Get Fired. Delete Colleague's Account. Go To Jail.
SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...
So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
20k for undeleting account?
Pheww...
Now I understand why IBM is four times bigger than Microsoft....
[My English is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
Isn't it quite obvious that he should go to jail for this?
My quality social news site.com.
What most people will get out of it: people shouldn't break into computer systems and delete stuff
What I get out of it: don't outsource IT to a firm that doesn't lock out former employees
What are you eating? isItVeg?.
If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.
The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.
Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.
But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.
Millot trespassed on private property, damaged said property, and now is trying to claim the damage wasn't bad enough to warrant a hefty sentence. He's already admitted to committing the actual crime. Whatever you want to say about the competence of IBM, IMO the individual in question deserves what he gets. Or, better put, doesn't deserve another job in the industry again.
The summary should read: Mr. Millot's attorneys argued that his actions did not amount to $5K in damage...
It's those itsy-bitsy words that make all the difference.
Kai MacTane: Web developer for hire in San Francisco
So when a company breaks into my system (eMule, BitTorrent) I can just claim my $15/hour costs. But if it's IBM they can claim $20K.
That's not justice, that's abuse of economic status.
What happens if anyone sends an e-mail to Bill Gates and he claims 10 seconds of damages for reading it?
A couple of days after he left it was observed that the front door was continually unlocking itself
Good thing he wasn't malicious, perhaps.
This was a crime, hands down. Period. End of story.
If you read the article, there were multiple breakins, on multiple days, over a period of years.
The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.
Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.
Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harshly as well, after all, they can not legally claim they are just "following orders".
If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!
We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.
People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).
Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?
Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrants. I say, that democracy costs.
To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with other countries, and make sure that extradition is a possibility. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.
Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.
Bleh.
Many people go to jail for just accessing systems without permission. This guy actually purposely caused harm... so I really don't see a reason for anyone to complain. Another point that nobody seems to make is that the time the administrators used to fix this was probably not the only time spent. Many managers probably had to spend time working on this, reporting etc.
Are you sure it's ineptitude? IBM didn't have to just restore the account, they probably had to do a security audit to make sure the guy didn't do anything else, didn't plant backdoors, etc. Depending how much access and how big their net is, yeah that could be $20K. BTW IBM is more in the $100/hour range for consulting.
When a new hire is set up with a network account, it costs $20,000 in bumbling MCSE ineptitude to click on the gui widgets in Users and Groups, and create one?
Because the cost of the investigation can't be counted. If you steal a $1 candybar from walmart, they're not allowed to add in the costs of the police investigation/arrest to the crime itself. Or else there'd never be any petty crime.
What the guy did was wrong no doubt in that. I'm sure the auditors will have a field day with this one.
Let an employee go and let him keep his SecurID and his access - smooth move.
Seems you forgot to add "project management" charges to the bill. I guess there were at least three project managers on this one and all the related staff to edit meeting minutes, etc.
Achille Talon
Hop!
Maybe it should be looked at as if it happened with a non-electronic breakin.
What if he'd unlocked the front door with a copied key, broken off his colleague's key in the lock, maybe shredded a few random documents and destroyed the lock on a filing cabinet?
I don't think this sort of punishment would be appropriate, so why is it just because it's electronic? Even if they hired $expensive_security_company to repair the lock and the filing cabinet, and then claimed that was the cost of damage...it would be considered ridiculous.
Of course the cron job on the server that ran 10 days later and found that you hadn't touched a certain file in a week deleted your managers account. It wasn't you.
I once worked at a company where a billing clerk embezzled about 5K USD. She noticed that some clients repeatedly double-paid bills because of the confusing layout of the bill. The previous billing system had a fix for this, but was recently replaced with one that had the same problem.
So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.
When eventually caught she was fired but not prosecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no prosecution. I think if they prosecuted the first one, it may have prevented the second.
If the only risk is getting fired, then the incentive to embezzle is pretty high.
Table-ized A.I.
I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.
I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.
I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.
This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.
1. The idiot who logged on to his former employers system and took a little childish revenge.
2. The idiot who didn't disable the account of a security chief who's just been fired.
Remind me never to do business with a company who are that lax with security.
Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
You don't want to go to jail? Don't do it. Deleting files isn't exactly a harmless prank and it isn't entirely the fault of the victim for not being better protected. If you really don't see the harm, go in to work Monday and for a laugh format the hard drive on the server. If everyone laughs it off I guess I'm wrong, but I'll bet the owners don't see the humor. The amount was inflated to avoid splitting hairs. If they claimed six grand in losses the attorney probably could have argued it down to a lesser crime. The point wasn't so much to punish him but to avoid it becoming a fad to trash accounts when you get fired. One person could do tremendous damage in a short amount of time without physically destroying anything. They were stupid to not remove his privileges but it doesn't excuse his actions.
How many consultants did IBM send to the project? I could imagine them sending 5-6 people if it was an emergency rush job.
Now, there are some people in this discussion crying out for tougher policing on the internet, saying this is just like any other crime.
While I agree that it is a crime, I would like to point out that eliminating internet crime is incredibly dangerous. Constant attacks are what motivate us to create better, more open systems. On the other hand, an artificial safety vacuum leads to ignorant homogeneity and cataclysmic vulnerabilities.
Maybe some of you guys have forgotten what the security scene was like in the mid '90's, but I haven't. The only reason we're where we are today (with apache leading the market) is because of white hats, gray hats, and, yes, black hats.
The technically illiterate people out there look at a story like this and wet their pants. Although I do see the criminal element of it in the individual case, as part of a larger trend, I see this as reassurance (to think in terms of evolution, for a moment) that the environment is imposing security and technical skill as selection criteria.
Although I agree this case is a pretty clear-cut example of criminal revenge, I'd rather see the computer crime laws loosened in general. They always say (rightly) that it's not the criminals that you hear about on the evening news that you ought to worry about...it's the ones you never hear about at all. I fear that any kind of regulation or policing on the internet is just going to make the flock all the fatter.
Unless I'm missing something, I cannot understand how IBM needed 20K worth of incident response services to figure out what happened. SecurID systems can log all activity. A simple check of the logs would have indicated who disabled the access and when.
I would have told IBM to put that invoice where the sun don't shine if they tried to bill me for investigating such a simplistic "compromise" of a system *they* were supposed to be managing.
-SHP (CISSP, CISA)
The guy deliberately kept passwords and access devices for a system he'd been responsible for, and deliberately trashed parts of the system and deleted accounts for other administrators, and he deserves what happens to him. This isn't like Mitnick giving away information, or even crackers using the victim's machine as a launching pad for zombies - it's pure premeditated vandalism. The concept of a "protected computer" in Federal laws may be dodgy, but he did a lot more real and potential damage than stealing a company car, a crime for which nobody would be bothered by him getting a few months in jail.
If anybody's ripping anybody off here, it's his lawyers taking this to a Federal Appeals Court when the guy's obviously getting off light, and you know his lawyers are charging him a lot more than $50/hour and billing a lot more hours if they're getting to that level of the courts. They should have told him to do a plea-bargain and helped him get one that avoids jail time, but maybe the initial judge wouldn't go for it and he thought it was worth the money to try to get bounced to a state court.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"The court disagreed, saying that IBM had done over $20K in work to undo his handiwork."
TFA says something different. "IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350." - which is not the same as 'undoing' whatever he did.
I would also like to see another person sharing the guilt in this case -- the security/system administrators responsible for ensuring that every employee who leaves has his account access (via SecurID, or any other method) removed. For employees who get fired, this should be done *before* they're informed about the decision.
If they don't do their job properly, they're effectively handing out daggers to ex-employees to come and stab the company anytime.
I heartily dislike this verdict, mainly for the fact that damage is exaggerated where there is not much.
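Several posts in this thread (the one above, the "disable access IMMEDIATELY PRIOR to informing them" post, and the CISSP's point that SecurID logs show who did what and when) boil down to two checks a defender can actually script: was access disabled no later than the moment the person was told, and did any departed account authenticate or act after that moment. The following Python is an added example written for this editing pass; it is not code from Slashdot, IBM, Aventis or anyone quoted here. The roster, usernames, hosts, IP addresses and log lines are all constructed, and the `timestamp key=value ...` log format is a hypothetical one chosen so the example runs offline.

```python
"""Offboarding-order check and post-termination access detection.

Added example, not from the original thread. All users, hosts, addresses,
timestamps and log lines below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Departure:
    user: str
    notified_at: datetime          # when the person was told they were leaving
    disabled_at: datetime | None   # when their access was actually disabled (None = never)


# Constructed offboarding roster: one user done right, one done late, one never done.
ROSTER = [
    Departure("jdoe", datetime(2006, 1, 9, 17, 0), datetime(2006, 1, 9, 16, 45)),
    Departure("rsmith", datetime(2006, 1, 9, 17, 0), datetime(2006, 1, 10, 9, 30)),
    Departure("tmiller", datetime(2006, 1, 9, 17, 0), None),
]

# Constructed authentication/audit log in a hypothetical "timestamp key=value ..." format.
AUTH_LOG = """\
2006-01-09T15:02:11 host=vpn01 user=jdoe action=login result=success src=10.0.0.5
2006-01-09T20:14:37 host=vpn01 user=rsmith action=login result=success src=198.51.100.7
2006-01-10T02:40:09 host=ldap01 user=tmiller action=login result=success src=198.51.100.7
2006-01-10T02:41:52 host=ldap01 user=tmiller action=delete_account target=bwhite result=success
2006-01-10T08:00:00 host=vpn01 user=bwhite action=login result=failure src=10.0.0.9
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one 'timestamp key=value ...' line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens without '='
            event[key] = value
    return event


def offboarding_gaps(roster: list[Departure]) -> list[str]:
    """Users whose access was disabled after they were notified, or never disabled."""
    return [d.user for d in roster if d.disabled_at is None or d.disabled_at > d.notified_at]


def post_termination_events(log_text: str, roster: list[Departure]) -> list[dict[str, str]]:
    """Log events attributed to a departed user after that user's notification time.

    Accounts not on the roster are ignored; events before notification are normal use.
    """
    cutoff = {d.user: d.notified_at for d in roster}
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("user") not in cutoff:
            continue
        if datetime.fromisoformat(ev["ts"]) > cutoff[ev["user"]]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("Offboarding gaps (disable came late or never):", offboarding_gaps(ROSTER))
    for ev in post_termination_events(AUTH_LOG, ROSTER):
        print("Post-termination activity:", ev)
```

On the constructed data the gap check flags `rsmith` and `tmiller`, and the log scan returns the three events after 17:00 on the 9th, including the account deletion by `tmiller`. In a real environment the roster would come from HR or the identity system and the log from the authentication server, and the second check is the one worth scheduling, since it catches both a missed offboarding step and a credential that was retained despite one.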
Lessons learned ? How about those:
- when they piss you off, don't just play a little, make sure you don't get caught at all. Do whatever that takes.
- don't just fool around with someones account, kill the company outright. If they fight for their life or are dead, there is less incentive to play games with you. You have the inside knowledge, so there is plenty of shit you can do. Be hard, swift and merciless.
I'm not really sure that's what we want to teach, though.
Has anyone seen the movie "Firewall" and see a vague resemblance? http://www.imdb.com/title/tt0408345/
So a security specialist has to rob his bank, to pay back a ransom.
So a sysadmin decides to do some damage to his old company, to take revenge on the IT department.
Sounds like Hollywood material to me!
If hacking and opening up systems to hacking is a crime and punishable by jail, why didn't they prosecute Sony and throw the Music Overlords into jail for hacking into thousands of XP systems and making them vulnerable with their RootKit?
How come they got left off for committing a more heinous crime than this poor idiot who did something under "emotional stress"?
How come Sony gets to pay $7.50 for such a crime for which we pay $220/- to GeekSquad to get it repaired?
My first question:
1. Why didn't those stupid lawyers for this poor guy quote Sony as a precedent and make the Judge "let go" of this guy with just a $7.50 fine?
2. If that was not possible, why didn't they argue his error made only ONE company vulnerable while Sony's actions have made hundreds of computers in possibly at least 50 companies MORE vulnerable? That would have made the Judge sit up and either throw out the Sony settlement / at least question it, and MOST important of all, made the Judge let off this poor guy.
3. If both are not possible, and now that THIS guy's case becomes a precedent, make the same Judge apply the same rules to Sony and make those executives suffer jail time?
Sheesh !
What fuckin' justice system we have !
Corporates and corporate idiots who cause millions of dollars in damage to personal property by producing rootkits and like are let off OJ Simpson style, but the poor idiot who does the SAME thing in MUCH SMALLER proportion and in anger gets a jail time.
This guy should go and apply work at Sony Music or BMG.
"Doing what i can, with what i have." ~ Burt Gummer