Get Fired. Delete Colleague's Account. Go To Jail.
SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...
Nobody seems to have disputed the reasonableness of what IBM charged. The defense attorneys instead tried to make the argument that IBM "volunteered" to do the investigation since they were not the employer. The fact remains that IBM charged the company $20,350 for the investigation of the matter, which apparently the company paid. The company was out that money, he caused it out of spite and did it illegally. I have no sympathy for the guy. I'd say he got what he deserved.
Today's Sesame Street was brought to you by the number e.
If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.
The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.
So when a company breaks in my system (eMule, BitTorrent) I just can claim my $15/hour costs. But if it's IBM they can claim $20K.
That's not justice, that's abuse of economic status.
What happens if anyone sends an eMail to Bill Gates and he claims 10 seconds damages for reading it?
A couple of days after he left it was observed that the front door was continually unlocking itself
Good thing he wasn't malicious, perhaps.
Many people go to jail for just accessing systems without permission. This guy actually purposely caused harm... so I really don't see a reason for anyone to complain. Another point that nobody seems to make is that the time the administrators used to fix this was probably not the only time spent. Many managers probably had to spend time working on this, reporting etc.
What the guy did was wrong no doubt in that. I'm sure the auditors will have a field day with this one.
Let an employee go and let him keep his SecurID and his access - smooth move.
Funny you should ask. I have had several recent jobs cleaning up after IBM consultants. I finally had the chance to find out what is going on. It goes like this: IBM keep their top talent hard at work on the big multi-million dollar contracts. For the rest, it is anyone they can get off the street.
I learned of this when I recently had a job interview with IBM. They had already signed a $2 million contract with a government agency to build a computational data center, but had no available staff to allocate to the contract. The interviewer was completely candid with me when I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure. They simply hire contractors as needed. I turned the job down.
Ready for the punchline? They hired a guy that I have worked with in the past. This guy has no prior experience working with the technology he will be deploying. He is a decent guy, but he will be figuring things out on the fly. He is the best they could do. He is being sent in as an expert consultant by IBM. Think he will bill more hours than someone with actual experience?
I recently asked a former customer of mine, who works IT for a large university, why people would hire IBM over a smaller company with more expertise. He said that as far as his boss is concerned, if you hire IBM and they screw something up, you are covered because you went with IBM. This same customer then went on to tell me how IBM completely botched a $1 million installation job at his university last year. They are in court over it.
If this guy had a good lawyer they should have audited all the work done by IBM and the qualifications of the people doing the work.
Ask Slashdot: Where bad ideas meet poor googling skills.
I once worked at a company where a billing clerk embezzled about 5K USD. She noticed that some clients repeatedly double-paid bills because of the confusing layout of the bill. The previous billing system had a fix for this, but was recently replaced with one that had the same problem.
So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.
When eventually caught she was fired but not prosecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no prosecution. I think if they prosecuted the first one, it may have prevented the second.
If the only risk is getting fired, then the incentive to embezzle is pretty high.
Table-ized A.I.
Yes, you do have to spell things out for some people. Please spell out for me what the difference is between 0 and 2?
We send white collar criminals to jail because while jail probably isn't much of a deterrent for your average bank robber, rapist or murderer (but might be what *those* type of criminals deserve), serving jail time can be VERY frightening for white collar criminals.
So, if we send a few of them to jail, they'll either have to try harder not to get caught, or not do it. Unlike murder, most white collar crimes are not the type that you commit without any regard to the possible punishment. (In other words, most murderers probably readily accept their possible punishment of life in prison or death and go through with their actions knowing if they're caught it's over. If white collar criminals were not threatened with jail time, then there is very little of a deterrent, since most of them probably can afford to pay any fine we might charge, and if not, losing all your money and everything you own isn't as bad as going to jail if you're smart enough to get another good paying job later.)
What?
Child's play. If you're going to be spiteful do it legally.
When the last dot com I worked for offshored a ton of jobs and fired about 150 to 175 coworkers the day before Thanksgiving (fuckers! at LEAST wait until after the holidays) I decided to leave soon after. But while I stayed I wrote a script which would have done the following:
I tested it and it propagated correctly and worked, but I thought better of it (it's illegal) so I deleted that script. I showed a couple people who got fired the script and they liked it, and wished I could have actually run it.
What I did instead was I encrypted the filesystem of the workstations I used and since they were not a member of the domain after I left they could not get into them, and before some of the engineers whose jobs were getting outsourced I mentioned encryption to them. That was the extent of my getting vengeance for fucking over so many people right before the holiday. It was the only thing I could do that was within legality, but I'm not sure the ones I suggested this to were within legality. Due to the nature of my job the workstations I used were not on the domain for security reasons, so I had legitimate reasons to encrypt the filesystems.
You know, after I left (it was about two or three months later) the company had the gall to call me and ask me for some prototypes I had written on my own time and proposed for production, which they turned down because they were "different" (some of their software was still 16-bit, and I was so sick of the limitations and GUI I wrote new versions from clean code at home). Before I left, I deleted my own works from the hard drives and overwrote them several times and then defragmented the hard drives, and did the same on my home machines, keeping only interesting components I invented (no, I didn't patent them and don't ever plan to patent software. ANYTHING you can invent in software is obvious use of a computer language. software is already protected under copyright). Later on, the folks in marketing who rejected the rewrite (the project was DONE and fully unit tested and about 75% integration tested when I showed it to them) thought better of it because they were losing sales due to the antiquated GUI and word spreading of bugs in the 16-bit component. Thankfully I had signed nothing upon my hire which covered my own works done on my own equipment on my own time (there was no Tandy-like clause giving them ownership of anything like web sites, software, inventions, creative works, etc. - this company wasn't quite that evil at the time I was hired. Later hires had agreements with those types of clauses) so I told them I didn't have the projects any more, only certain components I invented at home, and only retained parts I deemed interesting.
I told them I could reimplement it again from scratch, and since I remembered most of the code I could implement it in under 2-3 months, but I would do so only if they paid me $3,500 up front for the initial site visit and then a ridiculous hourly rate, and if the project is cancelled or if my contract is terminated for any reason whatsoever, whether I'm laid off, the company closes, or I decide to leave again of my own volition, I would be owed the full amount for the estimated project implementation, figured at 60 hours per week. Of course they balked at that.
As I understand it from friends who still put up with their shit, they still have the same 16-bit components, only two software developers are on staff, they have made NO new features, they have cancelled an alternate version of the product they were developing, and they still retain customers for only 18 months when they discover that the product (which sells for $250K to $7.5million depend
Now, there are some people in this discussion crying out for tougher policing on the internet, saying this is just like any other crime.
While I agree that it is a crime, I would like to point out that eliminating internet crime is incredibly dangerous. Constant attacks are what motivate us to create better, more open systems. On the other hand, an artificial safety vacuum leads to ignorant homogeneity and cataclysmic vulnerabilities.
Maybe some of you guys have forgotten what the security scene was like in the mid-'90s, but I haven't. The only reason we're where we are today (with Apache leading the market) is because of white hats, gray hats, and, yes, black hats.
The technically illiterate people out there look at a story like this and wet their pants. Although I do see the criminal element of it in the individual case, as part of a larger trend, I see this as reassurance (to think in terms of evolution, for a moment) that the environment is imposing security and technical skill as selection criteria.
Although I agree this case is a pretty clear-cut example of criminal revenge, I'd rather see the computer crime laws loosened in general. They always say (rightly) that it's not the criminals that you hear about on the evening news that you ought to worry about...it's the ones you never hear about at all. I fear that any kind of regulation or policing on the internet is just going to make the flock all the fatter.
2. make damn sure he didn't do anything more serious and insidious?
Um, they should have done that anyways. If you outsource someone's job and don't change everything to make sure they don't get back in, you're a fucking moron. End of Story. Charging him for what they should have done is bullshit.
That's what they *cost* IBM, not what IBM would bill them out to a client at.
Why oh why can't you RTFA before spouting off with your ignorance? It clearly states:
"IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350."
I have no sympathy for the guy either but IBM is a bigger crook. Where's the justice on IBM for having the balls to quote a price of 2 grand (no I'm not exaggerating) to change out of freaking Myrinet cable?! And while they are out the money in the grand scheme of things I somehow doubt IBM misses a mere few grand in their multi-billion dollar operation.
The guy deliberately kept passwords and access devices for a system he'd been responsible for, and deliberately trashed parts of the system and deleted accounts for other administrators, and he deserves what happens to him. This isn't like Mitnick giving away information, or even crackers using the victim's machine as a launching pad for zombies - it's pure premeditated vandalism. The concept of a "protected computer" in Federal laws may be dodgy, but he did a lot more real and potential damage than stealing a company car, a crime for which nobody would be bothered by him getting a few months in jail.
If anybody's ripping anybody off here, it's his lawyers taking this to a Federal Appeals Court when the guy's obviously getting off light, and you know his lawyers are charging him a lot more than $50/hour and billing a lot more hours if they're getting to that level of the courts. They should have told him to do a plea-bargain and helped him get one that avoids jail time, but maybe the initial judge wouldn't go for it and he thought it was worth the money to try to get bounced to a state court.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks