I was authorized to trash my employer's network, sysadmin tells court

Back in December 2011, Michael Thomas did what many sysadmins secretly dream of doing: he trashed his employer's network and left a note saying he quit. As well as deleting ClickMotive's backups and notification systems for network problems, he cut off people's VPN access and "tinkered" with the Texas company's email servers. …

This will impact others as well

I've worked a variety of different jobs, some IT, as well as other job titles and every time I've needed to do something that would have far reaching implications, I have always asked someone higher up. Those questions have had a mix of reactions ranging from "Glad you asked first" to "I thought you were a self starter". The lack of clear policy is the issue here and it varies from company to company.

12
3
Silver badge

Re: This will impact others as well

The lack of a clear policy to not hose the company? I very much doubt you required any guidance on that.

8
3
Anonymous Coward

Re: This will impact others as well

"The lack of a clear policy to not hose the company?"

Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably. Should they be arrested? No. Does the company need to spell out a "don't hose us" policy? No, they can, but what will it mean?

If this guy trashed the systems, and stuck around without leaving a note, he would be a-okay according to the law, yet we get the same result; company network is offline. If there's a policy in place against this, then the most they could do is just fire the guy, unless you're Oracle then you can back-charge him for some made up access/stipulation hidden in the contract. Apparently.

7
0

Re: This will impact others as well

It is certainly unethical, but whether or not it is illegal is what is questioned here. Companies spend a lot of money on lawyers for a variety of reasons, why not spend the money to ensure there is a clause prohibiting malicious activity.

5
0
Silver badge
Boffin

@Ellier ... Re: This will impact others as well

Unethical, heck yes 1000%.

Illegal? Yes.

While he has complete access as the admin, were the actions he took consistent with him performing his duties as an admin?

sudo su -

cd /

rm -rf *

3 simple lines that will hose any Unix/Linux system. (Kiddies do not try this at home)

As the admin, knowing that this will cause harm is what makes this illegal.

There's more to it, but the rogue employee had mens rea (guilty mind) which he doesn't deny.

Start there and you'll find his actions to be criminal.

6
7
Silver badge

Re: @Ellier ... This will impact others as well

Here it wouldn't be because sysadmin isn't a professional designation.

If he was an engineer and did this he would be guilty of professional negligence. But as a mere nuclear physicist I'm not considered a professional so anything I do that happens to leave a crater is considered just a D'oh moment.

11
2
Silver badge

Re: @Ellier ... This will impact others as well

Actually had this happen on one system I was working with. Another Admin "forgot" where he was and typed the command only to realise a fraction of a second after he hit enter that he had forgotten to chdir to the trash folder he meant to clear.

Thankfully the backups from the previous night were intact.

5
0

Re: @Ellier ... This will impact others as well

"Mens rea" is not in itself a crime. You can intend to be a total dick, intend to be nasty, intend to be any number of things. You have a guilty mind. But in order to commit a crime, you also must have broken the law as it is written. Not as it maybe SHOULD have been written, but whoever wrote it probably didn't have this scenario in mind. It's one of those weird edge cases.

If there is a loophole in the law as it currently stands, you're off the hook. If it needs fixing, that's up to the legislature to do, but they can't do it retroactively. If your act was, by the wording and letter of the law, legal at the moment you did it, then it was legal period. Regardless of your intentions.

And really, it could be solved by some simple wording in the employment agreement or contract. "Network users and administrators are not permitted to undertake malicious actions with the intent of damaging or disrupting the network or any device or data stored on it without the express permission of (insert here) or higher." There you go, now they're clearly not authorized to do it and you've closed the loophole.

14
0
Anonymous Coward

Re: This will impact others as well

Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably.

Why? Any sysadmin who hasn't made that mistake is in my opinion not allowed near anything critical until they have. Nothing is as educational as a near catastrophic mistake and (assuming the person is otherwise properly competent) at that point you end up with someone who will think twice before doing that again.

Unless, of course, you're the kind who looks for a scapegoat and is willing to do that again when the next one makes that mistake - at that point it's still you who recruited TWO idiots instead of one, so take your pick. Sacking is easy. Helping your staff be good at their job is harder, but IMHO a tad more rewarding (sorry to be off-norm here :) ).

13
0
Silver badge

rm -fr @IMG

I used to run HPC clusters where doing this on the compute nodes would not have been quite as catastrophic as on a normal system. They would probably have rebooted OK.

The reason for this is that / was always copied into a RAMfs on boot from a read-only copy, /usr was a read-only mount and most of what would normally be other filesystems were just directories in / and /usr. It's true that /var would have been trashed, and any of the data filesystems if they were mounted would also have gone, but the system would have rebooted!

On a related note, when the clusters were decommissioned, I was the primary person responsible at all stages of the systematic, documented and verified destruction of the HPC clusters. It ranged from the filesystems, through to the deconstruction of the RAID devices and scrubbing of all of the disks (about 4000 of them), the destruction of the network configuration and routing information, deleting all of the read-only copies of the diskless root and usr filesystems, even as far as the scrub of the HMCs disks (it's interesting, they run Linux, and it was possible to run scrub against the OS disk of the last HMC [it was jailbroken], while the HMC was still running!)

The complete deconstruction, from working HPC systems to them being driven away from the loading bay took 6 (very long) working days, and finished with a day's contingency remaining in the timetable.

So I am one of a relatively small number of people who can claim that they've deliberately, and with complete authorization, destroyed two of the top 200 HPC systems of their time!

I had real mixed feelings. It was empowering to be able to do such a thing, and upsetting, because keeping them running was almost my complete working life for four years or so.

3
0
Silver badge
Meh

Re: This will impact others as well

"Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably. Should they be arrested? No. Does the company need to spell out a "don't hose us" policy? No, they can, but what will it mean?"

You're right, a single mistake shouldn't result in an arrest but what about when said innocent mistake is followed by several other "innocent mistakes" on unrelated systems? I'd say that was indicative of intent.

If (when!) I make mistakes of any magnitude, the very next thing I do is try and get it sorted, I don't put it to one side and go work on a different system.

3
0

Re: @Ellier ... This will impact others as well

only to realise a fraction of a second after he hit enter

The technical term for that fraction of a second is an "ohnosecond".

7
0
Silver badge

Re: @Ellier ... This will impact others as well

rm -rf *

If you have been a sysadmin as long as I have you would have done it at least once. Failing that you would have done the even more unpleasant chown -R X:X / or chmod -R 0xxx /. Either that or doing chown or chmod recursively on . being in the wrong directory.

Of course I know it will cause harm. You still sometimes do it even after 20 years of experience (I re-read my command lines at least 3 times if I use the -r (or -R) flags).

Start there and you'll find his actions to be criminal

Even if we do so, it is criminal damage which funnily enough in USA (and many other jurisdictions) attracts an order of magnitude smaller penalty than unauthorized computer access.

2
0
Silver badge
Boffin

Yo! Coward... Re: @Ellier ... This will impact others as well

It doesn't matter if you consider it a professional designation or not.

If your job description says 'system administrator' then you need to know something about being a system administrator. So you should know that typing rm -rf * while at the root directory is a no no.

That's part of it.

The other part is a question of intent. Knowing your command could cause harm is part of the issue. Intentionally wanting to commit harm is the other part. As you said, you are a nuke guy and you accidentally typed your command in the wrong window. Ooops! No intent.

Being the admin, shutting down the back ups, locking others out... and then deleting the files? You have intent to do harm.

You need both and with respect to this case... they have it.

1
0
Silver badge

@ Oengus ... Re: @Ellier ... This will impact others as well

Oh yeah, I've seen smart people accidentally delete directories and do stupid things. That's why we have backups.

But there's no intent on their part. It was an accident.

1
0
Silver badge
Boffin

Re: @Ellier ... This will impact others as well

Mens rea is 'guilty mind' which means that you knew what you were doing and you knew it was wrong.

It goes to show intent.

There is no loophole in the law as written. The appeal will fall flat. He's looking for a loophole where none exists.

To really drive the point home... Imagine if you worked in a liquor store and had the keys to the place because you sometimes closed up at night. Now imagine one night, you decide to drive up, use your keys to gain access and then take a case of booze. Using the logic of the appeal, you claim you didn't break the law because you had the keys to the place as part of your job, and you routinely stock the shelves so you had the right to handle the booze.

That's the logic. Or rather you let yourself in, and destroyed a couple of cases of booze sitting on the shelf and claimed that you didn't break and enter because you used your keys that were given to you so you could access the store.

The git doesn't have a case and the extra wording isn't required in the contract. While IANAL, I've written and negotiated many SOWs which are contracts based on an MSA which I too have had to read, edit and sign.

1
0
Silver badge

@Peter ... Re: rm -fr @IMG

I know. I was trying to give a simple example.

As to decommissioning a server farm / cluster... It's a lot more fun when you have to shred your drives and sign a document to that effect because no drives are allowed to leave the DC. ;-)

0
0
Silver badge
Boffin

@Voland ... Re: @Ellier ... This will impact others as well

Yeah, we've all done it. Especially after a 36 hour marathon session to save a massive update build that went wrong because someone checked in some old code with their new mods.

Doing it as an accident is one thing.

Doing it intentionally to cause harm is another.

That's the thing.

Take a look at his actions.

Knowing it was wrong and doing it to cause harm is what makes it a criminal act.

There is more to this... there's the criminal aspect and then there are civil aspects in terms of the law. The company could sue him for damages too.

His argument is that he had access to the systems for work therefore he's not guilty of criminal trespass.

It doesn't work that way. In an earlier example I talked about a store clerk who had the keys to close up shop, coming back later and letting himself in to steal some alcohol. He's still guilty of trespassing.

0
1
Silver badge

Re: This will impact others as well

"If this guy trashed the systems, and stuck around without leaving a note, he would be a-okay according to the law"

I doubt it. As described, it wasn't a single action but a wide-spread trashing of various parts of the infrastructure. It makes it very difficult to believe anything other than intent. To take an analogy, if you damage one piece of kit it might be possible to argue percussive maintenance gone wrong but if you take a sledge hammer to the whole production line it's going to be criminal damage.

0
0
Silver badge

Re: @Ellier ... This will impact others as well

If it needs fixing, that's up to the legislature to do, but they can't do it retroactively. If your act was, by the wording and letter of the law, legal at the moment you did it, then it was legal period. Regardless of your intentions.

Dunno about UK and USA, but in Australia that is incorrect.

Is it possible to break a law that has not yet been made?

In Australia the answer is yes.

Both State and Federal Parliaments have the power to create retrospective legislation: laws that are made ex post facto – after the fact – so that they apply to events in the past.

Retrospective Legislation and the Rule of Law

0
0
Silver badge

Re: @Ellier ... This will impact others as well

Retrospective laws are specifically prohibited in the United States Constitution under Article I, Section 9 (which lists the kinds of laws Congress CANNOT pass, among them, "ex post facto" laws). To quote the relevant sentence: "No Bill of Attainder or ex post facto Law shall be passed."

0
0
Silver badge

@Charles 9 [was Re: @Ellier ... This will impact others as well]

Thanks. That was my recollection but I'm learning just how unreliable a 65 year old brain can be. I believe that something of that nature was written into the first draft of the Australian Constitution, but was excised later.

0
0
Silver badge

Re: @Peter ... rm -fr @IMG

Normally that site I was talking about has a shred policy, but they gave an exemption because we were able to prove to the satisfaction of the security team that once the disks in the RAID sets were scrubbed, juggled, per-disk scrubbed and the RAID configuration and disk layout mapping completely destroyed, that there was effectively no way of re-constructing the Reed-Solomon encoding (no data on any of these RAID disks was actually stored plain, it's all hashed).

And actually, the grading of the data was no higher than Restricted even by aggregation, and the vast majority was much lower or unclassified (intermediate computational results that would mean nothing to anybody outside the field, and not much to those in it), so sign off was granted.

Also, the cost of shredding 4000 or so disks was considered exorbitant, and would probably have taken more time than the rest of the decommissioning.

0
0

OK, it's all about the timing... when did he resign and when exactly was his resignation found.

If he had done it before his resignation was found he would not be found guilty; if after it was found, he would be nailed to the wall.

1
2
Silver badge

When it was found isn't particularly relevant, unless his letter said something bizarre like "I tender my resignation effective as soon as you tell me you've read this" he should really consider it effective from when he left it on the desk and left the building.

3
0
Silver badge
Boffin

@Elf ... no, timing doesn't matter.

The issue is showing intent and mens rea.

Did he know what he was doing?

Did he know what he was doing was wrong and would cause his employer harm?

The acts were intentional.

He knew what he was doing would cause harm.

He knew what he was doing was wrong.

He also had motive in wanting to help his friend who was suing for wrongful termination.

He will lose his appeal.

IMHO, he had two choices.

1) Resign and walk away citing issues.

2) Stay, and do his job. Of course when it came time to be deposed, he could spill his guts about the bonus to take over his friend's job. There's more, and the point is he could have helped his friend by being ethical and above board at all times.

1
5
Anonymous Coward

Seems like a good example of why juries are a good thing - the guy quite obviously is guilty of what the law was intended to punish, and they acted accordingly.

1
6
Silver badge

I don't think it's that clear cut. The law was "obviously" intended to catch crackers etc. not people with legitimate access.

15
2
Gold badge

I don't think juries have the role that you imply. Their job is to decide which of the evidence is reliable. The judge's job is to decide what's legal. The court proceedings are steered by the judge to the evidence that relates to actual illegal stuff, then they decide whether they believe it. There have been cases where juries take the law into their own hands (https://en.wikipedia.org/wiki/Jury_nullification) but these are sufficiently rare that legal scholars get exercised over it.

9
0

Having done Jury duty several times, it is explained to the Jury that we have the ability to decide anything. The judge is more the referee and has say over the sentence of the crimes that the Jury finds people guilty of. As an example: If a person is shot dead by another, no matter what the actual charge is - the Jury can rule it - an accident, self defense, murder (first, second or third degree) or even dismiss the charges. This is why a Jury is preferred over a judge when there are extenuating circumstances.

2
0
Silver badge

"There have been cases where juries take the law into their own hands ...but these are sufficiently rare that legal scholars get exercised over it."

Unless it was in a court west of the Bann.

0
0
Silver badge

"the Jury can rule it- an accident, self defense, murder (first, second or third degree)"

Nevertheless, the judge should have explained to the Jury what all these terms mean and what they need to believe about the evidence in order to arrive at one of them. Actually only a coroner's jury would need to arrive at one of the first two decisions, in a criminal trial it would simply be "not guilty".

0
0
Facepalm

Revenge is a dish best served remotely, ideally from a self-erasing bash script on the boss's laptop.

34
0

Considering all the fires he'd been putting out, it sounds like the company would've been dead in the water if he had simply quit. Which would also imply that he didn't do any real damage.

12
0
Anonymous Coward

They deserve each other

The larger case aside which is a nightmare.... Serial entrepreneur used to cynically sh1tcanning staff before IPO / asset flipping takes it in the nads?

Sorry, but moral ethics have failed on both sides here... Not advocating anything, just saying .......... Karma is a bitch!

22
0
Silver badge

There are two different things here: Computer hacking, and causing criminal damage.

There was a case a few months ago, where a store employee handled a computer to sell lottery tickets: Customer hands over cash, she tells the computer how many tickets to print, takes the cash, hands over the tickets. This employee was caught printing about 1,000 lottery tickets a week for herself and not paying. A judge said that she was authorized to use that computer, so there was no computer hacking involved. But of course it was theft of the tickets.

Something similar will be the case here. That admin was indeed authorized to delete backups etc., so no computer hacking. But he caused a huge amount of damage by his authorized computer access, and will be responsible for that. Just the same as if he had taken a sledge hammer and destroyed the servers and physically destroyed the backup drives. Tons of damage, but no computer hacking.

(Obviously only true before he resigned. At the moment he resigned the authorization would have been gone).

15
0

This was pretty much my thought. I think he has a good point, it was not unauthorized access (or hacking in common parlance) but that doesn't mean he couldn't be guilty of some other crime.

5
0

In this country the wording for criminal damage is "permanently deprive". As there were still existing on-site back-ups, which he would have known about, this could be classed as "non-permanent damage" which is less likely to count as a criminal matter.

1
0
Silver badge

Surely intentional damage is criminal whether you have authorisation to be there or not?

In my last job, my keycard gave me authorised access to the whole building 24/7.

Forget the obvious machine rooms, what if I'd decided to smash up the bogs, and spray graffiti on the walls? I'm sure I'd have been done for criminal damage despite having permission to be there.

And nowhere on my contract did they have the "don't vandalise the bogs" clause.

IANAL etc.

3
1
Silver badge

In this country the wording for criminal damage is "permanently deprive". As there were still existing on-site back-ups, which he would have known about, this could be classed as "non-permanent damage" which is less likely to count as a criminal matter.

Charge him with vandalism?

1
0
Silver badge

Time can never be recovered so loss of time is always permanent. That's why even temporary damage can be charged.

0
0

You mean, like... a tax on time is a crime? That would open up a YUGE pandora's box for the government.

0
0
Silver badge

What interests me

is the "authorization" bit, if you took this and ran with it within a broader scope of roles within a company.

The techy person "deleting stuff" is pretty cut and dry, "they pressed a button and it went".

But as he's arguing he was authorized to do this.

Lots of other people are "authorized" by their employer to do all manner of potentially detrimental stuff. Terminating a contract here, signing up something nobody will be able to deliver for a bonus there - and this may get you fired, but is extremely unlikely to get you brought up on criminal charges.

I guess my point is that it's relatively easy to do something harmful, that you're notionally allowed to do - but this does open up an entire new level of repercussion.

3
0

Re: What interests me

I guess that is what he is aiming for. His argument:

- What he did was not a criminal offence. He had authorization to access the systems. Therefore the law was misapplied.

- What he did was likely a breach of contract, a civil matter.

I don't rate it a strong hand, but if his lawyer thinks it is a loophole in the law, then maybe it'll stick.

If he wins I don't know what he'll be able to do regarding the 3 years in jail already served. I guess the fine would be repaid (if he has paid any of it), and then I guess he would have to file suit against either the police or the ex-employer, or both, to get restitution.

3
0
Silver badge

Re: What interests me

So if you were e.g. CEO of a formerly great computer and engineering company and then ran it into the ground, fired all the good staff, split it into competing divisions, wasted $Bn on buying crap data analytics companies, etc

- would you be arrested for criminal damage or given a multi $MM severance package?

19
0

Re: What interests me

No. A CEO would be fired and receive a Golden Parachute to cushion the blow. Apples and Oranges. This bloke was an IT Drone. Those of us who are IT Drones know full well that we are not treated like CEOs (or CIOs, for that matter).

1
0
Silver badge

Re: What interests me

So if you were e.g. CEO of a formerly great computer and engineering company and then ran it into the ground, fired all the good staff, split it into competing divisions, wasted $Bn on buying crap data analytics companies, etc

- would you be arrested for criminal damage or given a multi $MM severance package?

Oh I'd go for raping the pension pot as well and getting a knighthood.

4
0
Silver badge

Resigned to his guilt

I think the crucial part is not the actions he took during his time in work, even on his last visit to the office, you could perhaps accept the argument depending on the exact terms of employment that he did nothing "criminal" there, just a load of stuff that would be grounds for dismissal or perhaps a civil lawsuit.

The important part really is what he did remotely after he resigned. If you leave your keys and a resignation letter on the desk and walk about, you are effectively stating that you are no longer accepting employment and absenting yourself of any authorisation to perform activities within the company you may previously have been given. Therefore from the moment you do that you can no longer try and use such authorisation as a defence for malicious actions like this. Accessing the systems remotely arguably becomes illegal, and any destructive action you take is criminal damage.

1
0

Bang whack bang

Panelbeaters are authorised to hit cars with hammers. I don't think this means they can pummel cars to pieces.

Sysadmins are authorised to maintain and administer IT systems. While deleting files and systems is a function of sysadmins, it's not the raison d'etre.

6
1
Silver badge

Re: Bang whack bang

Yet is it criminal if they do?

Or is it merely a civil matter, where they have breached their contract?

That's the argument.

Would you expect the police to arrest a panel beater who broke your windscreen, or would you expect them to pay to replace the windscreen, and pay you appropriate compensation for the extra time your car was unusable?

6
1


Biting the hand that feeds IT © 1998–2017