I was authorized to trash my employer's network, sysadmin tells court Back in December 2011, Michael Thomas did what many sysadmins secretly dream of doing: he trashed his employer's network and left a note saying he quit. As well as deleting ClickMotive's backups and notification systems for network problems, he cut off people's VPN access and "tinkered" with the Texas company's email servers. …
>If this guy wins, expect your next contract to be like something written by Tolstoy.
He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."
More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."
More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."
.. which is actually as it should be. In a normal business, IT is there to support the business in its objectives. Nuking the whole shebang strikes me as mildly conflicting with such an aim..
He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."
Ahh.. but this is an Appeal - handled by the 5th circuit. So it will be heard by a judge (or panel of judges), who are only interested in the technicalities and legalities. There is no jury.
"He won't. We have juries to even out the edges and maintain the spirit of the law"
This is an appeal. If the US system is anything like the UK it won't be heard by a jury. In fact, it's an argument on a point of law. It's up to the appeal court to decide if it makes sense.
Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."
If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.
Hope he loses. What an arse hat.
> Soldiers are "expressly authorised" to fire their rifles as well , but which direction makes a big difference
Actually they aren't. When deployed they are given rules of engagement which say what they can shoot and when.
Typically they'll be phrased as allowing any use of force in self defence or defence of your unit.
Example on wikipedia:- https://upload.wikimedia.org/wikipedia/commons/3/35/Operation_Provide_Relief.Rules_of_Engagement.jpg
this sys admin is not going to get away with his "damaging actions"
because that is what counts here.
We are all empowered to do things like updating and deleting and so on.
We are NOT empowered to do that with harmfull intent.
No authority given to any sysadmin (or cop, or pharmacist, or hairdresser (with the scissors...) was intended to allow anyone to do damage.
period.
this guy is going to cough up the 130K usd and his sentence will be upheld.
I wonder about the employment contract that a pilot signs before being left in control of a plane full of hundreds of people. Or the one that a surgeon signs before he or she is allowed to start cutting people open. There has to be a element of trust involved and when we are dealing with humans then there will always be a rare one who acts wrong, for whatever reason.
I recall I once go caught out by the two separate ODBC drivers on a windows OS (32 bit and 64 bit) and having checked and double check that the ODBC was set up for the right database, I ran an update that changed an in-use production system through the other one, costing us all 3 hours of time to recover from backups. I felt really bad for a week or so after, and I could not imagine ever doing anything but my utmost to protect the systems.
"We are all empowered to do things like updating and deleting and so on.
We are NOT empowered to do that with harmfull intent."
Hmm, what exactly is the difference?
I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?
Various methods - "reasonable doubt" and "a jury of your peers" spring to mind.
I doubt the jury of his peers will be suitably knowledgeable or experienced in IT, not that it matters per se in this instance whereby the rarity of common sense should suffice. However, it does raise the point of juries seldom being of your peers or suitably qualified - fraud trials spring to mind. That and "who is really free to perform jury duty these days without incurring undue hardship etc in a world of zero hour contracts?"
I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?
Trump has expressed support for waterboarding.
this sys admin is not going to get away with his "damaging actions" because that is what counts here.
No, there are two part to the law here - (1) Causing damage (2) Without Authorization.
Reading his appeal, many of the actions performed would be those reasonably expected by a sysadmin troubleshooting a problem. Because the company had backups of the servers, was there are real "damage" done?
Then, as mentioned in the appeal, there's the authorization aspect:
according to the plain language of the statute, a computer user can only cause “damage without authorization” if he has “no rights, limited or otherwise,” to “impair” the “integrity or availability” of the data or system at issue.
He had at least limited rights to impair integrity availability of data as a function of his job.
If this guy loses, he wins, Oh Homer, given the nature of the beast for taming ..... or shooting.
And here's something to think on, over the weekend ....... "When you see that in order to produce, you need to obtain permission from men who produce nothing; when you see that money is flowing to those who deal not in goods, but in favors; when you see that men get rich more easily by graft than by work, and your laws no longer protect you against them, but protect them against you, you may know that your society is doomed." - Ayn Rand
Do really smart folk need or read imprisoning contracts .... or are they the sub-prime vehicle of choice for dumb ignorant and sharp arrogant contractors?
"Everyone in the world disappears."
Ursula K Leguin had something to say about that in /The Lathe of Heaven/. The premise of that part of the book was more or less that (in the protagonist's view of things) humans can't function without conflict, so the only reason they wouldn't make war on each other was if they were making war on invading aliens.
I'd have to say overall that the book shows her to have had a very grim view of human nature.
While he was authorized to carry any one of the actions separately, most contracts also include one or more clauses of general character which prohibit the employee from doing anything intentionally to the detriment of the company.
In his specific case it may be possible that he has no such clauses. Employee No 2 in most companies ends up not having 2 miles of boilerplate legalese. It is quite possible that he had his duties spelled out, but the usual intent clauses where not there.
If that is the case:
1. His ex-employee is out of luck. There is no grounds for the usual unauthorized access charge.
2. This does not change a thing. The contract for 99.999% of people out there covers this case within the first 2-3 clauses so even if the court decides in his favor it will not result in any significant contractual changes for the rest of us.
"If a colleague of mine punches me in the face, that's assault whether or not her employment contract allows it. At least, I hope so..."
That's a specious analogy, but I'll still bite. If your colleague's contract allows hitting you in the face, it may be because you are both boxers, or doormen/bouncers at a training course, or involved in a military exercise e.g. SERE. In any of thes examples, she could hit you in the face and it would not be considered (criminal) assault.
And to add my $0.02 to the original discussion; the issue at stake here is whether he was technically, criminally guilty of acting without authorisation; not whether he was guilty of being an arse. It may well be that by the letter of his employment contract, he wasn't technically criminally guilty (because his employer didn't adequately specify what he was authorised to do and in what context), and therefore the prosecutors have brought the wrong charge and he should be exonerated. They may or may not then be in a position to bring a new charge, likely something to do with criminal interference in the running of a corporation, but that will be a different case.
Either way, there will be a lot of companies examining their sysadmin employment contracts to see if they are at risk. We as sysadmins should be doing the same.
"Which would be a civil matter (breach of contract) and not a criminal matter."
Up to a point, except that the criminal matter centres on whether he was authorised to do those things. If he's not authorised, it becomes an informatic version of criminal damage (because of how the Computer Misuse Act and similar are interpreted), and therefore it's a criminal matter.
So if the thing about not doing things "intentionally to the detriment of the company" is classed by the courts as a form of dis-authorisation of what he did, then he wasn't authorised to do them and gets hit by the criminal damage thing. (And it's entirely possible that there isn't such a thing *explicitly* in his contract, and it's equally possible that the court will treat it as implied.)
"Which would be a civil matter (breach of contract) and not a criminal matter."
If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage.
If someone with access to the company's ledgers used that to gain money to which they were not entitled it would be fraud, a criminal offence.
There's nothing novel in the application of criminal law in a case like this.
"If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage."
Your analogy is only accurate if smashing things up with a hammer was considered part of the job description, and written as such into the employment contract; without adequately specifying when it was appropriate to smash and when not. In this case, the company would have a hard time prosecuting for criminal damage (they'd have to prove it wasn't simply negligent) - much like this guy's lawsuit is trying to prove.
This is the problem with analogies - they frequently omit critical elements of the case and lead to faulty conclusions.
Except that destruction of other people's property, in general, is covered by statute. The authorization must be to specifically destroy something, such as by being part of a wrecking crew under contract.
That's where the appellate panel can nail him. Where is his specific and immediate authorization to destroy most of the company's records at that time?
I suspect that's what the lawsuit will hinge on. Bear in mind it's simply not possible for a sysadmin to have specific, immediate authorization for every instance of destroying information - they spend a significant proportion of each day doing just that (dropping tables, overwriting old backups, revoking access, deleting database records and so on) - so a typical employment contract will contain a blanket authorization as part of regular day-to-day duties. Where this case differs is context not content, whether this context was provably malicious; and whether that in itself constitutes a criminal offense.
Routine cleanup, yes, you can generally get a blanket exemption. But if it's significant, such as destroying a drive to ensure it's not skimmed, and so on, you usually have to sign off on it: for legal reasons, if nothing else.
Yes, but he wasn't physically destroying disks, was he? He was performing routine activities (database deletions etc) which in any other context would have been part of his job. Hence context, not the activity itself, is everything.
The key point here is that it's a civil matter, and should never have been treated as a criminal matter. He was an employee, and he was authorized to have the access he used and to perform the actions he took. What he did was wrong, but does not rise the the minimum level of "criminal". I think he's quite right about that.
That doesn't mean he isn't liable for civil damages for taking actions that were maliciously-motivated and knowingly counter to the interests of his employer. Any employment contract or company policy should have covered those areas, and the standard of proof in a civil matter is "on the balance of probability".
The criminal conviction should go. The $130,000 fine should stay as civil damages.
Of course every contract ever written now needs to be examined for the "null hypothesis" (a favorite with statisticians.)
In a peashell, unless otherwise spelled out as part of the contract and attachments, amendments, and references; a contract about performance also needs to be a contract about non-performance. What are the actions that could be taken to be liable for non-performance.
Of course, this is ridiculous and can't be specified without an infinite roll of TP. For example, you can't take a dump while on company time if your dump gets in the way of a critical piece of work.
There is nothing to promote this line of questioning other than the visions of more money in some legals eyes.
does that apply to the boss too?
If you manage to do that in a respectful manner (as in a spirited design discussion and you have an actual point to make) I would actually cough gently (I favour reserving off-dictionary language for rare occasions) and let it go. People say things like that when they're truly passionate about something, and as that's what I'm after I shouldn't make a fuss about some predictable side effects.
In my view, being an egotistic pr*ck makes you a manager, not a leader and I do my level best to keep such people out of the business as they only create aggro. I rather have a slightly dimmer bulb that can take as well as give than some prissy hotshot who seems to think he or she is God's gift to the world but can't take criticism or a discussion of alternatives. They can give themselves to other companies for all I care. You get far more out of a team that works well together that from one my-way-or-the-highway high maintenance genius, also because those tend to be one-trick ponies.
Been there, done that and the T shirt is by now a rag..
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
