Seems pertinent to at least get an affidavit from the ex-employee detailing what he has done, agree to hold on to the hardware as evidence, put liability on the employee for any time-bombs that might have been stored, ask him explicitly to give in writing all the activities he performed, etc.
Just to have a thread to pull on, in the future, when something might go wrong.
We did get a hand written statement from him and the original evidence (hardware) is still untouched and locked away.
In his statement he wrote that the pi logged to the SD card but there was no data on the SD card (well not on the data partition) and I'm pretty sure that was a lie and it just logged to Balena.
But even though we could never decipher what the nodejs program actually did (because it was so heavily obfuscated) our internal working theory is that he was tracking the movement data of the boss to avoid him whenever possible.
>he was tracking the movement data of the boss to avoid him whenever possible.
Wow, imagine hating your boss so much you go to such creative and illegal lengths (that can backfire against you) to track him, instead of using the same skills legally to find a better job.
I just don't get it, something doesn't feel right about this being the true reason. To me it looks more like he wanted a covert backdoor in the company network for IP theft, blackmail or other such data exfiltration purposes.
If only he knew that in a year he could avoid his boss all the time thanks to covid-WFH.
> Wow, imagine hating your boss so much you go to such creative and illegal lengths (that can backfire against you) to track him, instead of using the same skills legally to find a better job.
I’ve mentored a lot of juniors. It’s not uncommon for young people, especially those with less developed social skills, to have an undeserved fear of their boss or anyone else with authority. It’s common with young people who have debilitating anxiety and a tendency toward rumination. They think that as long as they avoid the authority figure, they can avoid any negative social interactions (which are largely imagined).
It’s possible that the boss was bad, of course, but I kind of doubt it given that his response to this situation was to let the person off easy.
>I’ve mentored a lot of juniors. It’s not uncommon for young people, especially those with less developed social skills.
Sure, but even as a junior employee, we're still talking about mature adults here, not kindergarten kiddies, who can vote, pay taxes and are held accountable for their actions in front of the law, so they should be aware that deliberately backdooring their employer so that they can surveil their boss not only most likely violates the employment contract they signed but can also have serious legal backlash against them, both from the company and from the person whose privacy they were trying to break.
>It’s common with young people who have debilitating anxiety and a tendency toward rumination.
Yeah, I get that, but how is this an excuse for hacking your employer/boss? Why not seek therapy from professionals for that and try to either quit toxic workplaces or report abusive bosses and find a workplace that accommodates your personality and emotional type, instead of trying to hack and backdoor your employer's network to keep tabs on your boss?
There is no workplace in the world and no work colleagues that will tolerate you hacking their network and invading their privacy because you have anxiety and a tendency toward rumination.
No disagreement here, but to answer your question: If someone is struggling with social anxiety, they actually have to somehow overcome their anxiety enough to seek that help. It can be a real catch-22. (Not a justification for this person's actions by any means. Just explaining motivation.)
> Sure, but even as a junior employee, we're still talking about mature adults here
It’s a wider range than you’d think. Juniors range from seasoned employees who have had various jobs over the years to completely green employees who have never had to work a day in their lives. The latter group can allow a lot of people to avoid dealing with their problems and maturing for a long time.
> Yeah, I get that, but how is this an excuse for hacking your employer/boss?
It’s not, and I never said it was. I was only replying to the insistence that the boss must be a terrible person.
The author of this piece didn't work at the company. It sounds like the company wasn't really full of technical people. The perpetrator probably thought they were so much smarter than everyone else that they'd never be caught.
I think it depends on the company. Larger corporations like banks tend to have management types who are sociopaths or giant egos who only care about making themselves look good to their own boss. They expect their reports to work unpaid overtime and don't recognize their efforts.
> Wow, imagine hating your boss so much you go to such creative and illegal lengths (that can backfire against you) to track him, instead of using the same skills legally to find a better job.
I once worked at a place where one of the founders would too often get the shits with someone or some team, and become a micro-managing asshole for a few weeks. I wrote a Python script to run on the wifi router to monitor for MAC addresses connecting and disconnecting; ostensibly this was to publish a webpage with an "Is manager X in the building?" dashboard. Which also just happened to have filterable notification subscriptions and a Slack integration. Pretty soon, everybody he was micromanaging ended up getting 90 seconds or so notice of him arriving, as his phone connected to the wifi while he walked in from the car park.
The other managers and PMs all loved the dashboard, and I got a bonus for it at performance review time.
Not sure the micro-managing founder ever found out people were using it to alert when he arrived. His asshole tendencies extended beyond micromanaging staff, and he ended up in a fight with the other two founders that resulted in him leaving the country with a warrant for his arrest on fraud charges within about a year.
People in his firing line would mostly use it to make sure that they were at their desk and had Jira open while waiting for something to compile, instead of HN or Reddit…
The managers-in-the-building website dashboard stayed running for at least several years after that; when I left, it was still in regular use. People liked being able to do things like go "Hey, we've got the PM, Account Manager, and the CEO all in the office right now, let's grab the tech lead security guys, and set up a 3 minute corridor meeting to make this decision."
Realistically, how is this different from logging login attempts? If the device is configured to attach to the company network isn't it within the company's rights to know that a device is logged on at any given time even under GDPR? Or would it be the publication of that information - even internally - that would be the issue?
>If the device is configured to attach to the company network isn't it within the company's rights to know that a device is logged on at any given time even under GDPR? Or would it be the publication of that information - even internally - that would be the issue?
Logging anonymized MAC addresses is one thing, but converting the MAC addresses to employee names, revealing their location on premises that is shared with everyone in the organization without their consent is a completely different thing and is illegal under most EU privacy laws (at least in Austria and Germany).
Sure, in theory the company could already know when I come in to work from the logs of me swiping my access badge at the main security entrance door, but any such logs are kept private and can only be accessed by security and upper management if some act of theft or gross misconduct has occurred which warrants an investigation.
Sharing this information publicly with everyone in the org would be a privacy breach. If you want to know if I'm "at work" just look at my Slack/$CHAT_APP notification color.
What if this guy is just a hell of an introvert who is more comfortable rigging something like this up than with interacting with his boss? If this kid was in his early 20s I'd probably slap his wrist and impress on him the dangers of screwing with the company network closet. If he is an adult he really ought to know better.
It’s super complex. There are cases where the person “gets it” and just getting caught is enough to cause growth. Accountability in the form of punishment may be a waste of time or even harmful to growth because the experience is too painful to integrate. On the other hand, someone who is always let off the hook may never develop a true sense of responsibility and things only get worse. There’s no single factor to tell what’s the right thing to do all the time.
But within the theme of this thread, I strongly doubt the optimum solution is “full punishment in every case for everyone the moment they cross the age of majority.”
Well the effect of applying draconian computer intrusion laws is extremely damaging to anybody's trajectory, so it's understandable to want to find some empathizeable reason to soften the blow. "Kids" get punished by paying damages and a stern "don't do that again", whereas for adults it's like here's your ten year federal prison sentence for being a witch.
At one point you wrote "It is beyond me why a co-founder of a company would distribute these devices around town but well.." I take it, however, that the installer turned out to be someone else. Now I am curious as to whether this company advertises itself as a supplier of such things, and if so, what it claims about their capabilities. Given that the code has not been reverse engineered, can you be sure its capabilities are limited to data exfiltration? I'm also wondering what the perpetrator was up to, if the device's purpose was indeed to help him avoid the boss.
This is what I was thinking, except that I started wondering what weird shit this company or its owner are up to.. Maybe a slap on the wrist is just a solution to a mutually assured destruction situation. We all love conspiracy theories, so if I were the author of this article I'd quickly quash this one and provide some more deets.
How hard can you obfuscate nodejs? I'm pretty sure if you drop the code in some infosec channels they will happily take the challenge and tell you what it does ;)
For what it's worth, I'm pretty sure it's quite likely there is a disproportionate number of people Out There™ that would be very happy to sign an NDA and have a look at the nodejs program for free.
You might even be able to find someone local. Maybe wander over to the next in-person security conference vaguely nearby?
Sadly you have no contact info in your profile so I can't even suggest to people seeing this to cold-email you.
(I objectively don't think I would be very successful myself, given that you've mentioned everyone in the office looked at it; I don't have a lot of relevant experience, which sounds reasonably necessary to be successful here.)
Yes but if said book was used in the commission of a crime there is a certain level where it doesn't matter.
Don't plug shit into private networks unless you want it reverse engineered. This falls under the fair use exceptions (learning what software is doing / was doing to your network).
The copyright holder can take it up with whoever they licensed it to, there is a reason a lot of them read "not to be used in the commission of a crime".
Yeah, it'd be a pretty brazen or stupid hacker who tried to sue you for copyright infringement for code that if they claimed ownership of, provides proof of their illegal activity.
If the author was not the person who planted the device, they'd have a decent case. If person A throws person B's cellphone through your window, does that permit you to post person B's nudes online?