Terry Childs conviction

Joe Greco jgreco at ns.sol.net
Thu Apr 29 22:12:34 CDT 2010


> > I beg to differ (the archives may reflect my objection last time around).
> > 
> > I agree that a crime was committed.
> > 
> > It was committed by the management that allowed this situation to exist.

Agree.

> > It is a pretty easy matter to maintain controls that make the passwords
> > secure but still available to management when they need it.  The
> > simplest system was one of sealed envelopes in several different
> > District Managers locked desks.  Every now and again a manager would
> > take his or her envelope out and test the passwords to see if they
> > worked (usually just before the scheduled password change each month).
> 
> I don't disagree, but he should not have withheld passwords to devices
> that were not his direct property when asked by a superior.

Agree.

On the other hand, this gets strange.  Once you're fired, just how much 
can you reasonably be compelled to produce for your former employer's
convenience?  And that's all this is, because no one has suggested that
the network was left nonfunctional, or that it wasn't possible for 
competent engineers to gain access and control of the system.

I've seen people try to compare this to returning a cell phone or laptop,
but the fact of the matter is, those are physical devices that can be
returned.  I remember passwords dating back decades.  I'm not going to
forget some of them short of brain surgery or Alzheimer's.  On the other
hand, there are many passwords I've forgotten entirely.  If my employer
from last week comes to me today, and says, "hey, we need access to this
resource, hand over your password," maybe I still remember it, or maybe
it was written on a sheet of paper that went to the shredder when I quit.
What if it's a month, or a year, or a decade?  Where does this obligation
to regurgitate information end?  What if it's not simple?  (Childs was
accused of handing over "useless" information, which I am interpreting to
mean that it was probably a valid password, but not the full context of
how to use it.)  Need I provide information on how to dial into a remote
access server, log into a router, connect via its aux port to another
gizmo, and then from there to my final destination?  To cover all possible
scenarios could be a heck of a lot of documentation to write up.  Am I
expected to do that for free?  What if I forgot it all?  What if I went
and shredded any documentation I had at home, wiped all the data from my
laptop, all because I was trying to do the right thing by not retaining
any intellectual property?

What Childs did was wrong, but what his superiors did was ethically and
morally inexcusable - they created a scenario where he could be criminally
punished for their failure to manage their employee (and their network)
appropriately.  As far as I'm concerned, they're far more guilty, but of 
course they won't see the inside of a cell.

The precedents set by this case are a bit scary.

The lesson for operators should be clear:  don't let a prima donna build
your network without being thoroughly involved in the process.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list