Cyber Insurance Between the Lines
Mark Rasch, 2003-05-26

Your company may already have insurance against computer attacks and electronic sabotage, without even knowing it.

Cyber Insurance Between the Lines 2003-05-27
blacklight (1 replies)
Cyber Insurance Between the Lines 2003-05-28
Mark Rasch (1 replies)
Cyber Insurance Between the Lines 2003-05-31
blacklight
Thanks for providing the text of the Court's ruling - I am still punch drunk from reading it, and my IQ probably took a temporary dip of 50 points.

The facts of the case are as follows: (1) Mr. Powell was fired on May 30, 2000; (2) Mr. Powell successfully broke into his former employer's systems the evening of July 21, 2000 using one or both of the two Trojan horse programs that he had installed while he was still an employee of his former employer.

My interpretation is as follows: (1) Mr. Powell broke faith with his employer when he installed the Trojan horses. All admins do install backdoors, but these are user accounts with admin privileges. No admin would ever install Trojan horses in good faith; (2) On the date of Mr. Powell's successful attack, Mr. Powell was clearly no longer an employee of the firm since he had been fired at least seven weeks earlier.

The Appeals Court's decision was based on its interpretation of the validity of a key clause of the insurance contract, which is used to shield the insurance company from having to pay up for the malicious acts of employees of the policy holder. Apparently, the Appeals Court did not think much of that clause. The fact is that while Mr. Powell broke faith with his employer while still an employee of the company, Mr. Powell engaged in vandalism as an ex-employee of the company - so I am not sure why the insurance company could think it could wave this clause at the District Court and get away with it in the first place.

From a purely technical point of view, Mr. Powell somehow managed to retain remote access to his former employer's systems. He probably "telnetted" or "sshed" his way in from outside, which is why I am definitely against letting any admin who lives within reasonable commuting distance have remote access privileges. Mr. Powell's former employer should have exercised due diligence by running vulnerability tests against the machines.


Link to this comment: http://www.securityfocus.com/comments/columns/163/20259#20259
Cyber Insurance Between the Lines 2003-05-29
Psuedo-Anonymous Coward
Cyber Insurance Between the Lines 2003-05-29
Anonymous







 

Copyright 2008, SecurityFocus