When Sysadmins Go Bad
An anonymous reader writes "Here is a story about what can happen when you think you're being oh so clever. This sysadmin planted so-called logic bombs on the systems he was responsible for and then quit. He also tried to game the stock market, buying put options on his former company, hoping to cash in when the disaster he engineered struck. Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"
How is that cruel? That is absolutely, completely normal administration, and anything less is gross negligence. Indeed, it should be common practice to reset any administrative password that a former employee might have had, and any coworker's password that they may have known: It has nothing to do with trust or mistrust, and even if it was the Pope who just left your employ that is standard protocol.
For critical systems, nothing gets changed without an approved change request. All changes must be examined, tested and approved by someone other than the programmer. You can also have a separate group to maintain the source libraries and to do builds.
Mea navis aericumbens anguillis abundat
That was the standard for a major (30%) layoff with the company I work for. Most people knew they were gonna get it by day's end because their logins wouldn't work. Some knew it on arrival at the lab because their key-fobs had already been deactivated.
You didn't happen to work at a biotech production lab in Cincinnati, did you?
It's standard practice. I've been asked to lock out employees (including my boss at the time) as they were being told they were being made redundant. It's not fun, and it didn't make me feel happy, but it's the job you have to do as a SA.
Puts can translate to vastly more money.
For example, right now UBS stock is about $50 and for $0.40 (last trade) you can buy a put option with a strike price of $45 that expires in about a month. So for $0.40, you can buy the right to sell the stock at $45.
If the UBS were to drop to $40, the payoff would be $4.60 (45-40-0.40). A $21K investment would pay $241K (less commissions).
Put option quick explanation:
Suppose that the stock of company FooBar is worth $80 today.
I buy the *option* of selling that stock at $80 in one week's time (this of course cost me something since there is a risk involved for the entity that I buy this option from).
Let's say that privilege costs me $1 (since everybody considers company FooBar's stock prices to be quite stable).
Now, one week later the "bomb" has blown up their computer system and the stock has plunged to $40.
The option of selling one stock at $80 is now worth $40 since the stock is currently priced at $40. I don't even have to own the stock since someone who does can buy the option from me instead.
In total I've made $39 on an investment of $1 in one week's time.
Add additional safeguards as you see fit - for instance you could have two people who know one half of the password and two different people knowing the other half, or three people each knowing a third of the password, and so on. It might be inconvenient on occasion, but hey, since when has decent security not caused a little inconvenience?
UNIX? They're not even circumcised! Savages!
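The split-password safeguard described in the comment above, as an added example that is not part of the original thread. It uses XOR splitting rather than literal halves or thirds: a holder of a literal half already knows half the characters, while an XOR share on its own is just random bytes. The function names, custodian names and the sample password are constructed for illustration.

```python
import secrets


def split_secret(secret: bytes, holders: int) -> list[bytes]:
    """Split `secret` into `holders` shares; every share is needed to rebuild it."""
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    # The first holders-1 shares are random pads as long as the secret.
    shares = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    # The final share is the secret XORed with every pad.
    last = secret
    for pad in shares:
        last = bytes(a ^ b for a, b in zip(last, pad))
    shares.append(last)
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """XOR all shares together to recover the original secret."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares must be non-empty and of equal length")
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def assign_custodians(shares: list[bytes],
                      groups: list[list[str]]) -> dict[str, bytes]:
    """Give each share to a group of people, so one absence does not lock you out."""
    if len(shares) != len(groups):
        raise ValueError("need exactly one custodian group per share")
    return {name: share
            for share, group in zip(shares, groups)
            for name in group}


if __name__ == "__main__":
    root_password = b"constructed-Sample-Pw-42"   # constructed sample value
    # "Two people know one half, two different people know the other half."
    held = assign_custodians(split_secret(root_password, 2),
                             [["alice", "bob"], ["carol", "dave"]])
    # One custodian from each group must cooperate to recover the password.
    print(combine_shares([held["bob"], held["carol"]]) == root_password)
    # Two custodians from the same group hold the same share and recover nothing.
    print(combine_shares([held["alice"], held["bob"]]) == root_password)
```
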
Yep. Standard practice at several places I've worked is for me to be asked to watch for a certain person to walk into the HR department. As soon as they're through the door, disable the account. That way, by the time they know they're being made redundant, they've already lost their access to the system. At a bank I worked at, that was followed by the unlucky victim being frogmarched to their desk by security, allowed to collect their personal artifacts, and then being escorted from the building...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
You can say that SysAdmins "own" the business, or at least, they control whether it runs or not. They can crash/corrupt/etc anything in less time than it takes you to fart...
It is a common practice to delete any sysadmin account *before* they get the news.
Most people I know were even escorted out of the building.
Think about the bad things a secretary can do? Not much... Maybe call a few customers and piss them off? Bogus orders of pizzas? Now think about what a sysadmin can do? Create a disaster big enough to kill a company... It's too easy to "skip" some backups and then crash a few DB's. I'm sure there are tons of ways you can "kill" a company... It's too easy for a sysadmin..!
-- Leeeter than leet
Not quite. You've described a short sale.
With a "short sale" you can borrow stock that you don't own, sell it, then later on, after the value has fallen, buy it, and give it back to its owner. Think of borrowing your neighbour's lawnmower in April when lawnmowers are expensive. Sell it for $200. Then in November when lawnmowers are cheap, buy a lawnmower on clearance for $100 and give it back to your neighbour.
Options (a put option is one of two kinds of option) are a bit different in that you don't actually buy any stock. You only buy *the right* to buy (call options) or sell (put options) the stock at a given price.
What's the difference?
Well, for options, you have a limited risk (it's impossible to lose more money than you put in -- the worst that can happen is that your options become worthless and you throw them away). But with a short sale, the risk is potentially limitless, since it's possible for the stock price to be infinitely high when you have to buy them back and repay the lender.
- In Capitalist America, law violates YOU!
A friend of mine was let go last week. During the meeting they informed her she could stay until the end of the week (3 more days), but she would not have access to anything.
Her access was removed during the meeting. She elected to head home immediately afterwards.
At my place of work, if you are given a termination notice, you continue to be paid for a month, and have access to your office and electronic accounts the entire time. You aren't expected to conduct company work during this time. Instead, you have free use of your office to hunt for another job.
C//
But was ultimately limited by his physical location and environment reach. Had he done this two years ago, he would have done more damage, but now that PaineWebber has been a part of UBS Warburg for two years, most of our transaction and settlement occurs in our Stamford facility. But he did take out an entire data center in New Jersey, three external websites, and connectivity to all 500 of our national retail (private investor) branches, FOR A WEEK!!
Don't get me wrong, I use sudo every day, and it's a great tool. But you have the following problems anyway:
These occasions occur on a regular basis. If I had to track down a frickin' envelope and get an Act of Congress to let me open it each time, I'd just quit.
Too late to be known as Bush the First, he's sure to be known as Bush the Worst.
If you discover them in the normal course of business, you explain what you were doing and how you discovered them. Do it on paper, sign and date the paper, keep a copy on your person, send a copy to your boss and whoever else it makes sense to send it to.
If you took it upon yourself to "audit" the system without specifically getting permission, then you probably violated a policy and potentially broke the law. The real answer is "don't do that."
Obviously "good" is tied to "doing what you're authorized to do," NOT "finding things that could potentially be held over someone's head but not yet taking advantage of them."
The company is responsible for ensuring its shareholder value is protected from people who violate policies and laws.
Randall Schwartz got a felony conviction- I don't believe anyone argued that he was going to maliciously use the information he gathered, but he violated policy and the current law in that jurisdiction. Exceeding your authority accessing computer systems is wrong. If you want to look around *get written permission* from someone who's authorized to grant it.
I do computer forensics relatively often on behalf of corporate clients. If something ominous happened to a machine you'd just probed that evidence wouldn't do you any good- even if you weren't linked to the original problem.
If the work environment is right, go in and admit improper access, explain why it won't happen again without permission and explain the findings. Otherwise, an unrelated event could put a bad spin on it that could do you real damage.
Paul
http://www.pauldrobertson.com