JumpCrisscross 5 hours ago

“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”

Morality aside, that’s kind of hilarious.

pm90 4 hours ago

The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.

  • eurleif 4 hours ago

    Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.

  • thrown-0825 2 hours ago

    You would be amazed how often this happens.

    I regularly see orgs with orphan machines running that no one understands or wants to touch.

  • paulddraper 4 hours ago

    Why do you think he had admin access to Active Directory?

    Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.

    • gpvos 2 hours ago

      He could prevent logins of other people. That means a rather high level of access.

waltbosz 5 hours ago

The article says he named programs after himself but also that he tried to evade detection.

How crazy would it be if he were framed?

analognoise 3 hours ago

4 years for that is absurd.

We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?

What an absolute joke.

  • jjav 32 minutes ago

    Rules apply only if you're not rich enough to buy some special rules just for you. It's not how it was supposed to be.

  • rrgok 2 hours ago

    I was thinking the same. I guess money can buy everything: morality, spirituality and even justice.

AtlasBarfed 5 hours ago

Should have named it cryptolockDefender() and argued it was to protect against someone disabling his account to lock out the administrator.

maxbond 5 hours ago

Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.

Tinley pleaded guilty and got 6 months.

https://www.zdnet.com/article/siemens-contractor-pleads-guil...

  • encom 5 hours ago

    Who answers their work phone while on vacation? I don't even have mine turned on outside of working hours. What a rookie.

    • pflenker 4 hours ago

      He was a freelance contractor. Being available basically all the time is part of the job.

      • esperent 4 hours ago

        I worked as a freelance contractor for years. Being available is not part of the job, in fact not having to be available at specific times, aside from occasional planned meetings, is one of the major perks of the job.

        If I were expected to be available all the time, you can be damned sure I would have expected to be paid by the hour for that.

    • maxbond 5 hours ago

      Answering your phone is one thing, but not adding a critical date to your calendar!?

    • jajko 4 hours ago

      Most of us don't have work phones, that's stuff from early 2000s at best. Lugging around another brick just for work, no thank you.

      That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.

      Having a good private (aka actual) life you are willing to defend ain't a sign of weakness, on the contrary.

      • mingus88 4 hours ago

        Every serious place I’ve worked at wants to put MDM on all devices with corp data on them. So once you leave, they can wipe all the apps with their data on them.

        And that’s fair. But I don’t want that on my personal devices. It’s literal spyware.

        If work wants that level of control on my phone, they can just give me a phone they own outright. I’ll give it back when I’m done working there.

        Seriously, it’s a huge mistake to mix personal and professional data on any device. Too many risks I want nothing to do with.

        • encom 3 hours ago

          This. My work phone and computer are locked down to a ridiculous degree because I work a government job. Using my own devices is out of the question.

          When I was younger I would answer calls and emails outside of work hours, because I wanted to be a Good Employee, but it's a huge mistake because management (and sometimes coworkers) will exploit it and after a while expect you to do it. Set hard boundaries immediately.

      • jjav 33 minutes ago

        > Most of us don't have work phones, that's stuff from early 2000s at best.

        You absolutely want hard physical separation between personal devices and company-controlled business devices. That means two phones and never allow control to cross those boundaries.

      • prmoustache 4 hours ago

        > Lugging around another brick just for work

        Mine just stays on my desk when working and goes to a drawer when not. It is basically just a 2FA device. There is nothing to lug around.

    • paulddraper 4 hours ago

      Who carries a separate work cell phone?

      • SturgeonsLaw 4 hours ago

        Not only do I have a separate work phone, but my personal phone has two SIM cards (one physical and one eSIM). One of those numbers is my general spam number that I give to businesses and acquaintances, and the other is my actual personal phone number that only the people close to me in real life get. I have a widget on the home screen that can disable/enable the spam SIM card at will.

        Makes it real easy to control how available I am to different groups of people.

      • mingus88 4 hours ago

        I do, daily.

        After work, I put my work phone away. I have been in this industry for over a decade and I wouldn’t have it any other way.

        I will never let an employer steal time away from my family again. Especially now that they want us all to RTO. Office time is theirs, home time is mine.

      • jjav 31 minutes ago

        > Who carries a separate work cell phone?

        Anyone who cares about privacy and control of their personal life.

      • hamburglar 4 hours ago

        People who are serious about a wall between work and personal business.

      • jen20 2 hours ago

        Anyone who doesn’t want some corporate IT administrator to be able to fat finger bricking their phone, or install corporate spyware on a personal device.

b_e_n_t_o_n 5 hours ago

Four years feels like a long time for this...

  • JumpCrisscross 5 hours ago

    It was premeditated. It caused actual damage. He doesn’t appear to have done anything to stop it once it started.

    He gets points for style. But this is novel behaviour that has to be discouraged.

    • b_e_n_t_o_n 5 hours ago

      Yeah I know, it just feels long for what is almost a victimless crime. I'm aware the company lost money and therefore the shareholders etc etc.

      I feel like 2 years would have made sense to me.

      • umanwizard 5 hours ago

        How is this a victimless crime or even almost a victimless crime? I’m confused by your post — you say it’s “almost a victimless crime” and then immediately describe who was victimized and why. So what do you mean? Just that it didn’t involve physical violence?

        • eviks 4 hours ago

          It means that those are lesser categories of victims

      • paulddraper 4 hours ago

        Length of sentence aside, your notion of victimless crime is wild.

        Mugging is “almost a victimless crime” by that standard.

        And this was significantly more victim-ful than that.

        • gpvos 2 hours ago

          A company losing money is way less bad than a mugging.

    • happyopossum 5 hours ago

      > actual damage

      Damage is a funny word here. Yes - money was lost, but no buildings were destroyed, nor people physically harmed. “Actual damage” makes it sound like a lot more than lost time and a few extra contracts paid out.

      • rogers12 5 hours ago

        As a thought experiment, consider how much monetary loss and how much time wasted you would tolerate before "it's just money bro" starts wearing thin.

        • gpvos 2 hours ago

          It's a company, not a person.

          • JumpCrisscross 22 minutes ago

            Which means it affects hundreds if not thousands of people.

      • cmcaleer 5 hours ago

        Monetary damages are damages, I don't think this is particularly complicated. If I made it so you couldn't get several weeks of your wages for hours that you worked you would be rightly furious with me and feel like a victim.

        • skywal_l 5 hours ago

          > If I made it so you couldn't get several weeks of your wages for hours that you worked

          This is called wage theft and I haven't seen anybody going to jail for it.

          I don't condone what this person did, but I wish justice was as swift for crimes committed by the rich and powerful.

          • paulddraper 4 hours ago

            Depends on the state, but wage theft is a criminal offense (punishable by jail).

            And generally, the scale of the damage affects the punishment.

            • exe34 3 hours ago

              can you name one director who went to jail for this?

        • jkaplowitz 5 hours ago

          Damages in the sense that warrants compensation and likely additional punitive damages as deterrence, agreed. But monetary damages don’t seem sufficient to justify jail time in a society that likes to claim it doesn’t have debtor’s prisons.

          Yes, yes, criminal law and civil law are two different things and statutes can allow or require imprisonment in a criminal sentence. But we are discussing what is morally appropriate punishment for this misdeed, not what current law allows.

          • rank0 5 hours ago

            That’s an insane take. Financial damage isn’t a problem for you? What if someone targeted you personally or your business?

            • praptak 4 hours ago

              I don't buy this equivalence of financial damage to a person with financial damage to a business.

              If I had a business, its finances would be separate from my personal finances using limited liability, so even if someone destroyed 100% of its value, it would only be no return on investment for me - sad and bad but totally not equivalent to losing all my personal money.

              • cowthulhu 4 hours ago

                What about the employees you had to let go to cover the shortfall? No damages there either?

                • praptak 4 hours ago

                  Same category - bad but not enough to warrant four years jail time. Unless you are prepared to argue four years in jail for unlawful termination.

                  • cowthulhu 2 hours ago

                    Well, I know whose company I’ll be defrauding!

          • ofalkaed 4 hours ago

            Compensation and damages would probably mean decades of a bleak existence with most of your meager earnings going to the compensation and damages you owe. Chances are it will be a long time before he can get a good paying job after this, not like he has a good reference from his previous employer. I would seriously consider the prison time if given the option.

      • jcranmer 5 hours ago

        I think Terry Pratchett laid it out best:

        > “Do you understand what I'm saying?" shouted Moist. "You can't just go around killing people!"

        > "Why Not? You Do." The golem lowered his arm.

        > "What?" snapped Moist. "I do not! Who told you that?"

        > "I Worked It Out. You Have Killed Two Point Three Three Eight People," said the golem calmly.

        > "I have never laid a finger on anyone in my life, Mr Pump. I may be–– all the things you know I am, but I am not a killer! I have never so much as drawn a sword!"

        > "No, You Have Not. But You Have Stolen, Embezzled, Defrauded And Swindled Without Discrimination, Mr Lipvig. You Have Ruined Businesses And Destroyed Jobs. When Banks Fail, It Is Seldom Bankers Who Starve. Your Actions Have Taken Money From Those Who Had Little Enough To Begin With. In A Myriad Small Ways You Have Hastened The Deaths Of Many. You Do Not Know Them. You Did Not See Them Bleed. But You Snatched Bread From Their Mouths And Tore Clothes From Their Backs. For Sport, Mr Lipvig. For Sport. For The Joy Of The Game.”

        • JumpCrisscross 4 hours ago

          Was it really capitalised like that?

          • Pxtl 4 hours ago

            Yes, things like that are common in Pratchett's writing.

            Death speaks in ALL CAPS.

            Death's bosses speak in italics.

            I. Gods speak in

            II. Commandments

            The character speaking in the above quote is Dorfl, a golem, who speaks in Title Case.

            • JumpCrisscross 3 hours ago

              That’s kind of hilarious given who the style reminds me of.

  • devjab 5 hours ago

    I'm not sure what is meant by supervised release but there is also three years of that after the initial four. He apparently also gets a permanent record as a felon, so I imagine it'll be hard for him to find new work. Without that, can he even have health insurance? He also can't vote in elections, right? Sounds like his life is frankly going to be ruined.

    From a Danish perspective I think that this is rather cruel.

    • jrockway 4 hours ago

      It varies by state. In many states, felons can register to vote immediately after release (even while on parole) and aren't disqualified from programs like Medicaid. So it's not a death sentence despite what the system intends.

      • Tostino 2 hours ago

        Florida passed a ballot measure allowing felons to vote a few years back. Our legislature just ignored it and instituted other requirements and hoops for them to jump through that made like 90+% of them ineligible to vote still.

  • zonkerdonker 5 hours ago

    "Chinese national" feels like a pretty critical detail to this sentencing time.

  • chaosbolt 4 hours ago

    It is, there are rapists that get less prison than this.

    • andrewflnr 4 hours ago

      Well, there are always two directions you can go to fix a double standard.

  • zx8080 5 hours ago

    It's just a punishment for being too foolish: if he scheduled it to switch some time after he's fired, that would be more funny to investigators and he would get less years. /s

ReptileMan 5 hours ago

The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary and probably less prison time.

thrown-0825 2 hours ago

Pretty dumb way to go about implementing this, don't skip code review kids.

tamimio 4 hours ago

Waaaay overexaggerated sentence! But I believe this wasn't about the “damage” that happened but about sending a message asserting the power dynamics between the employees and employers, as in, if you dare to do something similar or rebellious you will have your life and future ruined forever, establishing a precedent that reinforces the power hierarchy between employees and employers. The underlying message suggests that any similar acts of defiance will result in severe and harsh consequences. By the way, modern dynamics have shifted a lot of things we took for granted. I know personally a few developers who worked back in the 80s/90s and up to this date the companies still pay them portions of their profits because these developers are the owners of that code and have ownership rights in the code they developed. Meanwhile these days, under “industry standards”, the code that you spent your time/life/etc. on is totally owned by the company and you, the original creator, retain no ownership rights whatsoever. Hilarious! Slavery? Code monkey? Whatever you want to name it, but definitely it isn't a good thing. It’s a substantial shift in the balance of intellectual property rights between developers and their employers.