Saturday, February 04, 2006

In my last post, I talked about how we tend to overlook the threat from insiders because we have become so focused on the external threat -- break-ins by a hacker. I want to follow up with some observations on an issue that arises with regard to attacks by "insiders," who are usually disgruntled employees.

In the U.S., the federal system and every state make it a crime to gain "unauthorized access" to a computer system. This crime reaches the conduct a noted above: an outsider who is not supposed to be able to access a computer system gains access by compromising the security that was supposed to keep him out.

There is, though, another kind of "unauthorized access," one that is outlawed in many states and, in some forms, at the federal level, as well. This takes the form of an insider's exceeding the access she legitimately has to a computer system. This type of conduct can be problematic for the law because you are dealing with someone who is authorized to access a computer system, at least for certain purposes; the question of criminal liability arises when she either goes beyond the scope of her authorized access or uses her authorized access for illegitimate purposes.

For example, on October 18, 2001, Philadelphia Police Officer Gina McFadden was on patrol with her partner. That day, the computer in McFadden's patrol car, likek the computer in all the other patrol cars, was broadcasting a message about a missing truck containing hazardous materials. For some incomprehensible reason, at 1:00 that afternoon McFadden used the computer in her patrol car to transmit a message that ostensibly came from terrorists; in profane language, the message stated that it was frome people who hated America had "antrhax in the back of our car". (State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)). The investigation launched into this transmission focused on McFadden, who ultimately admitted sending the message.

She was charged with an convicted of "intentionally and without authorization" accessing a computer system. (18 Pa. Cons. Stat. Ann. sec. 3933(a)(2)). McFadden argued that she was improperly convicted because she was authorized to use the computer in her patrol car. The appellate court rejected this argument, explaning that while McFadden was authorized to access the computer for purposes "of official police business, she was not authorized to access the computer for any other purposes. . . . She certainly was not authorized to access the computer for the purpose of distributing a message which implied that a Philadelphia police car had been contaminated with anthrax by terrorists."
(State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)).

What the court did not explain, of course, is precisely how McFadden knew she was not authorized to do this; common sense tells us that her conduct was beyond the pale, but common sense cannot substitute for legal standards when criminal liability is at issue. McFadden's crime is more accurately described as "exceeding authorized access." This captures the "insider" aspect of the offense. We do not know if she sent the bizarre message because she was angry at the police department that employed her and wanted to strike back, or whether she simply had an unfortunate sense of humor.

There are many "insider" cases, but one from Georgia captures the peculiar difficulties that can arise when a trusted insider goes rogue. Some years ago, Sam Fugarino worked as a computer programmer for a company that designed software for surveyons. (Fugarino v. State, 243 Ga. App. 268, 531 S.E.2d 187 (Ga. App. Ct. 2000)). He had become a "difficult" employee, but went around the bend when the company hired a new worker, in a completely unrelated position.

Sam became visibly upset, telling a co-worker that the "code was his product" and "no one else was going to work on his code". The other employee saw that Sam was deleting massive amounts of files, so that whole pages of code were disappearing before this employee's eyes. The employee ran to the owner of the company, who came to Sam's desk. Sam told the owner that the "code was his" and that the owner would never "get to make any money" from it. The owner managed to convince Sam to leave the premises, but then discovered Sam had added layers of password protection to the computer system, the net effect of which was to lock the owner and other employees out of the program Sam had been designing.

The upshot of all this was that Sam was charged with "computer trespass" under Georgia law. More precisely, he was charged with using a computer system "with knowledge that such use is without authority" and deleting data from that system. (Ga. Code sec. 16-9-93(b)). Sam was tried, convicted and appealed, claiming that his use of the computer system was not "without authority". Sam, of course, had full access to the computer system; and as a programmer whose job was developing software, he was authorized to use his access not only to write code but also to delete code.

The Georgia appellate court upheld Sam's conviction, using a common-sense, "you should have known what you were doing was wrong" approach very similar to that used by the McFadden court. It noted that at trial the owner of the company testified he had not given Sam authority to delete "portions of the company's program" . . . which ignores the fact that Sam clearly did have authority to do precisely this.

The issue is one of degree: Sam was authorized to delete program code as part of his work developing software; the problem is that he clearly went too far, that he was apparently bent on erasing all of the program code. Clearly, the owner had not specifically told Sam that he was not authorized to delete an entire program; the need to do so had probably never occurred to him.

The Fugarino case illustrates a difficult question that arises when "insiders" are prosecuted for "exceeding authorized access." How, precisely, is someone to know when exceeds authorized access? Relying on the common-sense, "you-should-have-known-it-when-you-did-it" approach taken by these courts is, I would argue, quite unsatisfactory. The over-the-top nature of the ocnduct at issue in these cases may make the approach seem reasonable, but in fact it is not.

Every organization has a host of trusted "insiders" who have authorized access, in varying degrees, to the organization's computer system. Like Sam's employer, most organizations seem to assume that insiders understand the scope of their authorized access and will abide by that understanding. This assumption no doubt derives from our experience with physical security. it is relatively easy to deny employees access to physical spaces; physical boundaries are fixed and obvious. Assume Sam had a key to his own office, but not to his employer's office. If Sam had been found in his employer's (formerly) locked office shredding documents, he could not credibly have claimed that his "access" to the office and the files locked inside was "authorized." It would be reasonable to infer from his conduct (somehow breaking into a locked office) that he knew he was not authorized to be there, that he was doing something "wrong."

Virtual boundaries tend to be invisible and mutable. In a literal sense, Sam did nothing he was not authorized to do; he did not (virtually) break into a locked area and attack data shielded inside. He was authorized to delete code and he deleted code.

As a matter of simple fairness, criminal law demands that one be put on notice as to what is, and is not, forbidden. The question raised by cases like these is precisely how we do this for the "insiders" who legitmately have access to our computer systems.

24 comments:

Anonymous said...

Your summary is incorrect. I did not get upset and leave. I told my boss that I was going to leave, packed my brief case and left. No files were deleted. He asked me what he could do to make me stay. Later that evening, I returned to work. An argument started in which I told him that I felt like he was taking advantage of me. It is at that point that he fired me and called the police. I did not delete any files, or for that matter, even start the work station. All this happened on a Friday.

That night I spoke with my twin brother and told him what had happened. A few days later, he called me and told me that Cowherd had called him and wanted the passwords to the computer. I was quite angry that he called my brother. He called him at work. He knew my brother worked for a local company's plant in Merced California. He actually called him before speaking with me or my wife.

The operating system was Windows NT 3.51, but the disk was formatted with FAT32. He really didn't need the passwords. Besides, I installed the operating system on the computer and hadn't been given any guidance on company passwords.

About a month went by before I was arrest. The police did a search of the computer, but did not look in the directory in which I did my devlopment. I was found guilty based on a snow job by the DA. They presented files in the recycle bin, most of which were object files created and deleted by the Microsoft compile I used. They then gave the computer back to Cowherd weeks before I was arrested.

One thing that is certain from the printouts the police produced. Someone created at least one file and deleted it after I left and before the company turned the computer over to the police.

Ironically, the dates the DA used at trial where dates the files were last modified, not deleted. In otherwords, there was absolutley no proof that I deleted anything.

I am at a lost why this case is on the internet. I was given first offenders status. The case should be sealed after my probation is complete. Another case of my rights being violated because of my attempt to fight back. If I don't appeal the case, you don't have me in your blog.

By the way, I had lost my oldest son in a car wreak in 1994. Exctly one year prior to my working for this bunch of thugs. To use that as motive to explain something that can't be proved and did not happen is cruel.

Another irony is that Cowheard said at trial that he was able to get the code back. It was always there,but that's not my point. He was never asked how he got it back.

If you don't believe you can get railroaded in this country, your mistake.

I did not have a degree in computer science. I was fresh out of school after serving in the Army for 7+ years. I am a desert strom vet, which actually worked to my disadvantage. Another reason to present me as a raving loon. Funny thing is, Cowherd is a Viet Nam vet and should have known better.

In the end, they have their story and I have mine. Either is pretty sad in my eyes.

You should read the appelate courts ruling. They said that the state didn't have to prove I deleted files, ony that I used the computer in a manner that exceeded my authority. They went further to say that this was proven by the "fact" that I had deleted large amounts of file. I'm not a student of logic, but I know circular reasoning when I see it.

By the way, not one file was ever identified by name at trial as belonging to the source code.

Anonymous said...

You know you are the first thing that comes up when I goole my name. No care for the harm you do, just as long as you have something to blog about. Sam Fugarino

Anonymous said...

After review, I have concluded that you are someone I should stay clear of. Whenever I do a web search on my name, your blog is number one on the list. Do you realize you are causeing me and my family harm. You are costing me job opportunities and much more.

Furthermore, you haven't even researched the case well. You talk about "should have known"in your article. We given that you are a law professor, you should have know that I have first offenders status and not blogged ny name all over the internet. To do so is malicious.

Sam Fugarino

Anonymous said...

You first obligation should be to the truth, but then again, you are a lwayer.

Anonymous said...

I was convicted, but the conviction was set aside under Georgia's first offenders act. I wonder if I could sue for the if not diliberate, obmission of this important fact. Isn't this a case of should have known.

Sam Fugarino

Susan Brenner said...

Everything I said in this post comes from the decision I cited in the post. If you have problems with that, you need to contact the court.

As to the conviction's being set aside, I checked on Lexis and did not find any information about what happened afterward. The omission was therefore not deliberate. Indeed, I would have been happy to include that fact in the post . . . and have now done so, in effect, by posting your comment.

If you want to post any further comments as to errors in the court's opinion and/or in my post, I will post them once I receive them.

Anonymous said...

Sure, but as a law professor, you should have researched the trial record. You are using my case to make a point. In reality, my case doesn't apply. You are filtering the information in a manner that is intended to justify the thesis of your blog. Furthermore, if you didn't know I had first offender status, you do now. You talk a lot about fairness in your article. Are those just words?

I did not give up my first offender status by appealing the case. I would have taken this case even further, but I didn't have a job and I had 3 children to feed. I have been used by the system to create case law. The lawyers involved had an obligation to find the truth, not to pad the law books. Your adding my comments as a way of balancing out the appealate courts, and your, disregard for my first time offender status is par for the course. Don't you realize that I actually had to serve a longer probation because I opted for the FTO treatment of my case. So how is the case ever going to be sealed now?

Finally, where is the out cry over my rights being violated. The police ran a sloppy forensic search on the computer. It wasn't even a forensic search. The detective used Norton Disk Doctor. He didn't check the directories where my work would have been. Worse, he gave the computer back to Cowherd some three weeks before I was arrested. The evidence should have been throw out, but wasn't. No chain of custudy was observed. The minute Cowherd used the computer the evidence was changed. This case is a bad case. The handling of it is just plain scarey. It certainly shouldn't be used to establish law through case law.

I don't think people realize just how sloppy the system is.

Sam Fugarino

Anonymous said...

Not to bother you with more tedious details. I was accused of deleting files on my local machine not the company network. This is a point that seems to be lost to the appelate court. I had access to the network and the companies source control repository. I was, however, never accused of deleting anything on the network. Kinda funny huh. You can't even find mention of the companies network in the trial, just in the appelate court brief. Do you think the appealate court was led astray? Absolutley! The case is presented in a manner intended to give the impression that I went beserk and started deleting everything. Why then would I leave anything in source control? If I had been working on this project for so long with Cowherds knowledge, why wasn't the code in source control. The police didn't check the source control repository. Why not? I worked on other projects, for example the AutoCad version of the software. Why wouldn't I delete it also. Seems like I would have started there. Seems like the police would have done a "forensic" search on the company's servers. Source Safe keeps an audit log. Why wasn't it presented. No the police went to the computer that Cowherd told them I worked on. The looked only in the directories they were told by Cowherd to look in. And they did this one week after I left the company. They didn't lock the computer up, they gave it back to Cowherd. That's why I asked earlier about how Cowherd recovered the "deleted" files. That's why the files that were created and deleted after I left were important. And, that's why the "evidence" should have never made it to court. Instead, the DA stood up in front of the jury with an inch and a half thick copy of deleted file, some of which were in the WinFax directory, and told the jury that they were proof positive that I had deleted files. Horse Hockey!

Another bothersome point.

Anonymous said...

I was never accused of deleting files on the network or from the company's source control repository.

Anonymous said...

The case was set aside at sentencing not after the appeal. That's what I have been trying to tell you. What you are doing, especially since you are an officer of the court, is circumventing the First Time Offenders act. I request that you remove the complete blog. I have no other way to communicate with you except through this blog. The email address posted doesn't work.

Anonymous said...

By the way I did have a key to the building. When I left that afternoon, I still had the key. The said they saw me delete files that afternoon, so why didn't they take away my key at that time?

Anonymous said...

No one differntiate between a source file or any other file that appeared in the printouts of deleted files. Every deleted file in the computers root directory, the recycle bin, and for some reason, the WinFax directory were presented to the jury in an inch and one half stack of meaningless paper. The pritout did show that c:\devel existed and wasn't deleted. Why then wasn't there a printout of that directory? That's the directory where the source code would have been.

Anonymous said...

By I find your instance that the Mafia is what August Bequai meant by orginized crime in his book "How to Prevent Computer Crime" insulting. It's on par with the juror in my case that concluded before the trial began that I was a hot-headed Italian and must have done it. Organized crime has roots in almost every immigrant group that has come inmasse to the United States; including the Jewish immagrants. You know, guys like Mayer Lanske and Bugsy Siegle. As far as Italian Americans go, they bought not only the Mafia, the bought people like Enrico Fermi. They had children and grandchildren like my father who was the best man I have known and had absolutly no connection with the mafia. He was a chemist.

Anonymous said...

To quote you in yor article "History Lesson"

The book has what seems, to me, to be a peculiar chapter on "infiltration by organized crime." As far as I know, the Mafia (which is what the book means by "organized crime") has never been a player in computer crime.

Anonymous said...

According to Cowherd, what made me a disgruntled employee was the death of my son. That makes no sense and as I have said before, shows a certain callousness that is beyond any humanity. I will tell you this, after my son's death, I used programming as an escape. A way to kill the pain I was experiencing. They were putting an extreme amount of pressure on someone who had lost a child only a year before coming to work for them. I was crushed that night when he took my work away. But that was that night, when I came back to work. Not that afternoon when they would later say they saw me deleting the "code." I know and my God knows that when I left that afternoon, my work was on the computer. The rest is just smoke to cover up the fact that the company didn't have a Windows version of their software in 1997. They were telling their customers that one would be out soon. Had been for over a year. The work I had competed needed at least another year. This company had been in business for 18 years and they were able to convince everyone that I was able to put them in a position of bankrupsy. At that time I had about 20 months experience. All of it at their company. They paid me 30K/year. That's below entry level. I had never written a line of code in C++ before coming to the company. I had spent the first year and a half of my tenure with them
working on the AutoCAD product which was written in C not in object oriented C++. When was I supposed to have learned enough to put them in that sort of position.

They tried to sue me before in 1997. Before the criminal charges were tried. Talk about bullying. We had recieved a small settlement from my son's death. All of 57K. Cowherd turned around and tied to sue me for it. He wanted 10K. Ironically, the same amount AutoDesk wanted upfront for their AutoCAD engine. We were using VersiCAD which had been purchased by Corel and that eventually went away. Cowherd wouldn't pay Autodesk the 10K. I've always felt that the only reason he hired me was that he was looking for investment capital. I bet they got their 10K from the victim's rights people.

They also tried to have me injoined from ever writting software. In reality, they were trying to keep me from ever competing with them.

Anonymous said...

From my perspective, letting me correct ignorance of my first time offenders status does not suffice. You should have known. Leaving this post online even after I have told you. Again, where is your sense of fairness? Why do you insist on leaving this article on your web site? Given the information that I have provided you, even if you don't believe me, you should at least investigate it. That is, if you intend on leaving these post up. Anything less, indicates that you shouldn't be teaching law, because it indicates that you would be knowingly willing to teach error. What bothers me so much about this case is that everyone wanting to prosecute me seem to only have give respect to the parts of the law that suited their agenda. Before the appeal, I had a hearing concering a motion for a new trial. I bought a computer book with me that clearly stated that the tools used by the detective who did the forensic search of the computer gave the date deleted files were last modified not the date they were deleted. I wasn't even allowed to show the judge. The assistant DA replied, "he doesn't have the presumption of innocense now." I'm tryin to show them that they allowed false testimony, because the detective had said the dates were the dates the files were deleted. Furthermore, the assistant DA hammered his version of what the dates meant during his closing arguements. The proper response would have been to seek the truth. I never had a presumption of innocense. There's more, much more. There were printouts of some files that were in a zip file. Goodman had given them to the police to use to look for files that called functions shown on the printouts. They were supposed to be from the old code base, a code base that was never in question. Funny, they contained the C?C++ declaration syntax of _declspec(dllexport). They were printouts of files that I had written. _declspec(dllexport) is used to declare a function that will be exported in a Windows dynamic link library dll. In otherwords, they were from a file that was supposed to be deleted. Were not talking about a file fragment that the detective found and asked the company about. Were talking about code that the company told the detective to look for. Now if the only place the code was stored was on my workstation and I deleted all of it, where did this pritout come from. It never came up at court, but I have a copy of the letter. Again, you have the company directing the investigation. It was critical that the detective make a printout of the DEVEL directory, but it was in the printouts.The printout of the root directory clearly show c:\devel as being on the drive and not being deleted. Why didn't the company tell the detective to look in that directory. It's beyond explanation.

Before you ask, my lawyer was aware of all of this.

Anonymous said...

I was able for a few days to push this article back from the top spot when a search for Sam Fugarino was done. I wonder why it's back at number one. Maybe you are resubmitting it to the search engines. Given that I have advised you of the error in your article, if you are resubmitting this page, and whether you are can be proven, it would be an indicator of malice on your part.

Susan Brenner said...

I have done nothing that would alter search engine retrieval of this article.

I assume the comments you keep posting have no doubt had an effect and may account for this phenomenon, if, indeed, it is occurring.

Anonymous said...

Just so there isn't any confusion. Under the first offender's act, I am under no obligation to say on any application that I have been convicted of a crime. As I have tried to point out to you, convictions for non-violent crimes under the first offender act are set aside in lieu of probation. The records are sealed at the successful completion of probation. Therefore, I have been done irreparable damage by the appellate court, by you, and by Owen Kerr, etc. There is no legal remedy for me, so, I guess, I am the prototypical man without a voice. No rights in court and no right to be treated with common decency afterward. The message, fight back and we will make your life that much more difficult.

Anonymous said...

The manner in which I have added comments that demand a response from you is very consistent with my treatment in this case. Every legitimate point made fell on deaf ears.

I especially love the term "massive" in the way it is used. Especially in the appealate courts decision. Go through the evidence, you won't find massive anything except the massive neglect of my rights. When the DA stood in front of the jury, he had a massive list of nothing. Pages upon pages of files in basically three directories, the root, the recycle bin, and the WinFAX directory. Not one page from the C:\Devel direcetory. Not One. There may have been a C++ file (extension .cpp), but not that many and even if there were, there presences means nothing without looking in c:\devel. I do know there were pages and pages of .obj files. Files created and deleted by the Microsoft compile I used and not really worth much after compilation. So, in reality, the prosecutor lied to the jury.

Anonymous said...

You not going to post my assetion that the prosecutor willfully lied to the jury about the dates on the printouts? He we go again. Suppression of evidence that should be included while including garbage that shouldn't.

My incompetent lawyer was counting on all counts being thrown out. He never put up one witness and didn't call me or my wife. In other words, he put up no defense at all. Now I have to put up with incompetent law professors using this disgraceful example of American "justices" to establish precedence to railroad other lesser suckers as myself.

Charlatans! As Mr. Chesterton says, "There are two kinds of charlatan: the man who is called a charlatan, and the man who really is one. The first is the quack who cures you; the second is the highly qualified person who doesn't." What sort of quack are you?

Anonymous said...

Lost another job today because of my "record." Over 10 years since the incident and 9 since the trial. I was working on a four month contract. Month into it, my background check comes back with a felony. Now, I am exceeding the job's requirements. I have work done that is supposed to be done in November and it's the end of September. It's funny, I had a background check in 2003 for Accenture that came back clean. Now I'm in my mid forties with less than a year left on my probation and it's coming up. The judge told me at sentencing that I could truthfully say that I hadn't been convicted of a felony because of the first offender status, but I guess not. Doesn't matter that the case's disposition is listed as judgement withheld. The good people at Agco couldn't deal with a felon in their pious midst. Buy John Deere Tractors!

Anonymous said...

Case Number: 97-B-02635-6
Case Date: Friday, August 29, 1997
Case Type: Indictment
Case Category:
Case Description:
Disposition Date: Thursday, May 07, 1998
Disposition: Judgment Withheld
Disposition Manner:
Jury Trial Demand:
Filing Type: General Criminal

Anonymous said...

Two more job opportunities down the tubes even though I have sucessfully completed my first offender's probation and according to Georgia law I have been exonerated and the case can not be held against me in regards to employment decisions.