This man is obviously a psychotic
And although I hate to judge before all the facts are in, it's beginning to look like Mr Thomas exceeded his authority...
In a not particularly surprising decision, the Fifth Circuit Court of Appeals in New Orleans, USA, this week ruled that Michael Thomas, in his former role as IT operations manager for web hosting biz ClickMotive, was not authorized to trash company files and infrastructure as he claimed. Upset that a friend had been fired from …
Who the heck downvoted you?!
I quite agree, it's obvious this Thomas bloke was bonkers. I've got pee'd off at work when things didn't go my way but not for a single split second have I ever considered doing anything to damage a company's systems. It's simply unforgivable. Even as I've been redundant from various jobs I've always worked my hardest up to the last day to ensure I left the job knowing I gave my best, my conscience was clear when I walked out.
There's no excuse for any person to damage company property, physical or virtual. As an IT admin you have been given high level permissions and a high level of trust, at the very least behave like an adult and act responsibly to show you deserved that trust the company put in you.
I think at least some of these cases can be explained by a little rephrasing:
"There's no excuse for any employer to damage an employee's livelihood, either directly or in terms of agreed benefits. As an employer, you have been given a great deal of power and a high level of dedication, at the very least show a reciprocal degree of loyalty to show you deserved that trust the employees placed in you."
Years of treating people as "Human Resources" (i.e. objects to be exploited) causes some employees to adopt the same mindset. From this point of view, the employer is simply an ore-bearing seam that the employee mines to extract resources to further overall career objectives. Obviously, you don't deliberately collapse your own mine while it is profiting you, but once it's worked out, all bets are off. You don't show "loyalty" to a hole in the ground. It certainly isn't going to show any to you.
When I was made redundant I did consider creating a Windows Service program that would place app_offline.html on the internal web applications that I developed just to "disable" the apps at random intervals, but not damage the applications or data. Just enough to annoy the Hell Desk :)
The only fix they would need to do is delete the app_offline.html file.
Never went through with it though.
Nice to dream :)
"Even as I've been redundant from various jobs I've always worked my hardest up to the last day to ensure I left the job knowing I gave my best, my conscience was clear when I walked out."
Even if I object to Mr Thomas's actions, I wouldn't be glad either to provide lubricant lube for free before being fist fucked to the elbow... As Mr Kant said, "He who makes himself a worm cannot complain afterwards if he is trodden underfoot." A company treating me like a disposable item cannot expect the best from me.
Dunno about psychotic, but clearly guilty as hell of something. I question though, whether he's guilty as charged:
The CFAA criminalizes anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."
It is very clear to me that that law is specifically written to deal with malware. It would be really stretching things to say that typing "rm -r backups" into the command console is really 'transmission'.
"knowingly causes the transmission of a...command"
It's no stretch at all. Typing a command into a console session is exactly transmission of the command.
The legislation is not specific to malware. It explicitly includes the type of activity he engaged in. The basis of his attempted appeal was that the consent given by his employers to access their systems in the normal course of his duties extended to his acts of sabotage.
Common sense tells us that this is nonsense and his own admissions suggest that he understood that he did not have permission to do what he did.
If it had been the 9th circus court (San Francisco) he'd have succeeded in his appeal... because SOME of these activist judges [which infest the 9th circus court] would actually GO with something stupid like this.
(So yeah, I'm glad the appeal attempt failed)
Criminals are idiots, and APPARENTLY believe the rest of us are the same way. And it wouldn't be the first time someone with a criminal mindset would try to wrap the world around his finger and manipulate like that.
When I was in Jr. High there was this one THUG [a short kid with a mean attitude and 2 oversized 'not so smart' goons following him everywhere] had the school counselor MANIPULATED around his finger, because the school counselor was a touchy-feely-liberal of the 70's, who FELT everything (instead of thinking) and wanted to UNDERSTAND the thugs, and not EXPEL them. Predictable things followed, and that included the involvement of the police. [the cops fixed it]
"When I was in Jr. High there was this one THUG [a short kid with a mean attitude and 2 oversized 'not so smart' goons following him everywhere] had the school counselor MANIPULATED around his finger, because the school counselor was a touchy-feely-liberal of the 70's, who FELT everything (instead of thinking) and wanted to UNDERSTAND the thugs, and not EXPEL them. Predictable things followed, and that included the involvement of the police. [the cops fixed it]"
I think bringing this up here probably explains everything we've ever wondered about Bob.
>I think bringing this up here probably explains everything we've ever wondered about Bob.
I still want to know if Bob is the short kid or one of the thugs.
Maybe he was the counsellor and this event was what set the course of his Picklesish political arc
I have to agree with BOB here. There IS a very real threat from all of the loony left activist judges here in America. We ABSOLUTELY need more Trump appointees like Matthew Petersen. So what if he can't answer a few INSANE questions about law topics -- I couldn't answer those.
HIS opinions are shared by many others here too. Fill those POSTS quickly, Trump! Many Americans ARE counting on you to counter the DISGUSTING tide of liberalism!
It's simply not the role of judges (at any level) to inject their personal politics into their decisions. They are there to apply and interpret the law. They should be as close to "justice machines" as possible.
They should even resist the temptation to bend to public opinion and the mob.
at one point or another in my career. Deleted backups and reformatted drives. Disabled backup mechanisms. Not told users stuff behind the scenes was going horribly wrong. I don't think I've ever forwarded my boss' email without him knowing though.
All of that, however, was done incidentally to somewhat proper IT activities.
Same here!
This brings up a really big question. I've done all of these things. I think, even forwarding the boss's email somewhere else. All done legitimately, as part of doing my job.
Where does the line exist? Do I need to get written permission every time I delete a backup? Format a server? Change contact info with one of our cloud providers? Since I haven't been expressly given permission to do these things, am I breaking the law each time? It sort of opens a can of worms, doesn't it?
If that's in their job title and on a dev/test server fine. But if management actually wants you to trash a production server you need to leave.
But do you leave before or after doing the deed? What if a nice payoff/good reference/early retirement package was forthcoming?
It could well be that doing the right thing would make you seriously at risk of being unemployable for years after - not good for the low/middle ranking employee likely to carry the burden of whistleblower.
Seriously, I can think of at least one very high profile media co. case of comms related backups/archives containing potentially incriminating evidence being deleted wholesale, but even when there was evidence found to show this had been ordered by individuals at the highest level in the company to impede the workings of justice, no-one responsible for this instruction got done for the dirty deed. It was presented as housecleaning in line with a new retention policy.
It depends entirely on your intention, and what an impartial observer would think.
If you're really not sure, then you should really get some sort of arse covering paperwork signed off.
Thus if your job is entirely about security, then you probably don't need explicit permission for a pen test. If you're a general sys admin bod, then it's a good idea, but probably OK. If you're on the helldesk, then you definitely need explicit permission.
For a more "real world" example, if I went up to my neighbor's house* and broke the door down, then dragged the inhabitants out onto the street, then either I would be arrested, or reprimanded for being idiotic/brave. Mainly depending on how much smoke was coming out of the house at the time and whether I'd called the fire brigade first.
Public health announcement: smackheads and candles don't mix well.
*technically a sleepout, so an insulated shed
I don't think an impartial observer is a good idea, it's like asking Joe Schmo, so look at this brain surgeon performing this operation, so do you think they did a good job or a bad job? Joe Schmo can submit an opinion but that's just it, it's an opinion, he has no clue what it's like to actually do the job.
"Mainly depending on how much smoke was coming out of the house at the time and whether I'd called the fire brigade first."
I probably wouldn't call the brigade first.
1) I'd be yelling for others to call them.
2) Having recently had to dial 111 in an emergency, I was quite pissed off at the number of times the dispatcher verified my name and other details BEFORE getting onto the accident at hand. What could've been precious seconds were lost. The first thing the dispatcher should be doing is getting the address of the incident and the service(s) needed, then get more details. Fires can spread quickly and if you do intend to go in and rescue your neighbours, you don't want to be wasting 20 bloody minutes verifying the spelling of your own name for the umpteenth time.
3) Have been reprimanded for being idiotic/brave before. I'll do it again. If it appears to be the difference between life or death for someone and it's something I am confident I can do, I'll do it (eg when I am a strong swimmer I'll dive in to save someone else, if I am out of practice I'll look (quickly) for other options - no good me going into the water if I'll just need saving myself (of course, if it's an unconscious person I can at least get them upright and breathing while waiting for us both to be pulled out)).
IF change management is even implemented, also as far as most technical requests go, hi Mr manager who has no clue about anything IT related, is it OK for me to adjust the company's DNS records, I would like to adjust the MX records for another system, I also need to make some adjustments to our backup systems, it will make over 700% better use of space, it will save us a fortune in storage. Plus I really should take a look at the monitoring systems, I am likely to be getting a lot of alarms lately due to some backup related changes you approved, is it OK if I shut it down for a while? Oh, last thing, the VPN, it has not been patched for like years, I think this weekend is the perfect time to do it :-), oh sorry, one last thing, the documentation server, it seems out of date, would it be OK if I redo it for you, might take me a while, like say a few months, but don't worry, the company is worth it ;-).
Submitted as a request like this, worded correctly, your IT manager, normally some poor person from management, would most likely still sign off, not realising he just signed the death warrant for the network.
Problem solved, documentation (I was in the process of rewriting it when you arrested me, unfortunately now due to the stress of the arrest I won't be able to do it, it's a lot of work and I was going to start the documentation from the beginning to get it done just how the company likes, as in as much work as they can get for free while firing people), but the backups, oh yes, that's unfortunate, we had a lot of failures so I wiped it, I was meaning to rebuild that, but the cops showed up, and the VPN? Oh, I patched it, it didn't work, it's a shame I had already cleaned up the backups, I could really have done with them at that point, lucky I got permission from management, right? You subverted the email system, did I? I asked if I could make the changes to the MX records, the manager said I could.
Bottom line is treat people with respect and fairly and you won't get people going over the deep end like this in the first place.
"Where does the line exist?"
Intent.
To take an analogy, more or less every doctor in the world has killed someone. They've missed an obvious symptom, or prescribed the wrong treatment, or accidentally put the wrong dosage on a form. Your first kill is practically a rite of passage in medicine. However, this is clearly different from a doctor going out and shooting someone in the head.
The same applies here. I've deleted backups - hell, I've NEEDED to delete backups in order to maintain the overall health of a system in the past. And I was doing so precisely because it was what was required to fulfill my job role - I need to keep the system running, even if that means doing stuff which is not normally 'correct'. This guy, on the other hand, was acting to break the system. He was like a doctor on a shooting rampage. There's no way you could spin this as being done for the sake of the system's overall health.
"at one point or another in my career. Deleted backups and reformatted drives. Disabled backup mechanisms. Not told users stuff behind the scenes was going horribly wrong. I don't think I've ever forwarded my boss' email without him knowing though. All of that, however, was done incidentally to somewhat proper IT activities."
And there, you have the gist of Mr. Michael Thomas's idiotic appeal.
Yes, these are legitimate activities in properly maintaining the systems, but as the court pointed out, they are not legitimate activities when used to vandalise the systems he was supposed to be maintaining.
His argument was as farcical as a killer offing his victim with a hammer, then claiming that as a carpenter, it was part of his job to swing a hammer.
@DNTP
Well, wasn't that the whole thrust of his argument: that he actually had authority to perform each discrete action he did?
It's actually an interesting (to me) defence because it shines a light on the difference between the implied authority required for the tasks you need to perform and the implied responsibilities demanded by the outcomes you are hired to achieve.
Common sense dictates that of course what this person did was utterly wrong and that he should be punished but common sense and the law are not always in step so I was very interested to see how this turned out.
One concern I have, however, is the flip side of this - what if a sysadmin is fired and accused of destroying company property when they delete old backups that they believe are unnecessary in order to make space for new backups?
Again, common sense dictates that is not the same but how is that argued if such a case went to court?
Still, I just can't get in the mind of someone who would do something like this. Completely innocent people were likely severely impacted. This chap was annoyed that a reduction in IT staff would mean more work for him - did he feel sorry about all the extra stress and work and difficulties he was causing everyone else in the company?
I justify it to myself that I'm acting in good faith in the interests of my company, department, and users, and often that's actually my prime motive. Sometimes though it's just plain fun to get a new billing system in place and then put a bullet through the hard disk of our last (in 2015, for fuck's sake) WinXP PC.
I suppose in short, no, he didn't give a care in the world about all the people he would upset and inconvenience. On the flip side, neither did the company, as they throw away their employees like garbage, so kinda like pot calling the kettle black. Company doesn't care, doesn't listen to reason, eventually neither does the system admin. One might look at cause and effect, cause company treats people like crap, effect employee treats company like crap.
Never assume malevolence when incompetence is a valid scenario, and never assume incompetence when a bad day, fat fingers and tiredness can make everything go horribly wrong. Everybody makes mistakes from time to time.
However the mistake Michael Thomas made was being malevolent and being incompetent enough to get caught.
Now if he had:
a) Described his planned actions as a "Radical, agile, system-wide upgrade"
b) Given the plan a catchy title
c) Documented his intended changes and produced a three-bullet-point management summary
d) Got "Project Scorched Earth" signed off by his line manager (Before their unfortunate, fatal fall from the collapsing fire escape).
e) Engaged a highly paid consultant (also on the fire escape) to execute the plan
Then, assuming there were no meddling kids or a pesky dog nearby, he might just have got away with it.