I was authorized to trash my employer's network

[Robert]

What do we think of this guy?

In essence, Thomas is arguing that, yes, while he did intentionally cause damage it wasn't "without authorization." In fact, he was expressly authorized to access all the systems he accessed, and he was expressly authorized to carry out the deletions he did – every sysadmin in the world deletes backups, edits notification systems and adjusts email systems. In fact, it's fair to say that is a big part of the job they are paid to carry out.

His legal filing to the Fifth Circuit also points out that none of his actions were forbidden by the company's own policies.

Thomas is telling the court: sure, I trashed their systems but I did nothing illegal. And he has a point. It's just that every company in America is terrified that he might win the argument.

The context to it isn't completely clear:

Of course, there is a back story.

Thomas was hired to the company by a friend of his – Andrew Cain. Cain was the company's first employee and the only IT employee. As the company – which sets up and runs car dealership websites – grew, it needed another full-time IT staffer to handle demand.

Things went well for two years until, out of the blue, the company's founders fired Cain. Cain suspected the reason for his firing was the founders were looking to sell the company – something they have done repeatedly in the past as serial entrepreneurs – and didn't want to have to give Cain his cut as the first employee. At the same time they fired Cain – on a Thursday – Thomas was offered a bonus to stay on and take over his friend's job.

It's fair to say that Cain was just a tad irritated. And he called Thomas to tell him the news and that he would be suing for wrongful dismissal. And that's when ClickMotive started having trouble with its IT systems.

Thomas' appeal filing admits many of the things that came out during the investigation and trial: he obtained emails from ClickMotive's system and forwarded them to Cain's wife to help his lawsuit.

The day after Cain was fired, a Friday, the entire ClickMotive network went down from a power outage. Thomas got it back up and was still working remotely on Saturday, mopping up problems. Then, on the Sunday, the network was hit with a denial-of-service attack, taking it down again.

And so Thomas drove to the office Sunday evening and start working on getting it back up. While there, however, the rogue employee also carried out a whole range of activities, before departing a few hours later and leaving his keys, laptop, badge and a resignation letter – which were discovered the next morning.

That Sunday, Thomas deleted remotely stored backups and turned off the automated backup system. He made some changes to VPN authentication that basically locked everybody out, and turned off the automatic restart. He deleted internal IT wiki pages, removed users from a mailing list, deactivated the company's pager notification system, and a number of other things that basically created a huge mess that the company spent the whole of Monday sorting out (it turned out there were local copies of the deleted backups).

My initial reaction is that, whilst I have sympathy for the predicament he found himself in, I don't think I would responded in such a manner.

Still, reminds me of the sage, old advice to never knowingly piss off your waiter in a restaurant.

 

[ilwrath]

he was charged with a single felony count of "intentionally causing damage without authorization, to a protected computer."

This is one where you'd have to dig into the details. Personally, I'd say he was charged with the wrong thing. I'd argue that he is innocent of the charge. He had authorization on all systems.

Now, that still doesn't give you free reign to delete or modify anything you wish. There are laws on record retention and intentionally removing or attempting to remove all copies of protected records. Forwarding out those records? Also a no-no.

But, in his deletion spree, did he attempt to erase records, or did he just delete codebase? If he just deleted the code work he and Cain did, but left all records intact... He may well be innocent by the letter of the law. (Unless you argue the code was property of the company, at which point then he is guilty of destruction of property.) Devil is in the details.

Anyhow, agreed that is definitely the wrong way to handle the situation. I wouldn't have done that, either. And I have a feeling he'll be found guilty of something. Rightfully or no. And either way, it sets a lousy legal precident.

 

[FluffyMcDeath]

Seems like he'd have been better off just cryptolocking it and forcing the company to sign a contract recognizing Cain's employee one rights in perpetuity - or moving everything to his own server and running the business form there redirecting all accounts receivable to a new receiver. Hmm. Wonder how doable it is to simply take over a web based company. The key is in the online payment scheme and you should just be able to unplug the old payee and put your own in place if you have that level of access. Need some social engineering to change the ownership of the DNS record, but if you have sufficient access to the network you can likley send an email from the correct address to get this process done.
Once the old company is cut off from their funds and you are making the money it gets harder for them to hire lawyers and easier for you.

 

[redrumloa]

Not being an IT professional I won't try to cite specific laws, but unless his employment agreement was stupid sloppy, he'll be convicted of crimes.

That said, assuming this is reported accurately about his dismissal (which is not a given), what a dirt-bag company. I hate unethical dirt-bag companies.