Data Centre


Funnily enough, no, IT admins who trash biz machines can't claim they had permission

Court makes quick work of techie's long-shot appeal

By Thomas Claburn in San Francisco


In a not particularly surprising decision, the Fifth Circuit Court of Appeals in New Orleans, USA, this week ruled that Michael Thomas, in his former role as IT operations manager for web hosting biz ClickMotive, was not authorized to trash company files and infrastructure as he claimed.

Upset that a friend had been fired from the IT department, and, as court documents tell it, annoyed that fewer staff would mean more work, Thomas proceeded to "tinker" with ClickMotive's systems. This was back in December, 2011.

The rogue employee deleted 625 backup archives and backup scripts. He destroyed the virtual machine that performed backups and then didn't launch its redundant copy, to prevent backups from being made. He altered contact info in the company's notification system so employees would not be alerted to tech equipment troubles. He configured bosses' company email inboxes to forward messages to a personal account he created outside the biz. He erased the organization's troubleshooting wiki and sabotaged its VPN.

Thomas was convicted by a Texas court under the Computer Fraud and Abuse Act (CFAA) last year and sentenced to time served plus three years of supervised release and fined roughly $130,000, the cost of fixing the damage.

But he challenged the application of the law. The CFAA criminalizes anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."

In February, Thomas appealed his conviction on the basis that he, as an IT administrator, was in fact authorized to delete files and make system changes.

The appeals court made short work of his claim.

"The nature of Thomas’s conduct is highly incriminating," the court's ruling stated this week. "No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network."

Beyond the obviously destructive nature of Thomas's actions, the court points to his words and behavior after his arrest as indicative of his intent.

When questioned by federal agents, the court revealed in its opinion, "he did not say that he caused the damage in order to maintain or improve the system; instead, his motive was to make things more difficult for the person hired to replace him. And his flight to Brazil is not what is expected of someone who had permission to engage in the conduct being investigated."

The court then considered the timing of his acts, noting that destroying data and crippling the VPN on a Friday night and over the weekend, when it was least likely to be detected, made little sense if he had permission to muck things up.

Finally, the court noted that, before his arrest, Thomas suspected he was breaking the law he now contends should not apply.

The ruling explained, "Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that 'he thought he might have broken the law.' Which law, the friend inquired? Thomas’s response: 'the Computer Fraud and Abuse Act.'" ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Sysadmin running a Mac fleet? IBM has just thrown you a lifeline

'Zero touch' setup, Mac@IBM, lands at GitHub

Sysadmin misses out on paycheck after student test runs amok

Who, Me? College should've stuck to departmental nomenclature

Sysadmin sank IBM mainframe by going one VM too deep

Who, me? Tried to blame it on a bug, but logs don't lie

Microsoft sysadmin hired for fake NetWare skills keeps job despite twitchy trigger finger

Who, Me? Embellished CV almost spells disaster

Sysadmin wiped two servers, left the country to escape the shame

Who, me? Source/target mixup proved that mirroring software worked perfectly

Rookie almost wipes customer's entire inventory – unbeknownst to sysadmin

Who, Me? Spends three hours recreating the device tree by hand, leaves with heart in throat

Sysadmin shut down the wrong server, and with it all European operations

Who, me? Hey Dad, why does your old boss call you ‘The Powerdown Kid’?

Tired sysadmin plugged cable into wrong port, unleashed a 'virus'

Who, me? And then his colleagues pulled an all-nighter failing to fix it

What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs

Online sleuths dig into the case, with surprising success

Sysadmin trained his offshore replacements, sat back, watched ex-employer's world burn

On-Call 'Our motivation for such a task wasn't exactly high'