Slashdot Mirror


IT Worker's Revenge Lands Her In Jail

aesoteric writes "A 30-year-old IT worker at a Florida-based health centre was this week sentenced to 19 months in a US federal prison for hacking, and then locking, her former employer's IT systems. Four days after being fired from the Suncoast Community Health Centers for insubordination, Patricia Marie Fowler exacted her revenge by hacking the centre's systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff."

41 of 347 comments

  1. Makes the rest of us suffer... by Anonymous Coward · · Score: 5, Insightful

    Every time some person does stuff like this and it hits the press, every other IT person ends up suffering when the PHBs realize what the sysadmin or the Cisco guy is capable of.

    Will this mean better security? Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

    1. Re:Makes the rest of us suffer... by mysidia · · Score: 2

      Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

      You mean someone who in your technical opinion as an engineer shouldn't be using enable secrets or root passwords?

      The systems belong to the PHBs. If you want to avoid giving out root passwords, then don't have passwords.... use biometrics. Or use a "password under seal" system, where the password is available but secure, and will be changed within days if a backup needs it.

      However, you will still have to provide access, doesn't matter if it's a password or something else, and that is perfectly reasonable, as long as you have accounting measures in place, clear policies on who is authorized to use access, and severe immediate penalties for any backup abusing their access.

    2. Re:Makes the rest of us suffer... by hendersj · · Score: 4, Insightful

      Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

      It's a job requirement to be trustworthy when working in IT. Those who aren't pull crap like this.

      Even if she hadn't gone to jail, if she got caught tampering with systems (either while employed there or after being terminated), she should never, ever, under any circumstances be trusted to admin a system again.

      Ever.

      --
      Insanity is a gradual process; don't rush it.
    3. Re:Makes the rest of us suffer... by MightyMartian · · Score: 2

      This applies across the board. Not just IT people but accountants, managers, legal advisers and so on. IT people are not the only ones who can cause significant damage to an organization.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Makes the rest of us suffer... by Venik · · Score: 4, Insightful

      Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

      And if you decided to fire them, make sure you terminate their access to your network in a timely manner. Somehow I seriously doubt Ms. Fowler actually "hacked" their systems. It is far more likely that after four days she discovered her remote access account still works and she took full advantage of this.

    5. Re:Makes the rest of us suffer... by MightyMartian · · Score: 2

      I don't agree. While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Makes the rest of us suffer... by Rydia · · Score: 2

      It's not a question of who is qualified. It's a question of who is entitled. It's their system and they are the PHB. There isn't a metaphysical judge of who should have what, merely practical; the admin arguing that the PHB shouldn't have access "just in case," and the PHB ignoring that and receiving it anyway.

    7. Re:Makes the rest of us suffer... by HungryHobo · · Score: 2

      I can see why some people have reservations about giving the keys to the kingdom to the PHBs.
      I've heard some real horror stories.

      "I am the boss thus I demand the most important passwords you have!"
      Followed by
      "Password? Oh, ya, I found that big long one hard to remember so I just changed it to my name"
      Followed by
      "Someone has hacked our servers! This is your fault as you're in charge of IT security!"

      So if you must use the "password under seal" system make sure it's a physical system like a safe which sets off several sirens when used, pages you and delivers a short list of "do not do under any circumstances" instructions along with said passwords to whoever is accessing them.

    8. Re:Makes the rest of us suffer... by afidel · · Score: 2

      This is one of many reasons I continue to advocate that if it's not offline it's not a backup.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:Makes the rest of us suffer... by Nadaka · · Score: 3, Insightful

      One difference is the respect that is shown and compensation provided to accountants, managers, legal advisers and so on. Meanwhile IT guys are basically treated like janitors.

    10. Re:Makes the rest of us suffer... by zolltron · · Score: 4, Informative

      Meanwhile IT guys are basically treated like janitors.

      The irony of your comment is that it reproduces exactly the line of thinking that you criticize. You realize that janitors, by having physical access to almost all parts of a business, are capable of more havoc than IT folks. They often have physical access to all the same systems that IT people do and much more. If potential to cause damage should correlate with compensation, I'd argue that the janitors should get paid the most in any organization.

    11. Re:Makes the rest of us suffer... by Red+Flayer · · Score: 2

      While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

      Any business worth its salt has controls in place to prevent any accountant from having enough control with too little oversight to prevent this. In my entire career, I have never worked for a company that was vulnerable to this without the complicity of ownership or top executive-level management. Little amounts might make it through for some of the companies I've worked for... but "in a huge way"? Never.

      As for IT -- it's a function of the work involved that critical infrastructure is vulnerable to a rogue IT staff-member. Proper oversight is hard to do, especially since IT is an enigma to executive-level management most of the time. Proper system design, access management, etc, are harder to ensure for IT systems than they are for accounting processes.

      Accounting example: In order for a payment to go out, it must be signed and/or authorized by a signing authority (usually top-level management) -- many companies require two signatures. The signing authorities have taken the responsibility of ensuring the payment is accurate, valid, etc, and companies have tons of audited controls to make it so.

      IT example: In order for a critical system to be sabotaged... no such requirement. And even if you had the requirement, who among top-level management has the expertise to know what is proper?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    12. Re:Makes the rest of us suffer... by Americano · · Score: 4, Informative

      Then you find a new job. You don't damage their systems and delete their data to "teach them a lesson."

      Imagine if your doctor, after years of telling you to get your cholesterol under control, decided to amputate a leg because you didn't take his admonitions with the seriousness and "respect" he felt that you owed him.

      Imagine if your mechanic came to your house one night and cut your brake lines because you hadn't praised his work as effusively as he felt you should have when you picked up your car.

      This "you better treat us right, or else," is unprofessional bullshit. Someone behaving unprofessionally towards you is not cause to behave the same way in return.

    13. Re:Makes the rest of us suffer... by Hazelfield · · Score: 3, Insightful

      If you don't trust your IT people, they shouldn't be your IT people.

      I think the managers sort of realized that, and that's why they fired her.
      Maybe the true lesson to learn is this: don't let former employees keep their access. Not even for a few days.
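
An added example, not part of any comment above: one way to check the point made by Venik and Hazelfield, that access must end when employment does. It flags terminated accounts that are still enabled and any authentication activity after the termination time. The HR records, directory snapshot, log format and account names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed HR termination records: account -> termination time.
TERMINATIONS = {
    "exadmin": datetime(2024, 3, 1, 17, 0),
    "jdoe": datetime(2024, 3, 2, 9, 30),
}

# Constructed directory snapshot: account -> still enabled?
DIRECTORY = {"exadmin": True, "jdoe": False, "asmith": True}

# Constructed auth log, assumed format:
# "<ISO timestamp> <user> <source> <service> <result>"
AUTH_LOG = """\
2024-03-01T08:02:11 exadmin 10.0.0.5 vpn success
2024-03-02T10:00:00 jdoe 198.51.100.7 vpn failure
2024-03-05T22:14:09 exadmin 203.0.113.40 vpn success
2024-03-05T22:20:31 exadmin 203.0.113.40 firewall-admin success
2024-03-05T22:25:00 asmith 10.0.0.9 vpn success
"""


def parse_log(text):
    """Yield (when, user, source, service, result); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, service, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        yield when, user, src, service, result


def audit(terminations, directory, log_text, grace=timedelta(0)):
    """Return findings as (kind, user, service, delay_after_termination)."""
    findings = []
    # 1. Terminated accounts that the directory still reports as enabled.
    for user in terminations:
        if directory.get(user, False):
            findings.append(("ACCOUNT_STILL_ENABLED", user, None, None))
    # 2. Any authentication activity after termination (plus optional grace).
    for when, user, src, service, result in parse_log(log_text):
        term = terminations.get(user)
        if term is None or when <= term + grace:
            continue
        kind = ("LOGIN_AFTER_TERMINATION" if result == "success"
                else "ATTEMPT_AFTER_TERMINATION")
        findings.append((kind, user, service, when - term))
    return findings


if __name__ == "__main__":
    for kind, user, service, delay in audit(TERMINATIONS, DIRECTORY, AUTH_LOG):
        print(f"{kind:26} user={user} service={service} delay={delay}")
```

A failed attempt against a disabled account is reported too, since it shows a former employee probing for access that was correctly removed.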

    14. Re:Makes the rest of us suffer... by Mister+Whirly · · Score: 4, Insightful

      Owner status trumps technical experience every time. Trust me, any PHB stupid enough to demand access to areas they know nothing about and then go messing about is going to screw something up. When they realize just how much money it will take to fix their screwups, sooner or later they will realize why it isn't smart to give themselves access to said areas. But if the owner demands the keys to the kingdom he owns, he gets them whether or not it is the smart move or not. How long do you think any employee who refuses an order from the owner is going to last? And how do you go about determining who is qualified to make the decision if someone is qualified?

      --
      "But this one goes to 11!"
    15. Re:Makes the rest of us suffer... by Mister+Whirly · · Score: 2

      Yeah, all the IT department can do is leak several hundred thousand secret cables to WikiLeaks. No real damage though.

      --
      "But this one goes to 11!"
    16. Re:Makes the rest of us suffer... by dgatwood · · Score: 4, Insightful

      No one should have root passwords. The mere existence of a root password is a fundamental security hole. If everyone has a user account and certain people have sudo privileges, you have:

      • An audit log
      • A trivial way to cut off that person's admin access (with or without cutting off all access)

      Combine this with a proper centralized authentication/directory services system, and you're done.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    17. Re:Makes the rest of us suffer... by mysidia · · Score: 2

      We aren't discussing that. We're discussing whether the CEO should have the root password to anything - the general answer is no

      And that general answer is wrong, if the CEO demands the password, it must be given to the CEO.

      It may be technically inadvisable for the CEO to use the password, and it may be inadvisable from a corporate security perspective for the CEO to have direct use of the password (other than the uninterruptible ability of the CEO to reveal the password to someone deemed qualified personnel).

      Or a corporate policy might be established, approved by the board of directors, that even the CEO has to follow.

      However, it's definitely not within a sysadmin's authority to make such a facilities security decision if counter to a requirement imposed by their boss.

    18. Re:Makes the rest of us suffer... by TapeCutter · · Score: 3, Insightful

      This so-called moron* is your employer (or their representative), HE has given YOU access to HIS equipment, not the other way around. He pays YOUR bills in return for you following HIS rules while operating the equipment HE has given YOU access to. It is his prerogative to break anything that belongs to him, your job is to ADVISE him not to do so (and repair it when he says "oops"). If you don't like it when he ignores your ADVICE you are free to relinquish the access HE has granted to HIS property and leave, you are not free to force your advice on him (unless he is performing an illegal act). If because of personality/intellectual problems you cannot abide by this universal employer/employee contract and have come to believe it's your right to deny him access to his property then he will need HIS passwords to grant access to the person he replaces you with when he fires your contemptuous arse. The same principles apply to everything from the combination to the company safe to the keys to the janitor's closet, the only thing you have an implied right to withhold from your PHB are your PERSONAL passwords, swipe cards, etc. You DO NOT have the right to deny your employer access to their property, regardless of how much better you think you can care for it.

      * - If he is the moron then why is it that you are working for him?

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    19. Re:Makes the rest of us suffer... by shentino · · Score: 2

      It's called the chain of command.

      Specifically, the part where you'll get your ass fired for insubordination if you don't do what the fuck you're told by your superiors in the food chain. Your boss has more of a right to be an idiot than you do. It's one of the privileges of having authority.

      However, there is an exception.

      The only time you CAN refuse to give your boss the password is if an even BIGGER boss tells you not to, someone who is also your boss's boss.

      In fact, companies will often reserve "root spill" power to the monster cheeses that often are in direct contact with the board of directors or another super high level position, who then gives orders to the BOFH that the PHBs are forbidden to have the password.

      The private sector is just like the military with following orders. The only difference is that if you disobey orders in the military, you get court martialed and go to prison instead of merely losing your job.

    20. Re:Makes the rest of us suffer... by smash · · Score: 2

      They should perhaps HAVE access to the root / admin passwords.

      They should not be using them however.

      There is a difference (and any competent PHB knows this). Having the password(s)/keys/etc in an envelope locked away in a physical safe for use in emergency (possibly by a contractor when in-house IT go awol, die, etc) is just good business sense.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Um good? by Hatta · · Score: 4, Insightful

    Person commits crime, goes to jail. Fascinating reporting there.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Um good? by scorp1us · · Score: 2, Insightful

      You missed it. There's a girl in IT. That's the news!

      It's not even that she hacked in. NASA has always had a problem with girlfriends of employees getting pissed, getting in and then breaking stuff.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  3. Harsh Sentence by Manip · · Score: 4, Insightful

    I love how computer crimes are measured on an entirely different scale to all other crimes. While I think her crime was serious, when you look at the prison sentence relative to other things it seems disproportionate. If she had done the same thing without a computer I bet she would see less than 1/2 the jail time.

    1. Re:Harsh Sentence by nomadic · · Score: 2

      If she had broken into the place, shredded documents, forged payroll records, changed some locks and damaged others so doors wouldn't open you think she would get less than half the jail time?

    2. Re:Harsh Sentence by Monkeedude1212 · · Score: 4, Funny

      No, I'm pretty sure she would have been rehired and promoted into a management position.

    3. Re:Harsh Sentence by fuzzyfuzzyfungus · · Score: 2

      Does taking a fire-axe to the SAN count as "using a computer"?

    4. Re:Harsh Sentence by Farmer+Tim · · Score: 2

      As a target, yes.

      --
      Blank until /. makes another boneheaded UI decision.
    5. Re:Harsh Sentence by Delusion_ · · Score: 2

      You make a good case for not involving the victims in sentencing.

    6. Re:Harsh Sentence by redstar427 · · Score: 2

      It's a good thing she didn't share music files from a CD at the same time.
      She could have owed millions of dollars, and her sentence might have been for a much longer time!

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." Albert Einstein
    7. Re:Harsh Sentence by Delusion_ · · Score: 3, Insightful

      My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.

      That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.

      If I am guilty of a crime, what I did is what should matter, not how good or bad a person the victim was. Rather than go down Hypothetical Alley with you about the value of human life, I'd like to keep our hypothetical closer to the facts:

      Would this crime be more heinous if "your IT department", as you put it, were genuinely good people? Would it be worth less sentencing if it took place at an equivalent organization whose IT staff was lazy and whose managers were bombastic annoying pricks? Surely not. In that case, your opinions as the victim as to what the guilty party deserves regarding sentencing are too compromised.

  4. Yeah, but... by Ecuador · · Score: 2, Informative

    is she hot?
    Also, does she run linux at home?

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Yeah, but... by MobileTatsu-NJG · · Score: 4, Funny

      is she hot?
      Also, does she run linux at home?

      You may choose only one.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Yeah, but... by rtyhurst · · Score: 2

      I'm sure she's a total babe and a contributor to the Linux kernel.

      I look forward to the movie, with her played by Natalie Portman in a skimpy tank top, coding away while Ryan Gosling as Linus Torvalds looks on admiringly.

      I want to bear her children!

  5. What? by segedunum · · Score: 5, Insightful

    Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.

    What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

    1. Re:What? by Charliemopps · · Score: 4, Informative

      I'm fairly sure I know exactly what she did. Most companies have the same security flaw. They have their network hardware resolve user names and passwords the same way all their workstations do. They also have a "Lockout" if you get the password wrong a certain number of times (usually 3.) I'm sure you've seen this before. The vulnerability is, if you then have everyone's email be: userid@yourcompany.com, anyone can very easily pull down a full list of userids from the exchange server. The company's address list literally has every userid in the company. You then simply write a script to hit a piece of network equipment 3x with a garbage password for every single user in the company. Because it's a telnet connection it's REALLY fast. The system locks out every single user. If the admins weren't smart enough to reserve a single master login (and they usually are not) you can cripple the entire company.
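
An added example, not part of the comment above: detection logic for the lockout pattern Charliemopps describes (one source failing authentication across many different accounts in a short time), plus a check of what a reserved master login preserves. The event tuples, account names, addresses and alert thresholds are constructed, and exempting the reserved account from automatic lockout is an assumption about how that reservation is implemented.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3            # failures before lockout, as in the comment
WINDOW = timedelta(minutes=5)    # assumed detection window
DISTINCT_USER_ALERT = 4          # assumed: distinct failed accounts per source


def make_sample():
    """Constructed events: (timestamp, source, user, success)."""
    t0 = datetime(2024, 3, 5, 22, 30, 0)
    events = []
    # One source failing three times against each of five accounts.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "netadmin"]):
        for j in range(3):
            ts = t0 + timedelta(seconds=3 * i + j)
            events.append((ts, "203.0.113.40", user, False))
    # An ordinary user who mistypes once, then logs in.
    events.append((t0 + timedelta(seconds=4), "10.0.0.9", "frank", False))
    events.append((t0 + timedelta(seconds=20), "10.0.0.9", "frank", True))
    return sorted(events)


def detect_lockout_storm(events, window=WINDOW, distinct=DISTINCT_USER_ALERT):
    """Return {source: (first_alert_time, accounts_hit)} for sources whose
    failures span `distinct` or more accounts inside a sliding window."""
    recent = defaultdict(deque)   # source -> (timestamp, user) failures
    alerts = {}
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        users = {u for _, u in q}
        if len(users) >= distinct and src not in alerts:
            alerts[src] = (ts, sorted(users))
    return alerts


def locked_out(events, threshold=LOCKOUT_THRESHOLD, exempt=()):
    """Accounts locked by a consecutive-failure policy; `exempt` holds the
    reserved master login that the policy never locks."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold and user not in exempt:
            locked.add(user)
    return locked


if __name__ == "__main__":
    ev = make_sample()
    print(detect_lockout_storm(ev))
    print(sorted(locked_out(ev)))
    print(sorted(locked_out(ev, exempt=("netadmin",))))
```

Keying the alert on the source rather than the account is what separates this pattern from ordinary mistyped passwords, which produce failures for one account per source.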

  6. did she really "hack" it? by darjen · · Score: 3, Insightful

    or did she use passwords she already had to get into the system? I wouldn't be surprised if this was yet more abuse of the word "hacking".

    1. Re:did she really "hack" it? by TheRaven64 · · Score: 4, Interesting

      Given some of the 'hacks' that have been reported here over the last year, I think hack now means 'use a computer in a way that the writer does not completely understand.'

      --
      I am TheRaven on Soylent News
    2. Re:did she really "hack" it? by Bobakitoo · · Score: 2

      Hacking has become a synonym for magic. Any technical feat that is beyond understanding is hacking. With the dumb media we have, pretty much anything is hacking these days.

  7. Re:A Florida Story... by gfreeman · · Score: 2

    Not that odd. The rest of the world reports on news from the rest of the world. It's only inside the borders of the US that the news programs seem to stop at the national border.

    --
    Ceci n'est pas un sig.
  8. Re:Not even worth "Idle" by gfreeman · · Score: 2

    Will the pric of stupidity stand up in court, or will she be put through the penal system?

    --
    Ceci n'est pas un sig.