back to article I was authorized to trash my employer's network, sysadmin tells court

Back in December 2011, Michael Thomas did what many sysadmins secretly dream of doing: he trashed his employer's network and left a note saying he quit. As well as deleting ClickMotive's backups and notification systems for network problems, he cut off people's VPN access and "tinkered" with the Texas company's email servers. …

  1. Oh Homer
    Angel

    "I wish for world peace"

    Everyone in the world disappears.

    The next wish is a 4000 page definition of what exactly "world peace" should entail.

    If this guy wins, expect your next contract to be like something written by Tolstoy.

    1. P. Lee

      Re: "I wish for world peace"

      >If this guy wins, expect your next contract to be like something written by Tolstoy.

      He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."

      More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."

      1. Anonymous Coward
        Anonymous Coward

        Re: "I wish for world peace"

        More likely, there will be clauses concerning the requirement to "ensure the continuity of corporate systems' functionality as required by the company for operational activities..."

        .. which is actually as it should be. In a normal business, IT is there to support the business in its objectives. Nuking the whole shebang strikes me as mildly conflicting with such an aim..

      2. DJSpuddyLizard

        Re: "I wish for world peace"

        He won't. We have juries to even out the edges and maintain the spirit of the law, which in the US is, "tough luck for the employees."

        Ahh.. but this is an Appeal - handled by the 5th circuit. So it will be heard by a judge (or panel of judges), who are only interested in the technicalities and legalities. There is no jury.

      3. Doctor Syntax Silver badge

        Re: "I wish for world peace"

        "He won't. We have juries to even out the edges and maintain the spirit of the law"

        This is an appeal. If the US system is anything like the UK it won't be heard by a jury. In fact, it's an argument on a point of law. It's up to the appeal court to decide if it makes sense.

    2. Adam 1

      Re: "I wish for world peace"

      Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."

      If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.

      Hope he loses. What an arse hat.

    3. Prst. V.Jeltz Silver badge

      Re: "I wish for world peace"

      Soldiers are "expressly authorised" to fire their rifles as well , but which direction makes a big difference

      1. Anonymous Coward
        Anonymous Coward

        Re: "I wish for world peace"

        > Soldiers are "expressly authorised" to fire their rifles as well , but which direction makes a big difference

        Actually they aren't. When deployed they are given rules of engagement which say what they can shoot and when.

        Typically they'll be phrased as allowing any use of force in self defence or defence of your unit.

        Example on wikipedia:- https://upload.wikimedia.org/wikipedia/commons/3/35/Operation_Provide_Relief.Rules_of_Engagement.jpg

    4. boatsman

      Re: "I wish for world peace" ---- of course, we all do, but not necessary

      this sys admin is not going to get away with his "damaging actions"

      because that is what counts here.

      We are all empowered to do things like updating and deleting and so on.

      We are NOT empowered to do that with harmfull intent.

      No authority given to any sysadmin (or cop, or pharmacist, or hairdresser (with the scissors...) was intended to allow anyone to do damage.

      period.

      this guy is going to cough up the 130K usd and his sentence will be upheld.

      1. werdsmith Silver badge

        Re: "I wish for world peace" ---- of course, we all do, but not necessary

        I wonder about the employment contract that a pilot signs before being left in control of a plane full of hundreds of people. Or the one that a surgeon signs before he or she is allowed to start cutting people open. There has to be a element of trust involved and when we are dealing with humans then there will always be a rare one who acts wrong, for whatever reason.

        I recall I once go caught out by the two separate ODBC drivers on a windows OS (32 bit and 64 bit) and having checked and double check that the ODBC was set up for the right database, I ran an update that changed an in-use production system through the other one, costing us all 3 hours of time to recover from backups. I felt really bad for a week or so after, and I could not imagine ever doing anything but my utmost to protect the systems.

        1. Sir Runcible Spoon
          WTF?

          Re: "I wish for world peace" ---- of course, we all do, but not necessary

          "We are all empowered to do things like updating and deleting and so on.

          We are NOT empowered to do that with harmfull intent."

          Hmm, what exactly is the difference?

          I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?

          1. Swarthy

            Re: "I wish for world peace" ---- of course, we all do, but not necessary

            Hanlon's Razor, or its corollary: "Sufficiently advanced stupidity is indistinguishable from malice".

          2. cosmogoblin

            Re: "I wish for world peace" ---- of course, we all do, but not necessary

            "how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?"

            Various methods - "reasonable doubt" and "a jury of your peers" spring to mind.

            1. Anonymous Coward
              Anonymous Coward

              Re: "I wish for world peace" ---- of course, we all do, but not necessary

              Various methods - "reasonable doubt" and "a jury of your peers" spring to mind.

              I doubt the jury of his peers will be suitably knowledgeable or experienced in IT, not that it matters per se in this instance whereby the rarity of common sense should suffice. However, it does raise the point of juries seldom being of your peers or suitably qualified - fraud trials spring to mind. That and "who is really free to perform jury duty these days without incurring undue hardship etc in a world of zero hour contracts?"

          3. Number6

            Re: "I wish for world peace" ---- of course, we all do, but not necessary

            I mean sure, this guy has admitted intent - but in the real world people make mistakes - how does a 3rd party tell the difference between a mistake and malicious intent sans a confession?

            Trump has expressed support for waterboarding.

      2. Anonymous Coward
        Anonymous Coward

        Re: "I wish for world peace" ---- of course, we all do, but not necessary

        this sys admin is not going to get away with his "damaging actions" because that is what counts here.

        No, there are two part to the law here - (1) Causing damage (2) Without Authorization.

        Reading his appeal, many of the actions performed would be those reasonably expected by a sysadmin troubleshooting a problem. Because the company had backups of the servers, was there are real "damage" done?

        Then, as mentioned in the appeal, there's the authorization aspect:

        according to the plain language of the statute, a computer user can only cause “damage without authorization” if he has “no rights, limited or otherwise,” to “impair” the “integrity or availability” of the data or system at issue.

        He had at least limited rights to impair integrity availability of data as a function of his job.

    5. amanfromMars 1 Silver badge

      Re: "I wish for world peace" @Oh Homer

      If this guy loses, he wins, Oh Homer, given the nature of the beast for taming ..... or shooting.

      And here's something to think on, over the weekend ....... "When you see that in order to produce, you need to obtain permission from men who produce nothing; when you see that money is flowing to those who deal not in goods, but in favors; when you see that men get rich more easily by graft than by work, and your laws no longer protect you against them, but protect them against you, you may know that your society is doomed." - Ayn Rand

      Do really smart folk need or read imprisoning contracts .... or are they the sub-prime vehicle of choice for dumb ignorant and sharp arrogant contractors?

    6. Steve the Cynic

      Re: "I wish for world peace"

      "Everyone in the world disappears."

      Ursula K Leguin had something to say about that in /The Lathe of Heaven/. The premise of that part of the book was more or less that (in the protagonist's view of things) humans can't function without conflict, so the only reason they wouldn't make war on each other was if they were making war on invading aliens.

      I'd have to say overall that the book shows her to have had a very grim view of human nature.

  2. Voland's right hand Silver badge
    Devil

    This should be covered by a different clause in the contract

    While he was authorized to carry any one of the actions separately, most contracts also include one or more clauses of general character which prohibit the employee from doing anything intentionally to the detriment of the company.

    In his specific case it may be possible that he has no such clauses. Employee No 2 in most companies ends up not having 2 miles of boilerplate legalese. It is quite possible that he had his duties spelled out, but the usual intent clauses where not there.

    If that is the case:

    1. His ex-employee is out of luck. There is no grounds for the usual unauthorized access charge.

    2. This does not change a thing. The contract for 99.999% of people out there covers this case within the first 2-3 clauses so even if the court decides in his favor it will not result in any significant contractual changes for the rest of us.

    1. Adam 52 Silver badge

      Re: This should be covered by a different clause in the contract

      "clauses of general character which prohibit the employee from doing anything intentionally to the detriment of the company."

      Which would be a civil matter (breach of contract) and not a criminal matter.

      1. Ken Hagan Gold badge

        Re: This should be covered by a different clause in the contract

        "a civil matter"

        I wouldn't be so sure. If a colleague of mine punches me in the face, that's assault whether or not her employment contract allows it. At least, I hope so...

        1. Dan White

          Re: This should be covered by a different clause in the contract

          That would make professional boxing a pretty boring career then wouldn't it?

        2. Lord Elpuss Silver badge

          Re: This should be covered by a different clause in the contract

          "If a colleague of mine punches me in the face, that's assault whether or not her employment contract allows it. At least, I hope so..."

          That's a specious analogy, but I'll still bite. If your colleague's contract allows hitting you in the face, it may be because you are both boxers, or doormen/bouncers at a training course, or involved in a military exercise e.g. SERE. In any of thes examples, she could hit you in the face and it would not be considered (criminal) assault.

          And to add my $0.02 to the original discussion; the issue at stake here is whether he was technically, criminally guilty of acting without authorisation; not whether he was guilty of being an arse. It may well be that by the letter of his employment contract, he wasn't technically criminally guilty (because his employer didn't adequately specify what he was authorised to do and in what context), and therefore the prosecutors have brought the wrong charge and he should be exonerated. They may or may not then be in a position to bring a new charge, likely something to do with criminal interference in the running of a corporation, but that will be a different case.

          Either way, there will be a lot of companies examining their sysadmin employment contracts to see if they are at risk. We as sysadmins should be doing the same.

        3. herman

          Re: This should be covered by a different clause in the contract

          Your colleague may be employed as a boxer, with the purpose of punching fellow employees in the face to boost morale...

          1. Bandikoto

            Re: This should be covered by a different clause in the contract

            "Well, I could be pummeling you in my spare time."

        4. Eduard Coli

          Re: This should be covered by a different clause in the contract

          Unless you and your colleague are boxers...

      2. Steve the Cynic

        Re: This should be covered by a different clause in the contract

        "Which would be a civil matter (breach of contract) and not a criminal matter."

        Up to a point, except that the criminal matter centres on whether he was authorised to do those things. If he's not authorised, it becomes an informatic version of criminal damage (because of how the Computer Misuse Act and similar are interpreted), and therefore it's a criminal matter.

        So if the thing about not doing things "intentionally to the detriment of the company" is classed by the courts as a form of dis-authorisation of what he did, then he wasn't authorised to do them and gets hit by the criminal damage thing. (And it's entirely possible that there isn't such a thing *explicitly* in his contract, and it's equally possible that the court will treat it as implied.)

      3. Doctor Syntax Silver badge

        Re: This should be covered by a different clause in the contract

        "Which would be a civil matter (breach of contract) and not a criminal matter."

        If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage.

        If someone with access to the company's ledgers used that to gain money to which they were not entitled it would be fraud, a criminal offence.

        There's nothing novel in the application of criminal law in a case like this.

        1. Lord Elpuss Silver badge

          Re: This should be covered by a different clause in the contract

          "If someone were provided with a key to the business's premises (authorised access) and used that to let them in out of hours and then smashed the place up with a hammer it would be prosecuted as criminal damage."

          Your analogy is only accurate if smashing things up with a hammer was considered part of the job description, and written as such into the employment contract; without adequately specifying when it was appropriate to smash and when not. In this case, the company would have a hard time prosecuting for criminal damage (they'd have to prove it wasn't simply negligent) - much like this guy's lawsuit is trying to prove.

          This is the problem with analogies - they frequently omit critical elements of the case and lead to faulty conclusions.

          1. Charles 9

            Re: This should be covered by a different clause in the contract

            Except that destruction of other people's property, in general, is covered by statute. The authorization must be to specifically destroy something, such as by being part of a wrecking crew under contract.

            That's where the appellate panel can nail him. Where is his specific and immediate authorization to destroy most of the company's records at that time?

            1. Lord Elpuss Silver badge

              Re: This should be covered by a different clause in the contract

              I suspect that's what the lawsuit will hinge on. Bear in mind it's simply not possible for a sysadmin to have specific, immediate authorization for every instance of destroying information - they spend a significant proportion of each day doing just that (dropping tables, overwriting old backups, revoking access, deleting database records and so on) - so a typical employment contract will contain a blanket authorization as part of regular day-to-day duties. Where this case differs is context not content, whether this context was provably malicious; and whether that in itself constitutes a criminal offense.

              1. Anonymous Coward
                Anonymous Coward

                Re: This should be covered by a different clause in the contract

                Routine cleanup, yes, you can generally get a blanket exemption. But if it's significant, such as destroying a drive to ensure it's not skimmed, and so on, you usually have to sign off on it: for legal reasons, if nothing else.

                1. Lord Elpuss Silver badge

                  Re: This should be covered by a different clause in the contract

                  Yes, but he wasn't physically destroying disks, was he? He was performing routine activities (database deletions etc) which in any other context would have been part of his job. Hence context, not the activity itself, is everything.

    2. AJames

      Re: This should be covered by a different clause in the contract

      The key point here is that it's a civil matter, and should never have been treated as a criminal matter. He was an employee, and he was authorized to have the access he used and to perform the actions he took. What he did was wrong, but does not rise the the minimum level of "criminal". I think he's quite right about that.

      That doesn't mean he isn't liable for civil damages for taking actions that were maliciously-motivated and knowingly counter to the interests of his employer. Any employment contract or company policy should have covered those areas, and the standard of proof in a civil matter is "on the balance of probability".

      The criminal conviction should go. The $130,000 fine should stay as civil damages.

  3. Cris E

    On the other hand...

    ...they didn't actually treat him like shit. His buddy got hosed, but he was getting a little extra to do his job.

    But back on the first hand he was a total d-bag.

  4. Anonymous Coward
    Anonymous Coward

    My God, what a hairball

    I entirely disagree with what he did, but I must grudgingly admit that this defence is nothing short of genius as it will have implications either way.

    I think I'm going to have to look at a few contracts now, just to check on the language.

    /shakes head

    1. Prst. V.Jeltz Silver badge

      Re: will have implications

      yeah the implications being the law becomes more of an ass.

      more pointless non productive paperwork is generated

      more money goes to parasitic lawyers

    2. elDog

      Re: My God, what a hairball

      Of course every contract ever written now needs to be examined for the "null hypothesis" (a favorite with statisticians.)

      In a peashell, unless otherwise spelled out as part of the contract and attachments, amendments, and references; a contract about performance also needs to be a contract about non-performance. What are the actions that could be taken to be liable for non-performance.

      Of course, this is ridiculous and can't be specified without an infinite roll of TP. For example, you can't take a dump while on company time if your dump gets in the way of a critical piece of work.

      There is nothing to promote this line of questioning other than the visions of more money in some legals eyes.

    3. Doctor Syntax Silver badge

      Re: My God, what a hairball

      "this defence is nothing short of genius"

      Yes, but only as a means for the lawyers to extract another set of fees.

  5. Andy Tunnah

    Easy fix

    Add "don't be a twat" to contracts.

    1. InfiniteApathy
      Joke

      Re: Easy fix

      *gropes own genitals*

      Check.

      1. Steve Knox
        Trollface

        Re: Easy fix

        *gropes own genitals*

        Check.

        He didn't say "don't have a twat."

        Or are you equating the ego with the equipment, and hence admitting that you're a dick?

    2. Mark 85

      Re: Easy fix

      It should be part of the PHB's contracts as well.....

    3. Mark York 3 Silver badge
      Pint

      Re: Easy fix - A friend who consistently wants me to work for him.

      I have told him in the spirit of our usual drinks sessions that I want the right to call him exactly that (or similar worded sentiments) if the situation warrants it written into my contract of employment.

    4. Anonymous Coward
      Anonymous Coward

      Re: Easy fix

      does that apply to the boss too?

      1. Anonymous Coward
        Anonymous Coward

        Re: Easy fix

        does that apply to the boss too?

        If you manage to do that in a respectful manner (as in a spirited design discussion and you have an actual point to make) I would actually cough gently (I favour reserving off-dictionary language for rare occasions) and let it go. People say things like that when they're truly passionate about something, and as that's what I'm after I shouldn't make a fuss about some predictable side effects.

        In my view, being an egotistic pr*ck makes you a manager, not a leader and I do my level best to keep such people out of the business as they only create aggro. I rather have a slightly dimmer bulb that can take as well as give than some prissy hotshot who seems to think he or she is God's gift to the world but can't take criticism or a discussion of alternatives. They can give themselves to other companies for all I care. You get far more out of a team that works well together that from one my-way-or-the-highway high maintenance genius, also because those tend to be one-trick ponies.

        Been there, done that and the T shirt is by now a rag..

    5. Prst. V.Jeltz Silver badge

      Re: Easy fix

      re Add "don't be a twat" to contracts.

      That is in fact , the most sensible and succinct suggestion in the comments so far...

      1. Aladdin Sane

        Re: Easy fix

        Wait, didn't a company use to have something similar as its motto?

        1. Locky

          Re: Easy fix

          @Aladdin Sane

          I think you're right. Can't remember who.

          I'll just Google it

    6. Tom 38

      Re: Easy fix

      Add "don't be a twat" to contracts.

      But he's not arguing that he didn't breach his employment contract, he's arguing that he didn't break the law. Thankfully, breaking your employment contract is still not illegal.

  6. Ellier

    This will impact others as well

    I've worked a variety of different jobs, some IT, as well as other job titles and every time I've needed to do something that would have far reaching implications, I have always asked someone higher up. Those questions have had a mix of reactions ranging from "Glad you asked first" to "I thought you were a self starter". The lack of clear policy is the issue here and it varies from company to company.

    1. Anonymous Coward
      Anonymous Coward

      Re: This will impact others as well

      The lack of a clear policy to not hose the company? I very much doubt you required any guidance on that.

      1. Anonymous Coward
        Anonymous Coward

        Re: This will impact others as well

        "The lack of a clear policy to not hose the company?"

        Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably. Should they be arrested? No. Does the company need to spell out a "don't hose us" policy? No, they can, but what will it mean?

        If this guy trashed the systems, and stuck around without leaving a note, he would be a-okay according to the law, yet we get the same result; company network is offline. If there's a policy in place against this, then the most they could do is just fire the guy, unless you're Oracle then you can back-charge him for some made up access/stipulation hidden in the contract. Apparently.

        1. Anonymous Coward
          Anonymous Coward

          Re: This will impact others as well

          Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably.

          Why? Any sysadmin who hasn't made that mistake is in my opinion not allowed near anything critical until they have. Nothing is as educational as a near catastrophic mistake and (assuming the person is otherwise properly competent) at that point you end up with someone who will think twice before doing that again.

          Unless, of course, you're the kind who looks for a scape goat and is willing to do that again when the next one makes that mistake - at that point it's still you who recruited TWO idiots instead of one, so take your pick. Sacking is easy. Helping your staff be good at their job is harder, but IMHO a tad more rewarding (sorry to be off-norm here :) ).

        2. IsJustabloke
          Meh

          Re: This will impact others as well

          "Ahh, yes, but consider the innocent, yet crappy admin who accidentally nukes the entire storage with a misplaced wildcard. Clearly not a criminal act. Should they be fired? Probably. Should they be arrested? No. Does the company need to spell out a "don't hose us" policy? No, they can, but what will it mean?"

          You're right, a single mistake shouldn't result in an arrest but what about when said innocent mistake is followed by several other "innocent mistakes" on unrelated systems? I'd say that was indicative of intent.

          if (when !) I make mistakes of any magnitude, the very next thing I do is try and get it sorted, I don't put it to one side and go work on a different system.

        3. Doctor Syntax Silver badge

          Re: This will impact others as well

          "If this guy trashed the systems, and stuck around without leaving a note, he would be a-okay according to the law"

          I doubt it. As described, it wasn't a single action but a wide-spread trashing of various parts of the infrastructure. It makes it very difficult to believe anything other than intent. To take an analogy, if you damage one piece of kit it might be possible to argue percussive maintenance gone wrong but if you take a sledge hammer to the whole production line it's going to be criminal damage.

      2. Ellier

        Re: This will impact others as well

        It is certainly unethical, but whether or not it is illegal is what is questioned here. Companies spend a lot of money on lawyers for a variety of reasons, why not spend the money to ensure there is a clause prohibiting malicious activity.

        1. Ian Michael Gumby
          Boffin

          @Ellier ... Re: This will impact others as well

          Unethical , heck yes 1000%.

          Illegal? Yes.

          While he has complete access as the admin, were the actions he took consistent with him performing his duties as an admin?

          sudo su -

          cd /

          rm -rf *

          3 simple lines that will hose any Unix/Linux system. (Kiddies do not try this at home)

          As the admin, knowing that this will cause harm is what makes this illegal.

          There's more to it, but the rogue employee had mens rea (guilty mind) which he doesn't deny.

          Start there and you'll find his actions to be criminal.

          1. Yet Another Anonymous coward Silver badge

            Re: @Ellier ... This will impact others as well

            Here it wouldn't be because sysadmin isn't a professional designation.

            If he was an engineer and did this he would be guilty of professional negligence. But as a mere nuclear physicist I'm not considered a professional so anything I do that happens to leave a crater is considered just a D'oh moment.

            1. Ian Michael Gumby
              Boffin

              Yo! Coward... Re: @Ellier ... This will impact others as well

              It doesn't matter if you consider it a professional designation or not.

              If your job description says 'system administrator' then you need to know something about being a system administrator. So you should know that typing rm -rf * while at the root directory is a no no.

              That's part of it.

              The other part is a question of intent. Knowing your command could cause harm is part of the issue. Intentionally wanting to commit harm is the other part. As you said, you are a nuke guy and you accidentally typed your command in the wrong window. Ooops! No intent.

              Being the admin, shutting down the back ups, locking others out... and then deleting the files? You have intent to do harm.

              You need both and with respect to this case... they have it.

          2. Oengus

            Re: @Ellier ... This will impact others as well

            Actually had this happen on one system I was working with. Another Admin "forgot" where he was and typed the command only to realise a fraction of a second after he hit enter that he had forgotten to chdir to the trash folder he meant to clear.

            Thankfully the backups from the previous night were intact.

            1. Joe Harrison

              Re: @Ellier ... This will impact others as well

              only to realise a fraction of a second after he hit enter

              The technical term for that fraction of a second is an "ohnosecond".

            2. Ian Michael Gumby

              @ Oengus ... Re: @Ellier ... This will impact others as well

              Oh yeah, I've seen smart people accidentally delete directories and do stupid things. That's why we have backups.

              But there's no intent on their part. It was an accident.

          3. seraphim

            Re: @Ellier ... This will impact others as well

            "Mens rea" is not in itself a crime. You can intend to be a total dick, intend to be nasty, intend to be any number of things. You have a guilty mind. But in order to commit a crime, you also must have broken the law as it is written. Not as it maybe SHOULD have been written, but whoever wrote it probably didn't have this scenario in mind. It's one of those weird edge cases.

            If there is a loophole in the law as it currently stands, you're off the hook. If it needs fixing, that's up to the legislature to do, but they can't do it retroactively. If your act was, by the wording and letter of the law, legal at the moment you did it, then it was legal period. Regardless of your intentions.

            And really, it could be solved by some simple wording in the employment agreement or contract. "Network users and administrators are not permitted to undertake malicious actions with the intent of damaging or disrupting the network or any device or data stored on it without the express permission of (insert here) or higher." There you go, now they're clearly not authorized to do it and you've closed the loophole.

            1. Ian Michael Gumby
              Boffin

              Re: @Ellier ... This will impact others as well

              Mens rea is 'guilty mind' which means that you knew what you were doing and you knew it was wrong.

              It goes to show intent.

              There is no loophole in the law as written. The appeal will fall flat. He's looking for a loophole where none exists.

              To really drive the point home... Imagine if you worked in a liquor store and had the keys to the place because you sometimes closed up at night. Now imagine one night, you decide to drive up, use your keys to gain access and then take a case of booze. Using the logic of the appeal, you claim you didn't break the law because you had the keys to the place as part of your job, and you routinely stock the shelves so you had the right to handle the booze.

              That's the logic. Or rather you let yourself in, and destroyed a couple of cases of booze sitting on the shelf and claimed that you didn't break and enter because you used your keys that were given to you so you could access the store.

              The git doesn't have a case and the extra wording isn't required in the contract. While IANAL, I've written and negotiated many SOWs which are contracts based on an MSA which I too have had to read, edit and sign.

            2. Pompous Git Silver badge

              Re: @Ellier ... This will impact others as well

              If it needs fixing, that's up to the legislature to do, but they can't do it retroactively. If your act was, by the wording and letter of the law, legal at the moment you did it, then it was legal period. Regardless of your intentions.

              Dunno about UK and USA, but in Australia that is incorrect.

              Is it possible to break a law that has not yet been made?

              In Australia the answer is yes.

              Both State and Federal Parliaments have the power to create retrospective legislation: laws that are made ex post facto – after the fact – so that they apply to events in the past.

              Retrospective Legislation and the Rule of Law

              1. Charles 9

                Re: @Ellier ... This will impact others as well

                Retrospective laws are specifically prohibited in the United States Constitution under Article I, Section 9 (which lists the kinds of laws Congress CANNOT pass, among them, "ex post facto" laws). To quote the relevant sentence: "No Bill of Attainder or ex post facto Law shall be passed."

                1. Pompous Git Silver badge

                  @Charles 9 [was Re: @Ellier ... This will impact others as well]

                  Thanks. That was my recollection but I'm learning just how unreliable a 65 year old brain can be. I believe that something of that nature was written into the first draft of the Australian Constitution, but was excised later.

          4. Peter Gathercole Silver badge

            rm -fr @IMG

            I used to run HPC clusters where doing this on the compute nodes would not have been quite as catastrophic as on a normal system. They would probably have rebooted OK.

            The reason for this is that / was always copied into a RAMfs on boot from a read-only copy, /usr was a read-only mount and most of what would normally be other filesystems were just directories in / and /usr. It's true that /var would have been trashed, and any of the data filesystems if they were mounted would also have gone, but the system would have rebooted!

            On a related note, when the clusters were decommissioned, I was the primary person responsible at all stages of the systematic, documented and verified destruction of the HPC clusters. It ranged from the filesystems, through to the deconstruction of the RAID devices and scrubbing of all of the disks (about 4000 of them), the destruction of the network configuration and routing information, deleting all of the read-only copies of the diskless root and usr filesystems, even as far as the scrub of the HMCs disks (it's interesting, they run Linux, and it was possible to run scrub against the OS disk of the last HMC [it was jailbroken], while the HMC was still running!)

            The complete deconstruction, from working HPC systems to them being driven away from the loading bay took 6 (very long) working days, and finished with a day's contingency remaining in the timetable.

            So I am one of a relatively small number of people who can claim that they've deliberately, and with complete authorization, destroyed two of the top 200 HPC systems of their time!

            I had real mixed feelings. It was empowering to be able to do such a thing, and upsetting, because keeping them running was almost my complete working life for four years or so.

            1. Ian Michael Gumby

              @Peter ... Re: rm -fr @IMG

              I know. I was trying to give a simple example.

              As to decommissioning a server farm / cluster... Its a lot more fun when you have to shred your drives and sign a document to that effect because no drives are allowed to leave the DC. ;-)

              1. Peter Gathercole Silver badge

                Re: @Peter ... rm -fr @IMG

                Normally that site I was talking about has a shred policy, but they gave an exemption because we were able to prove to the satisfaction of the security team that once the disks in the RAID sets were scrubbed, juggled, per-disk scrubbed and the RAID configuration and disk layout mapping completely destroyed, that there was effectively no way of re-constructing the Reed-Solomon encoding (no data on any of these RAID disks was actually stored plain, it's all hashed).

                And actually, the grading of the data was no higher than Restricted even by aggregation, and the vast majority was much lower or unclassified (intermediate computational results that would mean nothing to anybody outside the field, and not much to those in it), so sign off was granted.

                Also, the cost of shredding 4000 or so disks was considered exorbitant, and would probably have taken more time than the rest of the decommissioning.

          5. Voland's right hand Silver badge

            Re: @Ellier ... This will impact others as well

            rm -rf *

            If you have been a sysadmin as long as I have you would have done it at least once. Failing that you would have done the even more unpleasant chown -R X:X / or chmod -R 0xxx /. Either that or doing chown or chmod recursively on . being in the wrong directory.

            Of course I know it will cause harm. You still sometimes do it even after 20 years of experience (I re-read my command lines at least 3 times if I use the -r (or -R) flags).

            Start there and you'll find his actions to be criminal Even if we do so, it is criminal damage which funnily enough in USA (and many other jurisdictions) attracts an order of magnitude smaller penalty than unauthorized computer access.

            1. Ian Michael Gumby
              Boffin

              @Voland ... Re: @Ellier ... This will impact others as well

              Yeah, we've all done it. Especially after a 36 hour marathon session to save a massive update build that went wrong because someone checked in some old code with their new mods.

              Doing it as an accident is one thing.

              Doing it intentionally to cause harm is another.

              That's the thing.

              Take a look at his actions.

              Knowing it was wrong and doing it to cause harm is what makes it a criminal act.

              There is more to this... there's the criminal aspect and then there is civil aspects in terms of the law. The company could sue him for damages too.

              His argument is that he had access to the systems for work therefore he's not guilty of criminal trespass.

              It doesn't work that way. In an earlier example I talked about a store clerk who had the keys to close up shop, coming back later and letting himself in to steal some alcohol. He's still guilty of trespassing.

  7. elf25s

    ok its all about the timing...when did he resigned and when exactly his resignation was found.

    if he had done it before his resignation was found he would not be found guilty if after it was found he would be nailed to the wall.

    1. Phil W

      When it was found isn't particularly relevant, unless his letter said something bizarre like "I tender my resignation effective as soon as you tell me you've read this" he should really consider it effective from when he left it on the desk and left the building.

    2. Ian Michael Gumby
      Boffin

      @Elf ... no, timing doesn't matter.

      The issue is showing intent and mens rea.

      Did he know what he was doing?

      Did he know what he was doing was wrong and would cause his employer harm.

      The acts were intentional,

      He knew what he was doing would cause harm.

      He knew what he was doing was wrong.

      He also had motive in wanting to help his friend who was suing for wrongful termination.

      He will lose his appeal.

      IMHO, he had two choices.

      1) Resign and walk away citing issues.

      2) Stay, and do his job. Of course when it came time to be deposed, he could spill his guts about the bonus to take over his friend's job. There's more, and the point is he could have helped his friend by being ethical and above board at all times.

  8. Anonymous Coward
    Anonymous Coward

    Seems like a good example of why juries are a good thing - the guy quite obviously is guilty of what the law was intended to punish, and they acted accordingly.

    1. Adam 52 Silver badge

      I don't think it's that clear cut. The law was "obviously" intended to catch crackers etc. not people with legitimate access.

    2. Ken Hagan Gold badge

      I don't think juries have the role that you imply. Their job is to decide which of the evidence is reliable. The judge's job is to decide what's legal. The court proceedings are steered by the judge to the evidence that relates to actual illegal stuff, then they decide whether they believe it. There have been cases where juries take the law into their own hands (https://en.wikipedia.org/wiki/Jury_nullification) but these are sufficiently rare that legal scholars get exercised over it.

      1. Mahhn

        having done Jury duty several times, it is explained to the Jury that we have the ability to decide anything. The judge is more the referee and has say over the sentence of the crimes that the Jury finds people guilty of. As an example: If a person is shot dead by another, no matter what the actual charge is- the Jury can rule it- an accident, self defense, murder (first, second or third degree) or even dismiss the charges. This is why a Jury is preferred over a judge when there are extenuating circumstances.

        1. Doctor Syntax Silver badge

          "the Jury can rule it- an accident, self defense, murder (first, second or third degree)"

          Nevertheless, the judge should have explained to the Jury what all these terms mean and what they need to believe about the evidence in order to arrive at one of them. Actually only a coroner's jury would need to arrive at one of the first two decisions, in a criminal trial it would simply be "not guilty".

      2. Doctor Syntax Silver badge

        "There have been cases where juries take the law into their own hands ...but these are sufficiently rare that legal scholars get exercised over it."

        Unless it was in a court west of the Bann.

  9. Black Rat
    Facepalm

    Revenge is dish best served remotely, ideally from a self erasing bash script on the bosses laptop.

  10. Anonymous Coward
    Anonymous Coward

    Considering all the fires he'd been putting out, it sounds like the company would've been dead in the water if he had simply quit. Which would also imply that he didn't do any real damage.

  11. Anonymous Coward
    Anonymous Coward

    They deserve each other

    The larger case aside which is a nightmare.... Serial entrepreneur used to cynically sh1tcanning staff before IPO / asset flipping takes it in the nads?

    Sorry, but moral ethics have failed on both sides here... Not advocating anything, just saying .......... Karma is a bitch!

  12. gnasher729 Silver badge

    There are two different things here: Computer hacking, and causing criminal damage.

    There was a case a few months ago, where a store employee handled a computer to sell lottery tickets: Customer hands over cash, she tells the computer how many tickets to print, takes the cash, hands over the tickets. This employee was caught printing about 1,000 lottery tickets a week for herself and not paying. A judge said that she was authorized to use that computer, so there was no computer hacking involved. But of course it was theft of the tickets.

    Something similar will be the case here. That admin was indeed authorized to delete backups etc., so no computer hacking. But he caused a huge amount of damage by his authorized computer access, and will be responsible for that. Just the same as if he had taken a sledge hammer and destroyed the servers and physically destroyed the backup drives. Tons of damage, but no computer hacking.

    (Obviously only true before he resigned. At the moment he resigned the authorization would have been gone).

    1. Old Handle

      This was pretty much my thought. I think he has a good point, it was not unauthorized access (or hacking in common parlance) but that doesn't mean he couldn't be guilty of some other crime.

      1. Jamie Jones Silver badge

        Surely intentional damage is criminal whether you have authorisation to be there or not?

        In my last job, my keycard gave me authorised access to the whole building 24/7.

        Forget the obvious machine rooms, what if I'd decided to smash up the bogs, and spray graffiti on the walls? I'm sure I'd have been done for criminal damage despite having permission to be there.

        And no-where on my contract did they have the "don't vandalise the bogs" clause.

        IANAL etc.

    2. Salamamba

      inn this country the wording for criminal damage is "permanently deprive". as there were still existing on-site back-ups, which he would have known about, this could be classed as "non-permanent damage" which is less likely to count as a criminal matter.

      1. Swarthy

        inn this country the wording for criminal damage is "permanently deprive". as there were still existing on-site back-ups, which he would have known about, this could be classed as "non-permanent damage" which is less likely to count as a criminal matter.
        Charge him with vandalism?

      2. Charles 9

        Time can never be recovered so loss of time is always permanent. That's why even temporary damage can be charged.

        1. Anonymous Coward
          Anonymous Coward

          You mean, like... a tax on time is a crime? That would open up a YUGE pandora's box for the government.

  13. goldcd

    What interests me

    is the "authorization" bit, if you took this and ran with it within a broader scope of roles within a company.

    The techy person "deleting stuff" is pretty cut and dry, "they pressed a button and it went".

    But as he's arguing he was authorized to do this.

    Lots of other people are "authorized" by their employer to do all manner of potentially detrimental stuff. Terminating a contract here, signing up something nobody will able to deliver for a bonus there - and this may get you fired, but is extremely unlikely to get you brought up on criminal charges.

    I guess my point is that it's relatively easy to do something harmful, that you're notionally allowed to do - but this does open up an entire new level of repercussion.

    1. Sykowasp

      Re: What interests me

      I guess that is what he is aiming for. His argument:

      - What he did was not a criminal offence. He had authorization to access the systems. Therefore the law was misapplied.

      - What he did was likely a breach of contract, a civil matter.

      I don't rate it a strong hand, but if his lawyer thinks it is a loophole in the law, then maybe it'll stick.

      If he wins I don't know what he'll be able to do regarding the 3 years in jail already served. I guess the fine would be repaid (if he has paid any of it), and then I guess he would have to file suit against either the police or the ex-employer, or both, to get restitution.

      1. Yet Another Anonymous coward Silver badge

        Re: What interests me

        So if you were eg. CEO of a formerly great computer and engineering company and then ran it into the ground, fired all the good staff, split it into competing divisions, wasted $Bn on buying crap data analytics companies , etc

        - would you be arrested for criminal damage or given a multi $MM severance package ?

        1. Frank N. Stein

          Re: What interests me

          No. A CEO would be fired and receive a Golden Parachute to cushion the blow. Apples an Oranges. This bloke was an IT Drone. Those of us who are IT Drones know full well that we are not treated like CEOs (or CIO's, for that matter).

        2. Triggerfish

          Re: What interests me

          So if you were eg. CEO of a formerly great computer and engineering company and then ran it into the ground, fired all the good staff, split it into competing divisions, wasted $Bn on buying crap data analytics companies , etc

          - would you be arrested for criminal damage or given a multi $MM severance package ?

          Oh I'd go for raping the pension pot as well and getting a knighthood.

  14. Phil W

    Resigned to his guilt

    I think the crucial part is not the actions he took during his time in work, even on his last visit to the office, you could perhaps accept the argument depending on the exact terms of employment that he did nothing "criminal" there, just a load of stuff that would be grounds for dismissal or perhaps a civil lawsuit.

    The important part really is what he did remotely after he resigned. If you leave your keys and a resignation letter on the desk and walk about, you are effectively stating that you are no longer accepting employment and absenting yourself of any authorisation to perform activities withing the company you may previously have been given. Therefore from the moment you do that you can no longer try and use such authorisation as a defence for malicious actions like this. Accessing the systems remotely arguably becomes illegal, and any destructive action you take is criminal damage.

  15. Jonski

    Bang whack bang

    Panelbeaters are authorised to hit cars with hammers. I don't think this means they can pummel cars to pieces.

    Sysadmins are authorised to maintain and administer IT systems. While deleting files and systems is a function of sysadmins, it's not the raison d'etre.

    1. Richard 12 Silver badge

      Re: Bang whack bang

      Yet is it criminal if they do?

      Or is it merely a civil matter, where they have breached their contract?

      That's the argument.

      Would you expect the police to arrest a panel beater who broke your windscreen, or would you expect them to pay to replace the windscreen, and pay you appropriate compensation for the extra time your car was unusable?

      1. Ken Hagan Gold badge

        Re: Bang whack bang

        If they did it deliberately, its criminal and I'd expect police involvement. If it was an accident that occurred in the course of work that I'd asked them to do, I'd expect compensation (and I'd assume that they either had insurance to cover that sort of thing or a cash pile).

        Likewise, if a surgeon kills me.

  16. BlackKnight(markb)

    even a basic Change managment policy effectively negates his arguement (doesnt sound like one existed here). as he would have undertaken an unapproved change and thus unauthorised access to the system.

    of course. it would be possible for someone to game a basic change system depending on the culture and get "approval" for this "work" which would be amusing to then see argued in court that it was unauthorised.

  17. John Smith 19 Gold badge
    Unhappy

    Genius defense if it holds up.

    Yes turns out being a BOFH IRL has fairly serious consequences.

    The back story here is that looks like an IT company with no actual IT capabilities.

    IOW it's a sales operation for what sound like a bunch of fast talking sales types, with this guy (and his predecessor) doing the real work and who stabbed his mate in the back to avoid dividing up the spoils when the business is sold on, and thought they could buy him off with a bit of a raise.

    Whey you behave like that as an employer you'd better be pretty sure the guy whose taking over actually likes and trusts you.

    I wonder if anyone would buy this company now that they realize it's basically a shell, with no actually in house IT skills?

  18. phuzz Silver badge
    Devil

    It would have been different if he'd done something plausibly deniable, eg enabling verbose logging on a server and "forgetting" to set up automatic log rotation.

    So that's the question, what would you do to get revenge that would look at worse like a simple mistake?

    1. Justicesays
      Trollface

      Apparently,

      Don't do any disaster recovery testing, backup testing, backup scoping but just report that everything is fine with the backups to your lackadaisical management.

      Then don't upgrade the firmware on your HP array, wait until a failure happens, have the whole thing totalled when the parts are replaced, and then discover you have no recoverable backups.

      Seems to be classified as "Accidental" elsewhere.

      1. Ken Hagan Gold badge

        "Don't do any ..."

        Pah! Amateurs! If you're a pro, you do these things in secret because you can't predict when the failure will happen. It might be a moment when you don't want to trash the company, in which case you can quietly repair the damage and carry on. You only let the failure be irreparable if it happens at a time when you are disgruntled.

        1. Sir Runcible Spoon

          " You only let the failure be irreparable if it happens at a time when you are disgruntled."

          Quite. I don't need to do harm to anyone else I work with if they repeatedly manage to piss me off - I just 'withdraw my support'. Without it they usually end up getting into a scrape, and without support they're toast (I should add that once others know my support has been withdrawn from a particular person they tend to look at that persons actions a lot more closely too - kind of a canary thing).

          I don't do this lightly either, I'm not a total dick :)

      2. Huw D

        Are you referring to SSP here?

    2. 's water music

      KCL FTW

      So that's the question, what would you do to get revenge that would look at worse like a simple mistake?

      Time to look again at how happy the sysadmins were?

    3. Swarthy

      If he had done something plausibly deniable, like say, resigning before recovering from the crash/DDoS?

    4. Anonymous Coward
      Anonymous Coward

      What I'd do?

      The ever-expanding logs, of course. Possibly keep the spool directory on the system drive(it's there by default on Windows. Good admins move it)

      Then there's the 'manually corrected bug, seldom appearing bug' in your most important app. You know, the kind you know about, and fix the issues from by periodically run a simple command. Too small to really bother fixing permanently, as that takes many times longer, and you really could use the time for something else, such as updating the system docs.

      And yeah, the docs will be updated, and all the 'issues' will be listed in the appendix.

      Who reads all that anyway?

      Before the system goes tits-up, I mean?

      Possibly, the appendix is a text file in my homeshare since it needs to be updated now and then.

      You know, the homeshare that gets deleted automatically a few weeks after someone leaves...

  19. Mark 85

    He could have just said "Screw it" and left his resignation on the desk as he walked out the door. Add to that, refusal to train his replacement. No problem. This would have the choice for me (I've done it) and probably almost all of us.

    He could have done the deletes, etc. and claimed "oops"... Crap does happen, but the key here is "intentional".

    But to have done both is pretty damning. I can see where this might go either way at the appeals court depending on the "contract" but I'd bet on them upholding the conviction. Sadly, the law in the US makes no provision for the "extenuating circumstances" of the employer's toxic workplace.

  20. Pirate Dave Silver badge
    Pirate

    The problem here

    is if he wins, how is that going to fuck-over the rest of us Sysadmins going forward? Will we see a sea-change among employers who gradually start locking things down like they're a Fortune 100 company? No more fuzzy gray areas, no more admin-super-god access, no more special firewall rules for the Admin's computers, no more "root IS my account!" - it'll all be audit logs and constant re-authorizations for access and things locked away so tightly that only an auditor could love it. Big PITA for day-to-day work.

  21. Anonymous Coward
    Anonymous Coward

    What's wrong with the old-school methods?

    Just shit in the bosses trash can after hours!

    Kids today...

    1. Anonymous Coward
      Anonymous Coward

      Re: What's wrong with the old-school methods?

      Kids today...

      Have heard about DNA tracing

      1. Moosh
        Boffin

        Re: What's wrong with the old-school methods?

        "Hello, Police?"

        "Yes, i'd like you to DNA test this literal pile of shit in my office bin. And then cross check it with the DNA of people you most likely don't have on file anyway, and in an instance in which there is no real cause or excuse to go tracking down ex employees and forcing them to give a DNA sample, because really I could just empty the bin and use air freshener."

        "Yes, I want you to do this despite the fact that DNA evidencing is actually pretty sketchy and nothing at all like its portrayed in CSI"

  22. Anonymous Coward
    Anonymous Coward

    I can't see this guy winning the case

    Sure, he was authorized to perform these activities, but for the benefit of the company.

    I am authorized to represent my employer in front of customers, negotiate with suppliers and manage all aspects of customer data. But if I intentionally misrepresent the company, intentionally damage supplier relationships and delete customer data without a reasonable cause, I can get sued.

    1. Intractable Potsherd

      Re: I can't see this guy winning the case

      But that is the key point here - being sued is a civil action between two individuals (natural or legal), and where the penalty is damages (money). What you have described is not criminal (where the actors are the State and the individual) and you could not be arrested, tried, convicted and imprisoned for it. The question here is whether what the sysadmin did was criminal or civil - and I think the point being raised by the lawyers is a good one. Even if the appeal is unsuccessful, we need to ask ourselves very seriously if we want the State intervening in this sort of dispute - i.e. *should* it be criminal?

  23. SpeedEvil

    Company policy fixes this.

    If there is a policy saying 'you are expressly not authorised to use your knowledge of the company or its IT systems, including any passwords or other methods allowing you to access corporate systems to do X, Y,Z'.

    Then this not only makes the case for civil lawsuits simpler, but makes it clear that any access doing those things is unauthorised, and brings in the referred to law on unauthorised access, making it a criminal act, simply because the defence "my company authorised me" goes away.

  24. Anonymous South African Coward Bronze badge

    I don't commend his actions.

    He should have taken the clean way out and left without touching anything.

    As it is now, which company will take him on as employee/contractor seeing the way he treated his last employer? (burning bridges)...

  25. Anonymous Coward
    Anonymous Coward

    Reference:

    ...shows an excellent knowledge across a wide variety of critical systems...

    ...somewhat hasty on occasion...

  26. chivo243 Silver badge
    Facepalm

    shit on both ends of the stick

    The "owners" are a bunch of greedy slime balls in action #1. Part of me feels for Employee #1. Our friendly "sysadmin" is a tit for tat fuckwit. Not the way to champion karma...

  27. Hans 1
    Happy

    Treatment

    If you treat your employees like idiots, into idiots they will turn.

    Simple.

  28. Anonymous Coward
    Anonymous Coward

    Based on his logic

    A soldier is authorised to shoot anyone once he has been issued a weapon.

    There are usually rules of engagement, and in IT's case, a change control process usually starting with service requests, change requests, designs, or some other such process.

    The fact that many of the activities are within his sphere to deliver does not give carte blanche authority to change whatever he fancies.

    If they ran the place on a 2 blokes getting on with it between them basis then this may not apply, but it does mean that any medium to large organisation should be safe from staffers using this defence.

  29. Anonymous Coward
    Anonymous Coward

    If the dentist takes all my teeth out, it's fine because I said he could take one out.

    Come off it.

  30. Anonymous Coward
    Anonymous Coward

    He better win plenty

    Who will recruit him after this?

    1. Pompous Git Silver badge

      Re: He better win plenty

      Who will recruit him after this?
      You might be surprised. I once had a chat with a TV executive who'd done something nefarious at his place of work before resigning. Can't remember the details; 65 year-old brains!

      But, the interesting thing was what happened at his first interview at a different TV station. When asked why he had resigned, he described in full detail what he had done at his previous position, including the nefarious whatever.

      The response was: "You're hired. We really appreciate your honesty."

      The interview apparently lasted less than five minutes, but then he was well-known in the industry.

  31. dervheid

    Resignation Point

    I have to agree with some other posts on here: when he left the building, leaving behind his keys, badge etc with a letter of resignation, he effectively surrendered his authorisations for their systems at that point.

  32. 0laf

    Intent

    Yes he was authorised to carry out any and all of those actions while carrying out his function as an employee. But that is done within a framework of employment policies. None of which will say specifically "you must not destroy the company".

    If my job was to drive a truck I would be specifically authorised to get in the truck, to start it, to put it in gear and to make it move.

    That would not cover me if I was then to choose to drive that truck through a school.

    If this guy had caused all that damage while doing his job with the intent of fixing issues then he might get off. But on the evidence printed it seems unlikely that he will be able to prove his intent was anything other than malicious.

  33. Anonymous Coward
    Anonymous Coward

    Contracts...

    If this hinges on contractual terms then surely it's a breach of contract and not a criminal offence?

    1. Anonymous Coward
      Anonymous Coward

      Re: Contracts...

      I assume it's the contractual terms that give him permission to delete data and change configurations. They obviously didn't see the need to put "but not to intentionally break shit" in there.

      Surely bollocks though.

  34. Anonymous Coward
    Anonymous Coward

    My $0.02 worth

    That court had damn well better prove beyond reasonable doubt that the actions taken were malicious, because if they find against this guy then they have opened the doors for anarchy.

    Its not just about "routine" actions, as part of my job I was required to destroy hard drives. Had any of them contained evidence then this would be a criminal offense, contract or no contract.

    Same with "remote access", in principle being asked to knowingly set up a router with a trivially hackable password is irresponsible at the very least and possibly even illegal under CMA.

    I urge that in the event the court makes the wrong decision, every single sysadmin in the country should walk out in protest, because at that point the system is hopelessly broken.

    AC, because shooting the messenger unfortunately works, in the short term.

    1. Anonymous Coward
      Anonymous Coward

      Re: My $0.02 worth

      If your Remote Access is a simple router with password, then I'm not certain I'd want your $0.02...

      If you set up a VPN tunnel with 2-factor Identification, then yeah, I'd be willing to listen.

      (Assuming that tunnel only leads to a single server in a DMZ, of course, with a firewall between it and the rest of your network)

    2. Destroy All Monsters Silver badge

      Re: My $0.02 worth

      Its not just about "routine" actions, as part of my job I was required to destroy hard drives. Had any of them contained evidence then this would be a criminal offense, contract or no contract.

      Can't be a criminal offence if you didn't know about the hard drives' content, dude.

      1. Charles 9

        Re: My $0.02 worth

        Could still be nailed as negligence if holding devices for evidence is to be expected.

  35. Anonymous Coward
    Anonymous Coward

    What a dick!

    While i empathise and somewhat admire him sticking up for his best mate, what he did was childish and petulant at best.

    As for this appeal...well, the legal system is a bloody joke really - theres a clear cut case of the digital equivalent of criminal damage/espionage which he needs to be accountable for, but no...common sense goes out the window and there is a very real possibility that because his contract didnt explicitly state he couldnt do these things, then it must be OK.

    You can only hope that common sense prevails...

  36. Alister

    Missing the point

    An awful lot of commentards seem to be missing the point of this story.

    Thomas has never disputed that what he did was wrong, and would be grounds for a civil lawsuit from his ex employer, however, he was very specifically charged with a criminal act under the following:

    "intentionally causing damage without authorization , to a protected computer."

    His argument is that he should not have been charged under that statute, as he was authorised to access the computer(s) in question.

    As a shaky analogy, If I cause a road accident by throwing a concrete block off a bridge, and then got charged for "driving without due care and attention" I would be within my rights to appeal, as I wasn't driving at the time.

    1. flayman Bronze badge

      Re: Missing the point

      See my comment above yours. Malice is not an exercise of discretion. If he could be fired on the spot for his actions, then they cannot have been authorised.

    2. anonymous boring coward Silver badge

      Re: Missing the point

      Having authorised access doesn't mean he is authorised to do damage. But, yes, it's not "hacking". Just vandalism.

      1. Anonymous Coward
        Anonymous Coward

        Authorised access can mean legally acting in damaging ways.

        It is vandalism to shed long term company prospects and value to increase share prices for the next quarter but that doesn't mean it is authorised. Companies are often vandalised to the point of destruction without any charges being laid. If you are given total control, you have authorisation.

    3. Doctor Syntax Silver badge

      Re: Missing the point

      "intentionally causing damage without authorization , to a protected computer."

      How do you parse this?

      I can only parse it one way: he did not have authorization to cause damage but he did so and intentionally. Being authorised to access the computer is irrelevant, it was the damage he wasn't authorised to cause. And the additional factor is the intention. We all have the risk of that accidental oops moment which does cause damage but the intention to do so would be lacking.

  37. flayman Bronze badge

    Malice is not authorised.

    I don't think this will win, for a very simple reason that will not have far reaching consequences. The actions were carried out with malice, clearly. No employee is authorised to behave maliciously. If it's something which is grounds for summary dismissal under gross misconduct, then it's not really arguable that it was authorised.

    1. Charles 9

      Re: Malice is not authorised.

      But people in the US are presumed innocent. Meaning there must be a specific, referrable Act that doesn't allow it for a man to be tried. That act is always cited when your charge is read.

      Which Act covers general nonphysical malice against one's employer by means of authorized access?

  38. jason 7

    Gross negligence...

    ...if nothing else.

    As the prosecution I would put that to do all of that he must have been either negligent or the most incompetent IT engineer in the universe.

    1. flayman Bronze badge

      Re: Gross negligence...

      Not negligence. It was deliberate and malicious. It's gross misconduct. You can be fired on the spot for that, so there's no question it wasn't authorised.

  39. Cuddles

    Shouldn't be complicated

    Intent matters. Murder, manslaughter and self-defence can all refer to exactly the same actions, just with different intent behind them. Similarly, malicious damage, accidental damage, and proper maintenance of a computer system can all involve the same actions, but with different intent behind them. This isn't anything to do with IT or contracts, it's an old problem that the law already deals with in all kinds of situations - killing a person is far from the only thing that the law views differently depending on intention and context. If there really is any ambiguity here just because it involves computers, that suggests the law involved needs a simple bit of copy&paste from any of the wide variety of laws that already cover such situations perfectly well.

  40. Sparkypatrick

    Inappropriate charge

    It seems to be the norm in the US to go for maximum sentences or the most serious charge available to pressurise defendants to take a plea. This looks like a case of applying anti-hacking legislation to a case of criminal damage, presumably on the basis that it carries a higher tariff. It deserves to get knocked down for over-reach.

    "If he is found to have acted without authorization, the question then becomes: does that make other sysadmins criminally liable for mistakes they might make unless they get explicit permission beforehand? That would create a hell of a problem."

    Really? I thought getting permission in advance was called Change Control. I'd certainly be required to follow that process for any of the changes he made.

    1. flayman Bronze badge

      Re: Inappropriate charge

      "This looks like a case of applying anti-hacking legislation to a case of criminal damage, presumably on the basis that it carries a higher tariff. It deserves to get knocked down for over-reach."

      I respectfully disagree. I think this type of mischief should be covered by CFAA. There is fraud and abuse in abundance. The fraudulent aspect is the manner in which he cloaked his mischief in the routine performance of his duties, especially if he can be shown to have orchestrated the attacks that led him to gain access at the weekend when no one was around. You cannot argue authorisation to carry out actions that would get you fired on the spot.

      1. InfoSecuriytMaster

        Re: Inappropriate charge

        Fraud probably doesnt apply since he didnt do anything he wasnt authorized to do and didnt do anything for any monetary gain.

        1. Anonymous Coward
          Anonymous Coward

          Re: Inappropriate charge

          Authorization to destroy anything beyond routine stuff, though, usually requires specific authorization.

          1. Tom 38

            Re: Inappropriate charge

            Authorization to destroy anything beyond routine stuff, though, usually requires specific authorization.

            Usually is the operative word there. If the non IT people simply told him to "get on with it" or "you're the techy, you can't expect me to understand this, you make the decisions"...

  41. Anonymous Coward
    Anonymous Coward

    Lets be honest though..

    who at least hasn't at least once in their life wished they could do something like this to some sh*tehawk of an employer who is royally shafting the staff left, right and centre?

  42. Anonymous Coward
    Anonymous Coward

    Of course, as a System Administrator, he had "authorization" to manage the information systems, however, his job was not to damage the systems he managed, mismanage those information systems, or otherwise cause harm to them, so his argument that having access privileges to manage the information systems gives him free reign to cause harm to them, is without merit. If he wins this case, it's not because his assertion that having access and privileges to manage information systems gives him the RIGHT to mismanage and cause harm to them. This is a daft argument that will fail the rules of law, unless the judge is daft.

  43. Version 1.0 Silver badge
    Facepalm

    Guilty but not guilty

    Forwarding the emails was a mistake and almost certainly illegal but his argument on everything else is good. The sysadmin is god - while it's possible to legally restrict the sysadmin powers, it's impossible to keep IT running in the long term if you do so.

    I think we've all seen organizations where nothing is ever deleted (see icon).

    1. Doctor Syntax Silver badge

      Re: Guilty but not guilty

      "but his argument on everything else is good."

      Huh? He's authorised to intentionally commit damage? That's the crux of the matter.

  44. rh587

    If Thomas is found to have acted with authorization, every company will wonder if that gives their sysadmins carte blanche to ruin their systems with no legal comeback. That's not going to sit very well in boardrooms.

    Or just to use different legislation. I suppose it depends on the exact wording in your jurisdiction, but what he did would be equivalent to trashing the office on your way out - destroying furniture or putting a printer through a window.

    It becomes a criminal damage charge rather than an unauthorised-access/computer-crime/"hacking" charge.

    That said, I'm surprised there isn't a straight up clause in his contract to do with gross negligence or wilfully acting against the company's best interests or conduct which wilfully jeopardises operations.

  45. dmacleo

    very possible this could have even further implications.

    it is a stretch but if a hacker gains access to a system at that point he/she is the admin with the very same rights this person claimed.

    like I said, a real stretch but...be wary of the rulings on thi sone.

  46. David Gosnell

    "the whole of Monday sorting out"

    Oh my heart truly bleeds.

  47. InfoSecuriytMaster
    Megaphone

    Law, authorization and rules of behavior

    The law is only effective if the company has specific Rules of behavior AND Administrator RoBs. the Admin isnt going to get a separate permission every time they want to delete an extra file. The Admin RoB must specify 1 Thou shall do no evil; 3 You shall compy with Admin Policies and then 3- 25 (or 100) the rest of the specifics to do and other things that do need specific authorization (e.g. deleting all backups). And that any violation of can include termination, civil and criminal action against them. The wording may vary from state to state, but this is the basic premise. The RoB must be done because some employees are not on contractual obligation or may be unionized. Also the Admin RoB specifies adherence to Change|Configuration management s policies and procedures (i.e. nobody changes anything without written approval). And also compliance with Admin's policies noted above (the RoB may be a summary of the Admin's Policy manual). That is how to get a general or vague law to be effective.... And my guess is that this guy is going free if the employer company didnt do the policies and RoBs.

  48. Destroy All Monsters Silver badge
    Childcatcher

    It's a New Age!

    "Given the responsibility to not behave like an immature wrecker" is now actually "Given the authorization to behave like an immature wrecker"

    How fast can you say "thrown out of court"?

  49. Anonymous Coward
    Facepalm

    Company bosses attitude towards their IT people

    " the better solution is to follow an age-old piece of advice that company bosses never seem to grasp: don't treat your employees like shit"

    As far as most business type bosses are concerned their IT staff come somewhere between the janitor and the sanitation people.

    1. Destroy All Monsters Silver badge

      Re: Company bosses attitude towards their IT people

      Actually I also sometimes deal with sanitation right after installing antivirus and doing business analysis. It's an important job and someone has to do it.

  50. anonymous boring coward Silver badge

    Stupid defense.

    Having keys doesn't authorise you to burn down the house.

    1. Vic

      Having keys doesn't authorise you to burn down the house.

      No-one is saying it does.

      What he's claiming is that he's not guilty of breaking and entering.

      Vic.

  51. Anonymous Coward
    Anonymous Coward

    Double Standard for Directors and Employees

    After reading the comments I am surprised more haven't pointed out that Directors of companies regularly (and these days often) take actions that are damaging to the company. On occasion they openly state their damaging intentions to local media. An example many reading this have seen is a profitable company "locking" out it's workers in an attempt to make the company even more profitable, sometimes so it can be sold (though they never tell the media that). We all know of such examples, even some resulting in a total loss, with equipment being sold for scrap and leaving the clean up to taxpayers.

    Yet criminal charges are rarely if ever laid.

    Even when Directors or company owners have openly acted to intentionally cause damage they always claim they had authorisation, even when such actions cause the failure of global financial systems.

    In this particular case the company acted criminally when it attempted to defraud an employee, and now wants the government and courts to cover the unforeseen consequences of that criminal activity. Only business is allowed to use the courts in such a manner. If you think the legal system helps peasant criminals in their activities look at the unsolved murders in your area.

    Charges against Mikey should be dropped for that reason alone but IMO it is better to have it go to appeal so it can be made clear that Employees must be given clear directions, that each position be required to have a full description of the role and responsibilities, with limits and expectations and that the pay and compensation be equivalent to the level of responsibility being assigned. If you are the IT department, you are an executive and equally immune to being held responsible for your actions.

    Sounds like this company wanted it cake, dumping full responsibility and duties, and eat it too, paying only IT rates and being able to abuse employees at will.

    1. Destroy All Monsters Silver badge

      Re: Double Standard for Directors and Employees

      > An example many reading this have seen is a profitable company "locking" out it's workers in an attempt to make the company even more profitable

      You need to explain how that magically happens.

      > even when such actions cause the failure of global financial systems.

      Failure doesn't come from there. Look for "govnm't money printing" and "austrian business cycle theory".

      > If you are the IT department, you are an executive and equally immune to being held responsible for your actions.

      That's just not how life works.

      1. Anonymous Coward
        Anonymous Coward

        Re: That's just not how life works.

        "That's just not how life works." So very true. How it does work is by rewarding those who take advantage, in the case of business, advantage of the almost complete lack of accountability.

        Even when a company is destroyed because a manager felt he could make a better deal with the companies main contractor or when a fund manager sets up what is effectively a pyramid scheme but ensures none of the main political investors lose, accountability, let alone criminal charges, is not something to be feared.

        As an employee you can face charges, as an owner, investor, director, board member or regulator the most obvious damaging and destructive actions are not likely to result in anything other than a promotion, unless you cost the wrong people money.

    2. Doctor Syntax Silver badge

      Re: Double Standard for Directors and Employees

      "After reading the comments I am surprised more haven't pointed out that Directors of companies regularly (and these days often) take actions that are damaging to the company."

      A number of comments mention this. Irrelevant. That's not a matter before the court in this case.

      1. Anonymous Coward
        Anonymous Coward

        Re: A number of comments mention this...

        How did you manage to not read the quote you used? A hasty cut/paste I guess. Done that myself but I usually manage to read a couple lines. Which is all as irrelevant as your post but there it is anyway.

  52. Anonymous Coward
    Anonymous Coward

    To do this damage as a hacker is a criminal offence, however...

    ...to do this as an employee with full access to those systems makes it a civil offence NOT a criminal one.

    1. Doctor Syntax Silver badge

      Re: To do this damage as a hacker is a criminal offence, however...

      "to do this as an employee with full access to those systems makes it a civil offence NOT a criminal one."

      By analogy you seem to be arguing that an employee dipping into the till isn't committing fraud or theft.

      1. Vic

        Re: To do this damage as a hacker is a criminal offence, however...

        By analogy you seem to be arguing that an employee dipping into the till isn't committing fraud or theft.

        Some years back, we had a guy join the dive club. Learners got to borrow a full set of kit, so he picked all his up and signed for it.

        We never saw him again. Nor did we see the kit. We got the Police involved - who told us that this guy had not committed theft because we had not made it a condition of lending that he give the kit back when he'd finished with it...

        Club procedures were updated after that...

        Vic.

        1. Charles 9

          Re: To do this damage as a hacker is a criminal offence, however...

          "We never saw him again. Nor did we see the kit. We got the Police involved - who told us that this guy had not committed theft because we had not made it a condition of lending that he give the kit back when he'd finished with it..."

          Last I checked, the dictionary definition of "lend (vt)" includes the word "returned". Why didn't you counter to the police that the word "lend", because of its definition, implies a return condition?

  53. Bucky 2

    If I were on the jury

    I'd still find him guilty. But I'd reduce the monetary damages.

    The company obviously failed in their fiduciary responsibility to him as an employee. That nullifies his fiduciary responsibility to them. Perhaps not as a matter of law, but as a matter of principle.

    Yeah. He did an illegal thing. He spent time in jail already. I'd leave it on his record for being a dick, and a criminal. Good luck finding another job, asshole. But I wouldn't reward the company 130,000 for their part in this mess, either. $1 is more like it.

  54. Michael Felt

    Criminal or civil action

    if he was convicted in the criminal sense - i.e., a law that intends to protect computer users/owners from abusive behavior/actions from an individual.

    In short, this case will live and die by a strict discussion of the word "authorized" - to be or not to be.

    I doubt anyone will not see this as "wrongful" as it shows a behavior that most would consider outside the bounds of the "authorization".

    A different example: a police officer is authorized to carry and use a firearm. However, his "use" of the firearm, while also "authorized" is also subject to review to determine if he abused the authorization granted.

    If the current, or past law, that was used to charge the admin lacks a directive for review - the law is broken and needs an update. I expect, regardless of the outcome of this case such a review is forthcoming.

    And, of course - even if the appeal says he was authorized - in the legal sense - I would not feel safe, as a civil case can still be opened. Actually, surprised if this has not already been acted on.

    My two cents.

    1. Doctor Syntax Silver badge

      Re: Criminal or civil action

      "In short, this case will live and die by a strict discussion of the word "authorized" - to be or not to be."

      No. It turns on (a) what he was authorised to do and (b) intent. The charge was that he intentionally caused damage without authorisation. If he wants to argue this on contract terms he needs to point to the clause in his contract where, by implication or otherwise, he was authorised to commit damage. Not just access systems or even delete stuff, but commit actual intentional damage. The intent bit comes in when he does an rm -rf * or equivalent in several different places where that's damaging; once might be an accident but repeatedly on the same occasion?

  55. Jake Maverick

    sounds like a proper hero to me....

    but what i dnt get...the fired employee.....why and how on earth would he geta share of the profits simply because he was the first employee? that makes no sense to me...surely the first employee would be the owner/s anyway.....? i.e. employed by themselves...

    1. Pompous Git Silver badge

      why and how on earth would he geta share of the profits simply because he was the first employee?
      Probably in his contract. I once worked for a business on less than half-pay for a year on the basis that after 12 months I would own a share in the business. They fired me a week before the year was up.

  56. Daniel B.

    Best advice ever.

    Don't treat your employees like shit

    Something we can all agree on.

  57. Anonymous Coward
    Anonymous Coward

    Intriguingly

    This is exactly the argument for not overworking staff in the first place.

    I'm not condoning his actions but, if the backups contained information that if it were leaked (this is comparable to shredding of unwanted documents BTW) would have brought down the company, the case should be dropped on the grounds of technicality.

    Recall a similar case where, months after being "terminated" a copy of the cooked books in the form of a handful of CDRs was delivered anonymously to the IRS resulting in the Audit-from-Hell (tm) and several high profile plea bargains. Pretty sure this resulted in jail time for the executives and a job at the IRS Investigations department for the IT person in question.

  58. This post has been deleted by its author

  59. tlhonmey

    So what?

    It actually won't be that big a deal if he wins. Sure, criminal charges would be out in the future, but so what? Most fines go to the government, and you have to sue in civil court to get damages anyway.

    They'd still be able to sue him on the grounds that no reasonable person would think he was hired to destroy the network, and they would win, and he'd have to pay for the cost of fixing the problems he caused. He wouldn't go to jail, but so what? Sending him to jail just means that a portion of the company's taxes will be paying his room and board for a period of time. Taking his money and destroying his reputation so he can't get another job is far more cost effective.

    1. Charles 9

      Re: So what?

      "Taking his money and destroying his reputation so he can't get another job is far more cost effective."

      But riskier since he may be able to find SOMEONE to hire him who (a) doesn't know about him or (b) doesn't care. Attaching the criminal record (especially if a felony) tends to stop a lot of job vetters cold.

  60. Anonymous Coward
    Anonymous Coward

    More to the story

    There is more to this story than can be covered in an article I think. In the US appeals are decided by a panel of 3 judges and are based on a cold reading of the record and the law. In this case it has nothing to do with intent, malicious or not, but whether authorization to cause damage existed - which he had. Damage under the CFAA is defined essentially as any kind of change. 'Without authorization' in the CFAA isn't defined and has been interpreted different ways by different courts. In the US there is something called the rule of lenity that says when a criminal law can be plausibly interpreted multiple ways, the court is required to take the interpretation favoring the defendant.

    As some of the comments here have pointed out this was the wrong law to charge Thomas under, if charges were even warranted in the first place. Assuming there was even a violation of some kind of company policy, it is not permissible to base criminal liability on a private policy/contract. That would make the law void for vagueness as private parties would then be making decisions as to what is and is not criminal. The trial court judge and the prosecution here went to great lengths to make a square peg fit in a round hole here, applying a law that wasn't meant to be used in this scenario.

    I am sympathetic to the sysadmin here after reading his legal defense fundrazr page. He worked over a weekend to keep the companies systems functional, after his buddy had been fired, then resigned without notice when he decided he'd had enough. The company owners were pissed that he quit when there were still network issues and decided to try and ruin his life by maliciously hiring attorneys to sue then get the Feds involved to prosecute him (rather than the state). Left out of the story is the fact that the company filed a civil suit initially, then dropped it a few months later. Also that most of the 'damage' alleged to have occurred arguably falls within normal troubleshooting processes based on the things that were happening that weekend. Or that the government froze all of his worldly assets, which were not tied to the alleged crime, and listed him on Interpol's website after charging him - stranding him in a foreign country and preventing him from being able to hire an attorney for years. How about that the $130k restitution figure is based on paying people to do his job for the next 18 months after he quit, or that the jury was hung 6-6 on the case after deliberating two days and only returned a guilty verdict when the judge refused to let anyone go home and return for a 3rd day of deliberations (because he wanted to go on vacation the next day). Maybe that the employee handbook he is alleged to have violated was never produced at trial, only an acknowledgment of his receipt of it, which specified violations could result in disciplinary action "up to and including termination". Also that the government wanted him to go to prison for 3.5 years but the judge released him after only the 4 months he spent awaiting trial and sentencing.

    People don't seem to comprehend the toll that a federal criminal prosecution takes on someone, even if they win. They don't 'walk' or 'get away' with it. Being charged at that level for something that could result in 10 years in prison, under a system that is stacked against defendants, where 90% of cases plea guilty to reduce sentences. Where trials typically cost hundreds of thousands of dollars and face bleak odds of winning. Even if you win, you still lose. Criminal CFAA cases are very rare, ones that go to trial and appeal are even more so. This is a rare and important case that will help clarify the law. If his conviction is overturned it may curb future overreach by prosecutors who want their names in the paper, if upheld it will mean employers can retroactively rescind authorization and have employees prosecuted for anything they please.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like