Ancient American Proverb
Wisdom handed down from father to son for countless generations (well 3 or 4 if you want to be pedantic - ancient wisdom has to start somewhere):
"Don't fuck with The Mouse."
A disgruntled ex-Disney employee has been arrested and charged with hacking his former employer's systems to alter restaurant menus with potentially deadly consequences. Michael Scheuer was charged [PDF] and arrested last week for allegedly violating the Computer Fraud and Abuse Act on three occasions by breaking into a …
@JoeCool "renaming the font file so that it would be picked up as the correct font, then propagated through the db, and requiring 2 weeks to recover, from a backup. that shows pretty good abuse of internal system design. that's a quality hack."
Maybe, or it could be as simple as using a font editor to open the Wingdings Symbols TrueType font, then renaming and saving it for each font to be replaced. Then using his work credentials to access a computer Menu Creator was installed on, uninstall the Disney Menu TrueType fonts © from the computer and install the renamed Wingdings Symbols.
Not really much of a hack when his work credentials still worked.
© Probably 100 years, knowing Disney
Two weeks to recover is almost certainly due to internal process delays.
The actual recovery time will have been half a day. Plus waiting for managers to sign off on the 'new' menu layout, then waiting for the next print run.
Quite possibly it's simply a fortnightly print run.
The cost would have been far higher if the attacker hadn't done the Wingdings thing though. It's very unlikely anyone would have noticed the QR code or missing allergen information until a diner complained (or worse).
On the contrary. By changing the fonts, he made sure that the attack would be discovered quickly.
Changing the QR codes was also done in the style of a script-kiddie website defacement. If his QR code had redirected to a website laced with affiliate links, which then sent the user back to the genuine Mouse site, he could have intruded profitably for a long period.
Removing - or changing - the allergen information could have done far more damage, again over a long period.
And he didn't cover his tracks (or Mouse clicks...).
Amateur!
What, no Toy Story jokes? Was he 'Buzzed' when he did it? Did it give him a 'Woody'? Was 'Sid' involved? Did he 'Etch' his initials someplace on the web site? Was he caught "Slinking" (ok a bit of a 'Stretch')...
(all those Debian releases from back in the day made me think of this)
1) ...his work credentials, which still functioned after his termination. That means whoever's in charge of your HR exit process should be looking for a new job about now.
2) ..a couple of weeks, requiring backup restoration to fix. If it takes two bloody weeks to restore your menu system, then whoever's running your data centre and whoever signed off on the backup / recovery process being fit for purpose should also be gone by now.
3) ...redirect menu QR codes... No need to do anything about this, QR codes are an exploit looking for a gullible idiot to happen to anyway. Still, knowing that, someone decided to use them and that person should be getting nervous.
his work credentials, which still functioned after his termination. That means whoever's in charge of your HR exit process should be looking for a new job about now.
Exactly. By all means jail this clown for what he did, but Disney's damages/compensation should be limited to a symbolic $0.01
2) ..a couple of weeks, requiring backup restoration to fix. If it takes two bloody weeks to restore your menu system, then whoever's running your data centre and whoever signed off on the backup / recovery process being fit for purpose should also be gone by now.
Really, this is the one detail that really caught my eye. Now is this the truth? Or is DizzyNee pumping up the numbers for drama? If it really took two weeks, that's a paddlin!
Generally they're competent at meeting the exact wording of the contract (not its spirit though) for as little money as possible. This also means they're competent at writing contracts which are easy to wriggle out of and which are biased massively in their favour.
Now, I appreciate somewhere like Disney has the lawyers on staff to be able to spot this and tighten up any contract awarded, but there's only so far you can go before the bidding company pulls out and you're left with no one to pick up your latest tender if that happens too often.
his work credentials, which still functioned after his termination
Yep. This is an inexcusable failure. They need to fire whoever made the policy that created this scenario.
It may or may not be the fault of the account admin, but I would bet it's upper management policy failure and work culture.
"It may or may not be the fault of the account admin"
Quite. They can only do something about it if they've been told an employee is being "let go" and also the priority - i.e. "we're firing him now so need him to be locked out of everything now".
I wonder how this "misuse of computers" compares to Microsoft's constant and blatant "misuse" every time they force their crap on users despite them having said "No!" - such as the almost forced Windows 11 upgrades happening now.
Yes I know you can use a GPO to block it. But damn it, we bloody well shouldn't have to! When will Microsoft learn "No" means "NO"?
I wanna see some Disney villain doing that on the next Ratatouille or something, changing all the menus to Wingdings and removing the allergen warnings.
And karma turning on his head, as the villain is violently allergic to peanuts and choking to death on them.
=======================
Geez, that could have been qualified as terrorism or attempted murder.
the changes knocked the system offline for a couple of weeks, requiring backup restoration to fix
I think more people belong behind bars. I'm just not sure who, being unfamiliar with the system in question, but we have a case where either the techs absolutely didn't think to simply change the font back, so it took two weeks and restoration from backup... or the system is such a steaming turd that it needed restoring to get it back to sanity after changing the font.
If it's really that simple to bring the thing to its knees... jeez.
But, yeah, any sympathy I might have had for an effective hack vanished the moment he decided that it was a good idea to nuke the allergen information. Bastard. [note for non-UK readers: in the news right now, 14 year old girl dies on holiday in Italy due to peanut allergy, this shit's serious]
This is something that's always got to me. Why does a criminal receive a lesser sentence if his plan doesn't work?
Potential murderers will have often got shorter sentences due to a particularly skilled doctor. If that doctor had been sick that day, and a less skilled replacement failed to save the life, the perp would get a tougher sentence!
I know, Hippocratic oath, and all that, but I wonder if after some attack, any doctor thinks "this bastard will be saved from the chair if I manage to save this victim"
> Why does a criminal receive a lesser sentence if his plan doesn't work?
It depends on the jurisdiction, but in a lot of places attempted murder has a big overlap of sentence ranges with murder and/or manslaughter, which should lead a Judge to give a sentence for attempted murder equivalent to some murders if the facts of the case warrant that.
Disney says man can't sue over wife's death because he agreed to Disney+ terms of service
Remember, at the moment the removal of allergen info is just an accusation (but it's Disney so it's as good as won).
Yeah, horrible. I wonder if they were on an international visit, because $50K for a death is an extremely low claim. Disney knows they will have to leave soon, so they even refuse to pay that paltry amount.
Disney filed court documents in May saying the $50,000 lawsuit should be dismissed and resolved by individual arbitration because of terms Piccolo agreed to when he signed up for a free trial of the streaming service Disney+. The filing also says he accepted the same terms when he used the Walt Disney Parks website to buy tickets.
Correct, but now it appears they have found someone to blame.
If we are to believe Disney, all restaurant menus were printed after this guy allegedly removed allergen info, nobody noticed there was no info, nor was it necessary for anyone to notice there was no info when proofing the menus.
The only saving grace is that it's hard to read a Wingdings-font menu, so in order for printed menus to have shipped someone would have had to switch the fonts back and NOT check anything else.
Then again, minimum wage workers and "right to work" don't breed any kind of desire to do more than the absolute minimums.
There isn't, but it's a classic narcissistic rage thing.
Still having enough access after termination to be able to pull this is grounds for firing the HR management (not grunts).
Taking 2 weeks to effect a recovery is grounds for sacking IT management (not grunts).
Interfering with safety-of-life data (the allergen information) takes his behaviour from mere defacement to terrorism (intention to cause the death of random bystanders AND create a panic in the process).
If the intention was to take revenge on the company for whatever perceived reason, then changing only the allergen information would have been harder to spot (maybe not for weeks or months) and could have cost Disney billions in compensation payouts.
But changing the fonts screams look I have done something bad, check some more.
Who in the US hasn't been screwed by a company? Working in the US is just a matter of time before someone either doesn't pay you or uses you like a rag and then fires you when they find some fresh meat. I've been f****d and been treated unfairly by many employers; as an IT guy it's pretty much expected. You need to develop a sense of resiliency and a thick skin, knowing that at any moment your job can be cut. Always ready, always looking has been my motto. I've been locked out of my admin account first thing Monday and all my shit stolen (scripts, files, etc). But at no time was I ever SO DAMN STUPID to even think about doing something like this or even try it. Let alone to a company that has just as many lawyers as they do employees! This cat is the definition of a blind, stupid, arrogant and ignorant IT dude whose mindset is somewhere in the 2000s when you could get away with shit like this!!!
What a total imbecile, believing he was going to get back at them and get off scot-free. Because of his stupidity he deserves everything they give him!! IDIOT!
The House of Mouse, obviously
BTW: In some countries "Mickey Mouse" means high quality and isn't a reference to those 1950s wristwatches that would disintegrate as soon as you looked sideways at them
Just like in some countries "Pukka" means "good" and in others it means "utterly fucked" - which is a cause for great amusement when inhabitants of the latter countries run into "Pukka Pies".
in some countries "Pukka" means "good" and in others it means "utterly fucked"
Curious in which countries pukka means "utterly fucked."
Not really part of AU English and only heard in period dramas or from pretentious poms like Jamie Oliver.
Apparently the particular sense of pukka used is 'solid' but also meant 'cooked', I believe. So in the sense of one's goose being cooked I can see the "utterly fucked."
This chap apart from having lost the plot, has decisively incinerated his goose.
The first rule of employee offboarding is to deactivate all credentials immediately. If Disney fired the guy and left a credential active, Disney IT screwed the pooch and allowed a hacking attack that could have been prevented. Rewriting menus with Wingdings is pretty funny though.