When Sysadmins Go Bad

An anonymous reader writes "Here is a story about what can happen when you think you're being oh so clever. This sysadmin planted so-called logic bombs on the systems he was responsible for and then quit. He also tried to game the stock market, buying put options on his former company, hoping to cash in when the disaster he engineered struck. Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"

Someone's been reading a bit too much BOFH...

[BuhSnarf]

:eek:

Everyone died today? Large lack of posts!

Re:Someone's been reading a bit too much BOFH...

[AndroidCat]

I'm saving it for a Lord of the Rings Triple Feature. (Somebody's got to show one some time. I'll be there.)

Sheesh!

[tigress]

Obviously, in the sake of security, you should NEVER provide system administrators with dangerous tools such as root passwords!

Seriously though, security is a very delicate matter which is entirely built on trust.

Ways to improve security is to limit access to only what you actually need to use. In the case of system administrators and the like, it's not quite as easy as they obviously need a high level of access.

One solution would be to have third party audits of the systems, perhaps with read-only access in order to prevent tampering, but even then you need to trust the integrity and skill of the auditors.

Another thing to remember is to have a solid disaster recovery plan, but that's only good AFTER something happens and the person designing and implementing this plan will likely be the person that has the most access.

There's no universal answer to this problem. If I knew of one, I'd be rich as heck from selling it to companies.

Re:Sheesh!

[oliverthered]

Sheesh exactly, so, what happened here.
1: The sys-admin had enough access to the systems that he could change the configuration and clean up and prevent the changes from being detected.
2:
The company didn't have proper procedures inplace to stop 1 happening.

Examples of good procedures could be.
*Systems provide automated roll back.

*Changes can only be applied through a script that is run by xyz and required GOD access (say knowlage of a password that changes daily)

*System should be configured to audit any changes that take place

*A review process, where by any changes are reviewed by another member of staff

etc.......

the sysadmin was bad the company was useless, I'm not supprised he quit and tried to take the company down.

Re:Sheesh!

[stinky+wizzleteats]

1: The sys-admin had enough access to the systems that he could change the configuration and clean up and prevent the changes from being detected.

Right on the money. This situation is yet another good reason why you should have a large enough IT staff.

I also couldn't help noticing that only *nix is capable of meeting your system change policy with any degree of reliability. Fancy that.

Re:Sheesh!

[arivanov]

No comments on the company as it happens to handle the stock options of one of my previous employers...

One comment on the sysadmin - cretinous moron. If he wanted make money on the options he should have been much more subtle. A sudden surge of damage makes everyone go to the backup tape rack. Everything is restored to pristine state in a day or so and the perpetrator is easily caught.

Compared to this slow corruption and small logical errors in the nth sign after the decimal are much harder to pinpoint and deal with. A similar case in germanyt a while ago operated for more then 5 years before negotiating a settlement. He did not even get caught.

Overall - what a greedy cretinous idiot. They should have fired him earlier for stupidity.

Re:Sheesh!

[wobblie]

wait .. you forgot

* treat employees with respect and dignity and they won't want to fuck you over

Oh no - that'll never happen.

Re:Sheesh!

[void*]

Now wait a minute

Examples of good procedures could be. *Systems provide automated roll back.

This isn't a procedure. This is a potential feature of the system itself. When I was a unix admin, I versioned config files, because unix doesn't provide automatic versioning of files, allowing rollback of config changes. However, as the person who set up the versioning system, if I had gone bad I would have been able to sabotage the files under revision control as well. Unless the system itself enforces this (i.e, the system keeps all versions of all files and does not allow an admin to change, in any manner, old versions), this sort of precaution can be bypassed.

*Changes can only be applied through a script that is run by xyz and required GOD access (say knowlage of a password that changes daily)

This, also, sounds good. However, on some Unix systems, at least, there have been issues with setuid scripts related to how the system loads and executes them, allowing race conditions that can lead to root access. Note that the issue I'm talking about is -not- a bug in the script, but rather a side effect of how #! loading is handled by some systems. A large percentage of the Unix S.A.s I know rightly disallow the use of setuid scripts for this reason, and the fact that it's easy to write a script that allows things like /tmp races and other bugs that lead to root access and/or clobbering of files.

*System should be configured to audit any changes that take place.

Again, not a procedure, but a potential feature of the system. If the system doesn't allow this directly, how do you propose to implement it?

*A review process, where by any changes are reviewed by another member of staff

"Hey Dave, I'm sabotaging the system -- Can you review my change for me? Thanks!" - Do you really think someone's going to let a change like that get into the queue for a review process? Are you advocating a line-by-line code/config review of -everything- every single time a change is made, and do you realize how impractical that is, especially if the deployed system is complex or the number of deployed machines is large? Do you understand that it is possible to make a change that cannot be reviewed?

You can do things to attempt to prevent this sort of thing, but you have to understand that there is no procedural solution for this problem -> the best you can do is reduce the odds that someone can do this and not get caught. This is a laudable goal, but, while in pursuit of this goal, the practical limitations need to be kept in sight.

The moral of the story is, it's very easy to post on Slashdot saying 'x, y, and z would have prevented this', with x, y, and z being impractical/impossible to implement, and through some twist of logic, come to a conclusion such as:

the sysadmin was bad the company was useless, I'm not supprised he quit and tried to take the company down.

Re:Sheesh!

[Darth_Burrito]

This isn't exactly a universal solution, but one could theoretically outsource all administrative tasks to another insured company. This third party would have their own set of protocols to follow consisting of backups, rollout procedures, etc.

It would be damned annoying at times, no doubt changes would be slow to roll out, but as long as this company was in business you'd have certain guarantees about your infrastructure. The company would have to have some kind of contract insurance. If one of their employees gets fired and triggers a bomb, their insurance should cover damages. If one of your employees uploads a bomb/change, the third party has control over backups and their methods have not been compromised, so they can still restore.

Of course, you might not be able to do everything that way, and the insurance would probably have some really high premiums.

Re:Sheesh!

[Arandir]

Are you advocating a line-by-line code/config review of -everything- every single time a change is made, and do you realize how impractical that is

Departments do this all the time, with much more complex code. Those departments are collectively called "Software Engineering". It may be impossible to grasp by IT departments, but it is possible, and desired, to review every line of code making its way into the system.

To be fair though, IT has different requirements. When the system is down, you don't have time for a review. But that's no reason not to do a post-fix review.

Re:Sheesh!

[SectoidRandom]

There is one option that far too many companies almost refuse to consider. That is; Treat employee's nice. Yes it's a hard one, and for most companies (and many people) it's easier to rebuild the entire network after every sysadmin change!

Sad but true all too often.

I had a friend who after being with a company for three years was the victim of a whole lot of drummed up charges, it was clear that the real motive was cut backs, I guess HR and many others didnt like the fact that he earned more than all of the rest of the administrators combined. So one day he was escorted out of the building, after which they literally unplugged the network, the whole Australian network (3000+ users) was offline for three days while the rest of the admins rebuilt every server!

Did it do any good? No, of course not. A typical simple minded HR view, after spending probably many thousands of dollars in time (and consultants) rebuilding the network not only was he still able to gain access, but he won a big unfair dismissal payout!

Re:Sheesh!

[yeOldeSkeptic]

I think some large companies divide the root password
into halves and each half is given to a sysadmin.
That way, in order to make changes to system
configurations, at least two sysadmins are needed.
No one person can install anything in the
middle of the night.

I don't know how widespread this procedure is
but I think it does put one more hurdle to
a malicious BOFH like the article mentioned.

Re:Sheesh!

[Arandir]

They could just sneak their code in, but it's still going to be hard with a decent source control system and procedures.

There are several ways to tighten up your checkin security, but I will mention but one: the source repository isn't hidden, so do an automatic nightly audit of checkins to see if they match the authorized checkins, and compare the build to the installation. If you find something that doesn't match, then someone's been tampering.

Re:Sheesh!

[LinuxParanoid]

However, as the person who set up the versioning system, if I had gone bad I would have been able to sabotage the files under revision control as well.

I don't disagree with your points or overall perspective, but thought I'd toss out one fairly simple "reduce the odds" step that deals with one of the key issues you raised.

As part of an investment deal in a company I worked for, we put all our code, and in fact, CVS trees in CDs into third-party escrow on a regular basis. (The fairly inexpensive escrow package included one escrow update per month as part of the price.) We did it for different reasons, but this approach would be quite resistant to after-the-fact sysadmin tampering.

--LP

Re:Sheesh!

[strobert]

It is post like this that make me think /. should allow point totals to by >5. This is the #1 way to prevent the issues. As the previous poster said "Trust" is the key. Well what heklps trust? by the company continuing to show it trusts and respects the employee.

And yes it is sad that the vast majority of companies (and more appropriate the vast majority of people in management positions) just don't get it.

Sounded cruel at the time.

[FTL]

Many years ago one of our staff left at the end of the summer. Our boss said "Thank you very much for working for us ... [pause as the door closed, then turned to a coworker] ... delete his account."

Re:Sounded cruel at the time.

Never ever delete an account before you're damn sure you won't need it (say one to five years after last use, no kidding). Just disable it, backup the home directory and log any access attempts.

Re:Sounded cruel at the time.

[ergo98]

How is that cruel? That is absolutely, completely normal administration, and anything less is gross negligence. Indeed, it should be common practice to reset any administrative password that a former employee might have had, and any coworkers password that they may have known: It has nothing to do with trust of mistrust, and even if it was the Pope who just left your employ that is standard protocol.

Re:Sounded cruel at the time.

[BitchHead]

That was the standard for a major (30%) layoff with the company I work for. Most people knew they were gonna get it by day's end because their logins wouldn't work. Some knew it on arrival at the lab because their key-fobs had already been deactivated.
You didn't happen to work at a biotech production lab in Cincinnati, did you?

Re:Sounded cruel at the time.

[N3WBI3]

Thans nothing I worked at a company where me boss came and told me to revoke his bosses access and give copies of his mail/data to some guys with no necks in suits.

Re:Sounded cruel at the time.

[$rtbl_this]

Gets my vote. I saw this blow up at my current workplace when a former IT drone's account was deleted (not suspended) as soon as she left the building, without anyone realising it was used as the service account for many things, including the backup server. It took many hours to track down all the things it was used for and to furnish them with saner accounts. I think this probably counts as an accidental logic bomb.

The really sad part of this is tale that it took over a fortnight for anyone to notice in the first place. Weep.

(I'm not part of the local IT department, so I'm blameless with respect to this particular fuck-up. I commit enough fuck-ups of my own without claiming responsibility for anyone else's!)

Re:Sounded cruel at the time.

[Tet]

I've been asked to lock out employees (including my boss at the time) as they were being told they were being made redundant.

Yep. Standard practice at several places I've worked is for me to be asked to watch for a certain person to walk into the HR department. As soon as they're through the door, disable the account. That way, by the time they know they're being made redundant, they've already lost their access to the system. At a bank I worked at, that was followed by the unlucky victim being frogmarched to their desk by security, allowed to collect their personal artifacts, and then being escorted from the building...

Re:Sounded cruel at the time.

[archeopterix]

Many years ago one of our staff left at the end of the summer. Our boss said "Thank you very much for working for us ... [pause as the door closed, then turned to a coworker] ... delete his account."

One of our customers (a bank) has a very funny login policy - you cannot login unless you are inside the building. Of course this is achieved by tracking employee use of ID cards to unlock doors, so it is not 100% airtight.

Re:Sounded cruel at the time.

[scoove]

without anyone realising it was used as the service account for many things, including the backup server

This absolutely screams of bad process design and the blame must go to inept management.

Some suggestions I'd pass along (having learned the hard way the first time, as well have having played on both tech and manager side of the fence):

- use role accounts/contacts, not personal ones: Domain registration, administrative accounts on servers, contact email addresses for company stuff, etc. should all point to a generic role contact or account. It's easy to map these to the appropriate individual accounts, but avoids the hell of deleting accounts when someone leaves. I've had to personally intervene with countless companies that have had their Internet domains registered in an employee's name (individual, not role) and experienced all sorts of nonsense when the employee left.

- require documentation (and if you're a tech, provide it and maintain even if you're not asked): Too many tech folks act as if knowing and not sharing process information, passwords, etc. is job security. It's not - it only ensures that when you go, they'll get rid of you like ripping off a bandaid, rather than offer obligatory goodies (severance, consulting contracts, etc.). I've been an advisor to many of these episodes where some tech had attained too much system control and refused to share it. The slightest demand for special treatment from these techs usually creates a knee-jerk reaction, but in the end, the tech always loses (so what if he downs the company's server for a few days - he just ensures bad references will spread and he'll be unemployable at any real job). Share your information! Document your password. Give copies to your boss. Being open like this creates trust and you'll be rewarded by knowing more things not usually shared, or in the even of a downturn, you'll probably get favorable treatment or even be retained (because they can trust you).

*scoove*

Re:Sounded cruel at the time.

[Doc+Hopper]

This happened to me once when I telecommuted for a company in Silicon Valley. I knew I was history long before the HR director called and said "I have some extraordinarily bad news". I said "Yep, I know, I've been laid off or fired" and he asked "What would make you think that?". I explained about the fact I couldn't log into any systems (and had watched my access get pulled, system by system, while trying to get work done that day). He suggested that it could have been chance, and found it odd I would jump to that conclusion.

Nope. If I get forcibly booted from a system, and then can't log into it again, I'm pretty sure either I pissed off another sysadmin or it's time start looking elsewhere...

Re:Sounded cruel at the time.

[scubacuda]

Amen...

Because even if you recreate one with the same name, it's NOT the same account....

Re:Sounded cruel at the time.

[Phil+Gregory]

As others have mentioned, disabling accounts is significantly better than deleting them. A very good paper on the process of dealing with the termination of a system administrator is Matthew Ringel and Tom Limoncelli's Adverse Termination Procedures.

--Phil (I highly recommend Limoncelli's other papers, too, especially "Deconstructing User Requests".)

Re:Sounded cruel at the time.

[invenustus]

It's a nice idea, except when they fsck up the chronological order in which these things are supposed to happen. I've heard the story any number of times, once at a place where I was working, of a worker saying "stupid computer says I don't have permissions on these files" a few hours before being summoned to the manager's office.

Re:Sounded cruel at the time.

[Jucius+Maximus]

"Could be worse - I've had accounts deleted BEFORE I was let go. In fact, thats how I found out I was terminated - my login no longer worked."

Dilbert Comic:

'Ted the Generic Guy' walks into the office and complains to the boss: Jeez, my security card access wouldn't work so I had to tailgate into the building. Then my phone mail refuses to let me in and my network password was refused! Is it possible for anything *else* to stop working today?

The Boss: Tee hee hee ...

Re:Sounded cruel at the time.

[PhilHibbs]

After I'd left a previous employer, I got a phone call from a former coworker to let me know that the boss had nearly exploded the following Monday AM, when he got an email from my account. The system had a 'release' date that you could set on a message, so I'd just configured it to send the following monday to send a thank-you email to my colleagues and managers. The boss thought I'd somehow managed to log in to the system after leaving the company. I guess I could have got into trouble for it, but what the hell, I didn't leave with bad feelings on either part.

Re:Sounded cruel at the time.

[GothChip]

Souds like he left that a bit late.

Accounts should normally disabled before they even leave the building - normally during the HR interview.

Re:Sounded cruel at the time.

Never ever delete an account before you're damn sure you won't need it (say one to five years after last use, no kidding). Just disable it, backup the home directory and log any access attempts.

Please, please, please take his advice!
I would be extremely disappointed if my cron jobs that sabotage the company did not run after I left!

Re:Sounded cruel at the time.

[Courageous]

At my place of work, if you are given a termination notice, you continue to be paid for a month, and have access to your office and electronic accounts the entire time. You aren't expected to conduct company work during this time. Instead, you have free use of your office to hunt for another job.

C//

Re:Sounded cruel at the time.

[ScuzzMonkey]

That has happened to several people where I am at, as well.

I often wonder how exactly they'll handle it when they can me (I'm the sysadmin). Yeah, they could have one of my techs lock my account... but I'd just figure I mistyped my password a few times and go in on the admin account and unlock myself! Sticky wicket for them if they ever decide to fire me. "Scuzz, could you please lock yourself out? We're getting rid of you in a bit here..." :)

Re:Sounded cruel at the time.

[Courageous]

Yeah, I agree. On unix systems, to kowtow to individual responsibility, I simply put "Managed by [Full Name]" in the free text field. E.g., backupacct, "Managed by John Smith".

C//

Re:Sounded cruel at the time.

[Carbonite]

It's true that the Pope can retire whenever he wants, but retiring isn't usually considered "losing your job". I believe the parent meant that there's only one way for the Pope to get forced out, i.e. the Big Pink Slip.

Re:Sounded cruel at the time.

[gorilla]

It's always been standard procedures at every company I've ever worked at to change all privlaged accounts and lock the personal accounts whenever anyone who may have known them left.

Re:Sounded cruel at the time.

[nil_null]

One day, I went into work and tried to login and it told me my account was disabled. Turns out my account had been configured incorrectly or something. Still, its a bit scary when you've only been working for 3 months and all of a sudden your account is disabled.

Re:Sounded cruel at the time.

[redcliffe]

I know that Telstra in Australia does this. Mind you they take away any permissions that would let you do damaging things, and AFAIK it was only for voluntary redundancy.

Re:Sounded cruel at the time.

[Enry]

I change passwords immediately, but don't delete the account itself.

Re:Sounded cruel at the time.

[ScuzzMonkey]

As if I'd tell the techs what the admin password was in the first place... otherwise they'd do the same thing when I had to get rid of them!

Re:Sounded cruel at the time.

[pi_rules]

Pfft.. I've got you beat. I was the semi-sys admin at a company once, who just knew enough about the NT systems we had up and running to take over in the event that our main admin was out for the day. We got along great, he took care of everything NT and I took care of everything *nix and we could swap back and forth for emergency situations.

One morning I'm pulled into a conference room at around 9:30 am and the HR guy starts scribbling on a piece of paper while my General manager lets me know that the company will have to be laying people off because times are getting tough, or something. So, they hand me a piece of paper with a time table and names on it. I'm instructed to disable each account at the appropriate time, which is when they'll be letting the person know they're fired. So I have to sit there and wait for hours before this is all over. I'm the only person aside from management that knows what's going on. I was given a bit over an hour heads up so I could make sure that I did indeed have the appropriate rights on the network to still do all this and if not just gather up the appropriate passwords from the NT admin.

I tell ya... that's a shitty feeling. Sitting across a cube-hallway across from a guy that goes "WTF? Something's wrong with my login.".. then seeing a manager walk in 2 minutes later and let him know he's fired. Nobody held it against me, but the NT guy did wonder why I had been plunking away in the server room (glass doors.. he could seem me)... I told him I just had to check a few things.. .then he was fired as I left the room.

Everybody took it well though, especialy the NT admin who knew a heck of alot more about how things worked than I did there. He left himself available over his personal cell phone for the next few weeks to make sure things were ironed out okay as I slid into his role.

Still... that was one horrible feeling morning at work.

Re:Sounded cruel at the time.

[0xA]

When I got laid off one time, I knew 2 hours before it happened.

My genius manager invited all the development team but 2 of us to an off site lunch meeting. When they got back not one of them could make eye contact with us.

I then get asked to meet my manager and the CTO in his office...

Uhh sure thing boss!

> scp myhouse entire_code_repository

Be right there!

Re:Sounded cruel at the time.

[ScuzzMonkey]

No, no... the password is locked away off-site in a safe deposit box as well, in case of my death or dismemberment. But it's unlikely that my technically less than astute superiors would realize they would need to retrieve that and get it to my subordinates ahead of time in order to successfully lock me out of the system.

Re:Sounded cruel at the time.

[ScuzzMonkey]

Although, you are right, if I were to go bad, they'd be in a world of hurt. But that would be true regardless, no? Because even if someone else knew it, I'd undoubtedly change it to something they didn't know before performing my other nefarious deeds anyway. This system, minimizing knowledge of the golden password, is actually best from my perspective, because it minimizes that chances that someone could go bad and really cause unfixable issues--I am really the only risk (and consequently the only suspect if something happens--a good incentive to make sure nothing does) and therefore the only one to really worry about.

If the systems involved were more business critical, I'm sure there are more complete secure methods for double-checking control, but there's nothing here that can't be gone without for a few days. And even so, like most companies, this one will allow me to spend very little time on security matters, since they'll never believe it's an issue until there is a serious breach.

Re:Sounded cruel at the time.

[Courageous]

BBN Technologies.

C//

Re:Sounded cruel at the time.

[Courageous]

You're a felon at heart? Interesting admission. Perhaps you should get counseling?

C//

When /. Sysadmins Go Bad?

[da3dAlus]

What the hell just happened?

I go to post a comment and I get a page full of ads. I think someone set up /. the [logic] bomb...

Re:When /. Sysadmins Go Bad?

[Jucius+Maximus]

"What the hell just happened? I go to post a comment and I get a page full of ads. I think someone set up /. the [logic] bomb..."

Were they ads for hotjobs.com? If so, it is possible that a sysadmin is warning you (via hosts mapping) that your boss may set up your job the bomb!

Re:When /. Sysadmins Go Bad?

[bytesmythe]

Maybe CmdrTaco got fired? See? They shoulda yanked his account! ;)

Re:When /. Sysadmins Go Bad?

[fanatic]

that your boss may set up your job the bomb!

And in English, that would be...?

Re:When /. Sysadmins Go Bad?

[Jucius+Maximus]

"that your boss may set up your job the bomb!"

"And in English, that would be...?"

It means that your boss is preparing to fire you.

How can they prevent it?

[MadKeithV]

By making sysadmins unnecessary!
Have everyone running WINDOWS XP! That doesn't need any system admistration at all, it has perfect uptime and is fully transparent for even the dumbest user!

[/sarcasm]

You *could*...

[veddermatic]

Have two sysadmins, who work in different areas, and who a la "missle key firing system" both have to approve additions to important code bases.

Obviously, you could get two bad apples and have the same thing happen, but odds are slim.

Problem is, it tough to find ONE good admin, much less two, esp. with tough times for business... having to dole out twice the budget to protect yourself "just in case". Then again, it would double the job market =)

OR mabye CVS everything, and look through all changes an employee made after they quit... then again, the clever get around this, etc.....

*sigh* People just suck sometimes.

Re:You *could*...

[Hanashi]

Actually, I don't think it's nearly as easy as you make it sound. Ok, assume we have set up such a dual-approver system. It has to run on some computer, right? There has to be someone somewhere who can administer that computer. The super user can always tamper with the software in ways you won't be able to detect.

Even assuming the absence of an all-powerful superuser, there are problems. Someone has to be responsible for installing, maintaining and perhaps upgrading the application that manages the dual-approver system, so there's at least one person who doesn't need any confirmation before setting you up the bomb.

And even if you solve that problem, there's the problem with untrustworthy hardware. Someone somewhere has physical access to the box, which would provide them with the ability to, say, take the disk drive "for maintenance", mount it in their own box, diddle whatever code they want, and return the "fixed" drive to service.

And that brings up the problem of... and then the problem of... not to mention the problem of... it just keeps going. With our current technology, it's literally impossible to eliminate the issue of trust in our computing environments. They say everyone has their price. Scary thought, isn't it?

Re:You *could*...

[Zocalo]

It's *very* easy to do this - you just make sure that no one person knows the root password(s). For example you have one person who knows the first half of the root password and another who knows the second half. Both parties write their part of the password down, put it in a sealed envelope and the two envelopes go into escrow in case of fatalities (the CEO's safe will do). Both parties must be present at, and sign off on, any changes that require root access.

Add additional safeguards as you see fit - for instance you could have two people who know one half of the password and two different people knowing the other half, or three people each knowing a third of the password, and so on. It might be inconvenient on occassion, but hey, since when has decent security not caused a little inconvenience?

Re:You *could*...

[afidel]

You must be a student.
No one who has ever worked in the real world would come up with such a thing! I'm just a lowly tech and I need root on the workstations I work on on a several time per day basis. If every time I wanted to do something I had to track down another person and have them be in the same physical place as me it would be insane. Now think of the sysadmins out there who get paged at 3am when something blows up. Now not only do they have to get up but so does someone else and they both have to believe that the other person will show up. The reality is you screen applicants, make sure you have some kind of regular contact with your employees, and finally have some system for angry people to vent without fear of reprisal. On my team I established an email list for bitching and complaining and made sure that no managers were on the list but also made sure management was aware of the lists existance.

Re:You *could*...

[vrmlguy]

You must be inexperienced. I've set up systems where no one had root access. You set up sudo (or one of its commercial clones) to give specific people permission to do specific things, then you write a script to change the root password to a very random string and send it to a real printer. As soon as the printer delivers the goods (in the presence of one of more officers), it is folded and placed in an envelope (which everyone signs on the seal) and locked away. Any emergency big enough to require the password needs to be brought to the possessing officer's attention anyway, and anyone can look at the envelope to make sure that it hasn't been tampered with.

Re:You *could*...

[fishbowl]

"I don't know how many times I use root privs during the day."

On a workstation, that doesn't really matter.

On a production system facing customers, that number should be Zero. Or at least, this something you SHOULD know.

If you worked for me, and you said "I don't know how many times I used root", I would tell you, remind you about the policy, and re-educate you on the use of sudo.

Re:You *could*...

[whterbt]

Don't get me wrong, I use sudo every day, and it's a great tool. But you have the following problems anyway:

• sudo passwd . Yes, you can lock down sudo so that's not directly possible. But what about sudo vi? Or anything that allows a shell?
• Shell-required operations. Sometimes you need to be root. Many software installations don't work when you use sudo because they see you as the (non-super)user instead of root.
• Filesystem check encountered errors. Enter root password to continue. Sudo won't help here either.

• These occasions occur on a regular basis. If I had to track down a frickin' envelope and get an Act of Congress to let me open it each time, I'd just quit.

Re:You *could*...

[vrmlguy]

Let's take your objections one at a time.

• sudo passwd . By default, sudo installs in a very locked-down state. Not that many commands allow access to a shell, so don't allow people to sudo them. And don't use wildcards or ALL as permitted commands.
• Shell-required operations. You seldom need to be root. Allow people to sudo your platform's standard package installer (rpg, apt-get, pkgadd, etc). I've not seen any that allow shell access. Make sure that those operations are heavily audited, since someone could produce a trojan package. Best practice would be to write a wrapper around your installer that only installs packages that are approved by someone else. The wrapper can also fix up any identity problems. I'll leave that as an exercise for the student, but note that the login.c knows how to do it.
• Filesystem check encountered errors. Enter root password to continue... Are you using a journalled file system? Are your servers on a UPS? It's been years since I've seen this message on any system I've administered.

BTW, I acknowlege that sometimes you have to edit files. Nobody says you can't use sed. Write a script to do the work, let someone audit it, then add it to the list of permitted commands. In a pinch, The Operator Shell (which I don't advise using in place of sudo) includes a hacked version of elvis (RVI) which won't let you edit any file that wasn't mentioned on the command line.

Tracking down the envelope doesn't have to be a big deal. One place that I worked had it thumbtacked to a bulletin board in their 24x7 help desk area. (Remember, the envelope is signed along the seal, so everyone can tell if it's been opened. Plus, it was one of those Kevlar FedEx jobs that's pretty difficult to open without detection. And the bulletin board was in a very visible location.) If I needed the root password, I just opened a trouble ticket. Of course, my boss would be calling me the next business day to inquire why I'd needed it, but it took less than a minute to get it.

Re:You *could*...

[vrmlguy]

And how do you defend against opportunity situations like reboot? One could take over the shell (linux) or insert an install CD.

If any of my servers go down, a trouble ticket is opened, the on-call sysadmin gets a page, and email is sent to several PHBs, all in less time than it takes the BIOS to finish its POST.

Its also vulnerable by any available service vulnerable to a root priv escalation attack.

True, but that's a vulnerability to more people than just rogue sysadmins. Hopefully there's only a small window of opportunity between finding out about an attack and getting it patched. And heaven help anyone internal caught exploiting such an attack.

I believe the only flaw with this system is to believe that it makes subverting the system impossible. Its not a bad psychological device to discourage "hacking".

Kinda like putting locks on doors discourages breaking and entering?

But this kind of procedure can only implementable with a disciplined production/engineering environment.

I've implemented environments like this with only two Unix sysadmins. In that case, I was the junior guy. The senior guy had been with the outfit for seven years and was pretty disciplined, but I was replacing a guy who considered himself a "hax0r" and it wasn't too hard to get things locked down even tighter. It helped that the company was in a business that gave them access behind their customers' firewalls, so security was very important to the owners.

Regular root access with auditing will accomplish almost as much as sudo.

True, but sudo with regular auditing accomplishes even more.

Staff your IT department

When you have reasonable salaries, reasonable work hours, and no one that runs everything.

First of all you'd have less disgruntled employees.

Second, you'd have less disgruntled employees.

Third, you wouldn't need to trust anyone 100%. Most egos of sysadmins wouldn't let them let someone else compromise their system. If you have 2 or more admins 100% responsible for the integrity of a system, and each performing checks on each other, you would reduce the occurences of these types of attacks.

Re:Staff your IT department

[axis-techno-geek]

There is only one problem with this, the PHB factor (pointy haired boss).

PHB: I have one sysadmin on salary, and he seems to be over worked, I could:

• Hire another -- NO, HR would want me to fill out a whole pile of forms to justify this, and I wouldn't have time for golf.
• Just tell the existing one we will hire another -- YES, but really do nothing, and keep working him into the ground. Then only hire another when this one quits.... eeeexcellent.... when was that tee time again.

It really comes down to "perceived" value, since I.T. does nothing but "suck" money out of the company, them all must be a bunch of slackers who deserve nothing.

PHB at review time: The sysadmin seem to work lots of overtime, but since he's on salary this doesn't cost me anything, he must lack in organizational skills, we'll have to cut his bonus for that (and add it to mine for pointing out this flaw in the employee, I'll be able to get that new driver for my golf game now).

Remember in the PHB's eyes salary == slavery

Re:Staff your IT department

[Wind_Walker]

First of all you'd have less disgruntled employees.

Second, you'd have less disgruntled employees.

And apparently a whole lot more redundancy.

Plus some redundancy.

Damn

[Sandman1971]

I was disappointed to find that this was an article, and not a new show on Fox.

What can be done?

[perfects]

> Who can companies trust if they're afraid that
> this kind of thing can happen?

Nobody.

> How can they prevent it?

They can't.

Employee misbehavior spans an entire spectrum of seriousness, from stealing paper clips to embezzling billions. You can't prevent a determined and dishonest sysadmin from sabotaging a system any more than you can prevent an accountant from diverting funds or an after-hours custodian from taking things off peoples' desks.

There is no panacea, technological or otherwise.

Preventing employee misbehavior has several parallels with Copy Protection. No affordable and practical scheme is bulletproof if the person is determined enough, so the best method is to remove the motivation. The same rules apply to all employees: treat and compensate people fairly and they will be less likely to want to hurt you.

But even that doesn't work in all cases. If your staff is large enough there will always be people who feel that you are mistreating them, or underpaying them, and who will feel compelled to get what is "rightfully theirs" in other ways, large and small. And many people steal/etc. without regard to the harm it causes the company or other employees; their motivation is purely selfish, so it doesn't matter how well they are treated and paid.

So even if you treat and compensate people fairly, and trust everybody you hire, you must monitor people's activity, investigate suspicious behavior, and, when necessary, prosecute wrongdoers to the fullest extent of the law.

I probably sound cynical, but I speak from experience.

Re:What can be done?

[sporty]

Employee misbehavior spans an entire spectrum of seriousness, from stealing paper clips to embezzling billions. You can't prevent a determined and dishonest sysadmin from sabotaging a system any more than you can prevent an accountant from diverting funds or an after-hours custodian from taking things off peoples' desks.

There is no panacea, technological or otherwise.

Ah, but you can make it harder, by having servers administered rotate among admins. That way, you cross train, and if something looks fishy, it can be.. fixed.

Re:What can be done?

[Twylite]

For some reason technical people tend to ignore many years of experience of similar problems in other domains. Quite simply, there are several effective mechanisms for preventing this type of abuse, but very few people which sufficient know-how to implement them.

The business rules for prevention of white collar crime are division of responsibilities, and cross checking (or auditing). The rules do not change just because you are working with computers.

The first thing to realise is that on most "enterprise" operating systems other than standard unix, the system administrator is NOT god. On NT, 2000, Novell and Trusted Solaris (amongst others) there is provision for delegating administrative privlidges and locking out the original administrator in an irrevocable manner. On most other Unix systems you can use "sudo" (or an equivalent) to selectively grant privlidges, and lock down root logon or "su" to the console only. Coupled with dual-key physical access control, this prevents any single person from becoming god ((s)he can't even modify hardware or reinstall because of physical controls). This scenario presumes procedures/rules (never leave just one admin in the room, watch and verify all operations, etc).

Many admins baulk at this idea, but if you're serious about security, there has to be a physical barrier preventing complete power over the system. In the absence of computer systems designed for dual authentication for privledged operations, physical controls (and associated procedures) must be used.

When responsibilities are divided, there needs to be an analysis of which privledges can interoperate, and which should not (because they could cause a security risk). The privledge of clearing log files should be limited to "god" - i.e. physical access to the console, which requires two people. Backups should be encrypted, if possible in such a manner that the key for recovery is split between two people (there is software to handle this sort of thing).

Auditing is also essential. Every so often, external experts should be brought in and allowed to inspect the system, under the supervision of one or more of the administrators. It is likewise important that administrators be forced to take time off (instead of infinitely accuring annual leave) -- this is when fraudulent activity is usually stumbled upon.

Does this offer complete protection? No. It won't work in organisations where there is only one admin (unless another technically savvy person can hold the second key for physical access), and it breaks down when two admins cooperate in the fraud. But it provides a whole lot more protection than the current practices, and in time can be improved (by drawing on other business and accounting practices).

Re:What can be done?

[ivan256]

Here's why you're wrong:

You don't need complete control to do what this guy did. You only need access to the code. If you write the code, and you're familliar with the code review procedures or smarter than the guy reviewing your code, you don't need access to the systems at all. The other hard working honest admins with software installation access will do the rest of the dirty work for you.

Anyway, the point is that you don't need 'root' access, or lots of privlidges to sabotage a system. You don't even necicarily need cooperation for another admin.

For all you know, they already did what you described.

Re:What can be done?

[ivan256]

So even if you treat and compensate people fairly, and trust everybody you hire, you must monitor people's activity, investigate suspicious behavior, and, when necessary, prosecute wrongdoers to the fullest extent of the law.


You forgot the most important part. If you can't deal with the remaining bit of uncertanty, BUY INSURANCE! Insurance companies exist to protect against exactly this kind of risk. The more you do to prevent sabotage, the less your insurance will cost, and then if the worst happens you're covered.

Really, do you think this guy's got enough cash on hand to cover the damages? You can't garnish his wages when he's in jail because he won't be making any money.

Re:What can be done?

[SuiteSisterMary]

Hell, one of the simplest things you can do is log all root/admin commands to a hardcopy printer at a differnet location.

Re:What can be done?

[uncleFester]

One thing that should be done is an effective and QUICK way to terminate employment. My last workplace was a shining example of how to handle it all wrong. My boss tells me at 8:10 to attend a meeting in a conference room downstairs.. as everyone else is in a meeting across the hall. When I ask him point-blank 'do I still have a job?,' he looks down and mutters "I can't tell you; go to the meeting." Which, of course is the answer right there.

Now, at this point I have 15 minutes to wreak havoc, were I malicious. This was utterly ignorant handling of the situation. If you even promote the HINT a person may no longer be an employee, for shit's sake don't let them near an open account. .. did I mention I was the Unix admin? That the entire facility depended on three Alphas running various Oracle databases, DNS, etc on those Alphas? They are simply lucky I am not a vindictive person (I accept the company did what it had to, though I do still have a personal issue with the shoddy manner in which my 'boss' handled the entire affair).

Re:What can be done?

[orangesquid]

Why not engineer a smart system that tries everything in its power to prevent its demise, a la Hal? The trouble is things like physical security, but some episodes of X-files have demonstrated that a computer that controls the security system in a building can protect itself fairly well =)

Re:What can be done?

[Lumpy]

BINGO!

you hit it on the head.... A "bad" sysadmin is far less dangerous than your "bad" accountant..

many MANY companies were robbed blind by a bad accountant embezzling money yes you dont hear this sensationalized like this article. it doesnt matter, from the janitor to the CEO EVERY EMPLOYEE has the ability to completely ruin your company.. anyone that is paranoid about it means they know they are screwing their employees and are sure they are disgruntled and TRYING to get back at them.

if you want to reduce the risk of having disgruntled employees screwing your company there are 2 things you need...

1 - Pay them fairly and treat them well. this is the MOST important thing. they will NOT respect you or your company if you don't respect them.

2 - critical parts of your company need redundancy.. if you have 15 computers and 1 sysadmin... HIRE AN ASSISTANT FOR THE SYSADMIN. less sneaky stuff happens when someone has a shadow. same as Accounting... have your books audited by someone else on a regular basis.. wow now is a good time to actually LEARN how to run your business instead of playing golf or having your Mercedes detailed.

99% of all bad things that happen in a business is the managemet's fault. their inattentiveness or apathy coupled with ignorance and sometimes just being a plain old asshole to their employees.

Re:What can be done?

[Frobnicator]

They can at least reduce the chance a lot with redundency.

I had an undergrad Computer Security class several years ago. It was taught by a SysAdmin at the IRS processing center. (it handles all the Business IRS submissions for the western US). Even more amazing, the professor was a SHE.

She discussed this exact situation and several others, and how much redundancy is needed to avoid it. In one story, told a story where the top 4 sysadmins went to lunch together. Their car was hit in traffic and all 4 died. Because the govenrmnet requires lots of redundency and documentation, there were many other people at that building and at the Eastern processing center who knew and could access every password, and could fill in every aspect of the jobs of the deceased. Sure, it initially took 8 people to do the job of the 4, but there was no interruption and no major economical damage done.

If you want a secure system, you should be able to have over half of your administrators, programmers, and other key employees suddenly die or quit, and still be able to operate normally with little or no interruption. This is even more important if you have multiple key sites -- If everyone died at one site from some plague, you should still be able to recover all of your data.

If you can't do that, your system is not secure.

frob.

Re:What can be done?

[Twylite]

In my own defense ;p "Accuring" (s/ur/ru/) is a typo, "baulk" is the British spelling of balk (see dictionary.com), and "privlidges" is one of those words that I was never privileged enough to remember how to spell correctly (so yes, a common misspelling).

Would you care to state your disagreement?

similar story

[KirkH]

Something similar happened to my Dad's business about 15 years ago. Back then, they just trusted the employees. For some reason I can't recall, they decided to fire the sysadmin that was running their billing systems and gave him a months notice. During that month, they let him take time off from work to interview at other places and were generally pretty nice about the whole thing.

A couple weeks after he left, the system started crashing and losing data. Apparently he used a rather well-known bomb because the company they used for support was able to dial in and found it rather quickly. He was charged, arrested, tried, and found guilty. It was a big deal because the state (South Carolina) had just passed some really though computer crime laws at the time, and the Attorney General wanted a "test case" for the law.

My Dad and his partner's requested that the guy not get any jail time since he had a wife and some kids, but he got major probation and a huge fine (something like $60,000, which was a lot back then). Plus he now has a felony charge on his record. Last I heard, he had gotten out of the computer biz and was working in a family business.

Anyway, the short lesson is: if you're a company firing someone with privileges, pay them the two weeks or whatever but don't let them back on site. And if you're the guy getting sacked, don't try to get revenge through sabotage; it's just not worth it.

As an aside: every place I've worked had a policy that whenever someone was fired they were led to their desk with a cardboard box, then escorted out of the building that very moment.

Re:similar story

[eam]

> and a huge fine (something like $60,000, which
> was a lot back then).

Wow. I must not be making enough money, because I think that is still a lot.

Re:similar story

[DeepRedux]

Puts can translate to vastly more money.

For example, right now UBS stock is about $50 and for $0.40 (last trade) you can by a put option with a strike price of $45 that expires in about a month. So for $0.40, you can by the right to sell the stock at $45.

If the UBS were to drop to $40, the payoff would be $4.60 (45-40-0.40). A $21K investment would pay $241K (less commissions).

Re:similar story

[Telastyn]

My company also has the policy that while the employee to be fired is in their firing meeting, IT resets their accounts and takes their computers. They can request info off of their work machine, which is screened for company/competative data and then mailed to them later.

This is for everyone too, not just privlidged employees

Re:similar story

[Fubar]

A friend of mine was let go last week. During the meeting they informed her she could stay until the end of the week (3 more days), but she would not have access to anything.

Her access was removed during the meeting. She elected to head home immediately afterwards.

Re:similar story

[Courageous]

Anyway, the short lesson is: if you're a company firing someone with privileges, pay them the two weeks or whatever but don't let them back on site.

My company has decided that the sort of behavior your recommend is insensitive and damages the moral of the employees who remain. We give everyone a one month notice, during which they are paid, have full access to their office and accounts, and aren't required to work at all. Instead, their office is a base for finding new work.

C//

Re:similar story

[bughunter]

pay them the two weeks or whatever but don't let them back on site

Well, that's good advice, but it's not enough, as the following two stories illustrate:

In 1989 I worked for a small startup company that was all Mac, and used an Appletalk network. Also on the network was a couple modems so that execs could dial in. Well, the company's flagship product failed catastrophically and the staff was eventually laid off in waves. When the Mac admin was laid off, he dialed in and found the admin account password had not been changed. So he composed a short Word document and sent 999 copies to every printer on the network, guaranteed to cause them to broadcast "out of paper" messages and give the document maximum exposure. The document was a quote from the catty blonde executive secretary:

I've been at the bottom and I've been at the top, and I don't care how much dick I have to suck, I'm staying at the top.

Of course, this valuable woman (indeed a hottie) still worked there. And when she found this document overflowing the outbins of every printer in the building, what did she do? She went around the office with a stack of them in her hand shrieking, "Did you do this?" at everyone...

That sysadmin became one of my closest friends.

At my current job, the Technical Publications interleaf network was brought down when the real admin deleted an account. At some point in the past she had brought in an "expert" from our software department -- a college student. A cocky, arrogant sonofabitch as I recall... I met him a few times and didn't take well to his air of superiority and disdain for others.

Anyway, the fix was simple, but annoying. When he was in there doing the job she asked for, he set up a chron job that would delete the password file if it discovered his account had been deleted. Well, it was, and so... no logins for an entire day.

This was years and years ago, before most management was aware of the seriousness of computer sabotage. I tried to explain to management the seriousness of the act, and the ethical bankruptcy that was required to do such a thing. They brushed me off, and the kid was eventually hired on a full time basis. So it didn't suprise me when the same thing happened on the software configuration management server after the guy quit a couple years later.

...so?

[TrumpetPower!]

How is this different from any other kind of sabotage by employees or ex-employees? As long as there have been accountants, there has been embezzlement. A short-order cook could forget to wash his hands. A construction contractor can use sub-standard building materials.

You gotta trust somebody; just make sure it's somebody worthy of trust.

As for preventing this particular kind of sabotage, use the same principles as everywhere else: supervision, audits, bonds, insurance, and the threat of jail time if the rest fails. Oh--a good disaster recovery plan sure doesn't hurt, either.

Cheers,

b&

A novel way to pay for retirement...

[constantnormal]

... pull a stupid crime and spend the rest of your life in a state-funded institution.

Configuration Control

[Detritus]

For critical systems, nothing gets changed without an approved change request. All changes must be examined, tested and approved by someone other than the programmer. You can also have a separate group to maintain the source libraries and to do builds.

Re:Configuration Control

[tomhudson]

Of course, this doesn't prevent someone from making undocumented changes on the sly if they've got root access ... or better yet, modifying the backups, then "arranging" a system crash. Who's going to audit a "known-good" backup, especially when your systems are down?

Tech plan = Good; Financial plan = Bad

[ohboy-sleep]

With the Paine Webber guy, I was amazed this guy didn't think the SEC could put 2 and 2 together.

"Hmmm, there's the guy who had access to the company's computers and made all those put options, but I don't know if there's any way we can prove motive or opportunity."

Who can you trust?

Trust in God; Everybody else pays cash

Who can you trust? -- Nobody. As our master said:

For of men it may generally be affirmed, that they are thankless, fickle, false, studious to avoid danger, greedy of gain, devoted to you while you are able to confer benefits upon them, and ready, as I said before, while danger is distant, to shed their blood, and sacrifice their property, their lives, and their children for you; but in the hour of need they turn against you. The Prince, therefore, who without otherwise securing himself builds wholly on their professions is undone.

Machievelli, The Prince Ch 17.
The answer to the question is no one, not even your mother. If you are not secure against being hacked by an insider, you are not secure. And that means everybody, Newspapers are full of headlines about CEO's ripping off their companies. Stories about long-time trusted employees who embezzle a few hundred thousand dollars are so common that they usually wind up on page 7 of the Metro section.

Re:Who can you trust?

[Elwood+P+Dowd]

Stories about long-time trusted employees who embezzle a few hundred thousand dollars are so common that they usually wind up on page 7 of the Metro section.

And that's the ones that are caught.

Re:Who can you trust?

[nakaduct]

And that's the ones that are caught.

Yeah! Err....... I mean, "yeah."

they can never prevent this happen

[z01d]

SysAdmin, as the word says, it's the Administrator of the System.

there's no technical way to restrict their actions, or we should restrict the computer's capacity.

people do bad things for money, that's all, how could we prevent this happen? how could we prevent crime? how could we prevent people shoot each other? these are analog.

it's political or human issue. not technical.

How to avoid this problem

[puppetluva]

Don't keep disgruntled employees or employees that you keep hidden away in a back room and ignore. Management that keeps good relationships with its employees don't have as many problems with this sort of thing.

This means:
1) Help work to keep employees happily employed (not with bribes - with real career paths, personal interest, etc.). If you keep wage-slaves, expect mutiny.
2) Actively replace employees who can't be kept happily employed. Get others who are competent and glad to have the spot (which shouldn't be too hard in this economy). Keeping people around who don't want the position isn't doing them any favors. If no one who would be qualified would also be glad to have the spot, rethink the position.

"Management" should be helping manage situations like this. If this guy had been disgruntled for a long time, it seems to be their fault for keeping him (and keeping him unhappy and ultimately vengeful). Sounds like someone did a bad job at people-management . . . sounds like the type of willfull neglect that is inexcusable but all too common. Many people think that "management" is watching the bottom line -- that is a lazy, oversimplified way of looking at an important job.

Re:How to avoid this problem

[lostboy2]

Help work to keep employees happily employed (not with bribes - with real career paths, personal interest, etc.). If you keep wage-slaves, expect mutiny

I second that motion. Money is only one means of rewarding/compensating your staff. Respect is another one, and one which often is ignored.

I once did a gig as a conslutant for $COMPANY. When the $PHB who hired me introduced me to the SysAdmin, the $SA was visibly displeased. I suspect that

• $PHB had failed to mentioned to $SA that this hire was taking place
  
• the $SA didn't have a say in the hiring process (he certainly didn't interview me)
  
• the $PHB may not have mentioned to the $SA that $PROJECT was taking place.

So, when $PHB mentioned to $SA that he needed to set me up with a computer and network account, $SA gave me the list of all of the admin passwords on all of their servers and said I could set up my computer and account myself. $SA quit within a week after I was hired.

Needless to say, that was an interesting experience. :-)

Re:How to avoid this problem

[Frobnicator]

One of my sys-admins has a poster on the inside of his door, which he usually keeps under his jacket. It has a picture of a boss and something like "Are the machines for the new people ready?" and a translation of "I guess I should tell you I'm going to hire some people."

It's amazing to me how many PHB's keep their SA's out of the loop. It's also amazing to me that PHB's will say "I want this put together by $DATE" where $DATE is just barely enough time if everything else is delayed. The SA gets it done at a huge cost to other projects, and then the PBH doesn't use it until several weeks after the date.

An unhappy sysadmin is a big security hole.

frob.

Sysadmins?

[Titusdot+Groan]

Luckily it's only sysadmins that do stuff like this and not traders, accountants or the CEO!

C'mon -- this is really small potatoes ...

Re:Sysadmins?

[Iamthefallen]

yeah, but the difference is, the sysadmin is a criminal, a CEO that's stealing is just unethical...

Re:Sysadmins?

[timeOday]

yeah, but the difference is, the sysadmin is a criminal, a CEO that's stealing is just unethical...

You know, I don't have any mod points, so I'm just going to say that is very "insightful."

My guess is the Paine-Webber guy will be reamed, and that's justice. But what about the people whose salarary+bonuses alone cost more than the damage this guy caused, and whose shenanigans drive a billion-dollar company into the ground, destroying people's pensions? That's a heck of a lot worse than forcing a Windows reinstall.

Re:Sysadmins?

[Guppy06]

"yeah, but the difference is, the sysadmin is a criminal, a CEO that's stealing is just unethical..."

No, these are CEO's we're talking about. It's getting caught that's unethical.

When your job is to busily whore yourself out to investors, just how "ethical" can you be?

Re:Sysadmins?

[wobblie]

This guy's in jail and Bernie Ebbers, who ruined the lives of many people, has not even been charged with anything.

Re:Sysadmins?

[ces]

Don't forget the auditors.

Re:Sysadmins?

[ces]

I don't know, some of the upper-level executives involved in the current scandals have had criminal charges filed against them.

And don't forget the new magazine that will be coming out due to these scandals:
"Martha Stuart Living -- In Prison"

I can't believe

[TerryAtWork]

That this firm had a SIXTY year old sys admin.

There's hope for me yet.

Re:I can't believe

[EricWright]

Probably cause they run a 30 year old system, and can't find anyone younger who knows the system, or cares that it exists.

don't put all your security eggs in one basket

[HealYourChurchWebSit]

If systems are so critical and secure, then you need to separate responsibilities, and dispense information to those holding the keys on a need to know basis.

/. caught the clap from k5

[wiredog]

or something like that.

BOFH alert!

[ACK!!]

Makes my little cron job that changed the shell on this user's account three times a week look really mild in comparison.

That guy annoyed the hell out of me one too many times.

Unfortunately

It is not equivalent to a real bomb. There was no destruction of property, no casualties. It's in a completely different league. The real solution here is to treat your employees with respect and not treat them as slaves.

Forensic hacking

[laughing_badger]

I'd love to know more about how much hard evidence they were able to gather about this guy. Obviously, anyone with enough brain power to engineer the logic-bombing of 1k machines is going to try and cover his tracks, but how well did he succeed? Is the prosecution going to have to make the leap from "you left, then bought shares, then something bad happened." to "it was you!".

Ethics aside, I have to admire this guys balls!

I'll put my ethics back on and fix the sendmail f'up I made this morning now :-)

This article isn't very good. Neat story though.

[zaqattack911]

From the article:

So-called logic bombs are pieces of software code buried within another program and are designed to disrupt computer systems. They are often delivered by e-mail.

Ok boys and girls, would someone like to explain how this is different than a virus/Trojan?

Keep in-mind that I am not a financial expert, nor the general public that I can assume are reading this article. With that in mind... the following statement is even more mind boggling:

He allegedly bought more than $21,000 of put options, which grants an investor the right to sell a certain amount of underlying stock at a certain price. By giving the investor the right to sell underlying stock at a given price, put options increase in value when the stock value falls.

Christ.... wtf does that mean :)

All in all this article goes into no detail in regards to how he was caught, and how they in intend to prove it's him.

--Noodles

Response

[nege]

"Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"

Management: "We don't need a sysadmin, everything is working just great!"

Insider Threat

[herwin]

This general problem is quite common--80+% of the attacks on e-commerce systems involve insiders. You either have to trust your people or watch them. Unfortunately, watching them (using intrusion detection technology) is not very effective at present. You either have to program the IDS to detect the specific signatures of malicious acts (not well understood at present), or you have to train the system to detect anomalies. The training problem is very hard because:

1. The training data may include an attack. Then hacking will be considered normal.
2. New things happen on networks all the time.
3. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD.
4. Categorization of attacks requires expert input.
   
5. False positives are common.
6. Attack indicators are brittle, so that hackers can sneak past them.

TANSTAAFL.

Re:Tech plan = Good; Financial plan = Bad

[bill_mcgonigle]

I was amazed he didn't think to have his friend or his grandmother buy the options.

what the...

[hpavc]

this problem has nothing special to do with sysadmins. its a human resource problem of a entirely generic form.

"how do people prevent people with privledge from fucking them over?"

i think employee onto employer a mockery of the likelihood of employer unto employee.

i dont have much more of flame bait suggestions for answers, just more or less refined questions.

Easy answer...

[gosand]

Who can companies trust if they're afraid that this kind of thing can happen?

Who can you trust?

Microsoft. Trustworthy computing.

At Microsoft, we make operating systems that administer themselves, so you don't have to hire those untrustworthy and expensive system administrators. Nearly any high-school graduate, or poo-flinging monkey, with the proper brainwa^H^H^H^H^H^H^H training can become a Microsoft-Only Operations Certified Omnipotent Worker. Get your own MOOCOW today, and let us handle your security problems. You shouldn't have to worry about these computer dealies - that's our job.

Microsoft. Trusted Computing since 2002.

Re:This article isn't very good. Neat story though

[zaqattack911]

No I understand that much.
The article is just not clear about the definition of a put option at all.

(Yes I know there is another definition linked in the slashdot post.)

Re:This article isn't very good. Neat story though

[Alphix]

Put option quick explaination:

Suppose that the stock of company FooBar is worth $80 today.

I buy the *option* of selling that stock at $80 in one weeks time (this of course cost me something since there is a risk involved for the entity that I buy this option from).

Let's say that priviledge costs me $1 (since everybody considers company FooBars stock prices to be quite stable).

Now, one week later the "bomb" has blown up their computer system and the stock has plunged to $40.

The option of selling one stock at $80 is now worth $40 since the stock is currently priced at 40$. I don't even have to own the stock since someone who does can buy the option from me instead.

In total I've made 39$ on an investment of 1$ in one weeks time.

Sysadmins hell, I want to kill the execs; story

[SeattleSluggo]

Forget the sysadmins hosing the company, how many friggin execs run the thing into the ground looking to pad their stock options, then leave?

At a big EDA firm I worked at the sysadmin got into big trouble (I think he was fooling around on his old lady and was trying to run away with some other chick). He decided to hose the backups by placing a small magnet on the read/write head (IIRC). Then he did real backups, which he hid in the drop-down ceiling. His stupidity led him to try to blackmail the company (gold coins). The episode ended badly--high speed chase, crash, prison. Now that I think about it, yeah, a Fox mini-series!

doug

For large businesses - multiple admins

[phorm]

A lot of larger companies can have multiple admins, each taking care of a particular sector. By having a common methodology or plan, you can ensure that one admin can cover for another (in case of unforseen accident) or take over.
In the schools where I work, I can walk into another admin's school and be fairly comfortable with making fixes/changes to their system - since everything runs similarly. This is convenient if one of us gets sick, or has a holiday, etc, and a server goes kaput somewhere.
Some of us are more well-versed than others, and one of the other admins has a much better knowledge of most of the systems than me - in particular our main user repository.

I can get by fairly well the "armadillo book" (0'Reilly) when there's something I don't understand, but sometimes I still need to call him when things go awry. For those that need to catch up with other admins, I do recommend the O'Reilly books though. I've only been here a few months, and I expect that after time (and reading) I'll be much more confortable with some of the systems I'm not currently as fluent in as others.

"Logic bomb"?

[Chagatai]

Duronio's logic bomb, the government charged, deleted files and led to $3 million in costs for PaineWebber to assess and repair the damage.

It just sounds like to me the guy set up a nice little crontab entry that no one bothered to check that did a rm -rf /* on their systems. But, then again, the article did say...

Duronio, a computer systems administrator, resigned from PaineWebber on Feb. 22 after complaining about his salary and bonuses. The logic bomb he allegedly constructed from November 2001 until February of this year was activated on March 4, U.S. Attorney Christopher Christie said in a statement.

So this guy was clearly dumb, executing something like this only two weeks after he left. I could see how it would take him from November to February to figure out how to work cron.

What can be done?

[Confused]

>> How can they prevent it?

> They can't.

They can at least reduce the chance a lot with redundency.

If you have a team of sys-admins, you have a good chance that the other might catch the bad one before it's too late. And if they feel treated well by the company and don't share the sentiment of the saboteur, the damage is usually contained.

Another policy I've seen in some banks is that all employees have to take 2 continuous weeks paid vacation each year (the rest of the paid vacation time can be distributed at will). This promotes cross-training and redundancy.

sounds like...

[bje2]

sounds like something right out of the Bastard Operator from Hell

Prevention is not all that hard

• Reasonable salaries, benefits, and work hours
  
• If someone is to be canned, you provide reasonable severance pay, and immediately lock them out of everything (including the physical building itself). Give them a month's pay, one week at a time, with the understanding that professional behavior is expected and they are to answer whatever questions might arise during this one month period.
  
• Maintain some level of operational redundancy. Relying 100% on a single sysadmin is asking for trouble. They might be dishonest, or they might die in a car crash.
  

All of this costs money, but think of it as cheap insurance, compared to the cost of rogue sysadmin. Is it worth penny-pinching on salaries and benefits, while maxing out the workload if that results in disgruntled employees who timebomb your systems as they head for a new job?

If you paid the sysadmins $1 million per year, there would be zero theft, zero funny business, and zero turnover. Of course, nobody can do that and stay in business. At some level less than $1 million and higher than fast-food wages, you can retain decent people and discourage malicious tactics. The key to avoiding a technological meltdown is to treat people well enough so that your recruiting process lets you avoid the marginal candidates. Once hired, a properly compensated person should feel as if the "have something to lose", and therefore you can expect such a person to act as a professional. Paying hamburger wages and putting a person in the sysadmin seat would be like staffing a nuclear power plant control room with random selections from the phone book.

This is a very interesting topic, especially right now. We are in a down market, and there is an irresistable temptation for some employers to make lowball offers to currently-unemployed candidates. This allows the employer to cheaply refill vacancies (or exert leverage against current employees). Those employers who are gung-ho about bottom-feeding are setting the stage for big trouble later. Employee turnover is just the tip of the iceberg.

Re:Prevention is not all that hard

[SectoidRandom]

I couldn't agree more about the decent pay / benifits, but:

" Give them a month's pay, one week at a time, with the understanding that professional behavior is expected and they are to answer whatever questions might arise during this one month period."

This is the hard part, since I would venture more often than not it is the COMPANY who is the "dishonest" party. Typical examples are snooty-HR types who 'deem' that a particular person does not "fit in", then slowly but surely their working conditions deteriorate. Worst of all it is generally much cheaper for a company to fire someone for miss conduct (with appropriate warnings), or push that person into a corner (shitty work conditions) where they will themselves leave. This is far far cheaper than a dismissal followed by full payout.

This is the kind of problem that really creates these "dishonest" ex-employees, and frankly the fault here lies completly with the company!

Re:Prevention is not all that hard

[Dusabre]

Pay them $millions a year and they'll be honest? Like CEOs?

Change control + tripwire

[ChaosMt]

- Design the system so that it requires change controls

- Take daily md5 snap shots of systems

- Always keep off site duplicates of your monthly full back ups. It's not just for DR; it's also for versioning.

- Sue him out of existence and make sure EVERY employer in the area knows about it - not just for vengence, but also as a heads up to other rouge sysadmins.

In other words, follow best practices and procedures.

On a related thought...

[Chagatai]

Here's a question that is related in part to what this numbskull did: suppose you are a sysadmin responsible for some set of vital systems like this guy was. You are fired/terminated/leave the company. However, during the course of your stay, you never documented anything (and I'm not talking about deleting documentation because you were pissed off and left). Consequently, your employer is definitely set back trying to figure out what you had in place. What are the legal ramifications from this?

My take on it would simply be that your employer did not pay enough attention to your activities abd subsequently due to their mismanagement you would not be at fault. Comments?

Re:On a related thought...

[LostCluster]

If they never ask you to document anything, then its their fault they didn't get any. In the time you would have been documented things, you were doing other "more productive" activities. That's their problem now.

If you were asked to document and didn't, they should have let you go a whole lot sooner. Their failure to keep track of you resulted in unsatistactory work by their standards, but it's too late to turn back the clock on that.

In either situation, they have the option of either figuring it all out on their own, or paying you to come back to get done whatever needed to get done.

Not possible...

[leeet]

You must not be a sysadmin...Or you must be working for the government?

This is unrealistic. When the fire is burning, you can't take 5 minutes to sit down and follow the procedures, you just jump in and fight it.

Re:Not possible...

[ces]

And you've never worked in a large datacenter with systems doing high-volume transaction processing.

There are proceedures to follow in a system down situation, but they make sure the problem isn't made worse, there is a rollback, security isn't comprimised, and the change is documented.

Re:Not possible...

[void*]

Suppose I pre-prepare a security comprimising change with the express intent of waiting for the fire, so I can slip it in with a fix, and I slip it in while fixing something that has -nothing to do with the security comprimising change- (i.e., the review wouldn't catch it because the reviewer wouldn't think to look in that portion of the system/code/etc)? The fix is still documented, procedures were still followed, there is a rollback, yet security would still be comprimised, no? (Note that I'm not saying that it wouldn't be hard, just that it's possible).

Re:Not possible...

[ces]

The truth about proceedures is they are in place to reduce the likelihood of a screwup, to reduce the damage, and increase the chances of detection.

They are never 100%

Re:Not possible...

[mmol_6453]

And you've never fought a fire.

As a volunteer department, it takes us between two and ten minutes to get to the scene. When we get there, we have to appraise the situation, even before parking apparatus. (What good is an engine if powerlines detach from a home and fall on it?)

We don't make split-second decisions. If you rush, you make mistakes. Even if the mistakes seem minor, people can die. Including you.

You follow every procedure you're taught.

Right down to feeling doors with the back of your hand before opening them. If you forget, you're going to get hit with a backdraft.

Forget to wear latex gloves before treating a bloody accident victim? You better hope they're not HIV positive.

Did you remember to put the spanners back in their mounts? (A spanner is a firefighter's wrench.) If not, how are the people running the engine going to know where to get the spanners to tighten the leaky coupling between the hose and the engine itself?

Did you remember to turn the coupling between that 200psi hose in the right direction, to tighten it? No? I wouldn't want to be in your shoes when it whips around like a possesed snake. (For reference, a 2 1/2" uncapped hoseline expels enough force to accelerate a 50' charged section of hose at 12 m/s^2.)

The bottom line is, you don't come up with a solution to the problem halfway through, you need to spend some time coming up with a plan. For large public locations, like a Best Buy or a Sears, the fire department responsible for the area will usually work out a plan ahead of time for handling anticipatable situations.

How does this profit?

[phorm]

He allegedly bought more than $21,000 of put options, which grants an investor the right to sell a certain amount of underlying stock at a certain price. By giving the investor the right to sell underlying stock at a given price, put options increase in value when the stock value falls.

I'm trying to figure this out. From the ABC article, it sounds like he bought stock in the parent company and expected to profit when things went bad? I could see how this works with buying into a rival company would work, but this sounds like a losing situation. Maybe the article is just weirdly worded, or I'm reading things wrong?

1) Buy stock
2) Logic bomb subsidiary company
3) ??? 4) Profit?

Re:How does this profit?

[The+Wing+Lover]

Not quite. You've described a short sale.

With a "short sale" you can borrow stock that you don't own, sell it, then later on, after the value has fallen, buy it, and give it back to its owner. Think of borrowing your neighbour's lawnmower in April when lawnmowers are expensive. Sell it for $200. Then in November when lawnmowers are cheap, buy a lawnmower on clearance for $100 and give it back to your neighbour.

Options (a put option is one of two kinds of option) are a bit different in that you don't actually buy any stock. You only buy *the right* to buy (call options) or sell (put options) the stock at a given price.

What's the difference?

Well, for options, you have a limited risk (it's impossible to lose more money than you put in -- the worst that can happen is that your options become worthless and you throw them away). But with a short sale, the risk is potentially limitless, since it's possible for the stock price to be infinitely high when you have to buy them back and repay the lender.

Perfectly normal...

[leeet]

You can say that SysAdmins "own" the business, or at least, they control whether it runs or not. They can crash/corrupt/etc anything in less time it takes you to fart...

It is a common practice to delete any sysadmin account *before* they get the news.

Most people I know were even escorted out of the building.

Think about the bad things a secretary can do? Not much... Maybe call a few customers and piss them off? Bogus orders of pizzas? Now think about what a sysadmin can do? Create a disaster big enough to kill a company... It's too easy to "skip" some backups and then crash a few DB's. I'm sure there are tons of way you can "kill" a company... It's too easy for a sysadmin..!

How can you prevent it?

[Call+Me+Black+Cloud]

You can't. Next question.

Re:How can you prevent it?

[Call+Me+Black+Cloud]

Same reason houses get robbed despite locks and alarms, cars get stolen despite chips in the keys, and software get copied despite all manner of protection

Man's capacity to overcome obstacles to larceny and other deeds is unlimited.

Re:Good story until...

[fizban]

Uh, but if the sysadmin was in charge of the backup system...

Always be kind to your sysadmins...

...for they can make or break your company.

"Be kind to your enemies; be peaceful. But if they lay a finger on you, send them to the cemetary."

Ruin it for everyone...

[NetJunkie]

My wife was consulting at the time and was called to a similar case. The network admin was fired and a few days later most of the workstations and a few of the servers just formatted themselves. She got there in time to save most of the servers and a few workstations, but it took weeks to rebuild. This was at the HQ of a regional company.... The last I heard the FBI was going after the guy after he ran off to New York.

This is the reason network contractors and admins almost NEVER get to work a notice.

Re:Escalation

[archeopterix]

This goes way beyond pissing in the company coffee pot.

Yeah, once you kill your boss and all coworkers, it goes downhill - you start planting logic bombs, stealing money from your company and end up pissing into the coffee pot and *gasp* stealing paper clips!

Trust many, not just one sysadmin

[no+soup+for+you]

How can you hire one person, give them God access, and trust they won't abuse it? you cannot, and you never will. Checks and balances -- hire a staff, not a person.

If co-admins can see the changes I've made and call me on them, my opportunity to screw with the company is dimished. Granted it's not completely gone, but it is less than if no one ever saw what I did.

You cannot keep one person happy forever. But with a staff you can attempt to control the unexpected life-events of your employees (which could cause someone to steal) with the decent salaries / work hours / conditions / respect / recognition that have been mentioned above.

Re:20 years

[BigFire]

I presumed you're the type that think that corporate CEO who looted pension fund shouldn't get any time in jail, since they didin't actually use physical violence?

A timebomb?

[caluml]

14 * * * * /bin/kill -9 $RANDOM

That would cause some pretty wierd things to happen from time to time. Kinda like bad ram, or something.
Wouldn't be that hard to find though.

Note it's similarity to my sig, too.

Oil Strike in Venezuela

Here in Venezuela, when the Oil strike begun some sysadmins blocked and placed logic bombs in the critical computers. It is costing the country an average of US$ 15 million a day. The computers that control the fuel-load process in the tankers where so sabotaged that any try to get the system up would end up spilling fuel on every "island" (the place where the fuel truck loads). The only way to stop the spill would be to activate the emergency system in the plant. Gladly (it's already very known worldwide) the goverment set up a "hackers team" to take over all the sabotaged industry computers. Most of them are running Solaris or Windows NT 4, so it wasn't too hard to break all the systems. If you calculate: US$ 15 Millions * 16 days = 240 Million US$ ... and most of it is because the admins who sabotaged the critical computers.

Ha, Ha.

[broody]

Looks like one SysAdmin is thinking things were not as easy as in Office Space or Superman 3. Off to "federal pound me in the ass prison" for him.

Time bombs

There are a few examples of this in my past:

1985: A travel company with several offices (local big group) had only one sysadmin for their computerized booking system. He was this nasty guy who was related to one of the founders, and no one wanted to fire the guy because only he knew how to run the damn things. Not that he did a good job. He was lazy, rude, and demanding. Well, one day, new management got sick of him, and tried to get an "assistant" for him (read "learn his job so we can fire him"). Sysadmin was wise to that, and basically they went through several employees in as few months. Finally, they decided to fire the guy, and hire a contractor to replace the systems. The firing was ugly, they ex-admin had to get dragged out by the police in the end. Days later, the whole system went down. Guess what? No backups. No one knew how it ran, and years of data was lost, chaos among their customers ensued, and six months later the company went out of business.

1996: Our company bought out a competetor. They guy in charge of the call center was the only one we didn't lay off right after the merger because he was the only one who knew what went where, and he used this knowledge to leverage his job security. He was impossible to work with, never did anything on time, never answered his pages, and did just enough work not get fired, but it was really, really hard to get him to do anything else. Finally, we gathered a team of experts (our staff plus vendors) to go as a group, figure out what he was doing, then fire him. His response? He deleted all the call center tables, databases, and destroyed all paperwork... then quit. We had him arrested, but he posted bail, and we never found him again. It took half a month to get everything working right, which meant we had to tell 300 call center employees they couldn't come to work or get paid until we called them back. Boy, was that a clusterfuck.

I saw this button once, "Now that I have changed the master password for the database, it is time to discuss my salary." Heh.

1997: The head of our HR department was fired due to some political bullshit. Standard procedure was to take an ex-employee's computer, wipe it, and give it back to the tech department. Guess what we lost because no one thought about it? All employee records for the department. Backup was on a single floppy that wouldn't load, and she hadn't done backup since the first of the year anyway. We had to have every employee resubmit 1099s and W4s, plus tell us honestly what vacation and sick they already took.

1999: Same company, same situation, but this time it was the guy who kept the entire tech department hardware inventory records. It took a year to recount what we had, and re-enter serial numbers and license keys into a new database. The stupid thing was, this guy made regular backups on the network drive... which was on a server they wiped by accident. Doh!

2001: After a round of layoffs, one of our more brilliant and inspired programmers had "expiration dates" on all his compiled software. He wrote most of the tools we still use today. Months after he was laid off, all of them stopped working on September 17th, 2001 at 12:00 midnight. The only way we got saved was that no one wiped his original desktop box (which had the source code on it, which is how we found out about the "expiration date"). So we recompiled without the date, and everything worked again. Due to WHEN it happened, our whole company thought we'd been attacked by terrorists (the clever generic error only said there was a "network failure") until the truth was revealed. Later we found 9/17 was his birthday, and it was just coincidence it happened so close to 9/11; the layoffs were in March, and they were unexpected and sudden. I doubt this guy had Al-Queda (sp?) connections, so he must have been planning this "job security" (as the comment in the code labeled it) way in advance.

Integrity?

[tsangc]

I see a lot of posts saying that if you pay people well, if you treat them better etc this won't happen. But it will, because even in the best environments, someone is unhappy.

What people need to remember is that personal integrity is important too. Two wrongs don't make a right.

A Decent Deterrent

[ReadParse]

...is 20 years in prison. It doesn't hurt to have national press coverage of the guys who have tried this and have failed. It's not like you can get away with this very easily.

Let's see? Who has had access to all of these systems? Who has recently quite or been fired? Who just sold a boatload of stock when we got hit? A smart admin realizes that there are other admins as smart or smarter. People can piece these things together, and obviously this employer and the government are taking this crime very seriously.

RP

Put options...

[Hubert_Shrump]

I have no idea what buying put options means, but with my "touch", the stock market is mine!

Anyone want anything on my way up?

Sysadmins are the least of my worries

[crivens]

Sysadmins are the least of my worries. I'm more worried about directors who screw up companies, or people who are brought in to manage the company whose only intention is to sell and make money. Yes B.L. that means you!

Re:20 years

[BattleTroll]

20 years seems harsh only when viewed in the context of a "victim-less" crime. However, most white collar crime has the potential to affect a larger number of innocents than most people consider.

Consider the consequences of an irrevokable malicious act on a trading company. If damage is broad enough the perp shuts down said company for days on end. Thousands of clients are unable to do anything during this time. Employees waste thousands of man hours attempting to rebuild wasted systems. If the damage is extensive enough, it could put the entire company out of business.

Just take a look at the fallout of the Enron situation and you'll find countless people who have lost entire life savings because of some "victim-less" white collar crimes. Not only is Enron dead, their consulting firm has died, thousands of people are out of work, numerous support companies have gone under, and thousands of people have lost millions upon millions of dollars in retirement savings. The consequences of Enron's illegal practices touch many people who did not have anything to do with the crimes being commited.

Don't assume because a crime doesn't physically harm someone that it has fewer consequences or requires lesser punishment. In the broad perspective of total social impact, white collar crimes have the potential to an aweful lot of harm to a large number of people.

On a somewhat related note...

What if the employee is a good guy? What if they have discovered one or more security flaws in the company's systems(s)? Flaws that range from minor (Joe Random customer being able to format a sales terminal) to intermediate (changing employee paychecks or discounting merchandise) to major (stealing the entire payroll account)?

The question: How does the employee tell the company without getting in trouble? After all,the employee did gain... improper... access to the systems to find out this information. obviously, the employee is good or they would have taken advantage of this opportunity, but the company may not see it that way.

So, how can the employee (or anyone, for that matter) handle this?

Re:On a somewhat related note...

[ellem]

Ask Randal Schwartz that question!

Re:On a somewhat related note...

What if the employee is a good guy? What if they have discovered one or more security flaws in the company's systems(s)? [...] How does the employee tell the company without getting in trouble?

He can't. I've had this happen to me one or two times. I've been pushed in to sysadmining (dammit, Jim, I'm a programmer, not a sysadm!) in this small association (about 60 employees, about 60000 members), and initially just assumed the system I took over was OK. After a year or so I discover, quite by accident, the first horrible thing... Every user PC has a small script on it, that contains the root password to the main server in plaintext.

Apparently, no-one knew. I was responsible, even if it was my predecessor (or his) that had written that script. What to do? Go up to the boss and say "Hey Joe! Funny thing, any employee may have had root access to the DB in the last five years! Ain't that funny?". No. Fix it. Shut up.

There were a few almost as horrible things I fixed quietly over the next few months.

I also have to confess that I have did a horrible blunder myself, that has gone undetected. What do you do when you find that a bug in an old program you wrote has lead (over the last six months) to >4% of your members mailing addresses beeing slowly mangled? When membership dues are mostly collected by mail? Which has lead to large losses for the association, and great unhappiness among the members?

Fix the bug, correct the adresses as much as possible, delete the evidence, lie when confronted. That's what you do.

Re:On a somewhat related note...

[proberts]

If you discover them in the normal course of business, you explain what you were doing and how you discovered them. Do it on paper, sign and date the paper, keep a copy on your person, send a copy to your boss and whoever else it makes sense to send it to.

If you took it upon yourself to "audit" the system without specificly getting permission, then you probably violated a policy and potentially broken the law. The real answer is "don't do that."

Obviously "good" is tied to "doing what you're authorized to do," NOT "finding things that could potentially be held over someone's head but not yet taking advantage of them.

The company is repsonsible for ensuring its shareholder value is protected from people who violate policies and laws.

Randall Schwartz got a felony conviction- I don't believe anyone argued that he was going to maliciously use the information he gathered, but he violated policy and the current law in that jurisdiction. Exceeding your authority accessing computer systems is wrong. If you want to look around *get written permission* from someone who's authorized to grant it.

I do computer forensics relatively often on behalf of corporate clients. If something ominous happened to a machine you'd just probed that evidence wouldn't do you any good- even if you weren't linked to the orginal problem.

If the work environment is right, go in and admit improper access, explain why it won't happen again without permisson and explain the findings. Otherwise, an unrelated event could put a bad spin on it that could do you real damage.

Paul

Re:On a somewhat related note...

[sakeneko]

Ask Randal Schwartz that question!

Yeah, and don't take a job with Intel. <wry grin>

Re:Good story until...

[The+Wing+Lover]

When you are a huge corporation, even a day's downtime to restore backups can cost $3m in lost productivity and business opportunities.

Re:Talk about cruel...

[orthogonal]

Their firing procedure: the boss invites you out to lunch. As soon as you are outside the turnstyle he says, "You're fired. Give me your ID badge." And you have to wait there a few minutes while a (former) colleague boxes up your personal effects and brings them outside to you.

Why the gratuitous cruely? To make recruitment of new employees so much the harder?

Bank officers *have* to take 2 weeks vacation

[bee]

Actually, banks are required by law to report to the Federal Reserve each year with a list of all officers of the bank (pretty much anyone in any manager role at all, plus major non-managers) who did not take 2 weeks of consecutive vacation that year.

In the past, this time was used to audit the person's desk. Nowadays, it's kept around under the theory that if someone wants to hide something, it's much more likely to show up if they can't cover their tracks for 2 weeks straight.

Re:similar story - bad for morale, though

[Insightfill]

My company also has the policy that while the employee to be fired is in their firing meeting...

They do that here, too. The catch is that to the rest of the employees, the firing can often look arbitrary, and everyone gets nervous.

For example, last month they let go of two people (for diff. reasons). Each of them had several meetings for "remediation" (warnings) for months in advance, but they had to finally let them go. The meetings were usually in private, so nobody else knew. All that anyone else knew was that suddenly they're packing up a box and saying goodbye.

The management isn't allowed to tell anyone it's coming since it's an HR policy, and the employee isn't likely to brag that they're "on the bubble", so all anyone else sees is that their own job appears to be pretty fragile. We all "know" differently, but the impression is there.

Don't delete, disable...

[Spoing]

As a rule I never delete an account or remove user identification information.

Nuking an account kills part of your auditing trail and/or proper file associations when you do it. Besdies, if you need to check something as a specific user it can be a bear to undo the dammage. Temporarily suspending access can happen just as often depending on the environment, so why not simplify it to one process?

Besides the practical option of re-enabling the account if the person comes back, disabling accounts is a good habit preventing nasty problems fixing mistakes (John Smith vs. Johan Smith).

Re:Don't delete, disable...

[Spoing]

Here's another reason to disable instead of delete;

If someone before you deleted President Joan Smith's account 'jsmith' when Joan left, and two years later Jimmy "The Fish" Smith comes in as a temp and given the 'jsmith' account, you've just given The Fish a corporate president's level of access to many resources on your network.

that's a good question, dark day for all.

[twitter]

What the hell just happened?

That's a very good question, it's too bad you were joking. You can fix the advert problem by adding "ALL: www.transfer.com" to your hosts.deny file. It uses CGI to load up images from other sites based on some hideous random number. Blocking the images from www.transfer.com does no good because the images come from other servers. Blocking all crap from them cleans the page up and eliminates their pop ups too. Now for the serious matter.

The article was a slam job. It has a byline of december 17th and says that they tried to contact the sixty year old perpetrator the same day he was due to go to trial. Duh, someone chruning through the justice system might be hard to reach. Yet we are unable to tell if he refused comment or was simply not reached. All we have is the accusation.

Presumption of innoncence is a nice thing to have. There are several reasonable explainations for this man's actions. He might have quit in disgust, having been overridden by management on several key issues and just known that the results would be catastrophic. We have no proof yet that he really planted "bombs", we have only the prosecutor's interpretation of what the company and software vendors told them. I wonder just how he will be able to defend himself without access to systems that have been manipulated by his accusers.

This case should send chills down your spine. There is no way to keep a responsible person from sabotaging a company. It's the same case in meat space, anyone can throw a monkey wrench into the works. In cyberspace much more is stacked against you. The evidence is not easy to explain, is easy to create and destroy, and is wholy controled by those accusing you. It can not be visited by your defenders and what they find if they could look can be modified without a trace.

Re:that's a good question, dark day for all.

[slashdot_commentator]

I agree with the general premise of your statement, but you are off on a couple points.

I wonder just how he will be able to defend himself without access to systems that have been manipulated by his accusers.

The legal mechanism is called discovery. Basically, well before a case goes to trial, the prosecutor sends to the defendant's lawyer the printed data containing all the evidence they plan to present to court to prove the defendant is guilty. There is none of this Perry Mason surprise witness/evidence crap in real life trials because it can be grounds for a mistrail (acquittal for the defendant). The defendant can even request access to certain evidence (like backup tapes) though I'm not sure how accommodating the prosecutor/plaintiff is required to be (IANAL).

The key indicator is when he procured the put options. Sure, someone else could have ghosted as the admin to put into place the logic bombs. But he/she would also have to purchase the put options while masquarading as them (tougher to do). (Note there would also have to be either person or phone transactions for the transaction to take place.)

Frame-ups have occurred before, but I don't think the computer age has made it MUCH easier for MNCs or governments or "The Net" type villians to sucessfully frame people. The courts still require prosecutors to proceed in the same "impartial" manner, with the same access to evidence by the defendant, as before the computer age.

OK.

[twitter]

You say:

- Design the system so that it requires change controls

So who has the "change control" if not the administrator?

- Take daily md5 snap shots of systems

Woot, the system stays the same and this dude's chron jobs execute on time.

- Always keep off site duplicates of your monthly full back ups. It's not just for DR; it's also for versioning.

I suppose your monthly full back up will save your bacon, as well as the chron job. Still, the chron job can be found and the data repaired. That's what happened here, right?

- Sue him out of existence and make sure EVERY employer in the area knows about it - not just for vengence, but also as a heads up to other rouge sysadmins.

Not so fast. First you have to prove that he did it. I have not seen anything but an accuasation yet. Imagine that you have a disagreement with your boss. The dumb dumb wants to do something you know will be a disaster, you disagree and quit. He does it, it's a disaster, then he blames and frames you siting you being dissatisfied with the subpar salary you put up with for years. Woops, you be very very rouge now, like third degree red, while your boss claims that you are a rogue.

In other words, follow best practices and procedures.

Words of wisdom to be sure.

Re:OK.

[Eponymous,+Showered]

No you would be very very rouge, like third degree red (as opposed to, say, second degree red?), for critiquing someone's spelling while talking about "chron jobs"

Duh!

[xmda]

Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"

In the same way one should prevent employees from placing out pieces of fish to rot in strategic places around the building, or other nice ways to sabotage: by taking care of their workers.

I don't see the difference between this way of sabotaging and my silly example above.

Re:Duh!

[gorilla]

This comment has been marked 'funny', but it really should be marked insightful. SysAdmins are not the only people who can cost their companies a lot of money. From throwing a brick through a window all the way up to 1.3 billion dollars in bad trades.

The answers are the same for all employees. Suitable controls on what they do. Suitable auditing on what they have done. Suitable reactions to what they can do. Making the employees care about the company (Which means don't screw them over).

Jurassic Park Lesson

[billtom]

Remember the lesson of "Jurassic Park":

If you don't pay your programmers enough money, a tyrannosaurus rex will eat your lawyer.

Re:Jurassic Park Lesson

[No+Such+Agency]

This is _hardly_ a deterrant ;-)

Re:Jurassic Park Lesson

[Cro+Magnon]

Damn, THAT'S why I didn't get that raise!

heh heh

[painehope]

We cook your meals,
we haul your trash,
we drive your ambulances,
we protect you while you sleep.
Do not fuck with us.
--Tyler Durden, Fight Club

We backup your servers,
we script your patches,
we don't mention the porn on your laptop,
we run your firewall,
don't fuck with us.
--Painehope

Buy insurance

[anthony_dipierro]

fund the policy from your employees salaries.

Allow employees to get a refund of most of the insurance salary deduction by being bonded for a few million dollars.

Alternatively, just take your chances and hope shit doesn't happen, or that if it does, you catch the person and they don't go bankrupt.

Another sysadmin horror story

[larsu]

This story is about a large company my previous employer did work for. Of course I won't say the company's name, but it's often used as a verb, and their products are probably in your office.

We were hired to write software to show our customer's customer how our customer was doing. It kept track of when shipments went out, things like that. It was replacing an earlier attempt from the sole sysadmin at that location.

Now I must mention that the entire network was 5 years old. Everything was purchased at one time, when the location opened, and nothing had been bought since.

Anyhow, the admin gives us a Compaq P75 workstation with 24MB and NT Workstation to use as our production web/database server. Significantly below our requirements. :)
He refuses to give us access to their current data to convert/test. Etc, etc. The Manager then gives him the ultimatum to comply or quit, so he walks out. No one there knows any passwords, no network diagrams, not even what boxes do what.

So I had to own every device on their network to give them control again. While writing the software we were there to do originally. Lots of 80 hour weeks, and my previous employer is a bunch of bastards so I was not well paid for it. But to this day, the customer location is still in business, and I have a terrific reference on my resume from them. :)

Had this myself

[theolein]

A company I previously worked for treated me like absolute crap. Eventually they threw me out and I before they threw me out they let me go clean up my desktop. I copied a "logic bomb" that I had studied out of interests sake onto the firewall and then left. This one required a specific IP/request to set it off, but I never did it, because after I had calmed down it was just too childish and irresponsible. They had been scared however, that I would do something like that and deleted all my accounts, thereby shooting themselves in the foot when they needed to work on the webserver sometime later, I heard from a former coworker. For all I know that bomb is still there today.

Re:This article isn't very good. Neat story though

[Minna+Kirai]

Their definition of logic bomb isn't quite accurate, it's a little too specific. Logic bombs and trojans are highly related (you could argue that either is a subclass of the other), but viruses are quite different.

A virus is a program fragment which, when run, inserts that same fragment in other programs. Today's mass media enjoys the word "virus" and applies it to many other kinds of malware- the recent headliners like Melissa, ILoveYou, and Code Red were mostly worms, not viruses. (A virus rarely spreads very fast, since the delay before infected programs are restarted introduces a lagtime)

The difference between Trojan and Logic Bomb is a little vaguer. Trojans are usually inserted into software by a programmer who wishes to gain access to a computer he doesn't administer. The canoncial logic bomb is something left behind to impair a system long after the bomber has gone away.

Usually "Logic Bomb" implies that there is some kind of timer mechanism involved, so that after you're fired the payload can still be delivered, even if the target computer has no internet access.

For instance, a simple logic bomb might be to schedule a job to delete all a server's files in 6 months. As long as you're employed, you can keep cancelling that job and re-scheduling it... but a while after you leave, boom! (More subtle payloads would be both more damaging, and less likely to get you caught)

Re:I got a +5

[kiwimate]

I got a +5 (Score:1, Funny)
by Anonymous Coward on Wednesday December 18, @12:12PM (#4916014)
And I forgot to be logged in.

Arrrggggghhhhh. Isn't that how it always goes.

Apparently, with you, yes it is. Jolly bad show, old chap.

Re:20 years

[cant_get_a_good_nick]

I remember reading a comment by somebody, somewhere (gee, can I be more vague?)...

I think it was in SF, and they got called for a survey about crime. They got asked "how do you feel about crime rates?" They asnwered "I think they're going up, Enron is stealing millions WorldCom is stealing millions, so is Xerox and a bunch of other guys." The survey taker was taken somewhat by surprise by this. "Um, no I mean street crime". "Oh you mean some guy who's going to steal $6 from my wallet instead of a couple thousand dollars from my grandma's pension fund?" The survey taker sid "um, yes." "Oh, I think that's getting better, though crime overall is bad."

Some junkie jonesing for a fix steals some car parts, goes to prison. WorldCom execs lie and still get millions from bankrupt companies.

Documentation

[jeepliberty]

I remember a CS professor saying there should be x comment lines per every line of code. Seems like it was more than 1:1.

In the real world your company should have code documentation standards. Unfortunately most standards seem to focus on compiled code (C,C++) and not php, perl, bash or configuration scripts.

In any case, typically sysadmins work unpaid overtime to meet unrealistic delivery schedules set by marketing or management.

Is it better to have a working system or unfinished well documented code?

Supervisors should set a good example. Peer code reviews and team projects lead to better documentation.

Beware of the lone wolf and loose canon.

Sudden interest in documentation

[Xandar01]

What about when you have been working for years with minimal documentation. Suddenly upper management wants you to document everything. Not too suspicious until you consider the amount of layoffs that has been happening recently. On the other hand new equipment is being implemented and there is more time during this slow economy.

So if "The writing is on the wall", do you take your time? Do you procrastinate? What quality do you provide? How much do you let your documentation interfere with your job hunting?

My boss was given this dilemma, right after setting up a W2K cluster. I think he followed the procrastination route. It seems management realized he is still worth what they pay him so they are not bothering about the documentation anymore.

Re:Sudden interest in documentation

[Clover_Kicker]

>What about when you have been working for years
>with minimal documentation. Suddenly upper
>management wants you to document everything. Not
>too suspicious until you consider the amount of
>layoffs that has been happening recently. On the
>other hand new equipment is being implemented and
>there is more time during this slow economy.

>So if "The writing is on the wall", do you take
>your time? Do you procrastinate? What quality do
>you provide? How much do you let your
>documentation interfere with your job hunting?

In a situation like this, you produce large quantities of paper documenting the stunningly obvious and/or completely useless.

Make a little binder for each server with serial #s, driver diskettes, and lots of info about obvious hardware and software setting. IRQs, driver revisions, patchlevels, IP addrs, MAC addrs, etc. Be creative, make it look SPIFFY SHINY PROFESSIONAL.

This style of documentation looks very impressive to management, who will not appreciate that it could be recreated by a trained chimp in a fairly short time.

The true BOFH scrimps on documentation by never explaining why things are set up the way they are. Never mention what problems you've encountered, or how you solved them. Don't explain the interactions of the systems, or which programs/machines depend on other programs or machines. Hell, don't even explain what task each server is doing!

Copious documentation of "what" is not nearly as valuable as documentation about "how" and/or "why". "What" can be discovered with a little effort, but the reasons "why" are often very obscure and complicated, i.e. "you had to be there".

The sad thing is, most documentation has exactly these weaknesses without even trying to be evil.

Your SIG

[Rick+the+Red]

I accidentally turned off the UPS powering the APC booth at Comdex.

What happened? Enquiring minds want to know!

[I'm guessing either nothing (the APC UPSs worked just fine and nobody noticed) or major disaster (APC wasn't using their own product).]

Re:Your SIG

[greenrd]

I read that as "I switched the UPS device into off mode", so it wasn't supplying power. Am I right?

Re:Your SIG

[mmol_6453]

Yeah...there was this huge UPS behind the displays, and I was fiddling with the menu...

Re:This article isn't very good. Neat story though

[alkali]

The foregoing is correct: buying options, in this case puts, is a good way to make an enormous return on large short-term movements in stock prices ...

... which is why the SEC investigates any large options purchases which occur shortly before large short-term movements in stock prices. If you're one of these lucky devils, they will probably get your name and address from your broker and see if you are employed by the company in question, if you work for a law or accounting firm retained by that company, if you have the same last name or home address as someone who works for the company, etc., etc.

There is nothing sinister about this kind of investigation; it's routine police work. (Likewise, if you're the town layabout, and the day after a masked man robs the town bank you start spending money like it was going out of style, the sheriff will probably peg you as a suspect.) What is amazing is that people do not realize that it is the SEC's job to do this sort of investigation: they just blithely go ahead with their stupid criminal plans. Even lawyers, who ought to know better even if they are unwilling to behave better, do this sometimes.

The perfect inside trader would have 10 loyal friends located around the country willing to make small purchases of options on his behalf, to forward him all the profits, and to stonewall the SEC investigators who come knocking. Believe me, you don't have 10 friends like that.

You mean they still trust you?

[upper]

That sounds very unusual. Typical US corporate procedure is not to give you a clue until you're done working, and then not to leave you alone until you're out the door. I know a guy at HP who is still technically an employee and doesn't have access to the site or his accounts. (IIRC, he has a couple months to look a job to transfer to within the company before he gets laid off and his severance pay starts.)

I guess it makes sense from the corporate prime directive of "maximize shareholder value". Presumeably the thinking is that you're loyal and you can't figure out you might be in line for the axe, but in the instant you get the news your loyalty evaporates. But it is not a reasonable model of how people work, and it is not humane.

On my honeymoon

[MrScience]

We got back after one day, and had more than 20 (!) messages on our answering machine. The entire line was shut down because the software was not seeing any new orders. My boss had been going around, saying, "Well, he's finally left. I knew he would do something like that. We're screwed."

Turns out some fool had modified a record without using the proper indexes (ancient FoxPro for DOS). Because the indexes were no longer synchronized, the software's "do while order == opened" loop hit a closed record that was indexed as open, and exited prematurely.

I went in, fixed it in five minutes, and left. They were bankrupt within 4 months, and I was thankfully on to a new employer (that didn't trust employees any further, but that's another story).

Uuh???

[pagercam2]

Aren't all sysadmins evil trolls that restrict user rights, sleep in server rooms and complain that they don't have enough control????

Logic Bomb?

[spun]

Okay, I have heard the term before, but it smells of fear mongering in this story. Trojan horse would have been more accurate. They use the term 'logic bomb' six times in a nine paragraph story.

CEOs and accountants do more damage to companies and steal more than this while getting less time in prison. I wonder if this guy is going to some cushy minimum security country club?

When rich people are caught stealing, the crime is getting caught, not stealing, and the punishment is light. When rich people's trusted tools are caught stealing, they are terrorists.

Re:Logic Bomb?

[Ymerej]

In this case, although it may have seemed like the writer of the article was sensationalizing it, they were actually using the term correctly. We have no idea whether or not it was a Trojan horse, and it may or may not have been a time bomb, but it was definitely a logic bomb. From Charles P. Pfleeger's "Security in Computing" 2ed. p 197:

A Trojan horse is a piece of malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect. An example of a computer Trojan horse is a login script that solicits a user's identification and password, passes the identification information on to the rest of the system for login processing, but also retains a copy of the information for later, malicious use. In this example, the user sees only the login occurring as expected, so he or she has no evident reason to suspect anything else.

A logic bomb is a class of malicious code that "detonates" or goes off when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date.

Re:Quis custiodet ipsos custiodes

[Jenova]

The presedent has his key, somone else has another key. The presedent doesn't have access to the second key, and the second key holder can't access the presedents key.You need both keys to launch the nukes.
----
I always like the other part of the same story, both the president and the vice-president gets same clerk to type in both the keys!

Re:Quis custiodet ipsos custiodes

[Dwonis]

You still have to trust someone to implement the double-key system.

Ethics are valuable for their own sake

[dheltzel]

I'm a UNIX sysadmin and Oracle DBA. I've always had root (and sys, for Oracle) on all systems I manage. I've done this for years and have never compromised any data or any system. And I don't think I'm an anomoly. As the admin, I'm very proud of the work I do and the efficacy of the systems I'm responsible for. Employers have extended a trust to me and I wouldn't dream of violating it. No amount of money would be worth the loss of self-worth.

At my last job, I had unfettered access (at work and at home) to thousands of customer's credit card info. It was not even a temptation for me (it was a source of concern that the info might be compromised by others, and I brought that to management's attention on a number of occasions). When the company started layoffs and morale plummetted, I left, but on extremely good terms. The level of trust between us was so high that I was asked to keep my secured access to the system in my home for several months in return for a consulting retainer.

When we were getting new PC's, they let us spec what we wanted. The PC dept prohibited us from ordering the PC's with CDRW's because they were afraid that we would use them to steal company data or code. My boss chuckled when I pointed out that it would be safer and more convenient for me to download said data or code via the company provided ISDN to my house. I just bought a CDRW myself and installed it. Either the PC guys never figured it out or they were afraid to mess we me. Doesn't matter much now, as they are all unemployed anyway.

Code Of Ethics

[Intrinsic]

Hearing about this kind of abuse really pisses me off, it puts us Sysadmins that are legit in a serious bind, and we are less trusted.

The Sys Admins need to form some kind of honor system/group, that puts a code of ethics in place that group members need to follow, If they are suspected of malicious intent during a screening process or on the job, they are banned from the group and can never work in the IT industry again, that's how serious these types of actions should be taken.

Then employers could at lest be assured that we tried to screen out as many plp as possible that are shady.

Anyway just my 2cents.

Sure this guy deserves some jail time...

[shepd]

But honestly, why is it that companies don't 3rd party audit departments that are so important to their continuation every year?

Do they just let the accounting department run wild?

Seems to me the company looks just as stupid as this guy for never picking this up.

Re:Beware the BOFH!

[RoboProg]

Man, the first example reads like a page out of BOFH! http://bofh.ntk.net/Bastard.html

(New boy comes in) "Here, hold this wire." (Bzzt!)

Yeah, it's a multi-faceted problem. I guess it comes down to "Don't hire jerks, and try not to be a jerk" as much as "redundant meat-ware".

When Slashdot Editors Attack

[Dirtside]

I like the fact that this article is titled "When Sysadmins Go Bad", as opposed to "If Sysadmins Go Bad".

ALTERNATE JOKE: What do you mean, go bad? I thought Sysadmins were all Chaotic Evil.

How do you think Saddam Hussein, etc do it?

[TheLink]

This is not a technology issue. These sort of problems cannot be solved with technology. Whatever you are entrusted to control or change you can destroy.

Don't put those you cannot trust in critical/important positions (same for the incompetent). There will always be critical/important positions. You can improve things by requiring cooperation/collusion between more than one party in order for things to be done. This has its costs. And if the untrustworthy are plentiful in your company, you might be doomed anyway.

Technology can help those you trust do their job properly - prevent/recover from mistakes, help manage people with various degrees of trustworthiness/integrity.

The AI proponents through their failures, have proven computers are no substitute for humans. Those pushing AIs created by modeling systems they don't understand, are laughable - I'd trust the resulting creations even less than humans, and definitely far less than a trained dog. And we all know software has bugs.

An organisation which cannot trust its people would have to spend a lot more money and resources vainly trying to extend the boss's capabilities and control (since the boss would then be the only one who can be trusted). However that scenario would render most of your employees capabilities redundant. And at a certain point the boss won't be able to oversee everything and would still have to trust someone else.