Legality of decrypting passwords



onthax@gmail.com
06-30-08, 07:48 AM
Hello,

I am having an argument with a coworker, who thinks it is fine to
decrypt users' passwords to migrate files, as it is faster and more
convenient than having the users resetting their passwords.

I am sure this is almost never necessary, is a horrible invasion of
privacy, and quite possibly illegal.

Can anyone shed light on if this is legal or not, and if signing away
your data to the company would extend to them having the right to
decrypt your passwords?

Any legal cases would be extra useful

Cheers

Leythos
06-30-08, 10:28 AM
In article <dfba3ce1-64df-48b6-9872-05116c7954f6@m45g2000hsb.googlegroups.com>, onthax@gmail.com says...
> Hello,
>
> I am having an argument with a coworker, who thinks it is fine to
> decrypt users' passwords to migrate files, as it is faster and more
> convenient than having the users resetting their passwords.
>
> I am sure this is almost never necessary, is a horrible invasion of
> privacy, and quite possibly illegal.
>
> Can anyone shed light on if this is legal or not, and if signing away
> your data to the company would extend to them having the right to
> decrypt your passwords?
>
> Any legal cases would be extra useful

What does company policy say?

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Juergen Nieveler
06-30-08, 01:38 PM
onthax@gmail.com wrote:

> I am having an argument with a coworker, who thinks it is fine to
> decrypt users' passwords to migrate files, as it is faster and more
> convenient than having the users resetting their passwords.

Why so complicated?

Give yourself admin rights to the folders and move them - the only
reason I could think of why you'd need to do this as a user is to take
ownership of files AFTER you accidentally made the admin the owner
(there's ways around that usually).

Speaking of which - does anybody know a good command line tool that
will take ownership of files from the login script?

Some of my users have files that belong to the same user, but from a
different domain - leftovers from a domain migration. Not an access
problem, the user doesn't even notice, but it messes up with quotas :-(

Juergen Nieveler
--
Door: Something a cat wants to be on the other side of

David H. Lipman
06-30-08, 03:41 PM
From: <onthax@gmail.com>

| Hello,

| I am having an argument with a coworker, who thinks it is fine to
| decrypt users' passwords to migrate files, as it is faster and more
| convenient than having the users resetting their passwords.

| I am sure this is almost never necessary, is a horrible invasion of
| privacy, and quite possibly illegal.

| Can anyone shed light on if this is legal or not, and if signing away
| your data to the company would extend to them having the right to
| decrypt your passwords?

| Any legal cases would be extra useful

| Cheers

As Leythos indicated this would be based upon company policy.

The person migrating the files should NOT impersonate the user. They should
have Administrative rights to perform this function.

If a person can relatively easily decrypt a password, the password is NOT strong enough!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman
06-30-08, 03:43 PM
From: "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de>

| onthax@gmail.com wrote:

>> I am having an argument with a coworker, who thinks it is fine to
>> decrypt users' passwords to migrate files, as it is faster and more
>> convenient than having the users resetting their passwords.

| Why so complicated?

| Give yourself admin rights to the folders and move them - the only
| reason I could think of why you'd need to do this as a user is to take
| ownership of files AFTER you accidentally made the admin the owner
| (there's ways around that usually).

| Speaking of which - does anybody know a good command line tool that
| will take ownership of files from the login script?

| Some of my users have files that belong to the same user, but from a
| different domain - leftovers from a domain migration. Not an access
| problem, the user doesn't even notice, but it messes up with quotas :-(

| Juergen Nieveler
| --
| Door: Something a cat wants to be on the other side of

I think xcacls.exe is a utility you are looking for from the Resource Kit where you can
take "ownership" of the files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

onthax@gmail.com
06-30-08, 06:57 PM
On Jul 1, 3:38 am, Juergen Nieveler <juergen.nieveler.nos...@arcor.de>
wrote:
> ont...@gmail.com wrote:
> > I am having an argument with a coworker, who thinks it is fine to
> > decrypt users' passwords to migrate files, as it is faster and more
> > convenient than having the users resetting their passwords.
>
> Why so complicated?
>
> Give yourself admin rights to the folders and move them - the only
> reason I could think of why you'd need to do this as a user is to take
> ownership of files AFTER you accidentally made the admin the owner
> (there's ways around that usually).
>
> Speaking of which - does anybody know a good command line tool that
> will take ownership of files from the login script?
>
> Some of my users have files that belong to the same user, but from a
> different domain - leftovers from a domain migration. Not an access
> problem, the user doesn't even notice, but it messes up with quotas :-(
>
> Juergen Nieveler
> --
> Door: Something a cat wants to be on the other side of

Moving to a new mailsystem that uses different crypt functions for
example.

Not interested in company policy, but the law.

Todd H.
06-30-08, 10:21 PM
onthax@gmail.com writes:

> Moving to a new mailsystem that uses different crypt functions for
> example.
>
> Not interested in company policy, but the law.

Well, the law sorta hinges on what employees have been told to expect,
so if you aren't interested in company policy, you should be.

This is an evolving area, and courts are defining the interpretations
of the laws.

The recent text messaging privacy ruling was the basis of this
interview, but a lot of employer/employee privacy issues are still
evolving, so anyone who tells you here what "the law" is is likely to
be on the wrong side of an issue depending on how some court rules.
The law on this stuff is a lot more malleable than you might expect, it
seems.

Have a listen to this interview from this week, and you'll hear from
this law professor that employee expectations of privacy do factor in
what policies they've agreed to upon becoming employees.

http://www.npr.org/templates/story/story.php?storyId=91975527

Best Regards,
--
Todd H.
http://www.toddh.net/

\Reb\ Ruster
07-01-08, 04:08 PM
On Mon, 30 Jun 2008 05:48:15 -0700 (PDT), onthax@gmail.com wrote:

>Hello,
>
>I am having an argument with a coworker, who thinks it is fine to
>decrypt users' passwords to migrate files, as it is faster and more
>convenient than having the users resetting their passwords.
>
>I am sure this is almost never necessary, is a horrible invasion of
>privacy, and quite possibly illegal.
>
>Can anyone shed light on if this is legal or not, and if signing away
>your data to the company would extend to them having the right to
>decrypt your passwords?
>
>Any legal cases would be extra useful
>
>Cheers

It's not illegal, but it's immoral and probably fattening.

Unruh
07-01-08, 05:39 PM
Tell us which company you work for so we can all avoid it.
a) you should not be able to decrypt the password. What kind of bad system
do you use?
b) It may be illegal, and it may definitely be against company policy.

onthax@gmail.com writes:

>Hello,

>I am having an argument with a coworker, who thinks it is fine to
>decrypt users' passwords to migrate files, as it is faster and more
>convenient than having the users resetting their passwords.

>I am sure this is almost never necessary, is a horrible invasion of
>privacy, and quite possibly illegal.

>Can anyone shed light on if this is legal or not, and if signing away
>your data to the company would extend to them having the right to
>decrypt your passwords?

>Any legal cases would be extra useful

>Cheers

Goliard
07-02-08, 07:55 PM
It does indeed depend on company policy and goes far beyond that.

By the mere fact of employment you have agreed to abide by and are bound by such policy. To the extent you may be financially and/or criminally held responsible for loss, destruction, theft or subversion of information.

Which as a general rule also contractually includes a provision that any and all information on company computers and/or computers of homeworkers, owned by employees used for business as a term of their employment, is the property of said company.
May be accessed by any person or persons the company allows, by any legal means, at any time the company desires, to be done with as they see fit.

Up to and including allowing law enforcement access to inspect content of all employees' computers without warrant or foreknowledge of said employees.
Information derived from such inspection may be used to obtain warrant of arrest for and as direct unsuppressible evidence in criminal prosecution of employees. Without the encumbrance of having to obtain a warrant or concern for privacy rights of the individual in question to acquire such information.

So states the Supreme Court after review of a statute in the Patriot Act. Enacted into law by our Lord and Master G.W. Bush on March 9, in the year of our Lord 2006

In layman's terms you're one stupid MF if you put "any" personal information on a company computer or a home computer used for company business...