When contractors exact their revenge

IT contractors are often in positions to wreak havoc and extract money via "legbreaker" tactics. Think ahead to stay safe.

Christiaan Colen/Flickr (Creative Commons BY or BY-SA)

Extortion and ransomware on the rise

Extortion and ransom are crimes that have been around for centuries, and their new high-tech iterations are among the chief nightmares for infosecurity pros. There's good reason for anxiety: ransomware, malware that literally holds computers hostage, is on the rise in 2015. And while ransomware has traditionally targeted poorly protected PCs, it's been moving up the stack into servers that hold sensitive financial information.

But while you might worry about ransom requests delivered via trojans from shady Eastern European syndicates, there's another, more intimate potential vector: the employees and contractors you pay to work on your apps or websites. When those business relationships go south, there can be hell to pay.

Stay fit in SF, no webpage needed
Vincent Huang/Flickr (Creative Commons BY or BY-SA)

The gym vs. the German

Perhaps one of the most high-profile examples happened right in the tech epicenter of the Bay Area. Frank Jonen, a German Web designer, was engaged by Fitness SF, a local gym chain, to design a logo and a new website in May of 2012. By the following February, the relationship between the two had completely broken down -- but, crucially, Fitness SF never took away Jonen's access to their servers. And so Fitness SF woke up one day to discover that its website, which was not only its public face but also used for internal purposes, had been replaced by a (very well designed) infographic from Jonen, telling the world that he hadn't been paid for his services.

Reggae in Baltimore
Jussi/Flickr (Creative Commons BY or BY-SA)

Who's the real jerk here?

These attacks succeed because of a paradox specific to our era. Giving someone access to your servers -- particularly your website -- is an act of true intimacy; and yet many small businesses can't afford to tie IT staff to them with the loyalty of full-time employment, and instead use contractors. Fitness SF hired someone who lived on a completely different continent!

This combination of total access and tenuous, ad hoc relationships seems like a recipe for disaster. If web designer Julie Williams had been a full-time employee of the Baltimore Reggae Jerk Festival, she probably wouldn't have jeopardized her steady gig by replacing the festival's website with an invoice. As a freelancer, she had less incentive to play nice.

Robin Hood statue
Olaf1541/Wikipedia (Creative Commons BY or BY-SA)

Don't anger the wrong people

Some hailed Williams and Jonen as Robin Hood-style folk heroes; who can't sympathize with someone who is getting screwed out of payment they deserve? But don't assume you're safe just because you treat your contractors in a way that seems fair. Web developer and marketer Jean Scally of Jeanius Marketing shared a harrowing tale from her own experience. "One of my newer clients spent three years developing a website with some proprietary search functionality. The developer started to claim he should be a partner in the business (after he had twice previously turned down equity offers in favor of cash payments). When he asked again, they told him that they had not been impressed with his performance recently." (Can you see what's coming?)

Flaming computer
Am + Mo/Flickr (Creative Commons BY or BY-SA)

Extracting yourself is difficult

"He pulled their site down," says Scally, "and demanded equal partnership for its return. When they threatened legal action, he gave them temporary access to an old version then took that down while they were backing it up. He claimed they were tampering with it to destroy his work. (They were not; I was copying it for them.) When he took the site down, he also disabled access to their accounting system and all client access."

Sadly, this power move ended in the direst case: the clients "eventually walked away and are rebuilding the site. It's crippled their business -- they haven't been able to give their clients access (or bill anyone) for the last three months."

Sign on the bottom line, please!
24oranges.nl/Flickr (Creative Commons BY or BY-SA)

Protect yourself

Scally has seen a lot of scenarios like this, and she has some basic advice on the best way to protect yourself:

  • Buy your own domain in your own name -- don't let your developer do it.
  • Give developers their own accounts, not just access to your primary account, and make sure you have admin access to anything they set up. This includes social media sites.
  • Back work up to a cloud account that you own.
  • Sign a contract that makes it clear that you own the business's IP and your tech contractor is doing work for hire.
  • And pay your bills on time!
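One way to turn that checklist into a routine you can actually run, as an added example that is not part of the original article or Scally's own practice. It audits a constructed inventory of who holds which accounts (the asset names, account holders and dates are all made up) and flags the conditions the advice above warns about: the owner missing admin rights, a domain or backup account registered in someone else's name, and contractor access that survives the end of the engagement.

```python
"""Contractor-access audit (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str                                   # "domain", "hosting", "social", "backup"
    registered_to: str                          # whose name the account is in
    admins: set = field(default_factory=set)    # accounts with admin rights
    users: set = field(default_factory=set)     # accounts with non-admin access


@dataclass
class Contractor:
    name: str
    engagement_end: Optional[date]              # None means still engaged


def audit(owner: str, assets: list, contractors: list, today: date) -> list:
    """Return one finding per violation of the ownership/offboarding rules."""
    ended = {c.name for c in contractors if c.engagement_end and c.engagement_end < today}
    findings = []
    for a in assets:
        if owner not in a.admins:
            findings.append(f"{a.name}: owner '{owner}' lacks admin access")
        if a.kind in ("domain", "backup") and a.registered_to != owner:
            findings.append(f"{a.name}: {a.kind} registered to '{a.registered_to}', not the owner")
        for who in sorted((a.admins | a.users) & ended):
            findings.append(f"{a.name}: '{who}' still has access after engagement ended")
    return findings


def sample_findings() -> list:
    """Constructed inventory: a gym whose web contractor's engagement ended on 2013-02-01."""
    assets = [
        Asset("example-gym.com", "domain", "dev-contractor", admins={"dev-contractor"}),
        Asset("web hosting", "hosting", "gym-owner", admins={"gym-owner", "dev-contractor"}),
        Asset("facebook page", "social", "gym-owner", admins={"dev-contractor"}, users={"gym-owner"}),
        Asset("offsite backup", "backup", "gym-owner", admins={"gym-owner"}),
    ]
    contractors = [Contractor("dev-contractor", date(2013, 2, 1))]
    return audit("gym-owner", assets, contractors, today=date(2013, 3, 1))


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run it against your real inventory whenever a contractor engagement ends; an empty result is the state you want before the relationship has a chance to sour.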

Blind justice
Tim Evanson/Flickr (Creative Commons BY or BY-SA)

Outside the law

It's interesting that in Scally's anecdote the threat of legal action seemed to rattle the extortionist for a moment but not necessarily shut him down. In truth, unlike cases of malware, in these intimate disputes it can be difficult to argue that the "outsider," who has been given access to servers and can claim copyright on the code in dispute, is legally in the wrong. As Frank Jonen put it, "What they’re suggesting is a bit like saying, 'You broke into their house.' 'What did you use?' 'My keys.' 'What did you steal?' 'My stuff.'" In Britain, claims that you haven't been paid are at least subject to that country's strict libel laws.

An SEO bomb can ruin lives
Jonathan Rolande/Flickr (Creative Commons BY or BY-SA)

The no-touch attack

In fact, the imbalance of technical power between IT pro and clueless client can sometimes be great enough that server access isn't necessary at all to do real damage. For instance, a web designer at LTrain Designs described a scenario where he did rush design work for bikiniacs.com, only to receive no payment and no contact for five months. He eventually used his Web design skills to create bikiniacs.net, a site that detailed his client's perfidy -- and used his SEO skills to make sure that it was the top Google hit for "bikiniacs." Ironically, the .net site is still online, while the .com site is long gone.

Can't get anything from an empty pocket.
Bradley Gordon/Flickr (Creative Commons BY or BY-SA)

Picking your battles

In the end, what may end up restraining the behavior of rogue IT contractors is common sense and self-interest. "Have you heard the saying 'you can't draw blood from a stone?'" asks Rich Kahn, founder and CEO of the digital marketing firm eZanga.com. "The same is true with IT. Of course designers can overtake a site and blast the open invoice or take the client's website down completely, but it doesn't really get them anywhere. While the law can tell someone they need to make good on an outstanding contract or payment, the law cannot make them write the check. They need to take other means and hurdles to recoup the funds, instead of using mafia-style 'legbreaker' tactics."

Terry Childs

Let's make nice

Ultimately, Frank Jonen and Fitness SF made up: within only a few weeks, the matter had been resolved to both parties' satisfaction. Maybe Jonen's legbreaker tactics helped speed negotiations along, or maybe they were just a bump in the road, but it's clear that everyone was acting more or less in their own rational self-interest.

The real scary cases are those like Terry Childs, the network administrator who held the San Francisco city government hostage over what he perceived as a threat to control over "his" systems. Someone mad over an unpaid bill shouldn't make you panic; after all, you can always just pay the bill. Be wary of those who just want to watch the world burn.