So, you and your employer are not on good terms anymore and you think it is payback time? Here is a beginner's guide to expressing disagreement.
Disclaimer: the article does not focus on the moral and legal side of the issue; the focus is purely technical.
Note: a complementary article for employers will follow shortly, but if you're sharp enough you can derive the protection methods from this information.
The options vary, but if you're in the IT industry, the common choices are:
- change all the passwords and do not disclose them;
- delete all the data;
- encrypt all the data;
- apply subtle changes to the system configurations, so that they seem to be working right, but somewhere deep inside a problem is waiting to happen;
- share private data with your employer's worst enemy.
Change all the passwords
It is a matter of time before they find a new person who knows how to apply the password reset procedure - most (if not all) systems have one. Sometimes it is as easy as reading the manual (which they should've told you to write in the first place) and following the instructions.
As an IT expert, you are aware of the fact that if someone has full physical access to a system - they can override pretty much every security measure.
- it is a matter of time before they reclaim access to the resources. Since the bridges are already burnt, your image suffers badly and your future employment opportunities look rather dim. You gained nothing.
- easy to implement;
- it is more difficult and time-consuming to get past this if there are remote resources (e.g. servers) controlled by other companies, in other time zones;
- once they get everything back and sue you, you can say "I didn't want it to be serious, so I chose this trivial method" [then pray they'll buy that].
Delete all the data
This is a better approach, because in this case there is nothing to recover. They can have the passwords for every server, the key for every door - but there is nothing to be found behind any of the doors.
- there are backups, you'll have to delete those too, thus there is more work to be done;
- there are data recovery techniques, and you'll have to make sure they won't work:
  - destroy the data (crash the hard disks; burn the DVDs, literally);
  - wipe the data - wiping is the process of deleting data, then overwriting it with other data, to prevent recovery software from being able to retrieve the original files. Despite the belief that you need multiple overwrite passes to make a file impossible to recover, even one pass is good enough.
- the more time passes since the files were deleted, the more difficult it is to recover them. The employer will feel a lot of pressure because they have to do everything fast, or they'll have to disrupt the service for a while. This should make it evident for them that they should've given you the raise you asked for, it would've cost them less;
- if you were unprofessional enough to not make those regular backups, the employer will understand that they made more mistakes than they originally thought, one of them being that of employing you in the first place.
Encrypt all the data
This is an extension of the previous method, and it is psychologically more aggressive, because this time they know they have the files, and "all they need" is the password. This gives them the false feeling that they're almost there.
- encrypting data takes time, especially if there are large amounts of it;
- you may be foolish enough to use an encryption program that has backdoors in it - which makes your effort useless;
- the employer may have keyloggers installed on your systems, thus they will be able to find the password - rendering the exercise useless again;
- if you use a weak password - they can guess it or brute-force it.
- the method is meaner than simply deleting the data;
- even if they have full physical access to the system - it does not help them;
- if you are sure that you are using the best encryption program that does not have any backdoors and employs the best encryption algorithm, you're safe;
- if you use a smart card to encrypt the data, any brute-force or dictionary attack attempts will be futile.
Apply subtle changes to the system configurations, etc.
If you need an example of this, remember the movie "Office Space" to get an idea about how this is done.
- they won't know you've had them, because these backdoors are so subtle - thus you lose some of the moral satisfaction;
- when the new guy shows up, it may take a long time until the flaws are revealed (especially if you were insightful and weren't kind enough to document what you were working on, making it difficult to understand the system you left behind);
- you can exploit these flaws for many years, and perhaps get some benefits out of it. If you're not greedy and keep everything below the radar, you may never get caught.
Share corporate secrets with the competition
If you are not bound by an NDA, they won't be able to use this against you.
- if you don't keep this low-profile, future employers won't be able to trust you, and your career may not get far from where you're standing.
- if there were no NDAs, technically you succeeded in making them suffer without breaking the law.
All the methods above have one thing in common - you'll have to pay for it sooner or later, and there is no approach that enables you to get away scot-free.
I do not encourage employees to cheat their employers (and vice-versa); I consider direct dialogue the best way to solve a problem, as well as to prevent it from happening in the first place. This article must not be used as legal advice.