Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Withhold Passwords From Your Employer, Go To Jail?

Unknown Lamer posted about 10 months ago | from the bad-plan-with-expected-results dept.

Crime 599

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

cancel ×

599 comments

Sorry! There are no comments related to the filter you selected.

hm.. (-1, Offtopic)

Anonymous Coward | about 10 months ago | (#45332797)

Sometimes you have to yolo before you can swag.

Passwords are property of the employer (5, Insightful)

ackthpt (218170) | about 10 months ago | (#45332799)

I don't care if you made them up, they are the property of your employer.

Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

Re:Passwords are property of the employer (0, Funny)

Anonymous Coward | about 10 months ago | (#45332851)

So passwords are property now? Fine. You have used my password for a while now. Pay up or go to jail.

Re:Passwords are property of the employer (5, Insightful)

s.petry (762400) | about 10 months ago | (#45333009)

While funny, the issue is not with a personal password. These are passwords for infrastructure. It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

Could the company get a new set of passwords? Sure, same as the truck company could get a new set of keys made. But while they were waiting to access their property they lost money at a minimum. Since they were not _your_ trucks or devices you have no right to refuse to give them their keys back.

Re:Passwords are property of the employer (5, Insightful)

noh8rz10 (2716597) | about 10 months ago | (#45333035)

It's kind of like working for a trucking company and taking the truck keys with you when you quit, except that it sounds like this was a pretty big ass truck (thinking in $$).

it basically shut down the city of san francisco for at least two weeks. they held the guy in jail, but he refused to divulge. the mayor even went to the jail to ask him personally. he deserves prison.

Re:Passwords are property of the employer (0)

s.petry (762400) | about 10 months ago | (#45333113)

I agree with you completely.

Re:Passwords are property of the employer (0, Interesting)

Anonymous Coward | about 10 months ago | (#45333165)

It's worse than that. He threw all of the spare keys into the ocean and then took the keys. The problem isn't that he wasn't saying his password, but that he had modified the system so that only his password worked, which was the malicious action. If it had been some oversight on the part of the employer that they fired the only employee without asking that such password be divulged or a second admin account be created he wouldn't have that obligation communicate his password.

Re:Passwords are property of the employer (1)

Anonymous Coward | about 10 months ago | (#45333245)

He went a step further and rigged the trucks to explode (erase all data on the network) if they were started without his own key, even if they managed to recover and use one of those spare keys.

Re:Passwords are property of the employer (1)

Livius (318358) | about 10 months ago | (#45332855)

It's no different than physically walking out with the hardware.

In fact, I think it already falls under some form of trespass.

Re:Passwords are property of the employer (-1)

Anonymous Coward | about 10 months ago | (#45333125)

The Terry Childs case is exactly the kind of flamboyant homosexual drama you'd see from all the predominantly-borderline disorder inhabitants of San Francisco. In any sane city, the deal would have been handled amicably and both parties would have been compensated and secured to a mutual benefit.

It was a big deal on Slashdot when it first broke, Terry Childs was. You had the seasoned doo-gooders versus the purist idealogues, and the argument went pretty well. Now, like a hangover, we want to forget Terry Childs ever happened, and for good reason - Terry was probably snorting meth and up for the third consecutive day in and out of bathhouses, butthole gaping with the runoff of light bleeding and lube, when he decided to behave like a loon and tell the fucking city, "Look, I'll show the word how crazy I am if it means showing the world how stupid and incompetent you are! Bwahahaha!"

Re:Passwords are property of the employer (-1)

Anonymous Coward | about 10 months ago | (#45333149)

It's no different than physically walking out with the hardware.

In fact, I think it already falls under some form of trespass.

Besides the fact you're not PHYSICALLY walking out with anything... idiot.

Re:Passwords are property of the employer (2)

hawk (1151) | about 10 months ago | (#45333075)

As an attorney, I could easily see prosecuting these under traditional property crimes, as well: a password is a type of property, and taking it could be larceny, for example.

Such laws certainly make the prosecution easier (to the dismay of my criminal law partner)

hawk, esq.

Re:Passwords are property of the employer (0)

Anonymous Coward | about 10 months ago | (#45333231)

A password is not property, and in fact a properly engineered security design, you'll never find the password in the permanent memory of the system, it has no presence and as such is not a "thing" beyond a reasonable doubt thus Taking it can't be larceny. To use it without authorization to do so may be trespass. Using a password it to remove all other passwords to access a system and then refusing to divulge it borders on conversion, but not beyond a reasonable doubt on those facts along (you'd also have to show that the system was used beyond any possibly reasonable scope of the employment, such as after the fire date) , but both offences, trespass, and conversion, are in relation to the computer system the password gives access to, rather than the password per se.

Re:Passwords are property of the employer (1)

Frosty Piss (770223) | about 10 months ago | (#45333079)

I don't care if you made them up, they are the property of your employer.

Now the stupid thing here is Terry doesn't just engage in "burning bridges", but does it with himself standing in the middle. I can't feel pity for this fool.

It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?

Re:Passwords are property of the employer (5, Insightful)

PlusFiveTroll (754249) | about 10 months ago | (#45333137)

Well, first a bunch of time has passed giving people time to think. It's not an 'unfolding story' either, all the details are out there. And lastly, 5 years is time for many slashdotters to get older/grow up. It's easy to make a weird judgement on property when you're young and don't have any, but all of a sudden you're 30 and you have a house, car, and a well paying job you tend to look at things differently.

Re:Passwords are property of the employer (4, Interesting)

ShanghaiBill (739463) | about 10 months ago | (#45333173)

It's interesting that this seems to be the prevailing opinion now. But when this all went down, Terry Childs was the Slashdot Poster Child. Why have opinions changed?

I think that the main reason opinions changed was because when the story was first reported, the journalists got almost every fact wrong.

Re:Passwords are property of the employer (0, Troll)

Anonymous Coward | about 10 months ago | (#45333101)

A password is not property, it's information. If my employer or ex-employer wants access to my accounts they can reset my password. I'll never divulge it to them.

Re:Passwords are property of the employer (2)

JDAustin (468180) | about 10 months ago | (#45333127)

Buts its not your accounts we're talking about here. It's account belonging to the employer that you were hired to manage.

Re:Passwords are property of the employer (0)

Anonymous Coward | about 10 months ago | (#45333195)

Buts its not your accounts we're talking about here. It's account belonging to the employer that you were hired to manage.

If it's the employers account then it's their responsibility to get access to again. What if the guy died from a heart attack? It's not like he's embezzling funds, he's simply withholding information from an ex-employer.

I've refused to give employers passwords before. In one case I refused because:

A) I already provided it in documentation when I left.
B) They owed me back pay for work.
C) They were jerks.

Re:Passwords are property of the employer (0)

Anonymous Coward | about 10 months ago | (#45333145)

""cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords.""

and not the complete idiots of the company for leaving there passwords with one person, and not having a way to access by way of a default password. his lawyer must have been an idiot as well if he didn't make that argument.

Re:Passwords are property of the employer (2, Insightful)

Anonymous Coward | about 10 months ago | (#45333251)

Couple of observations.

1: Taken to it's logical conclusion, the right to own the knowledge in someone Else's head is tantamount to slavery. Please do not attempt to extend property rights in this direction; teachers owning the knowledge in students heads is perverse usury; is demonstrably destructive to the progress of society and technology and you know it.

2: It has been ruled time and time again, it's the Employers sole responsibility and privilege to define, audit, move, add, change, and revoke security systems access; an employer the size of San Francisco has no excuse to strictly control such. There is no implicit lawful requirement for computer users to retain Login information during or after termination of employment unless the employer writes a contract and even then, it's a civil requirement. There's a perfectly plausible reason for an employee to destroy such information; namely to exonerate oneself from the use of such logins against the company after their termination by other individuals within the company (E.G. Other Techs hacking your logins and going payroll fishing from a vpn with it). Even while employed, There's a fine line between will-full destruction of property and incompetence.

3: Quoting the law:
"(5)Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."

That's what he was found guilty under. What systems administrator or programmer would do business in the state of California with such a vague law? Be Incompetent, Fuck up, have a vengeful boss, go to jail. That's what this case is really about; the ability of state officials to fail to routinely document and confirm systems access by employee's whom make 100k+ a year who's job responsibility is to configure and maintain tens of millions of dollars of mission critical gear to toss your ass in jail on the flimsiest of reasons because they don't want to be bothered with kindergarten simple shit.

Even if he really was a malicious, self-serving, rent-seeking prick, being convicted under that law is complete and total bullshit.

God (-1, Offtopic)

TempleOS (3394245) | about 10 months ago | (#45332803)

Blaspheme the Holy Spirit? Unforgivable sin. ---- 22 And the teachers of the law who came down from Jerusalem said, “He is possessed by Beelzebul! By the prince of demons he is driving out demons.” 23 So Jesus called them over to him and began to speak to them in parables: “How can Satan drive out Satan? 24 If a kingdom is divided against itself, that kingdom cannot stand. 25 If a house is divided against itself, that house cannot stand. 26 And if Satan opposes himself and is divided, he cannot stand; his end has come. 27 In fact, no one can enter a strong man’s house without first tying him up. Then he can plunder the strong man’s house. 28 Truly I tell you, people can be forgiven all their sins and every slander they utter, 29 but whoever blasphemes against the Holy Spirit will never be forgiven; they are guilty of an eternal sin.” 30 He said this because they were saying, “He has an impure spirit.”

Seems fine with me. (5, Insightful)

dukeblue219 (212029) | about 10 months ago | (#45332815)

I don't have a problem with this. The company may have been dumb to put this much power in one person's hands, and perhaps they got what they had coming in someone's eyes, but it doesn't excuse this behavior. If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

Re:Seems fine with me. (0)

Jah-Wren Ryel (80510) | about 10 months ago | (#45332909)

If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

What kind of idiot budgets for a server room with a steel door that takes weeks to break down but doesn't include a duplicate key for the security office to hold? Why isn't that idiot the one in jail? What if you lost the key, would you still be OK with being sent to jail for not returning it?

Re:Seems fine with me. (3, Insightful)

Livius (318358) | about 10 months ago | (#45332933)

What kind of idiot

Management.

Re:Seems fine with me. (2)

Delarth799 (1839672) | about 10 months ago | (#45332977)

Intentionally withholding the key is different from losing the key because when you lose it then you let your employer know right away. Although the analogy used wasn't the greatest either because in this case the city was unable to use the network for a period of time, not just manage it. In this case it would more like he cut off connection to the server room and constructed a barricade inside to keep people out.

Re:Seems fine with me. (0)

Anonymous Coward | about 10 months ago | (#45333033)

Do you not understand that a metaphor is being employed here? Namely, likening a physical object to its computerized equivalent? Or are you being obtuse on purpose?

Re:Seems fine with me. (1)

The Grim Reefer (1162755) | about 10 months ago | (#45333039)

If I had the only key to the server room and got fired but didn't turn in the key, I would expect retribution of some form, especially if the office had a steel door that took weeks to break down.

What kind of idiot budgets for a server room with a steel door that takes weeks to break down but doesn't include a duplicate key for the security office to hold? Why isn't that idiot the one in jail? What if you lost the key, would you still be OK with being sent to jail for not returning it?

But that's different from with Terry Childs did. He didn't accidentally lose the key. He let everyone know that he still had it and wouldn't return it. Normally I wouldn't side with the company as readily as in this case. They should have never had him (or anyone) be the sole gatekeeper. But Mr. Childs chose to be a complete ass, and probably got exactly what he deserved.

Re:Seems fine with me. (1)

JDAustin (468180) | about 10 months ago | (#45333139)

We''re not talking about a company (where the idiots are weeded out), we're talking about a local government (where the idiots are promoted; especially if they are related to a politico).

Re:Seems fine with me. (1)

ArchieBunker (132337) | about 10 months ago | (#45333151)

Are you 12 years old or just an idiot?

Re:Seems fine with me. (2)

MrEricSir (398214) | about 10 months ago | (#45332987)

"The company" in this case was San Francisco city hall. Local governments aren't exactly known for their IT prowess.

Re:Seems fine with me. (2, Insightful)

Anonymous Coward | about 10 months ago | (#45332999)

This is subtly different. In my eyes, once the employee has been fired, they are really under no obligation to help their now ex-employer with much of anything. Of course, having a password in your head and a key in your pocket are different things, the company has the burden of due diligence to be sure you turn in the key, security badge, whatever before you walk out the door. If they don't have a password, that's their own fault. The key and lock equivalent would be I get home, having just been fired, and all the keys, security badges, whatever I have should (morally and legally) be shredded, burned, or otherwise destroyed.

HOWEVER, this isn't a case of due diligence. This guy went to great lengths to not only ensure no one else had access, but actually booby trap the system. That in and of itself should be grounds for firing and criminal charges. The only difference here is that they didn't find out what he had done until after he was fired, which doesn't change the fact that he was committing a crime in the first place.

Re:Seems fine with me. (1)

InfiniteLoopCounter (1355173) | about 10 months ago | (#45333141)

Have to agree with the senitment here. The company is at fault because he could have gone under a bus or something and there would be no way to recover the data.

He should have claimed amnesia.

Re:Seems fine with me. (0)

Anonymous Coward | about 10 months ago | (#45333189)

What company would that have been? You mean the city of San Francisco, his former employer?

His old bosses were clueless. I think he got confused when thinking about the need to keep his old bosses from f*cking up the system, with f&cking up the system by withholding the infrastructure keys. The reason for the huge bill to reset passwords was proof of his former bosses incompetence.

Never getting a dime can do 4 years (-1)

Anonymous Coward | about 10 months ago | (#45332817)

Standing on my dick. They are much more fucked than he is and they got what they deserved.

Re:Never getting a dime can do 4 years (5, Informative)

Grishnakh (216268) | about 10 months ago | (#45332871)

Um, if I remember this case correctly (it's been several years now I think), he DID give them the passwords, but not directly, he insisted on giving them to the city's mayor.

How, how HOW (5, Insightful)

Anonymous Coward | about 10 months ago | (#45332819)

HOW!(!) is this a surprise to anybody? It's extortion, plain and simple.

Re:How, how HOW (3, Informative)

dukeblue219 (212029) | about 10 months ago | (#45332831)

Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.

Re:How, how HOW (0)

Anonymous Coward | about 10 months ago | (#45332893)

"Oh you know I keep all those in my password vault, and like a responsible person I removed all work files from my personal systems when I left. Sorry can't help you."

Re:How, how HOW (0)

Anonymous Coward | about 10 months ago | (#45332915)

That's why I find this a little scary. While he was a colonic asshat, what's to stop another employer going after an ex employee who didn't do anything wrong.

Consider case: employee terminated, so changes all passwords, prepares a working list and hands it to employer. Employer (through malice or incompetence), destroys old list. Employer "forgets" new passwords, calls police on old employee. Old employee goes directly to jail, does not pass Google, does not collect 200 passwords.

Re:How, how HOW (1)

DarkSoul42 (1241266) | about 10 months ago | (#45333027)

This is the reason why you sign a discharge/handover document upon leaving a company, even if you are fired "on the spot" :
- to prove that the employer DID notify you of what was subject to non-disclosure
- to prove that the employee DID return any assets (physical or otherwise) he was in charge of
- to prove that the employee DID proceed to skill transfer/handover of technical expertise, or important information (which means : you don't get sued for any software/hardware crash after you left, as long as it was in the handover/transfer scope; because the remaining staff is therefore supposed to be able to deal with it ; supposed being the keyword of course)

If you have such an agreement, which is dated written evidence, then an employer can't pull this on you. If he does and destroys the passwords, well, tough luck, it's all on his head.
If you don't have an agreement like that, then you need to level up in CYA skills, or if your employer refuses to give you one such agreement then you needed a new employer anyway.

Re:How, how HOW (1)

Anonymous Coward | about 10 months ago | (#45333175)

Now you're adding details that aren't in the original. Differences between cases can make or break a defense, and something like actually giving the employer a password list for them to use in your absence is a powerful show of due diligence. That employee is not going to jail.

Here's what actually got the article's asshat sent to jail:
"he knowingly prevented the city from being able to use its own computer system for a period of time, deliberately configured that system so that no one else could access it, set it up so that anyone other than him attempting to enter it would erase the data stored in it, and made the network more vulnerable to external attack by the filing of an unauthorized copyright application"

That goes far beyond an employee (ex- or otherwise) who didn't do anything wrong.

Re:How, how HOW (1)

taustin (171655) | about 10 months ago | (#45333135)

Yep. He didn't even just conveniently "forget" the password after he was fired, but apparently set this all up well in advance to intentionally disrupt their business. Dumb move.

As I recall, the "business" involved included their 911 system, didn't it?

Exactly right (5, Insightful)

Pirulo (621010) | about 10 months ago | (#45332825)

The passwords are like the key to the office. You have to return them.

Exactly Wrong (0)

Anonymous Coward | about 10 months ago | (#45332997)

The people who need them should already have them at all times.

Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

Or hey. Maybe your employer is a moron. And he really really does expect you to know the password for $somedevice you never touched and never used.
But it's 'computer stuff' so you know all that stuff because thats your job. You're the computer guy.... Right?

I sure wouldn't want to be the 'computer guy' for anyplace that will send you to jail just because you forgot a password...
And they won't take 'i forgot' as an answer because not handing it over is a crime worthy of jail.

captcha:unjust

Re:Exactly Wrong (5, Informative)

taustin (171655) | about 10 months ago | (#45333159)

The people who need them should already have them at all times.

Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

Or hey. Maybe your employer is a moron.

That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

And keep in mind, the network in question included their 911 system.

The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

Re:Exactly right (0)

Anonymous Coward | about 10 months ago | (#45333049)

Not until I've been paid in full, you bastards.

Re:Exactly right (1)

noh8rz10 (2716597) | about 10 months ago | (#45333051)

this situation is more like, this guy made sure there was only one key to the entire government IT, then took it with him when he left. he shouldn't be surprised that he sits in jail.

Re:Exactly right (1)

Jody Bruchon (3404363) | about 10 months ago | (#45333099)

Clearly he needs to re-read most of the Bastard Operator From Hell series.

Re:Exactly right (1)

formfeed (703859) | about 10 months ago | (#45333147)

The passwords are like the key to the office. You have to return them.

I think they are more like the pin code you would use to let yourself into the building. In which case as a honest employee you would disable your code before leaving the company ... :)

Re:Exactly right (1)

Pirulo (621010) | about 10 months ago | (#45333253)

Not quite. The guy was as well the pin maker and pin administrator. So disabling your pin would be akin to rendering the door lock unusable.

yes, withholding passwords can, as expected (0, Troll)

rubycodez (864176) | about 10 months ago | (#45332829)

good, justice served. usually I'm on the employee's side of things, but perp committed a crime, it's stealing, sabotage and extortion to do that

Seems obvious enough. (1)

Anonymous Coward | about 10 months ago | (#45332837)

When you lose your job as a bus driver, you have to return the ignition keys to the vehicle. Duh.

Another sensationalist headline which suggests a far different story than the one in the actual story.

Re:Seems obvious enough. (0, Troll)

noh8rz10 (2716597) | about 10 months ago | (#45333059)

When you lose your job as a bus driver, you have to return the ignition keys to the vehicle. Duh.

Another sensationalist headline which suggests a far different story than the one in the actual story.

except that nobody ever loses their job as a bus driver. public unions ftw!

Invoice (1)

Anonymous Coward | about 10 months ago | (#45332839)

He should have just invoiced them for his time to document them as a contractor at a really ridiculous rate.

Something about Betteridge (5, Insightful)

Anonymous Coward | about 10 months ago | (#45332843)

I've simplified the submission:

Withhold Passwords From Your Employer, Go To Jail?

Yes

History rewritten (4, Insightful)

guruevi (827432) | about 10 months ago | (#45332849)

Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords. There are several other red flags in this case but $1.5M to regain access over some routers? Seems like gross incompetence on various levels.

Re:History rewritten (1)

Ralph Wiggam (22354) | about 10 months ago | (#45332889)

Terry Childs did not want to divulge the passwords to an entity that didn't have the right to said passwords.

So what's the "real" history here? How could the company not have the right to the passwords?

Re:History rewritten (3, Insightful)

Anonymous Coward | about 10 months ago | (#45333023)

How could the company not have the right to the passwords?

The company DID have the right to the passwords, Childs simply tried to argue that since he "built" the system and all it entailed, it was his personal property.

Which was a fucking stupid argument.

Re:History rewritten (4, Informative)

Fallen Kell (165468) | about 10 months ago | (#45333031)

He was asked to give the passwords over during a meeting with several people who had not signed the appropriate papers for having said access and had not been documented by information/system security for having a right to the passwords. There was also a conference call being held on the phone in the room with unknown persons who would have then also been privy to the password divergence. Terry simple say "no" to diverging the passwords in that location, at that time, in that manner. In his contract, he had a duty to protect the passwords, and he was still an employee at that time. Giving up the passwords in that location at that time would have been a breach of his contract and he could have been fired on the spot for doing so. He was placed in an impossible situation, where they were firing him if he gave them the passwords or didn't give them the passwords. At that time, no one from security had authorize anyone else to have the passwords, and as such, Terry did the only thing he felt was correct, which was to attempt to give them to the only person who was in charge of the system, which was the mayor, who could then give them to whoever he felt like, in whatever manner he thought he should since it was not written in any contract that he had to protect the passwords or be fired for giving them to someone who had not filled out the proper paperwork and been given approval to have them and doing so in a location where only the person who had been authorized to have them would receive them.

Re:History rewritten (1)

Anonymous Coward | about 10 months ago | (#45333167)

Who voted this crap up?

Go read the judgement, it paints a VERY different picture.

Re:History rewritten (1)

Ralph Wiggam (22354) | about 10 months ago | (#45333185)

Terry simple say "no" to diverging the passwords in that location, at that time, in that manner. In his contract, he had a duty to protect the passwords, and he was still an employee at that time.

And instead of explaining that he would be happy to give the password to an authorized person in an authorized context, he just hung up the phone? That was the worst possible way he could have handled that.

Half the story (2)

jklovanc (1603149) | about 10 months ago | (#45333257)

He did not just refuse in that one instance. He was then fired and still refused to give the passwords to his duly authorized replacement. Had he felt he was improperly fire a wrongful dismissal suit was in order not withholding passwords.

Re:History rewritten (1)

Anonymous Coward | about 10 months ago | (#45333037)

Basically, the IT policy summed up as the Mayor being the only person authorized to receive the passwords. They arranged the teleconference to provide the passwords, which he was at all times willing to do, and he asked "is there anyone else listening to this conversation?"

When the Mayor confirmed that, yes, others were listening, Terry ended the call (what part of "can't provided passwords to unauthorized people" did they not understand?).

*Technically*, Terry followed the book. The book was written by idiots, but that's not his fault.

It was a stitch-up long before that point, but they proved exactly what he feared - CYA just doesn't matter when it's the government, just like the law doesn't either apparently (which we've seen more and more of since).

Re:History rewritten (2, Insightful)

ArchieBunker (132337) | about 10 months ago | (#45333177)

He was getting fired anyhow so why would breach of contract even matter? He was a self entitled neckbeard and dug his own grave. Give out the passwords and wash your hands of it.

Re:History rewritten (1)

Ralph Wiggam (22354) | about 10 months ago | (#45333229)

He was a self entitled neckbeard and dug his own grave.

The more I read into this, the more that's what it sounds like. Not a big mystery why so many people here are defending him.

Re:History rewritten (1)

dugancent (2616577) | about 10 months ago | (#45333041)

Terry Childs didn't have the right to decide who got the passwords and who didn't. He was no longer an employee.

Re:History rewritten (0)

Anonymous Coward | about 10 months ago | (#45333123)

Terry Childs didn't have the right to decide who got the passwords and who didn't. He was no longer an employee.

If he's no longer an employee he doesn't have any obligations to his previous employer.

Re:History rewritten (1)

MarkvW (1037596) | about 10 months ago | (#45333107)

Terry Childs arrogated to himself the right to decide who had the "right" to said passwords. The passwords belong to the PUBLIC, not him. Terry Childs doesn't have the right to make that decision. Terry Childs was a nutcase.

He got overprosecuted, though. That's for sure.

Re:History rewritten (0)

Anonymous Coward | about 10 months ago | (#45333171)

This! The passwords do indeed belong to the public.

So that we don't have a repeat of this situation, we need to make every member of the public aware of what the passwords are. The public should be able to fully enjoy the passwords paid for by their tax dollars.

Re:History rewritten (1)

Anonymous Coward | about 10 months ago | (#45333201)

What history was re-written? Was it you ignoring this vignette from TFA (boldface added by me)?
"he knowingly prevented the city from being able to use its own computer system for a period of time, deliberately configured that system so that no one else could access it, set it up so that anyone other than him attempting to enter it would erase the data stored in it, and made the network more vulnerable to external attack by the filing of an unauthorized copyright application"

None of that relates to a simple story of not wanting to give up the keys to the system. This is full-blown malicious intent.

Use the "Politician's Friend" (3, Funny)

Anonymous Coward | about 10 months ago | (#45332861)

"I don't remember."

Re:Use the "Politician's Friend" (1)

Tablizer (95088) | about 10 months ago | (#45333153)

"What? 6OFUKYRSLF doesn't work? I'll be damned!"

Lesson (0)

Anonymous Coward | about 10 months ago | (#45332869)

Get the passwords first then do the firing....

More important knowledge (4, Insightful)

Ukab the Great (87152) | about 10 months ago | (#45332875)

There's far more significant knowledge you take with you that you're not legally required to give up (procedures setting stuff up, what vendor bugs to work around, what authentication scheme, whatever). No need to go to jail over passwords when there's plenty of other petards for a former employer to hoist themselves on.

Reset? (1)

TheRealMindChild (743925) | about 10 months ago | (#45332885)

What system is there no way to reset the passwords? I'm having a hard time thinking of an OS/Embedded device that doesn't have a password reset mechanism or a means to overwrite the previous password with a boot disk

Re:Reset? (1)

Riceballsan (816702) | about 10 months ago | (#45332919)

Have you never heard of systems that are encrypted? There's no shortage of things that don't give solid means to reset them without loss of data.

Re:Reset? (1)

akgooseman (632715) | about 10 months ago | (#45333001)

If I recall, the system configs hadn't been saved to non-volatile memory. Reloading the routers as part of a standard Cisco password recovery/reset would have resulted in empty configs. As much as SF city government hated Terry Childs, they apparently loved his network equipment configs.

Re:Reset? (1)

Fallen Kell (165468) | about 10 months ago | (#45333087)

That is/was actually best practices for a secured network. One of the exploits for gaining access to the network required rebooting the network equipment so that it would load code injected by the attacker either from local/physical access or remote access. By having all the settings wipe, the attacker would trip monitoring sensors (due to the network segment going down) as well as not be able to gain any more information about the network from the device that was breached.

However, usually when this is done, a network backup copy of the config is located somewhere that the admin knows. Terry very well could have had such backup copied, but since the city had already fired him, he felt no obligation to give them any more information than what was already documented (which very well may have been saved in a readme, or disaster recovery document that was available somewhere on the network, but again, he was fired on the spot and thus, should not have had any obligation to tell them where to go looking other then between his cheeks as he walked out the door).

Best practices (1)

Anonymous Coward | about 10 months ago | (#45332887)

I'm sorry, but it's really a best practice to NOT have one person "holding all the keys" - EVER. As a consultant, I make sure ALL my clients have copies of everything, along with myself... just in case I get abducted by aliens or something!

Same should go for ANY IT situation.. that I can think of, at least.

Re:Best practices (1)

BradMajors (995624) | about 10 months ago | (#45332951)

It is a bad practice to give your passwords to non-employees.

Re:Best practices (0)

Anonymous Coward | about 10 months ago | (#45333015)

Well let's just give you a damn cookie already.

Re:Best practices (0)

Anonymous Coward | about 10 months ago | (#45333069)

I enjoy oatmeal WITHOUT raisins the most.

Next time (1, Interesting)

future assassin (639396) | about 10 months ago | (#45332897)

just root the servers, give the passwords back the change them.

Re:Next time (1)

Anonymous Coward | about 10 months ago | (#45333029)

Just use better grammar.

I'm waiting for the cautionary tale... (0)

Anonymous Coward | about 10 months ago | (#45332899)

...that ends with the NSA contractor refusing to give up the encryption keys to the vault, and us finding out later the NSA somehow managed to get through "unbreakable" crypto...and quickly.

Perhaps then we can all just absorb the true gravity of security these days instead of laughing at the tin-foil hatters still in shock over the wake of Snowden.

Precedent? (1, Interesting)

Oceanplexian (807998) | about 10 months ago | (#45332901)

Doesn't this set dangerous precedent?

Plenty of organizations have dozens or hundreds of passwords. Is it really the employee's responsibility to remember each and every password and keep records of them indefinitely after employment? Should I be required by law to produce network diagrams?

Yes, this guy was a douchebag, but he shouldn't have to turn over anything.

Access control policy is the responsibility of the employer. If they fail to set policy or fire employees before it's too late, it's their own damn fault. This is just another example of mismanagement backed by a broken justice system.

Re:Precedent? (0)

Anonymous Coward | about 10 months ago | (#45333121)

The part you're overlooking is that the passwords are the property of the company, not the administrator. This isn't really any different than a security guard or janitor keeping the door keys.

This is also an epic fail on the other side (4, Insightful)

gweihir (88907) | about 10 months ago | (#45332911)

Any sane organization of this size has a password policy that ensures critical passwords are recoverable. Any sane organization makes sure to not have a single-person dependency like that.

But Childs really lost context: It was not his network. He had no business trying to enforce anything. The SF IT department may run their networks as stupidly as they chose, and while this may lead to criminal and civil liability on their part, it does not lead to any accountability towards Childs.

Back when I admined systems ... (5, Interesting)

PPH (736903) | about 10 months ago | (#45332917)

... passwords were in a sealed envelope in my desk drawer, locked. That way, if I got hit by a bus, the boss could break into the desk and hand envelope over to my replacement.

When I left, I handed him the key to my desk and said, "You know where they are."

Re:Back when I admined systems ... (1)

Tablizer (95088) | about 10 months ago | (#45333203)

I gave the envelope to the bus driver

I thought this was standard (2, Insightful)

Riceballsan (816702) | about 10 months ago | (#45332983)

I know long before the terry childs case, I remember my IT teachers explaining that if you took off with passwords etc... to anything they didn't have an account over, the standard response is to hire some rediculously overpriced person who is paid by the hour to gradually break into it, then have the courts foot you the bill. I don't get why this is shocking. The Terry Childs case was a bit of an exception, namely because of his claim that the person who he was under the impression he was supposed to give the information too, was not present. IE childs was not saying he wouldn't give the password unless he was rehired or paid. He was explicitly saying he was going to give the password, but not to the middle manager who was asking him for it. Child's case he could have been screwed either way, giving the admin password to someone who shouldn't have it, makes you liable for the damages they cause... but refusing to give the password, is also a suable offense. If you know who has the rights to the password, and have access, there's no room for debate at all

Fuck this guy (0, Troll)

stungod (137601) | about 10 months ago | (#45332995)

Seriously, fuck him. Having been on the receiving end of this kind of crap before, I'm fine with this clown going to jail. A public beating wouldn't disappoint me either.

People who set things up so they're the only ones who can make it work need to face the same kinds of penalties for malpractice in other fields. There is nothing that will make me get rid of an employee faster than job security shenanigans.

Revenge, the old fashion way (0)

Anonymous Coward | about 10 months ago | (#45333047)

You get back at employers the old fashion way, make things overly complicated to the point where they need an army of techs or programmers to figure things out. Make it cost more to replace you than keeping you on the payroll.

Best Practices (0)

Anonymous Coward | about 10 months ago | (#45333063)

Yeah, great idea, let one guy have all the control.Everyone involved got what they deserved.

Give them the wrong password (1)

Cyfun (667564) | about 10 months ago | (#45333161)

Am I the only one wondering why he didn't just give them the wrong password? If it doesn't work, they can't prove he lied about it, he can claim that someone must have tried to change it or hacked into it or something.

$1.5 million? (1)

Hamsterdan (815291) | about 10 months ago | (#45333163)

How the heck is he supposed to pay that back?

Dear Everyone, (0)

Anonymous Coward | about 10 months ago | (#45333223)

If you use a work computer, phone, PDA, or calculator, assume that whatever you do is owned by them.

As for passwords, a smart company would have set up a dual custody (http://www.fdic.gov/regulations/safety/manual/section4-2.html) relationship between multiple sysadmins, rendering the issue moot.

In fact, it's kind of required by standards like PCI-DSS and Sarbanes-Oxley

How Soon We Forget ;-\ (0)

Anonymous Coward | about 10 months ago | (#45333227)

Nobody, least the writer remembers the exact circumstances of the sorry affair. Yes Terry was a fool, and could also have been accused of being self important.

BUT! This little man, a excellently competent network and systems manager, engineered a city network that in all the time he ran it never had a single serious failure. His two mistakes ware to care too much for his domain so that he never realised as he antagonised his superiors by demonstrating to them repeatedly that they were his technological inferiors, they would be all to keen to be rid of him, no matter what the cost to the city.

Fortunately, when the day came he held firm and refused to give up the keys to these drudges. He was eventually forced by weight of law to give up the keys and do you know since then there have been so many faults and failures of this network one would think it had been either deliberately damaged.

So I say the $1.5 restitution should more rightfully be paid by those same managers.

Hmm! even the CAPTCHA agreed (crucifix)

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>