Fired Gucci Employee Accused of Attacking Network
WrongSizeGlass writes "Computer World, Information Week, The Register are all reporting on the story of a former Gucci IT employee who is accused of a November 2010 assault on Gucci's network, deleting files and virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server. The lost productivity is estimated at $200,000. Sam Chihlung Yin, 34, of Jersey City, NJ, allegedly created a fake VPN token in the name of a non-existent employee, which he tricked Gucci IT staff into activating in June 2010, a month after his employment contract was terminated by Gucci for unrelated reasons."
Down with fashion!
"When information is power, privacy is freedom" - Jah-Wren Ryel
They should be paying him that lost $200,000 for running the white-hat attack to fish out the vulnerabilities. Yeah that's it...White. Hat.
I remember a guy in intermediate school wearing Gucci. He used to dance a lot with the ladies, I don't know what happened to him. If he has a family I guarantee you he's feeding off of my tax dollars! GNU FTW!
It's funny how the closer something is to hacking, the less the word is actually used in an article. While this seems to me to be more of a result of bad policies (admin passwords were never changed) and social engineering (which is a form of hacking) than actual hacking, I find it funny that the term is hardly used at all, whereas when Anonymous tries a DDoS, it's ZOMG HACK0RZ!!!! every other line.
I wonder how long it took for the IT staff to determine the bogus user and remove remote access. The IT department must have activated that account with a minimum of domain admin permission. Bad IT policy at Gucci.
Conjugal visits? Not that I know of. Minimum security prison is no picnic. The trick is, kick someone's ass on the first day or become someone's bitch.
http://www.killerclips.com/clip.php?id=74&qid=669&PHPSESSID=6ea47a84f4b8b325495d3b4b2a7ed7cd
Learning HOW to think is more important than learning WHAT to think.
Being fired is likely to piss off someone whether they deserve to be fired or not.
Gucci...
Cleavon Little...
The new sheriff is a ni[BONG]
What he got fired for is irrelevant. Sounds like a nerd's way of "going postal" is to delete as many files as possible on their way out.
Revenge is not a smart move. You are most likely going to get caught and it will ruin your chances at future employment as soon as a prospective employer does a background check.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.
Occasionally living proof of the Ballmer peak.
I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.
The law about computer crimes should have strong penalties for managers that allow that shit to happen. It would be somewhat different if the guy still worked for the corporation, because it's much harder to guard against an attack from inside, but if someone is responsible for managing a valuable asset he should be competent enough to take reasonable precautions to protect it from any attack someone could bring from outside.
In other news Gucci recouped the lost revenue today with one sale (1 item). I kid I kid
Really? If I do something I deserve to be fired for, I am not going to hold it against the company. On the other hand, losing my job because the boss wants to put his girlfriend's dimwit brother in my place might piss me off enough for me to consider retaliation.
Thanks Gucci for not breaching time continuity for not firing him for something he would do in the future!
I'm curious, even if he was fired without any justified reason, and let's assume for the moment that it was for some petty reason, would you think what he did was in any way justified or correct? If you are withholding judgment to hear what the cause of his termination was, I'm trying to imagine any scenario that would justify his actions. Simply being pissed off doesn't work (for me, at least). If it wasn't virtual damage, but instead if on his way out of the building he did $200k damage by smashing computer monitors, slashing the furniture, and breaking the fancy piece of art in the lobby, would it be any different in your mind?
The thing is, it might not be what it seems. A few years ago I got fired, apparently because my incompetent boss thought I was after his job (which couldn't be further from the truth; the last thing I want to be is a manager). Thanks to at-will employment, I was escorted from the building without so much as a warning. A couple weeks later, one of their public-facing systems was cracked. Never mind that it was a system I didn't even have an account on, or that I knew much of anything about, and never mind that at the time I was diplomatically asking for a chance to plead my case with HR as the wronged party... the execs immediately assumed I'd done it, and sent the F-B-fucking-I to my house. It was probably a random drive-by cracking. It might have been my boss faking the incident out of spite for me, or some other asshole trying to frame me for lulz. But I had nothing whatsoever to do with it. I'm just lucky the Feds found my protests of innocence credible enough to not seize my computers (which incidentally had a bunch of downloaded porn (all of legal age as far as I know, but not by much, and just try proving that to a jury) and a couple dozen ripped movie DVDs on them (stuff I'd rented and wanted to watch again later), and could have been used to ruin what was left of my life at that point). All for being better qualified than my boss. So I'm a big fan of "innocent until proven guilty".
Ever seen what Buckyballs will do when placed in close proximity to a 15k drive?
America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
1) if you're going to fire an IT admin who has access to all your stuff, you meet him at the door in the morning while your other admins are changing passwords. He doesn't touch a computer in your building again. You'll put his files on a flash drive and don't let the door hit you on the way out.
2) Anyone posting IT post-firing sabotage fantasies who isn't posting as an Anonymous Coward deserves the results of their next interview. I'm looking at you sandytaru.
Of course we shouldn't feel sorry for the guy, nor should we feel sorry for the corporation. An employer that deals in injustice shouldn't be surprised to find injustice by the employee. Not that we know why he was fired to begin with.
And no, the damage done is damage done; it makes no difference how it was perpetrated. Simply punish him fairly and move on, as he may have felt his punishment was worth the revenge.
There is no question that what he did was wrong but there should also be no surprise considering how many places treat their employees.
Quote from google finance.
"Gucci Group, an Italian company with a Dutch address that sells French fashion, does quite well in Japan, too. Its offerings include handbags and other leather goods, shoes, ready-to-wear clothing, cosmetics, skin care, jewelry, and watches. Gucci family squabbles and imprudent licensing once nearly doomed the firm. New management revived it with fresh product lines and stricter licensing, as well as heavy investing in its Asian presence. Gucci operates more than 550 stores worldwide and wholesales products through franchisees and upscale department stores. French retailer PPR purchased almost all of the remaining shares in the company in 2004, taking its interest up to 99.4%."
Although this is a private company, I'd guess that recent events (tsunami, credit crunch) have put this company into the corporate death spiral. But it needs to be confirmed... wonder if Gucci turnover figures are available from any ex-employees.
In other words... this is why anti-nepotism laws should be made a requirement of any business over the size of a 10-person "family business."
I don't believe any mention has been made about the reasons for the original termination.
Maybe this guy had a real asshole boss or something.
Doesn't completely excuse what he did but....
At least he didn't follow the Postal model of getting even.
On behalf of all of us... fuck you.
I help my friends with their PCs all the time. I do it out of the kindness of my heart. I help my parents when I can.
But when I help them, I also educate them. I show them what I'm doing. I double-check to make sure they've got up-to-date virus protection, an up-to-date OS, and a properly locked down home network (PC direct into cable modem = AUGH).
And I tell them look - I'm your friend. I'm helping you out. But I get a ton of people asking for this every day. Coworkers constantly ask for "help" with their personal machines. Friends-of-friends. Friends want someone to help their mom, or their aunt too. I could make a full-time job of "helping friends" with their computer and NEVER MAKE A FUCKING DIME. So I have to limit it. And that means that I'll gladly help a friend out, provided that they're not just being total morons about this stuff and doing crap I warned them not to do.
Is it a bit rough? Sure. Do I want to be a 24/7 free "tech help center" for anyone who has my cell number? Fuck no.
In conclusion, if you didn't read the link the first time, fuck you. I guarantee if you treated a doctor, lawyer, carpenter, or car mechanic the way you treat the IT/Computer people, they'd tell you to fuck off as well.
I heard most geeks are like that because (...)
The problem is clearly not with the geeks if you are gullible to the point of believing everything you hear.
200K? That's what, a belt, a pair of shoes, three handbags and a couple pairs of sunglasses.
"Flyin' in just a sweet place,
Never been known to fail..."
Why wasn't this guy's password deactivated? Did Gucci actually have a common, all-powerful password known to all the engineers? We did that at our little IT shop because we didn't have full control of the network (we were a first response team to the main IT guys). It seems like you would give the guys some logins to use for things, use LDAP or Active Directory groups to put them in the admin user level, and then when they leave/get fired/downsized/outsourced/etc. revoke them from the admin group(s).
How many times do we need to read "Fired techguy used his/known admin passwords to cause hell" before someone catches on?
Procrastinating life a way at a rapid rate of speed.
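The offboarding controls raised in this thread (meet the departing admin at the door while the other admins rotate credentials, manage admin rights through directory groups so they can be revoked in one step, and notice quickly when an account exists for a non-existent employee) all reduce to the same periodic check: reconcile what the directory and the VPN token inventory say against what HR says. The script below is an added example, not anything from Gucci or from the articles; the record formats, group names and the sample roster are constructed for illustration. It flags accounts with no matching HR record (the "ghost employee" case from the summary), accounts still enabled or still in admin groups after their owner's termination date, and VPN tokens assigned to unknown users or activated after the owner left.

```python
"""Offboarding audit: reconcile directory accounts and VPN tokens with the HR roster.

Added example with constructed data; the record layouts and group names
are assumptions, not any real organization's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    terminated: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]       # None means the account maps to no HR record
    enabled: bool
    groups: FrozenSet[str]


@dataclass(frozen=True)
class VpnToken:
    serial: str
    username: str
    activated: date


# Groups that confer administrative power; membership should end with employment.
ADMIN_GROUPS = {"Domain Admins", "SAN Admins", "Exchange Admins"}

Finding = Tuple[str, str, str]  # (code, subject, detail)


def audit(employees, accounts, tokens, today: date) -> List[Finding]:
    """Return findings, ordered accounts first, then tokens."""
    by_id = {e.emp_id: e for e in employees}
    by_user = {a.username: a for a in accounts}
    findings: List[Finding] = []

    for a in accounts:
        owner = by_id.get(a.emp_id) if a.emp_id else None
        admin = sorted(a.groups & ADMIN_GROUPS)
        if owner is None:
            # No HR record at all: the "fake employee" pattern.
            detail = "no matching HR record"
            if admin:
                detail += f"; admin groups {admin}"
            findings.append(("GHOST", a.username, detail))
            continue
        if owner.terminated and owner.terminated <= today:
            if a.enabled:
                days = (today - owner.terminated).days
                findings.append(("STALE", a.username, f"enabled {days} days after termination"))
            if admin:
                # Disabling the account is not enough; group membership must go too.
                findings.append(("STALE_ADMIN", a.username, f"still in {admin}"))

    for t in tokens:
        a = by_user.get(t.username)
        if a is None:
            findings.append(("ORPHAN_TOKEN", t.serial, f"assigned to unknown user {t.username}"))
            continue
        owner = by_id.get(a.emp_id) if a.emp_id else None
        if owner and owner.terminated and t.activated > owner.terminated:
            findings.append(("POST_TERM_TOKEN", t.serial,
                             f"activated {t.activated} after {t.username} terminated {owner.terminated}"))
    return findings


# Constructed sample data loosely mirroring the timeline in the summary.
SAMPLE_EMPLOYEES = [
    Employee("E100", "Alice Example", None),
    Employee("E200", "Bob Example", date(2010, 5, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"Domain Admins"})),
    Account("bob", "E200", False, frozenset({"Domain Admins"})),   # disabled, group left behind
    Account("jdoe", None, True, frozenset({"Domain Admins"})),     # no HR record
]
SAMPLE_TOKENS = [
    VpnToken("T-0001", "alice", date(2009, 1, 10)),
    VpnToken("T-0002", "jdoe", date(2010, 6, 15)),
    VpnToken("T-0003", "bob", date(2010, 6, 15)),                  # activated after termination
]


def run_sample(today: date = date(2010, 11, 1)) -> List[Finding]:
    return audit(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, SAMPLE_TOKENS, today)


if __name__ == "__main__":
    for code, subject, detail in run_sample():
        print(f"{code:16} {subject:10} {detail}")
```

Run it on a real export by replacing the three constructed lists with rows from HR, the directory (LDAP or Active Directory group membership) and the VPN concentrator's token table; the useful property is that a ghost account is caught even when it sits in no admin group, and a departed admin is caught even when the account was disabled but the group membership was never removed.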
Um, nothing? I play with them next to my HDs all the time and the backups still work fine. Of course this is my personal machine and I am not too paranoid about the backups getting hosed.
We also took some HD magnets (scrapped from an old HD we just wiped) and tried to zap a stack of remaining HDs to be wiped with them. No luck. We could still read the data off of it when we tested to see if the magnets worked so we had to DBAN each and every one of them.
Buckyballs next to the tape archives.... well that's a different story.
Procrastinating life a way at a rapid rate of speed.
I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.
Yeah, I have had those fantasies too. You don't realize just how much damage you can do until you sit and think about it. After being let go by a retail chain with about 700 stores I realized that in about 15min I could pretty much put the entire chain out of business. They had just scrapped all their phones for VOIP and I had the passwords to all the routers and knew they had the domain admin password hardcoded into the mainframe (I had tried, unsuccessfully for over a year to get them to change that). It would have been very easy to vpn in using the admin account, telnet to the furthest VOIP router and erase mem my way back to the office effectively wiping out their phone network. Then, set the tape robot to bulk erase (they didn't use offsite storage - too expensive), wipe the fileserver, domain controllers, AIX and Linux and logoff. They also refused to buy any intrusion detection software so very little chance of getting caught. I would never do that, but it gave me a little perverse pleasure knowing that I could.
That company is still in business and I know of at least two instances where they have had breaches due to their refusal to implement even the most basic of security precautions. Still, I should thank them for canning me. I now work for a Fortune 500 company making more than double what they were paying, so all's well that ends well I guess.
For publicly traded companies. Private companies should have the right to shoot themselves in the foot all they want.
Sam Chihlung Yin allegedly created a fake VPN token... which he tricked Gucci IT staff into activating a month after his employment contract was terminated by Gucci for unrelated reasons.
I certainly hope the reason they fired him wasn't for something he hadn't done yet. Especially if it was in retaliation for being fired in the first place.
It's like you have an employee who duplicates his company keys and burns down the company at night. What he did is he committed a crime. If he did that with fake accounts or fake keys makes no difference. If I got fired I WOULD NOT EVEN REMOTELY THINK of harming the company... what he did is really dumb and even if he left in anger, this does not justify any of his actions. I once got fired, but I worked till my last day like every day. Especially in IT you have to have some kind of tact, or you are COMPLETELY WRONG in IT. With great power comes great responsibility!
We've been having a lot of trouble with you lately, and that ALL-CAPS tirade is the last straw. You're fired, now grab your coat and hat and get the hell out!