“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”
The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.
Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.
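Picking up the access-control point raised in the two comments above: one control that does not depend on spotting the rogue code itself is to alert on its effect, namely one principal disabling or locking out many accounts in a short time. The Python below is an added example of that detection logic, not code from the article, from Eaton, or from any commenter. The Windows Security event IDs 4725 (user account disabled) and 4740 (user account locked out) are real; the event record shape, principal names, account names and timestamps are constructed for illustration, and the threshold and window are assumed defaults a team would tune to its own offboarding rate.

```python
"""Detect one principal disabling or locking many accounts in a short window.

Added example over constructed events; not code from the article or any
commenter. Windows Security event IDs 4725 ("a user account was disabled")
and 4740 ("a user account was locked out") are real; the flat record shape,
principals and timestamps below are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(when, event_id, subject, target):
    """Build one constructed event record (assumed flat JSON-like shape)."""
    return {"time": when.isoformat(), "event_id": event_id,
            "subject": subject, "target": target}


def constructed_events():
    """Constructed sample: routine offboarding plus one suspicious burst."""
    base = datetime(2019, 9, 9, 15, 0, 0)
    events = []
    # Routine administration: helpdesk disables two leavers an hour apart.
    events.append(make_event(base, 4725, "helpdesk.admin", "jdoe"))
    events.append(make_event(base + timedelta(hours=1), 4725,
                             "helpdesk.admin", "msmith"))
    # Suspicious: a build-server account (hypothetical name) disables
    # twelve distinct users within 33 seconds.
    for n in range(12):
        events.append(make_event(base + timedelta(minutes=30, seconds=3 * n),
                                 4725, "svc-build01$", f"user{n:02d}"))
    # Unrelated noise (4624 = successful logon) that the detector must ignore.
    events.append(make_event(base + timedelta(minutes=31), 4624,
                             "user03", "user03"))
    return events


SAMPLE_EVENTS = constructed_events()


def detect_mass_disable(events, threshold=10, window_seconds=300,
                        event_ids=(4725, 4740)):
    """Return one alert per principal that disabled or locked out at least
    `threshold` distinct accounts inside any span of `window_seconds`.

    Each alert is {"subject", "start", "accounts"}; the list is empty when
    nothing crosses the threshold. Events with other IDs are ignored.
    """
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] in event_ids:
            by_subject[e["subject"]].append(
                (datetime.fromisoformat(e["time"]), e["target"]))

    alerts = []
    for subject, items in by_subject.items():
        items.sort()  # chronological; ties broken by target name
        for i, (t0, _) in enumerate(items):
            # Distinct accounts touched within the window opened by event i.
            targets = {tgt for t, tgt in items[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= threshold:
                alerts.append({"subject": subject, "start": t0.isoformat(),
                               "accounts": len(targets)})
                break  # one alert per principal is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_disable(SAMPLE_EVENTS):
        print(f"ALERT {alert['subject']} disabled {alert['accounts']} "
              f"accounts starting {alert['start']}")
```

The sliding window is keyed on distinct target accounts rather than raw event count, so a retry loop hammering the same account does not trip it, while a kill switch walking the directory does. Run against the constructed sample it flags only the build-server principal; the helpdesk's two offboardings an hour apart stay below the default threshold.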
Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.
I worked as a freelance contractor for years. Being available is not part of the job, in fact not having to be available at specific times, aside from occasional planned meetings, is one of the major perks of the job.
If I was expected to be available all the time, you can be damned sure I would have expected to be paid by the hour for that.
Not only do I have a separate work phone, but my personal phone has two SIM cards (one physical and one eSIM). One of those numbers is my general spam number that I give to businesses and acquaintances, and the other is my actual personal phone number that only the people close to me in real life get. I have a widget on the home screen that can disable/enable the spam SIM card at will.
Makes it real easy to control how available I am to different groups of people.
After work, I put my work phone away. I have been in this industry for over a decade and I wouldn’t have it any other way.
I will never let an employer steal time away from my family again. Especially now that they want us all to RTO. Office time is theirs, home time is mine.
Most of us don't have work phones, that's stuff from early 2000s at best. Lugging around another brick just for work, no thank you.
That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.
Having a good private (aka actual) life you are willing to defend ain't a sign of weakness; on the contrary.
Every serious place I’ve worked at wants to put MDM on all devices with corp data on them. So once you leave, they can wipe all the apps with their data on them.
And that’s fair. But I don’t want that on my personal devices. It’s literal spyware.
If work wants that level of control on my phone, they can just give me a phone they own outright. I’ll give it back when I’m done working there.
Seriously, it’s a huge mistake to mix personal and professional data on any device. Too many risks I want nothing to do with.
Damage is a funny word here. Yes - money was lost, but no buildings were destroyed, nor people physically harmed. “Actual damage” makes it sound like a lot more than lost time and a few extra contracts paid out.
Monetary damages are damages, I don't think this is particularly complicated. If I made it so you couldn't get several weeks of your wages for hours that you worked you would be rightly furious with me and feel like a victim.
Damages in the sense that warrants compensation and likely additional punitive damages as deterrence, agreed. But monetary damages don’t seem sufficient to justify jail time in a society that likes to claim it doesn’t have debtor’s prisons.
Yes, yes, criminal law and civil law are two different things and statutes can allow or require imprisonment in a criminal sentence. But we are discussing what is morally appropriate punishment for this misdeed, not what current law allows.
I don't buy this equivalence of financial damage to a person with financial damage to a business.
If I had a business its finances would be separate from my personal finance using limited liability, so even if someone destroyed 100% of its value, it would only be no return on investment for me - sad and bad but totally not equivalent to losing all my personal money.
Compensation and damages would probably mean decades of a bleak existence with most of your meager earnings going to the compensation and damages you owe. Chances are it will be a long time before he can get a good paying job after this, not like he has a good reference from his previous employer. I would seriously consider the prison time if given the option.
> “Do you understand what I'm saying?" shouted Moist. "You can't just go around killing people!"
> "Why Not? You Do." The golem lowered his arm.
> "What?" snapped Moist. "I do not! Who told you that?"
> "I Worked It Out. You Have Killed Two Point Three Three Eight People," said the golem calmly.
> "I have never laid a finger on anyone in my life, Mr Pump. I may be–– all the things you know I am, but I am not a killer! I have never so much as drawn a sword!"
> "No, You Have Not. But You Have Stolen, Embezzled, Defrauded And Swindled Without Discrimination, Mr Lipvig. You Have Ruined Businesses And Destroyed Jobs. When Banks Fail, It Is Seldom Bankers Who Starve. Your Actions Have Taken Money From Those Who Had Little Enough To Begin With. In A Myriad Small Ways You Have Hastened The Deaths Of Many. You Do Not Know Them. You Did Not See Them Bleed. But You Snatched Bread From Their Mouths And Tore Clothes From Their Backs. For Sport, Mr Lipvig. For Sport. For The Joy Of The Game.”
How is this a victimless crime or even almost a victimless crime? I’m confused by your post — you say it’s “almost a victimless crime” and then immediately describe who was victimized and why. So what do you mean? Just that it didn’t involve physical violence?
I'm not sure what is meant by supervised release but there is also three years of that after the initial four. He apparently also gets a permanent record as a felon, so I imagine it'll be hard for him to find new work. Without that, can he even have health insurance? He also can't vote in elections, right? Sounds like his life is frankly going to be ruined.
From a Danish perspective I think that this is rather cruel.
It varies by state. In many states, felons can register to vote immediately after release (even while on parole) and aren't disqualified from programs like Medicaid. So it's not a death sentence despite what the system intends.
It's just a punishment for being too foolish: if he scheduled it to switch some time after he's fired, that would be more funny to investigators and he would get less years. /s
Waaaay overexaggerated sentence! But I believe this wasn't about the “damage” that happened but about sending a message asserting the power dynamics between employees and employers, as in: if you dare to do something similar or rebellious you will have your life and future ruined forever, establishing a precedent that reinforces the power hierarchy between employees and employers. The underlying message suggests that any similar acts of defiance will result in severe and harsh consequences. By the way, modern dynamics have shifted a lot of things taken for granted. I personally know a few developers who worked back in the 80s/90s and to this date the companies still pay them portions of their profits, because these developers are the owners of that code and have ownership rights in the code they developed. Meanwhile, these days under “industry standards”, the code that you spent your time/life/etc. on is totally owned by the company, with you, the original creator, retaining no ownership rights whatsoever. Hilarious! Slavery? Code monkey? Whatever you want to name it, but it definitely isn't a good thing.
It’s a substantial shift in the balance of intellectual property rights between developers and their employers.
The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary and probably less prison time.
Morality aside, that’s kind of hilarious.
Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.
How crazy would it be if he were framed.
Tinley pleaded guilty and got 6 months.
https://www.zdnet.com/article/siemens-contractor-pleads-guil...
Mine just stays on my desk when working and goes to a drawer when not. It is basically just a 2FA device. There is nothing to lug around.
He gets points for style. But this is novel behaviour that has to be discouraged.
This is called wage theft and I haven't seen anybody going to jail for it.
I don't condone what this person did, but I wish justice was as swift for crimes committed by the rich and powerful.
And generally, the scale of the damage affects the punishment.
Death speaks in ALL CAPS.
Death's bosses speak in italics.
I. Gods speak in
II. Commandments
The character speaking in the above quote is Dorfl, a golem, who speaks in Title Case.
I feel like 2 years would have made sense to me.
Mugging is “almost a victimless crime” by that standard.
And this was significantly more victim-ful than that.
>Ranked #4 in "100 Best Corporate Citizens" of Corporate Responsibility Magazine in 2013, also ranking in Top 50 for Six Consecutive Years.
Fucking bozos!