Over the years, a few times I've heard a (perhaps sometimes apocryphal) story of something like this. The first one involved a programmer who had access to the payroll database.
Has anyone heard of someone getting away with this?
It seems dumb to me. Someone might feel pettiness impulses when wronged, but grievances are what lawyers are for.
(I did hear a variation on this story, where a programmer had artificially rigged up spreadsheets to fail periodically, so that they had to be brought back in as a consultant firefighter to "fix". IIRC, the story was told by a programmer who'd investigated and discovered what was going on. But this is close to standard operating procedure for a lot of development teams, though: through poor technical and business decisions, by accident or design, you guarantee yourself years of encumbered, time-burning work, to maintain and extend that.)
Well, has anyone heard of someone escaping appropriate repercussions?
For example, maybe the company found out, but decided not to involve the police or demand repayment.
For another example, maybe an employee found evidence that suggested such a thing happened, but not far up the chain of command decided that investigating and escalating it wasn't worthwhile to the company.
My reason for asking, is that my initial reaction was that is just a bad idea. Then I wondered whether it was a bad idea that was nevertheless happening.
At a previous company we fired an analyst. This person had been combative from the day the company I worked for aquired the company he did. When asked to simply show us his reports the first day we met with him he refused saying he "wasn't prepared to show us the secret sauce yet, he wanted his job security". Unsurprisingly it wasn't long before he was fired.
As was standard practice IT was given a heads up with a time. His manager would call him into his office at X time and by the time he left that meeting he'd be locked out of his computer and all his accounts.
Well his manager decided there was no point waiting and he might as well just do it, so several hours before the appointed time, he did. The analyst asked if he could get some personal files off his laptop, the manager agreed, and the analyst proceeded to delete everything he had ever worked on, from SharePoint and every PowerBI report he could including emptying the recycle bin, with his (now ex) manager sitting across the table from him.
Needless to say I got a very excited call from our management. Only nice thing I will ever say about SharePoint, once I worked out it was a thing recovering everything from the second stage recycle bin was pretty easy. I then pulled audit logs showing him deleting everything and let management know I had them anytime they wanted to pursue legal action.
The day I left the company those audit logs were still on my desktop never having been requested.
Maybe not quite "getting away with it" in that I was able to undo the damage, but pretty brazen and to my knowledge never faced any consequences.
I heard of a vaguely related story. A team left a big investment bank, and stole some software along the way. The bank realized 6 months later, but decided to not prosecute. They concluded it would make them look too bad that a team managed to steal all this software and not be caught; bad to their investors, bad to other employees. So that was that.
Whether it's true is of course a whole different question.
One time, allegedly, a biz person attempted to bring valuable IP to their employer's competitor, including by exfiltrating files.
I can't say the most interesting/illuminating part, since that would point to the company, but I can say:
(1) I believe that the alleged defector-thief was going to be legally made to deeply regret that mistake; and
(2) for the company's future operations, there was a rush to show diligent security that would prevent this from happening again (and you can guess how well-reasoned the actual measures were, but reality was even worse than your guess).
Everybody loses.
Incidentally, I suspect that the company learned of the IP theft from the competitor, rather than from their own IT dept. (I'm sure many biz people are willing to poach from a competitor while expecting to benefit from arguably proprietary information that comes along in the defector's head. But I suspect that even many of those, if the defector started to whip out documents or other artifacts, would suddenly become furious paragons of righteousness, and smack that person clear out the door, while establishing a paper trail that their company wasn't exposed to the information.)
Oof that spreadsheet story is like a glazier breaking windows, quite a way to make yourself indispensable!
I had to bring in a forensic IT expert after terminating someone who twice claimed twice he "might know a way" to read folks' email with no traces in the logs. He had previously mentioned a deadman-switch type setup, but in more of a "wouldn't it be cool" way.
After forensic person found no exploits, the recommendation was to proactively pay the employee a chunk of change with the stipulation that any future hacktivity would be treated as a criminal matter. We didn't do that (employee wasn't smart enough to create an invisible backdoor, or dumb enough to not just walk away).
The bad decisions he made (hiring, vendors, boys' club culture) probably did more damage than malicious code, and it's taken about 2 years to undo it.
This is bad - but I doubt there's an engineer in here that hasn't written throwaway code to make a deadline, joked about some code they wrote being "job security" because it's so confusing, or picked a soon to be deprecated package to use because it was quicker to get up and running.
Ethics is lacking in our industry, and as more and more people are laid off, you're going to have the equivalent of tens of thousands of "dead mans switches" going off at every company just out of sheer disincentivization of quality that's become so common in today's engineering culture.
I'm aware of at least one project at $work that will definitely break at some point that no one but me knows how to fix. Despite my best efforts to leave breadcrumbs to good resources and an extensive ReadMe, I suspect if I'm gone they just won't care enough to fix it and let employees go back to doing things manually (based on what happens right now when I'm not available to jump on a fix immediately). I wonder how many inadvertant "dead-man switches" like this there are out there where the loss of specific employees can cause a disproportionate amount of damage entirely by accident.
I dunno, the ethics depends on the situation, right?
If the customer asks for shoddy workmanship in a system that will have some safety critical application that will hurt the general public, you have a the engineer’s ethical obligation to blow the whistle.
If the customer asks for shoddy workmanship because they don’t care to prioritize documentation and robustness in their ad system, that’s management’s prerogative. The customer can be trusted to represent themselves.
A deadline is a business decision. An engineer makes a tradeoff (incurring tech debt) in order to meet the business goal. How is this remotely an ethics issue?
I think it's important to say that ethics are lacking from top to bottom. It isn't just devs who lack ethics. Companies do incredibly unethical things all the time and many folks act like not going along with it is somehow bad.
When the lil person gets a lil revenge we blow it way out of proportion because we're so incredibly desensitized to the constant barrage of unethical acts by executives and corporations.
I was grateful to every employer who canned me, though my parting words, verbal or written, may not have reflected it. :-)
I left one paranoid boss on "Take your child to work" day. (Coincidence) but the main lesson was not to let anyone abuse you with insulting demands. I left everything in good order and all documentation up front. I always did.
No need for revenge. They all sabotaged themselves way better than I could, even with root passwords, because they did it with their own incompetence and overblown egos.
In my last job, requirements, such as they were, were based on some idea that someone in authority thought we might need. No consideration was given to the needs of the clients of the code. They weren't savvy in the any of the current technologies, so it wasn't even the latest fad.
I developed the skill needed to implement their dumbfsck idea-du-jour quickly and without breaking existing code. However, the resulting code was increasingly more convoluted and incomprehensible. I had inherited a god object that I only added to over time.
When I quit, my boss knew he was not going to find anyone that could keep up my pace, much less understand the code. He tried to get me to stay, but I told him that I will never work on this code again, so there'd be no point in staying.
A couple years later a former coworker told me that the guy that had taken over had a bug in some code that was convoluted but rock solid when I left. I figured he had noodled with the code and broken it. Sucks to be him.
Told my coworker to tell him that my advice it to look for another job.
So yes, I hear you when you say they're perfectly capable of sabotaging themselves.
I often found that assignments from my boss were to please the fantasies the boss or their boss, who seemed to pay more attention to those fantasies and toys on their desktop than actually getting things done in a solid way for the customer.
On one job, I attended meetings where amazing ideas were dropped off the table because management couldn't see the big picture potential. We were in a market where every vendor had a proprietary database schema, to stymie conversion. A bunch of us proposed giving away an open database schema, and competing in that larger market, which was beneficial to customers, and a meritocracy. Oh no. That would mean that product quality was more important than slick salesmanship.
The boss sued a disgruntled employee for hacking his computer, and after he won, the judgment was "Well, you two work it out". Right.
One director had a mania for "Windows NT is the next great thing" in production systems. Fortunately, I was on the Solaris side. I didn't hang around long enough to hear the success stories (as in throwing chairs, I imagine)
I've never understood this mentality. Your employer might be the absolute worst but this? This is comitting a crime. To knowingly sabotage a company this way is a crime. Technical people like to look for technical loopholes in laws and might say things "him not being there to stop it happening doesn't make it a crime" or whatever simply don't understand the law.
Likewise, I've never taken a document or a line of code from an employer. There's nothing I've ever written that I couldn't write better if I started again from scratch. And again you were paid to create those things. You might feel ownership over some work product like this but it doesn't belong to you.
Whenever I've left a job, whether it's on good terms or bad, I simply brain dump everything I did and knew and put it out of my mind, hopefully never thinking about it ever again. This is your job, not your life.
It says something about the inhumanity of our contemporary culture that people willingly accept that our employers have no obligations to us in any way.
Whatever your employer did, it's not worth you committing a crime and/or having to defend a lawsuit. It's just not. You will suffer way worse than the momentary schadenfreude you get from watching the company suffer.
That doesn't mean you can't look out for yourself. You should absolutely. For example, I would advocate for not quitting your job until you start a new one. Things like giving notice are a convention, not a legal requirement (in the US at least; it can vary by country). Companies can rescind job offers. It's better to start. Then they have to lay you off or fire you.
If your conditions are really terrible and you have the luxury of just walking then do that. Walk. Immediately. Let them deal with the repercussions.
> Whatever your employer did, it's not worth you committing a crime and/or having to defend a lawsuit. It's just not. You will suffer way worse than the momentary schadenfreude you get from watching the company suffer.
While I agree in principle that it's generally not worth getting caught for sabotaging a company you've left, I wouldn't categorically state that it's never worth it. I suspect you're unaware of some of the deeply shady stuff some corporations have done.
For example, IBM leased Nazi Germany census machines which were instrumental in the identification of Jewish residents during the holocaust, continuing to provide upkeep and service for years. It's been remarked that the concentration camps could never have reached the numbers they did without the aid of IBM's machines. To make things worse: the machines required the use of specialized punch cards which at the time were only provided by IBM, meaning IBM could have cut things off at any time.
That's probably one of the most egregious examples, but it's not the only one. Off the top of my head, Coca-cola was alleged to have worked with paramilitary forces to murder union workers in Columbia. Chiquita banana was also revealed to have funded paramilitary groups within Colombia.
Playing devil's advocate: there are almost certainly some cases where a person could be forgiven (or even lionized) for sabotaging their employer on the way out.
It never ceases to amaze me how even the most inocuous online discourse, such as saying criminal misconduct isn't worth it just because you hate your job, nearly always somehow proves Godwin's Law.
We're talking about someone who most likely had a shitty experience at a shitty company for a shitty boss. Most of us has been there. That's all we're talking about.
"What if they're making Zyklon B?" They're not.
"What if they're funding or otherwise enabling death squads in Myanmar?" They're not.
And if they were, why were you (in this case) happy to work for them for 12 years up until you were demoted, knowing this?
> I've never understood this mentality. ... This is comitting a crime.
Some percentage of the population is criminals. Of various levels. Most are not the completely ruthless kind, but some are. They're all around us, and we need to factor that in to our decisions.
I’m not making any judgement on this particular event but your rigid way of thinking that because it’s a crime it’s wrong is, well, too rigid.
If I was a citizen of North Korea and I assassinated the great leader technically speaking I just committed a crime too. You see the nuance here? Maybe you think because the laws are American and Americans can do no wrong. Extraordinary rendition was completely legal and a thousand times worse than what this guy did. 10 years for this, 0 years for torture.
I want to hear his side of the story. How did they fuck him over after he gave them years of work.
And what evil was Eaton Corporation performing? No, seriously. Put your hyperbolic examples aside that clearly don't fit the facts.
And let's say the company was evil in some way. Well, the defendant was happy to keep working for them (12 years in this case) and only started sabotating when he was demoted. So there's not a shred of a moral stand here. It's just pure self-interest, which is fine. But if you go the route of sabotage, don't be surprised if you end up jail. Is that worth it? The answer is no.
I'm reminded of a really old Simpsons quote [1].
Alternatively, you just hoard information and make yourself impossible to fire.
This article is non-specific about the charge but this article [2] says the charge carries a maximum 10 year sentence, which means it's a felony. So for the rest of his life, he'll be a convicted felon regardless of how much (if any) prison time he gets. That has consequences.
It's also strange he went to trial at all. The conviction rate in Federal court is roughly 99%. Most Federal criminal cases plead out. I'd love to know what, if any, plea deal was offered, if he represented himself (pro se) and, if he didn't, how much it cost him. It has to be tens of thousands of dollars in legal fees.
You see what I mean when I say, it's just not worth it? "What if it was a moral crusade?" you might ask. It wasn't. That's the point. That's why it's not worth it.
I don’t know what evil was done by the corporation. I’m not making any judgement. I need to hear the employees side of the story which wasn’t given here.
If any evil was done, why wasn't it raised as a defense at trial? We just had one. He was found guilty. The defense was actually "it wasn't me" with a bad cover up and his account was linked to the malware.
I don't understand this weird obsession with being contrarian just for the sake of being contrarian or to raise hyperbolic examples that don't fit the facts. Sometimes, even most of the time, things are just what they appear to be. In this case: likely a shitty employer and a shitty job.
He then compounded his error by going to trial (Federal criminal cases have a 98-99% conviction rate at trial), paying possibly $100k in legal fees, going to prison for possibly years and being a convicted felon for the rest of his life with all that entails (loss of rights, more difficult to find work, lower earning potential, difficulty in getting visas, more difficult to rent and so on).
And for what? What's probably just a mild inconvenience for the company for a day or two. WAs it worth it?
> If any evil was done, why wasn't it raised as a defense at trial?
Because the evil likely wasn’t illegal.
> I don't understand this weird obsession with being contrarian just for the sake of being contrarian or to raise hyperbolic examples that don't fit the facts.
False. No one is contrarian here for the sake of it you and I have a different opinion. That’s all you think someone with a different opinion than you is contrarian?
> And for what? What's probably just a mild inconvenience for the company for a day or two. WAs it worth it?
Fuck no it wasn’t worth it. That’s what I mean. It’s a “crime” but was it a crime worth 10 years? No. If you weigh the situation based on gravity the greater evil was done to him. That’s part of the whole thing about a crime isn’t the end all be all of evil. Just because it’s a crime doesn’t mean anything.
> Sometimes, even most of the time, things are just what they appear to be. In this case: likely a shitty employer and a shitty job.
Appear to be what? They have no quotations or anything about him stating why he did what he did? Because the information is missing you are making a wild guess.
I don’t know how you can make a claim out of thin air that things are often what they appear to be EVEN when you literally were not given his side of the story. In any typical investigation motive is a huge part of the analysis and we don’t have motive.
I bet the prosecutor was like you. Just destroy a mans life because he “broke the law” or did a “crime.” If a child stole food because he was hungry would you send him to juvie because it’s a crime? Let’s be real here. If I had to venture any guess about why he’s going to jail for 10 years a huge part of it is that someone fucking hates him.
Then he has no case to commit crimes. He was also happy to work there for 12 years and only effectively took action when he was fired. There's no moral stance here.
> ... you think someone with a different opinion than you is contrarian?
No, I can just spot the product of (probably undiagnosed) autism. That is, I made a statement ("it's never worth it") that to some, particularly on the Internet, is like a red rag to a bull. What makes it particularly funny is you complained about "rigid thinking" in another comment.
I was talking about taking revenge against shitty jobs at shitty companies. The more neurotypical among us know this. This is a statement that fit the facts, not some completely different hyperbolic statement like, oh I don't know:
> If I was a citizen of North Korea and I assassinated the great leader technically speaking I just committed a crime too
As an aside, you'd probably be executed if you weren't killed on the spot. Hope it was worth it. Of course, that has nothing to do with the issue at hand anyway.
> ... Because the information is missing you are making a wild guess.
Actually, I just went looking for more info [1], which adds:
1. Forensic information was found on his laptop and a development machine linking him to the attack;
2. He admitted it to prosecutors (and went to trial anyway, which is crazy); and
3. He gave the malware Chinese and Japanese names, assumedly to lay blame at a foreign actor.
> I don’t know how you can make a claim out of thin air that things are often what they appear to be EVEN when you literally were not given his side of the story.
This is what I mean by contrarian and also what I mean when technical people start making technical arguments to legal issues.
Here's the example I like to use. If the Feds trace something illegal being downloaded to a particular IP address and then find from the ISP the home it belong to, they then investigate then ultimately arrest and charge the resident of that home. "Technical" people will see that and say things like "you can't prove it wasn't someone who hacked his wifi" or similar. That's what I call a "technical argument". But it's not how the law works. Investigators will do things like look at what's on his computer, his search history, whether the activity occurred when he was likely at home and so on. This is a legal standard (eg "beyond a reasonable doubt" for criminal cases, "preponderance of the evidence" for civil), not a technical standard with absolutely zero room for doubt.
His defense (or lack thereof) at trial is information. His apparent lack of any public statements is information. The nature of the code, being that it only triggered when he no longer worked there, is information.
I strongly advise yourself to be introspective and question why you feel the need to effort-post so hard and imagine a scenario where this was justified, just because someone said "it's never worth it".
> If a child stole food ...
Exactly like this.
My advice to you, and I mean this with all the empathy in the world, is to introspect on why you have this burning need to correct every imagined wrong on the Internet, particularly for something as inocuous as "it's never worth it" about committing crimes. I guarantee you you'll be happier for it.
Lastly, you bring up all these weird exceptions where something is justified but go back and read what I said. I never said it wasn't justified. I said "it's never worth it". It's not about being right, or wrong. It's about the consequences regardless of your moral position.
Think about why you shadow-boxed with something I never said too.
> Then he has no case to commit crimes. He was also happy to work there for 12 years and only effectively took action when he was fired. There's no moral stance here.
Again, evil doesn’t need to be illegal to be evil. What the CIA did of Torturing people through extraordinary rendition was completely evil.
Additionally you’re making a moral judgement call here without hearing the other side of the story. You’re morally stubborn and while I don’t think you’re evil, you’re likely a person to conduct evil through sheer stubbornness and an inability to examine your own moral rules.
> I was talking about taking revenge against shitty jobs at shitty companies.
Depends on what the shitty company did for which you don’t what they did. No autism, just logic.
> As an aside, you'd probably be executed if you weren't killed on the spot. Hope it was worth it. Of course, that has nothing to do with the issue at hand anyway.
So. It’s not a morally wrong action. Basically your point was if it’s a crime then it’s wrong and this example was there to show you that this type of thinking is incorrect even by your own standards.
> Actually, I just went looking for more info [1], which adds
Again. No motive. Nothing about why he did what he did and what was done to him.
> This is what I mean by contrarian and also what I mean when technical people start making technical arguments to legal issues.
The word you’re looking for is overly pedantic. Such level of detail is appropriate here for someone receiving 10 years. But to you it’s too “technical” because it’s a “crime” and let’s ruin his life and likely the lives of his entire family by throwing him in jail?
Also im not asking for 100
Percent proofs on everything or anything. I’m simply saying we literally don’t know his motive. We don’t know why and what was done to him. He wasn’t quoted. That’s reasonable and if you can’t agree with that then you’re just stubborn.
> I strongly advise yourself to be introspective and question why you feel the need to effort-post so hard and imagine a scenario where this was justified, just because someone said "it's never worth it".
When I disagree and overhear something I disagree with I like to talk about it. I’m not busy so this stuff fills my time. When I agree with something I also like to post.
> Lastly, you bring up all these weird exceptions where something is justified but go back and read what I said. I never said it wasn't justified. I said "it's never worth it". It's not about being right, or wrong. It's about the consequences regardless of your moral position.
Right. And these exceptions are the consequences of rigidly following your logic. You even acknowledge my examples are clear exceptions. The point of the exceptions is to show you that THIS case without hearing the employees side of the story MAY also be an exception.
I obviously brought up those examples because you wouldn’t think those examples are morally right. I brought it up because it’s the logical consequence of your reasoning, I quote: “I've never understood this mentality. Your employer might be the absolute worst but this? This is comitting a crime. To knowingly sabotage a company this way is a crime.”
It’s like a crime is full stop wrong.
My advice to you is to ask what pushes people to commit crimes like this and what pushes people to put him behind bars for 10 years.
Looking up the corporation in question (Eaton Corporation), I would say I am not shocked. They seem to have a history of being particularly shitty to their employees.
I thought you were going to say "smart enough to crash an entire company, but too stupid to realize that their intelligence should be put to other uses."
He literally wrote a script that locked out everyone on the network the second they disabled his employee account in active directory. He even named the variable Is[DH]EnabledInAD where [DH] is his initials.
Well the script is there, but maybe someone else put it there, because they were leaving/being forced out and they wanted to sabotage the company and make it look bad for DH (Article says DL).
No need to sabotage the company immediately, revenge is a dish best served cold.
Unlikely, given that he confessed and that in other attack, he damaged the machine only he had access to.
I mean, it is theoretically possible there were two disgruntled employees, and second one pinned his crimes to the first one, but I think this is pretty unlikely, given the observeed lack of common sense.
There have always been people like this, that are simply brainsick and petty, but it's something that is probably being exacerbated by the extreme animosity between the people that run companies, and the people that work on the front lines.
I'm not naive enough to think there was a "golden age," when everyone was happy-dappy, but I think it's much worse, now, than it has ever been.
I mean, in order to do big, complicated things, you need teams, and teams need to work together. That means much more than just the "hard" skills of individual intelligence, creativity, and discipline. It's also all the "soft" skills, that help the team to retain cohesion, like mutual respect, loyalty, integrity, etc.
The problem is that the example needs to start from the top, and there hasn't been much of a good example, up there, recently.
It's not difficult to imagine people feeling justified in doing bad things to their team, like deliberately writing shoddy code, taking credit for colleagues' work, bailing out, before their bugs come to the surface, or throwing their teammates under the bus.
I always tried to foster a team that had mutual respect, and could focus on common goals, even when everyone had their own motivations and priorities. In my case, it worked, but I know that I was lucky.
Those conflicts (and there was a more recent one, in UK, during the 1980s), are with folks that have difficult, low-skill, low-pay, blue-collar jobs that can be filled by many people.
I doubt that you could find similar stuff about high-skill, highly-paid employees, such as engineers. I think that, even in the days when cavalry was being used against striking miners, the white-collar workers were being treated fairly well.
Maybe it has been worse for them, but I’m not so sure.
"Whoever he is, he's very cunning and won't do anything to atract attention and we'll never figure it out." ... Richard Priar the lowly data entry drone rolls up to the front door of the building in a lambo with a huge painting in the passenger seat...
Many years ago, I found a piece of corporate code that stopped working when a specific person ID was not marked active in the Users table in a DB for a specific application. That person was the long-time developer responsible for supporting that application, who finally happily retired.
This took a while to happen, since that DB was not kept updated very well, it was easy to find, and nothing malicious happened. Just some bad debug code that made it into prod.
Article is a bit light on the details. It says he was demoted, and there was a restructuring. Why?
Usually when there are motives that are not easy to relate to, the corporate media will tell you what a horrible person they are. When they are easier to relate to, there is a curious silence.
> 237. Developer sabotaged ex-employer with kill switch that activated when fired (theregister.com) 64 points by defrost 7 hours ago | flag | hide | 63 comments
It probably highlights that he was trying to cover his trail?
(Also if he wrote his fork bomb and AD lockout thing on company time using company hardware, then deleting his code for them might count as destroying company property?)
I keep my personal stuff off my work machines specifically because I'll be handing them back intact. If you've done some work on that machine but not saved it anywhere else it's still company property and wiping the machine is destroying it. No one is likely to give you trouble over it unless they go looking for something you supposedly had, but if they wipe it instead of me there's no risk of a misunderstanding.
This is good practice anyway, if your laid off or fired unexpectedly, likely your going to be locked out of your machine without notice and without opportunity to clean up.
Has anyone heard of someone getting away with this?
It seems dumb to me. Someone might feel pettiness impulses when wronged, but grievances are what lawyers are for.
(I did hear a variation on this story, where a programmer had artificially rigged up spreadsheets to fail periodically, so that they had to be brought back in as a consultant firefighter to "fix". IIRC, the story was told by a programmer who'd investigated and discovered what was going on. But this is close to standard operating procedure for a lot of development teams, though: through poor technical and business decisions, by accident or design, you guarantee yourself years of encumbered, time-burning work, to maintain and extend that.)