Get Fired. Delete Colleague's Account. Go To Jail.
SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...
So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
After all, now that he's been outsourced, what better job security post-9/11 than sitting in jail with all the "terr'rists"?
if you can't do the time, don't do the crime
other than, that game on !
20k for undeleting account?
Pheww...
Now I understand why IBM is four times bigger than Microsoft....
Isn't it quite obvious that he should go to jail for this?
Charging $20K != Performing $20K of value-add
What most people will get out of it: people shouldn't break into computer systems and delete stuff
What I get out of it: don't outsource IT to a firm that doesn't lock out former employees
If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.
The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.
Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.
But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.
Millot trespassed on private property, damaged said property, and now is trying to claim the damage wasn't bad enough to warrant a hefty sentence. He's already admitted to committing the actual crime. Whatever you want to say about the competence of IBM, IMO the individual in question deserves what he gets. Or, better put, doesn't deserve another job in the industry again.
The point to me is he DID admit to illegally gaining access to a network he had no right to be in anymore AND IBM DID bill the company that money. Now, whether IBM charged too much isn't relevant b/c the company DID have to pay it. He willfully deleted that account and, well, yes, IBM charges a heck of a lot to recover it, but the company did pay that amount. End of story.
The summary should read: Mr. Millot's attorneys argued that his actions did not amount to $5K in damage...
It's those itsy-bitsy words that make all the difference.
You forgot the meetings that had to occur to schedule the meetings, and then the meetings to approve the reports needed to have a meeting to approve having a meeting.
It was not IBM that owned the system, IBM was doing the work. We don't know the status of their backups, security. Part of what may be included is the time spent detecting any backdoors or other potential breaches by the Defendant. How do they know that he only deleted the account and not added a backdoor or timebomb?
I've seen an IBM hotswappable server hard drive fan with two LED indicator lights on it cost $850+ in total to replace. Not much IBM can charge would surprise me now.
So when a company breaks into my system (eMule, BitTorrent) I can just claim my $15/hour costs. But if it's IBM they can claim $20K.
That's not justice, that's abuse of economic status.
What happens if anyone sends an e-mail to Bill Gates and he claims 10 seconds of damages for reading it?
A couple of days after he left it was observed that the front door was continually unlocking itself
Good thing he wasn't malicious, perhaps.
This was a crime, hands down. Period. End of story.
If you read the article, there were multiple breakins, on multiple days, over a period of years.
The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.
Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.
Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harshly as well; after all, they can not legally claim they are just "following orders".
If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!
We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.
People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).
Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?
Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening because police _don't_ have the manpower to handle crime on the net by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrants. I say that democracy costs.
To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with other countries, and make sure that extradition is a possibility. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.
Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.
Bleh.
$20,000 to restore some backups?
Now I know how IBM manages to make so much money.
Many people go to jail for just accessing systems without permission. This guy actually purposely caused harm... so I really don't see a reason for anyone to complain. Another point that nobody seems to make is that the time the administrators used to fix this was probably not the only time spent. Many managers probably had to spend time working on this, reporting etc.
Are you sure it's ineptitude? IBM didn't have to just restore the account, they probably had to do a security audit to make sure the guy didn't do anything else, didn't plant backdoors, etc. Depending on how much access he had and how big their net is, yeah, that could be $20K. BTW IBM is more in the $100/hour range for consulting.
When a new hire is set up with a network account, it costs $20,000 in bumbling MCSE ineptitude to click on the GUI widgets in Users and Groups and create one?
Because the cost of the investigation can't be counted. If you steal a $1 candybar from walmart, they're not allowed to add in the costs of the police investigation/arrest to the crime itself. Or else there'd never be any petty crime.
What the guy did was wrong no doubt in that. I'm sure the auditors will have a field day with this one.
Let an employee go and let him keep his SecurID and his access - smooth move.
I am deeply grateful to all those who gave their valuable insight and opinion into IBM's work whilst knowing jack sh*t about what they had to do and actually did. /sarcasm
Seems you forgot to add "project management" charges to the bill. I guess there were at least three project managers on this one and all the related staff to edit meeting minutes, etc.
Maybe it should be looked at as if it happened with a non-electronic breakin.
What if he'd unlocked the front door with a copied key, broken off his colleague's key in the lock, maybe shredded a few random documents and destroyed the lock on a filing cabinet?
I don't think this sort of punishment would be appropriate, so why is it just because it's electronic? Even if they hired $expensive_security_company to repair the lock and the filing cabinet, and then claimed that was the cost of damage...it would be considered ridiculous.
As other posters have said, the bill seems to have included a lot more than restoring some files from a backup tape... IBM people inspected the rest of the systems at the site to make sure that other damage hadn't been caused as well (security backdoors, timebombs, and the like). That can add up to a bit of work depending on the number and types of systems inspected.
This guy acted like a child, a spoiled one at that. As a result he's been sent to his room without any supper.
Its time to grow up, and here's a few knocks from the clue-bat just to make sure you get the message.
Of course the cron job on the server that ran 10 days later and found that you hadn't touched a certain file in a week deleted your managers account. It wasn't you.
I once worked at a company where a billing clerk embezzled about 5K USD. She noticed that some clients repeatedly double-paid bills because of the confusing layout of the bill. The previous billing system had a fix for this, but was recently replaced with one that had the same problem.
So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.
When eventually caught she was fired but not prosecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no prosecution. I think if they had prosecuted the first one, it may have prevented the second.
If the only risk is getting fired, then the incentive to embezzle is pretty high.
Nice thought, and if we'd been running on Unix/Linux instead of Win2K, it might have been possible. If, of course, I had the privileges to add a cron job, which I didn't as that wasn't part of my responsibility.
I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.
I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.
I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.
This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.
Ah well, amazing you can hire an IBM'er for 50 bucks an hour. 3rd month in IT and I was already generating more. The bubble really burst.
Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything.
Think about the situation they had here. A disgruntled former employee who left himself at least one back door has performed at least one malicious deletion. According to you, close the single backdoor you've discovered, undo the single deletion he did, slap him on the wrist and call it a day. No security consultant (rightfully) works this way.
Even if this were just a matter of finding a backdoor without any proven malicious intent (i.e. maliciously deleting at least one thing), the correct thing to do is assume that there are other backdoors and you start re-installing operating systems to make sure you catch them. You restore router and switches back to factory defaults and re-set them up.
This case unfortunately goes even further than installing hidden backdoors - he maliciously deleted things! All level of paranoia are justified in such a situation.
According to you, let him violate ethics by leaving himself a backdoor, let him violate ethics by at least deleting one thing maliciously, but trust him that he did nothing else? Sorry, but I'd like to verify his story and sorry again, verification costs money.
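Two of the threads above carry a concrete control: disable a departing admin's access before (not after) telling them, and, once an intrusion is found, assume the attacker did more than the one thing you noticed and go looking. The following is an added example, not code from the story, from IBM or from any poster, of the check a responder would run against both: reconcile an HR termination list with a directory export to find accounts that are still enabled past their owner's last day, and scan authentication logs for any logon (successful or failed) by a terminated account after that date. The HR records, the account export, the log lines and their `user=... result=... src=...` format are all constructed for the example and are not any real product's output.

```python
"""Offboarding reconciliation and post-termination logon hunt.

Added example for this discussion; all data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed HR termination list: username -> last day of employment (inclusive).
TERMINATED = {
    "jdoe": "2004-08-31",
    "msmith": "2005-01-10",
}

# Constructed directory export: username -> account state.
ACCOUNTS = {
    "jdoe":   {"enabled": True,  "last_logon": "2004-11-02T23:14:00"},
    "msmith": {"enabled": False, "last_logon": "2005-01-09T17:02:00"},
    "alee":   {"enabled": True,  "last_logon": "2005-01-13T08:30:00"},
}

# Constructed auth log; the line format is assumed for the example only.
AUTH_LOG = """\
2004-09-14T02:10:31 vpn1 auth: user=jdoe result=success src=203.0.113.7
2004-11-02T23:14:00 dc1 logon: user=jdoe result=success src=203.0.113.7
2005-01-09T17:02:00 dc1 logon: user=msmith result=success src=10.0.0.5
2005-01-11T09:00:00 dc1 logon: user=msmith result=failure src=10.0.0.5
2005-01-13T08:30:00 dc1 logon: user=alee result=success src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): "
    r"user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def _cutoff(last_day):
    """First instant at which access should no longer exist: midnight after last day."""
    return datetime.fromisoformat(last_day) + timedelta(days=1)


def stale_enabled_accounts(terminated, accounts, as_of):
    """Terminated users whose account is still enabled as of the given date."""
    as_of = datetime.fromisoformat(as_of)
    return sorted(
        user for user, last_day in terminated.items()
        if accounts.get(user, {}).get("enabled") and as_of >= _cutoff(last_day)
    )


def post_termination_logons(terminated, events):
    """Every logon event, success or failure, by a terminated user after cutoff.

    Failures are kept: a failed attempt from a departed admin is itself a
    signal that credentials or a backdoor are being probed.
    """
    hits = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day is not None and e["ts"] >= _cutoff(last_day):
            hits.append((e["user"], e["ts"].isoformat(), e["result"], e["src"]))
    return hits


if __name__ == "__main__":
    print("still enabled:", stale_enabled_accounts(TERMINATED, ACCOUNTS, "2005-01-14"))
    for hit in post_termination_logons(TERMINATED, parse_auth_log(AUTH_LOG)):
        print("post-termination logon:", hit)
```

Run against a real directory export and log feed, the first function is the offboarding audit (run it daily, not once) and the second is the first pass of the scoping work the later comments describe: every hit widens the set of hosts that need to be rebuilt rather than trusted.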
to make sure next time there is no way to trace you.
1. The idiot who logged on to his former employers system and took a little childish revenge.
2. The idiot who didn't disable the account of a security chief who's just been fired.
Remind me never to do business with a company who are that lax with security.
The guy did not steal any actual cash; nor did he sell stolen items for cash. He also did not cause injury to any person. He seems a bright guy; the sort I would want to teach my children about computers, or participate in a research project. So (if I was in a hiring position, and I thought he had reformed, and he was honest about what he had done) I would consider hiring him. The financial loss to the employer is somewhat arbitrary; the bill from IBM could be any amount you wanted. Arguably, the employer should have had a long-term service contract which would cover this eventuality, plus the possibility of flooding like New Orleans, plus worse, all in the service with no additional charge. If that had been in place, the damage would have been under the magic $5000, and the guy could have been given his thousand hours of community service ... teaching teenagers to program computers, hopefully ... instead of jail time.
So I would be a little cautious about throwing him out with the bathwater. Someone might need him again some day, and forgiving might possibly be wiser.
Dear Sir or Madam,
Please refrain from turning unrelated articles into political flames. Thank you.
Regards,
Anonymous Coward
Whatever the judicial system's problem's are, and whatever the circumstances of his dismissal, the basic transgression remains. He abused people's trust, and he sold his integrity for the benefit for a bit of revenge. The commitments you make when you join an enterprise should remain in place whatever happens during the job later, or however you part company. If there is a problem, then fight the good fight and refrain from stooping to a lower standard of behaviour. A job is temporary. He has lost something forever.
I know it's a drop in the bucket for them, but if a man's freedom hangs in the balance, those numbers better be accurate and they better be crossing the t's and dotting the i's. Remember when Sun claimed a $20 million loss from Kevin Mitnick copying a file, and then went and gave that file away free to educational institutions a couple months later? They didn't report that one to their stockholders either, as I recall. I don't begrudge companies for going after hackers, but they should not be allowed to reel off whatever numbers they want to support their case.
You don't want to go to jail? Don't do it. Deleting files isn't exactly a harmless prank and it isn't entirely the fault of the victim for not being better protected. If you really don't see the harm, go in to work Monday and for a laugh format the hard drive on the server. If everyone laughs it off I guess I'm wrong, but I'll bet the owners don't see the humor. The amount was inflated to avoid splitting hairs. If they had claimed six grand in losses the attorney probably could have argued it down to a lesser crime. The point wasn't so much to punish him but to avoid it becoming a fad to trash accounts when you get fired. One person could do tremendous damage in a short amount of time without physically destroying anything. They were stupid not to remove his privileges, but it doesn't excuse his actions.
Anyone else find it strange that "IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350", which means they needed nearly 51 person-days of 8 hours to do their job? Just *how* incapable are they? I am not saying that what this guy did is excusable, but the cost presented here as "damage" is indeed ridiculous. Especially as the damage cost should only include what it needs to restore the account -- I do not assume that IBM needed 50 days to do just that?
Has slashdot really gotten to the point where we have to spell things out with <irony> tags?
Regards,
- me.
P.S.: The real irony is that the article was about a security breach by someone who lost his job through being outsourced; there have been a lot of security breaches that were a lot more severe than just deleting someone's email, that were the direct result of offshoring ... there are lessons for both employees and management in this article.
Unfortunately management, being management, probably won't read the memo. They're more interested in CYA.
Look, if every time you got fired you could jack up computer systems for a company with no repercussions, don't you agree you'd see a much higher rate of this being a problem? You can quote whatever studies you like but it simply flies in the face of reason, and of personal experience (I really, really have a strong desire not to go to jail that overrides a lot of mischievous impulses).
Personally I think for white collar stuff it's MORE of a deterrent, as who with a desk job really wants to go to jail?
As far as what society gains by locking him up - mostly deterrence. But it also is a wakeup call to this one individual who I imagine will heed this lesson far more than many other people who go to prison for more serious crimes.
While I do not mean to dismiss the severity of Mr. Millot's crime, I do have to ask: It took 407 man-hours worth of work for Big Blue to figure out what happened and to simply restore access/file-backups?
If that isn't over-billing, I have no idea what is.
You'd think IBM would already have policies to prevent this sort of scenario and be adept at cleaning up after one like this. You would think...
Having read the article, but not knowing whereof I speak, I note that there were 2 men who spent a total of 400 man-hours (or equivalently 5 work weeks of them both working at the job) doing nothing other than, as the IBM claim states, working "in response to the intrusion."
However, not all work "in response" to an intrusion could count as loss. If they were doing work that was supposed to have been done in the first place (but never had been), or upgrading a system beyond what it had been before, that is profitable work or work owed, not work lost. Moreover, I suspect that these two workers probably had other work in the meantime, meaning that some of that work should have been billed elsewhere.
So to the extent that some of this response was profitable work or billed to the wrong customer, it was misbilled. Such misbilling can be common for fortune-500 companies. Indeed, my own plant manager at a fortune-500 company would regularly take all the employees' timesheets, and erase/rewrite them, to bill time from where it should have been billed, to where he thought he could get away with the least pressure. As employees, we were required to write our timesheets in pencil for exactly that reason. That's outright fraud, I know, but my point is that among fortune-500 companies, it would appear to be common. It certainly seems that it's easy to get away with.
Yet I'm not sure that the lawyers could challenge it, because the offender was not the primarily injured party. Moreover, even if the lawyers knew that there was fraud, they would have trouble securing "reasonable cause" for a search warrant.
So it might have been a case where the lawyers saw the bill, and ground their teeth, but could say nothing.
In which case, I'd have to say, yeah, that's malicious by IBM, but the criminal was wicked, let his wickedness lead him into evil, and that's what this gets him.
But all I can be reasonably sure of, is that I don't know the whole story here. At such a point, I don't think I could assign fault one way or another.
It's easy to say that he should not go to jail. Far harder to think of another punishment. So what's your answer? Kill him outright? Give him a cookie?
They have different kinds of jails for exactly this reason. I say jail time will teach him a good lesson, and serves as an important reminder to the rest of us that computer crime leads to serious real-world consequences even if the damage is all virtual.
We may send too many people to prison, but it seems to me that someone maliciously damaging company computers is exactly the kind of person who should be going to prison in the first place - so work instead on getting the people who do not really belong there (like petty drug offenders) into some other kind of system. Though personally I have no answer for what that other system should be, which is why we still have these people going to prison.
He seems a bright guy; the sort I would want to teach my children about computers, or participate in a research project.
Why would you want someone with really lax morals to teach your kids anything? Sounds pretty insane to me.
In the computer world you have to follow some kind of code of honor, as it is possible to do so much damage so easily. I would want someone who has a firm grasp of right and wrong to be instructing my kids on what is possible with computers, but also what is wrong and why the line is where it is.
Just how far are you allowed to take your definition of "damage he caused"? Maybe he planted a poison tablet in the water system! Bill him for dismantling and rebuilding IBM headquarters! Maybe he spread lies about the management! Bill him for extensive brainwashing of all the staff!
Does everything include nothing?
Was anyone under the impression that this kind of behavior was ever legal?
I'm surprised this is the least of crimes committed by people whose jobs have been cut due to outsourcing. I could very well imagine a scenario of a person long established in a company getting fired due to outsourcing, not lack of skill, going nuts and burning the company headquarters down and murdering all the company executives. Why hasn't this happened yet?
Here is my question. WTF is this in YRO? Whose rights were violated or even in question? This guy broke into a system and destroyed data illegally. IBM had to come in and figure out how much damage he did and repair it. Is 20,000 a lot? It might be on the high end, but you need to remember that not only did they need to undo the damage, but they had to make sure there was no other damage done. I don't know about you, but if a disgruntled ex-employee broke into my system and did damage, I would want the entire system checked from top to bottom to make sure he did nothing else.
So this man clearly violated the law and he got a sentence. Was the sentence appropriate? Hell yes! He got sentenced for just 3 months in a 'white collar resort' plus fines. 3 months for breaking into a computer system and forcing a company to pay to have their entire system checked over is a fair punishment. The company in question will never be sure that they caught all the damage or that he didn't slip a backdoor in. If anything, I think they went light on him.
The only rights violated were the rights of the company in question. The asshole who broke into the system got exactly what he deserved. A slap on the wrist jail sentence in a white collar resort, a fine, and he has effectively made it such that he will never get a job in IT again. Good riddance.
I was outsourced in August of 2004 by a large insurance brokerage firm. I was given thirty days notice of my termination.
During this period I had remote access to backup servers and full admin rights on a network with about 1100 users.
While I was obviously upset about the company's decision, at no time during this period did I ever even consider deleting files, accounts, etc.
Additionally, will this person ever get another job in IT? Don't think so - he's no Kevin Mitnick, just a person who made a really bad choice.
We are a nation of law. Break them and pay the consequences.
This guy did something wrong. He should be punished.
I think the punishment being imposed is egregious. $5,000 fine, OK. I think the IBM bill of $20,350 is outrageous. There must be much much more going on than was presented to us to justify such a bill, so I think that's too much. Not that I dispute that he should pay- just how much.
Three months home detention seems fairly harsh, but it may be reasonable. Three years of what is essentially probation also seems harsh, but is conceivably reasonable.
Jail is unreasonable in this case. It is certainly unreasonable in addition to all the above penalties. Maybe if the sentence is suspended with mandatory probation.
What would I propose? $5,000 fine. $5,000 for the IBM services. (That's two men for a week at $50/hr with a little overtime.) He should stay on house arrest 30 days and fulfill two years probation. If he does that he should never go to jail. If he fails to hold up his end of that deal he should get up to 6 months in jail.
That and his probation officer should definitely be wearing the kid gloves.
The real menace this guy might pose is of erasing someone else's account again. That isn't a great threat to society. I doubt he will ever be hired for any position where he is focused on computer security ever again, and further he isn't likely to ever get any job requiring root/administrator access or any type of security clearance or bond.
Those penalties will go on long after any of the penalties being directly imposed by the court, and should be weighed carefully. They represent a disastrous circumstance. At best he will have to completely rebuild his life, at worst he may become completely unemployable.
An eye for an eye leaves the whole world blind. Well the penalties here are far beyond the actual damages and inconvenience to Aventis or IBM. Tread carefully.
This guy worked in security. He should be above abusing his abilities. Sure they should have taken his card, but as a security professional he should have been trustworthy. Instead he maliciously took advantage of the situation. And what... you want him around children? Really, I'm sorry, but I can't believe what I'm reading, maybe I'm missing something. What else am I missing? Hmm, perhaps this - child molesters shouldn't be jailed if no cash was taken and nobody is physically injured. Also, child molesters are able to lure kids towards them, so they'd be good at selling ice cream in parks.
I find that the BOFH mentality is usually just jokes. It takes a special kind of sociopath to want "revenge" for every perceived wrongdoing to their person. The thoughts of formatting someone's hard drive for revenge are fun to think, but the committing of the crime is an entirely different story.
Child's play. If you're going to be spiteful do it legally.
When the last dot com I worked for offshored a ton of jobs and fired about 150 to 175 coworkers the day before thanksgiving (fuckers! at LEAST wait until after the holidays) I decided to leave soon after. But while I stayed I wrote a script which would have done the following:
I tested it and it propagated correctly and worked, but I thought better of it (it's illegal) so I deleted that script. I showed a couple people who got fired the script and they liked it, and wished I could have actually run it.
What I did instead was I encrypted the filesystem of the workstations I used and since they were not a member of the domain after I left they could not get into them, and before some of the engineers whose jobs were getting outsourced left I mentioned encryption to them. That was the extent of my getting vengeance for fucking over so many people right before the holiday. It was the only thing I could do that was within legality, but I'm not sure the ones I suggested this to were within legality. Due to the nature of my job the workstations I used were not on the domain for security reasons, so I had legitimate reasons to encrypt the filesystems.
You know, after I left (it was about two or three months later) the company had the gall to call me and ask me for some prototypes I had written on my own time and proposed for production, which they turned down because they were "different" (some of their software was still 16-bit, and I was so sick of the limitations and GUI I wrote new versions from clean code at home). Before I left, I deleted my own works from the hard drives and overwrote them several times and then defragmented the hard drives, and did the same on my home machines, keeping only interesting components I invented (no, I didn't patent them and don't ever plan to patent software. ANYTHING you can invent in software is obvious use of a computer language. Software is already protected under copyright). Later on, the folks in marketing who rejected the rewrite (the project was DONE and fully unit tested and about 75% integration tested when I showed it to them) thought better of it because they were losing sales due to the antiquated GUI and word spreading of bugs in the 16-bit component. Thankfully I had signed nothing upon my hire which covered my own works done on my own equipment on my own time (there was no Tandy-like clause giving them ownership of anything like web sites, software, inventions, creative works, etc. - this company wasn't quite that evil at the time I was hired. Later hires had agreements with those types of clauses) so I told them I didn't have the projects any more, only certain components I invented at home, and only retained parts I deemed interesting.
I told them I could reimplement it again from scratch, and since I remembered most of the code I could implement it in under 2-3 months, but I would do so only if they paid me $3,500 up front for the initial site visit and then a ridiculous hourly rate, and if the project is cancelled or if my contract is terminated for any reason whatsoever, whether I'm laid off, the company closes, or I decide to leave again of my own volition, I would be owed the full amount for the estimated project implementation, figured at 60 hours per week. Of course they balked at that.
As I understand it from friends who still put up with their shit, they still have the same 16-bit components, only two software developers are on staff, they have made NO new features, they have cancelled an alternate version of the product they were developing, and they still retain customers for only 18 months when they discover that the product (which sells for $250K to $7.5million depend
And of course it didn't cost them that much. This guy is what we call an "example." Let it be known that nobody screws with Big Blue.
I think the redundant ones are pretty funny. for now....
Can you be Even More Awesome?!
How many consultants did IBM send to the project? I could imagine them sending 5-6 people if it was an emergency rush job.
Now, there are some people in this discussion crying out for tougher policing on the internet, saying this is just like any other crime.
While I agree that it is a crime, I would like to point out that eliminating internet crime is incredibly dangerous. Constant attacks are what motivate us to create better, more open systems. On the other hand, an artificial safety vacuum leads to ignorant homogeneity and cataclysmic vulnerabilities.
Maybe some of you guys have forgotten what the security scene was like in the mid '90's, but I haven't. The only reason we're where we are today (with apache leading the market) is because of white hats, gray hats, and, yes, black hats.
The technically illiterate people out there look at a story like this and wet their pants. Although I do see the criminal element of it in the individual case, as part of a larger trend, I see this as reassurance (to think in terms of evolution, for a moment) that the environment is imposing security and technical skill as selection criteria.
Although I agree this case is a pretty clear-cut example of criminal revenge, I'd rather see the computer crime laws loosened in general. They always say (rightly) that it's not the criminals that you hear about on the evening news that you ought to worry about...it's the ones you never hear about at all. I fear that any kind of regulation or policing on the internet is just going to make the flock all the fatter.
Don't forget sales tax!
LOLOLOLOLOLOL This is like recursive hypocrisy.
Unless I'm missing something, I cannot understand how IBM needed 20K worth of incident response services to figure out what happened. SecurID systems can log all activity. A simple check of the logs would have indicated who disabled the access and when.
I would have told IBM to put that invoice where the sun don't shine if they tried to bill me for investigating such a simplistic "compromise" of a system *they* were supposed to be managing.
-SHP (CISSP, CISA)
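The check the comment above describes (pull the audit trail and read off who disabled the account and when) looks roughly like this in practice. This is an added example, not part of the original post: the log format, the host and account names, the timestamps and the termination date are all constructed for illustration and are not the output of SecurID or any other real product.

```python
"""Reconstruct 'who disabled which account, and when' from an admin audit log.

Added example. AUDIT_LOG is a constructed sample in a made-up key=value
format; TERMINATIONS is a constructed stand-in for the HR roster that says
when each person's access should already have been revoked.
"""
import re
from datetime import datetime, timezone

AUDIT_LOG = """\
2003-01-03T09:12:44Z host=ace1 actor=jdoe action=LOGIN result=OK src=10.0.5.21
2003-01-03T09:13:02Z host=ace1 actor=jdoe action=LIST_USERS result=OK src=10.0.5.21
2003-01-03T09:14:10Z host=ace1 actor=jdoe action=DISABLE_USER target=msmith result=OK src=10.0.5.21
2003-01-03T09:14:37Z host=ace1 actor=jdoe action=DELETE_USER target=msmith result=OK src=10.0.5.21
2003-01-03T09:15:01Z host=ace1 actor=jdoe action=LOGOUT result=OK src=10.0.5.21
2003-01-03T11:40:55Z host=ace1 actor=msmith action=LOGIN result=FAIL reason=no_such_user src=10.0.7.3
"""

# Constructed: account -> date after which that account should no longer exist.
TERMINATIONS = {"jdoe": datetime(2002, 12, 20, tzinfo=timezone.utc)}

# Actions that change someone else's access and therefore matter in a timeline.
DESTRUCTIVE = {"DISABLE_USER", "DELETE_USER", "RESET_TOKEN"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a tz-aware 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        ev = dict(_KV.findall(rest))
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events


def account_changes(events, target):
    """Every destructive action taken against `target`, in log order."""
    return [e for e in events
            if e.get("target") == target and e["action"] in DESTRUCTIVE]


def actions_after_termination(events, terminations):
    """Every event performed by an actor whose access should already be gone."""
    return [e for e in events
            if e["actor"] in terminations and e["ts"] > terminations[e["actor"]]]


def timeline(events, target, terminations):
    """Human-readable lines answering: who touched `target`, when, from where."""
    lines = []
    for e in account_changes(events, target):
        stale = e["actor"] in terminations and e["ts"] > terminations[e["actor"]]
        flag = " (actor's access should have been revoked)" if stale else ""
        lines.append(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['actor']} {e['action']} "
                     f"{target} from {e['src']}{flag}")
    return lines


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    print("\n".join(timeline(evs, "msmith", TERMINATIONS)))
    print(f"{len(actions_after_termination(evs, TERMINATIONS))} events by actors "
          f"whose access should have been revoked")
```

The second function is the one worth keeping around: comparing the audit log against the leaver roster catches every action by a revoked account, not just the one someone happened to notice.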
Sorry, but IBM's rate is more like $150/hour.
Go directly to jail.
Do not pass IBM.
Cause $20000 of repair work.
HAHAHAHA
Right. Because Win2k doesn't have anything like 'at.exe/winat.exe' or 'scheduled tasks' that you could use in place of cron...
Don't hire IBM employees to something as simple as restore from a backup.
$20k to restore a deleted account?
What was lacking, more than anything else was Administrator access to do anything worth doing.
Good, inexpensive web hosting
At risk of being a 'me too' post....
Regardless even if it was 5 dollars, what he did should be considered a jailable offense.
After you are fired, going back in and doing *anything* should be breaking and entering at the very least. You should be tossed in the can.
The fact IBM may have overcharged has no relevance. (And I say may have; we don't know what else was done to constitute the bill.)
---- Booth was a patriot ----
The guy deliberately kept passwords and access devices for a system he'd been responsible for, and deliberately trashed parts of the system and deleted accounts for other administrators, and he deserves what happens to him. This isn't like Mitnick giving away information, or even crackers using the victim's machine as a launching pad for zombies - it's pure premeditated vandalism. The concept of a "protected computer" in Federal laws may be dodgy, but he did a lot more real and potential damage than stealing a company car, a crime for which nobody would be bothered by him getting a few months in jail.
If anybody's ripping anybody off here, it's his lawyers taking this to a Federal Appeals Court when the guy's obviously getting off light, and you know his lawyers are charging him a lot more than $50/hour and billing a lot more hours if they're getting to that level of the courts. They should have told him to do a plea-bargain and helped him get one that avoids jail time, but maybe the initial judge wouldn't go for it and he thought it was worth the money to try to get bounced to a state court.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
IBM apparently charged Adventis their standard "$50/hour outsourcer grunt" rate, not a "$2000/day medium-level consultant" rate or an "If you have to ask you can't afford it Security Wizard" rate. Not only did Adventis get off way light paying for the lower-priced consultants (though admittedly a lot of the work is scanning logfiles, if the logfiles can be trusted), but either the system was designed to really effectively limit the scope that he had access to, which is a dodgy assertion if he had anything to do with designing it, or else they should have brought in much bigger guns to find out what he might have tampered with. (Of course, they should have also had backups for the critical information that they could pop up quickly, and they probably did, so hopefully most of the work was done after they'd restored access to the other sysadmin, but can you trust the backups?) Sometimes destructive people are just opportunistically trashing whatever's nearby, and maybe they decided that that was all he did, but if he'd been seriously trying to sabotage them he could have caused a lot more damage.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's pretty tough to restore from known good backups, unless you make assumptions like "he didn't know the outsourcing/layoffs were coming until 2 months ago" and "hand-inspecting the backups is good enough". Might account for why they used 400 hours of grunt-work instead of security-wizard time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
$50/hour is a bit cheap, but it's not out of line for outsourcing an entire department. It's certainly not the kind of rate you'd get for mid-level consultants you brought in for a specific project, much less security wizards for an emergency, but it's the kind of price you might charge to replace an IT staff that's mostly doing operations.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"The court disagreed, saying that IBM had done over $20K in work to undo his handiwork."
TFA says something different. "IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350." - which is not the same as 'undoing' whatever he did.
I would also like to see another person sharing the guilt in this case -- the security/system administrators responsible for ensuring that every employee who leaves has his account access (via SecurID, or any other method) removed. For employees who get fired, this should be done *before* they're informed about the decision.
If they don't do their job properly, they're effectively handing out daggers to ex-employees to come and stab the company anytime.
RTFA, he didn't 'put backdoors in the security system', he used the access that he originally had had legitimately, and which Aventis had failed to revoke.
I read this story as "the employer fucked up by not locking off his id card. someone had to pay. so they told the ibm experts 'make sure it costs over $5,000 - we want to send this bastard to jail'."
my password really is 'stinkypants'
Um ... just in case you missed the headline -- the job was outsourced to IBM not to INDIA ... next time please bother to read at least the first few sentences carefully before publicly displaying your racist credentials.
For the truly anti-social BOfH....
:)
Set up a periodic listener on a known open port on a system (say, once a month, for 10 minutes) that upon receipt of the "I've been fired, and I want revenge" packet, starts a countdown timer on a neighboring system, then deletes itself.
Months later, when the original listener app. has been relegated to offsite backups, if it's on any backup at all, the activated program wakes up, and begins systematically opening backdoors, dropping in trojans, deleting white-collar files...
And finally, demands "One million dollars!" before un-installing itself as well.
Just one thing, if you actually go and do something like this, please leave my name out of it
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
And how does a jail fix things? How is sending him to jail protecting the society?
How is it reducing our debt/budgets and taxes? It costs more to keep people in jail than it costs to go to a Hilton hotel.
You should only send insane losers who will slit your neck and steal your car to prisons.
Just let him go, and give him 250hrs community service in IT to help churches/small orgs and a $1000 fine.
100 congress men steal and lie and bank roll their hidden companies and what do they get? more terms and more cash.
Those are the real crooks.
Liberty freedom are no1, not dicks in suits.
I heartily dislike this verdict, mainly for the fact that damage is exaggerated where there is not much.
Lessons learned ? How about those:
- when they piss you off, don't just play a little, make sure you don't get caught at all. Do whatever that takes.
- don't just fool around with someones account, kill the company outright. If they fight for their life or are dead, there is less incentive to play games with you. You have the inside knowledge, so there is plenty of shit you can do. Be hard, swift and merciless.
I'm not really sure that's what we want to teach, though.
"You does the crime, you does the time."
This guy ain't special so let him be punished just like the rest of us would be if we were criminals. I bet he won't be inclined to pull this stunt again.
Has anyone seen the movie "Firewall" and see a vague resemblance? http://www.imdb.com/title/tt0408345/
So a security specialist has to rob his bank, to pay back a ransom.
So a sysadmin decides to do some damage to his old company, to take revenge on the IT department.
Sounds like Hollywood material to me!
1. Get fired.
2. Delete colleague's account.
3. Go to jail.
4. ???
5. Profit!
Maybe his attorneys should talk to Randal Schwartz's attorneys.
Schwartz Case Upheld on Appeal (slashdot story posted 2001.04.07)
Latest data on it is from November of that year.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility.
Ambrose Bierce, The Devil's Dictionary
They started to have second thoughts about the financial benefits of outsourcing.
There they are a conga line of suck holes. On the conservative side of Australian politics. - Mark Latham
And it was BILLED at $50 an hour (that's after overhead and margin, remember). I'm pretty sure that wasn't any of IBM's U.S. employees.
An engineer who ran for Congress. http://herbrobinson.us
If hacking and opening up systems to hacking is a crime and punishable by Jail, why didn't they prosecute Sony and throw the Music Overlords into Jail for hacking into thousands of XP systems and making them vulnerable with their RootKit?
How come they got left off for committing a more heinous crime than this poor idiot who did something under "emotional stress"?
How come Sony gets to pay $7.50 for such a crime for which we pay $220/- to GeekSquad to get it repaired?
My first question:
1. Why didn't those stupid lawyers for this poor guy quote Sony as a precedent and make the Judge "let go" of this guy with just a $7.50 fine?
2. if that was not possible, why didn't they argue his error made only ONE company vulnerable while Sony actions have made hundreds of computers in possibly at least 50 companies MORE vulnerable? That would have made the Judge sit up and either throw out Sony settlement / at least question it, and MOST important of all, made the Judge let off this poor guy.
3. If both are not possible, and Now that THIS guy's case becomes a precedent, make the same Judge apply the same rules to Sony and make those executives suffer Jail time?
Sheesh !
What fuckin' justice system we have !
Corporates and corporate idiots who cause millions of dollars in damage to personal property by producing rootkits and like are let off OJ Simpson style, but the poor idiot who does the SAME thing in MUCH SMALLER proportion and in anger gets a jail time.
This guy should go and apply work at Sony Music or BMG.
"Doing what i can, with what i have." ~ Burt Gummer
This idiot brags about doing something any script-kiddie could do.
It's usually best not to get mired in revenge over soured old business relationships, but look forward to making money in new, clean work.
Also, in this extremely fluid industry you never know when you'll run into a previous business relationship as a boss, co-worker, supplier, customer, etc. It's best to leave with a reputation as a smart, good guy, even if you got screwed.
Is this a joke? Can you seriously not think of another way to punish him?
How about a monetary penalty? Having him pay for the problems he caused?
It's a serious question.
The answer you gave is OK but doesn't really constitute punishment. If money equivalents were OK, I could just steal a car and pay for the gas used (or perhaps pay you based on the IRS approved mileage fee).
The problem is that in any crime there are damages beyond monetary, and it's unfair to the victim to say that money makes everything right. Jail time is a way of making a criminal pay for damages that are not just monetary.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Spray-painting a back-alley wall meets these criteria as well. It also meets the same criteria as causing damage (e.g. requiring someone to do repairs to the affected property.)
I have one question - how can you tell that he has reformed? And while I'm asking, how can you make your potential clients (e.g. a large quantity of customers, government agencies requiring top-secret) believe that he has reformed as well?
This is an abuse-of-trust situation - the system administrator was trusted, and he violated that trust. This is not a "script-kiddie" that is just trying to learn. It is also not an accident as the account was willfully deleted.
And that's why he won't be hired in the future. If you are cautious about throwing out a clean sysadmin, you can be certain other HR personnel *will not* hire a person with such a criminal conviction that has not been pardoned.
Lawyers: Imagine if he'd hit the delete key TWICE! IBM could have been out of business!
IBM: Please don't spread that around.
Obviously, paying exactly the damage you caused is generally not a good and suitable punishment. The punishment should fit the crime, not the monetary damage caused by the crime. Clearly, in some cases, the monetary penalty should be higher than the damage caused. It's also possible to see cases where it would be the other way around.
However, you should note that there's a difference between your example and the case here: He has to pay a whole lot more than a bit of gas.
There are of course cases where a monetary penalty - any monetary penalty - is not severe enough. To me, this particular case does not seem to be one of them.
Deleting accounts can be dangerous. You don't want user accounts to be recreated (e.g., does 'bsmith' refer to Bob Smith or Bill Smith, and what do you do when Bob is rehired?), and it's not uncommon for sysadmin accounts to be more integrated into the system than anyone intends. It's not intentional, just inadvertent ownerships or development scripts getting put into place before they're ready.
What you do want to do is _disable_ the account and monitor access attempts. This could be disabling the password and monitoring log files to something more sneaky like keeping the password in place but having a minimal program/script that records the connection information and flashes the security administrators before dropping the connection.
BTW disabling access is more than changing the /etc/shadow file. SSH keys are often overlooked, and a sysadmin probably has SSH-key access to multiple accounts. E.g., I can log in directly as root, but it's for a "worst case recovery" situation. You would also want to remove the person from /etc/group, if appropriate.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
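The two points made above (revoke access before the person is told, and disable rather than delete, remembering SSH keys and /etc/group as well as /etc/shadow) can be turned into a repeatable offboarding check. This is an added example and not code from either commenter: the /etc/passwd, /etc/shadow, /etc/group and authorized_keys contents are constructed samples with fake key material, and the leaver list is a stand-in for whatever HR feed a real site would use.

```python
"""Offboarding audit for local Unix accounts: lock instead of delete, then
look for access that outlives the password (group membership, SSH keys
planted in other accounts).

Added example. All file contents below are constructed; a real run would
read the host's own files and authorized_keys under each home directory.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:J. Doe:/home/jdoe:/bin/bash
msmith:x:1002:1002:M. Smith:/home/msmith:/bin/bash
"""

SHADOW = """\
root:$6$saltA$hashA:12000:0:99999:7:::
jdoe:$6$saltB$hashB:12000:0:99999:7:::
msmith:!$6$saltC$hashC:12000:0:99999:7:::
"""

GROUP = """\
wheel:x:10:jdoe
adm:x:4:jdoe,msmith
users:x:100:
"""

# account -> lines of that account's ~/.ssh/authorized_keys (fake key blobs)
AUTHORIZED_KEYS = {
    "root": [
        "ssh-rsa AAAAB3FAKEKEY1 jdoe@laptop",
        "ssh-rsa AAAAB3FAKEKEY2 msmith@desk",
        "ssh-ed25519 AAAAC3FAKEKEY3 jdoe@oldhost",
    ],
    "jdoe": ["ssh-rsa AAAAB3FAKEKEY1 jdoe@laptop"],
    "msmith": ["ssh-rsa AAAAB3FAKEKEY2 msmith@desk"],
}

DEPARTED = ["jdoe"]  # constructed leaver list


def _entries(text):
    return [line.split(":") for line in text.splitlines() if line.strip()]


def is_locked(shadow_text, user):
    """A hash field starting with '!' or '*' is locked (what passwd -l does)."""
    for f in _entries(shadow_text):
        if f[0] == user:
            return f[1].startswith(("!", "*"))
    return False  # no entry at all: the account was deleted, not disabled


def lock_account(shadow_text, user):
    """Lock `user` by prefixing the hash with '!'. UID, hash and home directory
    stay, so file ownership remains attributable and the lock is reversible."""
    out = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if f and f[0] == user and not f[1].startswith(("!", "*")):
            f[1] = "!" + f[1]
        out.append(":".join(f))
    return "\n".join(out) + "\n"


def groups_containing(group_text, user):
    return [f[0] for f in _entries(group_text) if user in f[3].split(",")]


def _blobs(lines):
    return {l.split()[1] for l in lines if len(l.split()) >= 2}


def residual_keys(keys, user):
    """Keys the leaver controls that still sit in other accounts' authorized_keys.
    Exact key material is the strong signal; a comment naming the user is weak."""
    own = _blobs(keys.get(user, []))
    hits = []
    for acct, lines in keys.items():
        if acct == user:
            continue
        for l in lines:
            parts = l.split()
            if len(parts) < 2:
                continue
            blob, comment = parts[1], " ".join(parts[2:])
            if blob in own:
                hits.append((acct, "key material matches"))
            elif user in comment:
                hits.append((acct, "comment only"))
    return hits


def audit_departed(passwd, shadow, group, keys, departed):
    """Per leaver, everything that still grants or could grant access."""
    users = {f[0] for f in _entries(passwd)}
    findings = {}
    for user in departed:
        f = []
        if user not in users:
            f.append("no passwd entry (deleted rather than disabled)")
        if not is_locked(shadow, user):
            f.append("shadow entry not locked")
        for g in groups_containing(group, user):
            f.append(f"still member of group {g}")
        for acct, how in residual_keys(keys, user):
            f.append(f"ssh key in {acct}'s authorized_keys ({how})")
        findings[user] = f
    return findings


if __name__ == "__main__":
    for user, items in audit_departed(PASSWD, SHADOW, GROUP,
                                      AUTHORIZED_KEYS, DEPARTED).items():
        print(user, "->", items or ["clean"])
```

Run it before the person is told, and again a day later against the live files; the second run is the one that catches keys and group entries that a first pass missed, and the lock (rather than a delete) leaves the audit log entries and file ownership readable while access attempts are monitored.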