IT Worker's Revenge Lands Her In Jail

aesoteric writes "A 30-year-old IT worker at a Florida-based health centre was this week sentenced to 19 months in a US federal prison for hacking, and then locking, her former employer's IT systems. Four days after being fired from the Suncoast Community Health Centers' for insubordination, Patricia Marie Fowler exacter her revenge by hacking the centre's systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff."

Makes the rest of us suffer...

Every time some person does stuff like this and it hits the press, every other IT person ends up suffering when the PHBs realize what the sysadmin or the Cisco guy is capable of.

Will this mean better security? Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

Re:Makes the rest of us suffer...

[Berserker]

Unfortunately you are right on!!

Re:Makes the rest of us suffer...

[mysidia]

Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

You mean someone who in your technical opinion as an engineer shouldn't be using enable secrets or root passwords?

The systems belong to the PHBs. If you want to avoid giving out root passwords, then don't have passwords.... use biometrics. Or use a "password under seal" system, where the password is available but secure, and will be changed within days if a backup needs it.

However, you will still have to provide access, doesn't matter if it's a password or something else, and that is perfectly reasonable, as long as you have accounting measures in place, clear policies on who is authorized to use access, and severe immediate penalties for any backup abusing their access

Re:Makes the rest of us suffer...

[hendersj]

Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

It's a job requirement to be trustworthy when working in IT. Those who aren't pull crap like this.

Even if she hadn't gone to jail, if she got caught tampering with systems (either while employed there or after being terminated), she should never, ever, under any circumstances be trusted to admin a system again.

Ever.

Re:Makes the rest of us suffer...

[MightyMartian]

This applies across the board. Not just IT people but accountants, managers, legal advisers and so on. IT people are not the only ones who can cause significant damage to an organization.

Re:Makes the rest of us suffer...

only for the slackers who don't control all content going to their bosses' computers.

Re:Makes the rest of us suffer...

[Venik]

Every time I see news like this, it certainly makes me suffer: a good sysadmin would not get caught. For a sysadmin, incompetence is the worst crime.

Re:Makes the rest of us suffer...

[hendersj]

Good point - it seems to be less of a problem in the other areas (in my experience, in any event). Thing is that admin people tend to have access to data from multiple of the other organizations, so while I wouldn't say that hiring untrustworthy people in any position is a good practice, in IT it can be doubly bad because the IT staff can generally access docs on shared drives (for example) that belong to accounting, legal, etc - and can either disclose it or nuke it along with the backups.

That can cause a lot more damage than if an accountant nukes his/her data, because they don't generally have access to the backups or other system-level tools.

If they do, the phrase "you're doing this wrong" comes to mind. ;-)

But point well taken.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

Are you suggesting that the PHBs are more qualified to determine who should have root passwords?

Re:Makes the rest of us suffer...

[Venik]

Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

And if you decided to fire them, make sure you terminate their access to your network in a timely manner. Somehow I seriously doubt Ms. Fowler actually "hacked" their systems. It is far more likely that after four days she discovered her remote access account still works and she took full advantage of this.

Re:Makes the rest of us suffer...

[MightyMartian]

I don't agree. While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

Re:Makes the rest of us suffer...

[Rydia]

It's not a question of who is qualified. It's a question of who is entitled. It's their system and they are the PHB. There isn't a metaphysical judge of who should have what, merely practical; the admin arguing that the PHB shouldn't have access "just in case," and the PHB ignoring that and receiving it anyway.

Re:Makes the rest of us suffer...

[HungryHobo]

I can see why some people have reservations about giving they keys to the kingdom to the PHBs
I've heard some really horror stories.

"I am the boss thus I demand the most important passwords you have!"
Followed by
"Password? Oh, ya, I found that big long one hard to remember so I just changed it to my name"
Followed by
"Someone has hacked our servers! This is your fault as you're in charge of IT security!"

So if you must use the "password under seal" system make sure it's a physical system like a safe which sets off several sirens when used, pages you and delivers a short list of "do not do under any circumstances" instructions along with said passwords to whoever is accessing them.

Re:Makes the rest of us suffer...

[afidel]

IT people can cause havok, bad accountants and executives cause Enron and Health South.

Re:Makes the rest of us suffer...

[lorenlal]

The systems belong to the PHBs.

That's an assumption. Not all PHBs are in charge of that hardware. Depending on the cost center relationship, that PHB may have no business whatsoever other than being the IT PHB instead of a business PHB.

Re:Makes the rest of us suffer...

[afidel]

This is one of many reasons I continue to advocate that if it's not offline it's not a backup.

Re:Makes the rest of us suffer...

[Nadaka]

One difference is the respect that is shown and compensation provided to accountants, managers, legal advisers and so on. Meanwhile IT guys are basically treated like janitors.

Re:Makes the rest of us suffer...

Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

It's a job requirement to be trustworthy when working in IT. Those who aren't pull crap like this.

Even if she hadn't gone to jail, if she got caught tampering with systems (either while employed there or after being terminated), she should never, ever, under any circumstances be trusted to admin a system again.

Ever.

It's equally as important to display respect and trustworthiness towards your IT staff. Remember, trust is earned. If you antagonize enough, even the trustworthy may turn against you.

Re:Makes the rest of us suffer...

[MightyMartian]

Amen. The backup system that I have instituted has both onsite and offsite backups, with a weekly backup going offsite in a safety deposit box. Even if I were to go completely rogue and format everything, I couldn't in fact wipe organizational data; in particular accounting and payroll data. I might force bookkeeping to re-enter at most five days data from paper file, but that's the extent.

Re:Makes the rest of us suffer...

[Phoobarnvaz]

Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

It goes MUCH deeper than just a trust issue.

What should have happened and didn't within less than an hour of her walking out the door is she should have locked out of everything. This company did not and paid the cost for their stupidity and laziness. This being the case...all executives/HR/whole IT department should have been fired/prosecuted for allowing this to happen. For that matter...the whole business should have been shuttered by the state of Florida and the FBI.

What she did was wrong...but it could/should have been prevented in the first place. Everyone there dropped the ball when it could have been prevented so easily.

In the future when this happens again...the perpetrator shouldn't be prosecuted...but those responsible for the security of the information. They are the ones responsible for things happening like this. What did they think was going to happen when they left raw meat out for the dog to see?

Re:Makes the rest of us suffer...

[zolltron]

Meanwhile IT guys are basically treated like janitors.

The irony of your comment is that it reproduces exactly the line of thinking that you criticize. You realize that janitors, by having physical access to almost all parts of a business, are capable of more havoc than IT folks. They often have physical access to all the same systems that IT people do and much more. If potential to cause damage should correlate with compensation, I'd argue that the janitors should get paid the most in any organization.

Re:Makes the rest of us suffer...

[Nadaka]

No irony at all. I am completely aware of the similarities.

Re:Makes the rest of us suffer...

[Red+Flayer]

While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

Any business worth its salt has controls in place to prevent any accountant from having enough control with too little oversight to prevent this. In my entire career, I have never worked for a company that was vulnerable to this without the complicity of ownership or top executive-level management. Little amounts might make it through for some of the companies I've worked for... but "in a huge way"? Never.

As for IT -- it's a function of the work involved that critical infrastructure is vulnerable to a rogue IT staff-member. Proper oversight is hard to do, especially since IT is an enigma to executive-level management most of the time. Proper system design, access management, etc, are harder to ensure for IT systems than they are for accounting processes.

Accounting example: In order for a payment to go out, it must be signed and/or authorized by a signing authority (usually top-level management) -- many companies require two signatures. The signing authorities have taken the responsibility of ensuring the payment is accurate, valid, etc, and companies have tons of audited controls to make it so.

IT example: In order for a critical system to be sabotaged... no such requirement. And even if you had the requirement, who among top-level management has the expertise to know what is proper?

Re:Makes the rest of us suffer...

[Americano]

Then you find a new job. You don't damage their systems and delete their data to "teach them a lesson."

Imagine if your doctor, after years of telling you to get your cholesterol under control, decided to amputate a leg because you didn't take his admonitions with the seriousness and "respect" he felt that you owed him.

Imagine if your mechanic came to your house one night and cut your brake lines because you hadn't praised his work as effusively as he felt you should have when you picked up your car.

This "you better treat us right, or else," is unprofessional bullshit. Someone behaving unprofessionally towards you is not cause to behave the same way in return.

Re:Makes the rest of us suffer...

[Americano]

You are an idiot. That is all.

"But your honor, she could have prevented this by wearing a locking chastity belt and carrying a gun. It's HER FAULT that she got raped!"

Re:Makes the rest of us suffer...

[Red+Flayer]

I think you mistake what most accountants make. Typically less than what the IT staff gets paid. Management-level is a different case.

Nationally: Accountant II: $51k/yr; Network Admin II: $61k/yr.

This is just one example; compare accounting to IT jobs across the board and you'll see that IT jobs pay more.

Re:Makes the rest of us suffer...

[Red+Flayer]

In the future when this happens again...the perpetrator shouldn't be prosecuted...but those responsible for the security of the information. They are the ones responsible for things happening like this.

Horseshit. Punish the victim?

The company who failed to secure their property made a mistake, and they suffered for it already. That alone should be an incentive to do things right in the future, and other companies who find out about it will hopefully think twice about their policies.

This does not change the fact that the perpetrator should be prosecuted and punished if found guilty.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

Yes it is a question of who is quallified. You're trying to remind us that it's usually morons running the show, but guess what - we already know that. The PHB shouldn't have root access because there's no reason to give it and many things he can break, and I don't see you refuting this anywhere.

Re:Makes the rest of us suffer...

[Sczi]

The systems belong to the PHBs.

I dunno, sounds like the admin owned it for quite a while

Re:Makes the rest of us suffer...

[Phoobarnvaz]

Am so glad you clarified yourself on exactly how I WAS an idiot. Sounds almost like you are for leaving/hacking systems. If that is so...I am an idiot...but at least I have a clear conscience.

Re:Makes the rest of us suffer...

[Hazelfield]

If you don't trust your IT people, they shouldn't be your IT people.

I think the managers sort of realized that, and that's why they fired her.
Maybe the true lesson to learn is this: don't let former employees keep their access. Not even for a few days.

Re:Makes the rest of us suffer...

[Mister+Whirly]

Owner status trumps technical experience every time. Trust me, any PHB stupid enough to demand access to areas they know nothing about and then go messing about is going to screw something up. When they realize just how much money it will take to fix their screwups, sooner or later they will realize why it isn't smart to give themselves access to said areas. But if the owner demands the keys to the kingdom he owns, he get them whether or not it is the smart move or not. How long do you think any employee who refuses an order from the owner is going to last? And how do you go about determining who is qualified to make the decision if someone is qualified?

Re:Makes the rest of us suffer...

[Phoobarnvaz]

In the future when this happens again...the perpetrator shouldn't be prosecuted...but those responsible for the security of the information. They are the ones responsible for things happening like this.

Horseshit. Punish the victim? The company who failed to secure their property made a mistake, and they suffered for it already. That alone should be an incentive to do things right in the future, and other companies who find out about it will hopefully think twice about their policies.

Have seen it happen too many times that the ones in control of the network are the ones who will walk away without any punishment. With this mentality...they never will learn and will allow the same thing to happen at the next company too stupid to hire them.

This does not change the fact that the perpetrator should be prosecuted and punished if found guilty.

Along with those who allowed it to happen by not following established security perimeters. They are just as responsible as the perpetrator...if not more. They were the ones who allowed it to happen.

Re:Makes the rest of us suffer...

[Americano]

I think it's pretty clear why I feel you're an idiot: because I am for punishing the criminals, not the victims, and your entire post is basically a slap in the face to fundamental professional ethics. You've said that if somebody takes advantage of your poorly secured system, the person abusing the system shouldn't be prosecuted, the people who "failed to prevent" that abuse should be prosecuted instead.

That a system is insecure doesn't magically absolve you from responsibility when you abuse the system and the data it houses.

Re:Makes the rest of us suffer...

[Mister+Whirly]

Yeah, all the IT department can do is leak several hundred thousand secret cables to WikiLeaks. No real damage though.

Re:Makes the rest of us suffer...

Someone behaving unprofessionally towards you is not cause to behave the same way in return.

At the very least, you shouldn't punish yourself by getting caught.

Re:Makes the rest of us suffer...

[sauge]

Sounds like someone needs to offer up some policy documents that are signed by management (in this case required password characteristics). Not all solutions are technical and not all technical solutions are legal.

Re:Makes the rest of us suffer...

[Americano]

Yep, we'll make these jokes - and more than halfway mean them - and then we'll complain that other engineering disciplines and other professions don't respect us or take us seriously as professionals.

I wonder why?

Re:Makes the rest of us suffer...

[anegg]

When required, it is possible to provide for separation of duties in IT infrastructure. One method is to have a separate function responsible for reviewing logs, configuration changes, etc. A past project of mine used commercial software (Tripwire) to ascertain all router configuration changes, for example. It was also required that access to routers be done under personally-identifiable usernames. The logs included all admin activity on the routers, logged with the personally-identifable user names. The daily comparison of configuration files to the baseline configuration backed up the log files. Therefore all configuration changes could be tracked, unless someone boggered the tracking, which would itself be a security incident. "root" passwords for the routers were configured, and were kept in encrypted files in the hands of security staff. Perfect? no.... Could someone still hack things up? Yes, but they would be likely to leave a trail and be spotted before hacking things up too far.

It wasn't necessary to give PHBs the passwords, but the PHBs knew that the passwords were available in the event that the normal admins were unavailable to perform their duties (for any reason). If someone unauthorized used the stored "root" passwords, it would show up on the logs as well.

Re:Makes the rest of us suffer...

[OrangeMonkey11]

Right on, you would think someone within the IT department would have the common sense to disabled all of her accounts before she left the building.

Re:Makes the rest of us suffer...

[towermac]

just another vote for idiot.oh, and um,.. SCARY.

Re:Makes the rest of us suffer...

[meloneg]

However, the point is that your "Network Admin II" generally has much access to wreak havoc as a CFO. And, the comparison to janitors (and all facilities people) above is fair. Three major differences: a) PHBs tend to understand both the effort involved in and risks associated with the facilities people. b) Facilities people have a much stronger basis for collective-bargaining responses to PHBs. Even in a non-union shop, the PHBs know that the appropriate union would be more than happy to come-in and "help" a downtrodden janitor/HVAC guy/... c) There is a long and established history of how facilities people "should" be treated. Our industry is, at most, a toddler. Probably better said to still be an infant.

Re:Makes the rest of us suffer...

[rilian4]

Call me old fashioned but a "good" sysadmin doesn't screw up to the point of getting fired let alone destroying the network they used to admin. A skilled hacker, on the other hand, would be the one that didn't get caught. That said, you are right about incompetence.

Re:Makes the rest of us suffer...

[mysidia]

Are you suggesting that the PHBs are more qualified to determine who should have root passwords?

No. I am suggesting the PHBs have a stronger bonafide legal and moral right to be able to know the root passwords, and their rights trump any rights or obligations the system engineer might otherwise have to keep anything quiet / not reveal to other employees.

In the same manner as they have controls of all the other assets they manage, such as their staff. The CEO has a right to know the root password, just like he has the right to know the desk phone numbers of all his staff. The CEO can even fire someone without that person's manager's consent.

You cannot deny the CEO access to your desk drawer if he demands the key, let alone root to his company's server.

Technical ability does not grant authority, or ensure trust. Trust of people is a management decision, not a technical decision. Security is a top down thing. The people at the top impose security and security policies, sometimes at the advisement of technical staff.

But the PHBs are the masters of their own policies, and the rule supersedes their subordinates on all matters, even if their decision is to disregard technical or security advise, whether it's good advise, or bad advise from unqualified staff does not matter, they have a right to disregard or take under advisement as they wish.

In fact, a PHB has a right to require sysadmins don't know the passwords, so every day one starts work, and goes to their computer, the admin has to politely ask the PHB to come down, and type the password at a su prompt for the operator to become root.

For example, keys to the forklifts, keys to the company helicopter. PHBs can have these, or require they be available to them. This does not mean the PHBs are qualified forklift drivers or pilots.

But the PHBs have the right to those, the security control devices the same. It enables them to hire an additional driver/pilot at will, which they have a right to do.

The PHBs have a right to hire someone to come in, login as root, and audit their computer system, without telling the admin they delegate responsibility of that system to.

For example, as a means of quietly evaluating the sysadmin's work, or in preparation to replace the sysadmin.

The justification doesn't matter, the PHB has a right to do it, and has a right to keep information from the sysadmin.

The sysadmin has no right to keep security information from their employer, especially not the generic administrative keys to company owned equipment.

Re:Makes the rest of us suffer...

[dgatwood]

As an aside, if you allow the user to run a shell as the admin user with sudo, the user can purge the logs without logging a new security incident. For proper security, logs should be on a separate machine, and a separate person (ideally outside the IT department) should be the only one with root access. Separation of powers and all.

Re:Makes the rest of us suffer...

[dgatwood]

No one should have root passwords. The mere existence of a root password is a fundamental security hole. If everyone has a user account and certain people have sudo privileges, you have:

• An audit log
• A trivial way to cut off that person's admin access (with or without cutting off all access)

Combine this with a proper centralized authentication/directory services system, and you're done.

Re:Makes the rest of us suffer...

[bornagainpenguin]

Imagine if your doctor, after years of telling you to get your cholesterol under control, decided to amputate a leg because you didn't take his admonitions with the seriousness and "respect" he felt that you owed him.

You mean like former nutritionist Jon Basso? He got so tired of patients ignoring his advice on healthy eating he opened up the Heart Attack Grill to give them exactly what they're asking for--an early trip to the grave!,p>Not excusing hwt this woman has done or what Basso does, but there are consequences to being ignored when you give good advice. Do it often enough and people might start giving you what you're asking for, not what you need.

Re:Makes the rest of us suffer...

[CAIMLAS]

This is why I have decided to refuse external access (when possible) from my employers, and to not accept expulsion from the premises until I see them terminate my accounts (and change the passwords of any stupid 'shared' accounts).

Some time ago I was terminated by a vindictive boss. We're talking escape from the crazyhouse, straight jackets required formal, crazy. It was in a smaller town, and not long after I left, I started to hear outlandish rumours about myself: I was fired for groping a young female clerk; I was fired for stealing personal financial information; I was fired for looking at porn at work. You name it, I heard it. Surely, some of it was rumors, but I had some come up to me in person and say, "your old boss is saying such-and-such about you" because I'd made friends while there.

Thankfully, the boss was not smart enough to truly frame me for something like that, though the day I left I saw her attempting to do so (trying to access my workstation remotely). It would not have been outside her mentality to try to get into my home system(s) and then 'break in' to the facility's network using my (not terminated) credentials, had I any. Or, as is the case in many places, using a shared password which was never changed upon my termination.

This case, however, kinda sounds like one of those "I'm going to see if they canceled my accounts... oh, and I'm still really angry" affairs. Four days sounds about right for the reality of the situation to catch hold with the ex-employee. She gets in, starts snooping around, and then realizes what's at her finger tips... she gets carried away and it all goes down hill from there.

It can (and does) happen anywhere, not just in IT: construction workers go off-hinge and destroy property; lawyers and traders steal customers or other "proprietary business information" and bring it with them to a competitor - and so on. It's just that with IT, the impact is much more substantial to 'everyday' people because they see it in the performance/availability of the network systems those IT people set up and maintained - and therefore, it's more visible.

Re:Makes the rest of us suffer...

[PitaBred]

The problem is that most of those people overestimate their abilities, and I have a vested interest in eating. So they'll go in and fuck something up, and I am the one on the hook to fix it. And if they haven't approved the budget to do appropriate backups and such (why would they? They have no connection to reality given their overestimation of their abilities), then I get fired for letting things break. It may be expensive for the owner, it may even put him out of business. BUT I AM FUCKED AS WELL. Just because there are more of us sharing it doesn't make it better. Seeing that issue coming and saying "no" to password requests is just doing prudent risk management.

A good compromise may be to just say "Let's put the passwords in an escrow of some sort" so that the boss won't have access until you need to leave (or get hit by a bus), but he'll still have access if he needs it and it's most critical.

Re:Makes the rest of us suffer...

[dgatwood]

"But your honor, she could have prevented this by wearing a locking chastity belt and carrying a gun. It's HER FAULT that she got raped!"

No, more like "But your honor, she strolled drunk through Central Park at night completely naked and shouted "TAKE ME!" at every man she saw. It is in large part her fault that she got raped. There's definitely a line between reasonably intelligent behavior and pure idiocy that simply should not be crossed, beyond which you are just setting yourself up for getting screwed.

When you give someone access to a machine, you can reasonably expect them to do whatever they're allowed to do. It's not unauthorized access if you haven't taken away that person's access. Sure, you might have a civil case if they get in there and destroy things, but at least some portion of the fault does lie with the victim for choosing its employees poorly, for giving access that they should not have given, and for failing to take it away when they realized it could be abused.

Actually, a better analogy would be someone who consents to sex regularly for months, then dumps his/her partner, but gets a little tipsy and allows that former partner into his/her room anyway, and then accuses the partner of rape because even though he/she didn't say know, he/she didn't explicitly say yes. It's not that the act wasn't wrong, just that there is more than enough blame on both sides to go around, so it's not nearly as clear-cut.

Re:Makes the rest of us suffer...

[Mister+Whirly]

Actually, you were fucked when you accepted a job at a place that hasn't approved the budget to include backups.

The problem is that most of those people overestimate their abilities, and I have a vested interest in eating. So they'll go in and fuck something up, and I am the one on the hook to fix it.

I call this "job security". I too have a vested interest in eating and as long as someone keeps messing things up, and it is my job to fix them, I can keep eating.

Re:Makes the rest of us suffer...

[Americano]

No, more like "But your honor, she strolled drunk through Central Park at night completely naked and shouted "TAKE ME!" at every man she saw. It is in large part her fault that she got raped.

Ah, so the rapist is not liable for his crime at this point, then, and the woman who was raped should be put on trial instead? Is that what you're saying?

Remember, the poster I replied to specifically said exactly that: the perpetrator shouldn't be tried, and the people who were victims of the crime should be put on trial instead for failing to secure everything from every person with malicious intent.

Re:Makes the rest of us suffer...

[Grishnakh]

So they'll go in and fuck something up, and I am the one on the hook to fix it.

If you don't like it, you're free to quit and find another job more to your liking. As Fulcrum said, the system belongs to the PHBs, not to the employees, so they're allowed to do whatever they want, even if it's stupid or causes problems. As an employee, you're free to leave your job at any time (I hope; at least it's like that in my state) if you don't like the terms and conditions of employment.

Remember, we're not talking about the Terry Childs case, which involved a system that belonged to the government, and theoretically, the citizens of SF. We're talking about regular private companies here. In a regular company, you either follow your boss's orders, no matter how stupid, or you get another job.

If you think you're so good at being boss, start your own company. I'm sorry, I'm usually the last one to defend PHBs, because they really are a bunch of morons in most cases, but the idea that anyone other than the people running a company should have any say in how critical secrets are handled is the most inane thing I've ever read.

This is why employees in this country need to do a better job of managing their own lives and personal finances, so that they can afford to simply walk out of their job if their bosses are being idiots, and go find another job with smarter bosses. Poorly-run companies deserve to go out of business, but when employees are locked in by circumstance, that gives the company much more inertia than it deserves. Incidentally, I walked out of my job a few months ago, because I got sick of the BS. Then, a few weeks ago, it was on the news that their main competitor just bought them out.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

We aren't discussing that. We're discussing whether the CEO should have the root password to anything - the general answer is no, unless they're out there maintaining servers, they shouldn't, and if they are, it's probably a startup.

Re:Makes the rest of us suffer...

[mysidia]

"Password? Oh, ya, I found that big long one hard to remember so I just changed it to my name"

Followed by "Someone has hacked our servers! This is your fault as you're in charge of IT security!"

That's when you say, "the audit log shows you changed the system password to this simple one; you allowed the breakin"

And you rightly get... No... you're to blame for not having recommended appropriate password policies, and backed them up with technical enforcement measures.

Re:Makes the rest of us suffer...

[Shadow99_1]

'getting fired' isn't something you may happen to expect, but in a modern company it's usually a process of unintentionally pissing off the wrong person who decides to hold a grudge. I was a network admin for a company where most people liked me, but I became 'old blood' having outlived a particularly bad CAO the company had... The new HR person and the new business manager resented me for it and played politics behind my back to eventually get me fired. This wasn't helped by the HR manager having his mom on the board of directors (it's how he got the job).

I didn't 'do' anything to get fired, my 'crime' was not having any strong relationship with the board who pressured the new CAO who was my former direct supervisor.

The ironic thing is I talked to a former boss from the place I worked at before my last job and he was the vengeful type. Saying quite clearly that if it had been him, he'd have shut the system down when he left. Some of us are a bit vengeful about mistreatment from an employer.

Re:Makes the rest of us suffer...

[mysidia]

We aren't discussing that. We're discussing whether the CEO should have the root password to anything - the general answer is no

And that general answer is wrong, if the CEO demands the password, it must be given to the CEO.

It may be technically inadvisable for the CEO to use the password, and it may be inadvisable from a corporate security perspective for the CEO to have direct use of the password (other than the uninterruptable ability of the CEO to reveal the password to someone deemed qualified personnell).

Or a corporate policy might be established, approved by the board of directors, that even the CEO has to follow.

However, it's definitely not within a sysadmin's authority to make such a facilities security decision if counter to a requirement imposed by their boss.

Re:Makes the rest of us suffer...

Wow, genius, thanks for sharing your blatantly obvious point to us... what would we do without you?

Re:Makes the rest of us suffer...

Really, I think this just highlights something I've said for years: If you don't treat your IT people well, you'll pay for it eventually.

Re:Makes the rest of us suffer...

[TapeCutter]

This so called moron* is your employer (or their representative), HE has given YOU access to HIS equipment, not the other way around. He pays YOUR bills in return for you following HIS rules while operating the equpment HE has given YOU access to. It is his perogative to break anything that belongs to him, your job is to ADVISE him not to do so (and repair it when he says "opps"). If you don't like it when he ignores your ADVICE you are free to relinquish the access HE has granted to HIS property and leave, you are not free to force your advice on him (unless he is performing an illegal act). If because of personality/intelectual problems you cannot abide by this universal employer/employee contract and have come to believe it's you right to deny him access to his property then he will need HIS passwords to grant access to the person he replaces you with when he fires your contemptuous arse. The same principles apply to everything from the combination to the company safe to the keys to the janitors closet, the only thing you have an implied right to withold from your PHB are your PERSONAL passwords, swipe cards, etc. You DO NOT have the right to deny your employer access to their property, regardless of how much better you think you can care for it.

* - If he is the moron then why is it that you are working for him?

Re:Makes the rest of us suffer...

[oobayly]

Which is one the reasons I don't get why some people appear to think sudo is the be all and end all.
Anyone worth their salt will be able to screw up a system so that an audit trail will be of little help.
The other thing that's always used on sudo examples is "it stops you accidentally screwing things up", it doesn't stop the user from executing`sudo rm -Rf foo /*` because he knows he needs to be root to delete everything in ./foo/

Re:Makes the rest of us suffer...

[FPoe]

Will this mean better security?

Sounds like they have no security at all. If after 4 days you still have this type of access, your security policies and team has failed miserably.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

You just don't get it - this is not a question of authority - yes, the CEO can demand the password, but he has no business knowing it.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

wow, aren't you a sanctimonious prick. Most of the exec staff I respect fully owns that they are morons on technical matters (At least with the details) and would never want to know things like root passwords. They do business and decide things at a high level, then they let us go build and maintain as we see fit. We do a good job and nobody cares what we do specifically.

So maybe the big boss is a moron in general - they own the servers and all that, but they're still morons with no business touching them.

Re:Makes the rest of us suffer...

[HornWumpus]

In my experience facilities people are paid the least the buildings cleaning contractor can get away with and still maintain a full enough crew.

They steal anything that isn't bolted down and never speak English (last job I worked with this problem it sounded eastern European) when confronted with laptops etc in their trash bin.

I don't know why any tenant would agree to let complete strangers clean their space.

I'm guessing it's the nature of PHBs again. Price is not equal to cost. They can't even get that though their pointy heads.

Then again I wouldn't put it past the cleaning contractors to just jack up the price, make a million promises, then deliver the same bunch of scumbags. Everybody switch buildings. Repeat.

Re:Makes the rest of us suffer...

[Venik]

By "good" sysadmin I don't mean a doormat. Sysadmins are also people, but not all managers treat them as such. Sometimes they confuse "servers" with "servants". So, yes, it is entirely conceivable that even a mistreated good sysadmin, upon departure, may want to enhance his former employer's systems even more. This is why no employer should ever fire his last good sysadmin. Otherwise there will be nobody left to appreciate all this hard work.

Re:Makes the rest of us suffer...

We get it just fine thanks. You're just wrong, is all. The CEO has more business knowing it than you do.

Re:Makes the rest of us suffer...

[MokuMokuRyoushi]

I think everyone is in agreement, that he should not in fact even ask for the password. But you're the one that isn't getting it. Good intentions and common sense regardless, if he asks, you give it to him. The end. Sensibility has no part to play here.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

What exactly am I not getting?

Re:Makes the rest of us suffer...

As an example, some bar associations (laywers) ban lawyers from working in law offices in ANY capacity if they are suspended on disbarred, not just as a paralegal or receptionist, but even as a janitor.

Re:Makes the rest of us suffer...

[mysidia]

What exactly am I not getting?

The fact that the management defines what their business is, and what the sysadmin's business is in their organization; not their subordinate, or some outsider.

Re:Makes the rest of us suffer...

[dgatwood]

Ah, so the rapist is not liable for his crime at this point, then, and the woman who was raped should be put on trial instead? Is that what you're saying?

No. That is not what I'm saying. What I'm saying is that the rapist is wrong for doing what he did, but the woman is also wrong for not taking the slightest bit of personal responsibility for her well being. It is possible for more than one person to be at fault, you know. :-)

In my opinion, both parties should go through legal hell---the perpetrator for attacking the company, and the company for being grossly negligent. In particular, if there was any HIPAA data involved, that company should be spanked with a major fine. There are laws requiring health care providers to secure their systems in specific ways for good reason. This isn't just some random firm we're talking about here.

Re:Makes the rest of us suffer...

The best revenge is simply knowing you have not documented anything.

Re:Makes the rest of us suffer...

[Kjella]

As for IT -- it's a function of the work involved that critical infrastructure is vulnerable to a rogue IT staff-member. Proper oversight is hard to do, especially since IT is an enigma to executive-level management most of the time. Proper system design, access management, etc, are harder to ensure for IT systems than they are for accounting processes.

TThe real issue is that for most other systems, it's the IT system enforcing the rules. The accountant simply doesn't have the rights to make payouts himself. However, with IT access you can often subvert the whole process by writing directly to files, changing the database, replacing executables and so on.You can't trust anything a person has root/admin access to to abide by any rules nor tell you the truth.

Re:Makes the rest of us suffer...

[TapeCutter]

"wow, aren't you a sanctimonious prick

If by "sanctimonious prick" you mean a realist who belives property rights are fundemental to a civil society, then yes.

"Most of the exec staff I respect fully owns that they are morons on technical matters (At least with the details) and would never want to know things like root passwords."

There is a vast difference between a PHB making the wise decision to censor himself, and you making the unwise decision that he is not competent enough to have full control over his own property.

Re:Makes the rest of us suffer...

[shentino]

It's called the chain of command.

Specifically, the part where you'll get your ass fired for insubordination if you don't do what the fuck you're told by your superiors in the food chain. Your boss has more of a right to be an idiot than you do. It's one of the privileges of having authority.

However, there is an exception.

The only time you CAN refuse to give your boss the password is if an even BIGGER boss tells you not to, someone who is also your boss's boss.

In fact, companies will often reserve "root spill" power to the monster cheeses that often are in direct contact with the board of directors or another super high level position, who then gives orders to the BOFH that the PHBs are forbidden to have the password.

The private sector is just like the military with following orders. The only difference is that if you disobey orders in the military, you get court martialed and go to prison instead of merely losing your job.

Re:Makes the rest of us suffer...

[MokuMokuRyoushi]

It's not unauthorized access if you haven't taken away that person's access.

A point that you failed to factor in is that though she did have the ability to access the systems with ease, but it's fairly certain that she no longer had the permission. To analogize that with cars in mind; yes, I may have forgotten to take my spare key from you when I told you I no longer wanted to you run my errands, but that doesn't mean you have my permission to use my friggin' truck. Certainly not to crash it in an act of revenge.

Re:Makes the rest of us suffer...

[MokuMokuRyoushi]

What they said.

Re:Makes the rest of us suffer...

[kaatochacha]

Oh, you certainly give it to him. And you make sure you've got proof of his request, and your advising him of the danger. Basic CYA, actually.

Re:Makes the rest of us suffer...

Actually some mechanics do that kind of stuff, no need to do get into your home, next time you come he can change a new piece for an old one.
And doctors some times administrate pain at will, just a bit of it, good doctors don't ever do it but there are millions of them, and hell, a dentist can be in a bad mood too.

Re:Makes the rest of us suffer...

I don't know. I once got laid off from a network admin position and when I tried to collect unemployment, my former employer lied and said that I had quit. I still had access to their servers, so I went in and dug up proof that they had lied in an email from the CEO. Obviously I didn't present this to unemployment (it turned out to be unnecessary because the unemployment office believed me over the company), but it was my own confirmation that I was better off not working for a company like that.

I didn't damage anything. In fact, I fixed a couple of problems without thinking and then realized "what the hell am I doing, I don't work there any more".

Re:Makes the rest of us suffer...

[AK+Marc]

The systems belong to the PHBs.

I've had this discussion before, and you are 100% wrong. The PHB is a middle manager. The front line worker is as much the owner of the system as the PHB. You might have been correct if you discussed the difference between the worker and the owners. But a PHB, though higher on the org chart, is no more the owner of the system than the people that work for them.

Re:Makes the rest of us suffer...

[Xeno+man]

The top guy or guys (or maybe gals) have a right to know or at least have access to all the main passwords as many have said, it's their system, but at the same time there needs to be clear policies and agreements about the use of those passwords and what they should and should not be changing. If they want to fire and outsource the it staff, they need the ability to do so. At the same time, if your really worries about the PHB messing stuff up, sign an agreement that anytime a non IT staff member access and breaks something, all IT staff receive triple pay until the problem is resolved. As long as there are clear consequences for stupid things like that, problems seem to go away.

Re:Makes the rest of us suffer...

[Chris+Mattern]

Do have any idea the damage a janitor could do if he decided to be actively malicious and applied a little ingenuity?

Re:Makes the rest of us suffer...

[Securityemo]

Exactly. If he decides to do something, the consequences (besides lost company revenue, but that's just life) should not rest on your shoulders.

Re:Makes the rest of us suffer...

[BlackBloq]

Who cares>? They will never have the time or the inclination to learn your job. So the plumber can flood your house and the electrician can burn it down . Big whoop get over it and shut up.

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

You're a moron.

I have already allowed that management has the right to demand passwords. My point is that they generally have no business doing so, or mucking about in the servers anyway. Why this simple point is generating so much ire is beyond me. Could it be that you just want to be right and that requires someone else to be wrong? Do you seriously think that a VP or executive guy should be hacking code or messing around in a production host? Really?

Re:Makes the rest of us suffer...

[Fulcrum+of+Evil]

Go back and find the part where I disputed that.

Re:Makes the rest of us suffer...

[shentino]

They have the authority to fire you. You do not have the authority to stonewall them from their own system.

That's the way the world works, dog eat dog where it's survival of the fittest. And this is true socially as well, where pissing off someone with power will get you killed.

And the sooner you realize that the better off you will be. If you don't like it, start your own company and see how long you last against your fellow backstabbers before you either fold or turn to the dark side yourself.

Re:Makes the rest of us suffer...

[mysidia]

I've had this discussion before, and you are 100% wrong. The PHB is a middle manager. The front line worker is as much the owner of the system as the PHB.

No, the PHB is granted authority over the "front line worker" by the owner. The "owner" being the company itself, whom their superior is an agent of.

As an agent of the owner the PHB has all rights conferred upon them by the owner. The "front line worker" has no rights not conferred to them by their boss. The PHB "owns" the employee.

That's what "boss" means. The boss is responsible for their employee, and dictates the conditions of their work.

The PHB of course has their own boss; however the front line employee is not a party to that relationship, or that agency. The boss is "God" to the employees they have responsibility for.

Re:Makes the rest of us suffer...

[AK+Marc]

No, the PHB is granted authority over the "front line worker" by the owner.

Authority over the front line worker does not give them ownership of the items the front line worker is responsible for.

As an agent of the owner the PHB has all rights conferred upon them by the owner.

That statement is as true when said about the front line worker. If, as you assert, the systems do not belong to the front line worker, they do not belong to their supervisor either.

That's what "boss" means. The boss is responsible for their employee, and dictates the conditions of their work.

Supervision of the employee doesn't confer ownership of the equipment.

The PHB of course has their own boss; however the front line employee is not a party to that relationship, or that agency.

You are arguing that the boss is more owner than the employee, and thus, as far as the employee is concerned, 100% owner. However, the fact is that the boss is 0% owner. So your logic is wrong, your premise is wrong, and you are arguing something other than reality. Greater authority and responsibility doesn't equate to ownership.

Re:Makes the rest of us suffer...

"Combine this with a proper centralized authentication/directory services system, and you're done."

well, as long as you have total physical security, maybe. Otherwise, someone could boot off a cdrom or usb disk then mount your machine's root disk and remove the root password. Then reboot, and you have root login and do whatever that system can do including impersonate any of the users with logins on that host.

"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and I'm
not even too sure about that one"
-- Dennis Huges, FBI.

Re:Makes the rest of us suffer...

[deprecated]

A fucking dangerous sanctimonious ideologue is more accurate.

Re:Makes the rest of us suffer...

[sleeponthemic]

Seems to me you've deliberately used rather trivial scenarios to further your point, there, sir. On the other side of that coin, I've attempted to rape you. I'm thinking there might be just be a part of you that can empathize with such a reaction, even if you disagree with it.

Re:Makes the rest of us suffer...

[linuxrocks123]

> That's the way the world works, dog eat dog where it's survival of the fittest. And this is true socially as well, where pissing off someone with power will get you killed.

Yeah, man. I knew a guy who refused to give his boss the password to the router, and they found his dead body riddled with bullet holes in the river 2 weeks later. Insightful comment you made there.

Re:Makes the rest of us suffer...

Apparently, from someone who has never tried debugging a system. Root access isn't the problem, the problem has to do with not having a system in place where someone with such access can be locked out the instant they are fired. But even then, the article above says she hacked in, this could mean that she had either programmed the back door in herself, or she knew of a serious security flaw that she never reported. Either way the company was better off without her. Hopefully their backup was recent enough to undo most or all of the damage.

Re:Makes the rest of us suffer...

[smash]

They should perhaps HAVE access to the root / admin passwords.

They should not be using them however.

There is a difference (and any competent PHB knows this). Having the password(s)/keys/etc in an envelope locked away in a physical safe for use in emergency (possibly by a contractor when in-house IT go awol, die, etc) is just good business sense.

Re:Makes the rest of us suffer...

Or if, say, your boss told you to do something his way, even though you told him it would break everything, and then when it broke everything he told the customer that you had done it wrong, hadn't done it his way, he didn't tell you to do it that way because that's the way that would break things...

Re:Makes the rest of us suffer...

One difference is the respect that is shown and compensation provided to accountants, managers, legal advisers and so on. Meanwhile IT guys are basically treated like janitors.

Damned right!

I was once required to attend a few days' session (from an outside contractor, of course) titled, "IT as a Service Organization". What a crock of shit -- it was days of instruction in how to knuckle under and grovel.

One case study was about an HR manager whose project was allowed to languish. When the assigned programmer resigned, the HR guy's first clue was when his programmer's paperwork crossed his desk.

He called IT to find out what his project status was. The IT guy quickly assigned another programmer to get up to speed and soothe ruffled feathers, saying, "After all, it's only HR."

Apparently the rest of the class accepted the assignment like sheep. I nearly got thrown out when I suggested, while we were out on a break, that the newly-assigned programmer should go to HR and tell them exactly what was up -- essentially rat out out his chicken shit of a boss -- letting HR know that there had been inadequate supervision of the project and that he was just there to calm the tide.

Holy Jesus -- I couldn't believe the reaction from the others -- they immediately sided with the IT manager and tried to cast the blame on the HR guy -- for not checking on the progress of the project.

I said that was horseshit -- the reason for having IT is to handle stuff other departments couldn't do on their own. I also said the responsibility was entirely on IT as a simple matter of personal and professional INTEGRITY. It was obvious to me that, no matter how early the HR department checked, the IT guy who sneered at HR would simply nave given a BS status report.and blown the HR guy off anyway, at least until forced to provide some work product.

No one seemed to get the irony of justifying such misbehavior on the middle of a course on how to be a "service organization".

Typical American CYA executive behavior.

Re:Makes the rest of us suffer...

Proper oversight is hard to do, especially since IT is an enigma to executive-level management most of the time.

And the fault lies exactly at the feet of management. When IT has a request to make of management, the haughty bastard executives always demand it be "presented" (subservient enough?) in "business terms". They're too fucking arrogant to learn anything about what IT is all about. They're fine (and cozy) with accounting and engineering because that's the way came up themselves. No one else deserves the respect of mutual understanding -- everyone must learn their ways, with no reciprocity. If they learned shit about IT, they'd understand why "storage capacity nearing maximum" means action (and $$$) are needed. Instead, they cross-examine IT as if IT were just a bunch of cheats trying to eat the executives' bonus fund.

The signing authorities have taken the responsibility of ensuring the payment is accurate, valid, etc, and companies have tons of audited controls to make it so.

Just like Enron, whose top whores all disavowed knowledge of what was going on one level down -- a sterling example of the "idiot defense" -- http://en.wikipedia.org/wiki/Idiot_defense, where Ken Lay is specifically called out as an example.

And even if you had the requirement, who among top-level management has the expertise to know what is proper?

How gracious of you to prove my point.

Re:Makes the rest of us suffer...

[rtb61]

Only one conditional on that. In the event that the equipment owned by the Point Haired Boss is used to commit a criminal act, a release must be signed by said PHB that the network administrator is not legally liable for any criminal activity originating from said equipment.

When the police come looking for someone for criminal activity sourced to the equipment you are managing the first person they will question is you, the network administrator, you are then required to prove your innocence, a hard thing to do with wandering root passwords.

Re:Makes the rest of us suffer...

[Culture20]

Owner status trumps technical experience every time.

Hell, Mr. Nucular Silo launchy guy? I'm a US citizen, so I own this missile. I want to launch it. Give me your key and tell your partner we're going to launch on 0. 3... 2... 1...

Re:Makes the rest of us suffer...

[anegg]

Sorry - I should have mentioned that any useful application of logging to the maintenance of separation of duties requires that logging always be done in realtime to a separate logging sink or a physically isolated physical medium (i.e., paper output, write-once device, etc.).

Re:Makes the rest of us suffer...

[xmundt]

Greetings and Salutations....
          A couple of points.
          1) you (and several other posters here) seem to be confusing rape with sex. Rape has nothing to do with sex...it has to do with domination and having absolute power over another person. A locked door will keep out an honest person, but only slows down someone who wants in for a little bit. A rapist will do what is necessary to gain that domination and power no matter what.

            2) I have had the owners of companies request a complete list of passwords for the systems I administer. I have always handed them over, but, with a cover letter that reminds the person that use of some of the passwords (Root, for example) can allow massive damage on the system, and, as such, their using those passwords, or letting others use those passwords would mean that I was not responsible or liable for any data or program issues that might arise. I would also point out that according to the statistics, about 75% of the companies that suffer catastrophic data loss went out of business. So far, no problems...The owners are re-assured that if I get hit by a truck, they can still get into their systems, and, I have covered my ass enough that if someone logs in and starts deleting files because they do not know what they are for, it is their problem.
              Oh yea...I tend to keep good backups, so, as a part of this, I can usually do a restore back to a point when life was good. I have found that after a person has to type back in a few days of transactions again, because someone stupidly went in a wiped out a data file, the use of root password and such drops dramatically.
          pleasant dreams
          dave mundt

Re:Makes the rest of us suffer...

[fishexe]

* - If he is the moron then why is it that you are working for him?

Because he has money and we need jobs.

Re:Makes the rest of us suffer...

[fishexe]

There is a vast difference between a PHB making the wise decision to censor himself, and you making the unwise decision that he is not competent enough to have full control over his own property.

...how is it unwise if he actually is incompetent?

Re:Makes the rest of us suffer...

[fishexe]

Owner status trumps technical experience every time. Trust me, any PHB stupid enough to demand access to areas they know nothing about and then go messing about is going to screw something up. When they realize just how much money it will take to fix their screwups, sooner or later they will realize why it isn't smart to give themselves access to said areas. But if the owner demands the keys to the kingdom he owns, he get them whether or not it is the smart move or not. How long do you think any employee who refuses an order from the owner is going to last? And how do you go about determining who is qualified to make the decision if someone is qualified?

You're assuming the PHB is the owner.

Re:Makes the rest of us suffer...

[Mister+Whirly]

Yes, in this instance the PHB is the owner.

Re:Makes the rest of us suffer...

[Hognoxious]

This so called moron* is your employer (or their representative), HE has given YOU access to HIS equipment, not the other way around. He pays YOUR bills in return for you following HIS rules while operating the equpment HE has given YOU access to.

Fair enough.

Generally, he's also told me to perform X, while preventing, blocking, and generally screwing up all the things that are needed to achieve X.

Also, imagine you're a doctor. Now s/employer/patient/. He's entrusted HIS body to me. HE'S surely paying me. Does that mean I should prescribe what HE says, even if at best it won't help and at worst it will kill him? Sorry, I mean HIM.

Sometimes professionalism means saying "no".

Re:Makes the rest of us suffer...

[Hognoxious]

I doubt that would be legally binding, somehow. Basically, it's the Nuremberg defence.

But IANAL. AWIALCTC?

Re:Makes the rest of us suffer...

[Hognoxious]

There is a vast difference between a PHB making the wise decision to censor himself, and you making the unwise decision that he is not competent enough to have full control over his own property.

So you'd be happy to hand a drunk his car keys?

Re:Makes the rest of us suffer...

[Hognoxious]

No. I am suggesting the PHBs have a stronger bonafide legal and moral right to be able to know the root passwords, and their rights trump any rights or obligations the system engineer might otherwise have to keep anything quiet / not reveal to other employees.

Bullfuckingshit. Their rights do not trump the law of the land. Just one example - in some countries it's illegal to read employees' emails, and in others it's illegal without their consent or at least knoledge. If you were in such a jurisdiction and handed over the root passwords to enable such an act you'd be an accessory.

Second case, what if they were trying to remove evidence of fraud?

Now you might claim you didn't know, or didn't even suspect what they wanted them for. And who knows, the jury might believe you...

Re:Makes the rest of us suffer...

[Hognoxious]

The only time you CAN refuse to give your boss the password is if an even BIGGER boss tells you not to, someone who is also your boss's boss.

Nope. I can refuse if I think a bigger boss would retroactively agree with my decision.

And judges are the biggest bosses of all.

Re:Makes the rest of us suffer...

[Hognoxious]

He's probably someone with a kind of awe/fetish for power - or who wants to suck the cocks of people who have it.

You know, the kind who think cops can make up law on the spot, using that "failure to obey an order" bullshit.

Re:Makes the rest of us suffer...

[shentino]

Laws against wrongful termination and whatnot are bigger bosses, as are the judges who will hand your bosses ass to you if you get fired improperly.

Unfortunately, unless corporate policy or a superior boss higher than yours in the corporate chain of command says otherwise, you do not have the right to deny your boss access to a system belonging to the company you and them both work for.

It might even be against the law for you to give your boss the password, if that bigger boss happens to be something where compliance would result in a HIPAA violation.

As far as cops making up laws on the spot, they too answer to a higher authority. Not only do they have lieutenants and a police chief, plus the mayor watching them, but ultimately if they want to make anything *stick*, they need to have a judge sign off on it in court.

Just because you have to obey orders in a chain of command doesn't give your boss free reign. He has a boss too, and HE has a boss, and so on. In a corporation this chain runs all the way up to the CEO, and he answers to the board of directors.

Re:Makes the rest of us suffer...

[hendersj]

That's fine, your agreement isn't required. :-)

But consider this: Many IT people came from a finance background, especially those who have been in IT for a long time. Back in the 80's and 90's, the finance people were the ones using computers the most (Lotus 1-2-3, anyone?) to track company financials. So when businesses started building IT infrastructures, they turned to the people inside the company who used computers the most: the accountants.

Now, combine completely unfettered access to all of a company's financial information and enough knowledge in financial matters, and what do you get?

It's not about bringing the company to its knees - not entirely. Someone who wants to cause real harm to a company is going to generally want to do it in a way that isn't noticed (whether they're in finance or not) so they can prolong the damage.

It's also about the fact that an IT person has access (generally) to *all* of a company's secrets. An accountant - even a CFO - doesn't have access to all that information.

When the goal is to build an infrastructure that's unified and easily administered (and were IT staff are generally added only when absolutely necessary - and often long after they're actually needed), IT staff are often treated poorly and given access to *everything*.

That's a recipe for disaster if your IT staff aren't trustworthy.

Sack an accountant for violating trust and your exposure is limited only to financial data that they had access to.

Sack an IT person, though, and you need to hire in outside consultants to go over *all* of the systems that the IT person had access to to make sure they didn't put any back doors into the system. By the time they find them - if we're talking about a competent IT person with a grudge - it's far, far too late.

I've seen it happen a few times over my career in IT.

I'm not saying that a lack of integrity is good in any position, but IT people are generally highly intelligent, very resourceful, and generally very cunning. Sometimes they're also social outcasts (though that's less the case now than it was in the 80's and 90's) that the employees in a company try to minimise contact with if they possibly can.

Re:Makes the rest of us suffer...

[hendersj]

Anyone worth their salt will be able to screw up a system so that an audit trail will be of little help.

Especially with physical access to the systems and a legitimate need to be in the server room.

If you have physical access, all bets are off. Whoops, that ethernet cable seems to have not been plugged in all the way - before I plug it back in, I'll just fiddle with the box a little bit to make sure that the interface isn't hosed as well - oh, what's this? Finance data. Flash drive, copy, clear history, plug cable in.

A smart IT person who means to do evil has plenty of options available and will know the ways they can be monitored and how to work around them. The first mistake any manager or auditor will make is assuming that the auditing software systems are foolproof. And of course there's also the delicate matter of explaining to IT staff that you're watching over their shoulders but it's not because you don't trust them. Only some industries have regulatory needs for that type of monitoring and auditing, after all.

Having an auditing system in place can be read by IT staff as "they don't trust us" which can actually lead to untrustworthy behaviour. I've seen that happen as well.

Re:Makes the rest of us suffer...

[hairyfeet]

Here is the problem with your theory: True story, I used to have lunches in the state capital with a gruff old Linux admin named Glenn. Hell of a nice guy, just forever swamped and overworked and therefor really was too busy to BS most of the time.

So one week he comes in more ticked than usual, as he had to go all the way to the main office to be drug before the regional head because the PHB above him wanted to fire his ass. here is what the PHB said to the regional: "He has NO RIGHT to tell me who I am allowed to speak to! He is blocking my emails from Melissa and refusing to let me have them! He should be fired for insubordination!"

Lucky for Glenn the regional head actually read tech journals and knew what Melissa was. He turned to Glenn and said "Is he actually talking about the bug going around?" when Glenn said yes he rolled his eyes and said "Glenn is doing his job and actually protecting this company. There is NO "Melissa" it is a computer bug that spreads through networks and makes a mess, which I'm sure Glenn tried to explain if you weren't busy having a fit. From now on when Glenn says no that is FINAL, got it?" and then he had his secretary send Glenn a free steak dinner for two for having to put up with "that ass" as he put it.

But if that PHB had been given "the keys to the kingdom" as it were he would have happily unblocked the virus, brought down the whole damned network, and would HE have been fired? hell no! He would have blamed it on the IT guy for not "having a better security plan" or some shit. life ain't fair folks, and oftentimes just like shit the morons often float to the top.

Re:Makes the rest of us suffer...

[rtb61]

The defence is you do not have control over who can administer the machine, as such any attacks coming from it are not automatically yours. Everyone who has equal access to the machine is also liable, especially when taking into account script kiddie software.

The main reason for this is not so much the prosecution nut search warrants extending to your own home and confiscation of all your personal digital assets whilst they are investigated, often taking months, all down to incompetent manipulations of the company hardware by the PHB and their preferred butt polishers.

There are real liability questions which need to be covered to ensure you as the system administrator a not legally liable for all criminal activity originating from the computer system you manage.

Re:Makes the rest of us suffer...

[TapeCutter]

You missed the part where I said "you are not free to force your advice on him (unless he is performing an illegal act)".

Re:Makes the rest of us suffer...

[TapeCutter]

"Sometimes professionalism means saying "no"."

Of course it does, but denying someone access to their own property is not one of those times. You can advise against it but as I said you do not have the right to force your proffesional advice onto your client/patient/boss unless what they are proposing is illegal. Any time you say "no", (and I've done it numerous times myself), you have to be prepared to walk and it would be unproffesional in the extreme to walk without returning the keys.

Re:Makes the rest of us suffer...

[TapeCutter]

Basic property rights are for everyone, even the incompetent.

Re:Makes the rest of us suffer...

[Hognoxious]

Yeah, put them in some kind of escrow with a third party.

Or maybe there's a way to split the password among several people so one knows AB****, one knows **CD** etc.

Re:Makes the rest of us suffer...

[fishexe]

Basic property rights are for everyone, even the incompetent.

I didn't say he didn't have property rights. Wisdom and legality are not the same thing.

Re:Makes the rest of us suffer...

[TapeCutter]

"Wisdom and legality are not the same thing."

Who said it was? My point was that starting a fight you can't possibly win is generally regarded as unwise.

Re:Makes the rest of us suffer...

[sqldr]

Combine this with a proper centralized authentication/directory services system

How are you getting on finding one of those which doesn't have an admin password? :-)

Re:Makes the rest of us suffer...

[Just+Some+Guy]

Maybe the true lesson to learn is this: don't let former employees keep their access. Not even for a few days.

And the corollary: when leaving a job, for any reason, request in writing that your access privileges be revoked immediately. If you can't get in then you can't be blamed for random mishaps down the road. And while your request obviously doesn't accomplish the technical task of removing your access, it does help establish your good intent should anything suspicious ever happen.

Re:Makes the rest of us suffer...

[snowraver1]

You actually own about 1/350,000,000th of it. You alo do not possess any responsibility for the nuke, just like being a member of a co-op doesn't mean that you can just take free stuff because you are an "owner".

Is this really so hard to understand? I thought that slashdot people were generally pretty smart....

Re:Makes the rest of us suffer...

[mysidia]

here is what the PHB said to the regional: "He has NO RIGHT to tell me who I am allowed to speak to! He is blocking my emails from Melissa and refusing to let me have them! He should be fired for insubordination!"

Sounds like in that story the "regional" is the PHB. I'm not so sure the idiot counts as PHB in that story. A true PHB would have at least the power to discipline and/or fire the sysad on the spot, and would be more skilled at managing people anyways, so it would have happened differently. The fact the guy couldn't/didn't fire the sysad himself suggests he's a mere team leader/coworker, or supervisor, with little/no authority over the sysad, rather than a PHB.

There's definitely a difference between the boss and such a person.

But if that PHB had been given "the keys to the kingdom" as it were he would have happily unblocked the virus

No, probably not... merely having the keys does not confer the abilities required to pilot the aircraft; he would be in for a crash landing, and yes, unfortunately the sysad would suffer too in that case.

The pseudo-PHB on the other hand would not get that far, he could start the engine, perhaps, login, and then be clueless once presented with a bash prompt, his plane would never get off the ground.

, brought down the whole damned network, and would HE have been fired? hell no! He would have blamed it on the IT guy for not "having a better security plan" or some shit.

Realistically, he would've had to have found another person (a different technical person) to give the keys to.

The person he handed the keys to and ordered him to unblock Melissa, probably would have advised him of the error of his ways, and if they proceeded with the unblocking anyways, particularly if the blocking was properly documented.

After being advised by two people not to, someone would be taking the blame, but not the sysad who stated his objections, which he fully documented, and alerted corporate security to, but ultimately did was ordered, and documented that fact.

The paper trail would point so clearly to one person, that I think the pseudo-PHB might actually have a lot of explaining to do to the real boss.

Re:Makes the rest of us suffer...

This concept is one which has intrigued me for years. As a system admin and an IT professional you are often put into situations like this. Where your boss or an unqualified auditor approaches you demanding access because they want it, they claim they need it and/ or they just simply pull rank. A big issue here is that many of these professionals do not have security as a 'top-of-mind' topic. Many often use insecure passwords and will store passwords in ways and locations which are deemed insecure. When the systems are breached and the shit ultimately hits the fan the blame falls back on you as the system admin. I think the real trick here is trying to find a happy balance of cautiously warning management without sounding insubordinate.

Re:Makes the rest of us suffer...

[fishexe]

"Wisdom and legality are not the same thing." Who said it was? My point was that starting a fight you can't possibly win is generally regarded as unwise.

Depends. Sometimes the costs of doing an ordinarily unwise thing are less than the costs of the alternative, rendering the ordinarily unwise wise.

Re:Makes the rest of us suffer...

[Hognoxious]

Indeed I did, but since you posted it a) in another part of the thread and b) a day later than my post I'd say I was justified in doing so.

Re:Makes the rest of us suffer...

[cinderellamanson]

You work at gawker don't you?

Re:Makes the rest of us suffer...

[ps2os2]

I have a long reply to this but will try and make it short.
At one of my previous jobs the VP thought it would be a great idea to log everything I did (I was a sysadmin).
It was fun as right during my mass update of the OS I was getting so many loggings that the system actually slowed down because of it.
I called the auditor and asked him if he wanted to see what I was doing and have me explain what was going on. He was surprised and said sure bring it upstairs. I had three people bring 17 boxes of printout up to his conference room and put them on the table I told the three people to go back to their jobs. So I sat and waited for about 10 minutes and the auditor walked in and asked me what all this printout was from. I said well 10 percent of it is you logging me and the other 90 percent is printout that has to be saved for 12 months. Would you like me to explain what is going on? He says well he only has a few minutes and the conference room is booked. I said look I will give you a 5 minutes intro and just go through some of the output. I had to explain in 5 minutes a high level over view on maintenence and how it is supplied from the vendor. I then proceded to go through the first few pages and I could see his eyes glaze over and I paused. Is this enough explaination to ask you to turn off logging on me? He says he will get back to me.
10 minutes later he calls me up and tells me he has authorized the logging be turned off on me.
About 3 weeks later I was talking with my security guy and I asked him in a round about way who asked to have me logged. He would not tell me directly but I got who it was from they things he said. It was my boss's boss squared.
So the next time I had to run one of my huge jobs I got the three people together and put the paper on some carts and wheeled it in to his office and asked him if he wanted to see what I do for a living (he really had no clue). He said no thanks the auditor OK'd it and that was good enough for him. As I was leaving I could hear him on the telephone to the auditor asking how I knew who asked for the logging the auditor said he didn't tell me (he didn't). He never could figureit out.

Um good?

[Hatta]

Person commits crime, goes to jail. Fascinating reporting there.

Re:Um good?

[Panspechi]

She's not that good if she got caught... and seemingly the only evidence they really got was her admission. This smells like S.P.E.C.T.R.E. had their hands into this. This, thne VISA and Masterdarc. What's next?

Re:Um good?

Anonymous Coward did the actual hack. This woman just happened to be in the right place for us to frame.

Re:Um good?

I'm more suspicious of C.H.A.O.S.

Re:Um good?

[scorp1us]

You missed it. There's a girl in IT. That's the news!

Its not even that she hacked in. NASA has always had a problem with girlfriends of employees getting pissed, getting in and then breaking stuff.

Re:Um good?

[fyngyrz]

No... it was probably T.H.R.U.S.H.

Re:Um good?

Yes, generally news is about stuff that happened. Brilliant commentary there.

Re:Um good?

[RevWaldo]

Everyone knows C.H.U.M.P. is behind this one!

.

Re:Um good?

[LifesABeach]

If I understand this correctly:
1. IT person argues with boss at work.
2. boss dismisses IT person for arguing.
3. boss says IT person wouldn't do what boss wanted.
4. IT person responds by changing some settings on a machine.
5. boss calles police and says, "arrest IT person."
6. police and judge put IT person in a jail.

ok

So, what we now have is a person who knows security settings, who is very angry, who has demonstrated an ability to change settings on machines. AND! is now in a big room filled with other angry thieves. I'm glad I don't live in Florida.

Re:Um good?

[sconeu]

No, Shmart, it vas KAOS!

Re:Um good?

[RatBastard]

Would you feel safer if they just took her out behind the chemical sheds and shot her? Putting people in jail is what you do when said people illegally access your system and cause serious damage.

Re:Um good?

You missed it. There's a girl in IT. That's the news!

Was.

Apparently she GTFO, not tits.

Re:Um good?

[LifesABeach]

Community Service? With the idea of calming both IT person, and boss.

Harsh Sentence

[Manip]

I love how computer crimes are measured on an entirely different scale to all other crimes. While I think her crime was serious, when you look at the prison sentence relative to other things it seem disproportionate. If she had done the same thing without a computer I bet she would see less than 1/2 the jail time.

Re:Harsh Sentence

[KublaiKhan]

It'd be interesting to see someone modify payroll records without a computer in this day and age.

Re:Harsh Sentence

[nomadic]

If she had broken into the place, shredded documents, forged payroll records, changed some locks and damaged others so doors wouldn't open you think she would get less than half the jail time?

Re:Harsh Sentence

What you can't understand you must punish harshly... got a feeling there is more and more of that these days...

Re:Harsh Sentence

[Monkeedude1212]

No, I'm pretty sure she would have been rehired and promoted into a management position.

Re:Harsh Sentence

[fuzzyfuzzyfungus]

Does taking a fire-axe to the SAN count as "using a computer"?

Re:Harsh Sentence

[TheL0ser]

So you're saying shredding/burning records, cementing up doors to rooms (bad analogy, but I'm too lazy to think), and changing locks on other doors would be 9.5 months of jail time?

Re:Harsh Sentence

[Frosty+Piss]

... when you look at the prison sentence relative to other things it seem disproportionate.

Your view might be different if it was your IT department, or your pay and leave records being dinked with...

If the penalty is a slap on the wrist, what's the deterrent?

Re:Harsh Sentence

[JaredOfEuropa]

What if she broke into the office and set fire to a couple of file cabinets, and burned the company's financial books and payroll records as well (assuming they'd have none of it on computers)? Even if her actions wouldn't burn down the whole building, I should think she'd get a stiff penalty for that, including some jail time.

Re:Harsh Sentence

[Farmer+Tim]

As a target, yes.

Re:Harsh Sentence

[MyLongNickName]

1st: I do not think I agree with OP. If I did the same damage without a PC, I bet I would be arrested.

2nd: The reporting is interesting. To a great extent, folks knowledgeable about computer systems/programming are looked on as some type of magicians. We get mixture of respect and contempt because of this. People depend on us and our services and that creates a high level of conflict.

3rd: They are actually working on the idle CSS. Still sucks, but at least the edit textbox is no longer 0.75" wide.

Re:Harsh Sentence

[Frosty+Piss]

No, I think her sentence would be about the same. But remember anyway, 19 months means half of that, most low-level white-collar criminals get "good behavior" and "overcrowding" breaks...

Re:Harsh Sentence

[Bigjeff5]

Do you realize how much damage you can do with that kind of access?

You are seriously underestimating the seriousness of the crime. That she didn't do all that much damage is relevant to a point, but she clearly intended to do as much harm as she could.

Re:Harsh Sentence

[Delusion_]

You make a good case for not involving the victims in sentencing.

Re:Harsh Sentence

[jeffmeden]

You're right. It IS interesting: http://articles.latimes.com/2010/jul/19/local/la-me-state-computers-20100719

Re:Harsh Sentence

[Frosty+Piss]

You make a good case for not involving the victims in sentencing.

Bullshit. Sentiences *should* bare some relationship to the impact on the victim.

Consider a geriatric wino living under a bridge - of no particular value to society. Does this make bum-killings "OK"?

Re:Harsh Sentence

[TheLink]

Once you use fire, it could be categorized as arson.

In some places the penalties for arson can be quite significant.

Re:Harsh Sentence

[gfreeman]

Er, no ... which is entirely the point he was trying to make. Killing a bum gets you the same sentence as killing the President. Do you think it should be different?

Re:Harsh Sentence

[gmack]

I'm wondering why it took 3 months to get her to hand over the password. Not defending what she did but why couldn't they just preform a password reset?

It really doesn't seem like either her or her employer were all that competent.

Re:Harsh Sentence

[pantheonwhaley]

The point I think Frosty Piss was trying to make is that a bum and the President both equally want to live. Not that people value them differently.

Re:Harsh Sentence

[redstar427]

It's a good thing she didn't share music files from a CD at the same.
She could have owed millions of dollars, and her sentence might have been for a much longer time!

Re:Harsh Sentence

[davev2.0]

I worked there for a while. I am guessing she was the sole IT person. Thing to remember is that SCHC is a non-profit where most of the budget goes to health care.

Re:Harsh Sentence

[Bobakitoo]

She was the only IT worker, and they fire her.

Re:Harsh Sentence

[TheRaven64]

I think that's part of the entrance test for interviewees at Goldman Sachs.

Re:Harsh Sentence

[davev2.0]

I am betting the fact that SCHC is a non-profit providing health care to migrant workers, the elderly, and the poor might have figured into the sentencing.

As for how she was able to do so, she was probably the only real IT person in the company



Disclaimer: I worked at SCHC as the sole IT person for a long time.

Re:Harsh Sentence

[Johnny5000]

Your view might be different if it was your IT department, or your pay and leave records being dinked with...

This.
I used to work at a place with a really shitty asshole of a manager. One of the other employees apparently had the bright idea to create a program that would mess with all of the customer records, since it would somehow make the asshole manager look bad when stuff started to fail.

Apparently he had been screwing around with the customer records for months, which pretty much made all of the backups worthless.
One day he went too far, his damage caused the whole system to crash, and he got caught.
He was fired, of course, and I'm pretty sure he had charges brought against him, but guess who had to clean up the mess?

Re:Harsh Sentence

[icebraining]

No, parent's saying it shouldn't be up to the victims to decide the sentence.

Yes, if it was my IT department, one could feel more strongly. That doesn't mean it's a better sentence.

Re:Harsh Sentence

[Delusion_]

My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.

That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.

If I am guilty of a crime, what I did is what should matter, not how good or bad a person the victim was. Rather than go down Hypothetical Alley with you about the value of human life, I'd like to keep our hypothetical closer to the facts:

Would this crime be more heinous "your IT department", as you put it, were genuinely good people? Would it worth less sentencing if it took place at an equivalent organization whose IT staff was lazy and whose managers were bombastic annoying pricks? Surely not. In that case, your opinions as the victim as to what the guilty party deserves regarding sentencing are too compromised.

Re:Harsh Sentence

[Xugumad]

I was thinking that. Computer crimes aren't punished more severely, it's just easier to commit more severe crimes with them...

Re:Harsh Sentence

[cayenne8]

"The point I think Frosty Piss was trying to make is that a bum and the President both equally want to live. Not that people value them differently."

These days...it is getting hard to TELL which one is the bum, and which one is the president.

Re:Harsh Sentence

[Frosty+Piss]

My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.

As was the case here. The victim didn't choose the sentence.

By the way, do you object to "Victim's Impact Statements" at the sentencing? For serious crimes like auto-related deaths / maiming, home invasions, and murder?

Re:Harsh Sentence

[Maury+Markowitz]

These days...it is getting hard to TELL which one is the bum, and which one is the president.

Not at all. One of them no longer smokes.

Re:Harsh Sentence

[TheQuantumShift]

Like breaking in after hours and swapping everyone's password stickies from under their keyboards? Or if the same department that secures IT secures the building, she probably still had her badge, so no breaking required. My guess is "The Guy" that handles AD/LDAP/whatever security was on vacation. Or they have some really shoddy security policies. Someone call the HIPAA/SOX police, quick!

Re:Harsh Sentence

[nomadic]

Also more likely to get hit with federal charges, though I will say if I were her I'd rather do my time in federal prison than Florida state prison.

Re:Harsh Sentence

[pspahn]

I dunno, I think morality of what happened should factor into the sentence (though, not whether you are guilty or innocent).

A man mysteriously appears and jumps into the river to save your child. When he gets out of the water, you recognize him as an escaped convict from the news. Do you tell the authorities?

Re:Harsh Sentence

[Delusion_]

I wasn't responding to the case. I was responding to your post:

> Your view might be different if it was your IT department, or your pay and leave records being dinked with...

> If the penalty is a slap on the wrist, what's the deterrent?

RE "Victim's Impact Statements", yes, I object very strongly to them. This "Victim's Rights" movement is nonsense. It's not the victims who are on trial, it's the defendant. I understand why a victim desires a harsh, punitive sentence, but I think a judge and jury have a better chance of getting it right.

Not that there aren't fundamental problems in our legal system. Let me bore you sometime about how traffic courts have become an immoral revenue generation scam in most jurisdictions.

Re:Harsh Sentence

[pgn674]

In Maine, if you see a person's password for their email account on a post-it note, and subsequently use that password to log into that person's email account without their express permission, then that is considered a crime of the same class (I, II, A, B; not sure) as beating up a small child.

Re:Harsh Sentence

[fluffy99]

It took them 3 months to figure out who was intruding into the system. Once the FBI asked/interrogated her, she fessed up. Still 3-months is a long time to go without the password when I'm sure the manufacturer would have helped them rest the password.

Re:Harsh Sentence

[MichaelKristopeit236]

you are NOTHING

Re:Harsh Sentence

[MichaelKristopeit223]

if you claim someone molests children and beats their wife, and that someone later murders the person making the accusation... was the victim asking for it?

cower some more, feeb.

you're completely pathetic.

Re:Harsh Sentence

[McMuffin+Man]

If she had broken and entered, destroyed some property, changed locks, sabotaged, say, manufacturing systems so they would need repair before normal business operations could continue, and falsified documents (fraud), you think she would have gotten a _smaller_ sentence?

Re:Harsh Sentence

[MichaelKristopeit223]

if someone claimed another molested children and beat their wife and was raped by religious figures, and that someone was later murdered for their actions... would the sentence still be the same?

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Harsh Sentence

[Frosty+Piss]

Let me bore you sometime about how traffic courts have become an immoral revenue generation scam in most jurisdictions.

My city has recently embraced the Traffic Camera - to improve traffic safety of course.

Re:Harsh Sentence

[MichaelKristopeit224]

what do you think your mother would say in her "Victim's Impact Statements" if you were murdered for claiming someone molested their children and beat their wife and was raped by a religious figure?

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Harsh Sentence

[arbitrarymodulus]

Somewhere in Ohio... The state senate maybe?

Re:Harsh Sentence

[MichaelKristopeit226]

if the penalty is death, the perpetrator would cower in fear.

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Harsh Sentence

[trevdak]

Hell, if she could change someone's passwords without a computer, I'd hire her.

Re:Harsh Sentence

[sjames]

To an extent, the victim's nature could be either mitigating or aggravating for many crimes. If someone spews enough filth and venom at someone else, I would say that the inevitable punch in the nose is mitigated down to disorderly conduct. OTOH, if the victim is perfectly polite and reasonable, there is no way to justify the punch in the nose at all.

However, that only bolsters your primary point that the victim shouldn't determine the sentence.

Re:Harsh Sentence

[Americano]

Why do you say this crime is not worth a year and a half of jail time? She tampered with files & data. At a health center.

Do you know she didn't delete your medical records, or change something in them? Maybe you have a drug allergy. Are you okay with her nulling out a couple tables in a database that might contain that information? How about the lost time & effort of recreating or restoring all the data she tampered with and/or destroyed, and verifying the data that's still there to make sure she didn't corrupt it more subtly?

I'd say a year and a half (considering she'll probably be paroled for good behavior after she's served... what is it, 1/3 of the term she'll become eligible?) isn't all that steep. I think your sense of proportion as to how crimes are punished is skewed into thinking that simply because there's a computer involved, it must not be as serious as people think.

Re:Harsh Sentence

[Frosty+Piss]

...i'm 6'4" 220 lbs...

Are you sure you're not 4'6" and 220?

Re:Harsh Sentence

Did you read the article? She was sentenced to federal prison. The reduction for good behavior applies for sentences of more than a year and is 54 days per year. The computation is not well-defined, however. She should spend about one year and four and a half months, give or take. Closer to 87% of her sentence than half.

Re:Harsh Sentence

[MichaelKristopeit233]

you will die very soon at the hands of a man you told lies about.

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Harsh Sentence

[westlake]

If she had done the same thing without a computer I bet she would see less than 1/2 the jail time.

It always surprises the geek when one of his own has to serve hard time.

The real punishment here, of course, is the long term consequences of conviction on a felony charge.

Re:Harsh Sentence

[werfele]

A man mysteriously appears and jumps into the river to save your child. When he gets out of the water, you recognize him as an escaped convict from the news. Do you tell the authorities?

Inspector Javert says "You betcha," with an outrageous French accent of course.

Re:Harsh Sentence

[Delusion_]

She'd probably say the same heartfelt emotional stuff every other mother says during these fiascos, and I sympathize.

But a sentencing hearing or a jury trial isn't a good place to rely on one's emotions rather than facts.

Re:Harsh Sentence

[MichaelKristopeit233]

if you were murdered, would anyone care? would anyone applaud?

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Harsh Sentence

[Coren22]

19 Months? Not terribly long. I imagine they got her on a few felonies, so not so surprising. Did you perhaps misread that as 19 years?

Re:Harsh Sentence

[Coren22]

Exactly, not a heck of a long sentence considering the charges sound quite bad. Perhaps they let her off easy because it was "with a computer" instead of physical?

Nice job on your trolling of MK, you got him pretty mad, but it was a hilarious read.

Re:Harsh Sentence

[MichaelKristopeit233]

"Frosty Piss" spends their days making false claims that religious figures have raped me and that i beat my wife and molest children.

do you believe such actions beg for justice?

do you believe such a person would live much longer if the person being defamed with false accusations owned numerous firearms?

Re:Harsh Sentence

[Coren22]

The bum?

Re:Harsh Sentence

[MichaelKristopeit220]

tick tock tick tock tick tock tick tock

cower some more, feeb.

you're completely pathetic.

Re:Harsh Sentence

[Coren22]

Interesting question. I would probably give him a head start and show up at his sentencing hearing to tell the story.

Re:Harsh Sentence

[Coren22]

You know what, this is why people use pseudonyms online and don't give out their addresses (even if they are fake) People like you who go off the rocker all the time and attack everyone else.

Re:Harsh Sentence

...if you were murdered

You don't have the stones.

Re:Harsh Sentence

[PRMan]

Killing a bum gets you the same sentence as killing the President.

What's the difference?

Thanks, I'll be here all week. Try the veal...

Re:Harsh Sentence

[MichaelKristopeit220]

false claims were made by "Frosty Piss" that i beat my wife, molest my children, and was raped by a religious figure. i will bring justice to anyone making such false claims against me.

the rocker was left by "Frosty Piss" long ago... would bludgeoning someone with broken rocker parts long enough cause them to die? is there any way to test such a theory?

who is "everyone else"?

you are NOTHING

Re:Harsh Sentence

[MichaelKristopeit219]

this is why people abandon their civil rights and beg their representatives to rubber stamp the legislation towards a police state.

you are unable to defend yourself? you are unwilling to take responsibility for your actions and comments and false claims towards others?

JUSTICE WILL FIND YOU.

cower some more, feeb.

you're completely pathetic.

Re:Harsh Sentence

[Coren22]

who is "everyone else"?

Everyone who replies to every post of yours? Example:

you are NOTHING

Re:Harsh Sentence

[MichaelKristopeit234]

i have replied to my own posts, moron.

you're an ignorant hypocrite.

why do you cower? what are you afraid of? are you afraid of your rocker? if you don't get off it, you'll die in it.

cower some more, feeb.

you're completely pathetic.

Re:Harsh Sentence

[Dausha]

Heck, I'd like to see her delete passwords and lock IT systems without a computer.

Re:Harsh Sentence

[bckrispi]

Nope. This is Federal Prison. With good behavior, her sentence will not be reduced by more than 15%

Re:Harsh Sentence

[bckrispi]

Killing a bum gets you the same sentence as killing the President.

Nope. Murder of a Federal employee carries a different set of punishments.

Re:Harsh Sentence

[bckrispi]

That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.

That's just silly - as well as contradictory. If you don't want "mandatory minimums", you obviously need to leave some level of sentencing discretion up to the judge. In these cases, a Judge must weigh both the mitigating as well as the aggravating facts in the case.

Re:Harsh Sentence

[gfreeman]

They kill you twice? Deader than just normal dead?

Re:Harsh Sentence

[gfreeman]

Consider the waitresses tipped :D

Re:Harsh Sentence

[Kjella]

That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.

When they're not being abused, minimum sentences make sense. The jury has a range of sentencing, but the law still says no variety of the crime is worth less than X years in prison. Otherwise you could have something much worse than jury nullification, you could have juries finding the guy guilty of murder and sentence him to pay $1. The way the US looks at double jeopardy he couldn't be trialed again.

Re:Harsh Sentence

and ran for US Senate seat.

Re:Harsh Sentence

[TheRecklessWanderer]

The truth of the matter is, much like the war in Iraq, this crime costs corporate America money, and therefore is of interest to every one everywhere.

Re:Harsh Sentence

[Pence128]

...but some animals are more equal than others.

Re:Harsh Sentence

[Pence128]

Wait, you think jury nullification is a bad thing?

Re:Harsh Sentence

[tqk]

Heck, I'd like to see her delete passwords and lock IT systems without a computer.

Powerful magnet passed over harddrive. Granted, it's tough to do that remotely, and easily recovered with proper backups.

Re:Harsh Sentence

[SteeldrivingJon]

No, it also costs *fellow employees* money, and time.

Re:Harsh Sentence

[SteeldrivingJon]

I think most people can understand "fucked up your accrued vacation time" which is equivalent to "fucked up your banked vacation pay" without difficulty.

If, say, I had eight weeks accrued vacation coming to me, having not used any in a long time, and some psycho IT person intentionally wipes it out, it doesn't matter to me that a computer was used. I don't care if she wiped a hard drive, dropped a table, burned a stack of punch cards, or shredded old-fashioned paper files containing the information.

What I understand perfectly is that she wiped out records that I am owed eight weeks of salary, in the form of paid vacation time, which I have earned over an extended period.

If, say, I were laid off, I would expect to receive the cash value of that vacation time, along with any severance and final paycheck. If I were laid off immediately after the psycho's action, this would be significantly complicated, and I'd certainly not be confident that the employer wouldn't screw me out of the money.

It may be possible to fix the missing data, but in the meantime that's a non-trivial amount of pay in limbo. And if I were on the verge of leaving on a long-awaited vacation to use that accrued vacation time?

Re:Harsh Sentence

[MichaelKristopeit311]

my home is surrounded with stones, coward.

Re:Harsh Sentence

[MichaelKristopeit312]

your city has recently be invaded by a pathological, paranoid recluse.

you make claims of violence against women and homosexual rape by religious figures all with no evidence. they exist only in your broken psyche. you fantasize of child molestation.

you are WORTHLESS. justice will find you.

why do you cower? what are you afraid of? are you afraid of justice?

you're completely pathetic.

A Florida Story...

...reported on an Australian website? Odd.

Crime doesn't pay, idiots.

Re:A Florida Story...

[gfreeman]

Not that odd. The rest of the world reports on news from the rest of the world. It's only inside the borders of the US that the news programs seem to stop at the national border.

Re:A Florida Story...

Not that odd. The rest of the world reports on news from the rest of the world. It's only inside the borders of the US that the news programs seem to stop at the national border.

Seriously? Only the US?

I can think of several counter examples, but let's keep things simple and talk just about China! Are you asserting the Chinese have a gloriously open flow of uncensored and unfiltered news from both sides of the border?

Re:A Florida Story...

Partially due to size. The US in terms of size is the third largest country in the world. More than sufficient news stories to be had within the borders, Plus a lot of areas of the US might as well be another country (California especially)

Re:A Florida Story...

The US in terms of size is the third largest country in the world.

Yes, because the surface area of a country obviously means it has more newsworthey events, as opposed to the population of the country.

Thick cunt.

Re:A Florida Story...

Swap surface area with population size, and it's still the third largest.

Not even worth "Idle"

[Frosty+Piss]

She committed a serious crime that had no other purpose than revenge. She got caught and will now pay the pric of stupidity.

News?

Re:Not even worth "Idle"

[Delusion_]

The prics of stupidity are going to have a field day with this one.

Re:Not even worth "Idle"

[gfreeman]

Will the pric of stupidity stand up in court, or will she be put through the penal system?

Re:Not even worth "Idle"

Guess she really cocked up on this one.

Re:Not even worth "Idle"

News?

Not really.

If you're going to do revenge, do it better.

In the late 80's, I was a lead IT/admin and once got fired for something petty, (boss liked to save money by firing people to save on raises/vacation) I packed up and left and never looked back. They went from 3 full time IT to 1 (in a remote office) and decided to train a receptionist to handle support and backups (at half the salary, no IT experience).

While I was leaving, I didn't mention that I recently discovered a huge bug in the main processing system and was documenting it to fix. I never found out where I put my notes, I thought they were in my planner, they must caught on fire or something.

If they had laid me off, I would have been happy to help them fix the bugs, but no, they wanted to grab my vacation time and severance pay too. They offered to hire me back as a consultant a few weeks later, I didn't bother returning their calls.

[Yeah, I'm doing this anon, I know my long ex-coworkers would read this if I didn't, I don't want the hassle]

Re:Not even worth "Idle"

Well, at least she was only fired for being "insubordinate". I mean, fuck, these days, if your company is hierarchical & militant enough to use the word "insubordinate", they're just as likely to use "terrorist".
-BLAM- Konsidah yohself fie-ahd."

Fear for People in ...

[BoRegardless]

Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!

Re:Fear for People in ...

[mark72005]

what you say ! ! !

Re:Fear for People in ...

Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!

So, how did they know she was an "imbecile"?

When they hired her, more than likely she was currently employed, had great references, and checked out.

She was fired for "insubordination". That can mean anything: she was uncooperative and unwilling to work with others or she just asked questions and challenged the power that be for their polices - like every Slashdotter does. For example, "Gee boss, why do you want to allow internet access to our employment records?". Questioning authority can mean being labeled as being "insubordinate". Then again, she may have said, "You're an IDIOT for wanting to allow access to employee records from the internet!"

See the difference?

I have been in situations where the boss welcomed the "you're being stupid" argument from underlings and other bosses who called you "insubordinate" for just asking a question.

Of course, her reaction was completely moronic; which probably puts her into my latter examples. But my point is that her employer may have thought she was a great hire.

Re:Fear for People in ...

Somebody set the elderly up the wrong medication.

Re:Fear for People in ...

[Johnny5000]

Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!

As someone pointed out earlier in the comments,
Suncoast Community Health Centers is a non-profit providing health care to migrant workers, the elderly, and the poor. I'm guessing they don't have a lot of money to blow on getting the cream-of-the-crop IT professionals.

Re:Fear for People in ...

[mark72005]

Ethel have no chance survive make her time

Yeah, but...

[Ecuador]

is she hot?
Also, does she run linux at home?

Re:Yeah, but...

[badboy_tw2002]

Isn't the second question redundant? Or maybe, "If not" instead of "Also,".

Re:Yeah, but...

[frieza79]

those are mutually exclusive

Re:Yeah, but...

[MobileTatsu-NJG]

is she hot?
Also, does she run linux at home?

You may choose only one.

Re:Yeah, but...

[pnutjam]

violence is like duct tape, if it doesn't fix your problem, you didn't use enough...

Re:Yeah, but...

Who cares if she's hot. I want to know what distro she runs!

Re:Yeah, but...

[rtyhurst]

I'm sure she's a total babe and a contributor to the Linux kernel.

I look forward to the movie, with her played by Natalie Portman in a skimpy tank top, coding away while Ryan Gosling as Linus Torvald looks on admiringly.

I want to bear her children!

Re:Yeah, but...

I think those are mutually exclusive.

Re:Yeah, but...

Absolutely, positively, not hot. She worked at my company for awhile, she's an idiot, and I would in no way, shape, or form, do her.

You know that saying?

[fuzzyfuzzyfungus]

"Revenge is a dish best served cold." (or by Anonymous, on your behalf...). A massive grudge-hack spree 4 days after your termination suggests that A) IT didn't have its shit together and B) You are now suspect #1.

Unless you are very good, you aren't going to avoid leaving enough of a trail that wriggling out of the "#1 suspect" spot will be easy or comfortable...

Re:You know that saying?

[twidarkling]

Sure it's easy, just make sure you're behind seven proxies!

Re:You know that saying?

[Crudely_Indecent]

It's not that hard to be good at being bad.

Certainly, a dish served cold. Preparations can begin while the plate is still hot though.

1. Start by using your access to create new superuser accounts for yourself which have no reference to your name.
2. Use your new superuser accounts to delete your old superuser accounts and clean up the logs left behind.
3. Write some clever scripts that will do your dirty work at a frenzied pace, then self destruct after altering log files to point at someone you don't like.
4. Set up a scheduled task so the mayhem occurs while you're participating in an iron-clad alibi
5. Feel slightly gypped that someone else is named in the article that hits Slashdot

Re:You know that saying?

[onkelonkel]

Obvious Suspect Fail. If my wife or my business partner were to suddenly turn up murdered, the cops would be at my door in a heartbeat. I fire my IT person and three days later my entire IT infrastructure goes down hard. I don't need to be Sherlock Holmes to figure out who did it.

The way to do it is to put in a few accounts for other ex-employees, "accidentally" elevate them to admin privileges and then walk away. If you still feel the need for revenge 6 months later use one of those accounts to do your dastardly vengeance. Have a cleanup script that deletes all the logs, but maybe leaves an undeleted backup somewhere pointing at your patsy. Have the whole thing triggered by a chron task that goes off while you are hiking in the Himalayas with your church youth group.

Martin Fowlers wife?

Could it be

Doing it wrong.

One does not simply walk into BOFHdom.

What?

[segedunum]

Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.

What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

Re:What?

[Frosty+Piss]

...why would it take anyone three months to solve a firewall issue?

"Reading comprehension" requires you to "think". It didn't take them 3 months to sort out their firewall, it took the FBI 3 months to pin down build a case against the rouge IT wench.

Re:What?

[Guidii]

Why would it take anyone three months to solve a firewall issue?

In July, the FBI secured an admission from Fowler that she had hacked the centre's systems, at which point she handed over the new password

They weren't configuring the firewall. They were trying to access it.

Couldn't they just reset the thing?

Re:What?

[eviloverlordx]

I didn't know she was wearing makeup at the time of her criminal activities.

Re:What?

According to the article it took the FBI three months to get her to confess and give the new password.

Re:What?

lockouts prevent backtracing

Re:What?

[pilgrim23]

What she did was remove all security and allow her Bosses to do exactly what they asked for... 10 minutes later the missiles launched and all was ruin.

Re:What?

[lymond01]

Seriously. Replace the firewall.

Re:What?

[ZappedSparky]

"Computer, *bleep* security lockout, authorisation,Sparky, charlie tango one five nine alpha."

Re:What?

[gfreeman]

Badum-tisch

Re:What?

[plcurechax]

Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.

What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

That's how long the FBI spent running all the staff through ICE (Immigrations) before they replaced it. And you thought your last doctor's appointment was a long wait...

At the speed of government.

Re:What?

[ElectricTurtle]

Consequences will never be the same.

Re:What?

[Ambiguous+Coward]

Have you seen the amount of paperwork involved? That alone could take up to 90 days for the FBI to process.

Now, if it's not actually helping people, it'll be done by tomorrow.

Re:What?

[Charliemopps]

I'm fairly sure I know exactly what she did. Most companies have the same security flaw. They have their network hardware resolve user names and passwords the same way all their workstations do. They also have a "Lockout" if you get the password wrong a certain number of times (usually 3.) I'm sure you've seen this before. The vaulnerability is, if you then have everyones email be: userid@yourcompany.com, anyone can very easily pull down a full listed of userids from the exchange server. The companies address list literally has every userid in the company. You then simply write a script to hit a piece of network equipment 3x with a garbage password for every single user in the company. Because it's a telnet connection it's REALLY fast. The system locks out every single user. If the admins weren't smart enough to reserve a single master login (and they usually are not) you can cripple the entire company.

Re:What?

you're an idiot.

Re:What?

How's your Slashdot Karma? In the toilet? Maybe it's because you're a cunt.

Re:What?

DFTT, it just makes them think people are actually listening to them.

Re:What?

That's not important right now.

What's important, is that all of our fantasies are running wild that she is a naughty naughty hacker girl and needs to be punished appropriately! Have her bathed and sent to my basem... err, room!

/que *nix shell commands apropos for this scenario.

Re:What?

The question really is, did she lock it out on purpose or did she just guess at the password too many times and Active Directory or LDAP locked it...

Re:What?

[dbIII]

Once again, it's called Exchange for a reason. It's a warning to swap it with something else that works.

Re:What?

[eviloverlordx]

I'll be here all week!

Re:What?

What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

You've just explained why they're going so savagely after wikileaks -- they can't tolerate the idea that someone is so much more competent than they are.

Hence all the bullshit overcharging -- it's well-known that Interpol doesn't get involved in broken rubber stories as a matter of course.

Re:What?

Oh, no way was she smart enough to figure that shit out. She's a fucking idiot.

Oops! - Not sympathetic

If she worked in IT she should have known better.

She is likely not violently dangerous so I hope the system treats her well. Still if she did the crime this is a very believable result.

Certainly not going to help her get a new job.

A female IT worker?

WTF? Is she single?

did she really "hack" it?

[darjen]

or did she use passwords she already had to get into the system? I wouldn't be surprised if this was yet more abuse of the word "hacking".

Re:did she really "hack" it?

Well, the "Anonymous" group is hacking PayPal too with their DDOS "hacking tools". I think hacking has degraded to mean "any unauthorized use of a computer or computer-like device".

Re:did she really "hack" it?

[TheRaven64]

Given some of the 'hacks' that have been reported here over the last year, I think hack now means 'use a computer in a way that the writer does not completely understand.'

Re:did she really "hack" it?

[Crudely_Indecent]

If only you had sudo permissions to grant me mod points....

Re:did she really "hack" it?

[Bobakitoo]

Hacking has become a synonym for magic. Any technical feat that is beyond understanding is hacking. With the dumb media we have, pretty much anything is hacking these days.

Re:did she really "hack" it?

[treeves]

Uh yeah. Is that new or surprising to you? I'd say that probably happened over twenty years ago.

Re:did she really "hack" it?

[McNihil]

Hyperbole time: Wouldn't "use a computer in a way that the writer does not completely understand." include ALL windows (ok ok computer) users? It would include themselves in this category because obviously they don't know what they themselves are doing... everyone is a hacker these days. IMHO Rote knowledge of a computer system regardless of OS and applications is just ROTE knowledge and has nothing to do with understanding... Apes/Cats/Dogs/Rats can all push buttons too and make stuff happen to benefit them.

These writers are themselves HACKS.

ok ok I am tumbling off of the pulpit now.

tks!

Re:did she really "hack" it?

[clone52431]

'use a computer in a way that the writer does not completely understand.'

That was more of its original meaning, but it wasn’t illegal then. It was actually really cool. And breaking into computer security systems was called cracking, not hacking.

Re:did she really "hack" it?

[jollyreaper]

Given some of the 'hacks' that have been reported here over the last year, I think hack now means 'use a computer in a way that the writer does not completely understand.'

I almost got reported for hacking at college. The professor had put the class notes up on his website but made a typo in the html. I was able to ftp into the site and see what the file name should be and pointed out the problem to him. His face turned purple and he started shouting about how hacking would not be tolerated in his class.

Now some of you might say "Oh, man, you should have darked him to turn you in. Wouldn't the look on his face be funny after that!" That's assuming anyone higher up would recognize he was ignorant. More likely, they would accept his claim at face value and proceed directly to deciding my punishment.

Re:did she really "hack" it?

or did she use passwords she already had to get into the system? I wouldn't be surprised if this was yet more abuse of the word "hacking".

Don't look now, but I think your definition of the word just got hacked!

Re:did she really "hack" it?

[clone52431]

I almost got reported for hacking at college. The professor had put the class notes up on his website but made a typo in the html. I was able to ftp into the site and see what the file name should be and pointed out the problem to him. His face turned purple and he started shouting about how hacking would not be tolerated in his class.

You made the mistake of telling him what you did, and he didn’t understand it. Safer just to tell him he misspelled it. Even if it was something ridiculously impossible to have guessed. If he was skeptical about how you figured it out, just look at him funny... like, everyone knows how ~/classes/CS102-ws02-syllabus.rev6.htm is spelled. Unless maybe they’re a complete moron. Duh.

Then you and any of your classmates who knew what was what could enjoy your mirth later behind his back at his stupidity.

Re:did she really "hack" it?

[savvysteve]

I would contend that it was neither. When you already know the password to a computer then you don't get credit for either. This was a criminal act similar to criminal trespass. If I was to leave my key on the front door of my house and someone used that key to enter my home it is still unauthorized access but wouldn't be breaking and entering. It would be a lesser charge. If she had actually cracked the password because they changed them when she was fired I would be more impressed. He IT career is over... Once she gets out she will be flipping burgers b/c she was an idiot.

Re:did she really "hack" it?

[Halifax+Samuels]

As far as I can tell it just means "using a computer" to some people.

Re:did she really "hack" it?

The word "hack" gets misused by the press a lot. However I consider the word to mean 'to gain unauthorised access a computer' so after being fired her use of her username and password was unauthorised.

The password should have been changed and the account disabled of course!

You left out a question

(c) is she a lesbian?

Actually, it does not matter, in 17 months she will be one.

Getting out of the number 1 spot.

[www.sorehands.com]

One important thing about getting out of the number one spot, don't broadcast how you would get out of it on Slashdot.

Could have gotten that password sooner

[callmebill]

http://xkcd.com/538/

What a moron

[Just+Brew+It!]

Sounds like she got what was coming to her. Whether or not she had a legitimate grievance with her employer is irrelevant; you just don't pull shit like that. Period.

Amy Farrah Fowler

Is she related to Amy Farrah Fowler?

Of course it goes along...

Wow! Imagine a Beowulf cluster of her...

Single Point of Failure = Facepalm

[blueZhift]

Hmmm, given that this is not the first time this kind of thing has been in the news, you'd think that companies would not leave a single point of failure like this in place. You always have to be ready for someone with privileges to go rogue, especially when terminating them. During the tech bust of the 90s I remember IT people being routinely escorted from the building during layoffs, not even allowed to turn their computers back on. It was brutal, but I could see how some of those guys could go rogue and do a lot of damage.

Over 2 weeks

[milkyflava]

They noticed the event on March 17th and jumped into action and had it stopped a little after April 1st. Well, just a second there, professor. We, uh, we fixed the *glitch*. So she won't be receiving a paycheck anymore, so it'll just work itself out naturally.

insubordination!

[DarthVain]

Sounds like she tried to start a mutiny or something!

Perhaps she refused a code red?

Seriously how can someone that works in IT at a freaking community health centre get canned for insubordination?

Maybe she had good reason to trash their systems... I'm guessing rogue AI.

Re:insubordination!

They'll call whatever they want insubordination. I've seen honest (and minor) mistakes written up as insubordination by a boss who simply didn't like the worker being written up.

Support collective bargaining.

Re:insubordination!

Insubordination could mean anything in this context. It's typically a catch all word to mean the company (or the employee's boss) didn't like the person much so found any reason they could to get rid of that person. I've seen it all too often (of others and myself). Typically, the person being canned did nothing serious enough to warrant such an action so it leaves the person very frustrated, upset and longing for revenge of some kind. You can't term someone without good cause and expect them to walk out of the building with a smile, handshake and a "thanks for my time here" statement. If you mistreat someone, be prepared for mistreatment in return, even if that mistreatment goes overboard on revenge and is illegal.

This is what actually happened.

[Jesus_666]

FBI Agent A: "Decrypt their firewall."
FBI Agent B: "It's no use! She used a lockout code and quantum-encrypted the datagrams with 3000-bit MD5!"
FBI Agent A: "Damn. We'll have to hack all their IP addresses by hand. Start writing a GUI in Visual Basic."

Three months later...

fBI Agent B: "Success!"
FBI Agent A: "How did you get past that firewall? Did you spoof the ARP cache in order to cure the DNS root poisoning?"
FBI Agent B: "No, we took the machine off the network and replaced it with a new one."
FBI Agent A: *looks at Agent B baffled*
FBI Agent B: "We cut the binary stream on the physical level and installed a dummy firewall using authorized intrusion methods."
FBI Agent A: "Why didn't you say so? Learn to express yourself properly, boy."
FBI Agent B: "Yes, sir."

The best form of revenge

[sauge]

The best revenge is to become successful. I'll never forget the feeling of driving up to a user group meeting, whom an ex-boss was a participant in, with my new BMW.

Crappy Reporting 101

The whole story is crap. It's got misspellings and grammatical errors strewn throughout, gives no concise factual data (other than the possibility of suggesting that someone did something bad and got busted).

1) It's the SysAdmin's fault for not securing the system after a recent termination (assuming an old username was employed and not a legitimate "hack")
2) The FBI wouldn't be the ones "resolving" any sort of "lockout" situation. Auditing maybe, but not resolving.
3) The brevity of the post is clear proof that the reporter had nothing to go on and likely made up what (s)he did.

Three questions

[bradley13]

1. What the hell are the feds doing here? Is everything a federal crime nowadays?

2. $17,000 of damage is worth how many months in jail? Really?

3. How can it possibly take months to resolve the problems?

There is surely more going on here that is being reported. I especially wonder about (1)

Re:Three questions

[Shadow99_1]

It took months because they most likely fired their only IT person. Then had to find the absolute cheapest person to replace her possible, figuring no one had a nephew or niece in need of a job and able to use a computer. Having worked for some place similar, I can say they probably treated her like crap under their shoe to... So this isn't really any surprise to me.

It's a federal crime because it's 'hacking', of course that's the business variant of the word 'hacking' in which they just didn't bother or know how to remove her credentials.

Same reason as #1 for #2... it's 'hacking' and therefore evil beyond monetary damage.

I have two questions

[mikein08]

1. Why didn't this woman do this in such a way that it couldn't be traced back to her? 2. Why did the employer not change all critical passwords and accesses when the woman was terminated? I think both the employee and employer are guilty of terminal stupidity here.

demonstration of incompetence in the company

[Mark+Atwood]

This is a demonstration of incompetence in the company. I have, in the past, been the person who's job it was to secure a system after the firing of a guy who had "the keys to the kingdom". He was called in to the termination interview, and by the time he came back out, his windows and unix accounts was frozen and archived, his remote access credentials were revoked, his email was redirected, and his keycard was invalidated.

Backfire agaisnt IT workers

[Billly+Gates]

What do you want to bet that this will encourage employers to fire anyone on the spot who gives a resignation, dares looks for a job, or gets a call for a reference from an employee who still works for them.

After all if you want to leave you *could* be disgruntled and need to be fired right on the spot and escourted out. This has a double bonus of making I.T afraid to leave as they will be canned if anyone calls for a reference. that means more hours, abuse, and less pay. This worker just makes life more difficult for the rest of us. I read about these employers here and during the recession this has become more common as the accountants want to minimize damage to their I.T. systems.

wrong section

[X0563511]

This should be in Security, IT, or even YRO... idle is the completely wrong place!!

"Nobody touches, my hurricane..."

"... Nobody DARES to even try!" -> http://yro.slashdot.org/comments.pl?sid=1903798&cid=34515054

Funny how you "ran away" over there at the URL icebraining... why is that? LMAO!

("You try to catch me, but you-just-can't-catch-a-hurricane!")

APK

P.S.=> As to my subject-line above, & how it pertains to that link above + our discussion on HOSTS files (where I completely BLEW YOU AWAY, lol)? See THE RODS' video here -> http://www.youtube.com/watch?v=apOdWOK5Rh8&feature=related , as it explains it all as to what happened at the 1st URL above I posted now here, better than I can say it, lol... apk

I admire her industry, but...

[grikdog]

I'll admit, the tactics she unleashed on the company infostructures were somewhat unimaginative. It's possible to cause havoc simply by encrypting everything you're supposed to encrypt as a matter of company policy, giving your supervisor a copy of each of your passwords, leaving under a stormcloud -- and forgetting what all those passwords actually were when they call you weeks later to find out what your password was.

I love information entropy. It's like arson, only the only accelerant you need is your boss' inability to conceive why it might be important to keep those little scraps of note paper. The neat thing is, I always chose SECURE 32 byte passwords, so forgetting was just a matter of non remembering on a daily basis.

What about the PHB's?

After all, what she did, is nothing compared to say, what the "PHB's" did at the likes of Enron!

it's 'workplace' is not 'reich-place'

[globaljustin]

Your description and vision of the workplace is a totalitarian nightmare, not even the military is as cut and try as you describe.

You allow the boss of a worker to be rule with impudence and sharply criticize a worker who does not think of their employer as a slave owner or overlord.

The fact is, any employee can refuse to do anything, and expect that they will at least get a fair hearing from the boss's boss about why they refuse to carry out a specific task.

Yes, under certain circumstances, like a service worker at a small owner-run restaurant, the boss really is a dictator...but even then there are checks...if a restaurant gets a bad reputation they will not be able to find good help, and after a few iterations of the cycle they'll be headed straight for bankruptcy, i've seen it...when a small business gets a reputation as bad employers the word spreads and employees start to not care if they steal or do a bad job for you...

Consequences have actions, and there is a proper way to handle greivances...people like you perpetuate the boss as slave owner mentality...stop it! demand fair treatment!

For most of you....

This is as close to an actual woman you will get.

That's not the way it works in Europe

Here the employer would be sued for bad security.

Harsh?

[SteeldrivingJon]

Dude, if anyone fucked with my accrued vacation, live entry into a running woodchipper would be too kind.