No work you will ever do at a job is your labor. Employees are company property, their thoughts and achievements are company property.
It’s petty to do this but it shouldn’t be possible to get jail time.
Sounds like he could have been a bit more creative in implementing this. Having something immediately traceable back to a username is no bueno.
If he was smart he would not of done this in the first place
Is it even possible to do this in a way that can’t be tracked back to you? Unless you’re a Hollywood hacker that will rig something up to literally burn down the building the server the malicious code is contained on, there will always be some fingerprints left behind in the software. And there will almost always be a relatively short list of possible suspects. Even at large companies, there won’t ever be more than a handful of people with the skills, motive, and access needed to pull something like this off. Oh, the company’s entire database suddenly and mysteriously deleted itself? I wonder who caused that, maybe the disgruntled sysadmin we just fired? There really aren’t that many suspects in situations like this. And once you’re a suspect, they can get a warrant, seize all your computers, and scour them to dig up even more evidence against you. Hell, even just documentation of ill will against your old employer would be evidence in court. You better hope you really left no trace, otherwise you will be found out very quickly.
And really even in the best case scenario you still end up under heavy investigation, get all your computers seized, probably lose your new job, etc. Even if they can’t pin it on you, if you are the only one with the means, motive, and opportunity? They’ll tear your life upside down for years trying to prove it. Even if you are so good you can literally do it with no trace, no evidence in the code at all? It still won’t prevent your life from being torn apart. It will just keep you out of jail at best.
It would be easy depending on your company’s git practices. Complicated git workflows can leave room for you to slip stuff in unnoticed or misattributed. I mean, it still has to pass a review, but a lot of the devs I work with don’t review that closely. Could just assign a lazy dev to the review and increase your odds of getting it through.
They are one of the developers. The code is full of everyones fingerprints.
He 100% didn’t think this would result in criminal charges. A lot of people don’t think through the “how will this company with lawyers react to my petty nonsense?” when doing stuff like this.
What he did was brazen and stupid but 4 years sounds a bit excessive. Unless the journalist is under reporting what happened, he didn’t do any long-term damage just probably knocked them offline for a day and required somebody to come in and manually reset the drsm account in the domain controller.
But in a fit of rage and passion he built out booby traps and put his name all over everything. He wanted them to know it was him, How do you absolutely denied himself plausible deniability.
All he had to do was pretend he was inept and replace service accounts with his own login. Push 90-day password resets on the account for ‘security’. Set up a house of cards out of security certificates.
The company probably walked into that court with a technically competent team of lawyers and a bunch of expert testimony, he probably had a state defender.
I’m curious what this crowd thinks is an appropriate punishment here. No priors, found guilty, caused some lost revenue (which I have to admit doesn’t mean you actually lost revenue). So, should they even be sent to jail? House arrest? Or do we just want consistency in punishments?
Honestly, it’s kind of hard to tell. We’re missing a hell of a lot of intent and access to the evidence here.
If he was just straight up vengeful, He should have been on the hook for the lost wages they paid for all the people that were knocked offline. The cost of whatever contractors they used to repair the problem. 6 months jail time and some psychiatric review.
If he had the intent of blackmailing them, then felony and probably pulling his work visa.
As it sits, even if he had some way to keep his right to work here, there are a few that would touch him with a 10-ft pole. He’s required to disclose felonies as part of the hiring process pretty much everywhere. Anybody prospective employers are going to be extremely reluctant to give him any work that would afford him access to their network.
He should get a corporate level penalty. He made X dollars while working for that company but did something wrong while making that money. He should have to pay back .001% of his profits as a fine and the illegal stuff he did should then be ignored/forgiven. That is what corporations get as a penalty when they break the law, I think it should be applied when they are the victims.
Every user gets 0.003 cents as part of the settlement.
That sounds fair.
Usually a moderate prison sentence and a fine
5-10 years most likely
4 YEARS?! And gaming companies can just build a kill switch into their game and get no penalty?
The difference is, the rich and powerful do their crimes with lawyers. A contractor could actually write something into their contract that allowed them to install such a kill switch. And it would be perfectly legal. No different than if you stop paying for a software license and the program stops working. But regular employees don’t have the leverage to demand such a kill switch. Maybe more programmers should form unions. Write it into the contract that if the contract ever expires before a new one is signed, the union has the right to remotely activate a kill switch, shutting down crucial operations within the company. As long as this was all disclosed and signed to, it would be perfectly legal.
Tesla build them into fucking cars.
Good. Some one should sponsor and hire this guy.
For developers in similar situations, where the corporate overlords make your life miserable; use dead man’s triggers Instead of a simple killswitch: manually start handling certificates, introduce memory leaks that you can easily clear, have excessive disk filling logs that you can daily clear, and all kinds of other stuff that is a perpetual dumpster fire that you extinguish as part of your job. Oh, and don’t forget to forget commenting and documenting. The next developer should instantly learn the pressure they have been putting on you.
So I’ve done plenty of that in my, ahem, practice. And honestly if I had a choice to concentrate and not do that, even if that meant losing my “dead man’s triggers”, then so be it. Extinguishing a perpetual dumpster fire as part of your job is not good. Also someone might be given that to fix after you leave, I’ve been in that role too.
Errr
That’s EXACTLY why I did that in the past. It wasn’t an accident at all. Nope. It was future proofing my job. Completely intentional.
I’d like to imagine countless instances of this that we never hear about because there just isn’t anything concrete to write a news article about
Well the guy from the article is named David Lu and added a function with the name
IsDLEnabledinAD. That by itself deserves an article.
You’re an asshole
yes, you’re right, we should always bend over and spread our cheeks to appease our corporate overlords no matter the situation
He’s an asshole to the Dev that is hired to cleanup his mess, not to the evil company
That Dev should know how evil the company is as soon as possible though.
I have been burned out by project managers way too hard to have any respect for the capitalist tech world. I have more than 15 years of programming experience yet I’m literally looking for a job on a farm or warehouse.
They’re not saying to do this at any/every job, just shitty ones with shitty people
The defendant breached his employer’s trust
The company breached employee trust when they fired a bunch of people during a “realignment”.
Four years is far too long. If he had run over the CEO in the parking lot he wouldn’t have gotten four years.
It’s because they can quantify damages that way. Because you legally cannot put a value on the life of a “human” (still unsure if CEOs are human, but legally they still are), it’s just “murder” and not “you cost us eleventy billion dollars in downtime.” One is more negotiable in terms of damages than the other.
Then Ceos should be treated and charged with every crime a company commits or this is another class problem I’m going to solve. The guy who made the opiod crisis literally walked away with a billion dollar fine but should’ve gotten multiple live sentences for multiple murders.
You’re not wrong, but sadly that’s not how our legal system works.
Dipshit. Just do bad coding and leave timebombs that could be considered an accident.
Exactly, my coworkers at nearly every job have done this just by their disinterest in reading code and not caring about their craft.
It’s far more effective. Once you have a bad architecture and you keep adding to it over the years in haphazard ways, it becomes increasingly difficult to make any changes.
I mean, there’s a reason he got fired and it wasn’t because he’s a genius…
Yeah, name it after the boss, not yourself!
That just makes you a bad developer. And ripe for firing.
company ruins life of employee: stonk
employee ruin company: immediate imprisonment
edit:
Ultimately, Eaton Corp. bore substantial costs getting its network back online
actually, it did nothing to the company but cost it a few bucks. do not pass go/collect $200.
this person was not fired, he was laid off. he was not actively harming the company until the company ruined his life.
I mean the guy was just laid off. They didn’t “ruin his life.” They employed him for 11 years.
4 years is a bit much though!
You guys are wild. Why do you think it’s okay to sabotage your company just because you got laid off? If everyone did that everyone would be collectively fucked over, including coworkers and customers. And why is the company evil for laying him off? Should they just employ him for no reason if they don’t need the person? What if it’s a small business? Weird ass logic. If you think ur life if ruined from getting laid off then Ur life sucks.
He was employed for 11 years.
IDK about you, but if I get laid off, my life changes significantly by the next missed paycheck.
If it was in Europe, people being made redundant are typically given several months pay, but it’s America so he probably just got a t-shirt and a cardboard box.
he probably just got a t-shirt and a cardboard box.
So that’s clothing and lodging taken care of at least.
11 years in this field should be able to weather at least a few missed paychecks. Admittedly I didn’t read the article, but if it’s in the US they would be able to file for unemployment as well for supplemental income.
Doesn’t make the company evil. Should they employ him for 50 years just because he needs a job? Use ur brain.
No, they should pay him some months in advance so he has time to look for a new job.
Or at least give him some days off each week while still employing him.
What’s the difference between a lay off and firing people?
A lay off is when a company restructures and terminates the employment contract of several employees to save cost. Firing people is when you end an employment contract because of the employee’s bad performance or bad behavior. Or you shoot them out of a cannon.
Have to make an example of them lest the surfs realize they have power
*serfs but yeah
* Smerfs
Thought that didn’t look right
They’re both words. Serf is the one for a person subject to someone else’s rule just to live. (obvs not fully accurate definition, but dictionaries can give you the real deal)
Yea, sorry, English is my first language.
I actually cannot believe you have any upvotes for this type of comment.
If computers and networking were not involved, and we lived in the 1970s, this would be the equivalent of setting off a remote bomb in every factory across the country for your former company when you get fired.
This was a severe and premeditated act, and 4 years is what I would consider to be a moderate sentence for this type of computer crime.
In the 1970s this, first, would be an equivalent of what another guy wrote, changing a lock combination and not telling people, a minor mischief, and second, he’d have a union protecting him.
This is clearly disproportional.
A bomb kills\maims people and harms equipment, this is very clearly not a bomb.
In the 1970s this would be a scandal.
It is in no way a bomb. If this was the 1970’s, it would be the same as changing the combination on the safe and not telling anyone the combination after being fired.
Great username! Go Team Venture!
And how many people died or were injured? How much damage to property occurred?
Looks to me like he just wasted time and hurt revenue. That’s not any of the above.
You live in there modern world and see how things are going and your can’t believe people support the destruction of established systems? Ok.
I’ll agree to start imprisoning people for using their job to affect profit when CEOs start getting jailed for affecting the profit of those laid off.
Also, the equivalent to setting off a bomb? Get a grip on reality.
Ah, yeah, by the way - if you do something harmful at work and are hold responsible for it legally, it’s weird because when you do something clearly beneficial at work the company holds all the responsibility for that, and you hold your paycheck independently of the outcomes of your work.
So how the hell is this even treated as any kind of crime, let alone worth 4 years, is unclear for me. Some people seem to be forgetting that where peaceful protest is punished, violent protest finds a way.
If an intern damages a production database, they (or whoever else) are not (legally) held responsible, despite someone there definitely making a few mistakes leading to loss of profit. But it’s not even considered.
In this case it’s not a mistake, but does it matter? Unless they violated some security process inside the organization, thus illegally gaining access wherever, the story means that they used “maliciously” the access they were given.
deleted by creator
No one reviwing his code? Sounds like a timebomb in its self.
Gotta stay “lean”.
This was my first thought. Just zero code review going on? Some random server only that dude knew about? tf kind of controls these people have in place?
Oh right, none of the shit the company should have had.
Instead of jail time, the government should consider giving this guy whistleblower status and investigating the corp for negligence.
Idk kind of standard practice to have free reign of the place in certain positions. In my entire career working for billion dollar companies it wouldn’t be hard to bury anything like this. In fact I’ve done forensics on someone that did. Very few places outside government practice zero trust. Hell I’m sure the government fails to do this all the time too.
Kinda funny. 4 years seems excessive to me but what do I know.
this was stupid. A career ending move. no one’s gonna hire someone who wrote a logic bomb at their last job.
Yeah they will.
He’s going to end up running a consultancy where he charges absurd sums to give talks to corporate leaders on how to prevent this sort of attack. 😁
