Terry Childs conviction
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.DTL&tsp=1
-JFO
On Apr 29, 2010, at 4:11 PM, Olsen, Jason wrote:
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
===
I'm not surprised. It has little or no direct operational impact.
James R. Cutler
james.cutler@consultant.com
Anytime you mess with a government entity, without legal guidance, you are at great risk. Mr. Childs took a risk and jury decided he was wrong. He faces 5 years in prison.
-henry
________________________________
From: "Olsen, Jason" <jolsen@devry.com>
To: nanog@nanog.org
Sent: Thu, April 29, 2010 1:11:07 PM
Subject: Terry Childs conviction
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.DTL&tsp=1
-JFO
Henry Linneweh wrote:
Anytime you mess with a government entity, without legal guidance, you are at great risk. Mr. Childs took a risk and jury decided he was wrong. He faces 5 years in prison.
Unlikely. From the article:
"However, Judge Teri Jackson is expected to impose a sentence under which Childs would serve a few additional months at most, after she gives him credit for the nearly two years he has spent in county jail since being arrested in July 2008"
I didn't know jury trials went this way, if a juror doesn't agree you simply kick the person out. You learn something new every day. :-)
"The jury deliberated for several days before a lone holdout against conviction was removed from the panel, for reasons that were not disclosed. After an alternate was put in that juror's place, the panel started over and reached a decision in a matter of hours."
And one can argue he behaved like any security conscious IT person should behave, although I'm sure in this case the truth lies more in the middle:
"Shikman acknowledged that Childs may have been "paranoid" about protecting the system and undiplomatic with his bosses, but nothing worse (..) "All they had to do was ask him (for the passwords) in a secure and professional way, consistent with policy and standards," Shikman told the jury."
Regards, Jeroen
--
http://goldmark.org/jeff/stupid-disclaimers/
On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile. I fail to see the operational relevance to this conviction; it's basic common sense.
William
On Thu, 29 Apr 2010 16:47:02 CDT, William Pitcock said:
On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
I'm a bit surprised that after the furor here on NANOG when the story first broke (in 2008) that there's been no discussion about the recent outcome of his trial (convicted, one count of felony network tampering).
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
Unfortunately, Terry Childs was withholding the passwords because he thought (with some justification) that they'd adger up the net if they had the passwords. So if you want to make an analogy, it's more like taking the keys away from a drunk so they can't drive. Good luck finding a DA who will indict you for grand theft auto for taking the keys to prevent a DWI. Operational content: What design, procedure, and policy errors did the network owners make that Childs was able to do that to them? (The cynic in me says that if the net management was that screwed up that he *could* do it, he was justified in doing it... :)
On Thu, Apr 29, 2010 at 7:15 PM, <Valdis.Kletnieks@vt.edu> wrote:
So if you want to make an analogy, it's more like taking the keys away from a drunk so they can't drive. Good luck finding a DA who will indict you for grand theft auto for taking the keys to prevent a DWI.
According to news reports in this case it was not a charge of theft, but a charge of criminal Denial of Service. The service denied being the ability to administer their network devices by their authorized admins: in this case that Childs had been ordered by people with management authority over him on various occasions to provide some access to equipment they owned, and he had refused on all occasions, or deceived them by intentionally providing incomplete or useless access details. It was well within management's authority to demand this, and not in violation of any laws (not equivalent to DWI).
It may be of concern to some individuals, but the operational impact to well-managed networks should be zero. Make sure the collective management of the organization that owns the network has a means of directly conveying full access at all times to any user they authorize, that is provided on demand, or that there is a clear password policy that ensures that administration cannot be denied to authorized users ?
"Theft" of keys does not equal theft of vehicle, and restraining someone who is not acting rationally and is intent upon committing a crime, directly endangering lives, is completely different.
Courts might take a much more dim view towards a valet/driver re-assigned to a different job refusing to surrender the keys to the owner's new valet, out of fear the vehicle might get treated in a way they considered poor or reckless.
--
-J
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called "theft," rather "illegal control."
http://www.infoworld.com/t/insider-threat/terry-childs-still-faces-one-charg...
The more-informed reporting on this says that the charge was actually "illegal denial of service." I'm guessing this is what my father-in-law was getting at, or that this is what "illegal control" means when applied to computer equipment.
dk
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called "theft," rather "illegal control."
Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
William
Illegal control = Conversion = at least a tort, but could also be a crime.
On Apr 29, 2010, at 10:05 PM, William Pitcock wrote:
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called "theft," rather "illegal control."
Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
William
On 4/29/2010 21:05, William Pitcock wrote:
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called "theft," rather "illegal control."
Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
I beg to differ (the archives may reflect my objection last time around).
I agree that a crime was committed.
It was committed by the management that allowed this situation to exist.
It is a pretty easy matter to maintain controls that make the passwords secure but still available to management when they need it. The simplest system was one of sealed envelopes in several different District Managers locked desks. Every now and again a manager would take his or her envelope out and test the passwords to see if they worked (usually just before the scheduled password change each month).
--
Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
On Thu, 2010-04-29 at 21:23 -0500, Larry Sheldon wrote:
On 4/29/2010 21:05, William Pitcock wrote:
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
Surely even at DeVry they teach that if you refuse to hand over passwords for property that is not legally yours, that you are committing a crime. I mean, think about it, it's effectively theft, in the same sense that if you refuse to hand over the keys for a car that you don't own, you're committing theft of an automobile.
I've seen a dismissed employee withhold a password. The owner of the company threatened legal action, considering it, like you, theft. My father-in-law is an attorney, so I asked him about the situation. He said that it wouldn't be called "theft," rather "illegal control."
Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
I beg to differ (the archives may reflect my objection last time around).
I agree that a crime was committed.
It was committed by the management that allowed this situation to exist.
It is a pretty easy matter to maintain controls that make the passwords secure but still available to management when they need it. The simplest system was one of sealed envelopes in several different District Managers locked desks. Every now and again a manager would take his or her envelope out and test the passwords to see if they worked (usually just before the scheduled password change each month).
I don't disagree, but he should not have withheld passwords to devices that were not his direct property when asked by a superior.
William
I beg to differ (the archives may reflect my objection last time around).
I agree that a crime was committed.
It was committed by the management that allowed this situation to exist.
Agree.
It is a pretty easy matter to maintain controls that make the passwords secure but still available to management when they need it. The simplest system was one of sealed envelopes in several different District Managers locked desks. Every now and again a manager would take his or her envelope out and test the passwords to see if they worked (usually just before the scheduled password change each month).
I don't disagree, but he should not have withheld passwords to devices that were not his direct property when asked by a superior.
Agree.
On the other hand, this gets strange. Once you're fired, just how much can you reasonably be compelled to produce for your former employer's convenience? And that's all this is, because no one has suggested that the network was left nonfunctional, or that it wasn't possible for competent engineers to gain access and control of the system.
I've seen people try to compare this to returning a cell phone or laptop, but the fact of the matter is, those are physical devices that can be returned. I remember passwords dating back decades. I'm not going to forget some of them short of brain surgery or Alzheimer's. On the other hand, there are many passwords I've forgotten entirely. If my employer from last week comes to me today, and says, "hey, we need access to this resource, hand over your password," maybe I still remember it, or maybe it was written on a sheet of paper that went to the shredder when I quit. What if it's a month, or a year, or a decade? Where does this obligation to regurgitate information end?
What if it's not simple? (Childs was accused of handing over "useless" information, which I am interpreting to mean that it was probably a valid password, but not the full context of how to use it.) Need I provide information on how to dial into a remote access server, log into a router, connect via its aux port to another gizmo, and then from there to my final destination? To cover all possible scenarios could be a heck of a lot of documentation to write up. Am I expected to do that for free? What if I forgot it all? What if I went and shredded any documentation I had at home, wiped all the data from my laptop, all because I was trying to do the right thing by not retaining any intellectual property?
What Childs did was wrong, but what his superiors did was ethically and morally inexcusable - they created a scenario where he could be criminally punished for their failure to manage their employee (and their network) appropriately. As far as I'm concerned, they're far more guilty, but of course they won't see the inside of a cell.
The precedents set by this case are a bit scary. The lesson for operators should be clear: don't let a prima donna build your network without being thoroughly involved in the process.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Thu, 29 Apr 2010, William Pitcock wrote:
Same difference, he still committed a crime and anyone who is defending him seems to not understand this. Whatever we want to call that crime, it's still a crime, and he got the appropriate penalty.
Hi William. I have to agree that it does seem he committed an offence but we will have to agree to disagree on the penalty. Two years (or more) in jail for withholding a password for one week seems disproportionate to me. I wonder how expensive the trial was.
Rob
--
Email: robert@timetraveller.org IRC: Solver Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world
participants (12)
- Cutler James R
- David Krider
- Ernie Rubi
- Henry Linneweh
- James Hess
- Jeroen van Aart
- Joe Greco
- Larry Sheldon
- Olsen, Jason
- Robert Brockway
- Valdis.Kletnieks@vt.edu
- William Pitcock