Get Fired. Delete Colleague's Account. Go To Jail.

SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...

IBM ineptitude

[Tet]

So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.

Re:IBM ineptitude

[Leto2]

I'd like to know where Aventis found IBM consultants that only charge $50/hr...

Re:IBM ineptitude

[TechieHermit]

Besides, he only got three months in jail, plus restitution. That's relatively lenient for this kind of crime, isn't it? Most prosecutors try to lock hackers up for the maximum term.

The real effect of his record will be that it effectively bars him from working in I.T. Which might not be an entirely bad thing -- the guy DOES seem to have a pretty flexible moral compass, doesn't he?

My question is, why is this in "your rights online"?

Re:IBM ineptitude

[qwyeth]

IANA security professional, but here goes:

No system is 100% secure. Even if you do assume their security is state-of-the-art, there's still a margin of vulnerability. In this case, a security professional who was responsible for those systems abused his knowledge and former access to gain entry. Once he's in, there's no telling how many hacks, exploits, and sneaky tricks (not to mention previously-installed backdoors) he knows and can use to his advantage.

No matter what their level of security and how much money they spent hardening everything in the past, they simply cannot be positive he hasn't found a way to sneak around their logs, sniffers, and monitors and install a rootkit. 50 man-days to recover doesn't sound so bad when you consider that one successful intrusion (however difficult it was to achieve) can result in an invisible-yet-gaping orifice that leaves all that hard-earned security worthless to future penetration.

I agree that what Mr. Millot did is pretty stupid and stinks of 'amateur,' but IBM is operating in paranoia mode (and rightly so!). What if this guy is a pansy who knows just enough to get himself caught, but he was hired by a shady individual to plant a stealthy something and deleted the account as an afterthought? How does IBM know that their system isn't still compromised by something like that? Because they spent 50 man-days wiping and re-imaging systems or poring over md5 signatures or whatever it is they do in a situation like this.

Actually, they still can't be 100% positive, but at least they were (to paraphrase the parent) duly diligent.

Two lessons in there

[ThatGeek]

What most people will get out of it: people shouldn't break into computer systems and delete stuff

What I get out of it: don't outsource IT to a firm that doesn't lock out former employees

Or here is a better idea

[hsmith]

Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.

But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

Excellent, let's see MORE of this

[Blymie]

This was a crime, hands down. Period. End of story.

If you read the article, there were multiple breakins, on multiple days, over a period of years.

The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.

Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.

Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harsely as well, after all, they can not legally claim they are just "following orders".

If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!

We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.

People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).

Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?

Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrents. I say, that democracy costs.

To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with out countries, and make sure that extradition is a possiblilty. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.

Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.

Bleh.