nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
I was authorized to trash my employer's network, sysadmin tells court

Silver badge
Angel

"I wish for world peace"

Everyone in the world disappears.

The next wish is a 4000 page definition of what exactly "world peace" should entail.

If this guy wins, expect your next contract to be like something written by Tolstoy.

37
0
Silver badge

Re: "I wish for world peace"

>If this guy wins, expect your next contract to be like something written by Tolstoy.

He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."

More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."

12
3
Anonymous Coward

Re: "I wish for world peace"

More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."

.. which is actually as it should be. In a normal business, IT is there to support the business in its objectives. Nuking the whole shebang strikes me as mildly conflicting with such an aim..

16
0
Silver badge

Re: "I wish for world peace"

Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."

If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.

Hope he loses. What an arse hat.

11
9
Silver badge

Re: "I wish for world peace"

Soldiers are "expressly authorised" to fire their rifles as well , but which direction makes a big difference

23
4
Bronze badge

Re: "I wish for world peace"

> Soldiers are "expressly authorised" to fire their rifles as well , but which direction makes a big difference

Actually they aren't. When deployed they are given rules of engagement which say what they can shoot and when.

Typically they'll be phrased as allowing any use of force in self defence or defence of your unit.

Example on wikipedia:- https://upload.wikimedia.org/wikipedia/commons/3/35/Operation_Provide_Relief.Rules_of_Engagement.jpg

15
2

Re: "I wish for world peace" ---- of course, we all do, but not necessary

this sys admin is not going to get away with his "damaging actions"

because that is what counts here.

We are all empowered to do things like updating and deleting and so on.

We are NOT empowered to do that with harmfull intent.

No authority given to any sysadmin (or cop, or pharmacist, or hairdresser (with the scissors...) was intended to allow anyone to do damage.

period.

this guy is going to cough up the 130K usd and his sentence will be upheld.

10
5
Silver badge

Re: "I wish for world peace" ---- of course, we all do, but not necessary

I wonder about the employment contract that a pilot signs before being left in control of a plane full of hundreds of people. Or the one that a surgeon signs before he or she is allowed to start cutting people open. There has to be a element of trust involved and when we are dealing with humans then there will always be a rare one who acts wrong, for whatever reason.

I recall I once go caught out by the two separate ODBC drivers on a windows OS (32 bit and 64 bit) and having checked and double check that the ODBC was set up for the right database, I ran an update that changed an in-use production system through the other one, costing us all 3 hours of time to recover from backups. I felt really bad for a week or so after, and I could not imagine ever doing anything but my utmost to protect the systems.

8
0
Silver badge
WTF?

Re: "I wish for world peace" ---- of course, we all do, but not necessary

"We are all empowered to do things like updating and deleting and so on.

We are NOT empowered to do that with harmfull intent."

Hmm, what exactly is the difference?

I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?

6
2
Silver badge

Re: "I wish for world peace" ---- of course, we all do, but not necessary

Hanlon's Razor, or its corollary: "Sufficiently advanced stupidity is indistinguishable from malice".

10
1

Re: "I wish for world peace" ---- of course, we all do, but not necessary

"how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?"

Various methods - "reasonable doubt" and "a jury of your peers" spring to mind.

8
0
Silver badge

Re: "I wish for world peace" @Oh Homer

If this guy loses, he wins, Oh Homer, given the nature of the beast for taming ..... or shooting.

And here's something to think on, over the weekend ....... "When you see that in order to produce, you need to obtain permission from men who produce nothing; when you see that money is flowing to those who deal not in goods, but in favors; when you see that men get rich more easily by graft than by work, and your laws no longer protect you against them, but protect them against you, you may know that your society is doomed." - Ayn Rand

Do really smart folk need or read imprisoning contracts .... or are they the sub-prime vehicle of choice for dumb ignorant and sharp arrogant contractors?

2
1
Silver badge

Re: "I wish for world peace" ---- of course, we all do, but not necessary

I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?

Trump has expressed support for waterboarding.

1
4

Re: "I wish for world peace"

He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."

Ahh.. but this is an Appeal - handled by the 5th circuit. So it will be heard by a judge (or panel of judges), who are only interested in the technicalities and legalities. There is no jury.

3
0
Anonymous Coward

Re: "I wish for world peace" ---- of course, we all do, but not necessary

this sys admin is not going to get away with his "damaging actions" because that is what counts here.

No, there are two part to the law here - (1) Causing damage (2) Without Authorization.

Reading his appeal, many of the actions performed would be those reasonably expected by a sysadmin troubleshooting a problem. Because the company had backups of the servers, was there are real "damage" done?

Then, as mentioned in the appeal, there's the authorization aspect:

according to the plain language of the statute, a computer user can only cause “damage without authorization” if he has “no rights, limited or otherwise,” to “impair” the “integrity or availability” of the data or system at issue.

He had at least limited rights to impair integrity availability of data as a function of his job.

0
0
Silver badge

Re: "I wish for world peace"

"He won't. We have juries to even out the edges and maintain the spirit of the law"

This is an appeal. If the US system is anything like the UK it won't be heard by a jury. In fact, it's an argument on a point of law. It's up to the appeal court to decide if it makes sense.

1
0
Bronze badge

Re: "I wish for world peace"

"Everyone in the world disappears."

Ursula K Leguin had something to say about that in /The Lathe of Heaven/. The premise of that part of the book was more or less that (in the protagonist's view of things) humans can't function without conflict, so the only reason they wouldn't make war on each other was if they were making war on invading aliens.

I'd have to say overall that the book shows her to have had a very grim view of human nature.

0
0
Anonymous Coward

Re: "I wish for world peace" ---- of course, we all do, but not necessary

Various methods - "reasonable doubt" and "a jury of your peers" spring to mind.

I doubt the jury of his peers will be suitably knowledgeable or experienced in IT, not that it matters per se in this instance whereby the rarity of common sense should suffice. However, it does raise the point of juries seldom being of your peers or suitably qualified - fraud trials spring to mind. That and "who is really free to perform jury duty these days without incurring undue hardship etc in a world of zero hour contracts?"

0
0
Silver badge
Devil

This should be covered by a different clause in the contract

While he was authorized to carry any one of the actions separately, most contracts also include one or more clauses of general character which prohibit the employee from doing anything intentionally to the detriment of the company.

In his specific case it may be possible that he has no such clauses. Employee No 2 in most companies ends up not having 2 miles of boilerplate legalese. It is quite possible that he had his duties spelled out, but the usual intent clauses where not there.

If that is the case:

1. His ex-employee is out of luck. There is no grounds for the usual unauthorized access charge.

2. This does not change a thing. The contract for 99.999% of people out there covers this case within the first 2-3 clauses so even if the court decides in his favor it will not result in any significant contractual changes for the rest of us.

19
0
Silver badge

Re: This should be covered by a different clause in the contract

"clauses of general character which prohibit the employee from doing anything intentionally to the detriment of the company."

Which would be a civil matter (breach of contract) and not a criminal matter.

23
0
Gold badge

Re: This should be covered by a different clause in the contract

"a civil matter"

I wouldn't be so sure. If a colleague of mine punches me in the face, that's assault whether or not her employment contract allows it. At least, I hope so...

4
5

Re: This should be covered by a different clause in the contract

That would make professional boxing a pretty boring career then wouldn't it?

9
0
Silver badge

Re: This should be covered by a different clause in the contract

"If a colleague of mine punches me in the face, that's assault whether or not her employment contract allows it. At least, I hope so..."

That's a specious analogy, but I'll still bite. If your colleague's contract allows hitting you in the face, it may be because you are both boxers, or doormen/bouncers at a training course, or involved in a military exercise e.g. SERE. In any of thes examples, she could hit you in the face and it would not be considered (criminal) assault.

And to add my $0.02 to the original discussion; the issue at stake here is whether he was technically, criminally guilty of acting without authorisation; not whether he was guilty of being an arse. It may well be that by the letter of his employment contract, he wasn't technically criminally guilty (because his employer didn't adequately specify what he was authorised to do and in what context), and therefore the prosecutors have brought the wrong charge and he should be exonerated. They may or may not then be in a position to bring a new charge, likely something to do with criminal interference in the running of a corporation, but that will be a different case.

Either way, there will be a lot of companies examining their sysadmin employment contracts to see if they are at risk. We as sysadmins should be doing the same.

19
0
Bronze badge

Re: This should be covered by a different clause in the contract

Your colleague may be employed as a boxer, with the purpose of punching fellow employees in the face to boost morale...

3
0

Re: This should be covered by a different clause in the contract

"Well, I could be pummeling you in my spare time."

1
0

Re: This should be covered by a different clause in the contract

The key point here is that it's a civil matter, and should never have been treated as a criminal matter. He was an employee, and he was authorized to have the access he used and to perform the actions he took. What he did was wrong, but does not rise the the minimum level of "criminal". I think he's quite right about that.

That doesn't mean he isn't liable for civil damages for taking actions that were maliciously-motivated and knowingly counter to the interests of his employer. Any employment contract or company policy should have covered those areas, and the standard of proof in a civil matter is "on the balance of probability".

The criminal conviction should go. The $130,000 fine should stay as civil damages.

3
1
Bronze badge

Re: This should be covered by a different clause in the contract

"Which would be a civil matter (breach of contract) and not a criminal matter."

Up to a point, except that the criminal matter centres on whether he was authorised to do those things. If he's not authorised, it becomes an informatic version of criminal damage (because of how the Computer Misuse Act and similar are interpreted), and therefore it's a criminal matter.

So if the thing about not doing things "intentionally to the detriment of the company" is classed by the courts as a form of dis-authorisation of what he did, then he wasn't authorised to do them and gets hit by the criminal damage thing. (And it's entirely possible that there isn't such a thing *explicitly* in his contract, and it's equally possible that the court will treat it as implied.)

2
0
Silver badge

Re: This should be covered by a different clause in the contract

"Which would be a civil matter (breach of contract) and not a criminal matter."

If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage.

If someone with access to the company's ledgers used that to gain money to which they were not entitled it would be fraud, a criminal offence.

There's nothing novel in the application of criminal law in a case like this.

2
0
Silver badge

Re: This should be covered by a different clause in the contract

"If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage."

Your analogy is only accurate if smashing things up with a hammer was considered part of the job description, and written as such into the employment contract; without adequately specifying when it was appropriate to smash and when not. In this case, the company would have a hard time prosecuting for criminal damage (they'd have to prove it wasn't simply negligent) - much like this guy's lawsuit is trying to prove.

This is the problem with analogies - they frequently omit critical elements of the case and lead to faulty conclusions.

0
1
Silver badge

Re: This should be covered by a different clause in the contract

Except that destruction of other people's property, in general, is covered by statute. The authorization must be to specifically destroy something, such as by being part of a wrecking crew under contract.

That's where the appellate panel can nail him. Where is his specific and immediate authorization to destroy most of the company's records at that time?

1
0
Silver badge

Re: This should be covered by a different clause in the contract

I suspect that's what the lawsuit will hinge on. Bear in mind it's simply not possible for a sysadmin to have specific, immediate authorization for every instance of destroying information - they spend a significant proportion of each day doing just that (dropping tables, overwriting old backups, revoking access, deleting database records and so on) - so a typical employment contract will contain a blanket authorization as part of regular day-to-day duties. Where this case differs is context not content, whether this context was provably malicious; and whether that in itself constitutes a criminal offense.

0
0
Anonymous Coward

Re: This should be covered by a different clause in the contract

Routine cleanup, yes, you can generally get a blanket exemption. But if it's significant, such as destroying a drive to ensure it's not skimmed, and so on, you usually have to sign off on it: for legal reasons, if nothing else.

0
0
Silver badge

Re: This should be covered by a different clause in the contract

Yes, but he wasn't physically destroying disks, was he? He was performing routine activities (database deletions etc) which in any other context would have been part of his job. Hence context, not the activity itself, is everything.

0
0

Re: This should be covered by a different clause in the contract

Unless you and your colleague are boxers...

0
0

On the other hand...

...they didn't actually treat him like shit. His buddy got hosed, but he was getting a little extra to do his job.

But back on the first hand he was a total d-bag.

4
3
Anonymous Coward

My God, what a hairball

I entirely disagree with what he did, but I must grudgingly admit that this defence is nothing short of genius as it will have implications either way.

I think I'm going to have to look at a few contracts now, just to check on the language.

/shakes head

16
3
Silver badge

Re: will have implications

yeah the implications being the law becomes more of an ass.

more pointless non productive paperwork is generated

more money goes to parasitic lawyers

6
2
Silver badge

Re: My God, what a hairball

Of course every contract ever written now needs to be examined for the "null hypothesis" (a favorite with statisticians.)

In a peashell, unless otherwise spelled out as part of the contract and attachments, amendments, and references; a contract about performance also needs to be a contract about non-performance. What are the actions that could be taken to be liable for non-performance.

Of course, this is ridiculous and can't be specified without an infinite roll of TP. For example, you can't take a dump while on company time if your dump gets in the way of a critical piece of work.

There is nothing to promote this line of questioning other than the visions of more money in some legals eyes.

1
0
Silver badge

Re: My God, what a hairball

"this defence is nothing short of genius"

Yes, but only as a means for the lawyers to extract another set of fees.

0
0

Easy fix

Add "don't be a twat" to contracts.

13
0
Joke

Re: Easy fix

*gropes own genitals*

Check.

15
1
Silver badge

Re: Easy fix

It should be part of the PHB's contracts as well.....

11
0
Trollface

Re: Easy fix

*gropes own genitals*

Check.

He didn't say "don't have a twat."

Or are you equating the ego with the equipment, and hence admitting that you're a dick?

19
2
Bronze badge
Pint

Re: Easy fix - A friend who consistently wants me to work for him.

I have told him in the spirit of our usual drinks sessions that I want the right to call him exactly that (or similar worded sentiments) if the situation warrants it written into my contract of employment.

2
0
Anonymous Coward

Re: Easy fix

does that apply to the boss too?

5
0
Silver badge

Re: Easy fix

re Add "don't be a twat" to contracts.

That is in fact , the most sensible and succinct suggestion in the comments so far...

4
0
Silver badge

Re: Easy fix

Wait, didn't a company use to have something similar as its motto?

7
0
Anonymous Coward

Re: Easy fix

does that apply to the boss too?

If you manage to do that in a respectful manner (as in a spirited design discussion and you have an actual point to make) I would actually cough gently (I favour reserving off-dictionary language for rare occasions) and let it go. People say things like that when they're truly passionate about something, and as that's what I'm after I shouldn't make a fuss about some predictable side effects.

In my view, being an egotistic pr*ck makes you a manager, not a leader and I do my level best to keep such people out of the business as they only create aggro. I rather have a slightly dimmer bulb that can take as well as give than some prissy hotshot who seems to think he or she is God's gift to the world but can't take criticism or a discussion of alternatives. They can give themselves to other companies for all I care. You get far more out of a team that works well together that from one my-way-or-the-highway high maintenance genius, also because those tend to be one-trick ponies.

Been there, done that and the T shirt is by now a rag..

7
0

Re: Easy fix

@Aladdin Sane

I think you're right. Can't remember who.

I'll just Google it

7
0
Silver badge

Re: Easy fix

Add "don't be a twat" to contracts.

But he's not arguing that he didn't breach his employment contract, he's arguing that he didn't break the law. Thankfully, breaking your employment contract is still not illegal.

7
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing