Slashdot Mirror
Disgruntled Engineer Hijacks San Francisco's Computer System
ceswiedler writes "A disgruntled software engineer has hijacked San Francisco's new multimillion-dollar municipal computer system. When the Department of Technology tried to fire him, he disabled all administrative passwords other than his own. He was taken into custody but has so far refused to provide the password, and the department has yet to regain admin access on their own. They're worried that he or an associate might be able to destroy hundreds of thousands of sensitive documents, including emails, payroll information, and law enforcement documents."
With backups no data will be lost. Oh, those are encrypted?
...you disable his account *before* you tell him he's fired.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
Next thing you know, we'll have some dinosaurs on the Presidio.
Idiotic new law in 5...4...3...
We all dream about doing this to our ex-employer, but he's the one who's had the balls to do it!
No, not all of us do. Especially those of us who don't do things that get ourselves fired.
This guy's the limit!
He was arrested AFTER he disabled everyone else's account.
What do you recommend they do next time, use a crystal ball or ouija board to predict who's going to pull such a stunt?
There was an unsuccessful attempt to fire him. The article also mentions that he was essentially spying on people to learn things being said about him.
Why the hate towards the public sector? I have found the exact same shit going on in private companies, many of them quite successful.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Especially when it makes a crime a Felony. That is one of the four felonies charged to him. The other three are all related to tampering with a computer network.
While this guy is obviously an idiot for thinking he could blackmail a government entity I am quite pleased the security on the system is sufficient to make it hard to get into when strong security is put into place. In other words, nothing annoys me more than so called secured systems having some means of password decryption, let alone the ones that allow admins to see them plain text.
what is going to interest me is how many years they will attempt to land on him. Just how offensive to society is this type of crime versus murder or rape. It seems that every new crime invented by the government gets stronger penalties than existing ones; if only to make it appear more valid. After all the penalty wouldn't be so severe if it were not really a crime now would it?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Large municipal department of technology seeking software engineer for a multimillion-dollar computer system. At least 5 years of previous experience required. Must be able to gain administrative access to a system where the password is not known. Hiring immediately!
If you need a recognized code of ethics to tell you that sabotaging your ex-employer's system isn't right, then no code of ethics can help you. Unfortunately this guy screws it up for all of the honest techs who work hard to earn the trust which they need for doing their jobs.
I've been in a position to do this (I was still rooted from home in three systems, and though they changed the passwords, they didn't kick active sessions) and all I did was change the MOTD to "When firing a user with root access, make sure to abort existing sessions."
Professionalism is key if you expect to be trusted with access to big sexy systems.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
FTFA:
"At a news conference announcing Childs' arrest, District Attorney Kamala Harris was tightlipped about what his motive may have been."
I think there's more going on here than we're being told.
That director over there, he gets a golden handshake as he goes out the door... You want to keep him sweet because he knows where all your dirty secrets are and could cause all sorts of trouble for your operation.
The sysadmin, youre going to kick out the door becuase hes blue colar... Oh, wait a minute... He really does know where all your dirty secrets are and really can bring your operation to its knees. In fact hes far more dangerous going out the door than the exec... pity you didnt think of that.
Execs are heaved out the door all the time for being incompetent, but its done with kid gloves because theyre deemed to be potentially damaging... And they wear a suit.
Word of advice: if youre sacking somebody who can bring your operation to a grinding halt, make sure you you keep them sweet, regardless of the job they do for your organisation. Its simple business.
Thats why you run unpatched windows, it will take only 4 minutes to get access.
log in in init 1 (runlevel 1) and change the root password or;
/etc/shadow change this:
in
root:$2$3bJ7DS4R$rV45lDlqNsfDRntfO1NCk0:14069:0:::::
look exactly like this:
root::14069:0:::::
this and you can log in to root without any password
maybe other *nixes are close enough to do the same (BSD or solaris)
on ubuntu the root shadow is a little differrent since it is disabled with an asterisk:
root:*:14069:0:::::
just remove the asterisk
Politics is Treachery, Religion is Brainwashing
By using the fact that they still have physical access? Resetting his password, or re-enabling other admin accounts is trivial if you can boot the target server with a recovery disk or something along those lines.
The lesson here is that a sufficiently large corporation is indistinguishable from government. --ultranova
Number one rule in IT. If i have PHYSICAL access to a system i can get in. Some way, some how.
Government Agency rule number one: If I have PHYSICAL access to a criminal, I can get information. Some way, some how.
A reputation, based on people with a serious ideological axe to grind. Blind faith in the market producing magical efficiency gains is contrary to everything I have seen during my professional life, both in the public and private sector. From my perspective, I have never seen one bit of evidence to show there is any truth to it outside the imaginations of Tory politicians.
Furthermore, people like you who are so besotted with 'market forces' did attempt to introduce them to public services in the UK, and it has been an unmitigated disaster. The inability of internal prices to truly reflect the quality of services has resulted in huge waste, massive bureaucracy and a decline of standards. Now, the ideologues are at it again trying to push for a new round of 'targets' in the NHS. They never learn.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Poor soul. All pissy over a job that pays 150K/yr? This guy lacks perspective, huge. If incarceration and bankruptcy don't help him figure things out - perhaps a stint delivering pizza or a cardboard sign at the offramp.
[...] trusted with access to big sexy systems.
Mmm, fat chicks... <drool>
None of us know all the facts of the situation, but I think it's pretty obvious that this guy was just trying to maintain his livelyhood through a misguided attempt at job security. If we had an IT Union looking out for our careers that gave us some sort of protection against the arbitrary whims of upper-management, then maybe this wouldn't have happened.
As for the idea that the guy might have shared his password with some unscrupulous feind... how many of you, had you actually been given admin access to SAN FRANSISCO would really share that password with anyone? Drastic, misguided, sure... but stupid? Come on, there had to be a reason he got the job in the first place.
"Knock the stones together, guys!"
Talking of what people want to do to their employer... There was this large semi state-owned telecomms company (and a much-hated monopoly for very long in our dear country) that I contracted at. This happened after I moved to another job, but I still had contact with a lot of ex-coworkers. Allegedly a middle management type was sacked, and a few days afterwards he came in again (no idea how he got past various access controls) to (literally) make a stink: he had several shopping bags containing excrement (human, apparently, though it probably was not all his own), which he managed to smear across his own as well as his ex-boss' desk and office wall before being apprehended. Now the office building was one of these modern new agey glass and concrete monstrosities and consisted of 4 floors of open plan desks, with a large opening down the center the same shape and size as the huge lobby and indoor garden on the ground floor - thus no way to contain the "spill".
Apparently, this is one of the more widespread fantasies employees at that place have.
Not to give anyone any ideas or anything....
Free, as in your money being freed from the confines of your account.
I didn't actually intend to. This was about 15 years ago. I got hired to take care of payroll at a warehouse, which was a completely paper-based process. I suggested that I could transfer the whole operation onto a computer and be more efficient. They said go ahead, but for security be sure to password protect it.
It ended up taking me only a couple of hours to do what had been an all-day job, and naively I told them this and suggested that there were other areas of operation in the plant I could similarly improve. Instead, the next day they canned me - they wouldn't say why, only "It just isn't working out."
The day after that I was glumly poking through the classifieds when I got the call
"Hi, how are you doing?"
"Well, I'm unemployed. That doesn't help."
"Ah, yes... well. Say, you know your payroll system? It's password protected."
"Yes, I know. You asked me to do that." A little bubble of joy started in my chest.
"Well, could you tell me what the password is?"
"I could... but I don't work for you any more, do I?" Then I hung up.
Oh, all the raw data was still available on paper, but I'll bet it took them weeks to straighten it all out completely.
This is specifically described in the NIST/NSA protection profiles: when a user's access is revoked, all active sessions and running programs should be terminated as well.
Palm trees and 8
This isn't nearly the worst I've heard of though. The worst was a guy who locked all accounts, deleted files, and placed a high strength magnet in the tape drive so when they went to restore they screwed up the backups. That company went out of business AFAIK and the loser involved served jail time and worked for the rest of his life to try to repay the owner.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
In the scenario you descibre, the streets would become choked with dirty, unsafe buses and traffic would grind to a halt. This, in fact, happens.
Like so many market fundamentalists, you just can't see how easily your ideology falls flat on its face in the real world, or you would've seen the flaw in your own argument.
You are essentially laying all inefficiency at the feet of the 'state' - i.e. any actor that isn't an entrepreneur - and then using that as 'proof' that the entrepreneur is more efficient. This is what people smarter than you refer to as 'circular logic'.
Perhaps, when you've grown up, experienced the real world a bit and stopped reading Ayn Rands bullshit, you might get a clue.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Seems kind of funny that the article reports the DA is "tightlipped" about his motive. Makes me wonder if he is 'disgruntled' for a reason that would embarrass the agency if it got out.
Also pretty funny that they go into great detail about his salary, which seems kind of low to me for the area or at least average. Sounds like they are trying to make him seem unsympathetic in the public eye.
When information is power, privacy is freedom.
Firing someone for poor performance (as opposed to firing someone for a single unacceptable action) takes time....and MUCH coordination...at least everywhere that I have worked.
In a decently managed environment, the employee knows in advance that his management views his/her performance as unacceptable since the manager has discussed it with the employee and laid out a plan for improvement. Even an average employee could see the writing on the wall weeks/months in advance...but this individual was also using his administrative access to monitor related email messages.
If his group comprised even a moderately-sized MIS group, you could pull his admin responsibilities and transfer him to a role with lesser rights during the period of performance review and monitoring...but this individual was most likely hired to do this very specific job...and there may not have been another position in to which he could transition naturally...even temporarily.
My question - where are the backup tapes? Pull the tapes from a date prior to his manipulation of the system. Presumably, it should not be that long ago if they were ensuring that at least one other admin had routine access to the system. In such a case, they should have known within 24 hours that he had done something. If, on the other hand, he was a one man show, then I think that they are screwed until he gives up his password...which he will. Mark my word.
Of course, if we all had wings, we'd fly. Then reality sets in. Can't change the past.
I'm sure he was plenty stable until he became disgruntled, otherwise he wouldn't have ended up with the admin passwords, no?
Get fucked, asshole. The last thing this country needs is for butthurt pussies to define another ordinary crime as "terrorism" because they think a particular perp should be punished more "as an example" or because they're afraid.
This is not terrorism. It's an act of sabotage by one individual (who should undergo a psych eval) who should be prosecuted to the extent of the law, and to a lesser extent it's a failure of leadership for his bosses.
Hail Eris, full of mischief...
E pluribus sanguinem
For those who wonder what kind of working environment DTIS has:
PeopleSofts HRMS 8.x application software.
PeopleTools 8.4x, PeopleCode, SQL, SQR, COBOL, Application Engine, Oracle and HP/UNIX.
IBM hosts and DB2
Microsoft SQL Server 2000
Just look for open positions and you know what they are running.
Step 1: make bomb
Step 2: go to spice market
Step 3: asplode self and random shoppers
Step 4: Prophet
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This guy is the reason the rest of us have to deal with such draconian security measures around the office place. He has made life worse for everyone he works with and everyone whose CEO reads about this in the newspaper.
Check out my lame java blog at www.javachopshop.com
.
or sued. or jailed.
or would rather not spend the remainder of our prime earning years shelving stock at WalMart or flipping burgers for McD.
If you need a recognized code of ethics to tell you that sabotaging your ex-employer's system isn't right, then no code of ethics can help you.
Integrity and reputation is typically more profitable than malice and destruction.
I've been in the business a few years, and as you get older, you acquire positions of trust. You have too, you can't be "starting out" your whole career. This sort of behavior is a deal breaker. No one will hire him.
When laid off or fired. Collect your stuff, shake hands with your boss, tell them what is left to be completed, politely and with insight, try to be constructive with any discussions on the exit interview. Even a complete moron will leave a better impression than the greatest genius.
Once out, have a beer or two. Calm down. If you'r any good at all, when they are picking up the pieces of the layoff, they'll remember you attitude and professionalism and probably pay you contractor wages to do stuff while you collect unemployment and look for a new job.
Back in the 80's I had an analyst working for me that seemed to become more unstable as each day passed.
We had a big project that he was working on and making great progress but then he started feeling like the software he created was his and not the company's.
I talked it over with the regional VP as we did not have any reason to fire this guy but yet feeling more flaky with him all of the time.
Plus replacing him would set the project back months.
So I went in each evening (only lived a mile from the office) and made a backup of the files just in case.
The project was successful and in retrospect making the backups kept me sane and kept the pressure off of him that he would feel if I was nervous or watching him too closely.
It seems we attract those things we fear.
Dealing with brilliant but somewhat unstable (supposedly) individuals is a tricky balance and occasionally the situation can tip in the wrong direction.
Sounds like this case in SF tipped all the way.
And in the end, the love you take is equal to the love you make
My temptation was excessively high. I got the shaft for no good reason, and I was told that either I'd resign or they'd sue me for some kind of breach of contract: they didn't want to have to pay my unemployment, so they made this threat...I can't even remember what it was about now, but I do remember that the PHB...
Oh wait, I remember, it was an Arcview application that had never gotten completed because the demographic data was hung up at the state level, and he kept calling it Arcserve. So yea, I'm sitting there listening to this fat idiot with the bad hairpiece threatening me with a breach of contract dealing with a Windows backup program which we didn't even sell.
What a moron.
Anyway the "contract" was a complete handshake agreement, no paper work, no actual project specs, nothing, and the ball was in the clients court anyway, and in my opinion, they had no real interest in it in the first place. Basically he was trying to force me out to isolate one of the partners (my actual boss), and he was a real asshole about it.
So I had a moment, when I realized I had basically unlimited access, where I was tempted. I'm not a fuckup like the guy in San Fran either; I could have set shit in motion that would never have been caught, and I knew the state their backups were in.
But I'm a professional, and while I never would have been caught, I wouldn't have felt like I could be trusted with the big systems, wouldn't have been able to sit in an interview and say that my personal integrity matters more to me than just about anything.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
It's just not that easy for a sysadmin, especially a major one. For myself, I've got passwords, SSH-keys, and many other access points everywhere in my company. It's not because I want to screw with them, but because they tend to call me at all sorts of different times and I never know if I'll need secure access to the server.
So, routing rules from home. Public SSH keys on various border-servers with my USB-drive having the private keys, etc. They're all used for doing my job, and if I'm fired (not sure why I would be though) I'll just move on to the next one without tainting my career and doing something stupid to burn bridges. However, I could see a *bad* sysadmin using these same tools and more to entrench himself so deeply that you'd almost have to rebuild the entire infrastructure from scratch to find all the back-doors.
If this guy was a real dick (but a clever+smart one), knew it, knew he was going to be canned, and prepared for it... then how are you going to know that your authentication methods, your binaries, or even your kernels haven't been messed with in some way? MD5 sums only go so far when you have hundreds of systems tied together.
Here it is...
Dear Mr. Baker,
As an employee of an institution of higher education, I have few very basic expectations. Chief among these is that my direct superiors have an intellect that ranges above the common ground squirrel. After your consistent and annoying harassment of my co-workers and me during our commission of duties, I can only surmise that you are one of the few true genetic wastes of our time.
Asking me, a network administrator, to explain every nuance of everything I do each time you happen to stroll into my office is not only a waste of time, but also a waste of precious oxygen. I was hired because I know how to network computer systems, and you were apparently hired to provide amusement to your employees, who watch you vainly attempt to understand the concept of "cut and paste" as it is explained to you for the hundredth time.
You will never understand computers. Something as incredibly simple as binary still gives you too many options. You will also never understand why people hate you, but I am going to try and explain it to you, even though I am sure this will be just as effective as telling you what an IP is. Your shiny new iMac has more personality than you ever will.
You wander around the building all day, shiftlessly seeking fault in others. You have a sharp dressed, useless look about you that may have worked for your interview, but now that you actually have responsibility, you pawn it off on overworked staff, hoping their talent will cover for your glaring ineptitude. In a world of managerial evolution, you are the blue-green algae that everyone else eats and laughs at. Managers like you are a sad proof of the Dilbert principle.
Seeing as this situation is unlikely to change without you getting a full frontal lobotomy reversal, I am forced to tender my resignation; however, I have a few parting thoughts:
When someone calls you in reference to employment, it is illegal for you to give me a bad recommendation as I have consistently performed my duties and even more. The most you can say to hurt me is, "I prefer not to comment." To keep you honest, I will have friends randomly call you over the next couple of years, because I know you would be unable to do it on your own.
I have all the passwords to every account on the system and I know every password you have used for the last five years. If you decide to get cute, I will publish your "Favorites," which I conveniently saved when you made me "back up" your useless files. I do believe that terms like "Lolita" are not viewed favorably by the university administrations.
When you borrowed the digital camera to "take pictures of your mother's b-day," you neglected to mention that you were going to take nude pictures of yourself in the mirror. Then, like the techno-moron you are, you forgot to erase them. Suffice it to say, I have never seen such odd acts with a ketchup bottle. I assure you that those photos are being kept in safe places pending your authoring of a glowing letter of recommendation. (And, for once, would you please try to use spellcheck? I hate correcting your mistakes.)
I expect the letter of recommendation on my desk by 8:00 am tomorrow. One word of this to anybody and all of your twisted little repugnant obsessions will become public knowledge. Never f*ck with your systems administrator, Mr. Baker! They know what you do with all that free time!
Sincerely
David Blocker
Network Administrator
1. declare him a terrorist
2. torture him
3. ???? [redacted for national security reasons]
4. password!
If they were using symmetric cryptography correctly, it could be virtually impossible to recover any of the information without first recovering the password.
Actually, this is the perfect way to test the strength of symmetric encryption algorithms. For those cryptographers with tin-foil hats (http://www.schneier.com/essay-198.html), seeing how long it will take for various three lettered agencies to recover the data will illuminate a previously dark room containing the question, "How safe is your data really?" It seems to me that this guy is doing the whole cryptography community a favor.