IT admin was authorized to trash employer’s network he says

Dialog box asking "Are you sure you want to delete these files?"

Meet Michael Thomas, real-life BOFH.

On December 5 2011, he quit his job as IT admin for a startup called ClickMotive.

This was no ordinary resignation. This was the mother of all IT admin resignations: the type of blow-it-all-to-smithereens resignation that some – many? Please, Lord, let it not be not all – sysadmins dream about.

On the day he called it quits, he left a few things: his resignation letter, his keys, his laptop, his entry badge, his offer to stay on as a consultant, and a trail of tears for whoever came in on Monday to find that Thomas had deleted 615 pages of ClickMotive’s backups, the pager notification system for network problems, half a dozen wiki pages, and employees’ access to the VPN. According to court documents, he also “tinkered” with email servers at the Texas company, which sets up and runs car dealership sites.

Thomas also cut off contact with the company’s customers – large auto companies and dealerships – by snipping the names of company employees and executives from email distribution groups created for customer support.

In June 2016, Thomas was convicted of a single federal count of violating the Computer Fraud and Abuse Act (CFAA) in the Eastern District of Texas. He was sentenced to the four months he already spent in pre-trial detention, three years supervised release, and to pay restitution of $131,391.21.

After a three-day trial, a jury had found Thomas guilty of knowingly transmitting programs, information, codes, or commands that intentionally caused damage to his employer’s computer system, that he lacked authorization to cause the damage, and that those damages incurred losses to the employer in excess of $5,000.

But hold on a minute, said his lawyer, well-known hacker defense attorney Tor Ekeland: Thomas’s role as a sysadmin gave him all the authorization he needed to routinely delete the sort of files he deleted on his last days at ClickMotive.

Now, Thomas is appealing (PDF) his conviction in the Fifth Circuit Court of Appeals in New Orleans, on those grounds.

His defense: sure, he did damage to ClickMotive’s systems. Intentionally. But it certainly wasn’t “without authorization.”

In fact, every sysadmin is authorized to access all the systems he accessed, and they’re all authorized to do the things he did: delete backups, edit notification systems, and tweak email systems. That’s part of their job, his argument goes.

Another part of his appeal that should have managers jumping on the phone with their lawyers and digging up their policy manuals: there was nothing in ClickMotive’s policies that said Thomas couldn’t do exactly what he did.

From the appeal, filed on Tuesday:

Michael Thomas had unlimited authorization to access, manage, and use ClickMotive’s computer systems, and was given broad discretion in his exercise of that authority.

Thomas was handling all of the routine duties of a sysadmin – deleting data, managing user privileges and more – because his friend, colleague, and the only other employee working in IT administration had recently been fired from ClickMotive. If carrying out those parts of the job constitutes “damage,” isn’t every sysadmin liable for getting sued under the CFAA?

Yes, Ekeland has argued: Thomas’s guilty verdict is “dangerous for anyone working in the IT industry.” It should worry any IT admin that’s ever hit the “delete” key in the course of their duties, he said:

If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.

From the appeal:

The central issue in this case is whether Thomas acted ‘without authorization’ if he performed these same actions in a manner that was contrary to the company’s interests.

During his trial, Thomas’s defense team explained how over the weekend during which he did the damage and quit, he had been in the office to deal with a denial-of-service attack on ClickMotive’s site and to repair a cascading power outage problem.

Those 615 backup files he deleted? They were all replicated at other servers on the network.

Ekeland told Wired that ClickMotive’s treatment of Thomas has been pretty shabby, considering:

They’ve destroyed this guy’s life over the fact that he worked on a Sunday to keep the company going, and then deleted some files on the way out to say f*** you to his boss.