Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?

from the court-may-think-so... dept

We’ve noted in the past how the courts have been massively stretching the Computer Fraud and Abuse Act (CFAA), which was really designed to deal with unauthorized access to computers — commonly referred to as malicious hacking. Yet, the courts have been interpreting it to cover all sorts of things that nobody would actually think of as hacking. In a recent case, for example, a guy who was a consultant at giant Deloitte & Touche, but then left to join a competitor, was sued by D&T because he destroyed the original hard drive in his work-issued computer. When he quit, he returned the computer with a brand new hard drive. He had taken out the old hard drive and destroyed it because it had personal data on it (tax returns, account info and logins for personal things) that he didn’t want to share with D&T.

It’s difficult to see how this amounts to “hacking” or unauthorized access, and so the guy sought to have the case dismissed. Yet the court is allowing it to go forward, saying that the destruction of the hard drive was “without authorization” and thus the action fits under the CFAA. The problem here, as in other CFAA cases, is that it seems to interpret almost anything that doesn’t have direct authorization as being “unauthorized access” and thus, the equivalent of fraud or hacking. But in this case, it seems pretty clear that the guy didn’t do anything to harm the original company. He was just a little overzealous in trying to protect his personal info. Considering that his expertise as a consultant was in security and privacy… perhaps his actions aren’t all that surprising, really. What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken system to them.

Companies: deloitte & touche


Comments on “Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?”

110 Comments
Josh in CharlotteNC (profile) says:

Company Data

There could have been company data they need on the drive that was not backed up anywhere else that they no longer have access to, that he was not authorized to delete/destroy.

Especially as D&T does all sorts of tax, auditing, and financial work, and does it for some of the largest companies in the world. It’s entirely possible some of the records on his laptop could be related to legal cases. I know the hoops you need to jump through just to encrypt data on drives that may be involved in legal cases (and the encryption product I use changes neither the data itself or meta-data such as last modified dates). And we have special procedures for any machines that are considered under “legal hold” – if anything happens to it, or it is being given to someone else, the drive is pulled, stored, and a new one put into the machine.

Since supposedly he’s an expert in privacy and security, why was he keeping such sensitive personal information on a computer he didn’t own? Sure, I’ve got some personal stuff on my work laptop, but nothing I’d be afraid of my employer having access to, or being made public. When my contract is up at BigBank, I’ll be deleting my personal stuff, but sure as heck won’t be wiping the drive.

Anonymous Coward says:

He put himself in a bad place. He should have cloned the drive and wiped it, and returned it blank with all of the original equipment (perhaps reinstall the OS).

Instead, he took the drive, and that means that he has everything that was on it, including proprietary stuff from D&T. Even if he says he destroyed it, can he really prove it?

His actions can be taken as intent, and that makes it hard to get around.

Anonymous Coward says:

Re: Re: Re:

…what’s the difference in wiping the HDD and destroying the original after replacing it…

Quoting one of the relevant provisions of the CFAA from the opinion:

A) knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Physically destroying a hard drive is not at all the same as transmitting a “program, information, code, or command”.
A hammer is not a program.

darryl says:

Re: Re: Re: Re:

he ‘commanded’ his arm that he commanded to pick up a hammer, and he made a willful and premeditated command to destroy the HD.
That would come under ‘computer abuse’ !!

It was not his computer, it was not his hard drive, he therefore had no right to make any claim to ownership of that HD or its contents because he had no right to use that computer for personal use. It was not his property, and it was a clear misuse of someone else’s property.

This guy is or must be a total moron with little or no clue about computer security, as displayed by his actions.

but destroying a hard drive is a ‘command’.
It’s just as much a command as “Shift-delete”.

Jon Renaut (profile) says:

Not very good at his job

If he knew what he was doing in security and privacy, he’d know how to protect his personal data without destroying the hard drive. If “destroy the hard drive” is an answer to “how do I protect personal data?” at Deloitte, sign me up for a high-paying consulting job. I can destroy hard drives ALL DAY LONG.

Still, a very bad precedent to set – hopefully the court comes to its senses.

Anonymous Coward says:

Re: Not very good at his job

If he knew what he was doing in security and privacy, he’d know how to protect his personal data without destroying the hard drive. If “destroy the hard drive” is an answer to “how do I protect personal data?” at Deloitte, sign me up for a high-paying consulting job. I can destroy hard drives ALL DAY LONG.

Competent security specialists know that there are cases where destroying the drive is the most practical way to completely destroy the data on it.

pixelpusher220 (profile) says:

Re: Re: Re: Not very good at his job

I destroy my HDDs

*My* being the operative word of course. This wasn’t ‘his’ drive.

Whether he should be charged under this statute or another, he willfully destroyed property belonging to someone else.

I can quite safely say that either he was not authorized to put his personal data on that drive

OR

he was allowed to but with the understanding that he was doing so at his own risk and specifically not allowed to destroy the drive because he had put his information on it.

Richard (profile) says:

Re: Re: Re: Not very good at his job

As a former employee of a defence company I can confirm that damaged or end of life hard drives that may have contained classified information were required to be certifiably destroyed by etching the magnetic material off the platters. It is the only way to guarantee complete removal of data.

Assuming that all company data was backed up (which seems likely) this guy has acted in an exemplary fashion and this case is ridiculous.

Anonymous Coward says:

Re: Re: Re:2 Not very good at his job

He didn’t act in an exemplary fashion, because he acted without consent and without knowledge of the company.

What it sounds more like is that he was trying to destroy data that might get him in trouble, perhaps showing that he had used the company computer in a way that was not permitted. Rather than just deleting the data and using an obscuring tool to re-write all the unused space on the drive, he instead took unilateral action.

The company has no way to know if he destroyed the drive for real, gave it to a competitor, or perhaps destroyed it after the data was taken by a third party. Who knows?

His actions really indicate he had something to hide.

Chosen Reject (profile) says:

Re: Re: Re:3 Not very good at his job

Fine, he may have done something illegal. Charge him with breaking whatever law you think he might have broken. Just because what he did might have been illegal, does not mean you can charge him with whatever you want.

Homicide and speeding are not interchangeable laws. Neither should any possibly illegal act that involves a computer involve the CFAA.

Pitabred (profile) says:

Re: Re: Re: Not very good at his job

I assume you personally burn every receipt you have, too? Shredding them can let someone put them back together.

There is such a thing as too paranoid. A nice multi-pass wipe on a modern drive will make all but maybe a few bytes recoverable, and you won’t be able to do anything with those. Context matters.

Rekrul says:

Re: Re: Re: Not very good at his job

It’s actually the only way to guarantee it. Pieces of data can be left in bad sectors, cache memory etc even when doing a 35-pass wipe. I destroy my HDDs and so does my 60 year old mother for exactly the same reason this guy did.

Yes, because the first thing someone does when getting their hands on a used hard drive is spend several days running drive salvage software and trying to piece together the information from bad sectors and caches in the hopes of finding something they can use.

Here’s a challenge I’ve made to others (and never had any takers); Take your main computer, the one you keep all your programs and important files on, and without backing it up, do a full format/zero-fill of the drive. Just do ONE pass, which everyone claims is completely useless for getting rid of data. Then send the drive off to one of these hard drive recovery services. If they can salvage even 25% of the data, I’ll pay their entire bill.

Wanna try it? After all, with just a single-pass erasure, it shouldn’t take them more than a couple minutes to completely restore your drive, right? Hell, you can probably un-format the drive yourself with some piece of freeware software.

So, are you game?

Anonymous Coward says:

Re: Re: Re:2 Not very good at his job

Here’s a challenge I’ve made to others (and never had any takers);

No wonder. You need to make it worth their while first.

So, are you game?

Tell ya what, come out from hiding behind your fake name, offer some big bucks (written, legally backed by a bond) to recover *any* data, and you’ve got yourself a deal. Otherwise, you’re just blowing hot air.

Rekrul says:

Re: Re: Re:3 Not very good at his job

Tell ya what, come out from hiding behind your fake name, offer some big bucks (written, legally backed by a bond) to recover *any* data, and you’ve got yourself a deal. Otherwise, you’re just blowing hot air.

“Any data”? What happened to the argument that users need to do a 10+ pass wipe to keep hackers from recovering all the information on the drive?

Here’s a much easier challenge; Contact any drive recovery service and ask them how much data they can recover from a zero-filled drive. See if you can find even one that claims they can recover all your data.

Standard hard drives are designed to store one, and only one set of data in each sector. When that data is overwritten, there is absolutely no way to force a drive to read the previous data. If there was, don’t you think hard drive makers would use this overwrite-&-recover method to double the storage capacity of their drives? Write the data, erase it, overwrite it, and still be able to read the old data?

Pulling any information off sectors that have been overwritten requires disassembling the drive, removing the platters and placing them in a hugely expensive machine that can read residual magnetic patterns, and even then, it can’t recover anything reliably if the sector has been written to more than a couple times. They can also read tiny bits of data at the edges of tracks, where the head wasn’t perfectly centered, but there’s no way they’re going to be able to read all of the data, or even enough of it to do anything with. Not to mention that these methods are out of the reach of your average hacker, whose idea of salvaging data is to run Recuver-It on a quick-formatted drive where none of the data was actually overwritten.

Almost Anonymous (profile) says:

Re: Re: Not very good at his job

Still, there is a tangential point to be made there: a competent security specialist should never have had such personal sensitive information on a company laptop that he felt the hard drive required being destroyed. If you must have personal data on a company laptop (and frankly, you don’t), and it’s ultra-sensitive data (the stupid is increasing), then use a TrueCrypt container to store it, and just remove the container from the hard drive and format/killdisk before you turn the laptop back in.

I don’t really see the harm in what he did, but that doesn’t mean that what he did was right.

Benny6Toes (profile) says:

From the article:

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

I can see Deloitte having an issue with the hard drive being destroyed if they believed that it had records of his soliciting another employee to leave with him, but do they not have email or chat archives to look at? I don’t think that rises to the level of “hacking” by any means though. After all, those conversations would be considered personal in nature anyway, right? So how would deleting that be any different from deleting his tax returns, etc.?

And wouldn’t an expert in security and privacy know better than to keep that stuff on his work computer anyway (despite stupidity of the masses)?

This just seems like a case of Deloitte bullying a manager who left for something more interesting. If it is a question of him recruiting another employee in violation of an employment agreement, then I still don’t see how this rises to a claim of hacking.

Anonymous Coward says:

Re: Re:

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

Wait, what? So the court actually found that “soliciting another employee to leave” is an element of computer hacking? I know that many courts have a big-company bias these days, but isn’t that stretching the law really far?

Dark Helmet (profile) says:

Re: Re: Re:

“Wait, what? So the court actually found that “soliciting another employee to leave” is an element of computer hacking? I know that many courts have a big-company bias these days, but isn’t that stretching the law really far?”

No, but I can see how taking a company owned piece of hardware and destroying evidence on it to hide breaking company policy (I’m guessing, but it’s pretty standard employment/contractor language not to solicit other company employees for other employment) could be accessing company property or systems w/o access.

While I’m loath to agree with this particular AC who throws the word FUD around with such ease, in this case I think Techdirt has it wrong. At the very least, I can see why the court would think the statute applies at least enough to allow the case to go forward….

Anonymous Coward says:

Re: Re: Re: Re:

No, but I can see how taking a company owned piece of hardware and destroying evidence on it to hide breaking company policy (I’m guessing, but it’s pretty standard employment/contractor language not to solicit other company employees for other employment) could be accessing company property or systems w/o access.

Wow. By that reasoning then, practically anyone who violates a company policy and then accesses any company computer equipment (time clock, most modern phones, email, etc.) could then be charged under the CFAA. That’s even scarier.

Anonymous Coward says:

Re: Re: Opinion pdf

For someone that claims that this is “hilarious to watch”, you sure seem angry and bitter. I’m not saying that it’s wrong or anything (we are all crazy in our own way), just saying that your reaction doesn’t quite fit the commonly accepted definition of finding something to be hilarious.

I mean, there’s no 🙂 or :p or 😀 in your posts. What’s up with that?

Anonymous Coward says:

Re: Opinion pdf

The opinion pretty clearly interprets the CFAA in the DISCUSSION section under heading B. sub-heading i. as covering anything done to a computer “without authorization,” which is, in my mind, overboard. The statute as it was written seems to be far more explicit than that.

What the plaintiff is arguing is that, essentially, breaking any clause in an employment contract is grounds for CFAA liability if you did literally anything with one of their computers after having done so and the judge says he’s ok with that:

“Defendants argue first that there is no allegation that Carlson acted “without authorization,” as required by the statute. Defendants highlight that Carlson was an employee of Deloitte when the alleged data destruction occurred, and therefore not acting “without authorization.” Defendants do acknowledge that an employee may be acting without authorization if he has breached a duty of loyalty to his employer prior to the alleged data destruction. See Int’l Airport Centers LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). In the Defendants’ words, Citrin does not apply because in that case “the employee had been undertaking a pattern of activity adverse to his employers’ interests” prior to the official end of his employment.
This is exactly what is alleged in this case. Here, Carlson is claimed to have begun his solicitation of Deckter before departing Deloitte. The data destruction was done, in part, to cover his tracks in wrongfully soliciting Deckter. If, as claimed, Carlson was so nakedly violating his Director Agreement, he would have been acting contrary to his employer’s interests, thereby ending his agency relationship with Deloitte and making his conduct “without authorization.”

That’s a little crazy I think. Suddenly any breach of an employment contract could be a CFAA violation if you do anything with a company computer afterward.

Anonymous Coward says:

Re: Re: Opinion pdf

That’s a little crazy I think. Suddenly any breach of an employment contract could be a CFAA violation if you do anything with a company computer afterward.

That’s one way to frame it. I think though that if an employee pulls a hard drive out of his computer and destroys it for the purpose of covering his tracks for wrongdoings against his employer, it’s probably safe to say that that employee is acting “without authorization” as to that hard drive and he damn well knows it.

Chosen Reject (profile) says:

Re: Re: Re: Opinion pdf

So if an act involves a computer, and authorization wasn’t allowed, you’re saying that act is in violation of the CFAA? So, stealing a laptop from Best Buy is a violation of the CFAA rather than a violation of stealing laws? How about rather than stealing the laptop, just smashing it. Is that a violation of the CFAA or a violation of destruction of property laws?

I’m perfectly fine with allowing that the guy may have done something illegal, but let’s charge him with whatever law he supposedly broke rather than stretching the CFAA absurdly.

Anonymous Coward says:

Re: Re: Re: Opinion pdf

Here’s another way to frame it:

You don’t have to shoehorn this case into the CFAA (and neither does the judge) in order for him to be liable for a number of things due to his actions. They allege them in the case, “breach of the non-solicitation provision of an employment contract, breach of a right-to-inspect provision of the contract concerning access to personal computers, breach of the fiduciary duty of loyalty, and tortious interference with prospective economic relations.”

There’s no need to tack on CFAA violations and twist the provision into applying by pedantically focusing on two words and ignoring the rest of the statute.

Anonymous Coward says:

But in this case, it seems pretty clear that the guy didn’t do anything to harm the original company. He was just a little overzealous in trying to protect his personal info. Considering that his expertise as a consultant was in security and privacy… perhaps his actions aren’t all that surprising, really. What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken system to them.

I know you’re in such a hurry to FUD out anything related to the CFAA by pulling out the word “hacking” (even though that word is nowhere to be found in the statute), but did you even read the article on Evan Brown’s Internet Cases blog that you linked to?

As Evan Brown says on his blog: “In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.”

Why they are suing is right there. Or better yet, if you want to understand why they’re suing, you could actually look up the case and read the complaint for yourself.

Nope. Not Mike. Mike’s too busy pouncing on anything that involves the CFAA with his stupid FUD-tastic “hacking” bullshit. Pure idiocy, Mike. Absolute nonsensical FUD.

Anonymous Coward says:

Re: Re:

That would be a lawsuit, not a CFAA violation, now, wouldn’t it? Destruction of evidence (Of a CRIME, of course) is a crime, but destruction of evidence in a civil matter before said civil matter is brought? No case. So, explain how this is a CFAA violation? All you’ve done is point at a civil suit.

Dark Helmet (profile) says:

Re: Re: Re: Re:

“The CFAA is broader in scope than just “hacking”. “Hacking” is but a subset of several activities covered by the statute.”

That’s absolutely true, but now my opinion is changing a bit. While I think the employee may have done something wrong here, I’m not so sure the CFAA actually applies. Granted, I’m relying heavily on Wikipedia here, but in their list of violations of the act, I’m not sure I see anything under which this particular action would apply.

http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

This may be something that would need to be relegated to a contract law case, assuming he was under some kind of no-solicitation clause, or some kind of destruction of evidence law. I’m not seeing it in the CFAA, but if there’s a clause or language you could point me to otherwise, I’d be willing to listen….

Anonymous Coward says:

Re: Re: Re:2 Re:

A link to the decision is provided in one of the above comments. It clearly noted that a claim associated with the CFAA was but one of many separate and distinct claims asserted by the plaintiff, including, for example, breach of contract, breach of a duty of loyalty, interference with prospective contractual advantage, etc., etc.

As for the CFAA, while many believe it to be so, the act is not limited to so-called “hacking”. It is broader and reaches a number of other actions associated with what one may do to a computer.

Dark Helmet (profile) says:

Re: Re: Re:3 Re:

Right, I get the guy fucked up and the CFAA claim is one of many. From what I’m reading, I actually agree that D&T has a good case against him. I thought I was clear on that.

What I’m now NOT clear on is HOW the CFAA applies. The decision doesn’t seem to jive w/what I’m reading about the CFAA and what constitutes as a violation of it. The article was about an over-broad application of the CFAA and I’m starting to see why that may be so.

So can you point to something in the CFAA that would apply here or not?

Anonymous Coward says:

Re: Re: Re:4 Re:

The statute can be found at 18 USC 1030.

As for how it relates to the lawsuit, the above-cited opinion by the court does go into some detail about how the act applies. The general gist (and I do mean “general” to avoid presenting a post the length of a legal treatise) is that data was destroyed, and in doing so the defendant violated one or more of the many provisions of 18 USC 1030.

OC says:

Re: Re: Re:4 Re:

“So can you point to something in the CFAA that would apply here or not?”

Mr Hat, I am not a lawyer but I have seen one on TV. One could possibly, with a fair amount of stretching, apply item 3 and 4 from the wiki page. However, item 3 mentions government computer. Perhaps they meant the term “protected computer” defined above. If so, replacing the drive with a blank one would apply. Maybe. As for item 4… this guy clearly saw some value in removing sensitive data, if he was indeed covering his tracks.

I can see why the judge would let the case move forward.

Anonymous Coward says:

Re: Re: Re:

Heh, Anonymous Apologist trying to pretend that it isn’t an anti-“hacking” law. Funny.

Yes, Mike. It is an anti-hacking law. But it’s also broader than that.

My point is simple. At the end of the piece you say: “What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken system to them.”

The reason “why D&T is suing in the first place” is right there in Brown’s blog entry that you linked to and made the basis of this entire article. As Brown explains: “In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.”

Now, either you completely missed this when you read Brown’s blog piece, or you are intentionally misleading your readers. Considering the fact that Brown’s piece is short and easy to read (with a font size even my mother would love), I think it’s safe to assume that you read and understood all of it. You did, after all, write a whole article about it. Thus, it seems likely to me that you are intentionally leaving information out.

The goal, I presume, is because you want to spread your silly “it’s not hacking so they’re wrongfully broadening the scope of the CFAA” FUD. I think there are good arguments that the CFAA shouldn’t apply here, but jumping to your “hacking” FUD does little to advance the discussion.

Anonymous Coward says:

Re: Re: Re:2 Re:

I’m merely pointing out that when Mike played like he didn’t know why D&T was suing this guy, it was for the purpose of advancing his CFAA-hacking FUD.

Let’s run through how the FUD is created.

Brown explains that the defendant claims to have destroyed the hard drive because “it had personal data on it such as tax returns and account information.”

Rephrasing this, Mike claims the defendant destroyed it because “it had personal data on it (tax returns, account info and logins for personal things) that he didn’t want to share with D&T.”

Yes, Mike made up the “logins for personal things” out of thin air.

Later, Brown explains the plaintiff’s theory of why the defendant really destroyed the hard drive. They claim “that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks.”

But Mike feigns cluelessness.

First, Mike says “it seems pretty clear that the guy didn’t do anything to harm the original company.” This isn’t clear at all, considering all the claims the plaintiff is making. The claims which Mike conveniently pretends don’t exist.

Second, Mike says the defendant is “just a little overzealous in trying to protect his personal info.” Of course, leaving off the fact that he is alleged to be covering his tracks makes his destroying the hard drives seem all the more OK.

It’s another classic example of Mike FUDing something out to the hilt.

Anonymous Coward says:

Re: Re: Re:4 Re:

It’s not speculation, it’s deduction and reasoning. Do you really think Mike just happened to completely miss the fact that the plaintiffs might have had a different version of why the defendant destroyed the drive, or is it more likely that he intentionally left that part off?

Mike wonders aloud about why the plaintiffs could possibly be upset about the defendant destroying the hard drive, while at the same time the very article he links to and makes the basis of his whole article explains why in one simple sentence. It’s ridiculous FUD. If you can’t see that, I’m not sure how else to explain it.

Anonymous Coward says:

Re: Re: Re:5 Re:

You can explain it by considering that you might be manufacturing that perspective yourself rather than it being Mike’s. I read the post and recognize that the validity (or not) of Deloitte’s claim is less important to the overall post than the validity of the use of the CFAA.

Deloitte’s claim probably has merit. The defendant is probably a douche-bag, but that doesn’t mean we should warp laws to make them apply.

You’re too busy trying to make everyone turn against Mike to participate in the actual discussion though.

The Infamous Joe (profile) says:

Re: Re: Re:5 Re:

It’s ridiculous FUD.

Side note: You need a new buzz word. I find it very difficult to keep reading your comments once I hit that word. It would be easier if you knew what that acronym meant, or if you didn’t obviously have such an ax to grind for anything posted on this site, ever.

I’m only bothering to type this at all because if you could sound less like a frothing douche canoe (while keeping your own viewpoints, of course!) you’d be a valuable member of the community here; You seem intelligent and knowledgeable.

So, try and work on that, okay?

Anonymous Coward says:

Re: Re: Re:3 Re:

and it’s another example of you assuming things that aren’t there.

People ingest information through the filter of their own context. You would likely argue that the majority of readers on this site don’t view the posts critically enough and others would likely argue that you view all posts far too critically–so much so that you read in intent and agenda that isn’t there. Both are likely true–but not to the degree either party thinks.

Most people here wanted to discuss whether the CFAA was being stretched to cover this situation. Mike wanted to bring that situation to light.

Everything else you’ve brought with you and the words you use completely undermine any point you want to make, which is frankly, sad.

Anonymous Coward says:

Re: Re: Re:4 Re:

Fair enough. It is a topic worthy of discussion. But framing it as “not hacking” and pretending like he has no idea why the company could possibly be mad at the guy for destroying the hard drive (when it’s simply because they say he’s covering his tracks for alleged wrongdoings against the company) is sad on Mike’s part. I’m all for the discussion. What I don’t appreciate, and what I feel is worthwhile to point out, is that Mike is kicking off the debate with his typical lopsided, misleading FUD. Talk about sad.

Anonymous Coward says:

Re: Re: Re:5 Re:

I’m trying really hard to see what you see and I just don’t. I don’t read a single word of his post as “lopsided, misleading FUD.”

Your words, “pretending like he has no idea why the company could possibly be mad at the guy”.

I guess it was the last few sentences of the post that are the problem. You see those words as Mike not digging enough or reacting in a shallow manner to certain words, but I see them similarly but without the judgment part. In other words, yes perhaps he could have understood Deloitte’s position better, but he still achieved the objective: point out an area for commenter scrutiny.

Ultimately, the value in the site for me is not Mike’s opinion, but the identification of possible areas of government, corporate, and legal overreach in technology and rights. I, for one, believe that is happening more and more. Perhaps you fundamentally believe it is a witch hunt, but many of us do not.

But if you removed the personal attacks from your posts I imagine more of us would listen to you.

Anonymous Coward says:

Re: Re: Re:6 Re:

You’re right. If you take Mike’s silly, unsupported, and purposefully misleading “opinions” out of the picture, the site has value. It’s a shame though that the reader has to eliminate the FUD, and then do their own homework to get the whole picture. I’m OK with someone having an opinion. I’m not OK with someone lying and misleading others while calling it an opinion. Big difference.

Anonymous Coward says:

Re: Re: Re:6 Re:

In other words, yes perhaps he could have understood Deloitte’s position better, but he still achieved the objective: point out an area for commenter scrutiny.

And how could he promote an informed conversation in the comments if he doesn’t even know (or pretends not to know) the facts of the case or the court’s reasoning in denying the motion to dismiss? That’s what proves it’s all FUD. He can’t be bothered with the actual acts or the actual reasoning in deciding that the CFAA is being abused. Give me a break. Mike is just being super silly here. His motives are clear enough to me.

Anonymous Coward says:

Re: Re: Re:7 Re:

I am truly fascinated by your ability to accuse one party of something you are so clearly demonstrating yourself: myopic fanaticism.

He can promote an informed discussion because he provides ample citations and allows all sides of the discussion to occur below rather than restrict or prevent them (by requiring logins or posting approval).

I will listen to you if you post reasonable arguments, but I will not dismiss what I read here based on your ad-hominem assertions.

Their arguments are well-reasoned, well-founded, and as informed as can reasonably be expected. If that isn’t good enough for you, well… don’t expect people to keep listening or to treat you as anything other than a troll.

Anonymous Coward says:

Re: Re: Re:8 Re:

I think an informed conversation can happen despite Mike’s contribution, but I wouldn’t say that promoting a reasoned debate is his object. There’s just too much FUD on too many issues from Pirate Mike to pretend that he’s trying to spread a reasoned insight into any of this. This article is a great example. He doesn’t know the facts, law, or reasoning, but still, he’s quite sure the judge got it wrong. It’s all about the FUD-filled headlines and pirate-approved agenda on techdirt. Reasoned debate takes the backseat.

Anyway, I’ve said my piece. Bring on the enlightened debate.

John Doe says:

As an expert he should have known about Eraser

Surely a security expert knows about programs like eraser to securely wipe hard drives? He could have deleted everything possible, uninstalled unnecessary programs and then run eraser to wipe free space. Or if he was that worried, wipe the drive and re-install the OS and applications.

Of course that might still be hacking by the CFAA definition.

freak (profile) says:

Re: As an expert he should have known about Eraser

As a security expert working for a corp with security experts, he might have realized that, well, data is really really hard to destroy, particularly when someone has physical access.

Things that have been done with physical access:
1) RAM that was unpowered for 10 minutes was read perfectly, using a special hot-boot OS. For example, to grab an encryption or decryption key.
2) A 10 character password was copied into 10 files randomly distributed on a hard drive, then the hard drive was formatted, and written over 3 times with random 1’s and 0’s. The password was able to be recovered (because some of the bits refuse to flip and areas/bits of non-randomness were apparently easy to identify). You aren’t likely to copy down a password ten times, but it might be, say, stored in a cookie, in firefox for auto-complete, maybe once in a password file somewhere, maybe all of those are copied because you have a back-up of your program preferences for some reason, whatever.
3) Files that they suspected to exist were completely falsified, because the defendant could not deny that they could reconstruct the file.

Jimr (profile) says:

When I returned my company issued laptop I cleaned the hard drive and re-formatted it using the Military format clearer (Does about 100 cycles of filling the hard drives with random one and zero and reformat it).

Replacing the hard drive is not that simple – it could have been a more expensive enterprise class hard drive or some other special hard drive. Also depending on how this guy destroyed the hard drive – is there a certificate from an authorized hardware disposal or did he sell the hard drive?

Fickelbra (profile) says:

I dunno..

I know my opinion might not be shared but I think the company has a right to pursue this. Perhaps the CFAA is the wrong channel, but destroying a component of something the company owns and replacing it is not an acceptable practice. That is just common sense.

The part of the story that sticks out to me is there doesn’t seem to be any proof the defendant destroyed the drive. Just a claim that he did.

Robert Doyle (profile) says:

It wasn't his drive to destroy

I don’t see how it is a CFAA violation, but why they have to bring such legislation against someone when it isn’t the point of the case unless they are insinuating that the destruction of the drive was to cover up a CFAA violation… but that can get pretty circular pretty fast…

Can’t they just do a good old criminal/civil combo using common reasons? Criminal: He stole the drive – whether or not he made restitution isn’t the issue; Civil: That drive had information on it that we feel is relevant and we would like compensation for the loss of it.

Anonymous Coward says:

Re: Re: It wasn't his drive to destroy

If they file the charge, he will have a high probability of being found guilty, but since he had voluntarily returned a new hard disk to the company, and has good reason to back it up, while this will mark him with a criminal record, the judge probably wouldn’t put him into jail or even fine him much. And that’s probably not what his ex-company wants.

The best way to ruin a security professional’s life of business is probably to get him convicted guilty with CFAA. In this way most computer security related companies won’t hire him, and if they hire him, it’d be clear that something fishy has happened.

me... says:

Without Authorization....

Was he authorized to open the PC? Was he authorized to remove the HD? Was he authorized to destroy company data?

Last place I worked had an acceptable use policy, opening the case was NOT acceptable… taking anything from inside the PC was NOT acceptable… just because he was allowed to take it home, does not mean that he was allowed to open it up.. Unless they issued him with a machine that had a blank hard drive, returning the machine with one would not be acceptable in any place I worked..

Someone else asked if there was proof of drive destruction… that’s something that needs more looking into…

and is it theft if you take something that isn’t yours, even if you replace it with something equivalent?

out_of_the_blue says:

WHY did he put personal info on company's computer?

IF he did. That may be only a cover story for removing the employee-luring that seems nailed down.

Regardless, there’s basis for allowing suit to continue, if only because ALL data on the drive was company property, no question. This high-powered consultant got himself into a tangle through a series of stupid decisions. Let him hang, be an example for others to NOT mix work and personal.

Anonymous Coward says:

Ninth circuit criticizes seventh circuit

The Seventh Circuit’s decision in Citrin (upon which the present opinion is based) has been heavily criticized. In LVRC Holdings v Brekka (2009), the Ninth Circuit was not persuaded by that precedent.

From an article contrasting Citrin with Brekka:

Brekka, a civil case that affirmed summary judgment for the defendant employee, is the first circuit court opinion to hold that an employee’s authorization to access the company computer is not based on the law of agency. Brekka involves the classic employee theft of data whereby employees, before they leave to compete, e-mail to themselves competitively sensitive company data. The Brekka court refused to apply the CFAA to this theft of data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer. The court acknowledged that its holding directly conflicts with the U.S. Court of Appeals for the 7th Circuit’s decision in Int’l Airport Centers LLC v. Citrin.

(Citations omitted.)

Note that the present case, in the Northern District of Illinois, is in the Seventh Circuit, so the district court is bound by Citrin.

Anonymous Coward says:

Consultants usually brand themselves as experts, they know funny words, dress like presidents, and do highly detailed powerpoints full of things like “the sky is blue”, “water can be found in liquid state”, etc.

Most funny thing to watch is an all “I am a consultant, an expert” project, it’s like an Opera documentary on Discovery Channel.

Richard (profile) says:

Unintended consequences

Whatever the legal rights and wrongs Deloitte & Touche have clearly acted in a vindictive and high handed manner – and been widely seen to do so to the pool of potential employees.

The net result is that their ability to employ good staff in future is compromised – and as a result they will have to pay slightly more for slightly worse employees for a while to come.

Verdict (if they win) Pyrrhic victory!
(if they lose the appeal) Pure own goal!

Anonymous Coward says:

$5,000 damage

A laptop hard drive isn’t $5,000 these days.

From the opinion:

Deloitte argues for liability based on subclause (I), which requires “loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value.”

From the first Google hit: Newegg.com – Notebook Hard Drives, Laptop Hard Drives.

A laptop hard drive isn’t $5,000 these days.

Donadl F. Truax (user link) says:

[Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?]

For a “security consultant” to put “personal data on a company computer” is (in my opinion) somewhat laughable.

For emphasis, there are a few variables here to consider:

1. Who owns the computer?

2. Who destroyed the data?

3. Who “owns” the data?

4. What was the company policy at time of hire and did the said person go through orientation of that policy?

As noted in “3” the ownership of the said data is key. This is why when I do any kind of development (that goes outside of the SOW or Scope of job title) I always did it on “my” laptop and on my time as to retain not only ownership, but, chain of custody.

In my humble opinion.

Anonymous Coward says:

Re: [Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?]

It does seem worth mentioning, as the court did in its opinion, that the defendant who “smashed” the hard drive was the Director of IT for the company. In all likelihood he was the one who promulgated company IT policy, so if anyone should be familiar with the policy it should be him.

Anonymous Coward says:

Regarding writing random bits to erase data

I remembered that 20 years ago, the standard to ensure completely unrecoverable erasure was just 3 passes of random writes. Now it’s 20.

While I agree there is a physical limit that can make sure it’s unrecoverable with “current technologies”, I’m agreeing no non-physical measure is enough if the hard disk contains data that I absolutely want no one to recover the tiny bit.

A previous post mentioned 25 percent recovery rate. But you know, for confidential data, the risk of being able to recover 0.0001% of data is still too high.

aldestrawk says:

Re: Regarding writing random bits to erase data

The standard to erase modern, high density, drives is only one pass.
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

This has been true since about 2001 and is applicable to drives that are larger than 15GB. It’s all about density. There are no longer multiple paths possible for read/write heads on hard drives. The critical question is whether all sectors are being overwritten. The only software that guarantees this does it by triggering the ATA secure erase command, a command embedded in all hard disk controllers which are always integrated within the hard disk.
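
Added example, not part of the comment above or of any tool named in this thread: a Python check for the question that comment raises, whether a one-pass overwrite actually reached every sector of a drive image. The 512-byte sector size, the all-zero overwrite pattern and the 64-sector in-memory image are constructed assumptions.

```python
import io

SECTOR = 512  # bytes per logical sector (assumption; many drives use 4096)


def find_residual_ranges(stream, total_sectors, pattern=b"\x00", sector=SECTOR):
    """Return [(first_lba, last_lba), ...] for every run of sectors that does
    not hold the overwrite pattern, i.e. sectors the wipe pass never reached."""
    expected = pattern * (sector // len(pattern))
    ranges, start = [], None
    for lba in range(total_sectors):
        # A short read (truncated image) never equals `expected`, so sectors
        # that cannot be read back in full are reported as unverified too.
        dirty = stream.read(sector) != expected
        if dirty and start is None:
            start = lba                      # a residual run begins here
        elif not dirty and start is not None:
            ranges.append((start, lba - 1))  # the run ended on the previous LBA
            start = None
    if start is not None:
        ranges.append((start, total_sectors - 1))
    return ranges


def build_demo_image():
    """Constructed sample: 64 sectors of data, then a one-pass zero overwrite
    that covers LBAs 0-55 only and also misses LBA 20."""
    img = bytearray(b"secret-tax-data!" * (64 * SECTOR // 16))
    img[0:56 * SECTOR] = bytes(56 * SECTOR)            # the overwrite pass
    img[20 * SECTOR:21 * SECTOR] = b"\xAA" * SECTOR    # one sector it skipped
    return io.BytesIO(img)


def demo():
    return find_residual_ranges(build_demo_image(), 64)


if __name__ == "__main__":
    for first, last in demo():
        print(f"not overwritten: LBA {first}-{last}")
```

A read-back check like this only sees sectors the operating system can address, so an empty result verifies the addressable range and nothing beyond it.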

David Johnson (profile) says:

As far as my knowledge is concerned, many big companies take multiple computers for lease in huge numbers to complete their task. They are bound by laws and policies, to erase all their confidential data from the hard drive with the help of secure data erasure software, before handing over the computers to their original owners. If found guilty both the company and their employees have to face heavy fine or even imprisonment or both. So there is no harm to erasing data because no one wants to compromise their data and become a victim of data breach.
