Withhold Passwords From Your Employer, Go To Jail? 599
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
Next time (Score:2, Interesting)
just root the servers, give the passwords back the change them.
Precedent? (Score:1, Interesting)
Plenty of organizations have dozens or hundreds of passwords. Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?
Yes, this guy was a douchebag, but he shouldn't have to turn over anything.
Access control policy is the responsibility of the employer. If they fail to set policy or fire employees before it's too late, it's their own damn fault. This is just another example of mismanagement backed by a broken justice system.
Back when I admined systems ... (Score:5, Interesting)
When I left, I handed him the key to my desk and said, "You know where they are."
Re:Passwords are property of the employer (Score:0, Interesting)
It's worse than that. He threw all of the spare keys into the ocean and then took the keys. The problem isn't that he wasn't saying his password, but that he had modified the system so that only his password worked, which was the malicious action. If it had been some oversight on the part of the employer that they fired the only employee without asking that such password be divulged or a second admin account be created he wouldn't have that obligation communicate his password.
Re:Passwords are property of the employer (Score:5, Interesting)
It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?
I think that the main reason opinions changed was because when the story was first reported, the journalists got almost every fact wrong.
Re:History rewritten (Score:5, Interesting)
His lack of finesse and social skills coupled by the complete (technical) incompetence of those at city hall definitely contributed to his downfall.
If I recall, didn't Kamala Harris put the passwords into public record, thus forcing the city IT department to go around and changing passwords on all devices to prevent from someone from "f*cking sh*t up"?
The funny thing is that the statute (California Penal Code Sec. 502(c)(5)) mentions "disrupts or causes the disruption of computer services or denies or causes the denial of computer services" yet....during this whole fiasco, the network was rock-f-ing-solid (at least until the passwords were put into public record without seal).
Not sure why the attorney didn't bring this point up.
If I was Terry Childs, I'd fire the attorney and then sue the city for breach of contract (oddly, for at least the same amount).
social engineering from hire (Score:4, Interesting)
After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.
Re:Passwords are property of the employer (Score:4, Interesting)
A password is not property and it cannot be "taken" as if it were a physical object. It merely represents a shared secret between one or more parties and a backend system that attempts to authenticate access.
To say theft is wildly inaccurate and illogical.
If the employee is the only one in possession of the shared secret and refuses to divulge that information to a party that does have physical ownership over the devices being protected I have a very hard time understanding how it's theft.
Those responsible parties should have maintained access at all times. In this case, he had established that password while gainfully employed by them, and was perfectly in his rights (work policies outlining what they are) to establish the password. If no policy was in place for him to print it out, hand it to his superiors, and let them secure it, then some accountability rests with the management.
Once he was let go I see no difference between "I don't remember" and "I don't wish to say". I've quit before and was asked on many occasions if I remembered passwords, specifics of certain processes, etc. My answer was simple, "I don't work for you anymore and this conversation is not appropriate". I never set any passwords to restrict access higher up than me. I also made sure that all of the passwords were known by my superior.
Did he specifically set a password in a premeditated fashion to prevent proper operation of the networks? In this case, he did and then admitted that he did . That's what the legal focus should be on. Not theft or some intellectual property mangled interpretation bullshit. Those arguments are quite frankly extremely detrimental to our overall freedom at this point. We need to swing that pendulum over the other way with a more sophisticated understanding of what is actually going on.
I don't have a problem that he is going to prison for about a year. What I have a problem is that he is going to prison for not divulging a shared secret that should have never been set by policy, and one he is not obligated to reveal once terminated.
Put him in prison for willful property damage or some other infraction designed to punish somebody by damaging property past a certain extent. Not theft.
The vast majority of these cases, especially these so called intellectual property cases, need to be decided in civil court, not criminal.
Re:Passwords are property of the employer (Score:5, Interesting)
It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?
More of the relevant facts have been made public. It turns out that Childs wasn't the overzealous network administrator that he was made out to be, but he was a sociopathic, somewhat psychotic criminal [packetpushers.net] who carved a mini-empire for himself out of wires and electricity. He was even denying appropriate requests for service, just because of his own personal hangups.
On the other hand, my opinion of the City and County of San Francisco has not been improved, either. The situation should not have been allowed to turn into full-on criminal prosecution. Even Jason Chilton, the famous Juror #4 who is also a network engineer, thought the criminal charges should have been dropped. [slashdot.org] Successive mayors have used the position to grant kickbacks to various friends, yet the IT department was being downsized and Childs was left with no job security and nobody overseeing his work. At the same time, District Attorney (now California Attorney General) Kamala Harris [wikipedia.org] was facing accusations of being soft on murder, so she apparently took the Childs case as a gift from heaven to demonstrate her toughness on technology crime. When Childs did surrender the passwords, and she immediately put them into the public record as evidence, that was just amazing work. Amazing for the wrong reasons.
So, my opinion of Childs deteriorated, and my opinion of San Francisco did not improve.
Re:Passwords are property of the employer (Score:5, Interesting)
I think that is a very dangerous precedent for intellectual property though.
It's most assuredly very different than walking out with the physical hardware. It still exists. It's still in the hands of the owners. The challenge is that the device is storing a piece of information that only that single person is aware of. For whatever reason.
Your viewpoint is dangerous because it's easily possible to forget that shared secret between you and the devices. Trust me. Very easy to do. I've done it. I've been asked about passwords long after I stopped working for someone. Since I make it a point to write them down securely and not remember them, it was no surprise that I didn't. I shredded/deleted the documents too, so there was no way to retrieve them.
I don't think forgetting or refusing should ever be criminalized since in many cases you cannot truly tell which one it is. Why should I go to prison because I can't remember something that they were too stupid to have written down by policy while I was working there, and too stupid to ask about it during the exit interview or when the contract was done?
This case was different. He admitted to not only setting it, but doing it for a specific purpose. Focus on that and don't start messing up understanding of intellectual property in such a dangerous way.
Please. You won't like the world that gets created with those ideas. Not one bit.
Re:Passwords are property of the employer (Score:5, Interesting)
I suspect it's because we "tech geeks" as a group tend to self-identify and tend to think of us as "smarter than the rest of them". Except of course, we're not. Sure we know our ways around everything technological, but I'm sure there's plenty that don't know law (try getting the three sides of IP law straight - a lot of /. flamewars erupt from confusing patents with copyright and trademarks). Or medicine. Or any other thing, really.
It's not unique to geeks either - I'm sure your local doctor's group or lawyer's group also think they as a whole are so much smarter than the rest of the world. Except of course, they're not - they know their field really well, but enter another field (try helping a doctor or lawyer with computer problems?) and boy are they clueless.
It's the same with geeks.
And unfortunately, sometimes this plays out badly - we think we know "the system" better than everyone, but then get slapped and made a fool of (see Hans Reiser, Terry Childs - ZOMG they know how to work the system!). Of course, all that happens is the prosecution takes advantage of this and easily paints a negative image on the person before the trial even begins. Of course, they were probably guilty, but damn, we didn't have to make it easier for them. (See Aaron Schwartz on how NOT to behave - you can be "on the right side" but if you act in ways the general public knowingly disproves of, you get vilified in the court of public opinion and make a prosecutor's job REALLY easy.).
Some advice - learn etiquette and how "the proles" want you to behave (if that means having to wear a suit and dressing up, so be it), Even though everyone shouldn't "judge a book by its cover" guess what? Juries and prosecutors do. Don't make their life simpler by making it easy to paint you as an outcast who believes they're above social norms. And especially don't act smarter than the group, because you'll just come along and sound like a smartass instead.
Re:Passwords are property of the employer (Score:4, Interesting)
Very simple response to the whole thing. You had 1 guy that was in charge of knowing ALL the passwords AND the ability to reset/change them AND you fired him? Whether or not the guy KNOWS the passwords by heart (and I don't even know my WiFi password by heart), my contract ends with you the day you fire me. If you want to hire me back as a contractor at a 1k/day rate, I will gladly find and open the password spreadsheet. Or you can pay the helpdesk guy to search my desktop and my fileshares.
If you do not have the technical foresight to have a plan in case I get hit by a bus then you deserve to live with the consequences of me disappearing off the face of the earth, even if it's at your own doing. Especially if it's your doing.
On the actual specifics of this one case, Terry probably was committing carreer suicide by not ensuring he left the place on good terms. You don't jerk with the CITY you live in. You might be able to pull that crap with some small companies, but throwing both fingers high in the sky at the entire CITY is asking for some rebuttal.
Re:Passwords are property of the employer (Score:5, Interesting)
he was basically just going about his job, doing the right thing, but forgot they weren't HIS computers.
Isn't that the most unprofessional thing a sysadmin can do? Doesn't everyone in the business know that that is precisely the behavior that gets you in trouble?
Re:Passwords are property of the employer (Score:5, Interesting)
Oh... and it did NOT shut down the city. Go back and read the original story. What it did was leave the city management in a situation they didn't know how to handle... and still don't. They wanted it easy, didn't get it and they got angry and abused their powers to seek retribution.
I said it previously and I'll say it again. If this guy died instead of being fired, they would face the EXACT same problem but without the recourse of being able to persecute. But I hold that in either situation, the response should be the same. Setting about the task or regaining control over the systems.
Re:Passwords are property of the employer (Score:2, Interesting)
The major difference is he didnt walk off with the set of keys only the knowledge in his head.
Re: Passwords are property of the employer (Score:2, Interesting)
it is absolutely unforgivable to allow a system design allowing for single authority.
Every OS I can think of - Windows, Linux, MacOS, Solaris and every descendent of Unix - has a single root account, with a single root password, which can change every other password on the system. The tablet/phone OSes (iOS and Android) are similar but worse - they give administration privileges to the one and only *user* account, with an optional-and-rarely-set password, and completely block the ability to log in as root.
Got any examples of a system design that does NOT allow for a single authority?
Re:Passwords are property of the employer (Score:3, Interesting)
I'm not saying what Terry did was right/wrong, but if they didn't have procedures/process in place, then it's there own fault a cocky sys admin grabbed them by the cohones.
On a separate note, would you really re-grant sysadmin access to someone that wasn't "pleasant" about handing over the keys?