Downsizing Insurance (Spring, 1997) ----------------------------------- By Hans Gegen You can buy insurance for just about anything these days. Some kinds of insurance, however, are better procured at home...or in the office. In an increasingly worker-hostile business environment, it's best to have something on hand in case disaster strikes. I don't recommend doing anything illegal. But your employers should be vaguely aware that if they let you go arbitrarily, there will be consequences. I once watched a coworker clean out his desk after being let go. He was so angry about what happened he was stuffing pens, calculators, note pads, and staplers in his bag. This was fairly pathetic. In the end, even a few hundred dollars worth of office supplies won't be missed. If you want to be really missed, make a "fire kit." Before I get into specifics, I want to stress that you should begin working on your fire kit long before you're put on the death watch. So start today. In fact, start poking around the corners of the company's networks and file cabinets for sensitive material as soon as you're hired. Watch what comes in on the fax machine. If you see the president's assistant photocopying something, distract him or her so that they leave the original in the machine. This leads me to your second tactic: plausible deniability. It's worked for the CIA for 50+ years, and you can make it work for you! Yes, if you're going to be caught nosing around somewhere where you shouldn't be, it's important to have an alibi ready and a good one at that. Boss: "Why were you digging around in the file servers?" You: "What's a file server?" Boss: "The place where all of our computer files are stored." You: "Oooh. That. I'm sorry, I'm new! I'm still trying to figure out where my predecessor's memos are stored." Boss: "Oh. Here, let me show you." (A note on my imagined dialogue: It's important to your credibility to understand how your co-workers perceive your computer savviness. If they know that you can recompile Linux kernels on a unicycle, then you're not going to be believed. So, if you're going to play dumb, stay dumb to the outside world. Once caught, be warned that you have already started a trail.) Approach all of your actions as if you were prepared to explain it to a jury (just hope that it doesn't come to that!). The key is believability, and someone who has a clear and precise recollection of events will be most believable. In short, don't make enemies, make notes. Step One: Collecting Sensitive Information With these precepts in mind, you should begin your fire kit. What's in a fire kit, you ask? Well, basically anything that will make your company worse off without you than with you. This can translate into actual documents/intelligence that your company would not want you taking with you as you're being escorted to the door on your last day. I work for a building maintenance firm in downtown Philadelphia. Some of the components in my fire kit are: * Rates charged clients. * Contracts/proposals. * Personal contact databases. (ACT! databases, for example, are often networked. If you're careful not to leave a trail, you can get client notes and histories for all of your company's clientele in one fell swoop!) * Pay records. This makes your boss real nervous. * Future business plans. * Lotus Notes archives. * Potentially embarrassing e-mails authored by your superiors. (For example, your boss confides in an e-mail that they've overcharged a client.) * Just about anything that your company's competition will drool over. Step Two: Making Your Successor's Job Impossible Your fire kit can also consist of nothing more than a systematic effort to make your successor's job impossible. If this is done carefully, your company will genuflect every time your name is mentioned. ("Why did we let go of Hans? He was the only one who could do this job!") If, however, they suspect that you intentionally destroyed data that your co-worker needed, they will curse and spit at any mention of your name. The key is to leave behind a work trail that is organized but extremely idiosyncratic. It doesn't hurt to add a few surprises. Here's what you can do: * Encrypt everything - but "forget" passwords. * Lose file layouts for any data dumps. (My predecessor did this to me!) * Create slight, but significant errors in your personal files. Careful with this. They can be minor, go into your contact manager and change the zip code of the company address of your major client so all of your successor's letters of introduction never arrive. Or they can be major, transpose quoted rates in your notes to indicate that you gave the client a 52 percent discount instead of a 25 percent discount. This will affect only those people who are using your notes to continue a business relationship. Remember to keep track of your "errors" in your fire kit. * Organize data into extremely complex directory structures. Embed directory after directory. Give them mysterious and useless names. Keep the key to these structures in an analog notepad, and put that notepad in your fire kit. The Big Day So the day of the merger has arrived and people are being called into the boss s office one by one. Your entire office has been deemed redundant and the pink slips are flying like a tickertape parade. It's time to put your kit into motion. There are a few questions to consider: What do I turn in on my last day? Some companies will not process your last bonus checks, expense reports, or even paychecks if you do not turn in certain files in a timely manner. This is largely a response to having salespeople take their rolodexes with them as they leave the company. I won't get into the legal aspects of who owns this information. You'll probably end up giving them the information. So what? The important thing is that you give your company the wrong information. Keep a "shadow" rolodex complete with incorrect rate quotes, inaccurate notes, and not-so-glaring omissions. You want the Rolodex/address book to be considered the real thing until those last checks come through. You will have no choice but to turn in your computer, of course. If the company is smart (which is not a sound assumption), they will be primarily interested in what's sitting on your hard drive - the value of the computer itself will evaporate in two fiscals. So keep your hard disk lean. Keep the applications on the disk, but keep the data with you. Don't put data on the company network if possible, because networks are usually backed up on a regular basis. If you keep files on floppies (or better yet, a 100MB ZIP disk) you're ready to roll. And always remember, intentionally destroying data is illegal. Before you give up your computer, however, make sure to do one thing. If you take nothing else away from this article, take this: wipe out the slack and unused space on your hard drive. For those of you who don't understand the mechanics of disk drives too well, let me briefly explain. When you delete a file, you are not necessarily wiping the files off of your hard disk. Rather, you are wiping the location of the file from the FAT (file allocation table), so the disk operating system does not know where to look for the file. The one's and zeroes that make up the file are still on the hard disk. Utilities such as Norton's UnErase can do a pretty fair job of recovering "deleted" files. Therefore, those embarrassing e-mails, resume drafts, and otherwise sensitive data that you thought went down the bit bucket are still there. There are utilities such as COVERUP.COM that will actually write random garbage over the disk, making full recovery of erased data nearly impossible. (I've read that it is extremely difficult to completely obliterate a file from a hard disk. There are companies out there that do nothing but recover such "irretrievable" data - their techniques are jealously guarded trade secrets.) Unless you're working for the DoD, however, COVERUP should do a pretty good job of wiping data from your hard disk. Where do I keep this stuff? Keep your kit on floppies and keep the floppies with you. Use PKZIP to crunch down the file sizes. It's best to use the encryption flag on PKZIP when doing so. Also, don't do something dumb like name these files SECRETS.ZIP. If you are taking hard copies with you, don't wait until your last day. You may not have the opportunity to get anything out of the office. Also, have a system-formatted disk with COVERUP and viruscreating software on hand. What do I do with this stuff once I ve been fired? This, of course, is the question to answer. My only concrete advice is to be careful. If you lead a trail back to yourself, you may have more than a career in the toilet, you could be facing criminal charges. It's important to remember that when you leak information, the first thing your company will want to do is figure out who is leaking. If you were recently let go, guess whose door they will knock on first. That's why it's important to set this up long before you are put on the death watch. For instance, what if some sensitive files mysteriously disappear when you are still in good graces with the company, but John Doe has been recently let go? If that material leaks, it's plausible that the material was leaked by John Doe. Take advantage of any strange opportunities. If you're willing to take the risk of exposing yourself, here are some ideas: * Send your company's main competitor an anonymous "care package" chockfull of your company's secrets. * Better yet, if you include an anonymous cover letter in the care package, cc your boss! (If you do this, you don't even have to send the actual package! Your company will go into freefall mode regardless! Imagine your boss talking to his competitive peer, trying to figure out what he knows!) * Hold onto it so you can have leverage over your old company in case you're hired by the competition. * Destroy it. If you're the only source of this info, then their cost-cutting maneuver of downsizing you will end up costing them lots! Rule of thumb destroy/wipe anything that they don't know exists. Don't destroy files that they know you filed every week for three years. * If the information is embarrassing, blow the whistle. (You should probably do this anyway.) Drop your local muckraking news team that bit of sensitive e-mail that came your way (please use an anonymous remailer). The material may not even be that bad - let the news team decide. If you have hard proof, they will be interested. In my company, engineers have been falsifying reports to the city for years. "Someone" in my company right now has the ability to let the city know tomorrow if the need arises! Whatever you do, don't post information to the Internet. In some ways, it's easier to have something done on the Net traced back to you than by analog means. Besides, it's probably better if we didn't make the Net vulnerable to misguided media attacks for a while. Conclusion The goal of your fire kit is to make your company regret its decision to let you go. But it's important to keep your company from realizing that you are the cause of any "irregularities" that occur after your departure. Let them think they fired a hard-working saint. If enough of us do this, employers will have to reconsider our country's legendary "workplace flexibility." So start building your fire kit today. Be on the lookout for any sensitive material early. Make notes of any events or comments that will be potentially damaging to your employers. Stay believable. Keep your documents on media that you take with you on the day of reckoning. Make your successor's job impossible. Last, if you're going to be vindictive, be careful. Don't let the indignity of being downsized make your actions sloppy.