Need advice about ex-contract

Hi. I am throwing out this question partially for the benefit and humor of all. However, I do feel inclined to respond to the email that is the reason for this post. I am looking for advice on what I should say. First, here is some background on the issue.

I was contracted at Worldcom Wireless for over 2 years. I was the Novell 'guy' and provided all top-level support for all of the Novell servers in the company. One of the things I was responsible for was the billing system, which is a massive Btrieve database on several Novell 5.0 servers.

Through the Bankruptcy, fraud, cost cutting, bad management, etc... MCI/Worldcom shut down the wireless division. On July 29th, 2003, my contract with them was terminated (in good standing), as that was the official end date of all Wireless business functions.

However, they chose not to shut the billing system down (for whatever reason), and it is still running today. This is where I need advice.

I received an urgent email today from a still-employed MCI person. It reads:

--------
Marv,

No one left is a member of the Novell Admin group for the Wireless tree in Ashburn. Can you give me the admin username/password to the tree so that I can take care of some stuff?

Thanks!

Nxxxxx
---------

I would like to send a cordial yet frank response, something along the lines of A) I don't remember, B) It's not my problem, C) the name/password were documented and given to management (who is no longer there either) and D) I will be happy to come hack into the system for a hefty fee. (Note that systems are in Virginia, I am in Phoenix)

Any ideas, thoughts or general comments would be appreciated. Note that I'm not looking for responses that tell me how to hack the password or otherwise defeat the security.

Marv


Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
Marv

I have been in a similar situation and had exactly the same thoughts as you. Personally, I could remember the password so I just gave it to them. However, I would just help them out the best you can, maybe even giving them a copy of the NLM (forget the name) that creates/resets the ADMIN password (along with a disclaimer that you are not responsible for any problems as a direct result of using the NLM of course!).

At the end of the day, this is not your problem, but if you are funny it might come back and bite you in the ass because things like that have that habit.

-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Being a contractor, passwords are not your responsibility. The people that left and were direct employees of MCI/Worldcom were the ones responsible to provide the password.

First, I would ensure I was talking to someone of management level, not just anyone. Giving the password out (if you know it) to anyone can open you up to legal issues (breach of security). In cases when I know the password, I just give it to them after the proper authorization has been provided (they prove they are management level approved to have root access). However, if the client was a pain to work with, I would plead ignorance. How am I supposed to remember dozens of passwords for dozens of clients? I keep them in my palm pilot, and when you stopped being a client, I deleted the entry.

Most of the time, the client is just looking for the easy way out, and they see you as the easy way out. They don't feel comfortable calling a former employee so they call you. Tell them sorry, don't have it, please try to contact a former employee who did have access and request their password. Do note to them that if push comes to shove, you can crack the password with the help of Novell (I avoid using other people's password cracks in front of clients). If you haven't done it the Novell way, you just place a call to NTS, they send you a tool called ACLUTIL.NLM. You run it, it gives you a challenge string, NTS gives you a response string and voilà, you have a new user with ACL rights to root. Not sure on your partner status, but NTS calls are around $400, the cost goes to the client on top of your consulting fee. This tool will not work through any remote console tool I have used (RCONJ, RCONSOLE, FreeCon), you must be at the physical terminal. So the client will need to fly you out if they want you to do this. Huge cost on their part for a password. So in the end, they will muster up the courage to call that former employee who is pissed off at MCI/Worldcom for laying them off and ask them for their password.

BTW, nice web page. I like the format


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [rainbow]
Senior Network Engineer
 
All, thanks for the advice. Brent, thanks for the advice and also for the kudos on the web page. I will post a summary of what happens, if anything. I am a Gold Partner now so I do get some freebie tech incidents (I only give them away free to my "Preferred" clients, not ex-employers)

In all honesty, I could easily go in and crack the password, or break in via several methods, some of which have been mentioned. But that is not the issue here. It's more of an ethical and legal issue.

The point is, they are looking for an easy solution to a problem that they created. They are looking for me to provide an easy answer, which is a privilege they lost when they terminated the contract. Before they cut me from the contract, I saw several of my friends go in the same manner, and several of them got the same type of requests. I never felt it was fair to go to an ex-employee, and was upset that they abused the ex-employee relationship the way they did.

Anyway, since the contract ended several months ago, how can I possibly remember a password that was randomly created in the first place? And secondly, I renamed the Admin user to something that I also can't remember, plus I don't remember the specific tree structure. (I am very focused on security, so I generally take steps to ensure a system can't be compromised)

Furthermore, MCI is notorious for cutting their IT staff while still running production systems. They've done it time and time again. They should learn not to do that.

Stay tuned... this will most likely be very interesting as it unfolds.

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
In light of the above, I would be professional to the end and explain the security placed on the system. I agree totally with TheLad - watch out if you decide to play with them as it can indeed come back and bite.
 