Withhold Passwords From Your Employer, Go To Jail?

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

Re:How, how HOW

[dukeblue219]

Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.

Re:Never getting a dime can do 4 years

[Grishnakh]

Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.

Re:History rewritten

[Fallen Kell]

He was asked to give the passwords over during a meeting with several people who had not signed the appropriate papers for having said access and had not been documented by information/system security for having a right to the passwords. There was also a conference call being held on the phone in the room with unknown persons who would have then also been privy to the password divergence. Terry simple say "no" to diverging the passwords in that location, at that time, in that manner. In his contract, he had a duty to protect the passwords, and he was still an employee at that time. Giving up the passwords in that location at that time would have been a breach of his contract and he could have been fired on the spot for doing so. He was placed in an impossible situation, where they were firing him if he gave them the passwords or didn't give them the passwords. At that time, no one from security had authorize anyone else to have the passwords, and as such, Terry did the only thing he felt was correct, which was to attempt to give them to the only person who was in charge of the system, which was the mayor, who could then give them to whoever he felt like, in whatever manner he thought he should since it was not written in any contract that he had to protect the passwords or be fired for giving them to someone who had not filled out the proper paperwork and been given approval to have them and doing so in a location where only the person who had been authorized to have them would receive them.

Re:Exactly Wrong

[taustin]

The people who need them should already have them at all times.

Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

Or hey. Maybe your employer is a moron.

That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

And keep in mind, the network in question included their 911 system.

The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

Re:Seems fine with me.

[Belial6]

Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.

Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

Re:Back when I admined systems ...

[DoofusOfDeath]

When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.

I think that's a bit better than the person who's leaving continuing to know a shared secret.

Re:Seems fine with me.

[Belial6]

When this went down, it was not reported that he refused to turn over the passwords. He refused to hand over the password to unauthorized individuals and in unauthorized ways.

Re:Passwords are property of the employer

[immaterial]

IIRC, Childs modified the system and changed the passwords in order to intentionally lock out the other sysadmins. This case was more like installing your own lock into the truck before quitting.

Re:Passwords are property of the employer

[Dahamma]

No, seriously, YOUR argument is bullshit. Why? Because never once in that entire rant did you address any of the *specifics* of the actual case.

In the end Childs KNOWINGLY AND WITHOUT PERMISSION *changed* the passwords on a bunch of computers and then refused to give the owners of those devices (the city of San Francisco) those passwords. If for some bizarre and horrible reason by normal operational procedure he was just the only person who knew these passwords, was fired, and said "fuck you", that would be one thing, and I'd agree with you. But he intentionally locked down the systems and refused to unlock them - both before and after he was fired. He even claimed that the reason was because "he didn't trust his supervisors with them". That's pretty much a textbook application of the law, and could probably be extended to extortion if they wanted...

Re:Passwords are property of the employer

[noh8rz10]

I don't know where you're from, but I live in sf and I remember what a big deal this was.

Re:Passwords are property of the employer

[Anonymous Coward]

it basically shut down the city of san francisco for at least two weeks

I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couln't pay your traffic tickets, you couldn't renew your drivers licence. Fires raged out of control because of the lack of fireman. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extored money out of everyone. Meteors rained firey death on all San Francicicans. A plague of frogs of biblical preportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!

Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.

Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.

Re:Passwords are property of the employer

[jfalcon]

Wrong - it wasn't that simple.

http://www.courts.ca.gov/opinions/documents/A129583.PDF

In December 2007, the city‟s Human Services Agency (HSA) experienced a
power outage. When power was restored, its computers could not connect to
FiberWAN—the configurations of its CE device had been erased because they had been
saved to VRAM. Childs reloaded the configurations and got the system reconnected.
When the HSA information security officer learned that the CE configurations had been
stored in VRAM, he protested to Childs that this was unacceptable. Citing security
concerns, Childs explained that he wanted to prevent a physical connection to the CE that
would allow someone to obtain the configurations using the password recovery feature.
He suggested disabling the password recovery feature instead; the information security
officer agreed. Tong also agreed to this solution, as it would address a concern about
hacking into the HSA‟s CE device. Soon, Childs disabled the password recovery feature
on all CE devices citywide, and there were no backup configurations on any of the city‟s
CE devices. As the password recovery feature could not be disabled on core PE devices,
Childs erased their configurations that had been stored on NVRAM.

Re:Seems fine with me.

[Registered Coward v2]

Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized. Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

No, he went to jail because he deliberately setup the system so he was the only one that knew the passwords; and then refused to divulge them. He didn't simply forget his or refuse to violate procedures; he tried to use what he did as leverage and that is what he went to jail for. What he did is no different then any other type of extortion.