What: A Missouri system administrator appeals his conviction for unauthorized computer intrusion.
When: The 8th Circuit Court of Appeals ruled on Jan. 9.
Outcome: The conviction, with a sentence of three months' imprisonment, a fine and restitution, was upheld.
What happened: Thomas Millot worked as a systems analyst at Aventis Pharmaceuticals, where he was responsible for computer security at the company's Kansas City, Mo., office. As part of his job, Millot administered the SecureID card system.
After Aventis outsourced its computer security operations to IBM in late 2000, Millot found himself out of a job.
But he kept an administrator-level SecureID card with him and used it to enter the network nine times. During one of those intrusions, Millot deleted the account for his former colleague Jeff Jernigan, Aventis' manager of technical services.
IBM employees eventually tracked down what happened and restored Jernigan's access. IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350.
Millot admitted that he had misused the SecureID card, but his lawyers argued that the activity didn't meet the Computer Fraud and Abuse Act's requirement of $5,000 in damages.
A federal judge disagreed and handed down a relatively light sentence of three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.
Millot's attorneys reiterated their claim on appeal, which the 8th Circuit rejected.
Excerpt from the court's opinion: "Millot argues that any costs incurred by IBM should not have been considered in determining whether the loss amounted to the statutory minimum because the system was owned by Aventis, and IBM was a 'volunteer' fixing the system. This argument lacks merit.
"The (Computer Fraud and Abuse Act) provides for a fine and imprisonment up to five years for an individual who 'intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage' and that conduct causes 'loss to one or more persons during any one-year period...aggregating at least $5,000 in value.'
"Although the damage was done to the Aventis computer system, the statute does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.
"Next, we address the sufficiency of the evidence. Millot contends that the government's evidence was insufficient to establish that the actual loss exceeded the $5,000 minimum because there was no evidence that IBM specifically billed Aventis the amount alleged...At Millot's trial, the government presented undisputed evidence regarding the hours spent by (experts) Bridges and Meyers in response to the unauthorized intrusion, and that the time spent was valued at $50 per hour. IBM undoubtedly paid Meyers and Bridges for their time, and the work was done on behalf of Aventis to remedy damage to Aventis' computer system that Millot admits he caused.
"Accordingly, we find that the evidence presented was sufficient to support the conviction."


Take your punishment, dude. You were childish and stupid. You deserve it.
How hard is it to recover using either a current backup or forensic software to recover the deleted files? I could possibly believe 100 hours total if they had to use software to recover the deleted files from the hard drives, because that process involves weeding through a bunch of useless noise to find the useful information.
Not only leaving the former security administrator's SecureID account open, but also evading responsibility for that and charging a shameless amount for fixing the damage caused by their negligence.
No business like information security business!
Regards,
Eitan Caspi
Israel
Professional Blog (Hebrew): http://www.notes.co.il/eitan
Personal Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Blog (English): http://eitancaspi.blogspot.com
"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)
Simple calculation shows that $20,350 divided by $50/hr comes to roughly 407 hours.
407 hours divided by 24 hours (assuming they worked non-stop around the clock) comes to 16.95 days.
You mean it took IBM almost 17 days to figure out what happened?
I smell stench in here somewhere... just trying to figure out where... but it smells so bad that I find it hard to continue looking!!!
Walt
Did the guy have access to root organisational certifier key and the tools to make a new key, and sign it afterwards?
I really think that public private key asymmetric systems are just a pile of junk. The whole world needs to use One Time Pad instead.
Discard the key both ends every time it is used. Hey this is 2006, you can fit thousands of keys on a regular USB key fob, so there is no excuse.
Security depends on what you trust, and if you're trusting an organisational root certifier for a hundred years, it will be broken.
Apart from that, it's amazing that there was no activity log. 400 hours?? So this guy got in (VPN? - no access log?), logged into a server (no login activity log??), and deleted another guy's account (don't tell me, no log).
Why could he even log into the server? I'd prevent logins the day the guy left.
Speaks more for total laxness of security in this case than the guy's actions. In some cases, people downsized in this way WILL be pissed. You have to expect that.
Sounds like he's paying for the company's rubbish security to me.
~200 hours to find out what happened, who did it, how it happened, and how it can be avoided in the future... all while gathering enough evidence to prosecute.... Not bad at all.