Slashdot Mirror


When Wrongfully Accused of Hacking, What Can You Do?

justin asks: "Earlier this week, when I went into work, I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why, but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse; I was just left high and dry, accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?' This seems rather silly to me since you'd think such things would be investigated before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."

"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).

I now have the following questions:

  1. What experiences have other people had that relate to this, and what course of action, if any, did they take in response?
  2. I know the laws aren't very sympathetic when it comes to people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy. What experiences have people had in a similar situation?
  3. If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying? (As I am now unemployed I'm very much on a budget)
  4. What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
I'm primarily self-taught and with a little less than 3 years experience as a Unix Admin and doing system programming, it is hard enough for me to get a job as it is, never mind with accusations that I was out trying to hack the government on my last job.

Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."

20 of 105 comments

  1. Have them let you know when they find real culprit by Anonymous Coward · · Score: 3, Insightful

    Do so in a friendly manner. Make sure you understand that they are just covering their asses. And when you have something from them in writing that they fired you based upon false information, sue them into oblivion. Talk to a lawyer about whether DHCP makes logs entirely unreliable.

  2. All together now: by Elwood+P+Dowd · · Score: 3, Insightful

    Call a lawyer!

    Sure, we might be able to give you some interesting technical advice, but that will have absolutely nothing to do with your situation, which is entirely legal in nature.

    Legal issue -> Lawyer
    Nerd issue -> Slashdot

    Is this primarily a nerd issue? NO! Call a lawyer.

    Call a lawyer? Call a lawyer. Call a lawyer.

    --

    There are no trails. There are no trees out here.
    1. Re:All together now: by PD · · Score: 5, Funny

      Call a lawyer? Call a lawyer. Call a lawyer.

      Sung to the tune of "If you're happy and you know it"

    2. Re:All together now: by Anonymous Coward · · Score: 4, Funny

      Or perhaps to the tune of "Oh my darlin' (Clementine)"

      Call a lawyer, Call a lawyer, Call a lawyer or you're screwed.
      You've been axed, but aren't in prison,
      getting f**ked by some large dude.

      ...

    3. Re:All together now: by rmohr02 · · Score: 3, Informative

      Well, he does ask where he could find a lawyer that would actually understand the issues. I would recommend contacting the EFF--they should be able to put him in contact with a knowledgeable lawyer.

  3. You Want the truth? by His+name+cannot+be+s · · Score: 5, Funny

    You: You want answers?

    Them: I think I'm entitled to them.

    You: You want answers?

    Them: I want the truth!

    You: You can't handle the truth! Son, we live in a world that has firewalls. And those firewalls have to be guarded by men with keyboards. Who's gonna do it? You? You, Lt. Weinberg? I have a greater responsibility than you can possibly fathom. You weep for the Treasury Department and you curse the Hackers. You have that luxury. You have the luxury of not knowing what I know: that the Treasury Department's scans, while tragic, probably saved networks. And my existence, while grotesque and incomprehensible to you, saves networks... You don't want the truth. Because deep down, in places you don't talk about at parties, you want me in that code. You need me in that code.

    We use words like hack, root, pwnzz...we use these words as the backbone to a life spent defending something. You use 'em as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, then questions the manner in which I provide it! I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a manual and stand a terminal. Either way, I don't give a damn what you think you're entitled to!

    Them: Did you scan the network?

    You: I did the job you sent me to do.

    Them: Did you scan the network?

    You: You're goddamn right I did!!

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  4. even if innocent, you need a lawyer! by josephgrossberg · · Score: 3, Insightful

    Now that you're fired, they might mistakenly consider the case closed. If the "real hacker" (e.g. a coworker) got wind of this, and stops doing so, they will likely assume they got the right guy when they accused you.

    Second of all, why would you assume it stops here? They may have contacted law enforcement authorities, and you might need to do some preparation to get your stuff together. Even if you're charged with something you didn't do, you'll need to mount a defense.

  5. IANAL, but by rritterson · · Score: 4, Interesting

    I don't see much that you could do. You could sue for wrongful termination if you want your job back, but not much else.

    My first thought is- of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected to those websites if the machine you normally use keeps a log (a normal web history is probably not sufficient in this case).

    Regarding what to tell your next employer- I'd recommend one of the following- A) Either be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.

    If the company brings charges against you, immediately subpoena your HDD and the logs they used against you. In those lie your best defense. Again, IANAL, but the evidence the company has is not even good enough to be called circumstantial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.

    A final thought occurred to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
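The DHCP correlation suggested in the comment above, sketched as an added example that is not part of the original thread: it matches each event line (in the format quoted in the question) against a lease history to see which MAC address held the source IP at that moment. The lease export format, the MAC addresses, the port numbers and the year are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed lease history: start,end,ip,mac (hypothetical export format).
LEASES = """\
2003-08-01 08:02,2003-08-01 10:45,10.1.0.56,00:11:22:33:44:55
2003-08-01 10:50,2003-08-01 12:30,10.1.0.56,de:ad:be:ef:00:01
2003-08-01 12:31,2003-08-01 18:00,10.1.0.56,00:11:22:33:44:55
"""
# Constructed events in the log format quoted in the question (ports invented).
EVENTS = """\
Aug1 09:15 10.1.0.56.3312 -> treas.gov.80
Aug1 11:27 10.1.0.56.4021 -> treas.gov.135
Aug1 19:40 10.1.0.56.4100 -> treas.gov.135
"""

EVENT_RE = re.compile(
    r"^([A-Z][a-z]{2})\s*(\d{1,2}) (\d{2}:\d{2}) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\S+)\.(\d+)$")
FMT = "%Y-%m-%d %H:%M"

def parse_leases(text):
    """Return (start, end, ip, mac) tuples from the constructed lease export."""
    leases = []
    for line in filter(str.strip, text.splitlines()):
        start, end, ip, mac = line.strip().split(",")
        leases.append((datetime.strptime(start, FMT),
                       datetime.strptime(end, FMT), ip, mac.lower()))
    return leases

def parse_event(line, year):
    """Parse one event line; the log carries no year, so it is supplied."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    mon, day, hhmm, src, _sport, dst, _dport = m.groups()
    when = datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")
    return when, src, dst

def attribute(events_text, leases, year, known_mac):
    """Label each event by which MAC held the source IP when it happened."""
    results = []
    for line in events_text.splitlines():
        ev = parse_event(line, year)
        if ev is None:
            continue
        when, src, _dst = ev
        macs = {mac for s, e, ip, mac in leases if ip == src and s <= when <= e}
        if not macs:
            verdict = "no-lease"      # IP in use without a lease: set by hand?
        elif macs == {known_mac.lower()}:
            verdict = "known-mac"     # a MAC can be cloned, so not proof alone
        else:
            verdict = "other-mac"     # a different adapter held the address
        results.append((when.strftime(FMT), src, sorted(macs), verdict))
    return results
```

An event that falls outside every lease points to a statically configured address, which is the scenario the question raises; a match on the known MAC still has to be weighed against cloning, as the comment notes.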
  6. What can you do? by daeley · · Score: 3, Funny

    What can you do? Hack into their network and take the lying bastards down, that's what!

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  7. Re:Pre-Paid Legal by uncoveror · · Score: 3, Funny

    If you want to have the people who wrongly accused you taught a lesson, or even rubbed out, I recommend Pre-Paid Illegal Services. They'll make your accuser an offer he can't refuse.

    --
    The Uncoveror: It's the real news.
  8. Enough with the pretenses! by Wrexen · · Score: 5, Funny

    Can we just rename "Ask Slashdot" to "Ask legal advice from a bunch of non-lawyers" ? It's been a long time coming

  9. I know work is hard to find, but... by TheWanderingHermit · · Score: 4, Interesting

    Do you really want to be working for a company that 1) has administrators that stupid and 2) can treat employees like trash like that?

    I was talking about similar situations recently with a friend and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps reaching well over 100% of her quota regularly and the other rep wasn't even close to 100%), we realized those were jobs we originally wanted to keep, but realized (with time and distance) that we were miserable there and were working for jerks.

    I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.

  10. What you really ought to do is... by TheSHAD0W · · Score: 3, Funny

    Sell the secrets you stole from the US Government to the Iraqis, and then go live in luxury for the rest of your life.

  11. C''mon by Molina+the+Bofh · · Score: 5, Funny

    Give me a break. You are a Unix Admin. Release your inner BOFH.

    Ask THEM to go to a meeting with you, show a pile of paper and ask them:

    "Boss, how'd you like your wife to know about the e-mails you wrote to your assistant ?" or "How about these pictures of a 6 year old girl fucking a horse, I found in your computer? "

    Act like a REAL sysadmin. And don't forget to ask for a raise.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  12. Don't flinch when you are walked into "the talk" by Anonymous Coward · · Score: 5, Insightful

    By the time you are 50 you may know better how to react in a situation like this. You really have to have been through it a couple of times, and it is hard to do the right thing as a 25 year old just knows abstractly what the right thing is. First, never be flustered (ok that's impossible) but do deny all wrongdoing. They may be "accusing" you of doing something that is perfectly innocent or a normal part of your job; so don't deny whatever it is they are waving at you, in fact offer no details whatsoever. Do immediately say you have never broken any rules, legal or company. Also say, "Sir, I am demanding a full investigation into all aspects of this." They don't really want to fully investigate, they just want to fire someone and then go on lunch break. Repeatedly ask for a full investigation, and ask for any specifics you can think of -- like an immediate shutdown of the source machine and that its hard disk be forensically preserved.

    Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affidavit and document it.

    Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though it's the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.

    What happens next? Are you bought out and retire to Tahiti? Do they hastily scramble to hire you back and get you back pay? Of course not. This is a big business so they are assholes. You'll get nothing except the grateful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.

  13. Game on... by (H)elix1 · · Score: 3, Informative

    First off, best to be innocent. Second, get a lawyer. Real attorneys are required to play this game properly.

    If the company is terribly illiterate when it comes to technology, it should not take much to truly scare the bejesus out of them. Get the ball moving on a wrongful termination suit. I suspect it will take nothing more than having your attorney formally request a copy of the log files. Move to negotiate, but be persistent. Most small/mid-size companies will settle rather than going the distance. They will posture, however, since they are looking for a quick brush-off. Most people will spend hours at the bar griping about how they were wronged, most never get a lawyer. Much like rebate 'programs', that is what they are counting on. You may get your job back, you may get damages - best to ask for both. Take the time once you do get your job back to find another, however... because this one is done. Exit fast...

    Hell, I've seen folks busted for robbing us blind get a year's wages for 'wrongful termination'. The mind boggles... evidence is overrated.

  14. Be sure to review my case by merlyn · · Score: 4, Informative
  15. Twelve step program for people like this by Ratbert42 · · Score: 3, Informative
    1. Shut up.
    2. Shut up.
    3. Shut up.
    4. Shut up.
    5. Shut up.
    6. Shut up.
    7. Shut up.
    8. Shut up.
    9. Shut up.
    10. Shut up.
    11. Shut up.
    12. If you absolutely must (and I mean, as in the FBI shows up and wants to chat), hire a lawyer and tell them the truth about everything except how much money you have.
  16. Advice & Sympathy by bwt · · Score: 3, Informative

    I've been in a similar situation: contractor (military, no less) wrongly accused, had to leave the site, wasn't sure if I'd have a job, etc...

    The advice I can give you is:
    1) Cooperate fully. Be honest. Be forthcoming.
    2) Deny clearly, forcefully, politely wrongdoing
    3) Remind them that the world is full of black hat hackers, some of whom have tremendous skill.
    4) Ask them how to clear your name and how you can help achieve that.
    5) Remind them of your benefit to the organization -- accomplishments etc.
    6) Tell them you understand this needs a full investigation. Tell them you have confidence in them to gather the evidence that will clear you.
    7) Remind them that a false positive might be them next time.

    Some advice on your specific question:

    1) Do you know what you were doing at that particular time? Were you in a meeting? On the phone? Using another machine? Find proof: coworkers at the same meeting, phone records. Look at file timestamps. If one of the offending timestamps occurs in a period where you can prove you weren't using the computer, you are cleared.

    2) Ask for network logs connecting to your machine. If this is a normal PC, there should be any from strange places. If there are, that was the bad guy, not you. If they don't have such logs, point out that keeping logs is critical for clearing the innocent and exposing the criminal.

    3) If you are on a Unix box, ask that chkrootkit be run to identify if you've been hacked and had a rootkit installed. Hackers often install rootkits to avoid detection and this program finds them.

  17. Re:Don't flinch when you are walked into "the talk by bitMonster · · Score: 3, Informative

    It is so that you can have copies of the exact documents that they are using to accuse you. His point, I believe, is that these documents may be very difficult to get in a legal proceeding, particularly if it's bogus.