Normally you disable a person’s accounts first before telling them they’re fired...
Sounds like several people (in IT & HR) need to be told they can no longer play with the choo choos.
A former IT administrator at the Canadian Pacific Railway has been jailed for 366 days for sabotaging the organization's computer network. Christopher Victor Grupe, 46, had a rocky relationship with his employers: in December 2015, he was suspended for 12 days for insubordination and just not making the grade as a sysadmin. …
> I'm surprised that the judge or even the forensics folks didn't rip the CIO a new one
I'm not. When I worked IT admin, management (not just from one company) would frequently "let someone go" without informing us. For the most part we were lucky in that the only damage done was a deleted mailbox (recoverable) and a mouse lead being severed (£3 to replace). And sure, after I would then have a chat, the next few dismissals we were informed just before the meeting, but inevitably it slipped again after a few months, or new managers. Rinse and repeat.
> management (not just from one company) would frequently "let someone go" without informing us.
The problem is org charts. HR have a visceral resistance to the reality that on a day to day basis a SysAdmin is a far more powerful (and therefore potentially dangerous) individual than a CEO and consequently needs to be handled with greater care.
The same thing happens in DCs. People get awestruck by CTOs and (to a lesser extent) networking guys and forget that regular electricians and aircon plumbers underpin everything[1].
[1] Based on a "logic bomb" left by a disgruntled sparky. A few breakers were "accidentally" miswired so that when a scheduled power down happened three months later the wrong aisles got powered off which also unbalanced the 3-Phase with assorted domino effects. The miscreant was long gone back to somewhere in Eastern Europe by then.
"This is _why_ you need documented procedures for these kinds of things".
I've ended up writing such procedures on the way out in previous jobs - which is not ideal. Thankfully, these were positions where my departure was on amicable terms - but this isn't the sort of thing you want to do when the person is annoyed and would like to see their (now ex-)employer go up in flames like a Bond baddie's secret volcano hide-out.
"I'm surprised that the judge or even the forensics folks didn't rip the CIO a new one"
Why would they? Failing to run a business according to best practice is not generally a criminal offence. If you leave your door unlocked and someone robs your house, it's not the judge's business to tell you you're an idiot, he's only there to sentence the burglar.
Although I live in the UK I've worked for US and CDN companies for decades.
I find it bizarre that over here you can be fired with several weeks notice, and can be expected to continue doing your job and set your house in order for a smooth transition - while in North America, even if you've done nothing wrong, you are called into a meeting, have your accounts locked, laptop removed and are escorted from the building, leaving colleagues to cope with the fallout.
The latter approach just seems to make for very angry and aggrieved ex-employees, and places a burden on remaining staff who have to pick up the pieces.
"I find it bizarre that over here you can be fired with several weeks notice, and can be expected to continue doing your job and set your house in order for a smooth transition"
Not that I'm massively experienced but I've never seen anyone fired for misconduct and been allowed to continue working. I've seen people made redundant and work their notice period as you describe above.
I have seen people try to pass through the turnstiles only to find their passes have been disabled. They're handed a letter and told to go home and await the meeting to be scheduled. IT access has also been similarly revoked.
Gardening leave was enforced and a severance package was available at the time.
Location: UK.
Our entire office was made redundant but we were all allowed to continue using the facilities for preparing/updating CVs, arranging interviews and just generally faffing about. Any faffing had to be legal and within our T&Cs, so no downloading pirated stuff, no browsing pr0n sites and so forth.
As far as I know, nobody abused it.
"over here you can be fired with several weeks notice, and can be expected to continue doing your job and set your house in order for a smooth transition"
The difference is that here, if you're being made redundant (vs "fired") you're going to be given a severance package and a reference which are both at risk if you do anything stupid.
If there's a hint that you won't play nice then your notice period will be spent at home, gardening, with all access codes having been changed before you were told about it.
The USA in particular has this peculiar concept of "at will" employment (which the tories keep trying to introduce here) which means that no one's job is secure from one day to the next - and one of the favourite manglement tactics when firing a lot of people is to parachute XYZ inept manager into the location with promises of long term upgrade to start sacking people ("hoorah", he thinks), and then push him out the door with no compensation when the dirty work is done.
Honestly, you'd think it would be written into HR and Management manuals by now: if you have an employee who is showing signs of being likely to become an ex-employee, then when you fire him you lock his accounts first, then you inform him that he is being terminated and that his remaining tenure with the company is gardening leave, to be spent off-site.
Otherwise, try to conduct all such business with the maximum of politeness and dignity, so as to preserve your company's reputation and minimise hurt and annoyance to the soon-to-be-ex employee. Pay a little more than statutory minimum redundancy payments, extend health cover for a month or so, basically be nice to the bloke you're firing and with luck he'll be nice back to you.
> An IT professional should be exactly that.
> People who pull this kind of shit should be
> barred from the profession for life and receive
> much tougher penalties.
And all IT professionals should be bonded. It's still amazing that with the kind of access that IT folks get, they don't have to post a serious bond.
I ask as forensic experts "got in" by an employer is not the same as an impartial police investigation and should certainly not be accepted as evidence equal to a real investigation.
Again not shutting his access down is just inviting trouble and should be viewed as being equivalent to leaving a window open.
Perhaps the reason original argument requiring his dismissal was about how incompetent his management were
^ someone got a guilty conscience? Your analogies are nonsense; an open window is not an invitation to anyone other than criminals.
You got a point, but (continuing the analogy) it's also an invitation for Insurance companies* not to pay up, should something happen in said circumstances.
* You are free to argue said companies are also 'criminal' of course.
"open window is not an invitation to anyone other than criminals", no you are just plain wrong, security is everyone's responsibility.
An open window, at court, is the difference between breaking and entering (a crime) and entering to dick with you by turning off some of your electric equipment, changing the recording times on your PVR (not a crime) or any other action that doesn't break the law.
Hence one is a crime the other would be a civil case at best, this because not taking security seriously costs everyone else money and is correctly seen as incitement by the courts.
Here we have a prime example of failing to implement minimum security practices and personally I would say the company is far from innocent in this. If they had removed all access at the point where he was suspended or at the very least when he left then there would not be any court case to hold.
@AC Actually the two cases you've cited would be "breaking and entering" if the windows were shut and "criminal trespass" if the windows were open.
Just because a window was open, doesn't give you ANY right to climb into another person's house without their permission.
What you do inside the house would just determine if there were other crimes you were charged with. Oh, and by the way, things like "dicking around with your equipment" would likely bring a criminal mischief charge.
Playing with other people's toys, without their permission, is just not allowed...
US law of "criminal trespass" I presume, still IMHO does not make just being on someone else's property an instant crime but it is the US after all and since there are a lot of lawyers making the laws then it is possible.
In the UK we have people coming onto our property all the time to deliver mail, tell you to buy a TV license, trying to sell you something or get you to contribute towards the charity who employ them on commission and whilst the latter can be annoying we the tax payers are paying for the courts and the solicitors to have their time wasted because some tool can't be bothered to secure their home or is after an insurance payout.
For my part I would prefer to keep my front garden than shoot people if they step on my grass but then again I am not in the US.
@AC You're changing your definitions. You were talking about people coming through the window, not someone walking on your front lawn. If your mailman climbs through your window to deliver your post, believe me you are well within your rights to call the Police and have them arrested for trespassing. Even in the UK. Same with TV licence people and charity collectors. You are also welcome to call the Police on them again for trespassing if they were to climb into your back yard for that purpose. The front yard, however, usually allows for entry for the purpose of moving to your front door. If they decide to set up a rave in your front yard without your permission, then again they are trespassing.
It's not so difficult to understand, now is it?
@Iglethal "You're changing your definitions"
Not at all, in the UK trespass is not an instant crime. Here you have to refuse to leave before the police get involved.
However we also have laws created for the benefit of vested interests but generally rather than making laws to fill prisons where they again cost the tax payer, we instead try to prevent "crime" in the first place by placing a minimum responsibility on everyone to avoid inviting crime.
Here we used to have things like a welfare system so people do not have to steal to eat because providing money for food to the hungry is cheaper than the time of police, judges and then having to pay to feed and house them anyway for the duration of their sentence. Same for housing costs and health care but these are being eroded by people who do not understand that if we have your laws then we get the same outcome that you have, i.e. people being shot all the time. I presume that shooting "criminals" without having to bother with courts or prison keeps your costs down but that just means the criminals go armed and innocents get shot by "accident".
"It's not so difficult to understand, now is it?" I understand what you are saying, that the analogy is difficult for people who have more lawyers, guns and deaths by shooting per head of population than any other country. I can understand even you believing the BestBuy forensic expert's paid for evidence and the lesson here for everyone else is do not be a system admin in the US they are out gunning for you.
> US law of "criminal trespass" I presume, still IMHO does not make just being on someone else's property an instant crime but it is the US after all and since there are a lot of lawyers making the laws then it is possible.
No, a trespass charge in the US is for one of two things. You were told to leave and did not or it's a plea deal from burglary.
@AC "An open window, at court, is the difference between breaking and entering (a crime) and entering to dick with you by turning off some of your electric equipment, changing the recording times on your PVR (not a crime) or any other action that doesn't break the law."
Window open or not isn't really relevant, entering someone's house/private property uninvited is still trespass, and so is a crime. Even in the US just entering a location without permission can be classed as burglary, even if nothing was taken or no other crime committed, it just has to be shown that you have no valid reason to be there.
"An open window, at court, is the difference between breaking and entering (a crime) and entering to dick with you (...)
Hence one is a crime the other would be a civil case at best..."
I don't know how things stand where you live but around these parts "Criminal Trespass" and "Illegal Entry" are still criminal, not civil, offenses. They may be only misdemeanors while B&E is a felony (combining within itself, as it does, both trespass AND property damage), but still criminal.
> An open window, at court, is the difference between breaking and entering (a crime) and entering to dick with you by turning off some of your electric equipment, changing the recording times on your PVR (not a crime) or any other action that doesn't break the law.
Seriously? So I can just walk into someone's house and watch their telly? Or an office building? And then complain about being manhandled by the understandably frustrated owner?
The guy was fired and his creds not wiped, presenting the open window for criminals, who may or may not have been the man on trial, to do malicious damage, or something just happened and the recently dismissed / resigned was blamed with evidence corroborating it.
I’d like to see remote access, AD and TACACS logs proving he logged into that laptop and did those things before he wiped it and handed it back.
For a tech site, we can surely expect the journo to include info on these details.
Having worked for a number of bad employers then when I see these sorts of news stories then I always look at what information has been released before making any judgement.
One employer I worked for was still blaming a guy who left to go contracting for every failure two months later regardless of if the guy had ever touched it. I didn't know the guy until they finally had to pay his rates but my dealings with his work suggested that he was more competent than 90% of my peers.
Another had a network admin grilling the staff and starting the dialogue with "we found evidence on a machine you used and the timestamps say you did it" when this was a complete lie, when they tied it with me I said "this isn't amateur hour, let's bring the police in" and they bricked it.
One company had managed to turn a client's multi-CPU Novell cluster into a single CPU fileserver after the manager's friend rebuilt it and then made the client upgrade the network and switch to Microsoft to hide the fail.
I could go on but basically I have worked with a lot of bad managers who in my experience truly believed that they could do or say anything.
So if the only proof here is the say so of some "third party" investigator who was employed to find evidence against the dismissed employee then I am going to wonder if it is just more bad management covering their own arses.
That the management admit failing to remove the dismissed employee's access just adds icing to the cake.
As in "this IoT thing is getting ridiculous, now the rails are network connected"
They are.
But generally the low-level control (relays or PLC-like units) is interlocked so that you can not direct a train onto a track where another train is present (except at switching yards where such an action should be possible, although only at low speed). The network is used to send control messages to these low-level systems, with points, signals and block status being sent back. With the network out of action everything should come to a stop without creating hazardous situations.
A measure of his competence is that he used a laptop to carry out his attacks, and then handed it back to his former employer.
Even though he did make an attempt to wipe it, he should at least have changed the hard-drive, or just used a different machine altogether.
One of my fellow mature students from (UK) college, returned up north & started his first job following the completion.
Manager: This is your resume, you have done all this?
Friend: Yes
Manager: See that guy down there in the blue overalls?
Friend: Yes
Manager: Go down there & tell him he's fired.
"Two working days later and they still hadn't disabled the account of a sysadmin. *rolleyes*"
As a sysadmin, I've sat down with management and ensured that they disabled all my accounts and access codes before I went out the door.
For the simple reason that if anything goes wrong later on, I do not want to be covered in any splattering shit. If they want to call me back in, then they can rehire me.
I've only had one employer who actually thought to change equipment administrative passwords. Most simply leave them alone for decades.
I left to go contracting for two years in China and Uzbekistan.
Upon my return (my wife was expecting our first child) the company I used to work for found out I was back and offered me my job back, which was very kind of them.
When I returned, I found I had the same SAP ID, the same email address, with two years of un-read email in it, and the pin code for the server room doors was the same!
A while ago (It must be about 24 years ago), the first thing I did when I got home was to phone the external support and tell them
A: Please change passwords, now...
B: You are now it. There is nobody onsite capable of doing any support or even following letter by letter instructions.
In the back of my mind was the possibility that things could go pear shaped. This way, when they did, nobody bothered me...
*cough* This. *cough*
I've done exactly the same (note: it was a sinking ship, and I was quite late to be picked on after all those above me had left and warned me of what was to come, I was picked up by word-of-mouth by a new employer before I'd even gone so I didn't even need their reference, but I DELIBERATELY worked through a critical point of the year so they couldn't blame things not working on me, informed them that I'd had enough for a long time prior, they failed to accede to simple requests, so the foretold consequence was I would leave if it wasn't done by a certain date... and it wasn't).
So the upshot was: I'm going at the end of the day. Here's your handover. Please witness me disabling my account / changing my password to something of your choosing / handing back all your keys and cards / disabling my swipe card from access control / etc. If I ever access anything ever again, it's complete and utter deception on my part, not just a slip of a saved credential.
By the way... here's the "big book" of passwords, you have everything you need in there, right? Right? You don't know? Then you need someone to check because once I have gone a reasonable amount of time I won't have those details because I've removed all my access for my email from every device. If you don't ask me for a detail in the next week, and it's not already in the book, you are out of luck for anyone using that service, understood?
Followed by some guy they knew coming in, them paying for me one extra day to "handover" to someone "who knew IT better" (I have no problem with that). The guy was useless, I handed over in a matter of minutes because he didn't know what to ask, how to take over, what to check, etc. and they just furnished him with the complete "big-book" without question. As you say... tag... you're it! (And you can deal with the guy who's been convinced for years that having the domain administrator password would somehow magically make his WMA-only voice recorders load into the MP3-only software he bought without conversion).
Got him to sign-off on my leaving and that I no longer had any access. Said bye forever.
Never heard from them again, except via whispers from people who similarly fled. Soon after, almost all the main staff changed, the IT changed entirely, even their website changed. I can't believe that was coincidence rather than someone just not knowing how to take over and messing up.
But, no way would I leave them with an opportunity to pin things on me past that point (Hey, up until then? Blame me if you like but it'll require proof), even if they went to the extreme of fabricating evidence. Exhibit A: a signed piece of paper from an "independent" witness that he'd watched me disable and closed off all avenues of entry and he'd changed all the master passwords and removed all my access.
I don't WANT to be responsible for your systems. Or else I'd still be working there. And though I could cause untold damage if I had malicious intent, I'm not sure they got away with things that easy by me doing things exactly by the book either.
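Added example, not part of the thread or any commenter's post: a small audit that checks the offboarding gaps discussed above (accounts disabled late or never, logins after the person was told, shared passwords the leaver still knows). All users, timestamps, credential names and field layouts are constructed assumptions.

```python
"""Offboarding audit: correlate HR notice times with account and auth data."""
from datetime import datetime

# All data below is constructed for illustration; names, times and field
# layouts are assumptions, not taken from the article or any real system.
TERMINATIONS = {            # user -> moment the person was told
    "alice": "2024-03-04T10:00",
    "bob":   "2024-03-04T10:00",
    "dave":  "2024-03-01T17:00",
}
ACCOUNTS = {                # user -> moment the account was disabled (None = still enabled)
    "alice": "2024-03-04T09:45",
    "bob":   "2024-03-06T16:30",
    "carol": None,
    "dave":  None,
}
SHARED_SECRETS = [          # people who know the *current* value of each shared credential
    {"name": "core-switch-enable", "rotated": "2019-06-01", "known_to": ["bob", "carol"]},
    {"name": "backup-service", "rotated": "2024-03-04", "known_to": ["carol"]},
]
AUTH_EVENTS = [             # successful authentications: (time, user, source)
    ("2024-03-04T09:30", "alice", "vpn"),
    ("2024-03-05T22:10", "bob", "vpn"),
    ("2024-03-05T22:14", "bob", "tacacs"),
    ("2024-03-06T08:02", "carol", "ad"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def audit(terminations, accounts, secrets, events):
    """Return (user, finding, detail) tuples for every offboarding gap."""
    findings = []
    for user, told in sorted(terminations.items()):
        told_at = _ts(told)
        disabled = accounts.get(user)
        if disabled is None:
            findings.append((user, "ACCOUNT_STILL_ENABLED", "no disable recorded"))
        elif _ts(disabled) > told_at:
            # Account was locked only after the person already knew.
            hours = (_ts(disabled) - told_at).total_seconds() / 3600
            findings.append((user, "DISABLED_AFTER_NOTICE", f"{hours:.1f}h exposure"))
        for when, who, source in events:
            if who == user and _ts(when) >= told_at:
                findings.append((user, "LOGIN_AFTER_NOTICE", f"{source} at {when}"))
        for secret in secrets:
            # A leaver who still knows the current value means it was never rotated.
            if user in secret["known_to"]:
                detail = f"{secret['name']} (last rotated {secret['rotated']})"
                findings.append((user, "SHARED_SECRET_NOT_ROTATED", detail))
    return findings


if __name__ == "__main__":
    for row in audit(TERMINATIONS, ACCOUNTS, SHARED_SECRETS, AUTH_EVENTS):
        print("%-6s %-26s %s" % row)
```
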
I wonder if this is the same guy who got FBIed for selling RFU Sunservers from our outfit on eBay. If so, how'd CP hire him? If not, never mind, nothing to see here, keep moving. I expect he's got a career path at night drive-up manager at White Castle in the underprivileged area...
The First Nations population in Canada are very familiar with railroad operations, especially when it comes to protest.
To stop rail traffic First Nations people use a set of battery booster cables and short the outer - load-bearing - rails together and automation will look after the rest.
Shorts across these rails trigger red lights for a couple of train lengths of rail. Train lengths in North America are often measured in kilometres/miles using a formula based on time a train takes to pass a measuring point at a certain speed.
He yelled at his boss and then paid this bill by two weeks suspension. Why another penalty (being fired "or take the resign") was laid on him? This seems like double punishment, and whether this is lawful is under question. I suspect the company played a trick on forcing him to "resign". So what can he do when he found the company cheated him and unable to sue them? It's understandable that he hacked that company.