Fired Gucci Employee Accused of Attacking Network
WrongSizeGlass writes "Computer World, Information Week, and The Register are all reporting on the story of a former Gucci IT employee who is accused of a November 2010 assault on Gucci's network that deleted files and virtual servers, took a storage area network offline, and deleted mailboxes from the corporate email server. The lost productivity is estimated at $200,000. Sam Chihlung Yin, 34, of Jersey City, NJ, allegedly created a fake VPN token in the name of a non-existent employee, which he tricked Gucci IT staff into activating in June 2010, a month after his employment contract was terminated by Gucci for unrelated reasons."
They should be paying him that lost $200,000 for running the white-hat attack to fish out the vulnerabilities. Yeah that's it...White. Hat.
It's funny how the closer something is to hacking, the less the word is actually used in an article. While this seems to me to be more of a result of bad policies (admin passwords were never changed) and social engineering (which is a form of hacking) than actual hacking, I find it funny that the term is hardly used at all, whereas when Anonymous tries a DDoS, it's ZOMG HACK0RZ!!!! every other line.
I wonder how long it took for the IT staff to determine the bogus user and remove remote access. The IT department must have activated that account with a minimum of domain admin permission. Bad IT policy at Gucci.
Conjugal visits? Not that I know of. Minimum security prison is no picnic. The trick is, kick someone's ass on the first day or become someone's bitch.
http://www.killerclips.com/clip.php?id=74&qid=669&PHPSESSID=6ea47a84f4b8b325495d3b4b2a7ed7cd
Learning HOW to think is more important than learning WHAT to think.
Being fired is likely to piss off someone whether they deserve to be fired or not.
What he got fired for is irrelevant. Sounds like a nerd's way of "going postal" is to delete as many files as possible on their way out.
Revenge is not a smart move. You are most likely going to get caught and it will ruin your chances at future employment as soon as a prospective employer does a background check.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.
Occasionally living proof of the Ballmer peak.
"I dunno ... Play chess. Screw."
"Let's stick with chess."
I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.
The law about computer crimes should have strong penalties for managers that allow that shit to happen. It would be somewhat different if the guy still worked for the corporation, because it's much harder to guard against an attack from inside, but if someone is responsible for managing a valuable asset he should be competent enough to take reasonable precautions to protect it from any attack someone could bring from outside.
Thanks Gucci for not breaching time continuity for not firing him for something he would do in the future!
I'm curious, even if he was fired without any justified reason, and let's assume for the moment that it was for some petty reason, would you think what he did was in any way justified or correct? If you are withholding judgment to hear what the cause of his termination was, I'm trying to imagine any scenario that would justify his actions. Simply being pissed off doesn't work (for me, at least). If it wasn't virtual damage, but instead if on his way out of the building he did $200k damage by smashing computer monitors, slashing the furniture, and breaking the fancy piece of art in the lobby, would it be any different in your mind?
Ever seen what Buckyballs will do when placed in close proximity to a 15k drive?
America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
1) if you're going to fire an IT admin who has access to all your stuff, you meet him at the door in the morning while your other admins are changing passwords. He doesn't touch a computer in your building again. You'll put his files on a flash drive and don't let the door hit you on the way out.
2) Anyone posting IT post-firing sabotage fantasies who isn't posting as an Anonymous Coward deserves the results of their next interview. I'm looking at you, sandytaru.
In other words... this is why anti-nepotism laws should be made a requirement of any business over the size of a 10-person "family business."
On behalf of all of us... fuck you.
I help my friends with their PCs all the time. I do it out of the kindness of my heart. I help my parents when I can.
But when I help them, I also educate them. I show them what I'm doing. I double-check to make sure they've got up-to-date virus protection, an up-to-date OS, and a properly locked-down home network (PC direct into cable modem = AUGH).
And I tell them look - I'm your friend. I'm helping you out. But I get a ton of people asking for this every day. Coworkers constantly ask for "help" with their personal machines. Friends-of-friends. Friends want someone to help their mom, or their aunt too. I could make a full-time job of "helping friends" with their computer and NEVER MAKE A FUCKING DIME. So I have to limit it. And that means that I'll gladly help a friend out, provided that they're not just being total morons about this stuff and doing crap I warned them not to do.
Is it a bit rough? Sure. Do I want to be a 24/7 free "tech help center" for anyone who has my cell number? Fuck no.
In conclusion, if you didn't read the link the first time, fuck you. I guarantee if you treated a doctor, lawyer, carpenter, or car mechanic the way you treat the IT/Computer people, they'd tell you to fuck off as well.
I heard most geeks are like that because (...)
The problem is clearly not with the geeks if you are gullible to the point of believing everything you hear.
200K? That's what, a belt, a pair of shoes, three handbags and a couple pairs of sunglasses.
"Flyin' in just a sweet place,
Never been known to fail..."
Why wasn't this guy's password deactivated? Did Gucci actually have a common, all-powerful login known to all the engineers? We did that at our little IT shop because we didn't have full control of the network (we were a first response team to the main IT guys). It seems like you would give the guys some logins to use for things, use LDAP or Active Directory groups to put them in the admin user level, and then when they leave/are fired/downsized/outsourced/etc. revoke them from the admin group(s).
How many times do we need to read "Fired techguy used his/known admin passwords to cause hell" before someone catches on?
Procrastinating life a way at a rapid rate of speed.
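The two points made above, meet the departing admin at the door while the other admins rotate passwords, and keep admin rights in directory groups so they can be revoked on exit, both come down to the same control: reconciling what the directory says against what HR says. The following is an added example, not code from the thread or from Gucci, that runs that reconciliation over a constructed roster. The group names, field names and sample users are assumptions modelled on Active Directory conventions; the check that flags an account HR has never heard of mirrors the "non-existent employee" VPN token from the story.

```python
"""Offboarding reconciliation (added example; all data below is constructed).

Compares directory accounts with an HR roster and reports accounts that are
still enabled, still in an admin group, or still hold a remote-access token
after the person's termination date, plus accounts with no HR record at all.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed admin group names; adjust to the directory actually in use.
ADMIN_GROUPS: FrozenSet[str] = frozenset(
    {"Domain Admins", "Enterprise Admins", "VPN-Admins"}
)


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    groups: FrozenSet[str]
    enabled: bool
    vpn_token_issued: Optional[date]  # None when no remote-access token exists


@dataclass(frozen=True)
class HrRecord:
    username: str
    terminated_on: Optional[date]  # None while still employed


Finding = Tuple[str, str]


def reconcile(accounts: Iterable[DirectoryAccount],
              roster: Iterable[HrRecord]) -> List[Finding]:
    """Return (username, issue) pairs, sorted, for every mismatch found."""
    hr: Dict[str, HrRecord] = {r.username: r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        record = hr.get(acct.username)
        if record is None:
            # Nobody in HR owns this account: an undocumented service account
            # or, as in the story, a token issued in a made-up employee's name.
            findings.append((acct.username, "no_hr_record"))
            continue
        if record.terminated_on is None:
            continue  # current employee; nothing to flag here
        if acct.enabled:
            findings.append((acct.username, "enabled_after_termination"))
        if acct.groups & ADMIN_GROUPS:
            findings.append((acct.username, "admin_group_after_termination"))
        if acct.vpn_token_issued is not None:
            # A token created after the termination date means someone was
            # talked into issuing it; an older one simply was never revoked.
            issue = ("token_issued_after_termination"
                     if acct.vpn_token_issued > record.terminated_on
                     else "token_not_revoked")
            findings.append((acct.username, issue))
    return sorted(findings)


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    DirectoryAccount("alice", frozenset({"Domain Admins"}), True, None),
    DirectoryAccount("bob", frozenset(), False, None),
    DirectoryAccount("carol", frozenset({"Domain Admins"}), True, date(2010, 6, 10)),
    DirectoryAccount("dave", frozenset({"VPN-Admins"}), True, date(2009, 1, 5)),
    DirectoryAccount("ghost", frozenset(), True, date(2010, 6, 10)),
]
SAMPLE_ROSTER = [
    HrRecord("alice", None),
    HrRecord("bob", date(2010, 3, 1)),
    HrRecord("carol", date(2010, 5, 14)),
    HrRecord("dave", date(2010, 2, 1)),
]


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER)


if __name__ == "__main__":
    for username, issue in sample_findings():
        print(f"{username:8s} {issue}")
```

In practice the account list would come from an LDAP or Active Directory export and the roster from the HR system; the point of the exercise is that "bob", who was disabled and stripped of groups on his last day, produces nothing, while "carol" and "dave" show exactly the gaps the commenters describe, and "ghost" is an account nobody can vouch for.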
Um, nothing? I play with them next to my HDs all the time and the backups still work fine. Of course this is my personal machine and I am not too paranoid about the backups getting hosed.
We also took some HD magnets (scrapped from an old HD we just wiped) and tried to zap a stack of remaining HDs to be wiped with them. No luck. We could still read the data off of it when we tested to see if the magnets worked so we had to DBAN each and every one of them.
Buckyballs next to the tape archives.... well that's a different story.
Procrastinating life a way at a rapid rate of speed.
I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.
Yeah, I have had those fantasies too. You don't realize just how much damage you can do until you sit and think about it. After being let go by a retail chain with about 700 stores I realized that in about 15 min I could pretty much put the entire chain out of business. They had just scrapped all their phones for VoIP and I had the passwords to all the routers and knew they had the domain admin password hardcoded into the mainframe (I had tried, unsuccessfully, for over a year to get them to change that). It would have been very easy to VPN in using the admin account, telnet to the furthest VoIP router and erase mem my way back to the office, effectively wiping out their phone network. Then, set the tape robot to bulk erase (they didn't use offsite storage - too expensive), wipe the fileserver, domain controllers, AIX and Linux, and log off. They also refused to buy any intrusion detection software, so very little chance of getting caught. I would never do that, but it gave me a little perverse pleasure knowing that I could.
That company is still in business and I know of at least two instances where they have had breaches due to their refusal to implement even the most basic of security precautions. Still, I should thank them for canning me. I now work for a Fortune 500 company making more than double what they were paying, so all's well that ends well I guess.
For publicly traded companies. Private companies should have the right to shoot themselves in the foot all they want.
It's like you have an employee who duplicates his company keys and burns down the company at night. What he did is he committed a crime. Whether he did that with fake accounts or fake keys makes no difference. If I got fired I WOULD NOT EVEN REMOTELY THINK of harming the company... what he did is really dumb, and even if he left in anger, this does not justify any of his actions. I once got fired, but I worked till my last day like every day. Especially in IT you have to have some kind of tact, or you are COMPLETELY WRONG in IT. With great power comes great responsibility!