On Fri, Nov 11, 2011 at 03:11:17PM -0500, Sam R wrote:
> The problem comes if he, like so many people, reused the laptop password
> somewhere else and says, "Um, no. Sorry." because that would give us
> access to more than just the home directory. The Company CEO is of the
> opinion that this is company property, the password is part of the
> property, the ex-user has to divulge it. A nice legal theory, I just don't
> know if it holds up to common practice[2].
If it were my company? I'd figure the data was gone and just wipe the drive. It avoids all sorts of privacy/ethical dilemmas. People are going to do personal stuff on the laptops you give them; there really isn't much you can do about that.

Also, in my experience? Stuff on the user's laptop isn't particularly useful without the user to explain it. As a business owner, I periodically attempt to do the tasks that I hire other sysadmins to do, and I verify that the process is documented enough that I can figure it out if they leave. Getting employees to write good documentation is a good first step, but much like a backup, it doesn't count until you've tested it.

Personally, if there was something on the drive I wanted? I'd ask the person to come by and extract the data I need for me. If they were remote, I'd ship 'em the laptop and ask nicely, maybe offer an hour or two of consulting wages. If I wanted the whole image, I'd ship 'em the laptop and an external drive: "Decrypt this and put the resulting files on this external drive." Alternately, especially if it's an odd laptop that others don't want, instead of a consulting fee tell 'em they can keep the laptop if they decrypt and send you the files on it. That way, I'd get the data I need, and they'd get to delete the furry porn or whatever it is on the hard drive they don't want me seeing. Everyone wins.

I mean, this assumes you trust the person not to mess things up, but honestly? How careful are you about back doors? I think that it's really hard to get away from the reality that you trust people that have root, even after you fire them, so be nice.

Now, if you are of the opinion that breaking into the laptop is ethically an okay thing to do, and that you absolutely can't trust the fired employee with the data? (And I can see that argument, too; I disagree, but I can understand the argument.) 99% of the time, a user with an encrypted home directory uses their login password to encrypt that home directory. If you have the hash, it's trivial to brute force most passwords; so you can brute-force the login password, then try that on the encrypted drive. Of course, if the user was the smart one percent and used a different password to encrypt the disk, I have no idea how difficult it would be to brute force that. I would hope much more difficult than brute-forcing a regular password hash, in which case, you might be out of luck if the user doesn't cooperate.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
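The point made at the end of the reply above, that a reused login password makes the encrypted home directory only as strong as the login hash, can be put into numbers. The script below is an added example written for this thread, not code from the original poster or from any of the tools mentioned; it models the cost of a single guess under a cheap hash versus a slow key-derivation function and extrapolates to an expected guessing time for two scenarios: an 8-character login password reused for the home directory, and a separate 16-character passphrase protected by PBKDF2. The salt, iteration counts, alphabet size, password lengths, single-core assumption and all function names are assumptions chosen for illustration.

```python
"""Cost model for guessing a password-derived key.

Added example, not from the original thread.  It contrasts how cheaply a guess
can be tested against a single hash pass with how expensive a guess becomes
under a slow KDF, to show why a separate passphrase for the encrypted home
directory, and a slow KDF in front of it, matter.  Every constant below is an
assumption chosen for the demonstration.
"""
import hashlib
import time

SALT = b"constructed-salt-value"  # constructed sample salt, not from any real system


def fast_hash(password: bytes, salt: bytes = SALT) -> bytes:
    """A single salted SHA-512 pass: cheap to compute, so cheap to test guesses against."""
    return hashlib.sha512(salt + password).digest()


def slow_kdf(password: bytes, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA512: every guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)


def seconds_per_guess(fn, samples: int = 20) -> float:
    """Average wall-clock cost of one guess with `fn` on this machine (single core)."""
    start = time.perf_counter()
    for i in range(samples):
        fn(b"guess-%d" % i)  # constructed candidate strings, content is irrelevant
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def expected_crack_seconds(space: int, secs_per_guess: float) -> float:
    """Expected time to hit the right candidate: on average half the keyspace is tried."""
    return space / 2 * secs_per_guess


def compare(login_len: int = 8, passphrase_len: int = 16, alphabet: int = 62) -> dict:
    """Expected single-core guessing time (seconds) for the two scenarios in the thread:
    a reused login password behind a fast hash, versus a separate, longer passphrase
    behind a slow KDF.  Lengths and alphabet (62 = [A-Za-z0-9]) are assumptions."""
    fast = seconds_per_guess(fast_hash)
    slow = seconds_per_guess(lambda p: slow_kdf(p, iterations=100_000), samples=5)
    return {
        "reused_login_fast_hash": expected_crack_seconds(keyspace(alphabet, login_len), fast),
        "separate_passphrase_slow_kdf": expected_crack_seconds(keyspace(alphabet, passphrase_len), slow),
    }


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name}: ~{secs / 86400 / 365:.3g} years of single-core guessing")
```

The measured per-guess cost is whatever your CPU gives, so the absolute years printed vary; what stays constant is the ratio, and it is that ratio (longer, separate passphrase times a deliberately slow KDF) that turns "trivial to brute force" into "out of luck without the user". The same model also makes clear why the login hash itself needs a slow, well-parameterised KDF, since a cheap hash lets an attacker recover the reused password first and skip the encryption entirely.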
