Employer keeps lists of (and uses) client's passwords without client's knowledge

Doing possibly illegal or morally objectionable things to keep a job isn't good.
Say you ended up getting caught with the password list. Say somebody outside of your company got hold of it and did damage with it?
What good is your job against a possible lawsuit or jail time if it's indeed a federal crime?
To those saying it's arrogant to say something like this: too bad.
Lots of people end up in prison for being accomplices to crimes.

If I had an employee or a partner that did something like this I'd notify the client so the passwords could be changed and then get rid of the guilty party if possible. Hate to sound like an Internet Tough Guy, but I'm in this business to help people, not steal from them.

Considering the OP probably didn't find out about the situation beforehand, I'd cut him a little slack, as it looked like he managed to cut his ties as soon as it was possible.
I've actually had clients hand me a list of everyone's passwords before. I don't think it's uncommon. I've informed them the practice would change and shown them how and why.
But this slime the OP worked for needs to be exposed. Gives the rest of us a bad name.
 
I've actually had clients hand me a list of everyone's passwords before. I don't think it's uncommon. I've informed them the practice would change and shown them how and why.

At the company I work for full time one person does have all the passwords stored in a list. I'm really trying to push them away from that because it is a security risk and a liability for the person who maintains the list.
 
This is an excellent thread even though it has been a bit heated here and there. Ethics need to be dealt with strongly and discussed in the open. It molds all of us to function better and more ethically in our dealings with clients.

I am granted admin rights on all users computers through a special "resource" domain account. Abuse brings immediate termination.

We have hard drive encryption for all laptops and I can bypass it by using a console and unlocking the account at boot time. Activity is recorded by the server when I do this.

If I ask a user for their password, again, immediate termination. I can, however, reset the NT password on the PDC using my resource account.

I have full access to users' data during migrations; the computer is then held for 1 week before being wiped. I return the computer to headquarters and they wipe it again.

Above all, as technicians, we have access to a great amount of sensitive data and our integrity should be impeccable and above reproach. Our actions in these matters should also be such that they will withstand scrutiny.

As for the initial post...that company is violating just about every ethical standard and should be reported. I also cannot think of any defense that would be accepted in a court of law for participating in that sort of behavior. If it had been embezzlement or drugs or stock fraud, would anyone still be considering the "I needed the job" reason to stay and not report?

Draw your own conclusions.....

P.S. bravo to the one who blew the whistle on the machines leaving the company without being wiped.........
 
To those saying it's arrogant to say something like this: too bad.

Considering the OP probably didn't find out about the situation beforehand, I'd cut him a little slack, as it looked like he managed to cut his ties as soon as it was possible.

You said the magic words. It's not always easy to up and quit a job. But by actively looking for a way out without killing your only source of income, I think any jury, judge or attorney would see this as reasonable.
 
Ugh, so you wouldn't hire someone for making a mistake in the past? Even though they possibly learned from it, and are possibly a better person?

Not for making a mistake, for willingly participating in behavior that he suspected was unethical or possibly illegal. I want people that I can trust to make good decisions, even when they're not the easy decisions and even when no one else is looking.

Considering the OP probably didn't find out about the situation beforehand, I'd cut him a little slack, as it looked like he managed to cut his ties as soon as it was possible.

Not to be too hard on the guy because I acknowledge he was in a tough spot, but he did also say that he was fired from the job. You could argue he would have quit anyway, or he wanted to be fired, but that's not what happened.

As far as "really needing the job" I get it, but you can justify an awful lot under this umbrella. Just how concerned was he that the actions might actually be illegal?

Now look, I'm no saint or heartless perfectionist. I don't know anything about this guy. Maybe he just needs a mentor, or experience, or wisdom that comes with age or whatever. Maybe the post is being taken too literally and he embellished the details a little or whatever. I'm taking it for what it's worth and providing my opinion as part of what I would consider a case study. He's not asking me for a job, but if it helps him out as an employee, or anyone else as an employer, I'm glad to participate and debate.
 
I want to make something clear about the reason I didn't quit the job when I saw shady stuff happening. I had been looking for a job for 8-9 months prior to finding this one, and this was the first job opening in my area in almost a year, and it was over an hour drive each way! So I was in a bad spot as far as income, and on top of that, ALL places I have worked at, be it restaurants, car dealerships, auto auctions, gyms, retail (big box), etc., they ALL did some very shady things. Not one place didn't do things that should have been reported.

Another issue I was having with this company was they were providing sub-standard equipment (routers) that wouldn't meet the broadband download speeds the business clients were paying for.

The IT firm was building Linux routers/firewalls using old 533 MHz P3 computers with 64-128 MB RAM, 4 GB Seagate HDs and no NICs. These machines were on their last legs and should have been retired long ago, but here they were being put back into action on the front lines! Since these machines didn't have NICs and the boxes were of really odd design (they needed slimline NICs, not standard) "we" used USB NIC dongles. P3s don't have USB 2.0, so we were limited to USB 1.1 bandwidth, which was a MAJOR bottleneck when put inline with high speed cable modems doing 15-25 Mbps.

So these piece of $hit machines were being sold as high end business class router/firewalls (as IPTables was installed).

When I started working at the company I was answering calls with complaints about Internet speeds, and being new I was told to pass the calls off to the owner or my supervisor (the father-in-law). When I found out that the routers we were providing were using two USB 1.1 NICs, one in, one out, I immediately asked them if they thought the USB 1.1 architecture was the bottleneck for the download problems. The immediate response was that it was only restricting 3-5% and it wasn't an issue at all. I thought it was BS right away, so I spoke up and said that it was a lot more than 3-5%, and the father-in-law got snippy (very uncharacteristic).

The Math
Max USB throughput is 1.1 megabytes/sec, which = 8.8 megabits/sec. Realistic sustained transfer is reported to be 5.5-6.875 megabits/sec. This is a HUGE bottleneck when someone is paying for a 15-25 megabit/sec broadband connection! This means that they are only getting 22% to 37% of the speed they were paying for! I told my boss that I didn't want to handle any problems related to Internet speed anymore because I wasn't going to lie to them or deflect their questions.

I only worked with the company for 2-3 days after they returned from vacation, as I could not feel "right" continuing to work for them.
 
Tankman1989

I just want to thank you for bringing this subject up.
You mentioned there's shady stuff going on everywhere, and I agree.

I think the major bone of contention with me, and probably others here, is that the IT industry, specifically the service sector, has a bad reputation. At least here in Central Illinois it does.
Being non-responsive to user issues, over-selling, and outright lying to customers seem to be the norm. I have one customer that was told that 2.5" PATA HDDs were no longer made just so he could be sold a used one for $200. When I showed him the price for them on NewEgg he laid a golden brick.

I told my boss that I didn't want to handle any problems related to Internet speed anymore because I wasn't going to lie to them or deflect their questions.

That's a conversation that should never happen within a service and support company. I'm just shaking my head about the whole thing.

I wish you success in your career Tankman1989 and hope you can use this experience to build on.
 
P.S. bravo to the one who blew the whistle on the machines leaving the company without being wiped.........

The person who blew the whistle on the hard drive wipes was the same person you were bashing for participating in unethical behavior, the OP.
 
I think something needs to be made clear here. I worked for this company a total of 3 months and the first month was nothing but grunt work doing things like taking desktops outside and blowing the dust out of them at all 30+ businesses we supported.

The next month I was doing some cabling, router installations, new system installs, migrations, upgrades, backups, updates, etc.

After about 2 1/2 months I talked to my supervisor and boss about the router bottleneck and requested not to deal with customer complaints about broadband speed anymore.

Finally, two days before my co-workers went on vacation I was given the password list, which I protested. I don't know if they would have trusted me with it or even given it to me had they not gone away on vacation. I was then "let go" two days after they returned from vacation. So all in all I had the list for just over a week.

When I was "let go" it was a huge relief, which is unusual but it was obvious that something wasn't right with this company.

Someone compared this password list to whistle blowers at financial firms or drug companies and I think this is totally absurd! I think some of you techies think a little too highly of yourselves. I do not know of any state or federal law which prohibits password sharing or even possession of someone else's password. At worst you could be breaking company policy, but in my case neither my employer (the IT company) nor the company we supported had employee handbooks with such passages. So all of you who are making a huge deal about MY ethics and standards and saying that "you would never hire me" can go pound sand; I would never want to work for someone so arrogant and shortsighted. I went above and beyond what I was required to do by telling my boss that I didn't think this was ethical (and on other occasions as well), which is probably why I was fired/let go.

Had my ethics ever been in question I would have been stealing the R&D, CEO, CFO, COO, and Accounting hard drives from the Fortune 100 pharmaceutical company I was doing contract work at for Dell but INSTEAD I reported that they had a major hole in security. I'm sure there was some valuable data on those HD's even if it was only projected stock performance...

So all you little techs who are talking $hit about how unethical I am and that "you would never do what I did" I call BS. You are probably sitting there gobbling up everything that is in this thread as your IT break/fix jobs are as dull as your personalities. So before you start spouting off how you have superior ethics and how I could be in legal trouble, turn off CSI and tune back into reality. The REAL WORLD is calling you.
 
The defense "I was only following orders" comes to mind every time I hear someone say "I was in fear of losing my job". How many horrible stories start with those words? There is a case in Long Island where a doctor supposedly harassed three women for years before firing them over some bizarre event in his office. http://www.myfoxny.com/dpp/news/loc...ong-island-doctor-faces-sex-suit-20101220-lgf
Three women claim that the Long Beach doctor sexually harassed them for years before he fired them.

I don't know if it's true or not. My point is if someone had reported this years ago, most of these things would never have happened, and it would have prevented some horrible trauma to many people. But they were all "in fear of losing their jobs".

So all you little techs who are talking $hit about how unethical I am and that "you would never do what I did" I call BS. You are probably sitting there gobbling up everything that is in this thread as your IT break/fix jobs are as dull as your personalities. So before you start spouting off how you have superior ethics and how I could be in legal trouble, turn off CSI and tune back into reality. The REAL WORLD is calling you.
I once had someone tell me that "no matter what I think, most people in the US smoke marijuana". This is BS; it's merely a way to justify behavior instead of dealing with self responsibility. I'm not questioning your ethics, Tankman. However, you described all the very elaborate steps you took to cover your own ass in case something bad happened. You didn't take those steps to report the suspect activity or to protect the client. You're young, I understand. But don't get so defensive that you go on the attack or resort to childish insults. A lot of us on here like you. Just take everything in and learn.

Just like cmanova, I am one of those ethical people. I run my business with honor and honesty. I am also one of those people who believe that the majority of people out there, as well as businesses, do the same. I'm not naive; I know that there are a lot of bad practices being used by people and businesses all the time. I just choose to believe it's not the majority. As far as this argument is going, there is one solid lesson to take away from this. Do the right thing. Sure there may be negative consequences. However, you should never forsake your dignity and morality for the sake of a job or a client, no matter how scary the prospects are. You have a responsibility to potential future victims, not just to yourself. It's like seeing a mugging or child porn or any number of crimes and simply walking by and doing nothing because you don't want to get involved. That's cowardice.
 
I just finished reading all the posts. I want to make it clear that I don't think anything illegal took place, but I may be mistaken. If I had thought that having a password list was illegal then I would have never accepted it. If it is illegal (which I can't see how it is) then almost every job I have ever worked at in the IT field would have been breaking the law, as some people always had lists of others' passwords.

As far as the boss saying it would be "very, very bad", this was/is in regards to him potentially losing the support contract and losing over 50% of his revenue. If anyone is making it out to be anything bigger than this then you are overreacting.

Now as far as having the list being unethical, well that may be true and that is why I protested. BUT being the new guy isn't exactly the easiest thing, especially when I had already pointed out some areas of "concern" such as USB NIC dongle bottlenecks, boatloads of porn on the computer in the room for the "Teen Support Group" at a local Christian counseling center (yes, this is a whole other story), and default login as root on all Linux boxes (no su'ing to get root access).

The biggest issue that hasn't been brought up is that it makes no difference if we have their password or not if an Admin wants to get their data. I can log in as administrator and copy whatever I want. On top of that, all IT employees share the same Admin account and password so who is to say which IT person logged in and took the documents. I never understood this logic with IT admin. IMHO I think the default admin account should either be disabled or only used by the CIO/IT manager; for all other administrators they should set up their own admin account with the proper rights and permissions so proper logging and auditing can be conducted. It just gets crazy when you have 15 people on an IT staff, all using the username "Admin" to support/make changes on the infrastructure. How can any of this be tracked? I know that when I have my own company things will be done correctly like this.
 
If the IT Support company owned the hardware that hosted the AD servers and leased it to the company, then it's probably not illegal. If, however, the supported company owned their own hardware and paid the IT company to manage it, then it probably is illegal. I'm also not a lawyer, so this is based on years of watching lawyer shows, the occasional Judge Judy, and the subconscious learning of a child growing up with a criminal justice majored father.
 
That is a good point. I'm not sure how the setup worked, I just know I worked on the machines. Who owned them was irrelevant to me at that time.
 
WOW, you lot need to lie in the snow and cool off a bit!

Tankman, I appreciate the position you found yourself in; it certainly is not easy being in a position like that. You did right to raise questions. The key thing here is what policies, if any, are available/in place?
There are laws protecting users' privacy and data, but this all depends on the service provider's (I.T. COMPANY) and client's policies. This can be a complicated area, but all companies should have enforceable policies in place, stating what is and is not acceptable.

I had a conversation with my brother a while back. He works in the I.T. department for a local educational authority and has been there 12 months; he, like his colleagues, has never had any training or documentation on privacy or data protection. He told me that as an administrator he can remotely log on to any teacher's desktop and "do anything I want". I was alarmed and argued that under the law he could not do that. Firstly, this set up, in my opinion, is all wrong; secondly, as an admin, he should be able to perform any necessary work on an admin account unless there is something user specific, in which case he should have the user's permission and the user should be present.
He stated that all "users" signed a document giving the I.T. dept "complete control" of their accounts.
Two problems exist here: if the stated document grants "full control", have the users been made aware, does it state in the document that the I.T. staff have unreserved access to all the "users'" files, and do the "users" fully understand this?
Secondly, as there has been no formal training or information given to the I.T. staff in relation to privacy and data protection, the I.T. Manager and his staff could find themselves on the wrong side of the law.

You can talk about ethics till you're blue in the face; the crucial factor is not just what the law states, but what policies and signed documentation are in place. If you sign to agree to a policy that allows an authorised person exclusive access to your "user" account you don't have a leg to stand on. However, if you are obtaining and keeping "users'" passwords without their permission, or logging into their account without their permission, you are breaking the law.

If it looks dodgy then it probably is, unless documentation shows otherwise.
It is so easy to sit back and make judgement and criticise; not everyone is "sure footed" or strong enough to raise questions or confident on how to deal with some situations. If you find yourself between a rock and a hard place, document it, keep a diary, record your conversations, whistleblow anonymously, and if you can, quit.
 
I find the entire IT field to be very disorganized and there is very little standardization. At one company I worked for there were 5-6 people on the IT staff and we all shared one "admin" account with one password. If someone abused the account or did something they shouldn't (either purposefully or accidentally) then there would be no way of determining who was at fault to either reprimand or correct and teach the proper way of doing something. There are SO many ways this type of account sharing can be abused yet I have found that this is the standard setup for all companies I have worked for.
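The two posts above from the OP about a shared "Admin" login (the one ending "How can any of this be tracked?" and the one just above) describe the same fix: retire the shared account and give each technician a named admin account so that the logs attribute actions to a person. The script below is an added example of carrying that out on a Windows domain with the ActiveDirectory PowerShell module; it is not code from the thread or from any company mentioned in it. The technician names, the OU path, the choice of Domain Admins as the rights group and the 32-character break-glass password length are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and Domain Admin rights on the host it runs on. Names, OU path and the rights
# group are placeholders; in practice scope the group to what each role needs.
Import-Module ActiveDirectory

$technicians = @('jsmith.adm', 'rlee.adm', 'tkhan.adm')   # assumed names
$adminOu     = 'OU=Admin Accounts,DC=example,DC=com'       # assumed OU
$rightsGroup = 'Domain Admins'                             # assumed; narrow it

# 1. One named admin account per technician, password changed at first logon.
foreach ($sam in $technicians) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $initial = Read-Host -AsSecureString "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam -Path $adminOu `
            -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
        Add-ADGroupMember -Identity $rightsGroup -Members $sam
    }
}

# 2. Retire the shared built-in Administrator (RID 500). It cannot be deleted and
#    is the account of last resort, so disable it and seal a long random password
#    offline (break-glass) instead of leaving it in daily use.
$builtin = Get-ADUser -Filter * -Properties SID |
           Where-Object { $_.SID.Value -like '*-500' }
$breakGlass = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 32 |
                     ForEach-Object { [char]$_ })
Set-ADAccountPassword -Identity $builtin -Reset `
    -NewPassword (ConvertTo-SecureString $breakGlass -AsPlainText -Force)
Disable-ADAccount -Identity $builtin
Write-Host "Seal this break-glass password offline, then clear your screen: $breakGlass"

# 3. Turn on the audit subcategories that tie logons to accounts on this host.
#    Push the same settings domain-wide through Group Policy in practice.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# 4. Check: every logon in the last day should now map to a named account.
#    Any remaining hit on the old shared name is a leftover to chase down.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[5].Value    # TargetUserName
            Domain  = $_.Properties[6].Value    # TargetDomainName
            Type    = $_.Properties[8].Value    # LogonType: 2 console, 3 network, 10 RDP
            Source  = $_.Properties[18].Value   # IpAddress
        }
    } |
    Where-Object { $_.Account -notmatch '\$$' } |        # drop machine accounts
    Group-Object Account |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Run it once from a domain controller or a management host with RSAT; the auditpol lines only affect the local machine, so the same subcategories need to be enabled by Group Policy for the whole domain before event 4624 on every box names the technician rather than "Admin". Disabling the built-in account is what the OP proposed; if recovery procedures depend on it, keep it enabled but vaulted and alert on any logon by RID 500 instead.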
 
Having a list of passwords is not illegal in and of itself. It's all a question of who has legal authority to use the data and equipment which is being protected by those passwords (and occasionally also the nature of the data).

An employer having a list of all the employee passwords is almost always legal as long as the data involved is not in a special legal class (like medical information), or if the employee's contract specifically provides for privacy from employer scrutiny.

An IT company having access to the list of passwords kept by that employer is also legal, provided:
a) the employer knowingly permits it
b) the IT company does not use it in ways which the employer does not approve
c) the employer has legal rights to the password protected data/equipment

In the situation you describe, the password list being kept by the company you worked for was almost certainly illegal. Just how severe the penalties could be for keeping and using the list depends in large part on the exact nature of the business which the client is in. If it is even partly security or medical related it could be very severe indeed.

For your own protection, I would recommend contacting the authorities (AG, DA, etc) or a lawyer for advice. If this ever becomes a law enforcement matter in the future, you could still be seen as an accomplice. Get out in front of it before that happens.
 
Many in this thread are simply calling this a password list but as I understand this company harvested password hashes and used rainbow tables to crack the hashes and obtain the passwords. To me that seems to be something completely different.

If you want to talk about legalities of this practice, look into the case of Randal Schwartz. He was a contractor working for Intel in, I believe, the early '90s. He thought it was part of his job to obtain hashes and try to crack them to test password strength. However, he never asked for permission from Intel and was convicted on 3 federal charges. It took him until 2007 and a lot of money to finally get the conviction expunged.

Honestly, if I was in this position I would contact the local FBI field office and report it. From this practice the company is showing some real disregard for ethics and I would be wondering what else they are capable of.

Just my thoughts...
 