21 comments

[ 2.9 ms ] story [ 32.5 ms ] thread
(comment deleted)
“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”

Morality aside, that’s kind of hilarious.

Four years feels like a long time for this...
The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary and probably less prison time.
Should have named it cryptolockDefender() and argued it was to protect against someone disabling his account to lock out the administrator.
The article says he named programs after himself but also that he tried to evade detection.

How crazy would it be if he were framed.

Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.

Tinley plead guilty and got 6 months.

https://www.zdnet.com/article/siemens-contractor-pleads-guil...

(comment deleted)
The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their ActiveDirectory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person to have revealed this kind of access control vulnerability.
Waaaay overexaggerated sentence! But I believe this wasn't about the “damage” that happened but about sending a message asserting the power dynamics between the employees and employers, as in, if you dare to do something similar or rebellious you will have your life and future ruined forever, establishing a precedent that reinforces the power hierarchy between employees and employers. The underlying message suggests that any similar acts of defiance will result in severe and harsh consequences. By the way, modern dynamics have shifted a lot of things for granted. I know personally a few developers who worked back in the 80s/90s and up to this date the companies still pay them portions of their profits because these developers are the owners of that code and have ownership rights in the code they developed, meanwhile these days under “industry standards”, the code that you spent your time/life/etc. is totally owned by the company and you, the creator, do not, the original creator retaining no ownership rights whatsoever. Hilarious! slavery? Code monkey? Whatever you want to name it but definitely it isn't a good thing. It’s a substantial shift in the balance of intellectual property rights between developers and their employers.
Indeed, and to add to the irony, yours is the most downvoted comment. Developers think owning their work product is a bad idea?
So if a developer owns the code he wrote, and gets paid for it’s use over time, does he also get paid while writing the code? And how do you determine how much to pay for said code? By line count, but then that goes against some chunk of income/profit which also has to be spread among marketing people’s writings, and manager’s decision outcomes, etc? I just don’t see how this works realistically, but I’m open to being enlightened.
4 years for that is absurd.

We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?

What an absolute joke.

pretty dumb way to go about implementing this, dont skip code review kids
He gets an A for naming his methods sensibly. But Fs in morality and long game planning.
Just as a thought exercise, the better kill switch is a dead man switch that is disarmed every month or two until its next run, also one that acts as malicious ransomware that deletes everything including itself and all logs.

Obviously don't do this, because you don't want to be more morally bankrupt than your employer, or your whole argument of righteousness falls apart. The morally righteous never would, because they already know that employment in the US is voluntary for both sides. Also, over time, one would absolutely forget to disarm it.

the best kill switch is to write a slop codebase only you understand. no intentional evil little mechanisms, no intentional breaking, just the slop, slop written in good faith. now that is legal
To be fair, LLM can cut through unclear codebases like a hot knife through butter. The LLM may make some mistakes, but it gets the general idea.

There is one exception. It is when the code has no type definitions and obfuscated variable names, or worse yet, has incorrect type definitions and misleading variable names, but such code is not maintainable at all anyway, even for oneself.

In summary, even for the author to understand a codebase over a long period, it has to be well organized because human memory doesn't recall all the little details.