Get Fired. Delete Colleague's Account. Go To Jail.

SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...

Re:IBM ineptitude

[Zordak]

Nobody seems to have disputed the reasonableness of what IBM charged. The defense attorneys instead tried to make the argument that IBM "volunteered" to do the investigation since they were not the employer. The fact remains that IBM charged the company $20,350 for the investigation of the matter, which apparently the company paid. The company was out that money, he caused it out of spite and did it illegally. I have no sympathy for the guy. I'd say he got what he deserved.

Oh Please...

[GodLived]

If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.

The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.

Re:Oh Please...

[techno-vampire]

The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.

Although I've never liked losing a job, I'd rather have that done than be allowed to wander out on my own. This way I have a witness that can testify that any damage done after I was terminated isn't my fault.

Last time I was let go, I told my manager that I was logged in and asked him to come over to my desk and log me out because I didn't even want to touch that computer again. He told me that he trusted me not to do anything foolish, but I still had him watch me log out, just to be safe.

WTF

So when a company breaks in my system (eMule, BitTorrent) I just can claim my $15/hour costs. But if it's IBM they can claim $20K.
That's not justice, thats abuse of economic status.

What happens if anyone sends an eMail to Bill Gates and he claims 10 seconds dagames for reading it?

RFID devices

[Tim+Ward]

A member of my staff once resigned and left.

A couple of days after he left it was observed that the front door was continually unlocking itself ... a quick log on to the access control system showed that the RFID tag doing the unlocking was the one belonging to the departed employee ...

... and in due course the tag was discovered in an envelope in HR's pigeon-hole; the guy, on discovering that nobody had asked him for his tag, had simply mailed it back, and as this was a proper hands free system with a range over a metre its position in the pigeon-hole was enough to unlock the door ...

... because of course as well as nobody remembering to ask him for the tag back nobody had remembered to disable it on the system either.

Good thing he wasn't malicious, perhaps.

This is a fair decision IMO.

[efagerho]

Many people go to jail for just accessing systems without permission. This guy actually purposely caused harm... so I really don't see a reason for anyone to complain. Another point that nobody seems to make is that the time the administrators used to fix this was probably not the only time spent. Many managers probably had to spend time working on this, reporting etc.

Aventis account policies

[portwojc]

What the guy did was wrong no doubt in that. I'm sure the auditors will have a field day with this one.

Let an employee go and let him keep his SecurID and his access - smooth move.

Re:IBM ineptitude

[Rantastic]

what sort of incompetent morons are they employing?

Funny you should ask. I have had several recent jobs cleaning up after IBM consultants. I finally had the chance to find out what is going on. It goes like this: IBM keep their top talent hard at work on the big multli-million dollar contracts. For the rest, it is anyone they can get off the street.

I learned of this when I recently had a job interview with IBM. They had already signed a $2 million contract with a government agency to build a computational data center, but had no available staff to allocate to the contract. The interviewer was completely candid with me when I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure. They simply hire contractors as needed. I turned the job down.

Ready for the punchline? They hired a guy that I have worked with in the past. This guy has no prior experience working with the technology he will be deploying. He is a decent guy, but he will be figuring things out on the fly. He is the best they could do. He is being sent in as an expert consultant by IBM. Think he will bill more hours than someone with actual experience?

I recently asked a former customer of mine, who works IT for a large university, why people would hire IBM over a smaller company with more expertise. He said that as far as his boss is concerned, if you hire IBM and they screw something up, you are covered because you went with IBM. This same customer then went on to tell me how IBM completely botched a $1 million installation job at his university last year. They are in court over it.

If this guy had a good lawyer they should have audited all the work done by IBM and the qualifications of the people doing the work.

PR problems

[Tablizer]

I once worked at a company where a billing clerk embezzled about 5K USD. She noticed that some clients repeatedly double-paid bills because of the confusing layout of the bill. The previous billing system had a fix for this, but was recently replaced with one that had the same problem.

So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.

When eventually caught she was fired but not procesecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no procesuction. I think if they prosecuted the first one, it may have prevented the second.

If the only risk is getting fired, then the incentive to embezzle is pretty high.

Re:Or here is a better idea

[Peyna]

We send white collar criminals to jail because while jail probably isn't much of a deterrent for your average bank robber, rapist or murderer (but might be what *those* type of criminals deserve), serving jail time can be VERY frightening for white collar criminals.

So, if we send a few of them to jail, they'll either have to try harder not to get caught, or not do it. Unlike murder, most white collar crimes are not the type that you commit without any regard to the possible punishment. (In other words, most murderers probably readily accept their possible punishment of life in prison or death and go through with their actions knowing if they're caught it's over. If white collar criminals were not threatened with jail time, then there is very little of a deterrent, since most of them probably can afford to pay any fine we might charge, and if not, losing all your money and everything you own isn't as bad as going to jail if you're smart enough to get another good paying job later.)

one thing to remember

[Aurisor]

Now, there are some people in this discussion crying out for tougher policing on the internet, saying this is just like any other crime.

While I agree that it is a crime, I would like to point out that eliminating internet crime is incredibly dangerous. Constant attacks are what motivate us to create better, more open systems. On the other hand, an artificial safety vacuum leads to ignorant homogeneity and cataclysmic vulnerabilities.

Maybe some of you guys have forgotten what the security scene was like in the mid '90's, but I haven't. The only reason we're where we are today (with apache leading the market) is because of white hats, gray hats, and, yes, black hats.

The technically illiterate people out there look at a story like this and wet their pants. Although I do see the criminial element of it in the individual case, as part of a larger trend, I see this as reassurement (to think in terms of evolution, for a moment) that the environment is imposing security and technical skill as selection criteria.

Although I agree this case is a pretty clear-cut example of criminal revenge, I'd rather see the computer crime laws loosened in general. They always say (rightly) that it's not the criminals that you hear about on the evening news that you ought to worry about...it's the ones you never hear about at all. I fear that any kind of regulation or policing on the internet is just going to make the flock all the fatter.

Re:IBM ineptitude

[megarich]

The fact remains that IBM charged the company $20,350 for the investigation of the matter, which apparently the company paid. The company was out that money, he caused it out of spite and did it illegally. I have no sympathy for the guy. I'd say he got what he deserved.

I have no sympathy for the guy either but IBM is a bigger crook. Where's the justice on IBM for having the balls to quote a price of 2 grand(no I'm not exaggerating) to change out of freaking myrinet cable?! And while they are out the money in the grand scheme of things I somehow doubt IBM misses a mere few grand in their multi-billion dollar operation.

This is simply billed hours, and he deserved it

[billstewart]

If you RTFA, his former employer hired IBM to administer computers for them, and dumped some of their direct employees including him. IBM is apparently billing $50/hour for labor, and recorded 407 hours of labor that was charged to this project and billed to Adventis, and that's the kind of project work that's part of the standard billing arrangement for this sort of computer outsourcing. IBM certainly won't report this as a loss - it was billable work charged to their customer, though for Adventis this is a loss that might show up on a balance sheet if it's only rounded to the nearest thousand and not the nearest million. He's also getting off way light on the costs - IBM was apparently charging this as a typical US outsourcing "Grunts by the hour" price of $50, not a $2000/day "mid-level consultant" rate or a $5-10K/day "security wizard" rate - while much of the work was crunching through log files, doing a thorough cleanup job means looking for deep penetration of backups and access systems. He could have easily been hit for a couple hundred thousand.

The guy deliberately kept passwords and access devices for a system he'd been responsible for, and deliberately trashed parts of the system and deleted accounts for other administrators, and he deserves what happens to him. This isn't like Mitnick giving away information, or even crackers using the victim's machine as a launching pad for zombies - it's pure premeditated vandalism. The concept of a "protected computer" in Federal laws may be dodgy, but he did a lot more real and potential damage than stealing a company car, a crime for which nobody would be bothered by him getting a few months in jail.

If anybody's ripping anybody off here, it's his lawyers taking this to a Federal Appeals Court when the guy's obviously getting off light, and you know his lawyers are charging him a lot more than $50/hour and billing a lot more hours if they're getting to that level of the courts. They should have told him to do a plea-bargain and helped him get one that avoids jail time, but maybe the initial judge wouldn't go for it and he thought it was worth the money to try to get bounced to a state court.