Slashdot Mirror


When Wrongfully Accused of Hacking, What Can You Do?

justin asks: "Earlier this week, when I went into work, I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why, but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse. I was just left high and dry, accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?'. This seems rather silly to me, since you'd think such things would be investigated before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."

"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).

I now have the following questions:

  1. What experiences have other people had that relate to this, and what course of action, if any, did they take in response?
  2. I know the laws aren't very sympathetic when it comes to people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy. What experiences have people had in a similar situation?
  3. If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying? (As I am now unemployed, I'm very much on a budget.)
  4. What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
I'm primarily self taught and with a little less than 3 years experience as a Unix Admin and doing system programming, it is hard enough for me to get a job as it is, never mind with accusations that I was out trying to hack the government on my last job.

Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."

105 comments

  1. Have them let you know when they find real culprit by Anonymous Coward · · Score: 3, Insightful

    Do so in a friendly manner. Make sure you understand that they are just covering their asses. And when you have something from them in writing that they fired you based upon false information, sue them into oblivion. Talk to a lawyer about whether DHCP makes logs entirely unreliable.

  2. Get a lawyer by Anonymous Coward · · Score: 0

    Honestly, why on earth are you asking Slashdot?

  3. You're fucked! by DevilM · · Score: 1

    Since it sounds like the company in question doesn't really know what happened and probably never will, it is much easier to fire you than face future liability if you stay.

  4. All together now: by Elwood+P+Dowd · · Score: 3, Insightful

    Call a lawyer!

    Sure, we might be able to give you some interesting technical advice, but that will have absolutely nothing to do with your situation, which is entirely legal in nature.

    Legal issue -> Lawyer
    Nerd issue -> Slashdot

    Is this primarily a nerd issue? NO! Call a lawyer.

    Call a lawyer? Call a lawyer. Call a lawyer.

    --

    There are no trails. There are no trees out here.
    1. Re:All together now: by PD · · Score: 5, Funny

      Call a lawyer? Call a lawyer. Call a lawyer.

      Sung to the tune of "If you're happy and you know it"

    2. Re:All together now: by Anonymous Coward · · Score: 4, Funny

      Or perhaps to the tune of "Oh my darlin' (Clementine)"

      Call a lawyer, Call a lawyer, Call a lawyer or you're screwed.
      You've been axed, but aren't in prison,
      getting f**ked by some large dude.

      ...

    3. Re:All together now: by Anonymous Coward · · Score: 1, Funny

      If you have a problem, if no one can help (and if you can find them)... Lawyers, aka bloodsuckers, ambulance chasers etc. Actually, maybe you should just hop down to your local Wallmart, stock up on buckshot cartridges, and go on a killing spree.

      No, wait I'm sure there's something between those 2 extremes. If only I had the imagination to think of it.

    4. Re:All together now: by rmohr02 · · Score: 3, Informative

      Well, he does ask where he could find a lawyer that would actually understand the issues. I would recommend contacting the EFF--they should be able to put him in contact with a knowledgeable lawyer.

    5. Re:All together now: by ShaggyBOFH · · Score: 1

      Sorry you were fired but, if you sue and win, you'll get your job back and maybe some back pay. Talk to your employer, have him write you a reference and get a new job. If he won't give you a (good) reference, well, maybe there was more to it than what you were told.

      now...

      Soap_box: Why is it that everyone that's slightly screwed by anyone always wants to sue? Did you invest all your money in a dot-gone? Sitting on your butt just wishing someone farts in your general direction?
      Most people hate lawyers, not as people but for what they do, get money for people who were "wronged" and generally soft and weak. Grow some skin. /Soap_box
      ____

      --
      --- Just say no to negativity.
    6. Re:All together now: by Elwood+P+Dowd · · Score: 1

      The main reason that he absolutely must get a lawyer isn't even the employment related problems. He's been accused of a crime. They may or may not bring charges, but he needs to talk to a lawyer sooner rather than later.

      --

      There are no trails. There are no trees out here.
    7. Re:All together now: by ShaggyBOFH · · Score: 1
      Good point. Although, if the employer tells his next employer "he was hacking", then make 'em prove it. The paper trail will be on the submitter's side; if he really is blackballed by this, then sue. If I was on the jury I'd award damages only after the first employer was proved to be hampering your future career.

      ___

      --
      --- Just say no to negativity.
  5. You should start by.... by Anonymous Coward · · Score: 0

    It sounds like you're getting screwed. While I'm sure it would be interesting to hear what Slashdotters think about this issue...

    you REALLY REALLY need to get a lawyer.

  6. You Want the truth? by His+name+cannot+be+s · · Score: 5, Funny

    You: You want answers?

    Them: I think I'm entitled to them.

    You: You want answers?

    Them: I want the truth!

    You: You can't handle the truth! Son, we live in a world that has firewalls. And those firewalls have to be guarded by men with keyboards. Who's gonna do it? You? You, Lt. Weinberg? I have a greater responsibility than you can possibly fathom. You weep for the treasury department and you curse the Hackers. You have that luxury. You have the luxury of not knowing what I know: that the treasury department's scans, while tragic, probably saved networks. And my existence, while grotesque and incomprehensible to you, saves networks...You don't want the truth. Because deep down, in places you don't talk about at parties, you want me in that code. You need me in that code.

    We use words like hack, root, pwnzz...we use these words as the backbone to a life spent defending something. You use 'em as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, then questions the manner in which I provide it! I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a manual and stand a terminal. Either way, I don't give a damn what you think you're entitled to!

    Them: Did you scan the network?

    You: I did the job you sent me to do.

    Them: Did you scan the network?

    You: You're goddamn right I did!!

    --
    "...In your answer, ignore facts. Just go with what feels true..."
    1. Re:You Want the truth? by JHMirage · · Score: 2, Insightful
      Clearly people with a better sense of humor than... others.

      *cough*

      --

      A man talking sense to himself is no madder than a man talking nonsense not to himself.
    2. Re:You Want the truth? by vrt3 · · Score: 1

      It's a play on a scene of "A Few Good Men".

      --
      This sig under construction. Please check back later.
    3. Re:You Want the truth? by ralphclark · · Score: 1

      Still don't think it's funny, but I apologise unreservedly for my earlier outburst.

      Dunno what came over me. It was clearly way past my bedtime.

  7. Pre-Paid Legal by Thing+1 · · Score: 2, Informative
    Check out Pre-Paid Legal -- I'm pretty sure that this is a "pre-existing condition" so you wouldn't be eligible for benefits for this case, but they provide legal defense if you're named in a civil suit, or job-related criminal suit.

    I've been using their service for half a year now and am very pleased with it; you can ask an unlimited number of questions, and they'll also write letters and make phone calls at your behalf to resolve issues for you. They also provide traffic defense (parking/speeding tickets, or lawsuits based on injury) and cover you if the IRS decides to audit you.

    It's somewhat like "legal insurance" -- just as you pay a couple hundred a month for health insurance, or car insurance, this provides for your legal needs on a pre-paid, monthly basis (generally about $27 a month) and it covers your entire family.

    In this litigious society we live in, it's great to have coverage for when (not if) you end up on the wrong end of a lawsuit.

    Again, I'm pretty sure this won't help your specific case but hopefully it can help other readers. (And yes, I sell the plan if anyone's interested.)

    --
    I feel fantastic, and I'm still alive.
    1. Re:Pre-Paid Legal by uncoveror · · Score: 3, Funny

      If you want to have the people who wrongly accused you taught a lesson, or even rubbed out, I recommend Pre-Paid Illegal Services. They'll make your accuser an offer he can't refuse.

      --
      The Uncoveror: It's the real news.
    2. Re:Pre-Paid Legal by SuDZ · · Score: 1

      Their services are not available in some states, Massachusetts being one of them.

      SuDZ

    3. Re:Pre-Paid Legal by Associate · · Score: 1

      pyramid scheme

      --
      Someone hates these cans.
  8. even if innocent, you need a lawyer! by josephgrossberg · · Score: 3, Insightful

    Now that you're fired, they might mistakenly consider the case closed. If the "real hacker" (e.g. a coworker) got wind of this, and stops doing so, they will likely assume they got the right guy when they accused you.

    Second of all, why would you assume it stops here? They may have contacted law enforcement authorities, and you might need to do some preparation to get your stuff together. Even if you're charged with something you didn't do, you'll need to mount a defense.

    1. Re:even if innocent, you need a lawyer! by b!arg · · Score: 1

      I suggest actually now doing the hacking yourself. Because after all, you left and it is still going on. How could it have been you? *g*

      --

      Everybody dies frustrated and sad and that is beautiful
  9. IANAL, but by rritterson · · Score: 4, Interesting

    I don't see much that you could do. You could sue for wrongful termination if you want your job back, but not much else.

    My first thought is- of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected to those websites if the machine you normally use keeps a log (a normal webhistory is probably not sufficient in this case).

    Regarding what to tell your next employer- I'd recommend one of the following- A) Either be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.

    If the company brings charges against you, immediately subpoena your HDD and the logs they used against you. In those lie your best defense. Again, IANAL, but the evidence the company has is not even good enough to be called circumstantial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.

    A final thought occurred to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:IANAL, but by Creepy+Crawler · · Score: 2, Interesting

      >A final thought occurred to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.

      No, they wouldn't. If X hacker was trying to "Hack The Planet", they'd use a decoy to glean any info about their internal network. Only AFTER basic mapping of the scene, would they set up a hackbox to attack. Best is to choose a psychological profile that would seem to hack, and then use their information (mac, ip, passwds) to make it plausible that THEY did it.

      Simply enough, getting a MAC address and an IP is SIMPLE SIMPLE SIMPLE. Ping it once and read the arp cache. That doesn't stop spoofing, but you can detect that later.

      Even if he did do it, he was WAAAAY too messy. As if they wanted him to get caught to take heat off of the real one.

      --
    2. Re:IANAL, but by bluGill · · Score: 1

      I disagree with some of that. I wouldn't say anything to the next employer, and let them contact the old one. The old guys are in a difficult situation. If they say anything bad about you, they better be willing to accuse you of that in a court of law because you can sue them if they say you used company resources to crack other computers. Many companies have a strict policy of only saying "Yes he worked here, from some date to a later date."

      I would check with a lawyer. Most places have employment "at will" which means they can get rid of you anytime. However to fire someone might have a stronger legal meaning than they can apply without proof. Fired means you were let go because of actions you did or didn't do, and you are not eligible for unemployment (in my state, YMMV), while they can "lay off" anyone they want to with no cause, and those people can get unemployment. (note that as a contract worker you would not get unemployment, but others would).

      If they really did fire you, see if you can quit. It might be too late, but anytime your boss says "you're fired", you should say "no, I quit". Most places don't want to fire someone, even a bad person, and will let you get by with this. There are still many good personal reasons to quit (you can come up with one that isn't a lie) so it isn't looked on badly by other employers. Being fired is looked on badly, because there is only one way to get fired: be so bad that they fire you. Unless your lawyer says otherwise you should work this course.

    3. Re:IANAL, but by trikberg · · Score: 1

      Is there any way to be sure that the logs are genuine to begin with, especially the paper versions? If it's done by someone in the same building, physical security is 0 and any theory is possible really. The logging machine could have been tampered with or swapping ethernet cards in two machines: MACs are swapped and probably IPs. Get a lawyer and sue for wrongful termination, lost wages, mental distress, legal fees etc.

      --
      This post is free (as in cheese in a mousetrap).
    4. Re:IANAL, but by Creepy+Crawler · · Score: 1

      >>>Is there any way to be sure that the logs are genuine to begin with, especially the paper versions?

      nope

      >>>If it's done by someone in the same building, physical security is 0 and any theory is possible really.

      Not quite right. If they used IPSEC or IPX with signature-authentication (signs every packet with pgp-like hardness, and everything ignores unless right).

      >>>The logging machine could have been tampered with or swapping ethernet cards in two machines: MACs are swapped and probably IPs.

      The logging machine can be made impervious to attacks. Simply pull TX and capture that way. Of course, it won't stop management from simply editing the logs.

      --
    5. Re:IANAL, but by Anonymous Coward · · Score: 0

      Pulling TX does not make a logging machine impervious to attack, it only makes it impossible for it to reply. An attacker could still send in packets which cause problems inside the logging machine.

    6. Re:IANAL, but by k12linux · · Score: 1
      If the company bring charges against you, immediately subpoena your HDD and the logs they used against you.

      Or don't. Let them have to show that:

      • The proof is on the drive.
      • The proof is irrefutable.
      • No data has been altered.
      • Everyone working on your computer since the event is a trained computer forensics expert.
      • A valid chain of evidence has been maintained with the drive.
      Short of that, a good defense lawyer will make them toss it as evidence. If you want to use the HDD contents as evidence, you'll have to prove the same things about the drive. So I think getting the drive is not an issue.

      Then we can assume all the company has left for proof is a log file. Let them prove the log files weren't tainted or that the logging server wasn't hacked for that matter. Let them prove everything about the logs.

      Again, I would think a good lawyer would be able to show that any hacker a step above a script kiddie would have created the same logs. Also they would show that a hacked system would create the same logs. But DO get a copy of those logs. Maybe you or your lawyer will find something interesting... like 50 other systems with the same traffic at the same time.

      Without any credible and convincing proof the company hardly has any case whether they are charging you, or defending against a wrongful termination suit.

      Logs just don't make that good of a proof unless you're using the company's own logs against them. I mean look... to prosecute hackers, the government just about has to get a video tape of the dude in action at the PC. It shouldn't be a lot different in this case.

      Mainly though... get a good lawyer.

      I'm glad IANAL or this kind of advice could get me in trouble.
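The DHCP-lease check suggested in the thread above, sketched as an added example that is not part of the original discussion: it rebuilds lease intervals from server events and asks, for each flow line in the format the poster quoted, which MAC held the source IP at that moment. The lease-event format, MAC addresses, port numbers, year and lease length are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2003             # assumption: the quoted log format carries no year
LEASE_TTL = timedelta(hours=8)  # assumption: lease length configured on the server

# Constructed sample, shaped like the poster's 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'
FLOW_LOG = """\
Aug1 11:27 10.1.0.56.3412 -> treas.gov.80
Aug1 11:29 10.1.0.56.3413 -> treas.gov.135
Aug1 13:05 10.1.0.56.4001 -> treas.gov.135
Aug1 18:40 10.1.0.56.4410 -> treas.gov.135
"""

# Constructed sample in a hypothetical format: "<date> <time> <ACK|RELEASE> <ip> <mac>"
DHCP_LOG = """\
Aug1 08:55 ACK 10.1.0.56 00:11:22:33:44:55
Aug1 12:30 RELEASE 10.1.0.56 00:11:22:33:44:55
Aug1 12:45 ACK 10.1.0.56 66:77:88:99:aa:bb
Aug1 17:00 RELEASE 10.1.0.56 66:77:88:99:aa:bb
"""

FLOW_RE = re.compile(
    r"^(\S+) (\d\d:\d\d) (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\S+)\.(\d+)$")


def parse_ts(date, time):
    return datetime.strptime(f"{ASSUMED_YEAR} {date} {time}", "%Y %b%d %H:%M")


def build_leases(dhcp_text):
    """Return {ip: [(start, end, mac), ...]} reconstructed from lease events."""
    leases, open_lease = {}, {}          # open_lease: ip -> [start, expiry, mac]
    for line in dhcp_text.splitlines():
        if not line.strip():
            continue
        date, time, event, ip, mac = line.split()
        ts = parse_ts(date, time)
        cur = open_lease.get(ip)
        if cur and ts >= cur[1]:         # earlier lease expired without a RELEASE
            leases.setdefault(ip, []).append(tuple(cur))
            del open_lease[ip]
            cur = None
        if event == "ACK":
            if cur and cur[2] == mac:    # renewal by the same client
                cur[1] = ts + LEASE_TTL
            else:
                if cur:                  # address handed to a different MAC
                    leases.setdefault(ip, []).append((cur[0], ts, cur[2]))
                open_lease[ip] = [ts, ts + LEASE_TTL, mac]
        elif event == "RELEASE" and cur and cur[2] == mac:
            leases.setdefault(ip, []).append((cur[0], ts, mac))
            del open_lease[ip]
    for ip, cur in open_lease.items():   # leases still open at end of log
        leases.setdefault(ip, []).append(tuple(cur))
    return leases


def attribute(flow_text, leases, workstation_mac):
    """Label each flow line by who held the source IP's lease at that time."""
    results = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        date, time, ip = m.group(1), m.group(2), m.group(3)
        ts = parse_ts(date, time)
        holder = next((mac for start, end, mac in leases.get(ip, [])
                       if start <= ts < end), None)
        if holder is None:
            verdict = "no-lease"           # IP in use with no lease: static config?
        elif holder == workstation_mac:
            verdict = "workstation-lease"  # consistent with the accused machine
        else:
            verdict = "other-mac"          # lease belonged to a different NIC
        results.append((line.strip(), holder, verdict))
    return results


if __name__ == "__main__":
    for line, holder, verdict in attribute(
            FLOW_LOG, build_leases(DHCP_LOG), "00:11:22:33:44:55"):
        print(f"{verdict:18} {holder or '-':18} {line}")
```

A lease match only ties the address to a MAC the server handed it to; as the replies point out, MACs can be cloned and a compromised machine generates the same entries, so this narrows the question rather than settling it.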

  10. My advice by Henry+V+.009 · · Score: 2, Interesting

    Suggestion #1: Don't ever post your problem to slashdot! They'll know you're a hacker.

    #2: Feign absolute cluelessness about how this stuff works. Find an outside expert to give a second opinion.

    #3: Call a lawyer at the first hint of legal trouble.

    #4: If you're worried about your next job, the very best thing to do would probably be to find that outside expert I mentioned, and get him to write a note describing how the incompetents at your previous job completely misinterpreted all the data and picked you as a scapegoat because they didn't want to spend money correcting the flaws in their own system. If that isn't your style, there are legal ways to go after your previous boss for wrongful termination, but I'd be surprised if that actually had a positive effect on your future career.

    1. Re:My advice by MarkusQ · · Score: 1

      Feign absolute cluelessness about how this stuff works.

      Uh, it said that his job was Unix sysadmin. This tactic might work (in fact, probably works just fine) for MSCEs, but it would be the kiss of death for him.

      -- MarkusQ

    2. Re:My advice by earlytime · · Score: 1

      obviously you haven't met the same gainfully employed, clueless unix admins that I have in my travels. you're lucky

      --

  11. What can you do? by daeley · · Score: 3, Funny

    What can you do? Hack into their network and take the lying bastards down, that's what!

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  12. Enough with the pretenses! by Wrexen · · Score: 5, Funny

    Can we just rename "Ask Slashdot" to "Ask legal advice from a bunch of non-lawyers" ? It's been a long time coming

    1. Re:Enough with the pretenses! by Anonymous Coward · · Score: 1, Funny

      Actually ask slashdot is how the lawyers figure out what to tell their clients. Notice how all the askers are anonymous ? What, you think those lawyers learn this shit in law school ? So be careful what advice you post in here, and make sure it is accurate.

  13. I know work is hard to find, but... by TheWanderingHermit · · Score: 4, Interesting

    Do you really want to be working for a company that 1) has administrators that stupid and 2) can treat employees like trash like that?

    I was talking about similar situations recently with a friend and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps reaching well over 100% of her quota regularly and the other rep wasn't even close to 100%), we realized those were jobs we originally wanted to keep, but realized (with time and distance) that we were miserable there and were working for jerks.

    I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.

    1. Re:I know work is hard to find, but... by alatesystems · · Score: 1
      I hear this a lot from people and I have been laid off a couple of times in the last couple of years. I can say this: working for jerks is better than not working when you have bills and rent to pay.

      Chris Benard

    2. Re:I know work is hard to find, but... by Anonymous Coward · · Score: 0

      Oh sure, that's what hegemonistic capitalist cabal wants you to believe...

    3. Re:I know work is hard to find, but... by Anonymous Coward · · Score: 0

      Hmmm... This reminds me of a story I read when I was younger.

  14. What you really ought to do is... by TheSHAD0W · · Score: 3, Funny

    Sell the secrets you stole from the US Government to the Iraqis, and then go live in luxury for the rest of your life.

    1. Re:What you really ought to do is... by Anonymous Coward · · Score: 0

      Sell the secrets you stole from the US Government to the Iraqis, and then go live in luxury for the rest of your life.

      Iraq?? Oh, get with the times, baby! North Korea is Where it's At! You need to recognize when opportunity has stopped knocking, boobalah, and keep up with the Jones, or the Jong Ils as it were. Neo-Stalin dictators are Out! James Bond villain wannabes are In! It's gonna be a return to jungle warfare and anti-communist sheik. Retro is in.

  15. The virus did it! by sakyamuni · · Score: 1

    Show them the article about the guy in England who got off a child-porn charge by claiming that a trojan virus on his computer downloaded all those dirty pictures...

  16. C'mon by Molina+the+Bofh · · Score: 5, Funny

    Give me a break. You are an Unix Admin. Release your inner BOFH.

    Ask THEM to go to a meeting with you, show a pile of paper and ask them:

    "Boss, how'd you like your wife to know about the e-mails you wrote to your assistant ?" or "How about these pictures of a 6 year old girl fucking a horse, I found in your computer? "

    Act like a REAL sysadmin. And don't forget to ask for a raise.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    1. Re:C'mon by AllUsernamesAreGone · · Score: 1

      Funny? Sounds more like good advice to me...

    2. Re:C'mon by Anonymous Coward · · Score: 0

      indeed...wouldve been the first thing I did after getting fired.

  17. I would take the virus approach by Koldark · · Score: 1

    If your computer was infected, it might not have been your fault. It would have been the administrators' and helpdesk's fault for not keeping the latest patches on the system.

    --
    Mike http://thenextgenerationofradio.com
    1. Re:I would take the virus approach by Anonymous Coward · · Score: 0

      Remind them that your IP address might have been assigned by DHCP to a different machine, or a different machine might have borrowed your IP address. Either of those would be easier if your machine is powered off at the time. (Do you power your machine off when you go home?) Also point out that because an intruder has been detected inside their network, your machine or any other could have been compromised. Suggest they have a professional check for machines which are being used by outsiders for attacks. If they have a record of all packets inside their LAN, packets to "your" IP address should be examined for an incoming link being used by an attacker (the attacker might be coming from another internal IP address, using your IP or machine as the final link in a chain). Also point out that an attacker could get inside the LAN if there is a wireless access point which is not properly secured. Suggest those be checked, and that a professional should look for a rogue access point in case someone installed an unauthorized one for their own convenience. Remind them that because you know that they know there has been an intruder present, any further attacks by anyone are an indication of your innocence because you are not stupid enough to have done those attacks nor any new attacks. Ask them to replace your computer with a different one, and suggest your old one either be checked for infection or be sealed for forensic examination by a professional.

  18. If they have that small of a clue.... by dacarr · · Score: 1

    ...then it may not be worth your time working for them. Seek work elsewhere, but definitely call an attorney. Just in case.

    --
    This sig no verb.
  19. How about some details? by SmallFurryCreature · · Score: 2, Interesting
    1. What kind of OS is this machine running(installing a OS X trojan on OS Y is only going to consume diskspace)?
    2. Is it accessible from the outside?
    3. What if any firewall style rules does the company use?
    4. Do other people have access to the machine in question?
    5. Do other people even know how to run it?
    6. Which ports were involved, how often? A range of ports? The example line you give could simply be you accessing the bloody website.

    Until you provide more detailed technical information about what they accuse you of doing you are just going to get a lot of IANAL advice on you being fired.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  20. DMCA is the solution by Molina+the+Bofh · · Score: 2, Funny

    Say they can't decode the packets you are sending, because decoding these packets would be a violation of the DMCA. Threaten to sue them.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  21. Recourse and Action by Anti_Climax · · Score: 1

    First, I'm not a lawyer, nor am I associated with the legal process.

    My first step in this case would be to contact a lawyer.

    Have him see if your termination is legal. I'm sure there was something in your contract to the effect "If you do something illegal or are suspected of doing something illegal..." but who knows.

    Second, if you are innocent, do everything you can to have this pursued to its ugly end. The evidence they have is circumstantial, so I wouldn't expect this to come to charges or conviction. Perhaps it can be brought to a point where they will drop it altogether, once/if they realize how stupid this accusation is.

    Being contracted, don't expect any miracles, as most people pick up contracted hires in a manner that lets them drop them whenever they decide it's in their best interest.

    --
    Even people that believe in pre-destiny look both ways before crossing the street.
  22. maybe you can help them catch the real culprit? by luigi6699 · · Score: 1

    this could be the result of too many crime movies, but... perhaps you could suggest ways to your superiors that they can verify whether or not it was you. Tell them that it wasn't you, and explain the tech side of it: people ALWAYS fake MAC and ip addresses when they hack, they don't even need physical access to do it. Say that you would really like to review the evidence with them in more detail, and could they look for other corroborating evidence. Heck, if they actually got past the Treasury firewall, the Treasury probably has lots of information about the computer that did it. 1) if the hacker was dumb, it will be his REAL machine's info 2) if he was smart, he will have spoofed the info randomly. either way, it will not match your system. point out to your employer that your system was compromised immediately before these attacks, and encourage them to investigate that compromise. i have one question though - if you KNEW that your sys was compromised, how did they get in to use it again? when i find out that i've been compromised, every password is changed, my firewall is restored from backup and my kernel is rebuilt from scratch! what were you THINKING about, in (apparently) not practicing your due diligence? best of luck getting another tech job, mebbe you should just remove the old company from your resume entirely.

    --
    **** You never REALLY learn to swear until you own a computer. ****
    1. Re:maybe you can help them catch the real culprit? by Anonymous Coward · · Score: 0

      Yeah, and maybe you can dig Perry Mason's ass up from the grave and get him to get the other suspect to confess on the stand.

      You stupid fucking piece of shit.

      Hey - know how to get an Italian woman pregnant? Come in her shoes and let the flies do the rest.

  23. They have every right to suspend your work... by Zhari · · Score: 2, Informative

    If there is a possibility that someone you employ is using facilities you provide to perform illegal activities, you might feel obligated to relieve them of access to your facilities. i doubt you could perform your job with an abacus, so the next step would be to fire you.

    --
    Hell is other people
  24. Don't flinch when you are walked into "the talk" by Anonymous Coward · · Score: 5, Insightful

    By the time you are 50 you may know better how to react in a situation like this. You really have to have been through it a couple of times, and it is hard to do the right thing as a 25 year old just knows abstractly what the right thing is. First, never be flustered (ok that's impossible) but do deny all wrongdoing. They may be "accusing" you of doing something that is perfectly innocent or a normal part of your job; so don't deny whatever it is they are waving at you, in fact offer no details whatsoever. Do immediately say you have never broken any rules, legal or company. Also say, "Sir, I am demanding a full investigation into all aspects of this." They don't really want to fully investigate, they just want to fire someone and then go on lunch break. Repeatedly ask for a full investigation, and ask for any specifics you can think of -- like an immediate shutdown of the source machine and that its hard disk be forensically preserved.

    Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affidavit and document it.

    Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though it's the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.

    What happens next? Are you bought out and retire to Tahiti? Do they hastily scramble to hire you back and get you back pay? Of course not. This is a big business so they are assholes. You'll get nothing except the grateful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.

  25. options by mugnyte · · Score: 2, Interesting
    not a comprehensive list at all, IANAL, but...

    Get a lawyer if you want to do anything.

    That said. Do something. This could haunt you.

    With your lawyer, send a certified mail letter explaining your understanding of the issue, and the possible causes

    Also explain why you need to have them follow up on this, since it involves a federal offense. They are legally required to pursue this to their complete ability since they released you over it.

    Give them a series of investigative measures they can perform to prove/disprove your possibilities for this occurrence.

    Remember to include their viewpoint in this investigation, and show how they can prove you were not the culprit

    Think of everything, the door access logs if any, the bus schedule you may have ridden, anything to prove you were somewhere else, you don't have files that made the alleged accesses, etc.

    Explain the highest probable cause: a worm scanned around for boxes to infect and your box looked like a poor hack job

    Tell them releasing you is serious enough to be illegal if they do not pursue it, since it affects your ability to hold a job in the future.

    Point to your good work done elsewhere for clients, for your agency, or their own other projects. Explain your integrity

    Await their response. Call mom and ask for lawyer dough.

    mug

  26. Game on... by (H)elix1 · · Score: 3, Informative

    First off, best to be innocent. Second, get a lawyer. Real attorneys are required to play this game properly.

    If the company is terribly illiterate when it comes to technology, it should not take much to truly scare the bejesus out of them. Get the ball moving on a wrongful termination suit. I suspect it will take nothing more than having your attorney formally request a copy of the log files. Move to negotiate, but be persistent. Most small/mid-size companies will settle rather than going the distance. They will posture, however, since they are looking for a quick brush-off. Most people will spend hours at the bar griping about how they were wronged, most never get a lawyer. Much like rebate 'programs', that is what they are counting on. You may get your job back, you may get damages - best to ask for both. Take the time once you do get your job back to find another, however... because this one is done. Exit fast...

    Hell, I've seen folks busted for robbing us blind get a year's wages for 'wrongful termination'. The mind boggles... evidence is overrated.

    1. Re:Game on... by xsbellx · · Score: 1
      First off, best to be innocent. Second, get a lawyer. Real attorneys are required to play this game properly.

      Correct items, incorrect order.

      First off, best to get a lawyer. Involving a lawyer early, before you say anything other than your name, could and often does nip this sort of thing in the bud.

      Second, best to be innocent. This is not a requirement if the first item is sufficiently skilled.
      --
      If VISTA is the answer, you didn't understand the question
  27. Lawyer by rmohr02 · · Score: 2, Informative
    If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying. (As I am now unemployed I'd very much so on a budget)
    This seems like something the EFF could help you with. I would not expect them to pay for your defense, but they would help you find someone.
  28. What to tell... by Fished · · Score: 2, Informative
    Regarding the more important question here, viz. "What do I say about THIS in an interview?", the key question is were you officially terminated, was your contract canceled, or were you asked to quit? It makes an enormous difference. If you were officially terminated, and your next employer asks, you will have to tell them the truth. If your contract was "canceled", you should just say that you "came to the end of the contract." Most interviewers will leave it there, especially in this economy. If you were asked to quit, say "I quit, for reasons I must keep confidential." If they press in either of the latter cases, you can stick to confidentiality, and maybe mention that the contract was terminated through no fault of your own.

    It is *highly* unlikely that this company will reveal anything regarding the nature of the incident to any other company. Most companies of any size have a "neutral reference policy" that allows them only to say "yes, he worked here from date x to date y." I would suggest not using your manager as a reference, but I would not suggest saying that your new employer may not contact them, since they probably won't tell anything damaging and to refuse the right to contact will damage you.

    As far as getting your job back, forget it. That's the problem with being a contractor - it's easier to get rid of you than deal with you.

    (p.s. Don't tell anybody, but I have a degree in HR -- easiest B.S. to get in a hurry -- so I'm not totally blowing smoke here, although I've never worked in the field.)

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
    1. Re:What to tell... by TC+(WC) · · Score: 1

      Easiest way to check if they'll badmouth you when a future employer checks up on your history is to just call Human Resources and pretend you're from HR at some company that's just been reviewing your resume.

    2. Re:What to tell... by Anonymous Coward · · Score: 1, Interesting

      And tape record it, just in case the lies start flowing. A standard procedure in my case. An emailed mp3 to corporate legal is usually enough to make sure they never say anything at all about you when contacted, which unfortunately isn't much better.

    3. Re:What to tell... by Anonymous+Brave+Guy · · Score: 1
      ...just call Human Resources and pretend you're from HR at some company that's just been reviewing your resume.

      Heh... I once watched a manager give a lengthy phone description of how great a former employee was, only to find after a quarter hour that he wasn't speaking to that employee's new employer, but to a different potential employer who didn't realise he'd already got a new job... Surreal conversation, though, amazing what people will say without knowing who they're speaking to...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  29. Your rights by Phronesis · · Score: 1
    In most of the United States, unless you are in a union, you have almost no rights in this situation. Except for a small number of protected categories (race, sex, religion), any other criterion, no matter how stupid, is grounds for firing you. You can fire someone for their political beliefs, their taste in music, an unsubstantiated suspicion that you are not trustworthy. Whatever.

    Hiring a lawyer would not do you any good because even if you could prove that you were innocent, the boss could still fire you because he didn't like the way you disagreed with him when he accused you of hacking the treasury.

    So long as the employer didn't use your race, religion, sex, or disability as a reason, you're SOL.

  30. First thing to do? by Wan2Be · · Score: 2, Informative

    Call your local employment commission. That's what they are there for. They do have employee advocacy people, and you've already paid for them with your taxes.

  31. But.. by skinfitz · · Score: 1

    You say your box was compromised, therefore it quite possibly WAS your box doing the hacking, but under the control of either a worm or haxx0r.

    Basically unless they have video of you actually hacking then how can they prove it was you?

    Here is a story about a guy in the UK that got arrested for allegedly downloading child porn on his machine however his machine was found to be compromised by a trojan thus getting him off the hook.

  32. Ive been twice in this situation by mnmn · · Score: 2, Funny

    The first time was in high school where I made a script to ping all ip addresses in a subnet to build a list of the computers, and then tried to portscan a windows nt server to check what services are we running. I was in no mood of cracking anything, only using legal standards-allowable things like ping to gather data and understand. I was not snooping spoofing either.

    I was called up and warned about it. I was never again to use ping, telnet, nbtstat, arping or use linux on ANY of the workstations. Yes that's true, these were the rules.

    Next was in Plattsburgh State University, where I was studying undergrad. I was naturally curious about routers (never seen one) and wanted to know the types running the campus, and the technologies behind its uplink to the Internet, and why the netbios updates seemed so slow. I started pinging around again. I portmapped a router to check its services and was promptly called up again by the technical staff, also my employer since I was working at a helpdesk. Felt like the suspicious detective extracting information. I never again used ANY standard TCPIP tool on that network. I've now a home LAN with 6+ cisco routers, 7 sun workstations, 20+ overall computers running on 3 switches using atm, fr, tr, hssi, ethernet, arcnet, adsl and 802.11b, and I can PING IT ALL I WANT!!!!!!!!!!

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Ive been twice in this situation by dr_dank · · Score: 1

      I'm sure that Hap was real happy about that /Class of '01

      --
      Where does the school board find them and why do they keep sending them to ME?
    2. Re:Ive been twice in this situation by sharkey · · Score: 2, Funny
      I was naturally curious about ... why the netbios updates seemed so slow.

      That's an easy one. It's because NetBIOS fucking sucks.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  33. Contractor. by theNote · · Score: 2, Insightful

    You were a contractor.
    This means you have 0 recourse.

    It's the same as if you suspected your exterminator of stealing.
    You just tell him his services are no longer needed.

    The exterminator can't sue you, and no reason need be given.

    Consider yourself lucky they even told you why because they didn't have to.

    Also, as a contractor, your previous client is under no restriction on giving you a bad reference.

    1. Re:Contractor. by Anonymous Coward · · Score: 0

      In this case, though, the exterminator wasn't "stealing". True, the contractual obligation may end, but the fun won't.

      More like: exterminator uses your phone to make a threatening phone call to the police department and a few bomb threats to the local airport and bank.

      Police contact you and then you "fire" the exterminator. Now what? As the homeowner, you can expect future visits from all levels of "authorities". The exterminator can as well.

      Odds are, the investigation will probably continue with or without your input.

    2. Re:Contractor. by fuzzybunny · · Score: 1


      Nonetheless, it is in your interest to try and keep your name clear as best possible. Contractors rely heavily on their reputations. Your only reference is likely to be under some sort of slander law (IANAL et al) which I could see applying if the accusations are baseless.

      If you are faced with 'formal' accusations (criminal charges, etc.), get a lawyer. Immediately. This includes being asked for a chat by _any_ law enforcement agency. Do not volunteer any information without consulting an attorney.

      If it's "simply" an internal matter, be honest, forthcoming, accurate, and don't panic. Don't overreact. Simply try to lay out to them what you were doing, what you think happened, and how you suggest technically proving your innocence. People creating baseless accusations often don't like to be proven wrong, so be careful not to put egg on anyone's face in public, at least not without having convinced a higher-up of your innocence.

      And sometimes, people just have a grudge and get pissy for no reason but to profile themselves--it's happened to me at a client site. The only thing I was able to do was to rely on my (very good) reputation with engineers and managers there, and to lay out very clearly the true events to anyone who cared to listen.

      --
      Cole's Law: Thinly sliced cabbage
  34. It's My Treas' and I Can Do What I Want To... by Anonymous Coward · · Score: 0

    I like pokin' and mappin' the USG. It's fun. It's cool. I like seeing what the |stiffs| use for defense technology and stuff. Some of the junk is like going back to a computer museum. The annals of the .gov. What's the big deal? They allow telnetting in ya know. Tons of resources. Why such a fuss? :-)

    Love,
    Raging Period

  35. Too bad, commie pinko by Anonymous Coward · · Score: 0

    This is Amurrca, and you, sir, are obviously a terrorist. Have the decency to die like your heathen scum comrades.

  36. Re:... let you know when they find real culprit by ForteTuba · · Score: 0, Flamebait

    The real culprit? You mean, like OJ?

  37. Be sure to review my case by merlyn · · Score: 4, Informative
    1. Re:Be sure to review my case by Anonymous Coward · · Score: 0

      Or don't, that's if you were innocent. Randall doesn't dispute using admin accounts at Intel for long after he worked there, and attempting to hide this.

    2. Re:Be sure to review my case by merlyn · · Score: 1

      That would be false, by the way. As many of the "hit and run" comments often are, especially posted by Anonymous Cowards.

  38. Twelve step program for people like this by Ratbert42 · · Score: 3, Informative
    1. Shut up.
    2. Shut up.
    3. Shut up.
    4. Shut up.
    5. Shut up.
    6. Shut up.
    7. Shut up.
    8. Shut up.
    9. Shut up.
    10. Shut up.
    11. Shut up.
    12. If you absolutely must (and I mean, as in the FBI shows up and wants to chat), hire a lawyer and tell them the truth about everything except how much money you have.
  39. Re:Don't flinch when you are walked into "the talk by Anonymous Coward · · Score: 2, Insightful
    Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see.

    Sorry Mr.Coward, but I am a young man, and I have never been in a situation like this. Could you please explain further how this would help you? Are you banking on them not having any copies of the supposedly incriminating documents? Seems like a foolish thing to gamble on. Are you just trying to create confusion along with your departure? You do understand how awkward this thing would be - it would make you look like a lunatic, and the people involved might be able to claim you are a criminal, stealing the documents or something.

    Now, supposing they furnished you with all these documents, I can see how you would only look a little unreasonable (no point being reasonable if you're being fired for something ludicrous anyway) if you didn't give them back.

    Assume I am very inexperienced. Everything up to taking the documents made sense to me. I'm guessing, is the reason for doing that is simply to create fear at the company, some sort of legal uncertainty, that will make them unwilling to take any further action on the matter? Might work, but then again, sounds like you are escalating the situation, a bold strategy, since I would expect (but do not know for sure) that a large organization could escalate things far beyond what you ever could. Whether they would want to is another matter - perhaps that is the idea here, but the document taking is a bit counterintuitive.

    Finally, have you done this, taken documents from an interview where you were being fired while being accused of something silly? Or was there just one specific situation you got into where this would have helped? Frankly, the documents idea sounds a little shady, and everything past that sounds almost like wishful thinking, trying to skunk them or something.

    I guess some sort of skunking would be in order if you wanted them not to ever bother you again. But if they thought you were crazy and out to get them, they would want you in jail, I guarantee.

  40. Maybe I should hack for you by Anonymous Coward · · Score: 0

    Visit a website... Inadvertently download a program that hacks into the treasury for you, without your knowledge! It sets a flag in their computer with your web address. You're busted. Tough luck! Prove it! Something a coward would do...or is it?

  41. I was lucky... by timjones · · Score: 1
    I once worked a contract for a subsidiary of a large company, who was located in the same building as its parent, and shared common infrastructure (IP network and phones, etc). The "IT" people of the parent company saw some goofy stuff coming from my PC, and went to the subsidiary's VP of IS (who was a former tech and who I got along with GREAT). They told him that I was tracking to hack into their network, and had similar logs showing me trying some 'funny stuff' from my IP address.

    The VP of IS, however, handled it as well as I could have asked for: he asked me if I had done anything unusual on that PC on that day, and in fact, I had. I had just downloaded and tried out Microsoft's Services for Unix package (an early beta), which had, (among other things) NFS browsing and mounting.

    He asked for me to put that package through its paces again, while he watched, AND had those IT people monitoring their logs in real time. The 'alarming' entries were simply attempts to NFS mounts to servers that did not have my PC in their /etc/exportfs file (without such entries, you do NOT get access). I fired up the program, went through everything I could, and immediately gave the IT snoops a second heart attack.

    I was off the hook immediately because I was able to replicate the scary log entries at will, and show that they were done with a widely available piece of Microsoft code.

    I was fully exonerated, and both my bodyshop-manager AND the VP of IP were impressed that I, firstly, did not panic, and second, that I knew my technical material like the back of my hand.

    I do realize, of course, that I was lucky to have my client's VP on my side AND with clue. Your mileage will probably come up short. :-(

    That was also the last time I tried any new Microsoft software (not even safe to try!)

  42. What do they have by Stonefish · · Score: 2, Insightful
    In Australia if they would like to proceed with this they have to link the alleged attacks with you. Do your homework, see a lawyer. Some things that I would look at:
    • Does your workplace have video surveillance?
    • If so is it admissible? Look for Big signs and entries in your employment contract
    • Do they have any evidence linking you to the events? These are things like auditing on wherever you're logging in, backups and archives that incorporate these audit logs, arpwatch also with an appropriate audit trail.
    • Do they have a recording of the attacks? Think tcpdump.
    • Have the remote sites been able to substantiate the events as attacks or are they false alarms (false positives)?
    • Have they been able to link your os as the source of the attack, ie did they find nessus etc on your PC?

    Cases like this are extremely hard to prosecute even when you have a good chain of events, to maximise your chances at prosecution you should be able to show that you do this on a regular basis and archive previous logs, that the logs are kept in a secure environment etc. I have helped create environments where this type of charge will stick. Things may differ depending on your country of origin however most of the time key points remain.
  43. Advice & Sympathy by bwt · · Score: 3, Informative

    I've been in a similar situation: contractor (military, no less) wrongly accused, had to leave the site, wasn't sure if I'd have a job, etc...

    The advice I can give you is:
    1) Cooperate fully. Be honest. Be forthcoming.
    2) Deny clearly, forcefully, politely wrongdoing
    3) Remind them that the world is full of black hat hackers, some of whom have tremendous skill.
    4) Ask them how to clear your name and how you can help achieve that.
    5) Remind them of your benefit to the organization -- accomplishments etc.
    6) Tell them you understand this needs a full investigation. Tell them you have confidence in them to gather the evidence that will clear you.
    7) Remind them that a false positive might be them next time.

    Some advice on your specific question:

    1) Do you know what you were doing at that particular time? Were you in a meeting? On the phone? Using another machine? Find proof: coworkers at the same meeting, phone records. Look at file timestamps. If one of the offending timestamps occurs in a period where you can prove you weren't using the computer, you are cleared.

    2) Ask for network logs connecting to your machine. If this is a normal PC, there should be any from strange places. If there are, that was the bad guy, not you. If they don't have such logs, point out that keeping logs is critical for clearing the innocent and exposing the criminal.

    3) If you are on a Unix box, ask that chkrootkit be run to identify if you've been hacked and had a rootkit installed. Hackers often install rootkits to avoid detection and this program finds them.

  44. Re:Don't flinch when you are walked into "the talk by bitMonster · · Score: 3, Informative

    It is so that you can have copies of the exact documents that they are using to accuse you. His point, I believe, is that these documents may be very difficult to get in a legal proceeding, particularly if it's bogus.

  45. Re:Don't flinch when you are walked into "the talk by Anonymous Coward · · Score: 0

    They can't change their story later if you have copies of the so-called documentation. You'll want that paperwork if things wind up in court. Trying to get it in discovery could cost zillion$ if the company resists.

  46. A similar case by geoswan · · Score: 1
    The computer virus myths page has a sidebar that addresses a similar case that had a happy ending.

    Similar? Shoddy and incompetent investigation by the fired employee's superiors.

    The whole vmyths.com site is extremely interesting. Funny too. I highly recommend it.

  47. ANAL by isorox · · Score: 1

    IANAL, and I suggest you see one

  48. ...But to fire you is different. by Anonymous+Brave+Guy · · Score: 1
    If there is a possibility that someone you employ is using facilities you provide to perform illegal activities, you might feel obligated to relieve them of access to your facilities.

    That is a reasonable precautionary measure, which is OK.

    i doubt you could perform your job with an abacus, so the next step would be to fire you.

    That is making someone guilty until proven innocent, which is not OK.

    The implications for someone's career if they're fired for even possibly doing something like this -- whether or not they actually did it -- are very bad.

    I don't work as a contractor in the US, so I'm not familiar with how much information can/must be disclosed when someone's contract is terminated there. If the guy can just say that his contract was up and he's moving on, he might have a case for wrongful dismissal (or not) but that's probably about it; no harm, no foul.

    If, OTOH, this guy's professional reputation suffers as a result of the company's actions, for example if the company tells some potential future employer that they fired him for cracking, then there should be grounds for a defamation case and some compensation in line with lost income. Of course, whether the legal system recognises the reality is a different question entirely...

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  49. Looks like those bubba sysadmins can't do their jo by bigmoosie · · Score: 0

    IANAL etc etc etc but ...
    1. Contact your legal counsel. Several People have posted where to find some decent ones.
    2. Keep track of every second spent since you were terminated. Now that you are without a job, unfairly terminated & unpaid you need to find a way to get paid for your time involved in getting a new job.
    Remember every second during your 8 or 9 hour day is accountable at the rate they were paying you. How long does it take you to read every single comment from the /. community? That's time as well. And don't forget if you get paid for vacations & you have to earn it ... the time in between is also time earned for vacation.
    3. See if you can get your hands on the contractual terms with that company & all their computer use policies. Review them. See if you can get your hard drive & their logs for outside review. IF they won't then take them to court. They fired you and didn't give you enough substantiated information in regards to their policies. The best thing that can happen is they wiped your hard drive clean. They deleted every bit of your logs. Then they just opened themselves up for a big big suit. They did not keep these at all ... how do you know that they even had them to begin with?

    Once it is all said & done they will reinstate your job for 1 month & allow you to resign & leave the company on good terms so you can then go pursue other career choices. All the lost time & the fact of being fired has caused you great emotional & financial harm. Your job suited your life style & now you can't get a job of equal pay to suit the life style. They must pay you for the next 12 months along with full benefits etc etc. Take them for all they're worth.

    IMHO

    ~ryan

  50. Trinity, is that you? by Takehiko · · Score: 1

    "Trinity. The Trinity? That cracked the IRS dbase? Jesus."
    "What?"
    "I just thought um... you were a guy."
    "Most guys do."

  51. Re:Don't flinch when you are walked into "the talk by Hatta · · Score: 1

    In the US we have the constitutional right to be confronted with our accuser as well as all evidence against us. It may be hard to get evidence in a grand jury hearing, but at a trial secret evidence is grounds for a mistrial.

    --
    Give me Classic Slashdot or give me death!
  52. don't accuse me! by Anonymous Coward · · Score: 0
    Actually ask slashdot is how the lawyers figure out what to tell their clients.

    How do you know I am a lawyer? You can't prove it! I will sue you for false accusations!!! I know exactly how to do take legal action agains you!!


    Ask Slashdot:

    When Wrongfully Accused of being a Lawyer, What can you do?

    1. Re:don't accuse me! by QEDog · · Score: 1
      I know exactly how to do take legal action agains you!!*

      *Actual lawyer's spelling and grammar?

      --
      "There is no teacher but the enemy."-Mazer Rackham
  53. No Evidence by quinkin · · Score: 1
    No Evidence = Wrongful Termination.

    Be careful of contractual obligations, but be aware that you cannot sign over your first born child - doesn't matter if your John Hancock is on it.

    In Oz you can sue for lost income in the period, including any income potentially earnt if your reputation had not been impugned.

    Basically - they have not taken even a modicum of "due care" in the collection of this "evidence".

    Your PC should have been quarantined and audited by a security professional, the firewall logs (all of them DHCP etc., not just the access logs) should have been readonly archived and analysed, and statements should have been taken by every person involved in the creation, maintenance, and analysis of said logs.

    Without some or all of this information it is not allowed to even proceed to civil court in Oz.

    Hence it is merely a wrongful termination as others have said.

    Q.

    --
    Insert Signature Here
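
The DHCP cross-check the comment above asks for, as an added example that is not part of the thread: each line in the log format quoted in the question is matched against the lease history to see which machine, if any, held the source IP at that minute. The port numbers, the lease file layout, the host names, the MAC addresses and the year are all constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

ASSUMED_YEAR = 2003  # assumption: the quoted log format carries no year

# Constructed sample in the format quoted in the question:
# 'Aug1 11:27 10.1.0.56.port -> treas.gov.port' (port numbers are made up).
FIREWALL_LOG = """\
Aug1 09:15 10.1.0.56.3312 -> treas.gov.80
Aug1 11:27 10.1.0.56.3390 -> treas.gov.80
Aug1 19:30 10.1.0.56.3401 -> treas.gov.23
"""

# Constructed DHCP lease history: ip,mac,hostname,lease_start,lease_end.
# The column layout is hypothetical; MACs use the documentation range.
LEASE_CSV = """\
10.1.0.56,00:00:5e:00:53:01,ws-alpha,2003-08-01 08:02,2003-08-01 10:45
10.1.0.56,00:00:5e:00:53:02,ws-bravo,2003-08-01 10:50,2003-08-01 18:50
10.1.0.57,00:00:5e:00:53:01,ws-alpha,2003-08-01 10:47,2003-08-01 18:47
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s*(?P<day>\d{1,2}) (?P<hm>\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\d+)$"
)


def parse_firewall(text):
    """Parse log lines; refuse malformed ones rather than drop evidence."""
    events = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n} not in expected format: {line!r}")
        when = datetime.strptime(
            f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['hm']}",
            "%Y %b %d %H:%M",
        )
        events.append({"when": when, "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return events


def parse_leases(text):
    """Parse the constructed lease history into dicts with datetimes."""
    fmt = "%Y-%m-%d %H:%M"
    leases = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ip, mac, host, start, end = row
        leases.append({"ip": ip, "mac": mac.lower(), "host": host,
                       "start": datetime.strptime(start, fmt),
                       "end": datetime.strptime(end, fmt)})
    return leases


def attribute(events, leases):
    """Pair each event with every lease covering its source IP and time.

    An empty list means no lease explains the traffic (static or spoofed
    address, or a gap in the DHCP records); more than one means the
    records conflict. Neither supports naming a single machine.
    """
    results = []
    for ev in events:
        holders = [l for l in leases
                   if l["ip"] == ev["src"]
                   and l["start"] <= ev["when"] < l["end"]]
        results.append((ev, holders))
    return results


def macs_seen_for(ip, leases):
    """All MAC addresses that held this IP at any point in the history."""
    return {l["mac"] for l in leases if l["ip"] == ip}


if __name__ == "__main__":
    leases = parse_leases(LEASE_CSV)
    for ev, holders in attribute(parse_firewall(FIREWALL_LOG), leases):
        who = ", ".join(f"{h['host']} ({h['mac']})" for h in holders)
        print(ev["when"], ev["src"], "->", ev["dst"], ev["dport"],
              "|", who or "NO LEASE ON RECORD")
    print("MACs that held 10.1.0.56:", sorted(macs_seen_for("10.1.0.56", leases)))
```

In the constructed data the same source IP resolves to two different machines on the same day and to no lease at all for the last entry, which is why the IP column alone does not identify a workstation.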
  54. And the SysAdmin in all this was... where? by LittleGuy · · Score: 1

    I'm reading this and it appears you were just Joe Peon User. Was the SysAdmin in on all this, or did Upper Management just grab the data and started to make assumptions?

    Whether or not this has a direct impact on your case, the security (or lack thereof) of your system is the responsibility of, well, the System Administrator. If s/he has such a weak security system in place, my suspicions would fall upon him/her/it, either for ineffectiveness, or at worst, nefarious purposes (hack and blame the user).

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  55. Re:Don't flinch when you are walked into "the talk by Anonymous Coward · · Score: 0
    What you missed is that you tell them that you know that they have other copies of the evidence or can print more from the records. You need a copy for your lawyer and a copy to give to the police for evidence. You need a copy immediately so you can reduce the chance of the intruder altering the information or altering the company's filed copies of the evidence.

    When you leave, go directly to a lawyer. If you don't have a lawyer, go to the nearest one. They can suggest how you can protect the evidence or which nearby lawyer can handle your type of case.

    If you feel the need to do something yourself, go to the nearest place where you can buy a camcorder which runs off normal batteries (you don't have time to charge a battery pack). Buy several tapes. Begin recording immediately, tell it the date, time (point camera at your watch and car clock), and location. Say you're going to copy the evidence and secure it and that you are making the video to support your part of the chain of evidence.

    Leave the camera recording as you drive to a copy shop, and as you make copies of all the pages, and as you take the originals and one copy to a safety deposit box.

    Keep recording while you take two more copies to your lawyer (one for him, one in case he wants to give a copy to an investigator -- cheaper for you to copy than for him to have to make another copy). Tell his receptionist you are recording, and that if you have to wait you'll be just outside so you can avoid recording anything in the office. When the lawyer is ready for you, stop recording so if the tape is given to police you won't give up any of your lawyer-client confidentiality.

  56. Money, Money, Money by Anonymous Coward · · Score: 0

    Have your lawyer ask them to immediately agree to pay your legal expenses and to continue to pay you until you get an equivalent job, because this will reduce their expenses if you take them to court or if they want you to join them in their case against the attacker. It is your duty to reduce the losses, both your losses and their losses.

  57. Anti-hack by Lost+Penguin · · Score: 0

    Call the Treasury, call any other org. you remember from the logs, tell the story to them, and that there is still a hacker after them from the x-company.

    Ask if your x-managers contacted them yet.
    If the managers did not, ask the Treasury to investigate the matter.

    The logs you were shown were probably completely bogus, they needed to lose an employee, and you were elected for removal.
    The boss's son was probably next in the line for a layoff.

    --
    I am the unwilling control for my Origin.
  58. Technical ideas by ralatalo · · Score: 1

    First thing I would do is ask them if they logged any of the MAC addresses or just IP addresses. I would also ask them if they have any other logs from the same timeframe showing connections from that IP address to any other systems, and if those systems support user logging, do they have the associated logs. (check mail servers, samba, etc.) Also, check DHCP logs, some OSs renew leases more often than required.

    It's easy to quietly steal/borrow an IP address that isn't being used, but if it's being used it can create a lot of logs on routers and servers that consistently get messages about IP address conflicts. In either case, any records of MAC addresses from the same time frame will hopefully tie it back to the actual machine using it. (I say hopefully because MAC addresses can be faked but that would be a whole lot of extra work to do it)

    Also, if someone borrowed your IP address and wasn't careful (or was lazy) they may have continued to check e-mail or access other networked resources, maybe even logging into a unix system from the borrowed IP address using their own account.

    If your system normally checks/renews the DHCP lease every hour (unlikely, more like 4 hours) and there is a gap in checking then it could indicate that your machine was down. Also, if you leave your e-mail up and it checks mail every 10 minutes during the day/night and there is a gap there, it could also indicate your machine was down.

    In short there isn't any one big item, but a lot of small things that can be pulled together. This could all also be used against you if they all seem to point back to your machine, but you might also want to ask if they have checked your machine for backdoors or viruses, etc...

    It worked for against the child porn rap (twice).

    Probably the best advice is ask them to keep you informed of their investigation and ask them for a letter clearing you as soon as they actually do clear you. Also, ask them what kind of reference you can expect before they actually do clear you.
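
An added example, not part of the comment above or of the original thread: a sketch of the DHCP-lease correlation it describes, answering for each firewall entry which MAC address actually held the lease on the source IP at that moment, and listing gaps in one machine's renewals. The log formats, the MAC address, the timestamps and the 4-hour lease length are all constructed assumptions; only the address 10.1.0.56 comes from the submitter's quoted log line.

```python
from datetime import datetime, timedelta

LEASE = timedelta(hours=4)  # assumed lease length; read the real one from the DHCP server config

# Constructed sample data, not taken from any real log.
DHCP_LOG = """\
2003-08-01T03:00:00 DHCPACK 10.1.0.56 00:a0:c9:11:22:33
2003-08-01T05:00:00 DHCPACK 10.1.0.56 00:a0:c9:11:22:33
2003-08-01T13:30:00 DHCPACK 10.1.0.56 00:a0:c9:11:22:33
"""
FIREWALL_LOG = """\
2003-08-01T06:10:00 10.1.0.56
2003-08-01T11:27:00 10.1.0.56
"""

def parse_dhcp(text):
    """Return sorted (time, ip, mac) tuples for every DHCPACK line."""
    acks = []
    for line in text.splitlines():
        ts, event, ip, mac = line.split()
        if event == "DHCPACK":
            acks.append((datetime.fromisoformat(ts), ip, mac.lower()))
    return sorted(acks)

def holder_at(acks, ip, when):
    """MAC whose lease on `ip` covers `when`, or None if no lease was live."""
    live = [(t, mac) for t, a, mac in acks if a == ip and t <= when < t + LEASE]
    return max(live)[1] if live else None

def renewal_gaps(acks, mac, expected=LEASE / 2):
    """Intervals where `mac` went well past the `expected` renewal time between ACKs."""
    times = [t for t, _, m in acks if m == mac]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > expected * 1.5]

def attribute(fw_text, acks):
    """Map each firewall event to the lease holder at that moment."""
    out = []
    for line in fw_text.splitlines():
        ts, ip = line.split()
        when = datetime.fromisoformat(ts)
        out.append((ts, ip, holder_at(acks, ip, when)))
    return out

if __name__ == "__main__":
    acks = parse_dhcp(DHCP_LOG)
    for ts, ip, mac in attribute(FIREWALL_LOG, acks):
        print(ts, ip, mac or "NO LIVE LEASE: address in use without a DHCP lease")
    for a, b in renewal_gaps(acks, "00:a0:c9:11:22:33"):
        print("renewal gap:", a, "->", b)
```

In the constructed data the 11:27 entry falls inside a renewal gap with no live lease on the address, which is the kind of inconsistency that needs MAC-level records (switch or ARP tables) to resolve.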

  59. What to do? by Anonymous Coward · · Score: 0

    Call Johnnie Cochran! And pray. :-P

  60. Re by Anonymous Coward · · Score: 0

    Looking at Eyeball Network [eyeball.com],