Withhold Passwords From Your Employer, Go To Jail? 599
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
Passwords are property of the employer (Score:5, Insightful)
I don't care if you made them up, they are the property of your employer.
Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.
Re: (Score:2)
It's no different than physically walking out with the hardware.
In fact, I think it already falls under some form of trespass.
Re:Passwords are property of the employer (Score:4, Insightful)
It's no different than physically walking out with the hardware.
Bullshit.
The hardware sat in the racks the entire time. Any tech could walk up and reset the passwords.
The manager should have sent out his techs to reset passwords and then put a password policy in place.
Bad management, but the employee didn't STEAL anything.
Re:Passwords are property of the employer (Score:5, Informative)
http://www.courts.ca.gov/opinions/documents/A129583.PDF
In December 2007, the city‟s Human Services Agency (HSA) experienced a
power outage. When power was restored, its computers could not connect to
FiberWAN—the configurations of its CE device had been erased because they had been
saved to VRAM. Childs reloaded the configurations and got the system reconnected.
When the HSA information security officer learned that the CE configurations had been
stored in VRAM, he protested to Childs that this was unacceptable. Citing security
concerns, Childs explained that he wanted to prevent a physical connection to the CE that
would allow someone to obtain the configurations using the password recovery feature.
He suggested disabling the password recovery feature instead; the information security
officer agreed. Tong also agreed to this solution, as it would address a concern about
hacking into the HSA‟s CE device. Soon, Childs disabled the password recovery feature
on all CE devices citywide, and there were no backup configurations on any of the city‟s
CE devices. As the password recovery feature could not be disabled on core PE devices,
Childs erased their configurations that had been stored on NVRAM.
Re:Passwords are property of the employer (Score:5, Interesting)
I think that is a very dangerous precedent for intellectual property though.
It's most assuredly very different than walking out with the physical hardware. It still exists. It's still in the hands of the owners. The challenge is that the device is storing a piece of information that only that single person is aware of. For whatever reason.
Your viewpoint is dangerous because it's easily possible to forget that shared secret between you and the devices. Trust me. Very easy to do. I've done it. I've been asked about passwords long after I stopped working for someone. Since I make it a point to write them down securely and not remember them, it was no surprise that I didn't. I shredded/deleted the documents too, so there was no way to retrieve them.
I don't think forgetting or refusing should ever be criminalized since in many cases you cannot truly tell which one it is. Why should I go to prison because I can't remember something that they were too stupid to have written down by policy while I was working there, and too stupid to ask about it during the exit interview or when the contract was done?
This case was different. He admitted to not only setting it, but doing it for a specific purpose. Focus on that and don't start messing up understanding of intellectual property in such a dangerous way.
Please. You won't like the world that gets created with those ideas. Not one bit.
Re: (Score:3)
I could only be sued for negligence if I did not make sure that the owner possessed an updated copy at all times, and that I had not made reasonable attempts to do so.
That is why I always have typed out all the details for whatever I did into a set of notes. I made it a point on temporary projects (even configuring a router for somebody) that I turned it over to them, explained what it was, and that they should change the passwords after I left.
If a contract was involved I turned over all my notes at the e
Re: (Score:3)
Once a job is done, for good or bad, just walk away completely and let it go. Terry had a God complex and could not let his little empire slip away from him
Divulging the passwords to unauthorised people would be a criminal act in itself.
He didn't try and access the system. He merely refused to break the law and enable unauthorised individuals to access secure systems.
That's what fucks me off about this entire case. Childs may or may not be an arrogant cock with a god complex, but I just haven't heard anything that suggests he's done anything actually wrong here.
Re:Passwords are property of the employer (Score:4, Insightful)
In any sane enterprise, it never would have gotten to such a point. The wack-job would've been fired long before he took the entire infrastructure hostage. (which was the case long before his termination.) He's a nut, pure and simple; everyone who's had more than 5s to look at the case knew exactly where this was going. The only thing that bugs me is the fact that the managers who allowed this mess to grow aren't even mentioned, much less held accountable for it.
staffing cuts lead to him being the only person do (Score:3)
staffing cuts lead to him being the only person doing the network work.
Re: (Score:3)
As an attorney, I could easily see prosecuting these under traditional property crimes, as well: a password is a type of property, and taking it could be larceny, for example.
Such laws certainly make the prosecution easier (to the dismay of my criminal law partner)
hawk, esq.
Re: (Score:3)
As a non-lawyer this seems odd to me given a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.
I can't recall the details of this case and honestly don't really care, but the city ought to have a had a policy about shared passwords from the start not only to avoid this situation but also scenarios where the sole passw
Re:Passwords are property of the employer (Score:5, Insightful)
...a password is transient knowledge and not a thing a single one person can possess. To me, a more apt analogy might be an employer trying to force a former employee to write down any thoughts they might have had related to their former position.
Huh? It's more like if you had a safe containing your money and paid one of your employees to maintain the safe and its contents, and he refused to tell you the combination of the safe.
[Karma suicide coming]
Reading about this whole Terry Childs thing on Slashdot has always amazed me. For what seemed like years, whenever this topic came up every post was flooded with "zOMG Terry Childs was justified because the mayor didn't know how to secure his servers!!!!" rhetoric. It seemed to make no sense except for geeks rooting for a fellow geek, regardless of what the real issues at stake were. Same goes for the teeming Slashbot hordes who insisted for months and months on Hans Reiser's innocence and how he was FRAMED, I TELL YOU. Or the people who previously would have condemned Kim Dotcom as a fraudster and spammer but who lionized him because the copyright police came after him. And frankly the same goes for the "zOMG Julian Assange was FRAMED by the CIA and the NSA because the MPAA owns Sweden or whatever" crowd. Occam's razor folks - if the US government wants to get their hands on somebody, they do what they tried to do to Edward Snowden, i.e. attempt to extradite them, not somehow make up fake rape charges in a separate country that doesn't even really like the US anyway.
Look, it's hardly a unique failing or blindness - most humans exhibit bad confirmation bias and cognitive dissonance. But I just find it disappointing to find such prevalence of this behavior in a group that prides itself on its capacity for critical thinking.
Re:Passwords are property of the employer (Score:5, Interesting)
I suspect it's because we "tech geeks" as a group tend to self-identify and tend to think of us as "smarter than the rest of them". Except of course, we're not. Sure we know our ways around everything technological, but I'm sure there's plenty that don't know law (try getting the three sides of IP law straight - a lot of /. flamewars erupt from confusing patents with copyright and trademarks). Or medicine. Or any other thing, really.
It's not unique to geeks either - I'm sure your local doctor's group or lawyer's group also think they as a whole are so much smarter than the rest of the world. Except of course, they're not - they know their field really well, but enter another field (try helping a doctor or lawyer with computer problems?) and boy are they clueless.
It's the same with geeks.
And unfortunately, sometimes this plays out badly - we think we know "the system" better than everyone, but then get slapped and made a fool of (see Hans Reiser, Terry Childs - ZOMG they know how to work the system!). Of course, all that happens is the prosecution takes advantage of this and easily paints a negative image on the person before the trial even begins. Of course, they were probably guilty, but damn, we didn't have to make it easier for them. (See Aaron Schwartz on how NOT to behave - you can be "on the right side" but if you act in ways the general public knowingly disproves of, you get vilified in the court of public opinion and make a prosecutor's job REALLY easy.).
Some advice - learn etiquette and how "the proles" want you to behave (if that means having to wear a suit and dressing up, so be it), Even though everyone shouldn't "judge a book by its cover" guess what? Juries and prosecutors do. Don't make their life simpler by making it easy to paint you as an outcast who believes they're above social norms. And especially don't act smarter than the group, because you'll just come along and sound like a smartass instead.
Re:Passwords are property of the employer (Score:4, Interesting)
Very simple response to the whole thing. You had 1 guy that was in charge of knowing ALL the passwords AND the ability to reset/change them AND you fired him? Whether or not the guy KNOWS the passwords by heart (and I don't even know my WiFi password by heart), my contract ends with you the day you fire me. If you want to hire me back as a contractor at a 1k/day rate, I will gladly find and open the password spreadsheet. Or you can pay the helpdesk guy to search my desktop and my fileshares.
If you do not have the technical foresight to have a plan in case I get hit by a bus then you deserve to live with the consequences of me disappearing off the face of the earth, even if it's at your own doing. Especially if it's your doing.
On the actual specifics of this one case, Terry probably was committing carreer suicide by not ensuring he left the place on good terms. You don't jerk with the CITY you live in. You might be able to pull that crap with some small companies, but throwing both fingers high in the sky at the entire CITY is asking for some rebuttal.
Re: (Score:3, Interesting)
Re: (Score:3)
Re: (Score:3)
There is evidence that the charges against Assange are bullshit, and the US government did in fact try something similar with Snowden early on by trying to make out his girlfriend was some kind of undesirable. We actually know that is Standard Operating Procedure thanks to previous leaks of internal CIA manuals.
I agree with your general point, but there is such a thing as being too sceptical and making no effort to find out about things you have dismissed as paranoid ranting early on.
Re:Passwords are property of the employer (Score:4, Interesting)
A password is not property and it cannot be "taken" as if it were a physical object. It merely represents a shared secret between one or more parties and a backend system that attempts to authenticate access.
To say theft is wildly inaccurate and illogical.
If the employee is the only one in possession of the shared secret and refuses to divulge that information to a party that does have physical ownership over the devices being protected I have a very hard time understanding how it's theft.
Those responsible parties should have maintained access at all times. In this case, he had established that password while gainfully employed by them, and was perfectly in his rights (work policies outlining what they are) to establish the password. If no policy was in place for him to print it out, hand it to his superiors, and let them secure it, then some accountability rests with the management.
Once he was let go I see no difference between "I don't remember" and "I don't wish to say". I've quit before and was asked on many occasions if I remembered passwords, specifics of certain processes, etc. My answer was simple, "I don't work for you anymore and this conversation is not appropriate". I never set any passwords to restrict access higher up than me. I also made sure that all of the passwords were known by my superior.
Did he specifically set a password in a premeditated fashion to prevent proper operation of the networks? In this case, he did and then admitted that he did . That's what the legal focus should be on. Not theft or some intellectual property mangled interpretation bullshit. Those arguments are quite frankly extremely detrimental to our overall freedom at this point. We need to swing that pendulum over the other way with a more sophisticated understanding of what is actually going on.
I don't have a problem that he is going to prison for about a year. What I have a problem is that he is going to prison for not divulging a shared secret that should have never been set by policy, and one he is not obligated to reveal once terminated.
Put him in prison for willful property damage or some other infraction designed to punish somebody by damaging property past a certain extent. Not theft.
The vast majority of these cases, especially these so called intellectual property cases, need to be decided in civil court, not criminal.
Exactly (Score:5, Insightful)
These articles show you that a lot of nerds really are totally incapable of dealing with normal society.
If you changed the locks on your employers buildings and refused to hand over the keys, what do you think would happen? So why should digital keys/passwords be any different?
Some dweebs seem to construct fantasy worlds around themselves and since they lack interaction with other people becomes convinced that these fantasy worlds are real. Childs seems to have done so, he believed he was the only one fit to access these systems, that they were his babies and only he could properly care for them.
I am not sure he should go to jail for it. He should however get mandatory treatment, if needed in a padded cell with a lock. If he asks for the keys, tell him you don't think he is capable of properly dealing with it.
Re: (Score:3)
I want to believe you on this, but there are some realities in this which are being overlooked. Each device is 'vulnerable' to physical access. You could say this was by design. If Childs had died instead of being fired, how would they have handled this differently? What they would do if he had died is exactly what they should have done when he was fired.
There are some realities about IT which some people are unwilling to face. First and foremost of this is that IT should be considered to be an area in
Re:Passwords are property of the employer (Score:5, Insightful)
While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).
Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.
Re:Passwords are property of the employer (Score:5, Insightful)
It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).
it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.
Re: (Score:3, Insightful)
Except he didn't take the keys to a truck, he took the keys to all the trucks. One truck... easy enough to deal with. Thousands of trucks that people are currently driving... not quite so easy to recover.
Re:Passwords are property of the employer (Score:5, Insightful)
Excuse me?
You missed the bit where nobody came to ask him until the Mayor's photo opportunity.
Re: (Score:3)
I think if you go back and read stories of the day, he THOUGHT he was doing the right thing, he wasn't trying to extort anything.
The city wanted to start doing stupid/illegal things with their network, and he decided not to let them. I don't remember the
details, but he was basically just going about his job, doing the right thing, but forgot they weren't HIS computers.
Re:Passwords are property of the employer (Score:5, Interesting)
he was basically just going about his job, doing the right thing, but forgot they weren't HIS computers.
Isn't that the most unprofessional thing a sysadmin can do? Doesn't everyone in the business know that that is precisely the behavior that gets you in trouble?
Re:Passwords are property of the employer (Score:4, Insightful)
Then - at last when you're already in jail - the proper thing to do would have been to hand the passowrd over to the judge along with a letter explaining the illegal stuff that's going to happen and ask the judge (or if he sees neccessary: a court) to decide on the legal status. That's what the judical system is for and cleans you of the idea that you're extorting someone
Re:Passwords are property of the employer (Score:5, Insightful)
Unprofessional ? UNPROFESSIONAL?
Listen here kid, being a professional means that you tell the boss to go suck eggs when he orders you to do something stupid. Being a professional at a critical job means you finish your shift and await your replacement, even when they fired you earlier in the day. Because someone has to do the job. Being a professional means you refuse to sign off on the untested software because the plane might crash and people will die. Being a professional means you don't let the bosses idiot son steer the boat, because he's incompetent and would steer it into shore.
Being a professional means you're not just there for the paycheck to be a yes-man to your superior. You're there, in part, to do a good job. Because doing a bad job will get people killed and/or cost millions.
People like to throw the "unprofessional" term about when people don't have the right cut of dress, or speak with the proper tone, but if you want to play hardball with professionalism, you need to realize that it's more important than shmoozing with the boss and climbing that corporate ladder.
Re: (Score:3)
Obviously, you don't work in Sales.
given that this is slashdot and not linkedIN or MyTwitFace I would take that as a given
Re:Passwords are property of the employer (Score:5, Informative)
I don't know where you're from, but I live in sf and I remember what a big deal this was.
Re: Passwords are property of the employer (Score:5, Insightful)
In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far. Compelling someone to grant you access? Okay. Requiring the password? Sorry, that's their identity (and ass) on the line. Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password. Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.
That said, Childs is an idiot, and he handled this poorly. He *should* have offered to change his credentials for a consulting fee (returning engineer post termination) to close the book on it.
But computer fraud and abuse? Please... What a joke. A bunch of idiots wasted weeks puffing their chests out at each other and the city utterly failed to learn from a teachable moment. Audit your fucking system designs and don't allow for single credential systems, ever. Given the way they drive around here, your admin stands a good chance of getting hit by a bus.
Don't risk it. Have plans for unavailability, termination, and death.
It's tough to protect against inside jobs (Score:5, Insightful)
In a city of techies like SF (where I live), it is absolutely unforgivable to allow a system design allowing for single authority. The city was negligent for ever letting it get this far.
What would you have them do to avoid this problem in the future? Perhaps they could hire someone who is a technical expert with overall responsibility for the department, whose job is to make sure something like this can't happen. Oh, wait...
Requiring the password? Sorry, that's their identity (and ass) on the line.
It's their identity on their employer's systems. If the employer makes a management decision to "compromise" that identity then that is 100% their decision to make, not IT's.
Of course, it also becomes management's responsibility. It's fair for the employee to want written confirmation to record the decision if he disagrees with it. But given that confirmation, the employee doesn't get a vote and has no right to object.
Until he has a clearly recorded transfer of responsibility, he shouldn't relinquish his password.
I think "You're fired" is a pretty clear transfer of responsibility.
Additionally, if his password is related to his personal passwords, releasing the password may constitute a legitimate risk to his privacy and fifth amendment rights.
Seriously? Really? This guy is a high-level IT expert within his organisation, and we're supposed to have sympathy if he not only reuses a password (or something related closely enough to risk the secrecy of another one) but reuses them on completely different systems, when he knows in advance that some are personal and some are professional? Give me a break. Any risk to his own privacy here is entirely self-inflicted, and trying to hide behind legal safeguards created with important and legitimate goals in order to cover your own malice and incompetence is the worst kind of legal wrangling.
Don't risk it. Have plans for unavailability, termination, and death.
That's great, but if the guy who betrayed you is the guy who was responsible for making those plans, there isn't much you can do. At most, you could have hired multiple people to act as mutual checks and balances by auditing the system, but the reality is that even the most high-level IT infrastructure today is still quite simplistic in its security, and unfortunately it remains a pretty easy mark for a skilled inside job.
Of course, if a government department did hire extra people, good enough to maintain proper oversight and audit each other's work in this kind of context but who weren't otherwise needed, many people who didn't understand the reason would be crying foul over wasteful government spending. And they'd have a point, given how rare incidents like this are and how much such people cost.
Re: (Score:3)
Re: (Score:3, Insightful)
You're Fired means transfer of authority, you're right. At that moment, Childs should have told SF to pound sand, and walked away. He owes them nothing at that point, including the password. What crime did he commit by not revealing the password?
Re:Passwords are property of the employer (Score:5, Informative)
it basically shut down the city of san francisco for at least two weeks
I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couln't pay your traffic tickets, you couldn't renew your drivers licence. Fires raged out of control because of the lack of fireman. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extored money out of everyone. Meteors rained firey death on all San Francicicans. A plague of frogs of biblical preportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!
Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.
Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.
Re:Passwords are property of the employer (Score:5, Interesting)
Oh... and it did NOT shut down the city. Go back and read the original story. What it did was leave the city management in a situation they didn't know how to handle... and still don't. They wanted it easy, didn't get it and they got angry and abused their powers to seek retribution.
I said it previously and I'll say it again. If this guy died instead of being fired, they would face the EXACT same problem but without the recourse of being able to persecute. But I hold that in either situation, the response should be the same. Setting about the task or regaining control over the systems.
Re: (Score:3)
it basically shut down the city of san francisco for at least two weeks ... he deserves prison.
So you're saying that congress should be sent to prison?
Re: (Score:3)
When I left my last job, I changed all passwords on the system. Each team member that would be taking a responsibility from me got their own unique password. I then set every system they needed access to to that password.
So they knew if they were logging in to a system that was now under their control, the password would be X. That also encouraged them to change the passwords asap so I wouldn't know them.
Lastly, I changed all root passwords to randomly generated 14 character passwords and provided that list
Re:Passwords are property of the employer (Score:5, Informative)
Re:Passwords are property of the employer (Score:5, Insightful)
Not in anyway similar. If you take the keys to their trucks you are stealing but if you stop work there is no theft involved. If you want me to talk to you then that is work and I no longer work for you. You should have implemented a better system when I was employed for you. To take this into the real world, what would have happened if he had been killed in a traffic accident? The same procedure that would go into place in such an event should also work during a dismissal. If you do not have such a procedure do not blame the guy that you just sacked as that would make as much sense as blaming a dead guy. It is your fault.
That's an incredibly simplistic and incorrect understanding of intellectual property and work ownership. What you do for your employer while you work for them belongs to them, unless you have a specific agreement stating otherwise. Just because you don't work there anymore doesn't relieve you of your obligation to give them back their property, which in this case was the command and control of their own network infrastructure.
But good luck with that.
Re:Passwords are property of the employer (Score:5, Insightful)
I disagree. It's dangerous to give a blanket statement that all the work belongs to them by default.
What work?
I've been in several situations in which I participated on other projects outside of work which used not a single work resource. It's too damn easy to claim you did it while on site or using work property.
That's why it went all the way to the board one time when I steadfastly refused to sign any agreement with them since the language was so overwhelmingly vague and if I patented a coffee napkin idea at home it was theirs. Nothing happened since I they could not afford to let me go at all.
I would prefer that nothing is decided in anyone's favor by default and must be proved in a court of law (no arbitration).
A non-compete agreement does not work for me as an independent contractor. Unless you pay me extremely well i'm not going to lock myself out of an entire market.
Ohh, and I guess that since I only work in Open Source it's kind of a moot point. It's rather funny when I explain that they don't actually own anything I make for them at all, and I don't either :)
What I said is what you do for your employer, in the context of this discussion around Terry Childs. Configuring routers and assigning administrative access controls to them is definitely not a personal project, even though Terry acted like it was. He even attempted to copyright his configurations.
Point taken on personal projects, and everyone I've worked for has been fine with the ones I've worked on, including my own meager and forgettable contributions to FOSS.
Re: (Score:3)
If you want me to talk to you then that is work and I no longer work for you.
True enough, but it would be surprising if the standard employment contract he signed up to didn't include a clause that says he has to give everything that belongs to the employer back at the end of his employment. IME, that kind of clause usually specifically covers both physical property and knowledge/electronic data, too.
You should have implemented a better system when I was employed for you.
This whole thing appears to have started when someone else with responsibilities for security/oversight was brought in, and she was investigating how the systems had been set up.
To take this into the real world, what would have happened if he had been killed in a traffic accident?
If he h
Re: (Score:3)
Buts its not your accounts we're talking about here. It's account belonging to the employer that you were hired to manage.
Re:Passwords are property of the employer (Score:5, Insightful)
Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.
Re: (Score:3)
Holy shit, that was 5 years ago! Great, now you've made me feel old...
Re:Passwords are property of the employer (Score:5, Insightful)
I still feel the same way I did when I read it the first time.
Passwords are not property. They're information and they protect access to property. That's all they do.
Setting a password to deliberately restrict access and gain leverage is not theft. It's insubordinate and grounds for termination. If damage occurs since personnel are not able to access systems then it is property damage, defamation of character, tortuous interference with contracts, etc. A plethora of other ways to punish someone or seek remediation.
He never had any kind of ownership claim over the devices he was administrating and was at all times operating under the employ of those that do.
He willfully set passwords to restrict access to everyone. Not just below him, but above him as well.
When being terminated he did not hand over everything he knew and had. That goes both ways too. His work should only have had a reasonable time period to ask him everything, and most assuredly should have had policies in place to know it all anyways.
Afterwards, his work should have had ZERO recourse.
However, his biggest mistake, was in letting his ego run rampant and delude him into thinking that the entire network was his to protect and he was the rightful guardian and no one was going to take it away from him.
That was what hung him. He fully admitted that he set the passwords and never even attempted to write them down or hand them over during his exit interview. It was premeditated and willful, which is why he should be punished.
This had nothing to do with intellectual property and everything to do with his behavior before, during, and after termination by the city.
Re:Passwords are property of the employer (Score:4)
Childs was in the wrong, and should have handed over the passwords, but as is often the case in the "land of the free" the punishment was grossly disproportionate to the crime. In most of the rest of the western world this would have been a civil case: a judge would have ordered him to hand over the passwords, and given him a small fine for being a doofus. On refusing to hand over the fines he would been sent to jail until he handed them over, and be given a contempt of court fine,.
Only in a country that prides itself on "three strikes", "zero tolerance", and jails more people than any other country (both per capita and raw number in jail) could any person in the justice system think his punishment was reasonable.
Re:Passwords are property of the employer (Score:5, Interesting)
It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?
I think that the main reason opinions changed was because when the story was first reported, the journalists got almost every fact wrong.
Re:Passwords are property of the employer (Score:5, Interesting)
It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?
More of the relevant facts have been made public. It turns out that Childs wasn't the overzealous network administrator that he was made out to be, but he was a sociopathic, somewhat psychotic criminal [packetpushers.net] who carved a mini-empire for himself out of wires and electricity. He was even denying appropriate requests for service, just because of his own personal hangups.
On the other hand, my opinion of the City and County of San Francisco has not been improved, either. The situation should not have been allowed to turn into full-on criminal prosecution. Even Jason Chilton, the famous Juror #4 who is also a network engineer, thought the criminal charges should have been dropped. [slashdot.org] Successive mayors have used the position to grant kickbacks to various friends, yet the IT department was being downsized and Childs was left with no job security and nobody overseeing his work. At the same time, District Attorney (now California Attorney General) Kamala Harris [wikipedia.org] was facing accusations of being soft on murder, so she apparently took the Childs case as a gift from heaven to demonstrate her toughness on technology crime. When Childs did surrender the passwords, and she immediately put them into the public record as evidence, that was just amazing work. Amazing for the wrong reasons.
So, my opinion of Childs deteriorated, and my opinion of San Francisco did not improve.
Re: (Score:3)
I just looked at all the old stories, and couldn't see a single post by on any of them that I'd made. It's impossible to accurately remember what I thought back then, as I'll just project my current views onto my former self. It would be interesting to see if anyone who has expressed a strong opinion historically has now changed tack.
Personally, I think he gives those who work in the same industry as me a bad name. He probably has fanta
Re:Passwords are property of the employer (Score:5, Informative)
No, seriously, YOUR argument is bullshit. Why? Because never once in that entire rant did you address any of the *specifics* of the actual case.
In the end Childs KNOWINGLY AND WITHOUT PERMISSION *changed* the passwords on a bunch of computers and then refused to give the owners of those devices (the city of San Francisco) those passwords. If for some bizarre and horrible reason by normal operational procedure he was just the only person who knew these passwords, was fired, and said "fuck you", that would be one thing, and I'd agree with you. But he intentionally locked down the systems and refused to unlock them - both before and after he was fired. He even claimed that the reason was because "he didn't trust his supervisors with them". That's pretty much a textbook application of the law, and could probably be extended to extortion if they wanted...
Re: (Score:3)
That's idiotic. It had nothing to do with HIPAA (what the heck is HIIPA?), but it did have to do with systems like employee pensions and 911 service. Your BOSS, and then (eventually) the mayor (you boss's boss's boss's boss) asks you to turn over the passwords and you refuse, you deserve what you get.
So to answer your question, yes, I'd obviously hand over the passwords in those cases. But in this case you have no clue about what actually happened, which was he changed the passwords *without* permission
Re: (Score:3)
Yeah. If an employee of mine "refused to hand over the password" to a system for which I had fiscal responsibility, I suspect he'd be terminated so fast not even security would let him empty out his cube.
"I stole from an idiot" isn't an excuse, it's wors (Score:4, Insightful)
> and not the complete idiots of the company for leaving there passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.
"The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.
In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.
Seems fine with me. (Score:5, Insightful)
I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.
Re: (Score:3)
"The company" in this case was San Francisco city hall. Local governments aren't exactly known for their IT prowess.
Re: (Score:2, Insightful)
This is subtly different. In my eyes, once the employee has been fired, they are really under no obligation to help their now ex-employer with much of anything. Of course, having a password in your head and a key in your pocket are different things, the company has the burden of due diligence to be sure you turn in the key, security badge, whatever before you walk out the door. If they don't have a password, that's their own fault. The key and lock equivalent would be I get home, having just been fired,
Re:Seems fine with me. (Score:4, Insightful)
What kind of idiot
Management.
Re: (Score:3)
Re:Seems fine with me. (Score:5, Informative)
Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.
Re: (Score:3)
I read the court report (~40 pages) and that was not the information given. He was asked many times outside of the one incident of the conference call at the end to give his manager the passwords. If there was ONLY that one time, that would be different.
Re:Seems fine with me. (Score:5, Informative)
Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized. Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.
No, he went to jail because he deliberately setup the system so he was the only one that knew the passwords; and then refused to divulge them. He didn't simply forget his or refuse to violate procedures; he tried to use what he did as leverage and that is what he went to jail for. What he did is no different then any other type of extortion.
Re:Seems fine with me. (Score:5, Informative)
Re:Seems fine with me. (Score:4, Insightful)
When this went down, it was not reported that he refused to turn over the passwords. He refused to hand over the password to unauthorized individuals and in unauthorized ways.
He refused to hand over the password to people who were full authorised but in his opinion couldn't be trusted. He refused to hand over the keys in a way that was insecure, but then didn't make any effort to hand over the keys in a secure way, which would have been his duty (because at the time he _was_ employed and _was_ asked by someone who was authorised).
How, how HOW (Score:5, Insightful)
HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.
Re: (Score:3, Informative)
Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.
Exactly right (Score:5, Insightful)
Re:Exactly Wrong (Score:5, Informative)
The people who need them should already have them at all times.
Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.
Or hey. Maybe your employer is a moron.
That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.
And keep in mind, the network in question included their 911 system.
The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.
Something about Betteridge (Score:5, Insightful)
I've simplified the submission:
History rewritten (Score:5, Insightful)
Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.
Re: (Score:2)
Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords.
So what's the "real" history here? How could the company not have the right to the passwords?
Re: (Score:3, Insightful)
How could the company not have the right to the passwords?
The company DID have the right to the passwords, Childs simply tried to argue that since he "built" the system and all it entailed, it was his personal property.
Which was a fucking stupid argument.
Re:History rewritten (Score:4, Informative)
Half the story (Score:3)
He did not just refuse in that one instance. He was then fired and still refused to give the passwords to his duly authorized replacement. Had he felt he was improperly fire a wrongful dismissal suit was in order not withholding passwords.
Re:History rewritten (Score:5, Interesting)
His lack of finesse and social skills coupled by the complete (technical) incompetence of those at city hall definitely contributed to his downfall.
If I recall, didn't Kamala Harris put the passwords into public record, thus forcing the city IT department to go around and changing passwords on all devices to prevent from someone from "f*cking sh*t up"?
The funny thing is that the statute (California Penal Code Sec. 502(c)(5)) mentions "disrupts or causes the disruption of computer services or denies or causes the denial of computer services" yet....during this whole fiasco, the network was rock-f-ing-solid (at least until the passwords were put into public record without seal).
Not sure why the attorney didn't bring this point up.
If I was Terry Childs, I'd fire the attorney and then sue the city for breach of contract (oddly, for at least the same amount).
Re: (Score:3)
read the PDF; seemed like they were trying to cover their asses.
There are plenty of articles and editorials that say otherwise:
http://www.infoworld.com/t/government-use-it/the-terry-childs-case-san-francisco-just-guilty-886 [infoworld.com]
http://www.theregister.co.uk/2008/07/28/sf_rogue_sysadmin_password_mess/ [theregister.co.uk]
http://www.pcworld.com/article/149159/terry_childs_case.html [pcworld.com]
Re: (Score:3)
Since I knew that he was offering up the passwords, it seems implausible that no one at the city was aware that he was offering up the passwords.
So they asked him for the passwords, he hung up the phone, and they were supposed to know that he was "offering up the passwords"?
Later, after he was fired and had no reason to care about the minutia of the security policy, he still didn't give up the passwords. That was the illegal part.
Re: (Score:3, Insightful)
He was getting fired anyhow so why would breach of contract even matter? He was a self entitled neckbeard and dug his own grave. Give out the passwords and wash your hands of it.
Re: (Score:2)
Terry Childs didn't have the right to decide who got the passwords and who didn't. He was no longer an employee.
Use the "Politician's Friend" (Score:3, Funny)
"I don't remember."
More important knowledge (Score:5, Insightful)
There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.
Re: (Score:3)
Yeah, I was just wondering the same thing. I mean, I agree with the others here who believe that employees have a responsibility to hand over passwords when departing, but where does it stop? After all, if we have a responsibility to hand over our memory of that item, why not others? If I'm the only person who knows how to run a system, do I have a legal responsibility to document it fully before I depart, even if I live in a place with at-will employment in which I'm supposed to be able to just get up and
Reset? (Score:2)
Re: (Score:2)
Next time (Score:2, Interesting)
just root the servers, give the passwords back the change them.
This is also an epic fail on the other side (Score:5, Insightful)
Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.
But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.
Re: (Score:3)
I doubt that. In the worst case, he could have handed a sealed envelope to his lawyer with the express instruction of handing them over to a representative of the city that is required to keep client secrets secret, like a city lawyer. Then he would have handed over the passwords, but the city lawyer would not have seen them or would have to violates the law in using them. Something quite similar could have done with an independent notary, namely handing over the keys to the notary in a sealed envelope and
Back when I admined systems ... (Score:5, Interesting)
When I left, I handed him the key to my desk and said, "You know where they are."
Re:Back when I admined systems ... (Score:5, Informative)
When I left my last job (where I had root on a lot of servers), I had my replacement and staff watch my replacement enter the new root passwords (that only he knew), and delete my personal accounts.
I think that's a bit better than the person who's leaving continuing to know a shared secret.
I thought this was standard (Score:3, Insightful)
Wrong thing to withold. (Score:4, Insightful)
Your employer owns their hardware, including the "keys" to get into it.
Childs screwed up by withholding entirely the wrong sort of information. You don't pitch a fit and refuse to give them the passwords - You give them exactly what they've asked for and then watch in glee as they realize they don't have the faintest clue of what to do with those passwords.
Picture a fairly simple small-scale corporate WAN. Three separate subnets. Nothing massive in scale.
Now imagine they "no longer need your services" after three years of uninterrupted service.
Now imagine that you haven't persisted the router configs and they lose power.
Now imagine a non-technical city manager trying to figure out why he can't get to facebook, and demanding passwords from you.
When you stop laughing...
Yes, you can still thoroughly document your infrastructure for your successor, for the (most likely) scenario where you peacefully move on and want to help the poor bastard out. But if you suddenly find yourself "redundant", well, "here you go, all the passwords. Good luck, and I charge $1500/hr as my standard consulting rate".
social engineering from hire (Score:4, Interesting)
After finding out that he concealed material information during a background check, my opinion is that his permission to touch the network at all, even within the scope of his employment duties, was procured fraudulently and his entire CAREER with the city has been one huge social engineering attack, starting when he lied about his criminal history to people who almost certainly would have had ample grounds to decline to have hired him in the first place.
Withhold your employer's passwords... (Score:3)
... go to jail. Go directly to jail. Do not pass Go, do not collect $200. Nobody's surprised by this. It's his employer's network, after all, it's their passwords. If they decide to replace you as sysadmin, the only right you have is to insure they and not you are responsible for any problems that ensue (eg. "I will not give you my current password. I will initiate the password change process, enter the current password, and then wait outside the room while my replacement enters his new password. If there are any difficulties, I will assist by re-entering my password and/or unlocking the system until my replacement has successfully changed the password to something not known to me. This is to insure that after the hand-off I no longer have any access to the system.").
And yes, I've done the moral equivalent of that. Not with a root account, obviously, but when leaving a job I would deliberately fail enough login attempts to lock my user account and made sure they had notice of this and I had a paper trail proving they did. I figure that way they don't have to worry about me accessing the systems, and I don't have to worry about being accused of messing with them after I've left (well, I could be accused but I had the evidence to counter the accusation).
Compare to private industry? (Score:4, Insightful)
There are two groups arguing here - I think both may be missing the point.
Group 1: The passwords belong to your employer, turn them over. It's his fault, because he refused.
Group 2: He may have been paranoid, but he was really just following policy: don't give passwords to unauthorized people.
Regardless of which side you are on, ask yourself this: How would this scenario have played out if he worked for a private company? Consider that, in the end, he *did* hand over the passwords to the mayor, i.e., the "big boss". What would a private company have done?
- They wouldn't be claiming $1.5 million in damages - an absurd figure.
- They wouldn't try to prosecute him and throw him in jail. Bitter firings happen, life goes on.
- The *only* likely retribution would be: "don't use us as a reference".
Sending the guy to jail and suing him for more than his net worth? It takes a government to waste resources on that sort of idiotic vengeance.
The strongest evidence (Score:5, Insightful)
To me, these two paragraphs from the court document are the most damning evidence against Childs:
It's not just that he did these things – which were highly questionable, but might possibly have had some legitimate justification – but that he did them immediately before being placed on administrative leave, when he knew his employers wanted to relocate or fire him. The timing leaves little doubt of his intent.
The password is not the issue (Score:3)
The password is not the real issue here... it's a distraction. The real issue is that Terry Childs apparently deliberately caused a lot of unnecessary expense and hassle to his employer. It doesn't really matter whether he did it by withholding a password or going through the drop ceilings cutting ethernet cables... the net effect was the same.
Re:Never getting a dime can do 4 years (Score:5, Informative)
Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.
Re: (Score:2)
It is a bad practice to give your passwords to non-employees.
Re: (Score:3)
"except that nobody ever loses their job as a bus driver. public unions ftw!"
Liar.
Google: "bus driver loses job".
About 1,840,000 results (0.32 seconds)
Re: (Score:3)
If they had physical access to the systems, they should have been able to reset the passwords. Now, if he was intentionally prohibiting them from accessing the systems, after being fired, then he was doing something criminal. If, on the other hand, he was withholding passwords while working there - and being tasked with security for the network - then he did nothing wrong.
Of course they had physical access. To hundreds of individual devices scattered throughout a large city, requiring weeks and hundreds of hours to touch them all. Don't forget you have to power-cycle the devices to do a password recovery, so all that work has to happen during non-critical hours. Terry decided that a poorly written internal security policy document would serve him as a legal shield while he stood on his, arguably, warped principals. Terry was very, very wrong.