Why did this happen? How can we prevent it from happening in the future? These are the questions we need to stress.
In particular, why does an ex-employee still have access to production? I say when something like this happens and heads must roll, they must roll at the top. Fire the CEO. Fire the board. Leave the sysadmin alone.
This is a civil matter. My tax dollars should not pay for a criminal lawsuit. Screw that.
Oh and by the way if you're reading this: please help repeal CFAA.
Put another way, someone at Verelox screwed up and left the door unlocked, but that doesn't mean that the person who walked in and broke stuff is in the clear.
Look, someone, without authorization, accessed a former employer's network and maliciously destroyed data. That's a crime. Sure, the CFAA is overly broad and is abused, but this is not one of those cases: this is a textbook example of something that should be prosecuted under the CFAA.
We should not equivocate on CFAA. It is good for nothing. Full and unconditional repeal should be our only demand.
Nope. The affected customers probably have grounds for a civil suit, but no sane prosecutor would think bringing criminal proceedings against Verelox makes sense at all.
The ex-employee who perpetrated this is at fault as well and must bear responsibility for his destructive actions. Having the ability to do something (even due to a lapse in security) does not make that action moral or legal.
We may remain open to additional information without presuming that uncivil and illegal vandalism was justified, indeed without inventing a narrative from whole cloth as you have done. The logical conclusion is that, drawing from your own life experience, you identify so strongly with the narrative of the wronged sysadmin that you desire to fit a narrative to sparse facts that has no basis in fact.
We are merely commenting on a story on Hacker News. We aren't members of the jury and don't face the same burden or power. I'm down with repealing the CFAA because it's badly written, I'm down with figuring out who dropped the ball as far as giving the sysadmin access post-firing, but as to the sysadmin himself, burn the witch!
IIRC, the Soviet Union had a policy rather like this, referred to as something like the Vertical Stroke, where anytime there was a screw-up at a low level, they would fire the screw-up-ee's manager, and manager's manager, and so on, up to a very high level. The practical result was a drastic decrease in innovation and risk-taking. CEOs and others at that level usually aren't close enough to the guys actually doing direct work to supervise them all closely enough to ensure they don't make mistakes. All they can do is create a culture where there's a book of rules, and you don't deviate from the rules ever, for any reason, no matter what. So that's what they do, and that's the resulting culture and economy that you get.
Maybe we shouldn't rush to judge either sysadmins or CEOs, but instead figure out who, if anyone, actually did something malicious, and let everyone else take the lessons they've already learned from what happened.
If he did it (intentionally wiping the servers), then he is a criminal and a bad person.
If he is a scapegoat, then he didn't do it, so that's a totally different situation.
I don't see how you can disagree with either of these statements.
And discussion of how he still had access is an unrelated matter.
Maybe he became an ex-employee after (and as a result of) wiping production.
I've heard stories where employees wiped production by accident and promptly became ex-employees, followed by their ex-employer trying to put all blame on them. We don't have enough information at this time to determine whether this is what happened at Verelox.
So if an aggrieved ex-employee does enough damage that the company has insufficient resources to sue, or has enough resources themselves to make that difficult, it's all good?
Individuals and companies should not be vulnerable to attacks like this based on their resources. It's in all our interests to ensure this sort of activity is dealt with severely because we are all vulnerable. Mutual defence in the form of criminal prosecution of offenders is the way to go IMHO.
Let's be practical. What is our end goal? Is it vengeance or is it prevention? If it is the latter, our actions must not be centered on retribution but rather on logic and reasoning. We should ask what can we do to prevent this from happening again? Throwing someone in prison is not the answer IMO.
http://www.telegraph.co.uk/news/uknews/crime/12090890/Reveal...