“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”
Morality aside, that’s kind of hilarious.
The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.
Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.
you would be amazed how often this happens
I regularly see orgs with orphan machines running that no one understands or wants to touch
Why do you think he had admin access to Active Directory?
Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.
He could prevent logins of other people. That means a rather high level of access.
The article says he named programs after himself but also that he tried to evade detection.
How crazy would it be if he were framed.
Well this seems pretty cut and dry.
4 years for that is absurd.
We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?
What an absolute joke.
Rules apply only if you're not rich enough to buy some special rules just for you. It's not how it was supposed to be.
I was thinking the same. I guess money can buy everything: morality, spirituality and even justice.
Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.
Tinley pleaded guilty and got 6 months.
https://www.zdnet.com/article/siemens-contractor-pleads-guil...
Who answers their work phone while on vacation? I don't even have mine turned on outside of working hours. What a rookie.
He was a freelance contractor. Being available basically all the time is part of the job.
Answering your phone is one thing, but not adding a critical date to your calendar!?
Most of us don't have work phones, that's stuff from early 2000s at best. Lugging around another brick just for work, no thank you.
That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.
Having a good private (aka actual) life you are willing to defend ain't a sign of weakness, on the contrary.
Who carries a separate work cell phone?
Should have named it cryptolockDefender() and argued it was to protect against someone disabling his account to lock out the administrator.
Four years feels like a long time for this...
It was premeditated. It caused actual damage. He doesn’t appear to have done anything to stop it once it started.
He gets points for style. But this is novel behaviour that has to be discouraged.
Yeah I know, it just feels long for what is almost a victimless crime. I'm aware the company lost money and therefore the shareholders etc etc.
I feel like 2 years would have made sense to me.
> actual damage
Damage is a funny word here. Yes - money was lost, but no buildings were destroyed, nor people physically harmed. “Actual damage” makes it sound like a lot more than lost time and a few extra contracts paid out.
I'm not sure what is meant by supervised release but there is also three years of that after the initial four. He apparently also gets a permanent record as a felon, so I imagine it'll be hard for him to find new work. Without that, can he even have health insurance? He also can't vote in elections, right? Sounds like his life is frankly going to be ruined.
From a Danish perspective I think that this is rather cruel.
It varies by state. In many states, felons can register to vote immediately after release (even while on parole) and aren't disqualified from programs like Medicaid. So it's not a death sentence despite what the system intends.
"Chinese national" feels like a pretty critical detail to this sentencing time.
It is, there are rapists that get less prison than this.
Well, there are always two directions you can go to fix a double standard.
It's just a punishment for being too foolish: if he had scheduled it to switch some time after he was fired, that would have been funnier to investigators and he would have gotten fewer years. /s
https://en.m.wikipedia.org/wiki/Eaton_Corporation
This is like the archetype incarnate.
> Ranked #4 in "100 Best Corporate Citizens" of Corporate Responsibility Magazine in 2013, also ranking in Top 50 for Six Consecutive Years.
Fucking bozos!
The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary and probably less prison time.
pretty dumb way to go about implementing this, don't skip code review kids
Waaaay overexaggerated sentence! But I believe this wasn't about the “damage” that happened but about sending a message asserting the power dynamics between the employees and employers, as in, if you dare to do something similar or rebellious you will have your life and future ruined forever, establishing a precedent that reinforces the power hierarchy between employees and employers. The underlying message suggests that any similar acts of defiance will result in severe and harsh consequences. By the way, modern dynamics have shifted a lot of things we take for granted. I personally know a few developers who worked back in the 80s/90s and up to this date the companies still pay them portions of their profits, because these developers are the owners of that code and have ownership rights in the code they developed. Meanwhile these days, under “industry standards”, the code that you spent your time/life/etc. on is totally owned by the company and you, the original creator, retain no ownership rights whatsoever. Hilarious! Slavery? Code monkey? Whatever you want to name it, but it definitely isn't a good thing. It’s a substantial shift in the balance of intellectual property rights between developers and their employers.