IT Worker's Revenge Lands Her In Jail
aesoteric writes "A 30-year-old IT worker at a Florida-based health centre was this week sentenced to 19 months in a US federal prison for hacking, and then locking, her former employer's IT systems. Four days after being fired from the Suncoast Community Health Centers for insubordination, Patricia Marie Fowler exacted her revenge by hacking the centre's systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff."
Makes the rest of us suffer... (Score:5, Insightful)
Every time some person does stuff like this and it hits the press, every other IT person ends up suffering when the PHBs realize what the sysadmin or the Cisco guy is capable of.
Will this mean better security? Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".
Re: (Score:2)
Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".
You mean someone who in your technical opinion as an engineer shouldn't be using enable secrets or root passwords?
The systems belong to the PHBs. If you want to avoid giving out root passwords, then don't have passwords.... use biometrics. Or use a "password under seal" system, where the password is available but secure, and will be changed within days if
Re: (Score:3)
It's not a question of who is qualified. It's a question of who is entitled. It's their system and they are the PHB. There isn't a metaphysical judge of who should have what, merely practical; the admin arguing that the PHB shouldn't have access "just in case," and the PHB ignoring that and receiving it anyway.
Re:Makes the rest of us suffer... (Score:4, Insightful)
* - If he is the moron then why is it that you are working for him?
Re:Makes the rest of us suffer... (Score:5, Insightful)
No one should have root passwords. The mere existence of a root password is a fundamental security hole. If everyone has a user account and certain people have sudo privileges, you have:
Combine this with a proper centralized authentication/directory services system, and you're done.
Re: (Score:3)
They should perhaps HAVE access to the root / admin passwords.
They should not be using them however.
There is a difference (and any competent PHB knows this). Having the password(s)/keys/etc in an envelope locked away in a physical safe for use in emergency (possibly by a contractor when in-house IT go awol, die, etc) is just good business sense.
Re: (Score:3)
It's called the chain of command.
Specifically, the part where you'll get your ass fired for insubordination if you don't do what the fuck you're told by your superiors in the food chain. Your boss has more of a right to be an idiot than you do. It's one of the privileges of having authority.
However, there is an exception.
The only time you CAN refuse to give your boss the password is if an even BIGGER boss tells you not to, someone who is also your boss's boss.
In fact, companies will often reserve "root sp
Re: (Score:3)
I can see why some people have reservations about giving the keys to the kingdom to the PHBs
I've heard some real horror stories.
"I am the boss thus I demand the most important passwords you have!"
Followed by
"Password? Oh, ya, I found that big long one hard to remember so I just changed it to my name"
Followed by
"Someone has hacked our servers! This is your fault as you're in charge of IT security!"
So if you must use the "password under seal" system make sure it's a physical system like a safe which sets
Re: (Score:2)
The systems belong to the PHBs.
That's an assumption. Not all PHBs are in charge of that hardware. Depending on the cost center relationship, that PHB may have no business whatsoever other than being the IT PHB instead of a business PHB.
Re:Makes the rest of us suffer... (Score:5, Insightful)
Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.
It's a job requirement to be trustworthy when working in IT. Those who aren't pull crap like this.
Even if she hadn't gone to jail, if she got caught tampering with systems (either while employed there or after being terminated), she should never, ever, under any circumstances be trusted to admin a system again.
Ever.
Re: (Score:3)
This applies across the board. Not just IT people but accountants, managers, legal advisers and so on. IT people are not the only ones who can cause significant damage to an organization.
Re: (Score:2)
Good point - it seems to be less of a problem in the other areas (in my experience, in any event). Thing is that admin people tend to have access to data from multiple of the other organizations, so while I wouldn't say that hiring untrustworthy people in any position is a good practice, in IT it can be doubly bad because the IT staff can generally access docs on shared drives (for example) that belong to accounting, legal, etc - and can either disclose it or nuke it along with the backups.
That can cause a
Re: (Score:3)
I don't agree. While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.
Re: (Score:3)
Any business worth its salt has controls in place to prevent any accountant from having enough control with too little oversight to prevent this. In my entire career, I have never worked for a company that was vulner
Re: (Score:2)
Amen. The backup system that I have instituted has both onsite and offsite backups, with a weekly backup going offsite in a safety deposit box. Even if I were to go completely rogue and format everything, I couldn't in fact wipe organizational data; in particular accounting and payroll data. I might force bookkeeping to re-enter at most five days data from paper file, but that's the extent.
Re:Makes the rest of us suffer... (Score:4, Insightful)
One difference is the respect that is shown and compensation provided to accountants, managers, legal advisers and so on. Meanwhile IT guys are basically treated like janitors.
Re:Makes the rest of us suffer... (Score:5, Informative)
Meanwhile IT guys are basically treated like janitors.
The irony of your comment is that it reproduces exactly the line of thinking that you criticize. You realize that janitors, by having physical access to almost all parts of a business, are capable of more havoc than IT folks. They often have physical access to all the same systems that IT people do and much more. If potential to cause damage should correlate with compensation, I'd argue that the janitors should get paid the most in any organization.
Re: (Score:2)
No irony at all. I am completely aware of the similarities.
Re:Makes the rest of us suffer... (Score:5, Insightful)
Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.
And if you decided to fire them, make sure you terminate their access to your network in a timely manner. Somehow I seriously doubt Ms. Fowler actually "hacked" their systems. It is far more likely that after four days she discovered her remote access account still works and she took full advantage of this.
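As an added example (not part of the original thread or any poster's words), the check below cross-references an HR termination feed with a directory snapshot and an auth log to flag accounts left enabled and any login activity after the termination time. The usernames, hosts, addresses and the simplified sshd-style log format are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed HR feed: username -> termination timestamp (UTC).
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 2, 10, 9, 30),
}

# Constructed directory snapshot: username -> account still enabled?
ACCOUNTS = {"jdoe": True, "asmith": False, "bwong": True}

# Constructed auth log in a simplified sshd-style format with ISO timestamps.
AUTH_LOG = """\
2024-03-01T08:02:11 vpn01 sshd[811]: Accepted password for jdoe from 10.0.4.7 port 50122
2024-03-02T03:14:09 vpn01 sshd[902]: Failed password for asmith from 203.0.113.9 port 40100
2024-03-05T22:41:37 vpn01 sshd[977]: Accepted password for jdoe from 198.51.100.23 port 41876
2024-03-05T22:50:02 fw01 sshd[120]: Accepted publickey for jdoe from 198.51.100.23 port 41901
2024-03-06T07:58:40 vpn01 sshd[991]: Accepted password for bwong from 10.0.4.12 port 50300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def stale_accounts(terminations, accounts):
    """Terminated users whose account is still enabled in the directory."""
    return sorted(u for u in terminations if accounts.get(u, False))


def post_termination_logins(log_text, terminations):
    """Return auth events by terminated users that occur after termination.

    Failed attempts are included too: they show someone still trying to use
    credentials for an account that should no longer exist.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in terminations:
            continue
        ts = datetime.fromisoformat(m["ts"])
        cutoff = terminations[m["user"]]
        if ts > cutoff:
            findings.append({
                "user": m["user"], "host": m["host"], "src": m["src"],
                "success": m["result"] == "Accepted",
                "days_after": (ts - cutoff).days,
            })
    return findings


if __name__ == "__main__":
    print("still enabled:", stale_accounts(TERMINATIONS, ACCOUNTS))
    for finding in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print(finding)
```

Any successful event in the output is an offboarding failure regardless of intent, and the `days_after` field shows how long the window stayed open.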
Re: (Score:2)
Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.
It goes MUCH deeper than just a trust issue.
What should have happened and didn't within less than an hour of her walking out the door is she should have been locked out of everything. This company did not and paid the cost for their stupidity and laziness. This being the case...all executives/HR/whole IT department should have been fired/prosecuted for allowing this to happen. For that matter...the whole business should have been shuttered by the state of Florida and the FBI.
What she did was wrong...but it
Re: (Score:2)
You are an idiot. That is all.
"But your honor, she could have prevented this by wearing a locking chastity belt and carrying a gun. It's HER FAULT that she got raped!"
Re:Makes the rest of us suffer... (Score:4, Insightful)
If you don't trust your IT people, they shouldn't be your IT people.
I think the managers sort of realized that, and that's why they fired her.
Maybe the true lesson to learn is this: don't let former employees keep their access. Not even for a few days.
Re:Makes the rest of us suffer... (Score:5, Informative)
Then you find a new job. You don't damage their systems and delete their data to "teach them a lesson."
Imagine if your doctor, after years of telling you to get your cholesterol under control, decided to amputate a leg because you didn't take his admonitions with the seriousness and "respect" he felt that you owed him.
Imagine if your mechanic came to your house one night and cut your brake lines because you hadn't praised his work as effusively as he felt you should have when you picked up your car.
This "you better treat us right, or else," is unprofessional bullshit. Someone behaving unprofessionally towards you is not cause to behave the same way in return.
Um good? (Score:5, Insightful)
Person commits crime, goes to jail. Fascinating reporting there.
Re: (Score:3, Insightful)
You missed it. There's a girl in IT. That's the news!
It's not even that she hacked in. NASA has always had a problem with girlfriends of employees getting pissed, getting in and then breaking stuff.
Re: (Score:2)
.
Re: (Score:2)
1. IT person argues with boss at work.
2. boss dismisses IT person for arguing.
3. boss says IT person wouldn't do what boss wanted.
4. IT person responds by changing some settings on a machine.
5. boss calls police and says, "arrest IT person."
6. police and judge put IT person in a jail.
ok
So, what we now have is a person who knows security settings, who is very angry, who has demonstrated an ability to change settings on machines. AND! is now in a big room filled with
Harsh Sentence (Score:5, Insightful)
Re:Harsh Sentence (Score:5, Funny)
No, I'm pretty sure she would have been rehired and promoted into a management position.
Re: (Score:2)
I was thinking that. Computer crimes aren't punished more severely, it's just easier to commit more severe crimes with them...
Re: (Score:2)
... when you look at the prison sentence relative to other things it seems disproportionate.
Your view might be different if it was your IT department, or your pay and leave records being dinked with...
If the penalty is a slap on the wrist, what's the deterrent?
Re: (Score:3)
You make a good case for not involving the victims in sentencing.
Re: (Score:2)
You make a good case for not involving the victims in sentencing.
Bullshit. Sentences *should* bear some relationship to the impact on the victim.
Consider a geriatric wino living under a bridge - of no particular value to society. Does this make bum-killings "OK"?
Re: (Score:2)
Er, no ... which is entirely the point he was trying to make. Killing a bum gets you the same sentence as killing the President. Do you think it should be different?
Re: (Score:2, Offtopic)
These days...it is getting hard to TELL which one is the bum, and which one is the president.
Re: (Score:2)
No, parent's saying it shouldn't be up to the victims to decide the sentence.
Yes, if it was my IT department, one could feel more strongly. That doesn't mean it's a better sentence.
Re:Harsh Sentence (Score:4, Insightful)
My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.
That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.
If I am guilty of a crime, what I did is what should matter, not how good or bad a person the victim was. Rather than go down Hypothetical Alley with you about the value of human life, I'd like to keep our hypothetical closer to the facts:
Would this crime be more heinous if "your IT department", as you put it, were genuinely good people? Would it be worth less sentencing if it took place at an equivalent organization whose IT staff was lazy and whose managers were bombastic annoying pricks? Surely not. In that case, your opinions as the victim as to what the guilty party deserves regarding sentencing are too compromised.
Re: (Score:2)
My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.
As was the case here. The victim didn't choose the sentence.
By the way, do you object to "Victim's Impact Statements" at the sentencing? For serious crimes like auto-related deaths / maiming, home invasions, and murder?
Re: (Score:2)
I wasn't responding to the case. I was responding to your post:
> Your view might be different if it was your IT department, or your pay and leave records being dinked with...
> If the penalty is a slap on the wrist, what's the deterrent?
RE "Victim's Impact Statements", yes, I object very strongly to them. This "Victim's Rights" movement is nonsense. It's not the victims who are on trial, it's the defendant. I understand why a victim desires a harsh, punitive sentence, but I think a judge and jury h
Re: (Score:2)
Let me bore you sometime about how traffic courts have become an immoral revenue generation scam in most jurisdictions.
My city has recently embraced the Traffic Camera - to improve traffic safety of course.
Re: (Score:2)
I dunno, I think morality of what happened should factor into the sentence (though, not whether you are guilty or innocent).
A man mysteriously appears and jumps into the river to save your child. When he gets out of the water, you recognize him as an escaped convict from the news. Do you tell the authorities?
Re: (Score:2)
Your view might be different if it was your IT department, or your pay and leave records being dinked with...
This.
I used to work at a place with a really shitty asshole of a manager. One of the other employees apparently had the bright idea to create a program that would mess with all of the customer records, since it would somehow make the asshole manager look bad when stuff started to fail.
Apparently he had been screwing around with the customer records for months, which pretty much made all of the backup
Re: (Score:2)
In some places the penalties for arson can be quite significant.
Re: (Score:2, Interesting)
1st: I do not think I agree with OP. If I did the same damage without a PC, I bet I would be arrested.
2nd: The reporting is interesting. To a great extent, folks knowledgeable about computer systems/programming are looked on as some type of magicians. We get a mixture of respect and contempt because of this. People depend on us and our services and that creates a high level of conflict.
3rd: They are actually working on the idle CSS. Still sucks, but at least the edit textbox is no longer 0.75" wide.
Re: (Score:2)
I'm wondering why it took 3 months to get her to hand over the password. Not defending what she did but why couldn't they just perform a password reset?
It really doesn't seem like either her or her employer were all that competent.
Re: (Score:2)
It took them 3 months to figure out who was intruding into the system. Once the FBI asked/interrogated her, she fessed up. Still, 3 months is a long time to go without the password when I'm sure the manufacturer would have helped them reset the password.
Re: (Score:2)
Do you realize how much damage you can do with that kind of access?
You are seriously underestimating the seriousness of the crime. That she didn't do all that much damage is relevant to a point, but she clearly intended to do as much harm as she could.
Re: (Score:2)
It's a good thing she didn't share music files from a CD at the same time.
She could have owed millions of dollars, and her sentence might have been for a much longer time!
Re: (Score:2)
As for how she was able to do so, she was probably the only real IT person in the company
Disclaimer: I worked at SCHC as the sole IT person for a long time.
Re: (Score:2)
If she had broken and entered, destroyed some property, changed locks, sabotaged, say, manufacturing systems so they would need repair before normal business operations could continue, and falsified documents (fraud), you think she would have gotten a _smaller_ sentence?
Re: (Score:3)
As a target, yes.
Re: (Score:2)
You're right. It IS interesting: http://articles.latimes.com/2010/jul/19/local/la-me-state-computers-20100719 [latimes.com]
Fear for People in ... (Score:2)
Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!
Re: (Score:2)
Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!
As someone pointed out earlier in the comments,
Suncoast Community Health Centers is a non-profit providing health care to migrant workers, the elderly, and the poor. I'm guessing they don't have a lot of money to blow on getting the cream-of-the-crop IT professionals.
Yeah, but... (Score:3, Informative)
is she hot?
Also, does she run linux at home?
Re: (Score:2)
Isn't the second question redundant? Or maybe, "If not" instead of "Also,".
Re:Yeah, but... (Score:5, Funny)
is she hot?
Also, does she run linux at home?
You may choose only one.
Re: (Score:2)
You know that saying? (Score:2)
Unless you are very good, you aren't going to avoid leaving enough of a trail that wriggling out of the "#1 suspect" spot will be easy or comfortable...
Re: (Score:2)
Sure it's easy, just make sure you're behind seven proxies!
Getting out of the number 1 spot. (Score:2)
One important thing about getting out of the number one spot, don't broadcast how you would get out of it on Slashdot.
Re: (Score:2)
It's not that hard to be good at being bad.
Certainly, a dish served cold. Preparations can begin while the plate is still hot though.
Re: (Score:2)
The way to do it is to put in a few accounts for other ex-employees, "accidentally" elevate them to admin privileges and then walk away. If you still feel the need for revenge 6 months later use one of those accounts to do your da
What? (Score:5, Insightful)
Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.
What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?
Re: (Score:2)
Seriously. Replace the firewall.
Re: (Score:2)
Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.
What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?
That's how long the FBI spent running all the staff through ICE (Immigrations) before they replaced it. And you thought your last doctor's appointment was a long wait...
At the speed of government.
Re: (Score:2)
Have you seen the amount of paperwork involved? That alone could take up to 90 days for the FBI to process.
Now, if it's not actually helping people, it'll be done by tomorrow.
Re:What? (Score:5, Informative)
Re: (Score:2)
I didn't know she was wearing makeup at the time of her criminal activities.
Re: (Score:2)
Badum-tisch
did she really "hack" it? (Score:4, Insightful)
or did she use passwords she already had to get into the system? I wouldn't be surprised if this was yet more abuse of the word "hacking".
Re:did she really "hack" it? (Score:5, Interesting)
Re: (Score:2)
If only you had sudo permissions to grant me mod points....
Re: (Score:2)
Hyperbole time: Wouldn't "use a computer in a way that the writer does not completely understand." include ALL windows (ok ok computer) users? It would include themselves in this category because obviously they don't know what they themselves are doing... everyone is a hacker these days. IMHO Rote knowledge of a computer system regardless of OS and applications is just ROTE knowledge and has nothing to do with understanding... Apes/Cats/Dogs/Rats can all push buttons too and make stuff happen to benefit the
Re: (Score:2)
Uh yeah. Is that new or surprising to you? I'd say that probably happened over twenty years ago.
What a moron (Score:2)
Single Point of Failure = Facepalm (Score:2)
insubordination! (Score:2)
Sounds like she tried to start a mutiny or something!
Perhaps she refused a code red?
Seriously how can someone that works in IT at a freaking community health centre get canned for insubordination?
Maybe she had good reason to trash their systems... I'm guessing rogue AI.
Re: (Score:2)
The prics of stupidity are going to have a field day with this one.
Re: (Score:3)
Will the pric of stupidity stand up in court, or will she be put through the penal system?
Re: (Score:3)
Not that odd. The rest of the world reports on news from the rest of the world. It's only inside the borders of the US that the news programs seem to stop at the national border.