Pro tip
When taking revenge, don't.
FTFY
A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers. Davis Lu, 55, spent a dozen years at Eaton and rose to become a senior developer of emerging technology, before the company demoted him after restructuring. Lu unwisely responded to …
He really wasn't the brightest spark at the company, was he?
On a lesser note, I am gravely disappointed that the author of this fine article omitted the obvious pun: "Developer makes an Eaton Mess".
Probably wouldn't resonate with your good self and the other non-Brit readers, though! (NB: despite the name and the appearance, the dish in question is delicious.)
> As The Register has pointed out time and time again, insiders can cause the most damage with ease. All the fancy firewalls, AI tools, and malware monitoring services won't protect you if the person running them goes rogue.
Treat people with dignity and respect and you'll seldom have to worry about them.
For the rest, Alfred said it best in the Batman movie: "Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn."
I think this was a comment by Voltaire concerning Byng whose hanging Voltaire interpreted as fatal lesson from the English establishment to others in the service to show more "willing."
Logically an arguable restraint in action implying unambiguous punishment would have the lack of punishment implying unrestrained action (contrapositive).
I don't think Voltaire was expressing his approval of the whole sorry Byng affair, which is what makes the use of his phrase seem out of place in this context.
"A US court sentenced ... to four years in prison"
The "evidence" which paints him as a total idiot, on a laptop that was in the company's possession, looks more like a frame than a picture. He may well have done it, but I don't believe that "evidence" for a moment.
Looks like a "pour encourager les autres" punishment to me - as usually seems to be the case when people inconvenience their ex-employers.
The correct term is not "kill switch" (which is just a general term for any mechanism that deactivates something), but "dead man's switch", which is a term for a deactivation mechanism that automatically executes in the absence of preventive action in a specified time period.
"They have that on tube trains in case the driver passes out."
It's nearly universal on every train these days. Train companies are also adding visual monitoring so if drivers are fiddling with their phones, the train may come to a stop as well. Continued employment after that may be a challenge.
When an admin is leaving, even on good terms, have them change their passwords and the administrator passwords during the notice period. This will bring to light any process where their accounts were used to keep the org running. This is to protect the employee as much as the employer. Because when you / they leave, you will be the scapegoat for everything that happens.
Also do a vm of their computer and archive it.
Once they leave for better things, change the passwords again.
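The "bring to light any process where their accounts were used" step above can be done before the first password change rather than by waiting for something to break. The script below is an added example (not the commenter's, and not tied to any particular product): it reads a CSV export of Windows security event 4624 (successful logon) records and lists the hosts where the departing account logged on as a service, scheduled task or network logon, i.e. the places where the account is wired into automation. The export format, column names and the sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Logon-type codes from event 4624 that indicate automation rather than a
# person at a keyboard: 3 = network, 4 = batch (scheduled task), 5 = service.
NON_INTERACTIVE = {
    "3": "network",
    "4": "batch (scheduled task)",
    "5": "service",
}

# Constructed sample export of 4624 events (not real log data). "jdoe" is the
# hypothetical departing admin; "asmith" is noise that must be ignored.
SAMPLE_EVENTS = """\
TimeCreated,EventID,TargetUserName,LogonType,WorkstationName,ProcessName
2025-03-01T02:00:05,4624,jdoe,5,APP01,C:\\Windows\\System32\\services.exe
2025-03-01T02:00:07,4624,jdoe,4,DB02,C:\\Windows\\System32\\svchost.exe
2025-03-01T09:12:44,4624,jdoe,2,WS-JDOE,C:\\Windows\\System32\\winlogon.exe
2025-03-01T03:00:01,4624,jdoe,5,APP01,C:\\Windows\\System32\\services.exe
2025-03-01T10:00:00,4624,asmith,5,APP03,C:\\Windows\\System32\\services.exe
2025-03-01T10:05:00,4624,jdoe,3,FS01,-
"""


def automation_dependencies(csv_text, account):
    """Return {(host, logon description): count} for non-interactive logons of account."""
    deps = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue
        if row["TargetUserName"].lower() != account.lower():
            continue
        desc = NON_INTERACTIVE.get(row["LogonType"])
        if desc is None:
            # Interactive / RDP logons are the person themselves, not a hidden
            # dependency that will break when the password is rotated.
            continue
        deps[(row["WorkstationName"], desc)] += 1
    return dict(deps)


def report(csv_text, account):
    """Human-readable list of what to re-point to a service account before rotating."""
    deps = automation_dependencies(csv_text, account)
    lines = [f"Non-interactive logons for {account} (fix before rotating the password):"]
    for (host, desc), n in sorted(deps.items()):
        lines.append(f"  {host:<8} {desc:<25} {n} logon(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS, "jdoe"))
```

Run it against a real export over a full billing/backup cycle (a month is a reasonable floor), since a task that only runs on the first of the month will not show up in a week of logs.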
"Also do a vm of their computer and archive it."
There are plenty of stories where an exec's credit card/email was used for an important outside service and the walls came down when it stopped at the next renewal since the company couldn't get the billing to go through and the contact email was dead. A cautionary tale for putting things on accounts tied to individuals rather than routing them through proper channels.
He installed IPP then?
IsDLEnabledinAD - I would have given him four years just for the camel case with an extra few years for the Java. ;)
Not as though you can't pick up a cheap notebook refurbished or new without using the company issued device to leave evidence of your nefarious deeds.
Could have even cloned the existing disk on to a new SSD, swapped disks, did the dastardly, swapped back, "declassified" the SSD (in a furnace).
Clearly not the sharpest tool in the shed.
"I am proud of the FBI cyber team’s work which led to today’s sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities," said assistant director Brett Leatherman of the FBI’s Cyber Division. "This case also underscores the importance of identifying insider threats early."
Yeah, great gumshoe work there, Sherlock.
The perp did everything except leave, in the words of Mr. A. Guthrie, "twenty seven eight-by-ten colour glossy photographs with circles and arrows and a paragraph on the back of each one explaining what each one was to be used as evidence."1
___________________
1 "It's a song about Alice."
Yes you can. Columbo is a great source of great ideas for murder. And in this day and age some movies are useful too, but so are articles just like this.
We'll never hear of the ones that did it properly, as they don't get caught. But people that do this REALLY need to think about it, think about it carefully, all the time, in the shower, on the bog, how would YOU find you if you had to investigate.
Doing searches is as bad as the bent UK copper that was using the work computers to search for guides on blackmail, as he was blackmailing people.
Use a burner account. If a 3rd party has admin access for whatever reason use that account, use that account to create your burner account. Hide your service with a name that blends in.
I do RDP hijacks to get into our 3rd party's admin account, I then use that to create dummy accounts to prove my point. But it has a flaw because you can see my own admin account doing the RDP hijack. Think of these issues.
The best one I've seen was Aaron Margosis doing a Sysinternals talk and mentioning AccessChk way back in 2014. It showed you the permissions on system objects. It could show you permissions on a service. And one place where he was called in for a security breach his team ran it and someone spotted something. They'd put the filter on to exclude all the noise and noticed the SNMP service had RW permissions on it. Looking more into it, it had Write DAC and Write Owner. So it gave them permissions to change permissions and the permissions to change the owner. Doesn't have to be SNMP, could be any service, and you then get the service to run your own code. It was a back door that was REALLY hard to find.
Heist movies are mostly far fetched but the good ones are still very useful for ideas. Oh and don't come on The Register and talk about your ideas.
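The check described in that AccessChk story can be automated from the defender's side. The script below is an added example, not the commenter's code and not part of Sysinternals: it parses the SDDL security descriptor of a Windows service (the string `sc sdshow <service>` prints) and flags any allow ACE that grants WRITE_DAC or WRITE_OWNER to a principal other than SYSTEM or Administrators. It goes a little beyond the story by also flagging SERVICE_CHANGE_CONFIG and the generic write/all rights, since any of those lets the holder repoint the service at a binary of their choosing. The SDDL strings below are constructed samples, and the trusted-SID allowlist is an assumption you should tune to your own environment.

```python
import re

# Two-letter SDDL right tokens that let a principal take over a service.
DANGEROUS_RIGHTS = {
    "WD": "WRITE_DAC",              # rewrite the service's DACL
    "WO": "WRITE_OWNER",            # take ownership, then rewrite the DACL
    "DC": "SERVICE_CHANGE_CONFIG",  # change the binary path the service runs
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
}

# The same rights as access-mask bits, for ACEs written with a hex mask.
DANGEROUS_MASK = {
    0x00000002: "SERVICE_CHANGE_CONFIG",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}

# Principals expected to hold full control of a service (assumption: adjust
# for your environment). SY = LocalSystem, BA = Builtin Administrators.
TRUSTED_SIDS = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

# Constructed sample: a service whose DACL hands WRITE_DAC + WRITE_OWNER to
# Interactive Users (IU), the pattern described in the story above.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRCWDWO;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the D: (DACL) section only."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        fields = body.split(";")
        if len(fields) < 6:
            continue
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def dangerous_rights(rights):
    """Names of takeover rights present in a rights field (tokens or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in DANGEROUS_MASK.items() if mask & bit]
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [DANGEROUS_RIGHTS[t] for t in tokens if t in DANGEROUS_RIGHTS]


def find_weak_aces(sddl, trusted=TRUSTED_SIDS):
    """List (sid, [right names]) for allow ACEs granting takeover rights to untrusted SIDs."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid in trusted:
            continue  # deny ACEs and trusted admins are not a finding
        names = dangerous_rights(rights)
        if names:
            findings.append((sid, names))
    return findings


if __name__ == "__main__":
    for sid, names in find_weak_aces(SAMPLE_SDDL):
        print(f"WEAK DACL: {sid} holds {', '.join(names)}")
```

Note that the trustee `WD` in the SACL line means Everyone, while `WD` inside the rights field means WRITE_DAC; the parser only reads the DACL and splits on field position, so it does not confuse the two. Feeding it the `sc sdshow` output for every service on a host gives the same "filter out the noise and look at what's left" view the story describes.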
Yes, I see the potential problem with using official Microsoft deletion functions.
dd leaves no such log entries. I'm not talking about WSL; someone wrote a freeware version of dd which runs under Microsoft Windows. It references drives and MS volumes using a non-Unixy notation, and I had successfully used it at work (for legitimate purposes).
I can see why they'd let him go, no brains. Poor opsec doesn't get close to covering the ham fisted sabotage and researching same on a company issued laptop. It's the sort of thing you'd research on a burner laptop you pick up cheap at a boot sale while on a long weekend trip. Once devised, one would at least use another account or create an account in a way that isn't telling and gets deleted immediately after. Bonus points for making it appear to be an account of the boss's offspring that was given a job to keep them out of trouble.
Too often the people that get caught doing this sort of thing make it easy to see why the company wants them gone.
As I get older, I seem to be developing an allergy to stupid. Stories like this precipitate an overwhelming visceral reaction within me. It's not just that I want to throttle the poor idiots for such a profound lack of foresight, or even simple self-preservation. It's that I am of a growing certainty that no matter what we do, the percentage of the population composed of these incontinent cretins is growing larger by the year. And it's getting harder and harder to avoid the results of their handiwork. It has ceased to be funny. They are a plague. I am reduced to mumbling "...the horror..." from Conrad's 'Heart of Darkness' as I contemplate the true hopelessness of our ever clambering out of the pit of base human nature. This is what we are. Irredeemable. C'est fini.
To have a quality IT setup, a company needs two things:
(1) People knowledgeable and motivated to design reliable and secure IT setups; and,
(2) Management which will approve and support the proper creation and maintenance of such setups.
Organisations providing item (2) above tend to be free of pathological office politics, and have much higher job satisfaction scores than companies lacking (2) above. Companies with high job satisfaction scores are much less likely (IMHO) to have a disaffected tech board the revenge boat. "Damn, it sucks I was sacked ... but I can see they needed to make cuts, and they are a good company to work for ..."