Developer sentenced to prison for activating “kill switch” to avenge his firing

5 months ago (arstechnica.com)

“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”

Morality aside, that’s kind of hilarious.

The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.

  • Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.

  • Why do you think he had admin access to Active Directory?

    Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.

    • He could prevent logins of other people. That means a rather high level of access.

  • you would be amazed how often this happens

    i regularly see orgs with orphan machines running that no one understands or wants to touch

The article says he named programs after himself but also that he tried to evade detection.

How crazy would it be if he were framed.

Should have named it cryptolockDefender() and argued it was to protect against someone disabling his account to lock out the administrator.

4 years for that is absurd.

We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?

What an absolute joke.

Just as a thought exercise, the better kill switch is a dead man switch that is disarmed every month or two until its next run, also one that acts as malicious ransomware that deletes everything including itself and all logs.

Obviously don't do this, because you don't want to be more morally bankrupt than your employer, or your whole argument of righteousness falls apart. The morally righteous never would, because they already know that employment in the US is voluntary for both sides. Also, over time, one would absolutely forget to disarm it.

  • the best kill switch is to write a slop codebase only you understand. no intentional evil little mechanisms, no intentional breaking, just the slop, slop written in good faith. now that is legal

    • To be fair, an LLM can cut through unclear codebases like a hot knife through butter. The LLM may make some mistakes, but it gets the general idea.

      There is one exception. It is when the code has no type definitions and obfuscated variable names, or worse yet, has incorrect type definitions and misleading variable names, but such code is not maintainable at all anyway, even for oneself.

      In summary, even for the author to understand a codebase over a long period, it has to be well organized because human memory doesn't recall all the little details.

Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.

Tinley pleaded guilty and got 6 months.

https://www.zdnet.com/article/siemens-contractor-pleads-guil...

  • Who answers their work phone while on vacation? I don't even have mine turned on outside of working hours. What a rookie.

    • Most of us don't have work phones, that's stuff from early 2000s at best. Lugging around another brick just for work, no thank you.

      That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.

      Having a good private (aka actual) life you are willing to defend ain't a sign of weakness, on the contrary.


The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary and probably less prison time.

Four years feels like a long time for this...

  • It was premeditated. It caused actual damage. He doesn’t appear to have done anything to stop it once it started.

    He gets points for style. But this is novel behaviour that has to be discouraged.

    • > actual damage

      Damage is a funny word here. Yes - money was lost, but no buildings were destroyed, nor people physically harmed. “Actual damage” makes it sound like a lot more than lost time and a few extra contracts paid out.


    • Yeah I know, it just feels long for what is almost a victimless crime. I'm aware the company lost money and therefore the shareholders etc etc.

      I feel like 2 years would have made sense to me.


  • I'm not sure what is meant by supervised release but there is also three years of that after the initial four. He apparently also gets a permanent record as a felon, so I imagine it'll be hard for him to find new work. Without that, can he even have health insurance? He also can't vote in elections, right? Sounds like his life is frankly going to be ruined.

    From a Danish perspective I think that this is rather cruel.

    • It varies by state. In many states, felons can register to vote immediately after release (even while on parole) and aren't disqualified from programs like Medicaid. So it's not a death sentence despite what the system intends.


  • It's just a punishment for being too foolish: if he scheduled it to switch some time after he's fired, that would be more funny to investigators and he would get fewer years. /s

Waaaay overexaggerated sentence! But I believe this wasn't about the “damage” that happened but about sending a message asserting the power dynamics between the employees and employers, as in, if you dare to do something similar or rebellious you will have your life and future ruined forever, establishing a precedent that reinforces the power hierarchy between employees and employers. The underlying message suggests that any similar acts of defiance will result in severe and harsh consequences. By the way, modern dynamics have shifted a lot of things for granted. I know personally a few developers who worked back in the 80s/90s and up to this date the companies still pay them portions of their profits because these developers are the owners of that code and have ownership rights in the code they developed, meanwhile these days under “industry standards”, the code that you spent your time/life/etc. on is totally owned by the company and you, the creator, do not own it, the original creator retaining no ownership rights whatsoever. Hilarious! Slavery? Code monkey? Whatever you want to name it but definitely it isn't a good thing. It’s a substantial shift in the balance of intellectual property rights between developers and their employers.

  • So if a developer owns the code he wrote, and gets paid for its use over time, does he also get paid while writing the code? And how do you determine how much to pay for said code? By line count, but then that goes against some chunk of income/profit which also has to be spread among marketing people’s writings, and manager’s decision outcomes, etc? I just don’t see how this works realistically, but I’m open to being enlightened.

  • Indeed, and to add to the irony, yours is the most downvoted comment. Developers think owning their work product is a bad idea?

    • Domestication. A lot of people are afraid to go against the status quo, or to be different from their colleagues, or demand things that aren't usually demanded. It shouldn't be hard for a programmer who is hired to demand that he owns the code he writes. Keep in mind too that a lot of company/startup founders are on HN and having this idea spreading around threatens their profits. Instead of having people paid peanuts to write code the company will own, then replace said people with a week's notice to bring another cheaper person, having programmers owning that code will end their exploitation model.

      As for the up/down votes, I have them disabled so I don't know nor do I care about them. I actually should write that part in my signature.