague and if I patented a coffee napkin idea at home it was theirs. Nothing happened since I they could not afford to let me go at all.

    I would prefer that nothing is decided in anyone's favor by default and must be proved in a court of law (no arbitration).

    A non-compete agreement does not work for me as an independent contractor. Unless you pay me extremely well i'm not going to lock myself out of an entire market.

    Ohh, and I guess that since I only work in Open Source it's kind of a moot point. It's rather funny when I explain that they don't actually own anything I make for them at all, and I don't either :)

    What I said is what you do for your employer, in the context of this discussion around Terry Childs. Configuring routers and assigning administrative access controls to them is definitely not a personal project, even though Terry acted like it was. He even attempted to copyright his configurations.

    Point taken on personal projects, and everyone I've worked for has been fine with the ones I've worked on, including my own meager and forgettable contributions to FOSS.

  • by EdIII (1114411) on Tuesday November 05, 2013 @02:08AM (#45333801)

    I still feel the same way I did when I read it the first time.

    Passwords are not property. They're information and they protect access to property. That's all they do.

    Setting a password to deliberately restrict access and gain leverage is not theft. It's insubordinate and grounds for termination. If damage occurs since personnel are not able to access systems then it is property damage, defamation of character, tortuous interference with contracts, etc. A plethora of other ways to punish someone or seek remediation.

    He never had any kind of ownership claim over the devices he was administrating and was at all times operating under the employ of those that do.

    He willfully set passwords to restrict access to everyone. Not just below him, but above him as well.

    When being terminated he did not hand over everything he knew and had. That goes both ways too. His work should only have had a reasonable time period to ask him everything, and most assuredly should have had policies in place to know it all anyways.

    Afterwards, his work should have had ZERO recourse.

    However, his biggest mistake, was in letting his ego run rampant and delude him into thinking that the entire network was his to protect and he was the rightful guardian and no one was going to take it away from him.

    That was what hung him. He fully admitted that he set the passwords and never even attempted to write them down or hand them over during his exit interview. It was premeditated and willful, which is why he should be punished.

    This had nothing to do with intellectual property and everything to do with his behavior before, during, and after termination by the city.

  • by bradley13 (1118935) on Tuesday November 05, 2013 @02:58AM (#45333945) Homepage

    There are two groups arguing here - I think both may be missing the point.

    Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.

    Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.

    Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?

    - They wouldn't be claiming $1.5 million in damages - an absurd figure.

    - They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.

    - The *only* likely retribution would be: "don't use us as a reference".

    Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.

  • by Anonymous Coward on Tuesday November 05, 2013 @03:14AM (#45333977)

    In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far. Compelling someone to grant you access? Okay. Requiring the password? Sorry, that's their identity (and ass) on the line. Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password. Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

    That said, Childs is an idiot, and he handled this poorly. He *should* have offered to change his credentials for a consulting fee (returning engineer post termination) to close the book on it.

    But computer fraud and abuse? Please... What a joke. A bunch of idiots wasted weeks puffing their chests out at each other and the city utterly failed to learn from a teachable moment. Audit your fucking system designs and don't allow for single credential systems, ever. Given the way they drive around here, your admin stands a good chance of getting hit by a bus.

    Don't risk it. Have plans for unavailability, termination, and death.

  • Exactly (Score:5, Insightful)

    by SmallFurryCreature (593017) on Tuesday November 05, 2013 @03:57AM (#45334059) Journal

    These articles show you that a lot of nerds really are totally incapable of dealing with normal society.

    If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?

    Some dweebs seem to construct fantasy worlds around themselves and since they lack interaction with other people becomes convinced that these fantasy worlds are real. Childs seems to have done so, he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.

    I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.

  • by gnasher719 (869701) on Tuesday November 05, 2013 @04:33AM (#45334159)

    When this went down, it was not reported that he refused to turn over the passwords. He refused to hand over the password to unauthorized individuals and in unauthorized ways.

    He refused to hand over the password to people who were full authorised but in his opinion couldn't be trusted. He refused to hand over the keys in a way that was insecure, but then didn't make any effort to hand over the keys in a secure way, which would have been his duty (because at the time he _was_ employed and _was_ asked by someone who was authorised).

  • by bickerdyke (670000) on Tuesday November 05, 2013 @04:37AM (#45334169)

    Then - at last when you're already in jail - the proper thing to do would have been to hand the passowrd over to the judge along with a letter explaining the illegal stuff that's going to happen and ask the judge (or if he sees neccessary: a court) to decide on the legal status. That's what the judical system is for and cleans you of the idea that you're extorting someone

  • by JDG1980 (2438906) on Tuesday November 05, 2013 @04:41AM (#45334185)

    To me, these two paragraphs from the court document are the most damning evidence against Childs:

    Disabling Console Ports. The jury learned that if the console port – the physical means of access to the network on the device itself – is disabled, then the administrator cannot login to the system using what is regarded as the "port of last resort." On July 8 – the day before he was placed on administrative leave – Childs disabled the console ports on all five core devices, preventing the possibility of any password recovery.

    Applying Access Controls. Childs also applied access controls to core devices that required that all administrative access had to be achieved by means of one particular computer, even if the access codes were known. He set up these access controls on core devices on the morning of July 9.

    It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.

  • by Anonymous Brave Guy (457657) on Tuesday November 05, 2013 @05:38AM (#45334329)

    In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.

    What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...

    Requiring the password? Sorry, that's their identity (and ass) on the line.

    It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.

    Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.

    Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.

    I think "You're fired" is a pretty clear transfer of responsibility.

    Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.

    Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.

    Don't risk it. Have plans for unavailability, termination, and death.

    That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.

    Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.

  • by HeckRuler (1369601) on Tuesday November 05, 2013 @11:35AM (#45335977)

    Unprofessional ? UNPROFESSIONAL?
    Listen here kid, being a professional means that you tell the boss to go suck eggs when he orders you to do something stupid. Being a professional at a critical job means you finish your shift and await your replacement, even when they fired you earlier in the day. Because someone has to do the job. Being a professional means you refuse to sign off on the untested software because the plane might crash and people will die. Being a professional means you don't let the bosses idiot son steer the boat, because he's incompetent and would steer it into shore.

    Being a professional means you're not just there for the paycheck to be a yes-man to your superior. You're there, in part, to do a good job. Because doing a bad job will get people killed and/or cost millions.

    People like to throw the "unprofessional" term about when people don't have the right cut of dress, or speak with the proper tone, but if you want to play hardball with professionalism, you need to realize that it's more important than shmoozing with the boss and climbing that corporate ladder.

  • by Archangel Michael (180766) on Tuesday November 05, 2013 @12:04PM (#45336289) Journal

    You're Fired means transfer of authority, you're right. At that moment, Childs should have told SF to pound sand, and walked away. He owes them nothing at that point, including the password. What crime did he commit by not revealing the password?

You can bring any calculator you like to the midterm, as long as it doesn't dim the lights when you turn it on. -- Hepler, Systems Design 182

Working...