Refusal to turn over passwords amounts to hijacking

Bill Detwiler explains why a San Francisco administrator's refusal to turn over network passwords amounted to "hijacking" and why the experience reminds IT employees that they don't "own" their employer's network.

A few TechRepublic members have taken me to task for using the case of Terry Childs as the introduction for the IT Dojo video, "Five ways to keep your own IT staff from stealing company secrets". Some disagreed with my description of Childs' actions as "hijacking" and others complained that I inaccurately suggested Childs stole and corrupted data or compromised the city of San Francisco's FiberWAN. I would normally reply to each criticism within the original post's discussion thread, but I believe this situation creates a perfect opportunity to explain why I still believe "hijacking" correctly defines Childs' actions and why it's important to remember that we don't "own" our employer's network.

Holding passwords hostage amounts to "hijacking"

If you read through the stories linked to below, you'll discover that there are conflicting accounts of how dangerous or illegal Childs' actions were. For example, the City of San Francisco claimed that Childs' possession of VPN group names and passwords was evidence that Childs was a threat to the city network. InfoWorld's Paul Venezia argued against the city's claim, writing that "the [city's] portrayal of the VPN information suggested that Childs should not have had this documentation, even though he was the city's lead network admin and apparently had to maintain these lists as part of his job".

One fact, however, does not appear to be in dispute. Both before and after his arrest, Childs refused to turn over the usernames and passwords for many of the city's FiberWAN network devices to officials from San Francisco DTIS (the city's IT organization). After his arrest, Childs said he would only turn the information over to San Francisco Mayor Gavin Newsom, and he eventually did so.

I contend that Childs' act of holding the group names and passwords from their legitimate owners (senior DTIS officials) amounts to seizing the network by threat of force--one definition of the word "hijack". At this point, it doesn't appear that any city data was actually destroyed or stolen, but neither of those occurrences is required for Childs' actions to be called hijacking. At no point in the IT Dojo video did I say Childs stole or destroyed data or even brought down San Francisco's FiberWAN. I used the situation to illustrate why IT organizations should follow adequate security practices--even with their own employees.

But the argument over my describing Childs' actions as "hijacking" is a purely semantic dispute. The real crux of this situation lies with Childs' decision to not hand over the network passwords when asked and the consequences of those actions--deserved or not.

IT employees don't "own" their employer's network

From what I've read, Childs was an experienced CCIE who either single-handedly built or led the building of San Francisco's FiberWAN--a fiber network designed to connect the city's many different networks. According to Venezia:

"Following the completion of the FiberWAN, Childs looked upon his creation as art -- so much so that he applied and was granted a copyright for the network design as technical artistry. Skeptical of his colleagues' abilities, Childs became the sole administrator of the FiberWAN, and the only person with the passwords to the routers and switches that comprised the network."

From Venezia's writings and other accounts, it's clear that Childs felt a sense of "ownership" toward San Francisco's FiberWAN. Unfortunately, Childs overlooked a fundamental truth of working for someone else--be it a private corporation or government agency. Very rarely, if ever, does an IT employee "own" the hardware, software, or network they support for their employer.

I understand those who sympathize with Childs' current situation. But, the City of San Francisco paid for the equipment to build the FiberWAN. The city paid Childs to design, build, and administer the network. The City of San Francisco "owns" the FiberWAN and can thus manage it as they see fit--including locking out Childs.

In refusing to surrender the passwords to his DTIS superiors, Childs was at the very least guilty of insubordination and possibly violating California criminal statutes on unauthorized access to a computer. Now, Childs may be exonerated of any criminal charges in the end, but was his defiance worth going to jail over? Only Childs can answer that.

It's true that public protest and personal sacrifice can bring about necessary and dramatic social change. But, let's be honest. San Francisco's FiberWAN may be an amazing creation, but Childs' refusal to hand over the passwords was not a strike against a great social evil.

What happens with Childs's case remains to be seen. Regardless, all IT professionals should heed his experience and remember that there's a difference between what individuals think is "right" and what the law defines as "legal".

More information about San Francisco's case against Terry Childs:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

55 comments
butkus

I thought this was resolved years ago (1989) when network people or secretaries held the only passwords on files or the system and refused to give them up when fired. It was basically called extortion in legal terms. If you are employed by the company... you do not "own" the system nor files as "intellectual property". You were paid for that service. If he was an employee, the employer owns that work. Book-um Dan O

dkahlbaum

It's kinda sad that the "IT" people taking over the network appeared unable to password recover and get on with it. No wonder he was concerned about them running his "creation". Clearly not serious network techs.

jck

Q) Was Childs wrong for keeping the passwords from "officials"? A) Only if those officials were his "superiors". Q) Should he have been jailed for it? A) Not in my opinion. It is as much the fault of the DTIS "officials" to let one person have sole access to the network administration as it is his for keeping it from them. His act was in essence sabotage, and theirs was incompetence and negligence. So if his was punishable by jail time, then whomever above him in DTIS made the decision to let only he have the access to administrate and control access...should be terminated on the spot.

dallen3747

I didn't read anywhere what Childs expressed as his motivation for his actions. Without that, it's difficult to decide whether or not he may have somehow been a hero to San Francisco. Sometimes life gets as dramatic as fiction - or, maybe he slipped a notch or two mentally. Since he designed the system, if I read it right, did he not retain any rights whatsoever to information he believed he was protecting? Sounds like there's more to it, to me. I feel it's draconian to always side with the big guns. Will the author of the article publish a follow-up when all the information becomes public record?

jdclyde

Punks like that make us all look bad. While there has to be a system for who is to make changes, it is stupid to allow one person to kingdom build. His managers should have been fired long before it got to that point.

DadsPad

I agree that what he did was wrong, and agree that IT personnel need to be aware of, not only, their responsibility, but who is the owner of the equipment they maintain. As far as Childs, I see two problems. First, he should be given an evaluation on his mental state. He could have been under more stress than he could handle. This could make his judgement impaired, where he would make decisions he would not normally have done. The second thing, did he have any person(s) he could have consulted to see if what he was doing was the correct course. A supervisor, an attorney, etc., it seems he was making all the decisions alone. Then left out to dry.

HAL 9000

If it was just Childs alone yes I agree he did wrong. But in this case it wasn't just Childs it was the system and the way that the Officials wanted it to be. If it works we don't want to know about it and we certainly are not going to supply enough staff to do this properly. Oh and BTW please give all of these details which we have never wanted previously about the inner workings and security to this person who isn't qualified and knows even less but as we employed them yesterday to look at this it's OK. Yea Right. Security works both ways you can not expect an Individual to have everything never should but when you force them to know it all don't want to know what they do and care even less you can not expect that person who ever they be not to do as you told them to as opposed to what you are telling them now which is completely different to what was the original Brief. In this particular case Childs wasn't right but he appears to be more right than those Officials who were supposedly in charge of him and didn't do their jobs in any shape of what is acceptable either. When the Brown Stuff Hits the Fan because of Totally Incompetent Management what do they do blame the single person who is responsible for making them look so good over the previous years and then to prove their Total Incompetence they hand out to the Public Domain the very information that they were sworn to keep secret. This mess is typical of the Bureaucratic Mind Set if I don't get my way I go running to my Superiors, Everyone Concerned here is WRONG!!!!!! The biggest blame has to go to the Citizens of San Francisco as they are responsible for electing the Incompetent Officials who run the City and Propagate the Belief that She'll Be Right Mate Just my 2 cents worth though. OH and BTW when was Insubordination ever a Criminal Matter? Col

mikifinaz1

they deserve what they get. I don't let any of my knuckleheads have the "keys".

Batsy01

Sympathize? I can't imagine any profound evidence that comes out to even remotely justify this guy's actions (I don't know, something silly such as allowing the US government to record and spy on everyone using the network and then allowing them to feed everyone's credit card numbers over to Greenpeace so that they could build a nuclear weapon to take out the Falkland Islands) No one should have any sympathy for him (unless of course, he is an individual with a mental disability or behavioural disorder) Pure and simple. He had all of the passwords so he went rogue and locked everyone out. Any security guy will tell you: the major difference between a hacker and pen tester: PERMISSION. He essentially 'stole' the network and the only thing he didn't do that some hackers do is use this hijacking and extort some money from the city of SF. At least he would have had a good reason for doing this. I don't care how good he is, good luck finding a job after this one. In the words of Top Gun: "Your ego is writing cheques your body can't cash...You don't own that plane, the taxpayers do" One last thing: If he just gets insubordination, it's just another example of the inequity for the punishment of a white collar crime compared to that of a blue collar crime. Example: Barings Bank: Singapore-based options trader Nick Leeson broke the 227-year-old bank by hiding $1.4 billion in trading debt he had accumulated and was charged with fraud for deceiving his superiors about the riskiness of his activities and the scale of his losses. Sentenced to only 6.5 years and served only half of it.

sboverie

I agree with the author, Childs' actions certainly meet the definition of hijacking. It also appears that he took too much pride in the design and implementation of the network systems. This caused him to be very territorial with the system. His comments that I have read indicated that he did not trust his supervisor and justified his actions as a way of protecting his work. The punishment for his actions will depend on how those actions are defined and how he thinks of his actions now. The actions do not rise to being a crime but it was insubordinate. This is best left to the courts to decide.

Jaqui

In my opinion, any network admin who doesn't make sure that the login information is available in event of their not being there [ hospital / killed in traffic accident ] needs to be fired and the network rebuilt with new passwords. Terry Childs should not have been the only person with the information, if he is truly a PROFESSIONAL.

bcampbell

I would argue that the owners are not senior DTIS officials, but the City of San Francisco. By giving the passwords to the mayor, he gave them to the only official in charge of the City of San Francisco. I guess in reality he could have given the passwords to the citizens of San Francisco...

Tig2

At one company I worked for we went so far as to refer to all computers as "Network Connectivity Devices" (NCD) as a way to stress to our users that the device wasn't THEIR computer. THEIR computer is the one that they had at home. I may be responsible for equipment, process, projects, and software. But beyond my moral sense of ownership- that thing that keeps me doing a good job, I don't actually OWN anything that I did not create. And based on the terms of my employment, I may not own that either. In many companies I have worked for, if I created anything on THEIR time or using THEIR equipment it becomes my work product and THEIR intellectual property. In my opinion, Mr Childs unquestionably hijacked that network. They should throw the book at him.

Bill Detwiler

In an IT Dojo blog post, I explain why a San Francisco administrator's refusal to turn over network passwords amounted to "hijacking" and why the experience reminds IT employees that they don't "own" their employer's network. Original post: http://blogs.techrepublic.com.com/itdojo/?p=186 Have you ever felt like you "owned" an employer's network, system, or server that you built and managed? How far did you allow those feelings to go? Would you push back against superiors who you felt were endangering your creation? What actions would you take?

HAL 9000

The main question here is Who Had the Right to Ask for these Passwords? This is the same in any organization you do not hand over sensitive information to anyone who asks for it. What is apparent here is that those asking did not have the right to have this information and while anyone is free to ask that in itself doesn't mean that they should be answered. It's just the same as the Mail Boy walking up to the CEO and asking for access to the Executive Washroom he's free to ask but very unlikely to gain admission.

Batsy01

made by everyone. to clarify my previous statements: 1) He designed it and had all of the access 2) If his supervisors asked for the passwords and he flatly refused and gave them an explanation WHY 3) If his supervisors took the explanation under advisement and ignored his suggestions and asked the passwords and he still refuses 4) He should be fired on the spot for insubordination. 5) IF he still refuses to give up the passwords (which he did), since he is no longer an employee: he is NOW technically a criminal under the law and should be punished appropriately. (Think of it another way, you own a company. You gave X employee a company car which was brand new. You asked for keys back. Refused. Asked again: refused. Fired him and he still doesn't give it back. What would you have done? Good bet is that you probably would have called the cops.) Just because it's a network and one designed it doesn't mean anything, it's still company property which is my point. Based on all of the articles I've seen, this guy continues to refuse in divulging the information but with no explanation as to WHY. So what if the other techs are incompetent? He's not in charge of hiring, even if they were, who's to say in 6 months after he's left - they all jump ship and are replaced with monkeys. The point is, the network is not his and he doesn't own it. They asked for the information and he wouldn't give it up. So frankly I'm astonished that people believe that he shouldn't be punished. I admit throwing the book at him isn't what I had in mind since he did not use it to leverage some criminal activity etc. but IF he had given up the passwords within a few hours of being in jail or at the time of arrest, I would say slap on the wrist and a written record of what he did was fine but he decided to initiate a standoff so he's gone past breaking the plane so to speak.
Based on this source: http://www.weblocator.com/attorney/ca/law/c13.html#cac130800 Computer crimes are a max of $10K fine and/or 3 years in jail. which I think is reasonable but I don't believe that the law ever took into account if the 'good' guys went rogue. He's where he should be based on his actions. It probably seemed like a good idea at the time but when he does get out I'd like to hear what possessed him to do so because his defense lawyer hasn't said anything about a mental disorder or a lapse of insanity etc.

Neon Samurai

I don't think anyone in this particular discussion has suggested that including myself. Could the replacements not just pop the keys and continue on? They could get direct access to the machines so that limits the list of challenges down to encryption and a short list of other layers. It's possible that the network could have been so well constructed that even with physical access, one needed the right keys. There may also have been the concern of booby traps in place to eat itself if tampered with. I think I remember that being discussed in the past. The cost of having an auditor go in and open it up may have been prohibitive even though it's government and they could probably get another branch of the gov to help out.

jdclyde

for your thoughts instead of your feelings.... :p weenie.... :D As was stated back when this first came out, all the other techs were happy enough to let Childs do all the work, and the bosses were also happy to have it done. It is time for a house cleaning, top to bottom.

thisismyclone

When you have to get up at 3 ayem to fix the network, or some idiot's printer it's easy to feel not only that you have ownership, but that the network is like your child. It needs constant care and feeding and if you don't do it, it'll die. No one tells you this when you first become an IT manager. Maybe they should.

BryanReyn

As far as I have read, the network was solid - as in FULLY operational. If he had used the network for other purpose - yes. As I have not been responsible for that scale of infrastructure - I can only imagine. I doubt if any of the respondents have built (or been responsible for) anything of similar size.

john3347

I don't know how this washes out in strict legal terms but, NO organization should EVER allow one individual to have sole knowledge of information that is critical to the company's operation. NEVER........EVER !!! At least 3 people should have access to secret recipes, user names and passwords, and such critical information within a company. Such things could be saved in such a way that they would be protected from unauthorized access, but the company has made a HUGE blunder if only one person has access to such information and is thereby given power to hold the company/city hostage. The City of San Francisco is guilty of gross negligence here. The Mayor and senior city fathers' heads should roll over this blunder. Oh yes, the person who stepped through this door that the city left wide open should have a swift slap on the wrist too; but the city is the big violator here. That's my story and I'm sticking to it.

Realvdude

Did the mayor hire him? Did the mayor hire or appoint his superior that hired him? The city manager or city commission is more likely the entity that was the top of his administrative hierarchy.

Jaytmoon

This guy became obsessive. I could see him in line for an insanity defense. Look, yes you're in charge of the network, it's your "baby". But really, it's a pile of metal and silicon that someone else bought and supplied you with to do a JOB. It's just a job. You're not guarding the Holy Grail or something. Give it up when the time comes and just walk away knowing you did the best job YOU could.

tommy higbee

What most people know of this is what they read in the media. At first glance, it looks like an open and shut case. The more you look, the more it appears to be a failure of management. First of all, we're only hearing one side of this story. Childs has not been allowed to defend himself publicly, because he's been accused of a felony. Second, the one side of the story we're hearing is so wild and exaggerated that it impugns the credibility of his accusers. Childs was falsely accused of "hacking" the network. Then the existence of modems attached to routers and access points scattered throughout the San Francisco network were claimed to be proof of his intention to access the network illicitly. Note that he never was accused of illegal access to the network, he was accused of basically conspiring to have illegal access to the network. Up until this time, Childs appeared to be an extremely conscientious, knowledgeable, and overworked manager of the network. He had requested more help, but apparently they were satisfied he was able to cover it. He had requested approval of a network security policy which would have covered this sort of situation, but no one would even look at it. Suddenly, new management comes in and wants to implement a security policy. But rather than work with the person who was already there and had been responsible for years, they seemed determined to treat him as an enemy and a threat. I've seen management make bad decisions before, but I've never seen the sort of bad faith effort to marginalize and demonize someone like this before, to the point of using imprisonment and threats of prosecutions to settle what should have been an ordinary IT issue. I think whatever brought the whole issue on, management rather foolishly over-reacted, then felt obliged to carry through with their wild threats. I suspect there will ultimately be a lawsuit against the city of San Francisco for the defamation and false imprisonment of Terry Childs.
I don't think it was about the network being Childs's "baby" at all.

jak

Wow, I really enjoyed reading all of the replies here. Sounds like there are a few people here that need a reality check. If anyone really believes they have the right to keep network passwords from those who supervise them are sadly mistaken. Be a grownup about it. If you have concerns about who has access, then put something in writing and have your supervisor sign it. Make sure you state the reasons for your disagreement. Let it be known that it is a security risk and you don't agree with how it's run. Keep a copy for your records in case you are a scapegoat down the road. If this guy had nothing to hide he wouldn't have been worried about his job in the first place. For those of you complaining about the incompetence of his supervisors, you should take a look at your own security practices. I'm sure there are plenty of devices at your own location that your supervisors don't know the passwords to. Get over yourselves and just do what you are hired to do. At the end of the day, go home, play your World of Warcraft and pretend you're the most powerful nerd there. If you can't handle the game of life.....there's the door.

Dr_Zinj

If you're the head of network administration for a large company, and the CTO/CIO/CPO is about to engage in a maneuver that you are sure will have disastrous consequences for the company, and they have refused to listen to your warnings, you have a professional obligation to the company to upchannel your warnings to the highest level. i.e. the CEO. In Childs' case, this was the Mayor of San Francisco. And in his case, the CIO called company security to grab him beforehand, which happened to be the police department and got him thrown in jail. Childs was going to lose his job no matter what he did. If he went quietly, the first time his "replacement" screwed the pooch, they'd have been all over him legally because through no fault of his own, the system broke. So in essence, he jumped over all the preliminary crap and took it straight to the top and got the legal junk out of the way at the beginning. There's a similar situation with the military and classified information. None of the information belongs to any military member. But if you're charged with protecting it, and you believe that the person requesting or demanding the information is a risk for disclosing it, and isn't authorized to declassify it, even if they are a 4 star general and you're only an E-2, you have the right to refuse to divulge it, and can be charged with disobeying a lawful order. You'll have to prove it in a court martial, it will have severe repercussions on your career; but if you're right, you did the right thing. Sometimes doing the right thing forces us to make great sacrifices; sacrifices that make no sense to people not in your place.

Mabrick

The answer is because it was highly visible and extremely embarrassing for the City of San Francisco. There is so much blame to go around on this one I just want to punch the reset button and start over. Let's see if this sounds about right. - egotistical know it all admin with a god complex (like this is original) - IT workers who revile said admin as much as he disses their competence (like this is unique) - city IT management so incompetent that they can not "see" how dysfunctional their IT staff is (no surprises here) - looming layoffs make everyone more stressed and jumpy (rather ordinary) - security policies that allow one individual to control a critical piece of infrastructure (you know, the military has two-person control regulations for a reason) A BLIND person could have seen this coming. I fail to understand why anyone thinks this is so unusual. I read about it all the time. Let's move on shall we?

bens

While I like to think of the company servers and network as 'my own', it is only in a sense that I alone am purely responsible for their operational functionality. In my opinion though, I think you are correct that there would be a line of 'ownership' those feelings have to stop at. In my case, it stops at responsibility. Oh the joy of intellectual property...it is never 'your creation' if you are on the clock. It becomes the creation of the company. Humans can be incredibly territorial can't we?

mark101

People can argue back and forth over the term "hijack" and whether or not it fits. Personally, I agree with what you said. However, whether or not you agree with the term, what he did was wrong. Unless I bought and paid for the equipment with my own funds, the equipment is owned by the company I work for whether private or government. I have an ethical responsibility to treat it as such. If I do not agree with how the company is using the equipment, then either voice those concerns and work to fix the problems or find someone else to work for. As far as I am concerned, the same applies to the user's computers and company email. Many have argued that a company should not monitor an employee's company email because it is private. As far as I am concerned, the same rule applies. Who bought it? Who is paying the fees to have it and maintain it? If I do not want the company to monitor my email, get a private email account.

CCrabtree

Problem being he was never fired. He's still employed by the city and being paid, as far as I know. At least he was when he handed the passwords over. They arrested him while he was on payroll for doing his job - no crime. Absolutely bull.

Realvdude

Read the definition in the link you provided. I can only partially agree with hijacking either, since hijackers seize something for their own use or gain. What was Childs' use or gain? I think that those who have pointed to his mental status are on the right track. Whatever his motivation, his obligation was to turn over the information. He does have the right to do that through legal representation, which is what someone in their right mind would have done. I would hope that through a legal process, he could have received exemption of responsibility for anything resulting from surrendering the information or even for any responsibility after terminating his working relationship with the city.

HAL 9000

He was only fired after handing over the Access Codes to the system that he designed. He had also begged his Supervisors for extra people so he wasn't the only one with complete control but the Management was perfectly happy to leave things exactly as they were while it suited them to. In other words they didn't want to pay to have the correct controls in place and then after employing a person who seems not to have any experience other than being capable of reading the guidelines in a book the Brown Stuff Hit the Fan here. Quite simple really when you want something on the CHEAP that is exactly what you get. Just one question here when was the last time you heard of a Bureaucrat being Fired for Incompetence? These after all are Bureaucrats who employed another Bureaucrat to Supervise the Security. In other words the new person brought in was promoted for incompetence just like every other advancement in the Bureaucracy. Now under those conditions what would you do? Col

HAL 9000

Childs built the Optic Backbone nowhere is it claimed that he was in control of any Data flowing over the Network. In effect all he did was to stop working and not hand over the Passwords to the Backbone. He in no way stopped the flow of Data or in any way impeded or interfered with it. On the other hand however the people supposed to know what they were doing and was happening made public several Hundred Passwords of End Users when they submitted these to the Court as Evidence. There is also no direct description of the person who was supposedly hired to run the Security and being a bureaucrat they quite possibly may have had no idea of what it was that they were hired to do and understood even less. In a situation like that I don't know that I would hand over the Keys to the City Either given the possibility that someone by not knowing anything at all will destroy years of work and be extremely expensive to clean up after. Here even the Mayor who doesn't understand the system gave the wrong information to the people from Cisco brought in to fix the mess that their own Techs had no idea where to even start with. To me this looks like Bureaucracy Gone Mad. Not my preferred way to work and if I was forced to be the only Point of Control I would have walked years prior. But under the same conditions I just do not know how I would react either. There is no way I even come close to believing that I own the thing but there is no way in Hell I would give control to someone to destroy it to give me a bad name for their incompetence either. When everything is said and done it is only the Backbone of a very large WAN City Wide here that Childs was in control of. He didn't control any of the Data flowing across the Backbone or in any way prevent it flowing all he did was prevent it stop working.
And then only a very small part of the actual WAN with no direct access to Data no harm at all done where as if he had handed over the Passwords it would be a totally different story. So who was looking after the Citizens of San Francisco here the People Employed to, Those Elected to or Childs? Has anyone noticed that there have been no reports since the Passwords were supposed to be handed over just how reliable that system has been? Col

jck

oh master of feelingless and thoughtless posting :p Didn't I just say it was time for removing the people at the top? It's not the job of laymen to make sure they or their co-workers do their job. It's management/supervisory's job. Plus, it was management's job to make sure that they had open access to that network or any other system. so yeah, I said clean house. I just did it in a more verbose way than you. That means I used more words :p lol :D

Realvdude

Should be in his original design plan and documented as to their purpose. From that point it would have been his superiors' responsibility to determine if the purpose was legitimate. If they allowed the modem installation to be implemented, then that is their approval. As the author of this post points out though, it is a good object lesson; I believe to both employees and employers.

butkus

After a few years at my public school I figured I was just human. No one else knew much about technology here. I did and used that knowledge. I have a sealed envelope that is kept locked up. All the passwords in the building. His supervisors should have started that long ago. Obviously his supervisor was not technologically keen. As I told my students in my computer classes I taught starting back in 1992. Everything is passwords.... that's the new power ! People die, get sick, get fired..

Neon Samurai

Before you start freely issuing reality checks, consider how the company structure might affect everyone's opinions. "If anyone really believes they have the right to keep network passwords from those who supervise them are sadly mistaken." One person already pointed out that in the military, it is an unpleasant requirement to deny access to a higher rank where evidence indicates it will lead to a breach. Similarly, in a large business with hierarchy charts and long oak meeting tables, one could also deny access to a higher rank based on evidence that access may lead to a breach. In both cases, if the CEO or Commander of the Navy, you're dealing with the top dog and you'd best hand over the goods. If there is a rank above the one you answer to though, then there is a position the issue can be presented to. Heck, with mid to large sized companies, the CIO should have no passwords beyond the regular user password anyhow; the position is concerned with other matters. On the other hand, if it's a privately held single proprietorship; the owner's title trumps one's "contractor" from the start. You can only discuss the implications of a data leak or system issues then hand over the goods and let the higher rank make the final decision. In the case of Childs, you have a near military hierarchy based on politics but without the threat of going to war to keep people focused on training rather than infighting. As someone else pointed out; the CEO was the Mayor, the corporate security was the local police department. It wasn't a good situation; everybody helped make it worse. I think it is more of an example of what can go horribly wrong rather than an example to be contemplating industry wide best practices from. You provide a real gem though; document it.
If the supervisor or owner says give it and there are no higher ranks to present to and there is no existing policy in place then document the heck out of it and start drafting your estimate for the recovery contract that will come afterward. It's just not as simple as King Weenie protecting his keyring of passwords during the day and ruling the realm of the Ghausts in the evenings.

butkus

If I leave my job after 14 years here, someone comes in and makes all kinds of changes and the "network" dies... I would just say... told you so ! I have no right to stop someone from messing up what I started back in 1999. I'm not hired to "protect it".

brent.russell

..of the admin passwords to the whole system and he died thus preventing the system being used/maintained then HE is guilty of neglect of duty. No single person should be the sole admin of any system. Basic fact, a single point of failure is fatal. Forget all the legal semantics. He is therefore guilty of 'hijack' regardless.

Support Slug

Whether something is right or wrong is immaterial. The question is whether it is illegal or not. Statutes regarding unauthorized access have no bearing on the case if Terry has not gone back to access the network. I doubt there is a law on the books regarding withholding passwords. Whether what he did was right or wrong can be a somewhat subjective determination depending on what the details of the situation are.

HAL 9000

They have cleaned out the Bottom Rung but are balking at the middle and top of the system. After all when was the last time that you heard of a Bureaucrat being fired for Incompetency? They normally get promoted. Col

Neon Samurai

If you're sure that handing over the information is going to break something and that breakage will be much bigger than something managed by a CYA document like you suggest then you should at least be able to go up one level. This admin's supervisor was not the top of the hierarchy; he could have presented his case to the next person up whom they both report to. In this specific case, it wouldn't have caused more harm than keeping the keys secret either and would have demonstrated a professional concern for the welfare of the network. But there's no clear-cut single answer to fit all variables. A company should have a way to at least push an issue up one level for review then a proper documented signoff. An enlightened company would be able to do so without ill feelings between subordinate and supervisor.

jak

Yeah, he had a duty to the people. I guess it comes right down to this. If your supervisors tell you they need information that you have, then you had better provide that information. You work for them, period. He was not elected into this position by the people. He was hired by the staff that requested the passwords, to have more work done. If you decide you're not responsible to answer to your supervisors, it's time to find another job. Or in this case, go directly to jail and do not collect $200.

Neon Samurai

As I remember, the first information from Childs' point of view was just after he was imprisoned. Part of that was finding out that he was willing to cooperate with authorities and provide the passwords. For Childs, I'm not claiming there should be sympathy but understanding that he wasn't the only idiot at this country dance is worth some consideration. I'm also more interested in discussing the general situation rather than a specific example of how such a thing can get right fouled up.

Dr_Zinj

Let's expand the comparison a bit more. I'm your military supervisor and I tell you to put a bag over a prisoner's head, and then tell you to kick his feet out from under him every time I tell you to. Are you going to obey my order, or are you going to realize that I'm committing an unlawful atrocity and refuse it? Are you a professional? If you don't adhere to a higher standard of ethical conduct, a standard that transcends your job at the moment, I'd definitely say that you are not. Childs had a duty to his supervisor. Due to the nature of his particular job, he also had a duty to the people of the City of San Francisco. In my book, his duty to the people outweighs his duty to any moron who happened to hire him.

jak

When you get to the point of going to jail, you can be pretty sure they're not testing you. When you're sitting in jail the first, oh I don't know, two or three days, you might want to give your supervisor the passwords. If he was truly concerned about his network's security and not about being fired, he would have just tagged along with the contractor doing the verification. That way he would be able to answer any questions they had, and could have protected his network at the same time. Sorry, no sympathy here. I guess if you are the type of person that may be trying to hide something, jail might be a better alternative for the time being. For me though, I don't want to be Bruno's wife in jail.

Neon Samurai

I don't think it'd be a gun to the temple in the US military. It would surely have been a different situation though. Do they court-martial him, imprison him in contempt until divulging the information, simply bring in the good NSA lads who already audit the military networks with a near 100% success rate? (It's not if they can get in but how much effort they have to put into it; according to interviews) Granted, there are some places where military and even civilian, let alone government, would be given that simple choice. "this is my gun, what's the password?"

Neon Samurai

To get it out of the way; war time is different and questioning orders in the field is unacceptable. However, when back on base, there should be a mechanism that allows for verification. Example; I'm sgt fingers and Major fish just walked in and asked me for a print of the base passwords. Is there no check point where I take his ID, call someone and ask questions? Is it not possible to document and follow up with questions after if declining is not an option? At some point, repercussions of negligence and potential for allowing breach must trump the conditioning for rank structure started in basic training. My military experience isn't worth admitting in relation to years of full time service but I understand the culture and structure very well. It surely wouldn't go well for the lowly NCO who disobeyed the superior but if they are in the right and block an attempted breach... What if it is auditing? Years ago, my supervisor (the sys admin on base) had to call in an attempted breach he saw that morning in the logs. It was mostly just harmless network noise but it was an anomaly with the target IP being us. First, it was testing on his network including if he would report it or not. Second, it may also have been training for the other side of the network who may have been getting reamed for failing to breach while this admin was getting a "well done" for having a protected system. It might be a test and the lowly sgt gets F'd for not denying the higher rank. I'm not saying SGT fishtoes has more authority than LT bigfoot or should but there has to be some type of verification available in the trust model. In this specific case; I've never had coffee with Childs, spoken by phone or had text correspondence so I don't know if his motivation was simply to remain relevant in the threat of a contractor.
I'm simply saying that protecting the network is the admin's responsibility and if his supervisor was a concern, he should have had the option to appeal up the hierarchy if the honest intent was infrastructure safety.

Batsy01

He's lucky that he's not military. They would have just put a gun to his head and politely asked for the access. Then put him on the no-fly list to make his life miserable.

jak

Well, the military theory is great and all. By the way, I spent 9 years in the Army, so I know how it works all too well. The problem here is that when you have a supervisor that is telling you to give them access because they have hired someone to verify the setup, you have no choice. I have yet to work anywhere that I had more control than my immediate supervisor. That doesn't make any sense. If that supervisor is not trained in the same field you are, but hires someone who is, that trumps any "right" to withhold that information. It's no different if he were to get fired and the person that is hired to replace him were to get that information to perform the job. That's what it really comes down to in this case. He felt that he had something that prevented him from being let go, and he used the network security as a means to stay irreplaceable. The only thing he did was to put a nail in his own coffin.

HAL 9000

As opposed to constantly trying to get staff to work with him and Management refusing claiming that he was doing a great job as things were. The problem here is that the Management here wanted things this way and when it bit them on the Bums they complained. I honestly believe that they got exactly what they deserved but without any damage being done to the system. They didn't deserve that to happen and it's only the Professionalism of the accused that prevented it happening. That is the funny part here. :D Col

Realvdude

There was a case in Detroit back in the 80's where a programmer was allowed to ransom new bus schedules, because the city did not ask for the password that was protecting them, prior to the programmer's dismissal. The courts upheld his right to compensation for turning over the password. From this, I ascertain that if you're asked for such operational information prior to termination, you have to provide it; if you're asked after termination, you're holding all the aces.