Funnily enough, no, IT admins who trash biz machines can't claim they had permission

Court makes quick work of techie's long-shot appeal

By Thomas Claburn in San Francisco

Posted in Servers, 14th December 2017 20:09 GMT

In a not particularly surprising decision, the Fifth Circuit Court of Appeals in New Orleans, USA, this week ruled that Michael Thomas, in his former role as IT operations manager for web hosting biz ClickMotive, was not authorized to trash company files and infrastructure as he claimed.

Upset that a friend had been fired from the IT department, and, as court documents tell it, annoyed that fewer staff would mean more work, Thomas proceeded to "tinker" with ClickMotive's systems. This was back in December, 2011.

The rogue employee deleted 625 backup archives and backup scripts. He destroyed the virtual machine that performed backups and then didn't launch its redundant copy, to prevent backups from being made. He altered contact info in the company's notification system so employees would not be alerted to tech equipment troubles. He configured bosses' company email inboxes to forward messages to a personal account he created outside the biz. He erased the organization's troubleshooting wiki and sabotaged its VPN.

Thomas was convicted by a Texas court under the Computer Fraud and Abuse Act (CFAA) last year and sentenced to time served plus three years of supervised release and fined roughly $130,000, the cost of fixing the damage.

But he challenged the application of the law. The CFAA criminalizes anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."

In February, Thomas appealed his conviction on the basis that he, as an IT administrator, was in fact authorized to delete files and make system changes.

The appeals court made short work of his claim.

"The nature of Thomas’s conduct is highly incriminating," the court's ruling stated this week. "No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network."

Beyond the obviously destructive nature of Thomas's actions, the court points to his words and behavior after his arrest as indicative of his intent.

When questioned by federal agents, the court revealed in its opinion, "he did not say that he caused the damage in order to maintain or improve the system; instead, his motive was to make things more difficult for the person hired to replace him. And his flight to Brazil is not what is expected of someone who had permission to engage in the conduct being investigated."

The court then considered the timing of his acts, noting that destroying data and crippling the VPN on a Friday night and over the weekend, when it was least likely to be detected, made little sense if he had permission to muck things up.

Finally, the court noted that, before his arrest, Thomas suspected he was breaking the law he now contends should not apply.

The ruling explained, "Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that 'he thought he might have broken the law.' Which law, the friend inquired? Thomas’s response: 'the Computer Fraud and Abuse Act.'" ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Sysadmin crashed computer recording data from active space probe

Who, me? ‘I’m the reason we missed seeing aliens’, jokes nervous reader

Sysadmin Day 2017: Still time to get the beers in

70% of IT workers risk burnout: Don't let that be you. Pub. Now!

Lottery-hacking sysadmin's unlucky number comes up: 25 years in the slammer

Rigged a random number generator and tried to cash in

This week on GitHub: Facebook's forecaster and a sysadmin CURSE

Repo Roundup You always wanted an autonomous T-shirt cannon, right? Here you go

Sysadmin 'trashed old bosses' Oracle database with ticking logic bomb'

Always ensure the office laptop gets returned

Secret weekend office bonk came within inch of killing sysadmin

On-Call You drained the air-conditioner where, exactly? And now I've stepped in it ...

Sysadmin tells user CSI-style password guessing never w– wait WTF?! It's 'PASSWORD1'!

On-Call Sysadmin hated making it look so easy, but didn't mind being a hero for saving a payroll run

Job ad asks for 'detrimental' sysadmin

Yep. That sounds about right

Sysadmin 'fesses up to wrecking his former employer's IT systems

Ex-Agilent staffer faces 10 years in the cooler

Happy Sysadmin Day!

Today, it's all about you