Slashdot Mirror


Get Fired. Delete Colleague's Account. Go To Jail.

SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...


  1. IBM ineptitude by Tet · · Score: 5, Insightful

    So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:IBM ineptitude by Raindance · · Score: 4, Insightful

      50 man days to
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.

    2. Re:IBM ineptitude by Kymermosst · · Score: 4, Insightful

      50 man days to
      -2. Find out who was responsible.
      1. Find exactly when and what happened.
      0. Find out exactly how much damage was done.
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.


      So would I, after my minor additions. (Yeah, they were implied, but you have to spell this kind of thing out for some people.)

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    3. Re:IBM ineptitude by Leto2 · · Score: 5, Insightful

      I'd like to know where Aventis found IBM consultants that only charge $50/hr...

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    4. Re:IBM ineptitude by TechieHermit · · Score: 5, Insightful

      Besides, he only got three months in jail, plus restitution. That's relatively lenient for this kind of crime, isn't it? Most prosecutors try to lock hackers up for the maximum term.

      The real effect of his record will be that it effectively bars him from working in I.T. Which might not be an entirely bad thing -- the guy DOES seem to have a pretty flexible moral compass, doesn't he?

      My question is, why is this in "your rights online"?

    5. Re:IBM ineptitude by undeadly · · Score: 1, Insightful

      It goes like this: if you, as a home user, are hacked, your time used for investigation/recovery are worthless because you can't bill anyone. A company does not have that restriction. Welcome to the US style of democracy favoring those with money.

    6. Re:IBM ineptitude by Sigma+7 · · Score: 3, Insightful
      So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything


      Here's some basic information:
      - Those 5 or 50 man days were spent cleaning up on the incident, and are not recoverable. (As opposed to endless meetings that "optimize" the performance of the company.) While it may not seem like a lot, it just takes one lost man day on a critical path to slow down an entire project.
      - Restoring from backup is not typically a drag-and-drop operation. In general, most large companies use backup tapes to store a large amount of data, and those are not typically random access.
      - When there is a person with Administrator privileges that made the changes, you need to assume Rootkit. This takes a lot of time to sterilize the computer and examine what went wrong. In addition, you can't always assume that the logs are legitimate.
      - You still need to check whether a script kiddie simply cracked the password to an account, or if it was a disgruntled employee that used an idle account.

      What appears to be a simple 5 man hours of work can easily balloon into 50, especially when you have to prove things beyond a reasonable doubt for a criminal conviction.

      Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here.


      No, he didn't screw up. A screw-up requires incompetence, and does not apply to malice of any form (unless the incompetence existed during the malicious act.)
    7. Re:IBM ineptitude by lucm · · Score: 2, Insightful

      This is not a simple matter of disabling a user account. To do a proper resolution of this issue, IBM must involve a lot of people:

      * an account manager to handle the issue with the customer
      * a senior analyst to evaluate the situation and make an action plan
      * a systems analyst to make recommendations to prevent this kind of issue in the future (new ACLs, firewall rules, etc)
      * a couple of technicians to carry out the job (log scanning, password reset, etc)
      * a security specialist to proceed to an ethical hack and validate the new measures
      * a security analyst to review the company's security policy

      Would they bill only 50$/h for those people, still the invoice could get high very quickly. They would not even have to get nasty. But then 50$/h an hour is a very low rate for consultants.

      Welcome to the world of big business.

      --
      lucm, indeed.
    8. Re:IBM ineptitude by theLOUDroom · · Score: 4, Insightful

      50 man days to
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.


      Based on that reasoning why not 500 man days? 5,000?

      "Damages" should be calculated based on actual damages. If not, there's really no limit to how much damage they can claim.

      It's not that I necessarily believe that the number 50 is unreasonable, it's that the argument you're using to support it certainly is.

      Imagine if this was applied to someone who stole a $1 candy bar: Yes, it only took $1 to replace the candy bar, but we had to spend $10,000 to inventory the whole store.

      --
      Life is too short to proofread.
    9. Re:IBM ineptitude by Protectiva · · Score: 2, Insightful

      Claiming for damages, OK. Sounds fair. But claiming for expenses incurred to discover the full extent of the intrusion seems a mite dodgy. And terribly vulnerable to abuse. The company can say: "Our security is absolute crap. We don't even notice who comes and goes. If there is a security breach, we have to do a comprehensive security audit to discover the extent of any damage, made all the more time-consuming because we don't reliably detect intrusions. But the perpetrator has to pay for the unnecessarily-complicated investigation. So there is no incentive for us to secure the network beforehand." Whatever happened to due diligence?

      It is fair that they seek to recover the money/man-hours which were expended to undo the actual damage inflicted by the perpetrator. They actually had to expend those resources to get their production environment back the way it was before the intrusion. But why include the cost to "make damn sure he didn't do anything more serious and insidious"? Yes, the intruder is ultimately responsible for the damage. But is he/she also punishable for the network's sloppy security?

      I see more and more cases like this where the actual damage inflicted is very small and the actual recovery is not expensive. However, the sanitizing of the network takes up the bulk of the time. (E.g. one server compromised, easily spotted in what might be the preliminary stages of a deeper attack. But the incident response team spends absolutely ages tweaking filters and going through logs trying to see if anything else was compromised or if the intruder has gained a foothold in the network.)

      Any thoughts on this?

      --
      It is not that power corrupts but that it is magnetic to the corruptible.
    10. Re:IBM ineptitude by qwyeth · · Score: 5, Insightful

      IANA security professional, but here goes:

      No system is 100% secure. Even if you do assume their security is state-of-the-art, there's still a margin of vulnerability. In this case, a security professional who was responsible for those systems abused his knowledge and former access to gain entry. Once he's in, there's no telling how many hacks, exploits, and sneaky tricks (not to mention previously-installed backdoors) he knows and can use to his advantage.

      No matter what their level of security and how much money they spent hardening everything in the past, they simply cannot be positive he hasn't found a way to sneak around their logs, sniffers, and monitors and install a rootkit. 50 man-days to recover doesn't sound so bad when you consider that one successful intrusion (however difficult it was to achieve) can result in an invisible-yet-gaping orifice that leaves all that hard-earned security worthless to future penetration.

      I agree that what Mr. Millot did is pretty stupid and stinks of 'amateur,' but IBM is operating in paranoia mode (and rightly so!). What if this guy is a pansy who knows just enough to get himself caught, but he was hired by a shady individual to plant a stealthy something and deleted the account as an afterthought? How does IBM know that their system isn't still compromised by something like that? Because they spent 50 man-days wiping and re-imaging systems or poring over md5 signatures or whatever it is they do in a situation like this.

      Actually, they still can't be 100% positive, but at least they were (to paraphrase the parent) duly diligent.

    11. Re:IBM ineptitude by bobt1956 · · Score: 3, Insightful

      I used to consistently charge $125 per hour as an analyst supporting IBM AIX systems. $50 an hour is cheap. However it wouldn't take anywhere near that amount of time to undo and repair the damage. On the other hand, sounds like the company got a complete overhaul in the deal which would be unrelated to the problem other than it scared them and pointed out the need! There should have been (2) bills here: 1. Find and fix problems related to the account -$2,000 2. Re-design the whole system $18,000. I feel confident IBM naturally started finding un-related problems and holes and a small project turned into something completely different. Having been an analyst for 25+ years and spending my life making things work, I'm the last person to condone his actions but he shouldn't have been tagged with the bill to rebuild the whole system!

    12. Re:IBM ineptitude by pnewhook · · Score: 2, Insightful

      It's not just the time to restore the account. They had to search the system to find out how it happened and who did it. That can take a lot of time.

      --
      Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
    13. Re:IBM ineptitude by Anonymous Coward · · Score: 1, Insightful

      This could be like if someone poked you with a needle. They may have just given you syph, which is a $30.00 penicillin shot. However, they could have also given you AIDS. So, to be sure, you have to be tested for everything. So they should be liable for all the testing in addition to actual damages.

    14. Re:IBM ineptitude by ePhil_One · · Score: 4, Insightful
      You do need detailed computer forensics when you are stupid enough not to revoke admin privileges when you fire someone.

      It was not his account he was using to access it, but rather an auxiliary "Admin-level" card he stole. He was in charge of admin-ing the SecureID tokens, and had issued "spare" or "loaner" tokens. Bad security policy yes, but perhaps they outsourced his job because he made stupid policy decisions. Perhaps they should have done a full audit when he was let go, but in large companies this can be extremely difficult and disruptive, and still doesn't cover all the potential backdoors/traps/trojans a malicious admin could lay. The reality is you trust professionals to do what's right, they were already ahead of the game using token based authentication, it's impossible for him to have a co-worker's password.

      Blaming the victim is always bad policy, and you should feel no remorse for a criminal who has put IT professionals in a bad light. This wasn't one stupid moment, it was a series of really dumb decisions.

      1. Steal SecureID token from company you no longer work for
      2. Access (9 times at least!) former company's private network
      3. Vandalize former company by deleting data

      Personally, I'd feel fine if the company added lost productivity to the toll, not just for the manager, but for any projects that were delayed as a result of his criminal behavior, etc. This idiot got off light, don't be an idiot yourself and sympathize with him.

      --
      You are in a maze of twisted little posts, all alike.
    15. Re:IBM ineptitude by cgenman · · Score: 2, Insightful

      I hope this doesn't burn too many bridges, but while IBM charged the company $20,350 for the investigation, that doesn't mean that the person did $20,350 dollars worth of damages. If someone sniffs around the old apartment they used to live in, eventually deciding to steal a 2,000 dollar laptop, for criminal purposes the person has stolen 2,000 dollars worth of property. It doesn't matter if that homeowner then hires a PI at 200,000 dollars per hour, you've still stolen 2,000 dollars worth of property.

      I don't know about you, but I can restore someone's access to a system that I sysadmin in about 15 minutes. Add an hour or two to restore backups of their home directory and any other data that may have been deleted with the account. Add in a 4 hour murphy's law buffer, and a day of tracing your steps through the system to make sure you didn't do anything else, and the company is out less than 1,000 dollars. Assume a generous 1000 dollars for the theoretical cost of "downtime" of the employee (which should have been all of "Hey, I can't log in. Hey Frank, I can't log in... Oh, it's working again, thanks!"). You're still at 2,000 dollars. Unless they have a nasty, unadministerable system, this should be the cost of the intrusion for damage purposes.

      Again, what this person did was inexcusably petty and stupid. But the justice system should try his case fairly. His probably overworked defense lawyer is correct in pointing out that IBM is not a criminal investigation team. They are not the law. IBM is notorious for overcharging, overbilling, and frequently underperforming, and as a for-profit company should not be used as the sole source of information for what the cost of an intrusion works out to be.

      Justice should be blind, but not to the source of their numbers. The principle of fair trials for everyone outweighs the stupidity of this particular person's action.

    16. Re:IBM ineptitude by pnewhook · · Score: 2, Insightful

      Why shouldn't criminals have to pay for the consequences of their actions? If they had to pay for these things, including the costs of convicting them then maybe the justice system wouldn't be so massively underfunded.

      --
      Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
  2. Go to jail already. by mikkom · · Score: 4, Insightful

    Isn't it quite obvious that he should go to jail for this?

    1. Re:Go to jail already. by TheWanderingHermit · · Score: 4, Insightful

      I will probably be modded to troll for saying this, since I've noticed that on Slashdot there are many people who are so busy being right they aren't secure enough to listen to a disagreeing opinion.

      There are a lot of people here who seem to feel that because they can figure out how to do something, they have the right to do it. "I can, therefore I should be allowed to," would sum it up. It's a group that feels that if you lose your job, you are justified in taking revenge, legal or illegal. While losing a job is a rough experience, it's part of life. Businesses change and let people go. If you're not a big enough person to accept it and move on, then maybe you weren't responsible enough to accept the job in the first place.

      Yes, he should go to jail, but those that feel that they are, somehow because of their superior technical skills, some part of a "hacking elite" that should be able to break any laws they consider wrong (read: laws that are in their way, since, in their minds they are always right) and should be able to do so without consequence.

      It's a shame because such people really make it harder for the rest of us, both in discussions here and in life in general.

    2. Re:Go to jail already. by barc0001 · · Score: 4, Insightful

      There were thousands of factors you were unaware of when you judged him, yet you are absolutely sure of yourself.

      Er, the court of LAW also judged him to be guilty of a crime, so therefore he faces the punishment for committing a crime. From TFA: But he kept an administrator-level SecureID card with him and used it to enter the network nine times.

      NINE times. That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

      However, let's look at this in simple terms without specifics. Your account and account are tools you need to do your job if you work in IT, correct? If the story said "Fired mechanic broke into the shop and cut up $10,000 worth of his replacements' tools and equipment with an acetylene torch" you wouldn't be saying "boo" about it, even though this would probably be quicker to recover from (borrow other workers' tools in the shop until insurance replaces them a few days later) than a forensic audit on a system (shut it down and lock everyone out until you figure out how someone got in and what they did).

      Here's the take-away from this: He was fired. He broke things belonging to the company after he was fired. That is a crime. He goes to jail for doing it. End of story.

    3. Re:Go to jail already. by Ceriel+Nosforit · · Score: 2, Insightful

      That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

      Ah, see, you don't know that. That's an assumption. You assume he's guilty of everything you accuse him of because he probably is guilty of some of it. You can only punish him for what you can prove he did, and you can never prove his intention even if he announces what his intentions were. Similarly there are a lot of other things you cannot prove. Thousands of them.

      A court of law makes educated guesses. They are not sure about anything. Therefore nothing about this case is "obvious". That someone thinks it is obvious indicates a prejudice inconsiderate of the possibility of undue suffering of their fellow man.
      Had the grandparent said "He should probably be thrown in jail", then I would not have argued. However, saying that is inconsequential and would likely get modded 'Redundant'. Saying that he should obviously be thrown in jail sounds something akin to the exaggerated mode of speak some people resort to in casual conversations. Since people have an annoying tendency to go "yeah" to anything anyone in their surrounding says, there's the potential that a lot of people arbitrarily decide that 'this should be done' and form a mob. A contingency, of course, but it has happened before. Humans are not rational beings, but pack animals. By merely saying that no, it isn't obvious, I automatically provoke a retort by disagreeing. I can skip this by saying it's because "A thousand factors". Now someone either uses his wit and thinks for himself or is provoked to attack that statement. A statement which I have already enforced in my last reply in this thread.

      --
      All rites reversed 2010
    4. Re:Go to jail already. by geobeck · · Score: 2, Insightful
      Er, the court of LAW also judged him to be guilty of a crime, so therefore he faces the punishment for committing a crime. From TFA: But he kept an administrator-level SecureID card with him and used it to enter the network nine times.

      NINE times. That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

      No, that's an incompetent company not disabling a SecureID card when they dismiss an employee. I know the location and status of every SecureID card I'm responsible for. If we terminate someone, the card is inactive before he even knows he's fired.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    5. Re:Go to jail already. by Anonymous Coward · · Score: 1, Insightful

      Why should he go to jail? He didn't delete important files and then burn all of the backups which resulted in real loss. He deleted one account. Restore the account and you're done. Why are computer crimes trumped up to be worse than crimes that are committed in the flesh? If someone breaks into a store and steals a few hundred dollars of inventory, does the cost to install a new security system, gates, personnel, and time spent by the police to write up the reports get added to the reported damages? No. He gets charged with stealing a few hundred dollars of items and the cost to repair the broken window.

  3. Two lessons in there by ThatGeek · · Score: 5, Insightful

    What most people will get out of it: people shouldn't break into computer systems and delete stuff

    What I get out of it: don't outsource IT to a firm that doesn't lock out former employees

    --
    What are you eating? isItVeg?.
  4. Or here is a better idea by hsmith · · Score: 5, Insightful

    Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.

    But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

    1. Re:Or here is a better idea by ThaFooz · · Score: 4, Insightful

      Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER. But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

      So your argument is that white collar criminals aren't really criminals? I don't buy it.

    2. Re:Or here is a better idea by TheRaven64 · · Score: 4, Insightful
      I would argue that jail time does not work as a deterrent (there are studies that back this up, but I have not yet seen one that supported the contrary view). The only valid justification for a custodial sentence is that the individual's continued freedom will have a negative impact of the freedoms of others (i.e. violent offenders who are not capable of reform). Putting someone in a prison is expensive, and often has exactly the opposite effect - the convict is allowed to mix with other, often worse, criminals and learn from them.

      What, in your opinion, does society gain from imprisoning this person? Does it deter him from future crimes more than the $25k fine? I would imagine that, since he is unlikely to work in IT ever again, this fine will have a much greater effect on his future life. Does it make society safer? Would anyone have been placed in any danger (either physical or financial) by this person having been free for the three months of the sentence? Does the sentence deter others from committing the same crime? I would imagine that the prospect of never working again in their chosen field and having to spend a while with a good chunk of their disposable income going to pay a fine is a much greater deterrent for most people.

      --
      I am TheRaven on Soylent News
  5. What difference does that make? by maynard · · Score: 2, Insightful

    Millot trespassed on private property, damaged said property, and now is trying to claim the damage wasn't bad enough to warrant a hefty sentence. He's already admitted to committing the actual crime. Whatever you want to say about the competence of IBM, IMO the individual in question deserves what he gets. Or, better put, doesn't deserve another job in the industry again.

    1. Re:What difference does that make? by maynard · · Score: 3, Insightful

      Uhhh, there's a minor difference between refusing to hire a felon and summary execution for property crimes. However, for the sake of argument - whether a $5K or $20K property crime - both seem pretty serious to me. It's not like the guy was an underage kid - he's an adult with serious responsibilities in the organization. His betrayal is not just to his former employer, it is also to the industry and society at large. As an adult he should be prepared to accept responsibility for his actions. JMO...

    2. Re:What difference does that make? by E8086 · · Score: 2, Insightful

      DELETE THE ACCOUNT DELETE THE ACCOUNT DELETE THE ACCOUNT
      did I mention delete the account?

      Sorry about the excessive use of caps but the solution seems so very painfully obvious. Deleting the person's account when they leave protects both parties. The employee will not be able to do what that guy did and logging when they get home and do lots of damage, not that a sysadmin shouldn't make backups, and it prevents someone from changing the pword of the person who just left and connecting from an open access point, possibly outside/near some coffee shop with 'free wi-fi' where there are no cameras, using a randomly generated mac addr and logging in as the person who just left and doing lots of damage. Then all 'evidence' points to the person who just left, assuming the person remembers to delete all records of the pword change. Or someone puts out their no longer needed logins&pwords and SecurID card out in the trash together and is found by someone and sold to someone else who does the damage. Yes, this guy confessed, but it could just as easily been someone else.

      --
      F7 doesn't work, ignore spelling and grammar
  6. Excellent, let's see MORE of this by Blymie · · Score: 5, Insightful

    This was a crime, hands down. Period. End of story.

    If you read the article, there were multiple breakins, on multiple days, over a period of years.

    The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.

    Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.

    Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harshly as well, after all, they can not legally claim they are just "following orders".

    If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!

    We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.

    People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).

    Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?

    Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrants. I say, that democracy costs.

    To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with out countries, and make sure that extradition is a possibility. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.

    Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.

    Bleh.

  7. Probably not ineptitude, but security audit by Oniros · · Score: 2, Insightful

    Are you sure it's ineptitude? IBM didn't have to just restore the account, they probably had to do a security audit to make sure the guy didn't do anything else, didn't plant backdoors, etc. Depending how much access and how big their net is, yeah that could be $20K. BTW IBM is more in the $100/hour range for consulting.

  8. So... by NoMoreNicksLeft · · Score: 2, Insightful

    When a new hire is set up with a network account, it costs $20,000 in bumbling MSCE ineptitude to click on the gui widgets in User and Groups, and create one?

    Because the cost of the investigation can't be counted. If you steal a $1 candybar from walmart, they're not allowed to add in the costs of the police investigation/arrest to the crime itself. Or else there'd never be any petty crime.

    1. Re:So... by CthulhuDreamer · · Score: 2, Insightful

      The ability to add post-incident internal expenses to a damage claim could have implications further down the line. After this ruling, the first thing any company should do in an incident is send $5000 to a consulting firm for an investigation (or simply assign high-paid internal people to the project until you reach $5K). Every incident, no matter how minor, now falls under the Computer Fraud and Abuse Act and is a cheap way to threaten jail time. The company will likely get reimbursed afterwards, anyway.

  9. Compare to physical crime maybe? by Hawke666 · · Score: 2, Insightful

    Maybe it should be looked at as if it happened with a non-electronic break-in.

    What if he'd unlocked the front door with a copied key, broken off his colleague's key in the lock, maybe shredded a few random documents and destroyed the lock on a filing cabinet?

    I don't think this sort of punishment would be appropriate, so why is it just because it's electronic? Even if they hired $expensive_security_company to repair the lock and the filing cabinet, and then claimed that was the cost of damage...it would be considered ridiculous.

  10. It's a crime. That doesn't mean "jail time". by LKM · · Score: 4, Insightful

    I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.

    I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.

    I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.

    This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.

  11. There are 2 idiots in this story by The Famous Druid · · Score: 4, Insightful

    1. The idiot who logged on to his former employer's system and took a little childish revenge.

    2. The idiot who didn't disable the account of a security chief who's just been fired.

    Remind me never to do business with a company who are that lax with security.

    --
    Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
  12. Seems simple enough by Belseth · · Score: 2, Insightful

    You don't want to go to jail, don't do it. Deleting files isn't exactly a harmless prank and it isn't entirely the fault of the victim for not being better protected. If you really don't see the harm go in to work Monday and for a laugh format the hard drive on the server. If everyone laughs it off I guess I'm wrong but I'll bet the owners don't see the humor. The amount was inflated to avoid splitting hairs. If they claimed six grand in losses the attorney probably could have argued it down to a lesser crime. The point wasn't so much to punish him but to avoid it becoming a fad to trash accounts when you get fired. One person could do tremendous damage in a short amount of time without physically destroying anything. They were stupid to not remove his privileges but it doesn't excuse his actions.

  13. Re:Oh Please... by mixmasterjake · · Score: 2, Insightful

    That works if the employee is resigning of his/her own choice.

    If they've been fired, why the hell would you want them training anyone anyway?

    --
    TODO: come up with a clever sig
  14. How many people did IBM send? by netglen · · Score: 2, Insightful

    How many consultants did IBM send to the project? I could imagine them sending 5-6 people if it was an emergency rush job.

  15. Re:IBM was grossly incompetent by Todd Knarr · · Score: 2, Insightful

    Given the certifications you put after your name, you should know the first rule of a security investigation: never ever assume you know what happened at the outset. One of the first things IBM would've had to do is check everything to make sure what the logs were showing them was reliable and not something the cracker had planted to divert an investigation away from his real activities.

  16. undo? by mmThe1 · · Score: 3, Insightful


    "The court disagreed, saying that IBM had done over $20K in work to undo his handiwork."

    TFA says something different. "IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350." - which is not the same as 'undoing' whatever he did.

    I would also like to see another person sharing the guilt in this case -- the security/system administrators responsible for ensuring that every employee who leaves has his account access (via SecurID, or any other method) removed. For employees who get fired, this should be done *before* they're informed about the decision.
    If they don't do their job properly, they're effectively handing out daggers to ex-employees to come and stab the company anytime.

  17. But why didn't they quote Sony... by freedom_india · · Score: 2, Insightful

    If hacking and opening up systems to hacking is a crime and punishable by Jail, why didn't they prosecute Sony and throw the Music Overlords into Jail for hacking into thousands of XP systems and making them vulnerable with their RootKit?

    How come they got left off for committing a more heinous crime than this poor idiot who did something under "emotional stress"?

    How come Sony gets to pay $7.50 for such a crime for which we pay $220/- to GeekSquad to get it repaired?

    My first question:
    1. Why didn't those stupid lawyers for this poor guy quote Sony as a precedent and make the Judge "let go" of this guy with just a $7.50 fine?

    2. If that was not possible, why didn't they argue his error made only ONE company vulnerable while Sony actions have made hundreds of computers in possibly at least 50 companies MORE vulnerable? That would have made the Judge sit up and either throw out Sony settlement / at least question it, and MOST important of all, made the Judge let off this poor guy.

    3. If both are not possible, and Now that THIS guy's case becomes a precedent, make the same Judge apply the same rules to Sony and make those executives suffer Jail time?

    Sheesh !
    What fuckin' justice system we have !

    Corporates and corporate idiots who cause millions of dollars in damage to personal property by producing rootkits and like are let off OJ Simpson style, but the poor idiot who does the SAME thing in MUCH SMALLER proportion and in anger gets a jail time.

    This guy should go and apply work at Sony Music or BMG.

    --
    "Doing what i can, with what i have." ~ Burt Gummer