Forgot your password?
typodupeerror
The Courts Government News IT

Get Fired. Delete Colleague's Account. Go To Jail. 425

Posted by Zonk
from the i-would-have-taken-up-a-hobby dept.
SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...
This discussion has been archived. No new comments can be posted.

Get Fired. Delete Colleague's Account. Go To Jail.

Comments Filter:
  • IBM ineptitude (Score:5, Insightful)

    by Tet (2721) <slashdotNO@SPAMastradyne.co.uk> on Saturday January 14, 2006 @03:35PM (#14472073) Homepage Journal
    So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything. But 50 man days? That's just not even vaguely reasonable, and smacks of them just going for the throat out of malice. Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here. Quite how they managed to get a judge to swallow that is beyond me. It sounds like the defence lawyers weren't doing their job. I can't think of any other explanation.
    • Re:IBM ineptitude (Score:5, Interesting)

      by Zordak (123132) on Saturday January 14, 2006 @03:41PM (#14472111) Homepage Journal
      Nobody seems to have disputed the reasonableness of what IBM charged. The defense attorneys instead tried to make the argument that IBM "volunteered" to do the investigation since they were not the employer. The fact remains that IBM charged the company $20,350 for the investigation of the matter, which apparently the company paid. The company was out that money, he caused it out of spite and did it illegally. I have no sympathy for the guy. I'd say he got what he deserved.
      • Re:IBM ineptitude (Score:5, Insightful)

        by TechieHermit (944255) on Saturday January 14, 2006 @03:51PM (#14472176) Journal
        Besides, he only got three months in jail, plus restitution. That's relatively lenient for this kind of crime, isn't it? Most prosecutors try to lock hackers up for the maximum term.

        The real effect of his record will be that it effectively bars him from working in I.T. Which might not be an entirely bad thing -- the guy DOES seem to have a pretty flexible moral compass, doesn't he?

        My question is, why is this in "your rights online"?

      • Re:IBM ineptitude (Score:3, Insightful)

        by cgenman (325138)
        I hope this doesn't burn too many bridges, but while IBM charged the company $20,350 for the investigation, that doesn't mean that the person did $20,350 dollars worth of damages. If someone sniffs around the old apartment they used to live in, eventually deciding to steal a 2,000 dollar laptop, for criminal purposes the person has stolen 2,000 dollars worth of property. It doesn't matter if that homeowner then hires a PI at 200,000 dollars per hour, you've still stolen 2,000 dollars worth of property.

        I d
    • Re:IBM ineptitude (Score:5, Insightful)

      by Raindance (680694) <(johnsonmx) (at) (gmail.com)> on Saturday January 14, 2006 @03:41PM (#14472116) Homepage Journal
      50 man days to
      1. undo what little damage he did, and
      2. make damn sure he didn't do anything more serious and insidious?

      I'd call that about right.
      • Re:IBM ineptitude (Score:5, Insightful)

        by Kymermosst (33885) on Saturday January 14, 2006 @03:46PM (#14472149) Journal
        50 man days to
        -2. Find out who was responsible.
        1. Find exactly when and what happened.
        0. Find out exactly how much damage was done.
        1. undo what little damage he did, and
        2. make damn sure he didn't do anything more serious and insidious?

        I'd call that about right.


        So would I, after my minor additions. (Yeah, they were implied, but you have to spell this kind of thing out for some people.)
      • And:

        3. 50 days while someone that is working on that isnt working on something else.
      • Exactly. It can take alot of work to clean up after something like that.

        How much disagreement can there possibly be about this article? If you're an asshat and break the law, you should do time and pay the fine. I mean, seriously, now we know why they fired him!
      • Re:IBM ineptitude (Score:5, Insightful)

        by theLOUDroom (556455) on Saturday January 14, 2006 @04:56PM (#14472435)
        50 man days to
        1. undo what little damage he did, and
        2. make damn sure he didn't do anything more serious and insidious?

        I'd call that about right.


        Based on that reasoning why not 500 man days? 5,000?

        "Damages" should be calculated based on actual damages. If not, there's really no limit to how much damage they can claim.

        It's not that I necessarily believe that the number 50 is unreasonable, it's that the argument you're using to support it certainly is.

        Imagine if this was applied to someone who stole a $1 candy bar: Yes, it only took $1 to replace the candy bar, but we had to spend $10,000 to inventory the whole store.
        • Re:IBM ineptitude (Score:3, Insightful)

          by bobt1956 (945961)
          I used to consistantly charger $125 per hour as an analyst supporting IBM AIX systems. $50 an hour is cheap. However it wouldn't take anywhere near that amount of time to undue and repair the damage. On the other hand, sounds like the company got a complete overhaul in the deal which would be unrelated to the problem other than it scared them and pointed out the need! There should have been (2) bills here: 1. Find and fix problems related to the account -$2,000 2. Re-design the whole system $18,000. I
          • Re:IBM ineptitude (Score:3, Insightful)

            by pnewhook (788591)
            It's not just the time to restore the account. They had to search the system to find out how it happened and who did it. That can take a lot of time.
    • Yes, that's my thought too. The amount of damage claimed doesn't seem reasonable at all, unless you want to count court costs. Kind of like the kid who's going to be up for some sort of ridiculous felony for telling everybody to hit 'refresh' on his school's web-page when it was more of a 'disturbing the peace' sort of offense.

    • Millot trespassed on private property, damaged said property, and now is trying to claim the damage wasn't bad enough to warrant a hefty sentence. He's already admitted to committing the actual crime. Whatever you want to say about the competence of IBM, IMO the individual in question deserves what he gets. Or, better put, doesn't deserve another job in the industry again.
      • First, people can make mistakes. I'd be hesitant to hire the guy again, but I might consider it.

        Secondly, levels of offense, sentences and sentencing guidelines exist for a reason.

        Though, maybe we should take your tack and say all crimes are punishable by death! After all, it doesn't matter how bad the offense was, the punishment should be very high no matter what. So, lets give the highest punishment possible for every crime!

        • Uhhh, there's a minor difference between refusing to hire a felon and summary execution for property crimes. However, for the sake of argument - whether a $5K or $20K property crime - both seem pretty serious to me. It's not like the guy was an underage kid - he's an adult with serious responsibilities in the organization. His betrayal is not just to his former employer, it is also to the industry and society at large. As an adult he should be prepared to accept responsibility for his actions. JMO...
        • First, people can make mistakes.

          To me, a mistake would be logging onto the system once after getting fired. I don't think that the guy made a "mistake".

          -h-

          • To me, a mistake would be logging onto the system once after getting fired. I don't think that the guy made a "mistake".

            A mistake would be forgetting to return the SecurID.

            What he did took malice and forethought. The lightest thing you could call it would be a "lapse of judgement".
            • DELETE THE ACCOUNT DELETE THE ACCOUNT DELETE THE ACCOUNT
              did I mention delete the account?

              Sorry about the excessive use of caps but the solution seems so very painfully obvious. Deleting the person's account when they leave protects both parties. The employee will not be able to do what that guy did and loging when they get home and do lots of damage, not that a sysadmin shouldn't make backups, and it prevents someone from changing the pword of the person who just left and connecting from an open access
          • Mistake != accident. Mistakes can be even serious errors in judgement. What matters is that you recognize that you did something wrong, and would choose differently were the choice open to you again. And while it can be hard to tell whether or not the change in worldview has really occured until the person has the same opportunity, I'm open to giving people the benefit of a doubt.

      • Hmmm... After RTFAing, I still don't think the claim of damages was reasonable. But I do think the sentence was reasonable. But I do disagree with "This guy deserves what he gets.".

    • While back I used to support vertical market accounting software (mainly used in glass shops). A lot of these shops would hire consultants to work with me.

      I've seen 10 minute jobs get stretched out to 2 months or more - and I'm not kidding in the slightest. The second you try to argue with these guys about how they are doing it these people would bite my head off and start talking about security this or installation that. It got to the point where I'd call the owners of these shops and tell them I can't wor
    • YTou forgot the meetings that had to occur to schedule the meetings, and then the meetings to approve the reports needed have a meeting to approve having a meeting.

      It was not IBM that owned the system, IBM was doing the work. We don't know the status of their backups, security. Part of what may be included is the time spent detecting any backdoors or other potential breaches by the Defendant. How do they know that he only deleted the account and not added a backdoor or timebomb?
    • Re:IBM ineptitude (Score:5, Insightful)

      by Leto2 (113578) on Saturday January 14, 2006 @03:51PM (#14472174) Homepage
      I'd like to know where Aventis found IBM consultants that only charge $50/hr...
      • That's what they *cost* IBM, not what IBM would bill them out to a client at. $50/hr => $100K/yr total cost (maybe $60K salary, after you figure in taxes & benefits)

        I doubt they could get away with trying to give their billing rate in court.
        • That could be... But if I was the prosecutor for Aventis, I would have argued that the cost to fix the accounts was actually what they paid to IBM to get it fixed...
      • Mod parent up.
        That's the whole point. I have never ever seen such low rates from IBM Global services or any other IBM department as well. The rates are more in the 150-300$/hr bracket. The total amount charged represent something like 7-15 man/days.
    • Re:IBM ineptitude (Score:4, Insightful)

      by Sigma 7 (266129) on Saturday January 14, 2006 @03:55PM (#14472194)
      So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days. For fsck's sake, what sort of incompetent morons are they employing? Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything


      Here's some basic information:
      - Those 5 or 50 man days were spent cleaning up on the incident, and are not recoverable. (As opposed to endless meetings that "optimize" the performance of the company.) While it may not seem like a lot, it just takes one lost man day on a critical path to slow down an entire project.
      - Restoring from backup is not typically a drag-and-drop operation. In general, most large companies use backup tapes to store a large amount of data, and those are not typically random access.
      - When there is a person with Administrator privilages that made the changes, you need to assume Rootkit. This takes a lot of time to steralize the computer and examine what went wrong. In addition, you can't always assume that the logs are legitimate.
      - You still need to to check whether a script kiddie simply cracked the password to an account, or if it was a disgruntled employee that used an idle account.

      What appears to be a simple 5 man hours of work can easily balloon into 50, especially when you have to prove things beyond a reasonable doubt for a criminial conviction.

      Yeah, he screwed up, and deserved to be punished, but the punishment should be proportional to the crime, and it clearly isn't here.


      No, he didn't screw up. A screw-up requires incompetance, and does not apply to malice of any form (unless the incompetance existed during the malicious act.)
    • So IBM are apparently claiming $20,350 at $50/hour to investigate the incident. That's 50 man days.

      Perhaps the server had to be taken down for a quarter of a day (2 hours) and the company has 200 employees? That's 50 man days lost right there. Perhaps the intruder deleted the logs and the entire security setup had to be audited to detect and remove any other back doors he may have put in. Perhaps they got hit with fines due to some data protection law.

      Just some thoughts.

      Michael
      • Perhaps the server had to be taken down for a quarter of a day (2 hours) and the company has 200 employees? That's 50 man days lost right there.

        Are you suggesting that IBM charged Aventis the amount that Aventis lost in productivity?
         
    • by ThaFooz (900535) on Saturday January 14, 2006 @04:03PM (#14472231)
      Wait... so Aventis Pharmaceuticals Pharmaceuticals outsources its IT security to IBM, who in turn charges Aventis $20,350 to reach the conclusion that their recent security breach was caused by a flaw in IBMs security policy: not removing clearance from disgruntled ex-employees who are disgruntled soley because they are being replaced by IBM? That's FUNNY.
    • Re:IBM ineptitude (Score:5, Interesting)

      by Rantastic (583764) on Saturday January 14, 2006 @04:24PM (#14472333) Journal
      what sort of incompetent morons are they employing?

      Funny you should ask. I have had several recent jobs cleaning up after IBM consultants. I finally had the chance to find out what is going on. It goes like this: IBM keep their top talent hard at work on the big multli-million dollar contracts. For the rest, it is anyone they can get off the street.

      I learned of this when I recently had a job interview with IBM. They had already signed a $2 million contract with a government agency to build a computational data center, but had no available staff to allocate to the contract. The interviewer was completely candid with me when I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure. They simply hire contractors as needed. I turned the job down.

      Ready for the punchline? They hired a guy that I have worked with in the past. This guy has no prior experience working with the technology he will be deploying. He is a decent guy, but he will be figuring things out on the fly. He is the best they could do. He is being sent in as an expert consultant by IBM. Think he will bill more hours than someone with actual experience?

      I recently asked a former customer of mine, who works IT for a large university, why people would hire IBM over a smaller company with more expertise. He said that as far as his boss is concerned, if you hire IBM and they screw something up, you are covered because you went with IBM. This same customer then went on to tell me how IBM completely botched a $1 million installation job at his university last year. They are in court over it.

      If this guy had a good lawyer they should have audited all the work done by IBM and the qualifications of the people doing the work.

      • by schon (31600)
        I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure.

        You say this like it's something unusual. If so, I doubt you have much experience with company with an employee base of >1.

        Here's a story that might help you understand a little better:

        A salesman and a technician wenet bear hunting. They hiked up into the mountains, to get to a remote cabin. When they got there, the salesman said "OK, you unpack, and I'll go find us s
    • Re:IBM ineptitude (Score:2, Insightful)

      by lucm (889690)
      This is not a simple matter of disabling a user account. To do a proper resolution of this issue, IBM must involve a lot of people:

      * an account manager to handle the issue with the customer
      * a senior analyst to evaluate the situation and make an action plan
      * a systems analyst to make recommandations to prevent this kind of issue in the future (new ACLs, firewall rules, etc)
      * a couple of technicians to carry out the job (log scanning, password reset, etc)
      * a security specialist to proceed to an ethical hack
    • Call it a couple of hours to trawl some log files, a few more to retrieve the missing account from backup, and be generous and round it up to a week -- 5 man days to tie up all the loose ends, write the incident report and get management signoff for everything.

      Think about the situation they had here. A disgruntled former employee who left himself at least one back door has performed at least one malicious deletion. According to you, close the single backdoor you've discovered, undo the single deletion
    • $50 an hour seems absurdly low - for a typical 2000 hour work year a comapny would only get $100K, which doens't leave a lot of room for salary and benefits plus the margins consulting services seek. Either the IBM Consulting has some real low billing rates, or they did this as a favor to a big client.
  • After all, now that's he's been outsourced, what better job security post-9/11 than sitting in jail with all the "terr'rists"?
  • Eh ? (Score:5, Funny)

    by Delifisek (190943) on Saturday January 14, 2006 @03:37PM (#14472084) Homepage
    20k for undeleting account?

    Pheww...

    Now I understood why IBM four times bigger than Microsoft....
  • by mikkom (714956) on Saturday January 14, 2006 @03:37PM (#14472085) Homepage
    Isn't it quite obvious that he should go to jail for this?
    • Isn't it quite obvious that he should go to jail for this?

      You're new here, aren't you?
      • Okay, what I really meant that he should be penalized for this, he clearly did know what he was doing. It really doesn't matter if the security company overbilled IBM or not, he absolutely did knew what he was doing and should carry the consequences.
    • No. No it isn't obvious in the least. That you think it is makes my skin crawl in disgust. There were thousands of factors you were unaware of when you judged him, yet you are absolutely sure of yourself. My mind boggles. My mind boggles and my skin crawls.
      • by barc0001 (173002) on Saturday January 14, 2006 @04:09PM (#14472267)
        There were thousands of factors you were unaware of when you judged him, yet you are absolutely sure of yourself.

        Er, the court of LAW also judged him to be guilty of a crime, so therefore he faces the punishment for committing a crime. From TFA: But he kept an administrator-level SecureID card with him and used it to enter the network nine times.

        NINE times. That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

        However, let's look at this in simple terms without specifics. Your account and account are tools you need to do your job if you work in IT, correct? If the story said "Fired mechanic broke into the shop and cut up $10,000 worth of his replacements' tools and equipment with an acetylene torch" you wouldn't be saying "boo" about it, even though this would probably be quicker to recover from (borrow other workers' tools in the shop until insurance replaces them a few days later) than a forensic audit on a system (shut it down and lock everyone out until you figure out how someone got in and what they did).

        Here's the take-away from this: He was fired. He broke things belonging to the company after he was fired. That is a crime. He goes to jail for doing it. End of story.
        • That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.

          Ah, see, you don't know that. That's an assumption. You assume he's guilty of everyting you accuse him of because he probably is guilty of some of it. You can only punish him for what you can prove he did, and you can never prove his intention even if he announces what his intentions were. Similarly there are a lot of other things you cannot prove. Thousands of them.

          A court of law makes educated guesses. They are not su
    • I dunno. He had an immature hissy fit and deleted some guy's account. It was stupid and wrong, but I don't know how jail-worthy that is, legal technicalities aside. He ought to pay a hefty fine and have to live with that large scorch mark in his files (good luck finding a new tech job with that on your record).
      • ...good luck finding a new tech job with that on your record...

        I'd hire him. He's unlikely to make the same mistake twice, meaning I've got an employee who will be careful to stay out of trouble.
        • >He's unlikely to make the same mistake twice,

          His mistake was that he got caught.

          >meaning I've got an employee who will be careful to stay out of trouble.

          No, he's seen what he needs to do to avoid getting caught again. And he know exactly what to do legally if he does (but, again, knows what works and what doesn't).
          • If I'm dumb enough not to spot someone deliberately malicious at job interview, I don't stand in a very good position with or without him.
            • >If I'm dumb enough not to spot someone deliberately malicious at job interview

              How do you spot this in a hour long formal interview which the other person knows you are looking for flaws?
              • Well, first off I ditch formality...

                Then I question his motives. Why he wants this job. Why we should hire him. Then I move on to casual conversation. Simply getting to know him. Eventually I try to get him engaged in a subject he's passionate about. Maybe politics. If I find him to lack ethics or morals, he doesn't get the job. Amongst the applicants I should be able to find at least one trustworthy fellow.
      • It was stupid and wrong, but I don't know how jail-worthy that is, legal technicalities aside.

        They can get him for vandalism, destruction of private property, malicious mischief and probably some other things I haven't thought of if they want to badly enough. I don't know if they will, and I'm not sure they should, but the possibility's there.

    • by TheWanderingHermit (513872) on Saturday January 14, 2006 @03:49PM (#14472161)
      I will probably be modded to troll for saying this, since I've noticed that on Slashdot there are many people who are so busy being right they aren't secure enough to listen to a disagreeing opinion.

      There are a lot of people here who seem to feel that because they can figure out how to do something, they have the right to do it. "I can, therefore I should be allowed to," would sum it up. It's a group that feels that if you lose your job, you are justified in taking revenge, legal or illegal. While losing a job is a rough experience, it's part of life. Businesses change and let people go. If you're not a big enough person to accept it and move on, then maybe you weren't responsible enough to accept the job in the first palce.

      Yes, he should go to jail, but those that feel that they are, somehow because of their superior technical skills, some part of a "hacking elite" that should be able to break any laws they consider wrong (read: laws that are in their way, since, in their minds they are always right) and should be able to do so without consequence.

      It's a shame because such people really make it harder for the rest of us, both in discussions here and in life in general.
      • by thesandtiger (819476) on Saturday January 14, 2006 @07:46PM (#14473109)
        I will probably be modded to troll for saying this,

        I will probably be modded off-topic for saying this, but I've noticed that if one starts a comment saying "I'll probably get dinged on karma for this, but darn it, it needs to be said!" they will tend to be modified as insightful or interesting or informative, even when they are just stating the obvious.

        I'm not saying that your post wasn't insightful/informative/interesting, just that because you began by saying you'll be modded a troll you boosted the probability of a +5 rating substantially.

        Watch -

        I'll probably be modded off-topic for this, but darn it, it needs to be said: Ice is cold. Not as cold as dry ice, but still - cold enough that it's darned uncomfortable to have to have it on your skin.

        [sits back, lets the karma roll in and out - like the tides]
  • by ThatGeek (874983) on Saturday January 14, 2006 @03:42PM (#14472121) Homepage
    What most people will get out of it: people shouldn't break into computer systems and delete stuff

    What I get out of it: don't outsource IT to a firm that doesn't lock out former employees
    • What I get out of it: don't outsource IT to a firm that doesn't lock out former employees

      Especially a disgruntled former admin in charge of security who you just put on the unemployment line. However, this guy had pocketed an admin account SecurID card so you can't fault them entirely.

      There are seemingly few companies out there who have termination procedures as thorough as new hire procedures. There are even fewer who can lock out someone who had root. Moral of the story ... if you're going to dump

  • Oh Please... (Score:5, Interesting)

    by GodLived (517520) on Saturday January 14, 2006 @03:42PM (#14472123) Journal
    If you're going to let someone go who holds high computer or network credentials, please make sure you disable or terminate their access IMMEDIATELY PRIOR to informing them of your decision. Failure to do so makes the outsourcee become an insider threat.

    The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.
    • RFID devices (Score:4, Interesting)

      by Tim Ward (514198) on Saturday January 14, 2006 @03:52PM (#14472179) Homepage
      A member of my staff once resigned and left.

      A couple of days after he left it was observed that the front door was continually unlocking itself ... a quick log on to the access control system showed that the RFID tag doing the unlocking was the one belonging to the departed employee ...

      ... and in due course the tag was discovered in an envelope in HR's pigeon-hole; the guy, on discovering that nobody had asked him for his tag, had simply mailed it back, and as this was a proper hands free system with a range over a metre its position in the pigeon-hole was enough to unlock the door ...

      ... because of course as well as nobody remembering to ask him for the tag back nobody had remembered to disable it on the system either.

      Good thing he wasn't malicious, perhaps.

    • Re:Oh Please... (Score:5, Interesting)

      by techno-vampire (666512) on Saturday January 14, 2006 @04:05PM (#14472246) Homepage
      The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.

      Although I've never liked losing a job, I'd rather have that done than be allowed to wander out on my own. This way I have a witness that can testify that any damage done after I was terminated isn't my fault.

      Last time I was let go, I told my manager that I was logged in and asked him to come over to my desk and log me out because I didn't even want to touch that computer again. He told me that he trusted me not to do anything foolish, but I still had him watch me log out, just to be safe.

    • That's for sure! When we let someone go, there's no "2 weeks" or anything... they come and see me when "my email stopped working".

      "Yeah, about that... here's your severence cheque, a box for your stuff, and this guy will watch you pack up your shit and then escort you from the building."

      Just had to do this about 2 weeks ago with a programmer.

    • immediately after receiving their resignation

      Oops! You added that one by mistake. See, if they had any desire to harm you, then they would have done so before they gave their notice. They knew they were leaving on a certain date, even if you didn't, and had plenty of time to plan for it.

      Fire a guy? Sure, escort him out. If he's voluntarily leaving, though, the whole exercise is pointless.

    • Well, this is a good reason to install a 'dead man switch' - a special script which will destroy everything it can reach if you don't perform some 'keep-alive' action during a month.
      • even better, set up your path variable so that your user account home directory is searched before some other permenant system directory, have a script in your home directory responsable for something fairly frequent but not constant, maybe a weekly tape backup procedure. have the identically named script in the system directory be broken, either just a subtle flaw or a catistrophic nuke. that way if they delete your account the whole thing goes boom, and it's not even your fault they broke the system when
  • by hsmith (818216) on Saturday January 14, 2006 @03:43PM (#14472124)
    Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER.

    But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.
    • by tomhudson (43916) <barbara@hudson.barbara-hudson@com> on Saturday January 14, 2006 @03:50PM (#14472173) Journal

      Okay, I know this is slashdot and most people didn't RTFA:

      A federal judge disagreed and handed down a relatively light sentence of three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.

      So he IS going to repay them $$$, lots of it. Not just jail time.

    • by ThaFooz (900535) on Saturday January 14, 2006 @03:53PM (#14472187)
      Instead of sending him to jail for a crime which no one was hurt, have him repay the money AND then you save room in jail for a VIOLENT OFFENDER. But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.

      So your argument is that white collar criminals aren't really criminals? I don't buy it.
      • no, that there are worse criminals that deserve jail time. sentence the guy to 2000 hours of community service. save jail for the BAD people.
      • by TheRaven64 (641858) on Saturday January 14, 2006 @04:33PM (#14472378) Journal
        I would argue that jail time does not work as a deterrent (there are studies that back this up, but I have not yet seen one that supported the contrary view). The only valid justification for a custodial sentence is that the individual's continued freedom will have a negative impact of the freedoms of others (i.e. violent offenders who are not capable of reform). Putting someone in a prison is expensive, and often has exactly the opposite effect - the convict is allowed to mix with other, often worse, criminals and learn from them.

        What, in your opinion, does society gain from imprisoning this person? Does it deter him from future crimes more than the $25k fine? I would imagine that, since he is unlikely to work in IT ever again, this fine will have a much greater effect on his future life. Does it make society safer? Would anyone have been placed in any danger (either physical or financial) by this person having been free for the three months of the sentence? Does the sentence deter others from committing the same crime? I would imagine that the prospect of never working again in their chosen field and having to spend a while with a good chunk of their disposable income going to pay a fine is a much greater deterrent for most people.

    • by Peyna (14792) on Saturday January 14, 2006 @04:37PM (#14472396) Homepage
      We send white collar criminals to jail because while jail probably isn't much of a deterrent for your average bank robber, rapist or murderer (but might be what *those* type of criminals deserve), serving jail time can be VERY frightening for white collar criminals.

      So, if we send a few of them to jail, they'll either have to try harder not to get caught, or not do it. Unlike murder, most white collar crimes are not the type that you commit without any regard to the possible punishment. (In other words, most murderers probably readily accept their possible punishment of life in prison or death and go through with their actions knowing if they're caught it's over. If white collar criminals were not threatened with jail time, then there is very little of a deterrent, since most of them probably can afford to pay any fine we might charge, and if not, losing all your money and everything you own isn't as bad as going to jail if you're smart enough to get another good paying job later.)
  • by kmactane (18359) on Saturday January 14, 2006 @03:45PM (#14472145) Homepage

    The summary should read: Mr. Millot's attorneys argued that his actions did not amount to $5K in damage...

    It's those itsy-bitsy words that make all the difference.

  • WTF (Score:3, Interesting)

    by Anonymous Coward on Saturday January 14, 2006 @03:49PM (#14472163)
    So when a company breaks in my system (eMule, BitTorrent) I just can claim my $15/hour costs. But if it's IBM they can claim $20K.
    That's not justice, thats abuse of economic status.

    What happens if anyone sends an eMail to Bill Gates and he claims 10 seconds dagames for reading it?

  • by Blymie (231220) * on Saturday January 14, 2006 @03:53PM (#14472185)
    This was a crime, hands down. Period. End of story.

    If you read the article, there were multiple breakins, on multiple days, over a period of years.

    The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.

    Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.

    Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harsely as well, after all, they can not legally claim they are just "following orders".

    If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!

    We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.

    People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).

    Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?

    Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrents. I say, that democracy costs.

    To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with out countries, and make sure that extradition is a possiblilty. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.

    Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.

    Bleh.
    • I agree. What he did was no different than supergluing your desk drawers shut, filling the keyholes with glue, crapping on the desk and ripping the seat cushion to shreds. I find it strange that there are already posts blaming IBM for 'taking so long' to do things. Would you complain that a maintenance guy took to long to repair that kind of damage? Probably not.
  • Many people go to jail for just accessing systems without permission. This guy actually purposely caused harm... so I really don't see a reason for anyone to complain. Another point that nobody seems to make is that the time the administrators used to fix this was probably not the only time spent. Many managers probably had to spend time working on this, reporting etc.
  • by Oniros (53181) on Saturday January 14, 2006 @04:02PM (#14472226)
    Are you sure it's ineptitude? IBM didn't have to just restore the account, they pobably had to do a security audit to make sure the guy didn't do anything else, didn't plant backdoors, etc. Depending how much access and how big their net is, yeah that could be $20K. BTW IBM is more in the $100/hour range for consulting.
  • So... (Score:3, Insightful)

    by NoMoreNicksLeft (516230) <john.oyler@NOspam.comcast.net> on Saturday January 14, 2006 @04:03PM (#14472236) Journal
    When a new hire is set up with a network account, it costs $20,000 in bumbling MSCE ineptitude to click on the gui widgets in User and Groups, and create one?

    Because the cost of the investigation can't be counted. If you steal a $1 candybar from walmart, they're not allowed to add in the costs of the police investigation/arrest to the crime itself. Or else there'd never be any petty crime.
    • There's a huge difference between petty larceny and having illicit access to information systems. Petty larceny is pretty much an isolated crime.

      Ilicit access to information systems could be part of any or all of the following:

      1. Destruction of private property (information)
      2. Industrial espionage
      3. Fraud
      4. Identity theft
      All of which are quite a bit more serious than petty larceny.
  • by portwojc (201398) on Saturday January 14, 2006 @04:14PM (#14472281) Homepage
    What the guy did was wrong no doubt in that. I'm sure the auditors will have a field day with this one.

    Let an employee go and let him keep his SecurID and his access - smooth move.

  • I am deeply grateful to all those who gave their valuable insight and opinion into IBM's work whilst knowing jack sh*t about what they had to do and actually did. /sarcasm
  • Maybe it should be looked at as if it happened with a non-electronic breakin.

    What if he'd unlocked the front door with a copied key, broken off his coleague's key in the lock, maybe shredded a few random documents and destroyed the lock on a filing cabinet?

    I don't think this sort of punishment would be appropriate, so why is it just because it's electronic? Even if they hired $expensive_security_company to repair the lock and the filing cabinet, and then claimed that was the cost of damage...it would be co
  • This guy acted like a child, a spoiled one at that. As a result he's been sent to his room without any supper.

    Its time to grow up, and here's a few knocks from the clue-bat just to make sure you get the message.

    Lee
  • PR problems (Score:3, Interesting)

    by Tablizer (95088) on Saturday January 14, 2006 @04:32PM (#14472375) Homepage Journal
    I once worked at a company where a billing clerk embezzled about 5K USD. She noticed that some clients repeatedly double-paid bills because of the confusing layout of the bill. The previous billing system had a fix for this, but was recently replaced with one that had the same problem.

    So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.

    When eventually caught she was fired but not procesecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no procesuction. I think if they prosecuted the first one, it may have prevented the second.

    If the only risk is getting fired, then the incentive to embezzle is pretty high.
           
  • by LKM (227954) on Saturday January 14, 2006 @04:37PM (#14472391) Homepage

    I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.

    I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.

    I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.

    This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.

  • Just been reading about some american judge who send a repeat child rapist to a mere 2 months in jail and a guy who deletes a single account gets 3 months. Yeah yeah apples and oranges but something is very very wrong here. IF society is not served by sending the child rapist (who is claimed to be severely retarded) to jail then how is society served by sending this idiot to jail? Force him to communinity work for half a year for no pay or something.

    Ah well, amazing you can hire an IBM'er for 50 bucks an h

  • by The Famous Druid (89404) on Saturday January 14, 2006 @05:26PM (#14472497)
    1. The idiot who logged on to his former employers system and took a little childish revenge.

    2. The idiot who didn't disable the account of a security chief who's just been fired.

    Remind me never to do business with a company who are that lax with security.

  • by Belseth (835595) on Saturday January 14, 2006 @05:36PM (#14472549)
    You don't want to go to jail don't do it. Deleting files isn't exactly a harmless prank and it isn't entirely the fault of the vitim for not being better protected. If you really don't see the harm go in to work Monday and for a laugh format the hard drive on the server. If everyone laughes it off I guess I'm wrong but I'll bet the owners don't see the humor. The amount was inflated to avoid splitting hairs. If they claimed six grand in looses the attorney probably could have agrued it down to a lesser crime. The point wasn't so much to punish him but to avoid it becoming a fad to trash accounts when you get fired. One person could do tremedous damage in a short amount of time without physically destroying anything. They were stupid to not remove his priviledges but it doesn't excuse his actions.
  • by SHP (8391) on Saturday January 14, 2006 @07:36PM (#14473074)
    Unless I'm missing something, I cannot understand how IBM needed 20K worth of incident response services to figure out what happened. SecurID systems can log all activity. A simple check of the logs would have indicated who disabled the access and when.

    I would have told IBM to put that invoice where the sun don't shine if they tried to bill me for investigating such a simplisitic "compromise" of a system *they* were supposed to be managing.

    -SHP (CISSP, CISA)
    • Given the certifications you put after your name, you should know the first rule of a security investigation: never ever assume you know what happened at the outset. One of the first things IBM would've had to do is check everything to make sure what the logs were showing them was reliable and not something the cracker had planted to divert an investigation away from his real activities.

  • undo? (Score:4, Insightful)

    by mmThe1 (213136) on Saturday January 14, 2006 @10:48PM (#14473744) Homepage

    "The court disagreed, saying that IBM had done over $20K in work to undo his handiwork."

    TFA says something different. "BM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350." - which is not the same as 'undoing' whatever he did.

    I would also like to see another person sharing the guilty in this case -- the security/system administrators responsible for ensuring that every employee who leaves has his account access (via SecurID, or any other method) removed. For employees who get fired, this should be done *before* they're informed about the decision.
    If they don't do their job properly, they're effectively handling out daggers to ex-employees to come and stab the company anytime.

A rock store eventually closed down; they were taking too much for granite.

Working...