Slashdot Mirror


Get Fired. Delete Colleague's Account. Go To Jail.

SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...


  1. IBM ineptitude by Tet · · Score: 5, Insightful

    So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:IBM ineptitude by Zordak · · Score: 4, Interesting

      Nobody seems to have disputed the reasonableness of what IBM charged. The defense attorneys instead tried to make the argument that IBM "volunteered" to do the investigation since they were not the employer. The fact remains that IBM charged the company $20,350 for the investigation of the matter, which apparently the company paid. The company was out that money, he caused it out of spite and did it illegally. I have no sympathy for the guy. I'd say he got what he deserved.

      --

      Today's Sesame Street was brought to you by the number e.
    2. Re:IBM ineptitude by Raindance · · Score: 4, Insightful

      50 man days to
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.

    3. Re:IBM ineptitude by Kymermosst · · Score: 4, Insightful

      50 man days to
      -2. Find out who was responsible.
      -1. Find exactly when and what happened.
      0. Find out exactly how much damage was done.
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.


      So would I, after my minor additions. (Yeah, they were implied, but you have to spell this kind of thing out for some people.)

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    4. Re:IBM ineptitude by Leto2 · · Score: 5, Insightful

      I'd like to know where Aventis found IBM consultants that only charge $50/hr...

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    5. Re:IBM ineptitude by TechieHermit · · Score: 5, Insightful

      Besides, he only got three months in jail, plus restitution. That's relatively lenient for this kind of crime, isn't it? Most prosecutors try to lock hackers up for the maximum term.

      The real effect of his record will be that it effectively bars him from working in I.T. Which might not be an entirely bad thing -- the guy DOES seem to have a pretty flexible moral compass, doesn't he?

      My question is, why is this in "your rights online"?

    6. Re:IBM ineptitude by ThaFooz · · Score: 4, Funny

      Wait... so Aventis Pharmaceuticals outsources its IT security to IBM, who in turn charges Aventis $20,350 to reach the conclusion that their recent security breach was caused by a flaw in IBM's security policy: not removing clearance from disgruntled ex-employees who are disgruntled solely because they are being replaced by IBM? That's FUNNY.

    7. Re:IBM ineptitude by Rantastic · · Score: 5, Interesting
      what sort of incompetent morons are they employing?

      Funny you should ask. I have had several recent jobs cleaning up after IBM consultants. I finally had the chance to find out what is going on. It goes like this: IBM keep their top talent hard at work on the big multi-million dollar contracts. For the rest, it is anyone they can get off the street.

      I learned of this when I recently had a job interview with IBM. They had already signed a $2 million contract with a government agency to build a computational data center, but had no available staff to allocate to the contract. The interviewer was completely candid with me when I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure. They simply hire contractors as needed. I turned the job down.

      Ready for the punchline? They hired a guy that I have worked with in the past. This guy has no prior experience working with the technology he will be deploying. He is a decent guy, but he will be figuring things out on the fly. He is the best they could do. He is being sent in as an expert consultant by IBM. Think he will bill more hours than someone with actual experience?

      I recently asked a former customer of mine, who works IT for a large university, why people would hire IBM over a smaller company with more expertise. He said that as far as his boss is concerned, if you hire IBM and they screw something up, you are covered because you went with IBM. This same customer then went on to tell me how IBM completely botched a $1 million installation job at his university last year. They are in court over it.

      If this guy had a good lawyer they should have audited all the work done by IBM and the qualifications of the people doing the work.

      --
      Ask Slashdot: Where bad ideas meet poor googling skills.
    8. Re:IBM ineptitude by theLOUDroom · · Score: 4, Insightful

      50 man days to
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.


      Based on that reasoning why not 500 man days? 5,000?

      "Damages" should be calculated based on actual damages. If not, there's really no limit to how much damage they can claim.

      It's not that I necessarily believe that the number 50 is unreasonable, it's that the argument you're using to support it certainly is.

      Imagine if this was applied to someone who stole a $1 candy bar: Yes, it only took $1 to replace the candy bar, but we had to spend $10,000 to inventory the whole store.

      --
      Life is too short to proofread.
    9. Re:IBM ineptitude by qwyeth · · Score: 5, Insightful

      IANA security professional, but here goes:

      No system is 100% secure. Even if you do assume their security is state-of-the-art, there's still a margin of vulnerability. In this case, a security professional who was responsible for those systems abused his knowledge and former access to gain entry. Once he's in, there's no telling how many hacks, exploits, and sneaky tricks (not to mention previously-installed backdoors) he knows and can use to his advantage.

      No matter what their level of security and how much money they spent hardening everything in the past, they simply cannot be positive he hasn't found a way to sneak around their logs, sniffers, and monitors and install a rootkit. 50 man-days to recover doesn't sound so bad when you consider that one successful intrusion (however difficult it was to achieve) can result in an invisible-yet-gaping orifice that leaves all that hard-earned security worthless to future penetration.

      I agree that what Mr. Millot did is pretty stupid and stinks of 'amateur,' but IBM is operating in paranoia mode (and rightly so!). What if this guy is a pansy who knows just enough to get himself caught, but he was hired by a shady individual to plant a stealthy something and deleted the account as an afterthought? How does IBM know that their system isn't still compromised by something like that? Because they spent 50 man-days wiping and re-imaging systems or poring over md5 signatures or whatever it is they do in a situation like this.

      Actually, they still can't be 100% positive, but at least they were (to paraphrase the parent) duly diligent.

    10. Re:IBM ineptitude by ePhil_One · · Score: 4, Insightful
      You do need detailed computer forensics when you are stupid enough not to revoke admin privileges when you fire someone.

      It was not his account he was using to access it, but rather an auxiliary "Admin-level" card he stole. He was in charge of admin-ing the SecureID tokens, and had issued "spare" or "loaner" tokens. Bad security policy yes, but perhaps they outsourced his job because he made stupid policy decisions. Perhaps they should have done a full audit when he was let go, but in large companies this can be extremely difficult and disruptive, and still doesn't cover all the potential backdoors/traps/trojans a malicious admin could lay. The reality is you trust professionals to do what's right, they were already ahead of the game using token based authentication, it's impossible for him to have a co-worker's password.

      Blaming the victim is always bad policy, and you should feel no remorse for a criminal who has put IT professionals in a bad light. This wasn't one stupid moment, it was a series of really dumb decisions.

      1. Steal SecureID token from company you no longer work for
      2. Access (9 times at least!) former company's private network
      3. Vandalize former company by deleting data

      Personally, I'd feel fine if the company added lost productivity to the toll, not just for the manager, but for any projects that were delayed as a result of his criminal behavior, etc. This idiot got off light, don't be an idiot yourself and sympathize with him.

      --
      You are in a maze of twisted little posts, all alike.
  2. Eh ? by Delifisek · · Score: 5, Funny

    20k for undeleting account?

    Pheww...

    Now I understood why IBM four times bigger than Microsoft....

    --
    [My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
  3. Go to jail already. by mikkom · · Score: 4, Insightful

    Isn't it quite obvious that he should go to jail for this?

    1. Re:Go to jail already. by TheWanderingHermit · · Score: 4, Insightful

      I will probably be modded to troll for saying this, since I've noticed that on Slashdot there are many people who are so busy being right they aren't secure enough to listen to a disagreeing opinion.

      There are a lot of people here who seem to feel that because they can figure out how to do something, they have the right to do it. "I can, therefore I should be allowed to," would sum it up. It's a group that feels that if you lose your job, you are justified in taking revenge, legal or illegal. While losing a job is a rough experience, it's part of life. Businesses change and let people go. If you're not a big enough person to accept it and move on, then maybe you weren't responsible enough to accept the job in the first place.

      Yes, he should go to jail, but those that feel that they are, somehow because of their superior technical skills, some part of a "hacking elite" that should be able to break any laws they consider wrong (read: laws that are in their way, since, in their minds they are always right) and should be able to do so without consequence.

      It's a shame because such people really make it harder for the rest of us, both in discussions here and in life in general.

    2. Re:Go to jail already. by barc0001 · · Score: 4, Insightful

      There were thousands of factors you were unaware of when you judged him, yet you are absolutely sure of yourself.

      Er, the court of LAW also judged him to be guilty of a crime, so therefore he faces the punishment for committing a crime. From TFA: But he kept an administrator-level SecureID card with him and used it to enter the network nine times.

      NINE times. That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

      However, let's look at this in simple terms without specifics. Your account and account are tools you need to do your job if you work in IT, correct? If the story said "Fired mechanic broke into the shop and cut up $10,000 worth of his replacements' tools and equipment with an acetylene torch" you wouldn't be saying "boo" about it, even though this would probably be quicker to recover from (borrow other workers' tools in the shop until insurance replaces them a few days later) than a forensic audit on a system (shut it down and lock everyone out until you figure out how someone got in and what they did).

      Here's the take-away from this: He was fired. He broke things belonging to the company after he was fired. That is a crime. He goes to jail for doing it. End of story.

    3. Re:Go to jail already. by Kymermosst · · Score: 4, Funny
      Funny. His ID is lower than yours =-)

      Not by much... but still


      His ID: 714956
      My ID: 33885

      And they say the public education system is failing us.

      As an aside, I was here when slashdot started registration. I stayed an AC for a while on some stupid principle. And then I decided I really wanted good karma. Looking back, I should have registered immediately... I could have sold it on eBay.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    4. Re:Go to jail already. by thesandtiger · · Score: 4, Funny

      I will probably be modded to troll for saying this,

      I will probably be modded off-topic for saying this, but I've noticed that if one starts a comment saying "I'll probably get dinged on karma for this, but darn it, it needs to be said!" they will tend to be modified as insightful or interesting or informative, even when they are just stating the obvious.

      I'm not saying that your post wasn't insightful/informative/interesting, just that because you began by saying you'll be modded a troll you boosted the probability of a +5 rating substantially.

      Watch -

      I'll probably be modded off-topic for this, but darn it, it needs to be said: Ice is cold. Not as cold as dry ice, but still - cold enough that it's darned uncomfortable to have to have it on your skin.

      [sits back, lets the karma roll in and out - like the tides]

      --
      Since I can't tell them apart, I treat all ACs as the same person.
  4. Two lessons in there by ThatGeek · · Score: 5, Insightful

    What most people will get out of it: people shouldn't break into computer systems and delete stuff

    What I get out of it: don't outsource IT to a firm that doesn't lock out former employees

    --
    What are you eating? isItVeg?.
  5. Oh Please... by GodLived · · Score: 5, Interesting

    If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.

    The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.

    1. Re:Oh Please... by techno-vampire · · Score: 5, Interesting
      The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.

      Although I've never liked losing a job, I'd rather have that done than be allowed to wander out on my own. This way I have a witness that can testify that any damage done after I was terminated isn't my fault.

      Last time I was let go, I told my manager that I was logged in and asked him to come over to my desk and log me out because I didn't even want to touch that computer again. He told me that he trusted me not to do anything foolish, but I still had him watch me log out, just to be safe.

      --
      Good, inexpensive web hosting
  6. Or here is a better idea by hsmith · · Score: 5, Insightful

    Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.

    But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

    1. Re:Or here is a better idea by tomhudson · · Score: 5, Informative

      Okay, I know this is slashdot and most people didn't RTFA:

      A federal judge disagreed and handed down a relatively light sentence of three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.

      So he IS going to repay them $$$, lots of it. Not just jail time.

    2. Re:Or here is a better idea by ThaFooz · · Score: 4, Insightful

      Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER. But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

      So your argument is that white collar criminals aren't really criminals? I don't buy it.

    3. Re:Or here is a better idea by TheRaven64 · · Score: 4, Insightful
      I would argue that jail time does not work as a deterrent (there are studies that back this up, but I have not yet seen one that supported the contrary view). The only valid justification for a custodial sentence is that the individual's continued freedom will have a negative impact on the freedoms of others (i.e. violent offenders who are not capable of reform). Putting someone in a prison is expensive, and often has exactly the opposite effect - the convict is allowed to mix with other, often worse, criminals and learn from them.

      What, in your opinion, does society gain from imprisoning this person? Does it deter him from future crimes more than the $25k fine? I would imagine that, since he is unlikely to work in IT ever again, this fine will have a much greater effect on his future life. Does it make society safer? Would anyone have been placed in any danger (either physical or financial) by this person having been free for the three months of the sentence? Does the sentence deter others from committing the same crime? I would imagine that the prospect of never working again in their chosen field and having to spend a while with a good chunk of their disposable income going to pay a fine is a much greater deterrent for most people.

      --
      I am TheRaven on Soylent News
    4. Re:Or here is a better idea by Peyna · · Score: 4, Interesting

      We send white collar criminals to jail because while jail probably isn't much of a deterrent for your average bank robber, rapist or murderer (but might be what *those* type of criminals deserve), serving jail time can be VERY frightening for white collar criminals.

      So, if we send a few of them to jail, they'll either have to try harder not to get caught, or not do it. Unlike murder, most white collar crimes are not the type that you commit without any regard to the possible punishment. (In other words, most murderers probably readily accept their possible punishment of life in prison or death and go through with their actions knowing if they're caught it's over. If white collar criminals were not threatened with jail time, then there is very little of a deterrent, since most of them probably can afford to pay any fine we might charge, and if not, losing all your money and everything you own isn't as bad as going to jail if you're smart enough to get another good paying job later.)

      --
      What?
  7. Missing "Not" In Summary by kmactane · · Score: 4, Informative

    The summary should read: Mr. Millot's attorneys argued that his actions did not amount to $5K in damage...

    It's those itsy-bitsy words that make all the difference.

  8. Excellent, let's see MORE of this by Blymie · · Score: 5, Insightful

    This was a crime, hands down. Period. End of story.

    If you read the article, there were multiple breakins, on multiple days, over a period of years.

    The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.

    Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.

    Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harshly as well, after all, they can not legally claim they are just "following orders".

    If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!

    We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.

    People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).

    Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?

    Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrants. I say, that democracy costs.

    To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with out countries, and make sure that extradition is a possibility. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.

    Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.

    Bleh.

  9. It's a crime. That doesn't mean "jail time". by LKM · · Score: 4, Insightful

    I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.

    I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.

    I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.

    This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.

  10. There are 2 idiots in this story by The+Famous+Druid · · Score: 4, Insightful

    1. The idiot who logged on to his former employer's system and took a little childish revenge.

    2. The idiot who didn't disable the account of a security chief who's just been fired.

    Remind me never to do business with a company who are that lax with security.

    --
    Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)