When Wrongfully Accused of Hacking, What Can You Do?
justin asks: "Earlier this week, I went into work and was met at my desk by upper management; they wanted to meet with me. I was not sure as to why but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse, I was just left high and dry accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?' This seems rather silly to me since you'd think such things would be investigated, before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."
"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).
I now have the following questions:
- What experiences have other people had that relate to this, and what course of action, if any, did they take in response?
- I know the laws aren't very sympathetic when it comes to people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy. What experiences have people had in a similar situation?
- If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying? (As I am now unemployed I'm very much so on a budget)
- What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."
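The attribution gap the question describes, as an added example that is not part of the original post: it parses lines in the quoted log format and checks which MAC address held the DHCP lease for the source IP at each event. The sample log lines, the lease-history layout, the MAC addresses and the year are all constructed assumptions.

```python
import re
from datetime import datetime

YEAR = 2003  # assumption: the quoted log format carries no year

# Constructed sample lines in the format quoted in the post.
FLOW_LOG = """\
Aug1 11:27 10.1.0.56.4312 -> treas.gov.80
Aug1 11:41 10.1.0.56.4377 -> treas.gov.443
Aug1 14:05 10.1.0.56.1029 -> treas.gov.80
"""

# Constructed DHCP lease history: (ip, mac, lease start, lease end).
LEASES = [
    ("10.1.0.56", "00:0c:29:aa:bb:01", "Aug1 08:00", "Aug1 11:30"),
    ("10.1.0.56", "00:0c:29:aa:bb:02", "Aug1 11:35", "Aug1 13:00"),
]

LINE = re.compile(
    r"^(\w{3})(\d{1,2}) (\d{2}:\d{2}) (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\S+)\.(\d+)$")

def ts(text):
    """Parse an 'Aug1 11:27' style stamp; the year is supplied by assumption."""
    m = re.match(r"(\w{3})(\d{1,2}) (\d{2}:\d{2})", text)
    return datetime.strptime(f"{YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M")

def parse_flows(log):
    """Yield (timestamp, source ip, 'dest:port') for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield ts(line), m[4], f"{m[6]}:{m[7]}"

def attribute(log=FLOW_LOG, leases=LEASES):
    """For each flow, name the single MAC whose lease covered the source IP,
    or report 'unattributed' (no lease) / 'ambiguous' (overlapping leases)."""
    out = []
    for when, ip, dst in parse_flows(log):
        macs = [mac for lip, mac, start, end in leases
                if lip == ip and ts(start) <= when <= ts(end)]
        verdict = macs[0] if len(macs) == 1 else (
            "ambiguous" if macs else "unattributed")
        out.append((when.isoformat(), ip, dst, verdict))
    return out

if __name__ == "__main__":
    for row in attribute():
        print(*row)
```

A lease match only shows which machine was assigned the address; as the post notes, without link-layer data it cannot rule out another host configuring the same IP by hand.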
You: You want answers?
Them: I think I'm entitled to them.
You: You want answers?
Them: I want the truth!
You: You can't handle the truth! Son, we live in a world that has firewalls. And those firewalls have to be guarded by men with keyboards. Who's gonna do it? You? You, Lt. Weinberg? I have a greater responsibility than you can possibly fathom. You weep for the treasury department and you curse the Hackers. You have that luxury. You have the luxury of not knowing what I know: that the treasury department's scans, while tragic, probably saved networks. And my existence, while grotesque and incomprehensible to you, saves networks... You don't want the truth. Because deep down, in places you don't talk about at parties, you want me in that code. You need me in that code.
We use words like hack, root, pwnzz...we use these words as the backbone to a life spent defending something. You use 'em as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, then questions the manner in which I provide it! I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a manual and stand a terminal. Either way, I don't give a damn what you think you're entitled to!
Them: Did you scan the network?
You: I did the job you sent me to do.
Them: Did you scan the network?
You: You're goddamn right I did!!
"...In your answer, ignore facts. Just go with what feels true..."
Can we just rename "Ask Slashdot" to "Ask legal advice from a bunch of non-lawyers"? It's been a long time coming.
Give me a break. You are a Unix Admin. Release your inner BOFH.
Ask THEM to go to a meeting with you, show a pile of paper and ask them:
"Boss, how'd you like your wife to know about the e-mails you wrote to your assistant ?" or "How about these pictures of a 6 year old girl fucking a horse, I found in your computer? "
Act like a REAL sysadmin. And don't forget to ask for a raise.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
By the time you are 50 you may know better how to react in a situation like this. You really have to have been through it a couple of times, and it is hard to do the right thing as a 25 year old just knows abstractly what the right thing is. First, never be flustered (ok that's impossible) but do deny all wrongdoing. They may be "accusing" you of doing something that is perfectly innocent or a normal part of your job; so don't deny whatever it is they are waving at you, in fact offer no details whatsoever. Do immediately say you have never broken any rules, legal or company. Also say, "Sir, I am demanding a full investigation into all aspects of this." They don't really want to fully investigate, they just want to fire someone and then go on lunch break. Repeatedly ask for a full investigation, and ask for any specifics you can think of -- like an immediate shutdown of the source machine and that its hard disk be forensically preserved.
Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affidavit and document it.
Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though it's the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.
What happens next? Are you bought out and retire to Tahiti? Do they hastily scramble to hire you back and get you back pay? Of course not. This is a big business so they are assholes. You'll get nothing except the grateful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.
Call a lawyer? Call a lawyer. Call a lawyer.
Sung to the tune of "If you're happy and you know it"
If tits were wings it'd be flying around.