People should be asking Siemens...
About the 'cracked' versions of its NX software. Install that and it gains full access to your PC and phones home to Siemens with everything on your PC and info of all servers it is connected to.
A programmer facing up to 10 years in the cooler, and as much as $250,000 in fines, blew his guilty plea deal on Monday – after he tried to avoid admitting full blame for his actions. David Tinley, 62, was in court to admit planting logic bombs [PDF] in spreadsheets he had developed for Siemens over a decade ago: if he pleaded …
Not quite. Let me rephrase that for you:
When you install a copy of Siemens PLM, part of the process includes the code connecting to Siemens to verify you have a license to use the code. This can and does occur even if you downloaded a supposedly "hacked/cracked" version (so-called "warez"). If your licensing information doesn't stand up to scrutiny, Siemens retains information about your use of the illegally acquired code, and offers you the ability to purchase a proper license instead of being fined heavily and/or going to jail for software piracy.
It's called “compulsory licensing”. Most high-end code contains this kind of thing. Sometimes the warez doodz miss it. Caveat emptor.
Your beef isn't with Siemens. It is with the so-called hacker/cracker who released the code to the warez world without actually making the code safe to run "anonymously". And very likely it is your own damn fault for not running the code on an airgapped machine that can't phone home, as suggested in the documentation usually included with the cracked code.
Moral of the story: Use properly licensed software, chuckletrousers.
(Source: Client of mine. $200 million a year engineering group. When I found out what was going on, I advised the Board of the above. They fired the CTO and paid Siemens ... NOT a fine, mind, but the same exact rate they would have paid if they had purchased the code through the proper channels. Siemens was actually quite reasonable about it, and threw in an upgrade to the current code and a year of free tech support, which surprised the hell out of me.)
Then consider this situation, which happened a couple of years ago. A mechanical design student got a summer job; he used NX as part of his new job. Wanting to learn more quickly about the functionality of the S/W, he did a stupid thing: he downloaded and installed a cracked version of the S/W on his personal PC at home.
Jump forward a little: the company at which he was doing his summer job receives a demand from Siemens regarding the unlicensed software; they were demanding £250,000. A demand for payment because an individual had downloaded and installed it on their own PC at home, without the knowledge of the place he was working.
How did Siemens know where to send the demand when he was using it on a non-work PC and didn't have a work email in Outlook on his PC? The company which received the demand didn't roll over; they contacted a specialist who, from what I understand, analyzed all the telemetry going into and out of the binary blob. The only link on the young guy's PC to the place he was working was email sent from his browser, not Outlook. Siemens was collecting all this information and more, including examples of designs he was working on as he was learning about the software. They were deep inside his PC.
When Siemens went to visit the company to have a discussion about payment for the unlicensed software, first it was made very clear to Siemens they didn't have a legal leg to stand on, and when the full report of all the telemetry being pulled was presented, the Siemens guy's face went grey.
After that, Siemens sent a letter to say the licence fee was being waived in this circumstance. The company which holds the telemetry report still has it but, because it is a major user of NX software and no alternative which is good enough is available, decided not to go public.
What was made very clear from the telemetry analysis is that Siemens, if they wish, can see exactly what their software is being used for, including all the engineering designs being worked on.
Or, more likely, the moronic spanner in question either "borrowed" the config from work and didn't sanitise it (earning a medal for stupid) or set his bent copy up as if it were a work copy, typing in all the details (oak leaf and cluster on said medal).
I'd bet that the company has a site license, rather than paying per seat, the Siemens license server spots it running configured for Company A in two geographically disparate sites and fines Company A.
I hope they fired the dickhead.
Wrong. ANY company in the world who handles PII data on European citizens is subjected to GDPR.
In other words, your company could be from Timbuktu, but if you hold an address for Joe Bloggs in the UK, or Jose Blogaça from Spain, GDPR applies or GTFO of the EU market.
"How did Siemens know where to send the demand"
Simple. They didn't. Your story, the way you understand it anyway, is obviously missing some very important bits and pieces. And embellishing others that perhaps never existed. A true "heard it from a friend of a friend" story, featuring the old child's game of telephone ("Chinese whispers" to you Brits).
"They were deep inside his PC."
The warez doodz certainly were. Do the math(s).
And what the fuck would Outlook have to do with it?
> Nope. BYOD at that company is strictly forbidden. No personal laptops or phones are allowed anywhere near the corporate network.
It's also fairly feasible the guy was using a VPN to connect to his work on occasion, which would allow "auditing" code running on the home PC to collect a bunch of info from the work network and pass it along.
"What was made very clear from the telemetry analysis is that Siemens, if they wish, can see exactly what their software is being used for, including all the engineering designs being worked on."
Some engineering firms have their CAD and/or Finite Element Analysis machines on air gapped networks to minimise the risk of undesirables accessing their data. (I have no idea why this isn't standard practice...)
It's been quite a few years since I last used NX because we currently use some competing software, but I'd be amazed if there wasn't still a way to run it on a computer without an internet connection, because some of their customers would then *not* be able to use NX.
You can get a 5000 character formula into a cell. Excel only starts throwing a wobbly when you go above 8192 characters.
You can often run into that problem while debugging array formulae, as each section of an array formula can easily handle tens of thousands of rows, so while stepping through with F9 you go over the limit even though you have no intention of actually writing a formula of more than 100 characters or so.
“Siemens .. put a team of people on it, including coders .. figure out if the dodgy code had caused mistakes in the past. It spent $42,000 on the issue”
That would take me about two hours, and if I wrote the logic bomb then you wouldn't even find it. A password-protected Excel spreadsheet; this Tinley is obviously not the brightest LED in the drawer.
It's not a question of clicking on each cell with a mouse to see if anything's in it.
You follow what the code does, and I guess you could write a routine to scan for other code/formulas in the far-away cells at zzzzzz999999.
p.s. lolz to Walter saying it's both easy and impossible at the same time
But that's the point, if I was going to do something like that, I certainly wouldn't put it in code. I'd put it in a cascaded cell reference somewhere, with a value that at some point goes out of bounds and causes parts of the model to no longer work - but I wouldn't make it display an Excel error either.
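As an added example (not code from the thread, from Siemens or from the Tinley case), here is the kind of "scan the far-away cells" routine the earlier comment describes, written in Python against the raw .xlsx container so it never opens the workbook in Excel and never runs a macro. It reads the sheet XML parts straight out of the zip, works out the bounding box of the plain-value cells, and flags formulas sitting far outside that box, formulas that reference far-away cells (the cascaded-reference trick from the comment just above), formulas built on clock-dependent or volatile functions (the ones a system-clock rollback would defeat), and the presence of an embedded VBA project. The column/row gap thresholds and the sample workbook are assumptions constructed for the demo; the zip entry names are the standard Office Open XML layout.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
CELL_RE = re.compile(r"\$?([A-Z]{1,3})\$?([0-9]{1,7})")
# Functions whose result depends on the clock or changes on every recalc:
# the obvious way to arm a formula-only bomb that only fires later.
TRIGGER_FUNCS = ("NOW(", "TODAY(", "RAND(", "RANDBETWEEN(", "INDIRECT(")


def col_to_num(col):
    """Column letters to 1-based index: 'A' -> 1, 'Z' -> 26, 'ZZ' -> 702."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def parse_ref(ref):
    """Cell reference to (column, row): 'ZZ9999' -> (702, 9999)."""
    m = CELL_RE.fullmatch(ref)
    if m is None:
        raise ValueError("bad cell reference: %r" % ref)
    return col_to_num(m.group(1)), int(m.group(2))


def scan_sheet(xml_bytes, col_gap=50, row_gap=1000):
    """Findings for one worksheet part. The gap thresholds are assumed values."""
    def tag(name):
        return "{%s}%s" % (MAIN_NS, name)

    cells = []  # (ref, col, row, formula text or None)
    for c in ET.fromstring(xml_bytes).iter(tag("c")):
        col, row = parse_ref(c.get("r"))
        f = c.find(tag("f"))
        cells.append((c.get("r"), col, row, None if f is None else (f.text or "")))
    if not cells:
        return []

    # Bounding box of the plain-value cells: that is where the real model
    # lives. Fall back to every cell if the sheet is formulas only.
    box = [(col, row) for _, col, row, f in cells if f is None]
    box = box or [(col, row) for _, col, row, _ in cells]
    max_col = max(col for col, _ in box)
    max_row = max(row for _, row in box)

    def is_far(col, row):
        return col > max_col + col_gap or row > max_row + row_gap

    findings = []
    for ref, col, row, formula in cells:
        if formula is None:
            continue
        if is_far(col, row):
            findings.append(("far_cell", ref, formula))
        if any(fn in formula.upper() for fn in TRIGGER_FUNCS):
            findings.append(("trigger_function", ref, formula))
        # Naive reference extraction: it also matches inside string literals
        # and names like LOG10, so it errs towards false positives, which is
        # the right way round for a triage tool.
        for m in CELL_RE.finditer(formula):
            if is_far(col_to_num(m.group(1)), int(m.group(2))):
                findings.append(("far_reference", ref, m.group(0)))
                break
    return findings


def scan_workbook(xlsx_bytes):
    """Scan every worksheet part plus the VBA container of an .xlsx in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = z.namelist()
        if "xl/vbaProject.bin" in names:
            findings.append(("vba_project", "xl/vbaProject.bin", ""))
        for name in sorted(names):
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml"):
                for kind, ref, detail in scan_sheet(z.read(name)):
                    findings.append((kind, "%s!%s" % (name, ref), detail))
    return findings


# Constructed sample: a tiny order sheet (A1:B2) with a helper formula in C3
# that quietly pulls in a far-away cell, and a date-armed divide-by-zero
# parked at ZZ9999. Only the parts the scanner reads are included.
SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1"><c r="A1"><v>100</v></c><c r="B1"><v>7</v></c></row>
<row r="2"><c r="A2"><v>250</v></c><c r="B2"><f>A1*B1</f><v>700</v></c></row>
<row r="3"><c r="C3"><f>B2*ZZ9999</f><v>700</v></c></row>
<row r="9999"><c r="ZZ9999"><f>IF(TODAY()&gt;DATE(2016,1,1),1/0,1)</f><v>1</v></c></row>
</sheetData>
</worksheet>"""


def build_sample_workbook():
    """Constructed .xlsx-shaped zip with the sample sheet and a dummy VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, where, detail in scan_workbook(build_sample_workbook()):
        print("%-17s %-36s %s" % (kind, where, detail))
```

On a real file, call `scan_workbook(open(path, "rb").read())`. Sheet protection and VBA project passwords leave the zip readable, so this scanner gets past them; a workbook encrypted with a password-to-open is an OLE compound file rather than a zip and `zipfile` will reject it, which is exactly the obstacle the password discussion in this thread is about.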
Could no-one at Siemens crack a spreadsheet password? If you know what the program is supposed to do, especially if you have access to it for months, then anything that is designed to crash would stand out like a sore thumb, especially as it would be written in VB. I would have stored the bomb in XORed uuencoded data stored as a BMP object.
I'm getting all triggered here over all the down votes :(
Could no-one at Siemens crack a spreadsheet password?
Quite possibly, and I'm just guessing here, their corporate security guys don't allow them to download, install, and run hacking software on the corporate network. Just possibly, they don't allow the client order spreadsheet to leave the network. Bit of an obvious issue trying to reconcile those things, no?
I would have stored the bomb in XORed uuencoded data stored as a BMP object.
You're my hero. Now, what if they didn't have any BMP objects in the rest of the workbook - kinda stands out again doesn't it?
Any sufficiently bad code can take days or weeks to untangle. It's not just finding the first bomb, it's verifying that you found all the bombs.
Good ol' Excel strikes again.
Look at any organisation today in the Beancounter Department. Excel is king.
Macros, VBA code, special plugins, references to other spreadsheets, URLs and god knows what else. All done in the hopes of plugging the gaps in their own processes and procedures, or complete lack of them.
Pry open the hood on any spreadsheet that was "developed" a few years ago, and I'll guarantee that after 2 weeks of hair-pulling, teeth-gnashing, Tourette's-inducing investigation you'll find formulas, code, references or any other "smarts" from them (the Legume Logistics Department) that are just plain wrong.
Excel is never the answer. In fact nuke the bloody thing from orbit, just to make sure.
He's not saying the logic bomb problem occurred because Excel was involved.
He's saying, as an aside, that wherever Excel is involved it's a stain on the system - either a decent system that some spreadsheet-obsessed muggle thought he'd introduce Excel to, or the spreadsheet is a patch to fix parts of a shit system, or, worst case, the system is built on Excel.
I currently run a system that has web dashboards, graphs, queries and whatever you want to work with the info and data it deals with.
And yet people be all like "How do I extract this dataset into Excel so I can do xxx yyy"
and I'm all:
"YOU DON'T, you F****** idiot! Just tell me what you want, and I'll show you why the system already does that - put your shitty spreadsheet away!"
That said, there is a place for spreadsheets - but it's sure as hell not getting a contractor in to do a job without even telling I.T. - who probably would've shown you why you didn't even need that step in the process - and then letting the contractor fuck off with a password and a full wallet, only to ring I.T. support 2 years later and ask them to fix the passworded mess the long-gone contractor made.
/rant
If you have Excel, everything looks like a spreadsheet.
I've already replied to one of your comments on this topic with a snarky post but from a user perspective, a lot of the value of getting a clue in Excel is how amazingly versatile it is, so that you don't need to learn how to use a dashboard set up by Vogon A and another tool from Vogon B, you just put the data in Excel and use one tool.
Not saying that everything should be in Excel. It most definitely shouldn't, and as a reporting tool (guessing at that from how you've described it), your system is probably better. For going in and digging around the data, Excel is quite possibly superior.
Yeah, it has its uses, as I said.
In my case I'd go to the SQL backend first for more in-depth manipulation of the data ...
then to Excel (with a good dose of VBA in it) when my SQL skills ran out.
In fact, the other day one department told me they were still running a 15-year-old Access DB in parallel with my system because of (reasons), and they had to manually compare the 2 regularly.
After getting up off the floor in shock re the access.exe,
I opened a spreadsheet, imported various bits of data from both systems and automated the comparisons they'd been doing manually.
I guess that's one of the "patch" situations I described in the other post :)
I have a theory - hopefully never proven - that if someone ever comes up with a Zero Day that stops Excel from working irrevocably - then by the end of that week civilisation will have fallen and we'll be eating each other....
Every corporate I have worked in has at least 1 business critical process running on Excel.
If he was an employee, his work product belongs to his employer. If he was a contractor, the same is true for stuff he developed while they were paying. It is only if they hired him and he used something he'd previously developed on his own time that he could claim ownership of it. But he better have some record of having made that clear when it was installed and them acknowledging it. You can't just install something you put together to over the weekend off the clock and logic bomb it to keep them paying you.
Maybe he should claim that his coding contains Planned Obsolescence, thus turning a potential felony into a classic business practice. I am not trying to excuse him, nor am I trying to excuse purveyors of Planned Obsolescence in the field of computer software.
It would be funny if the trick could be defeated by turning back the system clock.
plea deal required him to pay back Siemens some of the money it had spent tackling and fixing recurring glitches in spreadsheets that managed orders for electrical equipment – spreadsheets he built for the global giant in the early 2000s.
If this "Global Giant" was letting this one dodgy guy make a spreadsheet to do all its ordering, he'd have been better off pulling a "Superman 3" / "Office Space",
especially as this has taken 20 years to come to light.
When I worked at Tesco Head Office (before the billion-pound overstated forecast) the stock ordering/delivery process for every single store in the country was run through an Excel macro, and there were no real controls for sending them out etc.
I was given complete control of the Excel document when the usual bloke was off on holiday and I honestly could have just done fucking anything, and considering I was a fresh-out-of-university (where I studied History, no less) temp worker I'm honestly surprised I didn't completely destroy the company while running it.
Why would Siemens use password-protected Excel files written by a third party, and how come that third party kept the copyright? What were the terms under which they were using the files? ... this story is very strange.
That guy must be a future-seeing genius if he wrote Excel files which survived from the early 2000s until now with only his logic bombs preventing them from working.
Were they right after an Office upgrade when the files stopped working?
My guess is the guy had a check to see if the file was not copied, and the rest of the failures were due to upgrades of Excel, and they sued him to get the IP and be rid of him.
Most DRM software works like code bombs anyway; I guess when it comes to going to jail it matters more if you're Johnny Public or BigCorp Inc.
[...]evidence that Tinley added code to the complex spreadsheets that "had no functional value, other than to randomly crash the program,"
Sounds like 99.99% of all code submitted by first time contributors to a FOSS project.
Only somewhat more seriously, if this is a felony then nearly any "legacy" software system could populate a prison.