Get Fired. Delete Colleague's Account. Go To Jail. 425
SierraPete writes "CNet reports that Thomas Millot, a former systems analyst for a major pharmaceutical company, has lost his appeal on a computer intrusion charge. Mr. Millot was convicted of unlawfully entering the system that he used to work on and deleting a colleague's account after his job was outsourced. Mr. Millot's attorneys argued that his actions did not amount to $5K in damage--the threshold for the crime he was convicted of. The court disagreed, saying that IBM had done over $20K in work to undo his handiwork." Update: 01/14 19:55 GMT by J : Typo corrected; turns out the word "not" is important...
IBM ineptitude (Score:5, Insightful)
Re:IBM ineptitude (Score:5, Interesting)
Re:IBM ineptitude (Score:5, Insightful)
The real effect of his record will be that it effectively bars him from working in I.T. Which might not be an entirely bad thing -- the guy DOES seem to have a pretty flexible moral compass, doesn't he?
My question is, why is this in "your rights online"?
Re:IBM ineptitude (Score:3, Insightful)
I d
Re:IBM ineptitude (Score:5, Insightful)
1. undo what little damage he did, and
2. make damn sure he didn't do anything more serious and insidious?
I'd call that about right.
Re:IBM ineptitude (Score:5, Insightful)
-2. Find out who was responsible.
1. Find exactly when and what happened.
0. Find out exactly how much damage was done.
1. undo what little damage he did, and
2. make damn sure he didn't do anything more serious and insidious?
I'd call that about right.
So would I, after my minor additions. (Yeah, they were implied, but you have to spell this kind of thing out for some people.)
Lessons ? (Score:3, Informative)
Lessons learned ? How about those:
- when they piss you off, don't just play a little, make sure you don't get caught at all. Do whatever that takes.
- don't just fool around with someones account, kill the company outright. If they fight for their life or are dead, there is less incentive to play games with you. You have the inside knowledge, so there is plenty of shit you can do. Be hard, swift and merciless.
I
Re:Lessons ? (Score:3)
- don't just fool around with someones account, kill the company outright. If they fight for their life or are dead, there is less incentive to play games with you.
How about acting like a grown up and don't mess with the system? And if the company died, you would see a witchhunt for you instead of an investigation.
Re:IBM ineptitude (Score:2)
3. 50 days while someone that is working on that isnt working on something else.
Re:IBM ineptitude (Score:2)
How much disagreement can there possibly be about this article? If you're an asshat and break the law, you should do time and pay the fine. I mean, seriously, now we know why they fired him!
Re:IBM ineptitude (Score:5, Insightful)
1. undo what little damage he did, and
2. make damn sure he didn't do anything more serious and insidious?
I'd call that about right.
Based on that reasoning why not 500 man days? 5,000?
"Damages" should be calculated based on actual damages. If not, there's really no limit to how much damage they can claim.
It's not that I necessarily believe that the number 50 is unreasonable, it's that the argument you're using to support it certainly is.
Imagine if this was applied to someone who stole a $1 candy bar: Yes, it only took $1 to replace the candy bar, but we had to spend $10,000 to inventory the whole store.
Re:IBM ineptitude (Score:3, Insightful)
Re:IBM ineptitude (Score:3, Insightful)
Re:IBM ineptitude (Score:3, Insightful)
Re:IBM ineptitude (Score:5, Insightful)
It was not his account he was using to access it, but rather an auxilary "Admin-level" card he stole. He was in charge of admin-ing the SecureID tokens, and had issued "spare" or "loaner" tokens. Bad security policy yes, but perhaps they outsourced his job because he made stupid policy decisions. Perhasp they should have done a full audit when he was let go, but in large companies this can be extremely difficult and disruptive, and still doesn't cover all the potential backdoors/traps/trojans a malicious admin could lay. The reality is you trust professionals to do whast right, they were already ahead of the game using token based authentication, its impossible for him to have a co-workers password
Blaming the victim is always bad policy, and you should feel no remorse for a criminal who has put IT professionals in a bad light. This wasn't one stupid momment, it was a series of really dumb decisions.
1. Steal SecureID token from company you no longer work for
2. Access (9 times at least!) former company's private network
3. Vandalize former comapny by deleting data
Personally, I'd feel fine if the company added lost productivity to the toll, not just for the manager, but for any projects that were delayed as a result of his criminal behavior, etc. This idiot got off light, don't be an idiot yourself and sympathize with him.
Re:IBM ineptitude (Score:5, Insightful)
No system is 100% secure. Even if you do assume their security is state-of-the-art, there's still a margin of vulnerability. In this case, a security professional who was responsible for those systems abused his knowledge and former access to gain entry. Once he's in, there's no telling how many hacks, exploits, and sneaky tricks (not to mention previously-installed backdoors) he knows and can use to his advantage.
No matter what their level of security and how much money they spent hardening everything in the past, they simply cannot be positive he hasn't found a way to sneak around their logs, sniffers, and monitors and install a rootkit. 50 man-days to recover doesn't sound so bad when you consider that one successful intrusion (however difficult it was to achieve) can result in an invisible-yet-gaping orifice that leaves all that hard-earned security worthless to future penetration.
I agree that what Mr. Millot did is pretty stupid and stinks of 'amateur,' but IBM is operating in paranoia mode (and rightly so!). What if this guy is a pansy who knows just enough to get himself caught, but he was hired by a shady individual to plant a stealthy something and deleted the account as an afterthought? How does IBM know that their system isn't still compromised by something like that? Because they spent 50 man-days wiping and re-imaging systems or poring over md5 signatures or whatever it is they do in a situation like this.
Actually, they still can't be 100% positive, but at least they were (to paraphrase the parent) duly diligent.
This is simply billed hours, and he deserved it (Score:3, Interesting)
Re:IBM ineptitude (Score:2)
Yes, that's my thought too. The amount of damage claimed doesn't seem reasonable at all, unless you want to count court costs. Kind of like the kid who's going to be up for some sort of ridiculous felony for telling everybody to hit 'refresh' on his school's web-page when it was more of a 'disturbing the peace' sort of offense.
What difference does that make? (Score:2, Insightful)
Re:What difference does that make? (Score:3, Informative)
First, people can make mistakes. I'd be hesitant to hire the guy again, but I might consider it.
Secondly, levels of offense, sentences and sentencing guidelines exist for a reason.
Though, maybe we should take your tack and say all crimes are punishable by death! After all, it doesn't matter how bad the offense was, the punishment should be very high no matter what. So, lets give the highest punishment possible for every crime!
Re:What difference does that make? (Score:3, Insightful)
Re:What difference does that make? (Score:2)
To me, a mistake would be logging onto the system once after getting fired. I don't think that the guy made a "mistake".
-h-
Re:What difference does that make? (Score:2)
A mistake would be forgetting to return the SecurID.
What he did took malice and forethought. The lightest thing you could call it would be a "lapse of judgement".
Re:What difference does that make? (Score:3, Insightful)
did I mention delete the account?
Sorry about the excessive use of caps but the solution seems so very painfully obvious. Deleting the person's account when they leave protects both parties. The employee will not be able to do what that guy did and loging when they get home and do lots of damage, not that a sysadmin shouldn't make backups, and it prevents someone from changing the pword of the person who just left and connecting from an open access
Re:What difference does that make? (Score:2)
Mistake != accident. Mistakes can be even serious errors in judgement. What matters is that you recognize that you did something wrong, and would choose differently were the choice open to you again. And while it can be hard to tell whether or not the change in worldview has really occured until the person has the same opportunity, I'm open to giving people the benefit of a doubt.
Re:What difference does that make? (Score:2)
Hmmm... After RTFAing, I still don't think the claim of damages was reasonable. But I do think the sentence was reasonable. But I do disagree with "This guy deserves what he gets.".
Re:IBM ineptitude (Score:2)
I've seen 10 minute jobs get stretched out to 2 months or more - and I'm not kidding in the slightest. The second you try to argue with these guys about how they are doing it these people would bite my head off and start talking about security this or installation that. It got to the point where I'd call the owners of these shops and tell them I can't wor
not completely (Score:2)
It was not IBM that owned the system, IBM was doing the work. We don't know the status of their backups, security. Part of what may be included is the time spent detecting any backdoors or other potential breaches by the Defendant. How do they know that he only deleted the account and not added a backdoor or timebomb?
Re:IBM ineptitude (Score:5, Insightful)
Re:IBM ineptitude (Score:2)
I doubt they could get away with trying to give their billing rate in court.
Re:IBM ineptitude (Score:2)
Re:IBM ineptitude (Score:2)
That's the whole point. I have never ever seen such low rates from IBM Global services or any other IBM department as well. The rates are more in the 150-300$/hr bracket. The total amount charged represent something like 7-15 man/days.
Re:IBM ineptitude (Score:4, Insightful)
Here's some basic information:
- Those 5 or 50 man days were spent cleaning up on the incident, and are not recoverable. (As opposed to endless meetings that "optimize" the performance of the company.) While it may not seem like a lot, it just takes one lost man day on a critical path to slow down an entire project.
- Restoring from backup is not typically a drag-and-drop operation. In general, most large companies use backup tapes to store a large amount of data, and those are not typically random access.
- When there is a person with Administrator privilages that made the changes, you need to assume Rootkit. This takes a lot of time to steralize the computer and examine what went wrong. In addition, you can't always assume that the logs are legitimate.
- You still need to to check whether a script kiddie simply cracked the password to an account, or if it was a disgruntled employee that used an idle account.
What appears to be a simple 5 man hours of work can easily balloon into 50, especially when you have to prove things beyond a reasonable doubt for a criminial conviction.
No, he didn't screw up. A screw-up requires incompetance, and does not apply to malice of any form (unless the incompetance existed during the malicious act.)
Re:IBM ineptitude (Score:2)
Perhaps the server had to be taken down for a quarter of a day (2 hours) and the company has 200 employees? That's 50 man days lost right there. Perhaps the intruder deleted the logs and the entire security setup had to be audited to detect and remove any other back doors he may have put in. Perhaps they got hit with fines due to some data protection law.
Just some thoughts.
Michael
Re:IBM ineptitude (Score:2)
Are you suggesting that IBM charged Aventis the amount that Aventis lost in productivity?
Re:IBM ineptitude (Score:5, Funny)
Re:IBM ineptitude (Score:5, Interesting)
Funny you should ask. I have had several recent jobs cleaning up after IBM consultants. I finally had the chance to find out what is going on. It goes like this: IBM keep their top talent hard at work on the big multli-million dollar contracts. For the rest, it is anyone they can get off the street.
I learned of this when I recently had a job interview with IBM. They had already signed a $2 million contract with a government agency to build a computational data center, but had no available staff to allocate to the contract. The interviewer was completely candid with me when I asked about why they would sign a contract they couldn't fulfill. He said it happens all the time and is standard operating procedure. They simply hire contractors as needed. I turned the job down.
Ready for the punchline? They hired a guy that I have worked with in the past. This guy has no prior experience working with the technology he will be deploying. He is a decent guy, but he will be figuring things out on the fly. He is the best they could do. He is being sent in as an expert consultant by IBM. Think he will bill more hours than someone with actual experience?
I recently asked a former customer of mine, who works IT for a large university, why people would hire IBM over a smaller company with more expertise. He said that as far as his boss is concerned, if you hire IBM and they screw something up, you are covered because you went with IBM. This same customer then went on to tell me how IBM completely botched a $1 million installation job at his university last year. They are in court over it.
If this guy had a good lawyer they should have audited all the work done by IBM and the qualifications of the people doing the work.
Re:IBM ineptitude (Score:3, Funny)
You say this like it's something unusual. If so, I doubt you have much experience with company with an employee base of >1.
Here's a story that might help you understand a little better:
A salesman and a technician wenet bear hunting. They hiked up into the mountains, to get to a remote cabin. When they got there, the salesman said "OK, you unpack, and I'll go find us s
Re:IBM ineptitude (Score:2, Insightful)
* an account manager to handle the issue with the customer
* a senior analyst to evaluate the situation and make an action plan
* a systems analyst to make recommandations to prevent this kind of issue in the future (new ACLs, firewall rules, etc)
* a couple of technicians to carry out the job (log scanning, password reset, etc)
* a security specialist to proceed to an ethical hack
You're obviously not a security consultant. (Score:2)
Think about the situation they had here. A disgruntled former employee who left himself at least one back door has performed at least one malicious deletion. According to you, close the single backdoor you've discovered, undo the single deletion
Re:IBM ineptitude (Score:2)
Well, it sure beats having to look for another job (Score:2)
Eh ? (Score:5, Funny)
Pheww...
Now I understood why IBM four times bigger than Microsoft....
Go to jail already. (Score:4, Insightful)
Re:Go to jail already. (Score:2)
You're new here, aren't you?
Re:Go to jail already. (Score:2)
Re:Go to jail already. (Score:5, Funny)
His ID: 714956
My ID: 33885
And they say the public education system is failing us.
As an aside, I was here when slashdot started registration. I stayed an AC for a while on some stupid principle. And then I decided I really wanted good karma. Looking back, I should have registered immediately... I could have sold it on eBay.
Re:Go to jail already. (Score:2)
Re:Go to jail already. (Score:5, Insightful)
Er, the court of LAW also judged him to be guilty of a crime, so therefore he faces the punishment for committing a crime. From TFA: But he kept an administrator-level SecureID card with him and used it to enter the network nine times.
NINE times. That's not a quick leaving-day "fuck-you" to the Man, that's premeditated and deliberate.
However, let's look at this in simple terms without specifics. Your account and account are tools you need to do your job if you work in IT, correct? If the story said "Fired mechanic broke into the shop and cut up $10,000 worth of his replacements' tools and equipment with an acetylene torch" you wouldn't be saying "boo" about it, even though this would probably be quicker to recover from (borrow other workers' tools in the shop until insurance replaces them a few days later) than a forensic audit on a system (shut it down and lock everyone out until you figure out how someone got in and what they did).
Here's the take-away from this: He was fired. He broke things belonging to the company after he was fired. That is a crime. He goes to jail for doing it. End of story.
Re:Go to jail already. (Score:3, Insightful)
Ah, see, you don't know that. That's an assumption. You assume he's guilty of everyting you accuse him of because he probably is guilty of some of it. You can only punish him for what you can prove he did, and you can never prove his intention even if he announces what his intentions were. Similarly there are a lot of other things you cannot prove. Thousands of them.
A court of law makes educated guesses. They are not su
Re:Go to jail already. (Score:2)
No, although that's a common misconception. Trespass isn't a felony or even a misdemenor. It's an infraction, rather like a speeding ticket. If the trespasser does no damage and breaks no other laws in the process, the most the police will do (if they come out at all) is give them a ticket and ask them to leave.
Re:Go to jail already. (Score:2)
Re:Go to jail already. (Score:2)
I'd hire him. He's unlikely to make the same mistake twice, meaning I've got an employee who will be careful to stay out of trouble.
Re:Go to jail already. (Score:2)
His mistake was that he got caught.
>meaning I've got an employee who will be careful to stay out of trouble.
No, he's seen what he needs to do to avoid getting caught again. And he know exactly what to do legally if he does (but, again, knows what works and what doesn't).
Re:Go to jail already. (Score:2)
Re:Go to jail already. (Score:2)
How do you spot this in a hour long formal interview which the other person knows you are looking for flaws?
Re:Go to jail already. (Score:2)
Then I question his motives. Why he wants this job. Why we should hire him. Then I move on to casual conversation. Simply getting to know him. Eventually I try to get him engaged in a subject he's passionate about. Maybe politics. If I find him to lack ethics or morals, he doesn't get the job. Amongst the applicants I should be able to find at least one trustworthy fellow.
Re:Go to jail already. (Score:2)
They can get him for vandalism, destruction of private property, malicious mischief and probably some other things I haven't thought of if they want to badly enough. I don't know if they will, and I'm not sure they should, but the possibility's there.
Re:Go to jail already. (Score:5, Insightful)
There are a lot of people here who seem to feel that because they can figure out how to do something, they have the right to do it. "I can, therefore I should be allowed to," would sum it up. It's a group that feels that if you lose your job, you are justified in taking revenge, legal or illegal. While losing a job is a rough experience, it's part of life. Businesses change and let people go. If you're not a big enough person to accept it and move on, then maybe you weren't responsible enough to accept the job in the first palce.
Yes, he should go to jail, but those that feel that they are, somehow because of their superior technical skills, some part of a "hacking elite" that should be able to break any laws they consider wrong (read: laws that are in their way, since, in their minds they are always right) and should be able to do so without consequence.
It's a shame because such people really make it harder for the rest of us, both in discussions here and in life in general.
Re:Go to jail already. (Score:5, Funny)
I will probably be modded off-topic for saying this, but I've noticed that if one starts a comment saying "I'll probably get dinged on karma for this, but darn it, it needs to be said!" they will tend to be modified as insightful or interesting or informative, even when they are just stating the obvious.
I'm not saying that your post wasn't insightful/informative/interesting, just that because you began by saying you'll be modded a troll you boosted the probability of a +5 rating substantially.
Watch -
I'll probably be modded off-topic for this, but darn it, it needs to be said: Ice is cold. Not as cold as dry ice, but still - cold enough that it's darned uncomfortable to have to have it on your skin.
[sits back, lets the karma roll in and out - like the tides]
Two lessons in there (Score:5, Insightful)
What I get out of it: don't outsource IT to a firm that doesn't lock out former employees
Re:Two lessons in there (Score:2)
Especially a disgruntled former admin in charge of security who you just put on the unemployment line. However, this guy had pocketed an admin account SecurID card so you can't fault them entirely.
There are seemingly few companies out there who have termination procedures as thorough as new hire procedures. There are even fewer who can lock out someone who had root. Moral of the story ... if you're going to dump
Oh Please... (Score:5, Interesting)
The best security policy - although it seems cruel - is to escort someone out of the building immediately after receiving their resignation, or informing them that they are being terminated - and simultaneously disable their tokens, badges, RFID devices, company credit cards, voicemail accounts.
RFID devices (Score:4, Interesting)
A couple of days after he left it was observed that the front door was continually unlocking itself
Good thing he wasn't malicious, perhaps.
Re:Oh Please... (Score:5, Interesting)
Although I've never liked losing a job, I'd rather have that done than be allowed to wander out on my own. This way I have a witness that can testify that any damage done after I was terminated isn't my fault.
Last time I was let go, I told my manager that I was logged in and asked him to come over to my desk and log me out because I didn't even want to touch that computer again. He told me that he trusted me not to do anything foolish, but I still had him watch me log out, just to be safe.
Re:Oh Please... - THE CRON JOB (Score:3, Funny)
Re:Oh Please... - THE CRON JOB (Score:2)
Re:Oh Please... (Score:2)
"Yeah, about that... here's your severence cheque, a box for your stuff, and this guy will watch you pack up your shit and then escort you from the building."
Just had to do this about 2 weeks ago with a programmer.
Re:Oh Please... (Score:2)
Oops! You added that one by mistake. See, if they had any desire to harm you, then they would have done so before they gave their notice. They knew they were leaving on a certain date, even if you didn't, and had plenty of time to plan for it.
Fire a guy? Sure, escort him out. If he's voluntarily leaving, though, the whole exercise is pointless.
Re:Oh Please... (Score:2)
Re:Oh Please... (Score:2)
Re:Oh Please... (Score:3, Insightful)
If they've been fired, why the hell would you want them training anyone anyway?
Or here is a better idea (Score:5, Insightful)
But I guess it makes more sense to let child molesters on the street and keep a dangerous hacker behind bars! What has this country come to.
Re:Or here is a better idea (Score:5, Informative)
Okay, I know this is slashdot and most people didn't RTFA:
So he IS going to repay them $$$, lots of it. Not just jail time.
Re:Or here is a better idea (Score:5, Insightful)
So your argument is that white collar criminals aren't really criminals? I don't buy it.
Re:Or here is a better idea (Score:2)
Re:Or here is a better idea (Score:5, Insightful)
What, in your opinion, does society gain from imprisoning this person? Does it deter him from future crimes more than the $25k fine? I would imagine that, since he is unlikely to work in IT ever again, this fine will have a much greater effect on his future life. Does it make society safer? Would anyone have been placed in any danger (either physical or financial) by this person having been free for the three months of the sentence? Does the sentence deter others from committing the same crime? I would imagine that the prospect of never working again in their chosen field and having to spend a while with a good chunk of their disposable income going to pay a fine is a much greater deterrent for most people.
Re:Or here is a better idea (Score:5, Interesting)
So, if we send a few of them to jail, they'll either have to try harder not to get caught, or not do it. Unlike murder, most white collar crimes are not the type that you commit without any regard to the possible punishment. (In other words, most murderers probably readily accept their possible punishment of life in prison or death and go through with their actions knowing if they're caught it's over. If white collar criminals were not threatened with jail time, then there is very little of a deterrent, since most of them probably can afford to pay any fine we might charge, and if not, losing all your money and everything you own isn't as bad as going to jail if you're smart enough to get another good paying job later.)
Missing "Not" In Summary (Score:5, Informative)
The summary should read: Mr. Millot's attorneys argued that his actions did not amount to $5K in damage...
It's those itsy-bitsy words that make all the difference.
WTF (Score:3, Interesting)
That's not justice, thats abuse of economic status.
What happens if anyone sends an eMail to Bill Gates and he claims 10 seconds dagames for reading it?
Excellent, let's see MORE of this (Score:5, Insightful)
If you read the article, there were multiple breakins, on multiple days, over a period of years.
The last likely removed files between backups, resulting in time lost for the employee. It doesn't speak of what was done during previous raids by this crook, but it is quite possible other costs were attributed to previous breakins.
Crimes like this should be punished, and harshly. This crook should receive a couple of years, for something like this. Perhaps more.
Why so harsh, you ask? It's simple. We need to start attributing _real_ penalties to crime on the internet. Sony, for example, should have seen criminal charges levied against the employees, management and all that had anything to do with that back door. Fines should have been in the billions. Yes, billions, as they should have received several thousands in fines per count. Employees must be treated harsely as well, after all, they can not legally claim they are just "following orders".
If you know your employer is doing something illegal, you are BREAKING THE LAW if you do not report such an act! If you work with the employer, helping to break the law, guess what! It's jail time for you!
We need (well, actually.. needed to, past tense) lock down crime on the internet a long time ago. We really have two choices here. We pay for police presence on the internet, judges that understand the crimes being committed.. or we leave the internet open and lawless.. and see horrid restrictions come down as a result.
People won't put up with cracking all over the place. The public will demand security. The public is indeed, starting to. It can come from laws and police enforcement of those laws.. or draconian laws that restrict rights and freedom on the net (DRM).
Which do you choose? DRM all over the place, locked down bioses and operating systems, logging so intense that ISPs keep a year of detailed backlogs, or realistic laws and paid for strong police presence on the net?
Police all over the world are crying out that they are overburdened with crimes on the net. They are claiming that they don't have the ability to catch crooks, because they need new laws. It's happening right here, in Canada. It's happening, because police _don't_ have the manpower to handle crime on the net, by tracking down crime in the standard fashion. The answer, to them, is increased logging and wiretaps/net taps without warrents. I say, that democracy costs.
To that end, we need to train judges and police to specifically handle computer crime. We need to enact treaties with out countries, and make sure that extradition is a possiblilty. We need to make sure that the police do not have unlimited ability to spy, but that there are judges in place that can issue warrants when the cause is evident. Fund the police, or allow DRM. Again, that is the choice we have.
Anyhow, back to this particular case. A case like this, should be treated as if a physical breakin occurred, sentence wise. This guy KNEW he was breaking the law. He KNEW he was being an asshole. Being employed by someone does not entitle you to smash things in a temper tantrum, years after you've been fired or outsourced.
Bleh.
Re:Excellent, let's see MORE of this (Score:2)
This is a fair decision IMO. (Score:2, Interesting)
Probably not ineptitude, but security audit (Score:3, Insightful)
So... (Score:3, Insightful)
Because the cost of the investigation can't be counted. If you steal a $1 candybar from walmart, they're not allowed to add in the costs of the police investigation/arrest to the crime itself. Or else there'd never be any petty crime.
Re:So... (Score:2)
Ilicit access to information systems could be part of any or all of the following:
- Destruction of private property (information)
- Industrial espionage
- Fraud
- Identity theft
All of which are quite a bit more serious than petty larceny.Re:So... (Score:2)
Aventis account policies (Score:3, Interesting)
Let an employee go and let him keep his SecurID and his access - smooth move.
Deeply, deeply, deeply (Score:2)
Compare to physical crime maybe? (Score:2, Insightful)
What if he'd unlocked the front door with a copied key, broken off his coleague's key in the lock, maybe shredded a few random documents and destroyed the lock on a filing cabinet?
I don't think this sort of punishment would be appropriate, so why is it just because it's electronic? Even if they hired $expensive_security_company to repair the lock and the filing cabinet, and then claimed that was the cost of damage...it would be co
Act like a child, be treated like a child (Score:2)
Its time to grow up, and here's a few knocks from the clue-bat just to make sure you get the message.
Lee
PR problems (Score:3, Interesting)
So she managed to reroute the extra payment to her bank account. The internal books still balanced because it was a double payment on the client's part.
When eventually caught she was fired but not procesecuted because prosecution brings bad PR to the company. 2 years later somebody pulled another accounting embezzlement trick and still no procesuction. I think if they prosecuted the first one, it may have prevented the second.
If the only risk is getting fired, then the incentive to embezzle is pretty high.
It's a crime. That doesn't mean "jail time". (Score:5, Insightful)
I've seen lots of similar comments about how what he did was wrong and that he should therefore go to jail.
I don't think anyone claims what he did was not wrong, but jail time isn't the only answer our society has to crime. The question here is not whether what he did was wrong. The question is whether he should go to jail for it.
I say no. We already send too many people to jail. Generally, jail time is bad. It costs our society money, and it makes the situation worse for those spending the time in jail, and it makes our society worse because these people will most likely come out of the jail a worse person than when they went in.
This person here didn't harm anyone. He harmed a company. And he didn't do anything which can't be undone by recovering the data from a backup. Really, what he did was wrong, but it is hardly something worth putting him in jail for.
Legal system is insane (Score:2)
Ah well, amazing you can hire an IBM'er for 50 bucks an h
There are 2 idiots in this story (Score:5, Insightful)
2. The idiot who didn't disable the account of a security chief who's just been fired.
Remind me never to do business with a company who are that lax with security.
Seems simple enough (Score:3, Insightful)
IBM was grossly incompetent (Score:3, Informative)
I would have told IBM to put that invoice where the sun don't shine if they tried to bill me for investigating such a simplisitic "compromise" of a system *they* were supposed to be managing.
-SHP (CISSP, CISA)
Re:IBM was grossly incompetent (Score:3, Insightful)
Given the certifications you put after your name, you should know the first rule of a security investigation: never ever assume you know what happened at the outset. One of the first things IBM would've had to do is check everything to make sure what the logs were showing them was reliable and not something the cracker had planted to divert an investigation away from his real activities.
undo? (Score:4, Insightful)
"The court disagreed, saying that IBM had done over $20K in work to undo his handiwork."
TFA says something different. "BM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350." - which is not the same as 'undoing' whatever he did.
I would also like to see another person sharing the guilty in this case -- the security/system administrators responsible for ensuring that every employee who leaves has his account access (via SecurID, or any other method) removed. For employees who get fired, this should be done *before* they're informed about the decision.
If they don't do their job properly, they're effectively handling out daggers to ex-employees to come and stab the company anytime.
Re:If IBM charged 20K . . . . (Score:3, Funny)