Fired Techie Created Virtual Chaos At Pharma Co.
itwbennett writes "Using a secret vSphere console, Jason Cornish, formerly an IT staffer at the U.S. subsidiary of drug-maker Shionogi, wiped out most of the company's computer infrastructure earlier this year. Cornish, 37, pleaded guilty Tuesday to computer intrusion charges in connection with the attack."
Well that was totally worth it.
Indeed. Employers can be total asses but what Jason Cornish did was illegal and was going to lead back to him. How did he think he was going to get away with that?
He's facing a maximum of 10 years when he's sentenced. I wonder if he'd still have been pissed at Shionogi 10 years after they laid him off?
I'm not blaming Shionogi, but they certainly made a poor choice to use him as a consultant after he'd resigned due to a dispute with management. I'm sure when they laid him off two months later (along with other employees) it was the tipping point for whatever was brewing inside. When an IT person who has access to everything (or even one server) leaves, you need to change every password ever created, verify every account, etc, etc. It sounds like a bit of an overreaction, but you never know who will do what. The other clown not turning over passwords probably played a role in this too.
For those wondering how he got caught: he accessed the servers from his home. Also, as for the McDonalds, just before he accessed them he purchased some food using his credit card.
Damn, he took his time. Musta felt good though.
But seriously, if you're smart enough and determined enough to do this, can't you foresee the outcomes?
tl;dr, Shoulda just spliced an ethernet cable into a power cord, added a "Never unplug this!!!" sticker, and left it by a power outlet. Once the blue smoke is released, the magic is lost.
the ctrl-H thing isn't as funny or neat as you seem to think it is.
THL phish sticks
He could have potentially wiped out some ongoing expensive research while he was at it and potentially cost lives not to mention jobs at a company that obviously wasn't in the best financial health to start with. This self-centered little prick doesn't deserve any leniency.
I usually can only destroy 10 or so VMs before my vsphere client runs out of memory / handles or just segfaults for the fun of it. Needless to say, my displeasure with that vsphere client has caused me to become somewhat of a vsphere command line ninja.
Firstly, it appears this guy was treated poorly and not only is he a nitwit, it would appear that most of his coworkers/management were as well.
Secondly, it's acts of sabotage like this that make it hard for the rest of us to do our jobs.
Thirdly, on a not so serious note... wi-fi from McDonalds? vSphere console? How did he think he was NOT going to get caught? Did he even try to wipe the logs off the vsphere server? Had this guy two brain cells in his head, he could have obliterated their infrastructure and not left a trace of evidence.
Yes Francis, the world has gone crazy.
Oh wow.
And this was the moment I realised Slashdot was no longer for nerds.
or modern nerds have moved on from VIM
It pays to be obvious, especially if you have a reputation for being subtle.
http://rule6.info/vi-short.html
"Ctrl-H erase last character"
HTH
What you really should care about when it comes to IT department is to keep them happy. The cost compared to what can happen when an employee is disgruntled is minor.
And even if you remove/change all passwords - are you sure that there isn't a backdoor somewhere? Especially in a system like Active Directory where login accounts can be "hidden" anywhere in the tree. Also - some accounts can't change password easily since there are services that may depend on them - or that the password also is the encryption key. It's just a ticking time bomb in some cases.
Some of you may claim "You are doing it wrong" when you depend on "unchangeable" passwords - but in some cases there are interdependencies that cause that kind of problem. And the problems can be all the way from a background task that locks the system account because it uses the old password to encryption key based on the password for the backup solution. In some cases it's caused by the third-party software that you use.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
And in case you didn't figure it out, "^" represents the CTRL key.
And oddly enough, it's not just VI - the windows command prompt works exactly the same way, open one now and hit CTRL+V (probably expecting to paste something) only to get ^V on your screen instead. But it's ok, hit CTRL+H and it'll backspace for you.
I believe it's less to do with VI and its CRAZINESS and more to do with the legacy of some keyboards not actually having a backspace key. Shock horror, I know.
(Cue the "...back in my day, we had to use TWO keys to backspace!" comments...).
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
word^wforshizzle!
What I want to know is why he didn't just ^W
I see only one problem with that, USA has laws against slavery...something about a civil war they had a while back...if I remember correctly. :)
Please
This is one reason why we need to have a well documented and well tested procedure for the termination of an IT employee.
There needs to be a group of people; not just one or two; in the company who have a *full understanding* of the network, the servers; the entire infrastructure. Those people need to get together and come up with a detailed step-by-step procedure and then test it thoroughly.
Once they test it, they should have it reviewed by not just one, but perhaps two or three different security consultants.
This procedure needs to cover *everything*; network passwords, personal passwords, building/room access cards or keys, etc.
It should be a given that physical locks (old fashioned keys) must be changed. Assume that keys are duplicated.
It should also be a given that *all* root/system/admin passwords must be changed.
If the person had any access to any private cryptographic and PKI keys, they must be revoked and replaced.
And, by the way, do you search the areas the person had access to and look for rogue modems, wireless access points, or whatever? Do you have an active inventory and configuration of your network readily available? Do you look above the false ceiling and under raised floors? Probably not. But do it. I've seen it all. Even a changed lock on a door that is not normally used; the person put his own lock on it so he can get in after all the locks on the 'normal' doors are changed. Any extra routers on the perimeter? Yes, I have seen it. That inventory must be thorough, accurate, and periodically checked.
From experience and stories that I have seen; it is a given that if at all possible, all of the account/password/access termination must be done prior to the person knowing that they are to be terminated. I prefer to do this work over a weekend (and do thorough testing) and then formally terminate the person on the following Monday morning when the employee arrives at the building's lobby or reception.
The best places that I have seen have this procedure not only trained to several people but documented in loose leaf binders prominently on key people's desks. They also run drills periodically (with evaluation by at least one if not more external and trusted security consultants) to ensure that *every* access to the building/network/servers is secured properly.
Yes, this costs money; lots of it; but it's your darn business that's at stake.
Most Respectfully Yours Mark Allyn Bellingham, Washington
Really?
That was pathetic.
You are entitled to your own opinions, not your own facts.
VIM is a bit far back. I use notepad.
As a matter of fact, I use a Unix based system (Mac) and run an emulator on it (Parallels) to run notepad. Because it makes me feel right at home.
I've coded industry strength software in C# in notepad. And now I'm doing the same in an emulator.
Fluent in C,C++, ObjectiveC, Java, C# and an array of scripting languages and scripting libraries (don't make me laugh the "library solutions" to attack a basic vanilla problem by "modern nerds"...)
The "nerd" is no more, if I see what comes in from IT colleges and how hard it is to find kids with the right mindset. My experience in the industry spans only 10 years, but it's becoming an aging crowd.
Go away you "modern nerd" with cheesy vampire soap and WoW nostalgia!
I think we can keep recursing like this until someone returns 1
someone who has your root passwords...
Best Slashdot Co
I think that hardly that moron^H^H^H^H^Htechie will have enough resources to compensate his former employer for damages.
What damages? TFA mentions "virtual chaos" - why wouldn't this equate with "virtual damages" and "virtual prison"?
For those not fully awake, I'm attempting some lame fun on the overuse of "virtual/virtualization". I've seen until now lots of abuses: "piracy is theft", "cloud", cyberwar/cyberterror (BTW, cybernetics doesn't have too much to do with computers) etc. The "virtual chaos" seems a new concept.
Questions raise, answers kill. Raise questions to stay alive.
maybe employers should treat their employees reasonably and this would happen less often. the employer had all the cards here.. they could've played it any way they wanted, but no. they baited him and then stuck it to him when he bit.
Eh, I'm sure that if you give Visa's lawyers a call they can probably hook you up with the draft language for a 'Managed Freedom Debt Restructuring Settlement' which would do almost as well...
As I recall, the old CRT keyboards did have a backspace key, it was just a lot easier to hit ctrl-H. The ctrl key was just to the left of "A" (somehow that got morphed into caps lock, which seems really stupid). So you could hit ctrl-H w/o ever leaving the home row. I think the backspace key was less conveniently located.
But this goes back a few years... it might well be that the first CRTs I used didn't have a backspace.
I know this might not be a popular opinion, but why should a business "really care" about keeping the IT department happy over any other department? Yes, they could do a lot of damage, but so could ANY disgruntled employee who walks in with a gun and starts shooting. Companies should treat ALL employees with respect, not grudgingly cozy up to IT because they feel like IT has them backed into a corner.
The other sense that I get from your statement was that it seemed like you were blaming management here. It feels a bit like, "Well, they didn't keep their IT staff happy, so they brought it upon themselves!" We don't know what the disagreement was, nor who was at fault for that disagreement. People get in disagreements all the time about relatively minor issues. Perhaps Shionogi wanted him to do something one way and he wanted to do it a different way. That's certainly not worthy of revenge. Right now, we just don't know. The simple fact remains that Mr. Cornish committed an act that was unethical and illegal and did substantial damage to the business. Yes, poor management controls and practices allowed this to take place, but they weren't the ones who committed the act.
Yes, but when you press CTRL+H in Notepad you get the Find+Replace popup, not ^H or backspace.
Ctrl-H was backspace on paper tape machines. It dates back well before vim: I was using it in 1970, though you had to follow it with DEL to remove the mistype before retyping. It probably dates back to the 19th century.
Consciousness is an illusion caused by an excess of self consciousness.
I wouldn't blame management for the damage, but it certainly is foolish to not take proper precautions when firing IT staff with administrative access. The damage a disgruntled IT employee can cause these days is akin to burning a building down 20 years ago - you could lose everything.
Get a web developer
Has anyone noticed that every system claiming "enterprise" robustness only ever protect against untrusted third parties or component failure? I think there's an enormous amount of research waiting to be done to develop systems that are robust against attacks by rogue administrators. Think about it this way: a modern distributed cluster can be made robust against nuclear warfare, but not a grumpy admin!
Technologies like the kind developed by internet pirates could be applied to enterprise systems. For example, protocols like Bittorrent are designed to be robust against malicious peers. The lessons learned by Wikipedia (where everyone is an 'admin') could be applied too, such as enforced versioning of all configuration changes.
Similarly, multi-party authentication should be an option for critical enterprise systems. It should be possible to mark objects such as VMs or service accounts as "critical", allowing configuration changes only if, say, three admins authenticate together, like in a nuclear launch. This isn't a new concept -- Certificate Authorities often require secondary approval to issue certain types of certificates.
The need will become ever greater as the trend of moving away from tape towards snapshots and replicas accelerates. Do you seriously think Google backs up to tape? Or Amazon? Or any cloud provider? They don't! They just keep two to three copies of everything, and hope that none of their thousands of administrators ever cracks and does the equivalent of "rm -rf *" on the entire cloud all at once!
Unfortunately, a business with general purpose servers running Windows or Linux is out of luck. Even if someone were to come up with, say, a virtual hosting environment that's robust against even administrators, that wouldn't prevent other mass attacks, such as formatting the SAN (shudder), deleting every object from the Active Directory domain, or my favourite: setting an encryption key on the backups for a month before leaving, wiping the password, and then formatting every server in parallel. Just resetting every password in the system at once is enough to bring most organisations to their knees, and can be done in seconds! How long would it take your organisation to recover from that? You'll just restore the AD from tape, right? Step one: log on to the backup server... err...
Remember: Mirrors won't help. Replicas won't save you. Snapshots can be deleted just like everything else. If the business didn't have off-site tape backups of everything, it's game over.
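As an added illustration of the multi-party authorization idea in the comment above (not part of the original post, and not any vendor's API), the sketch below gates changes to objects marked "critical" behind approvals from three distinct admins and keeps a record of every decision. The admin names, keys, object names and the `ApprovalGate` class are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample keys for three hypothetical admins (not real credentials).
SAMPLE_ADMIN_KEYS = {
    "alice": b"constructed-key-alice-0000000000",
    "bob": b"constructed-key-bob-000000000000",
    "carol": b"constructed-key-carol-0000000000",
}


class ApprovalError(Exception):
    """Raised when a change lacks the approvals its target requires."""


@dataclass(frozen=True)
class ChangeRequest:
    requester: str
    operation: str   # e.g. "delete_vm"
    target: str      # object the change applies to
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))

    def digest(self) -> bytes:
        # Canonical encoding, so every approver authenticates the same bytes
        # and an approval cannot be moved to another operation or target.
        body = json.dumps(
            [self.requester, self.operation, self.target, self.nonce]
        ).encode()
        return hashlib.sha256(body).digest()


def approve(admin_key: bytes, request: ChangeRequest) -> str:
    """Tag an approving admin's client computes with that admin's own key."""
    return hmac.new(admin_key, request.digest(), hashlib.sha256).hexdigest()


class ApprovalGate:
    def __init__(self, admin_keys, critical, threshold=3):
        self.admin_keys = dict(admin_keys)
        self.critical = set(critical)    # objects marked "critical"
        self.threshold = threshold       # distinct admins needed for those
        self.used_nonces = set()
        self.audit_log = []              # one entry per decision, never edited

    def _valid_approvers(self, request, approvals):
        valid = set()                    # a set, so repeated approvals count once
        for admin, tag in approvals:
            key = self.admin_keys.get(admin)
            if key is None:
                continue                 # approval from an unknown account
            expected = approve(key, request)
            if hmac.compare_digest(expected.encode(), tag.encode()):
                valid.add(admin)
        return valid

    def _record(self, request, approvers, decision, reason=""):
        self.audit_log.append({
            "requester": request.requester, "operation": request.operation,
            "target": request.target, "approvers": approvers,
            "decision": decision, "reason": reason,
        })

    def _deny(self, request, reason):
        self._record(request, [], "denied", reason)
        raise ApprovalError(reason)

    def authorize(self, request, approvals):
        """Return the sorted approver list, or raise ApprovalError."""
        needed = self.threshold if request.target in self.critical else 1
        if request.nonce in self.used_nonces:
            self._deny(request, "request already executed (replay)")
        if request.requester not in self.admin_keys:
            self._deny(request, "unknown requester")
        valid = self._valid_approvers(request, approvals)
        if request.requester not in valid:
            self._deny(request, "requester did not authenticate")
        if len(valid) < needed:
            self._deny(request, f"{len(valid)} of {needed} approvals")
        self.used_nonces.add(request.nonce)
        self._record(request, sorted(valid), "allowed")
        return sorted(valid)


if __name__ == "__main__":
    gate = ApprovalGate(SAMPLE_ADMIN_KEYS, critical={"vm:prod-db"})
    req = ChangeRequest("alice", "delete_vm", "vm:prod-db")
    try:
        gate.authorize(req, [("alice", approve(SAMPLE_ADMIN_KEYS["alice"], req))])
    except ApprovalError as exc:
        print("denied:", exc)
    tags = [(a, approve(k, req)) for a, k in SAMPLE_ADMIN_KEYS.items()]
    print("allowed, approvers:", gate.authorize(req, tags))
```

The gate only helps if it runs somewhere none of the approving admins can modify alone, and if the decision log is shipped to storage they cannot delete.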
Anyone doing this will never ever be put into a position of trust again. That is, if the potential future employer does a decent check on who's applying for the job. It doesn't matter how mad you are, you will ruin it for yourself if you do anything to harm your former employer.
I was promised a flying car. Where is my flying car?
wouldn't it be more worthwhile setting up an infrastructure which constantly needs your expertise to stay running, the day you are not there to enter the magic code then "boom". then you could successfully claim having not touched the system after your contract is up. it would have to not be a time bomb but some kind of bash commands which you enter from memory every morning.
Fail. Turn in your nerd card. Seriously though, if you really don't know then you should read up about control character mapping.
That does not help. Honestly a highly skilled IT guy that understands virus writing can infect all the machines with a timebomb and you would never know it. IF he did it right and inserted the time bomb into a driver there is nothing you could do to stop it.
It's called paying IT people what they are worth and running background checks. This guy would not have had a squeaky clean past if he did stupid crap like this.
Finally having enough staff so that ANY changes are done with a peer review. I.E. Update XYZ needs to be applied. Sr IT guru does not apply it himself and deploy, it MUST be reviewed by 2 others and DOCUMENTED.
But corporations have no interest in properly staffed IT departments that are paid enough to hire competent and trustworthy people... You get what you pay for.
Do not look at laser with remaining good eye.
Ctrl-H was backspace on paper tape machines. It dates back well before vim: I was using it in 1970, though you had to follow it with DEL to remove the mistype before retyping. It probably dates back to the 19th century.
I hope you're joking.
19th century? Any self respecting geek knows that Vim was around well before that.
More like some terminal emulations not implemented very well.
deleting the extra space after periods so i can stay relevant, yeah.
Yes... it's the "how can you get away with it?" question that boggles the mind. If you can't think at least that far ahead, then you should refrain from doing more than "wish damage." (You know, I wish something bad would happen to them because I hate them kinda thing?)
If it were me, I would do something more subtle... something based on a cron job perhaps ... something that runs, clears out logs and other things, mounts VMDKs, deletes random files, exchanges the file names of various random pairs of documents and things like that. It would be weirdness that people would dismiss at first as human error which give the trail time to grow colder and bad backup data to get worse and then at some point just go all-out, destroying itself and the systems -- preferably killing the hardware in some way. Even then the chances of getting caught are pretty good as it would be a careful balance of luck and planning to create this gradual corruption of data that wouldn't go noticed until it was too late... perhaps only corrupt files older than a certain date which are not as likely to be accessed for a long while. I suppose that would be enough to allow the corruption of backups and such along the way...
Anyway, the first thing should always be to plan not to get caught or even suspected.
It probably dates back to the 19th century.
I have a set of 19th century control characters, hand-carved in oak, great conversation piece.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Yeah... nobody has ever been busted for timebombing their former employers systems.
I am very small, utmostly microscopic.
If emacs was good enough for Leonardo da Vinci then it's good enough for me.
(BTW - that's a true statement!)
Intron: the portion of DNA which expresses nothing useful.
And if your employer suddenly doesn't let you access the computers again, you know that he has read your post. :-)
The Tao of math: The numbers you can count are not the real numbers.
Caps lock was added so that enraged AOL users could conveniently type their manifestos for Usenet.
...make it impossible for some elderly people (along with some kids with cancer, and perhaps a few diabetics) to get their meds.
Oh yeah, and incidentally, cost my employer money.
Douchebag of the Year Award candidate.
Control H (0x08) is the ASCII code for backspace.
The reason why caps lock is above shift is that it's the position where it was on mechanical typewriters. And the reason it was there on mechanical typewriters is that it physically fixed the shift key, and therefore had to be on the metal bar connecting the shift key to the carriage.
some keyboards not actually having a backspace key
Close, but not quite... it's more to do with the difficulty of getting the backspace/delete/erase/etc keys to work properly on all the different varieties of terminal that Unix and other OSs used to support: it was very common to have the settings on the computer not match up with your terminal, in such a way that pressing the "delete" key would not delete but instead produce ^H or ^? or some other control sequence...
Need to type accents and special characters in Windows? Use FrKeys
Seems half the comments here are people who say how stupid this guy was -- that they could have done a much more thorough job of destruction AND covered their tracks better. Shows what kind of geeks we are. ;)
Go ahead, post your "I could have done it better" comments here.
I only post comments when someone on the internet is wrong.
That was my thought too. I guess we're the only geeks on the site any more :(
[John]
Shit better not happen!
I don't understand. Was this guy the head of the IT department? Did they lay off the entire IT staff? Who was in charge of the IT department? I hope it is the guy stabbing himself in the stomach. What type of moron doesn't have machines storing VM drives separated from the network just in case of catastrophic disaster or intrusion? For the love of Yoda people! Hire a Security Engineer!
Having to work for a living is the root of all evil.
In some office buildings you do not have full control of the keycard system / locks. That is under the building's control and in lots of them the building maintenance guys can get in to any room with their keycards / keys.
+1 Funny
Because the IT guys can potentially do a lot more damage to your business (personal injury/loss of life aside) without even needing a gun. And they can do it from the comfort of a beach in some country that doesn't have an extradition treaty with the company's country. It's incredibly unprofessional on the part of the IT guy, of course, and not something I would ever advocate (especially if you intend to ever get another job) but it's certainly in the company's interests to at least part on good terms if you have to part ways (and always have off-site back-ups of everything mission critical, of course).
But corporations have no interest in properly staffed IT departments that are paid enough to hire competent and trustworthy people... You get what you pay for.
That has got to be the best excuse I've ever seen to help justify spending large amounts of time on Slashdot while I'm at work.
Boot Windows, Linux, and ESX over the network for free.
This guy would not have had a squeaky clean past if he did stupid crap like this.
that argument fails for the first offence.
and given that each offence has the same potential - you can only use a mark on a background as a red flag .. you can NOT use a clean record as a green flag. Companies need to profile new hires - and they need to treat employees (ALL not just IT) with respect.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
I have to admit that my initial reaction was the same as yours.
And then I spent some time thinking about it.
First, riots on previous days had resulted in people being injured and even murdered, robbed and people's homes and business destroyed.
And then these guys come along and try to arrange more of the same, knowing full well the results of those riots.
Second, I got to thinking: who are the worst? The rioters who get caught up in the heat of the moment or the cowardly little turds at the back of crowd egging them on and hiding behind the masses?
My vote is the cowardly little agitators are considerably worse.
Thirdly, part of the justice process -sadly too often neglected- is to protect society, punish the guilty and plain old fashioned revenge.
So on all those counts I think a custodial sentence is quite justified.
One of the 'men', Blackshaw, was obviously quite serious and even turned up for the riot- fortunately he was the only one. There was obviously serious intent there.
The other one did it as a drunken prank and took it down when he was sober the following morning- but the damage had been done. His posts had caused serious concern in Warrington and a police response. You might think being drunk is an excuse but it impacted lots of other people- and would you try the same excuse for a drunk driver?
My conclusion is that 4 years is harsh but not unreasonably so given their intent, what they did, the impact they had and the prevailing climate.
Bad analogies are like waxing a monkey with a rainbow.
Companies should treat ALL employees with respect, not grudgingly cozy up to IT because they feel like IT has them backed into a corner.
I agree about treating everyone with respect, the part about being backed in a corner is mostly because IT is not the core competency of most companies (IT companies like google, MS, oracle, etc. excluded), so managers don't understand computers as well as they understand their product and its market, and humans tend to be suspicious of things we don't understand, this makes it easy to put them in the corner and get concessions from them
What ? Me, worry ?
If this were me . . .
The minute I leave after a disagreement with management, I would: tell them (hopefully with at least two or three people in the room for witnesses) to immediately terminate *all* of my access to *everything* as I will not do any consulting for them.
I will tell them to send me my personal belongings (if I have any there I care about, as I personally have a strict policy of keeping nothing I value at the office) home and *escort me off the place immediately* and hand them my badge.
This way, there is no doubt that I have a clean break from these folks.
If something happens later on, hopefully I would be far from blame.
Most Respectfully Yours Mark Allyn Bellingham, Washington
What is this "vim" you guys are talking about? It's called "vi" - if you can say it, you can spell it!
I think it quite reasonable for an employer to know whether a potential employee is a convicted thief or has a record of violence.
I do agree that these offences should become 'spent' after a period of time, for example after 5 years of keeping out of trouble.
Same exact thought here... :(
I tried that in a snarky e-mail to some of my younger co-workers the other day, they didn't get it and asked why I didn't just use strikethrough font.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
+4 internets to this gentleman.
AND A GOLD STAR BECAUSE I CAN LOL!!1!1 (or something like that)
Sorry but this is just another example of a company who has no idea how to properly terminate or control access. First, those service and/or other random accounts should not have the ability to remotely access systems in the first place, let alone domain admin access. Second, thanks to the miracle of PowerCLI/etc changing local passwords across all hosts (VMware in this case since it is the focus of the story) is dead simple, free, and fast. Third, if you are going to term someone with admin access you cut off their access BEFORE you tell them.
Yes changing service account passwords is difficult but it is your job as an IT staffer to let management know that downtime will be required if someone with full admin access is let go. I've been through that exercise multiple times and it took a small team of us to get it done. Once you have done it once though you know what to expect and can accurately predict how long it will take moving forward. Not only that, you can use the exercise to determine what changes to make that will simplify the process moving forward (such as less accounts with remote access rights).
Ever feel like you are driving the getaway car?
Acts like this create more FUD within companies when it comes to employees. This guy was malicious and it creates more distrust between management and IT employees. I've worked in places where this kind of FUD creates the "walk you out the door" mentality when an employee or contractor even hints that they are leaving. Invariably this distrust leads to these kinds of incidents where contractors and employees are considered as a necessary evil on multiple levels by management. This isn't what we need in the industry and it merely validates all these ridiculous studies where employees are considered a bigger threat than outside entities.
Yes, this company was stupid. It didn't disable ex-employee / contractor passwords when they were terminated, it also didn't properly audit access to the systems. Again, if somebody can get into a hidden VMWare console to do this, then there's something much worse going on within this company. If this company makes pharmaceuticals then I'm wondering why they don't have better controls on access, especially at the system admin level, for these systems?
Harrison's Postulate - "For every action there is an equal and opposite criticism"
What you really should care about when it comes to IT department is to keep them happy. The cost compared to what can happen when an employee is disgruntled is minor.
Or ... have better security management and then just fire spoiled brats like this fuck.
Keep him happy? WTF?! It's work ... a four letter word ... it's not the company's responsibility to 'keep you happy', only to pay you what they agreed on.
WTF is wrong with slashdotters today where they seem to think being in the IT world means the company is there to serve you rather than the other way around.
And anyone with a clue will claim they're doing it wrong, because they are. No one should 'depend on unchangeable' passwords, there are password management systems JUST TO HANDLE THIS SORT OF PROBLEM, and if everyone does their job it works just fine. The only way this sort of shit can happen is if multiple people are slacking off or in on the scam.
Again, your inexperience and lack of understanding makes you think there is some sort of acceptable situation where this can occur because of some interdependencies ... which clearly means YOU, specifically Z00L00K are doing it wrong and shouldn't be doing it at all.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Right, and the engineers who design your actual products ... which are the reasons the IT guys exist aren't as dangerous?
The accountants who can drain and send your entire financial portfolio to random places around the world aren't dangerous?
No, IT guys aren't special, you just think you are and you're too ignorant to realize you really can't do anything more than be fucking obnoxious. You can't do anything that someone else in the company can't do better as far as hurting the company.
It is certainly in your best interests not to try to fuck over the company on your way out the door, unless you like spending time in jail.
IT people are the most self absorbed, arrogant spoiled brats I've ever seen, and there isn't a single reason for it. Just a bunch of people who think they're smarter than everyone around them because their lack of a social life let them learn a little more about Windows than others.
Your statement on slashdot makes me realize that I probably should be okay with employers looking up people's online activity just so they can avoid hiring people like you and save themselves the potential of dealing with someone so disconnected from reality that they clearly don't realize what a job is.
Sounds like a great way not to get suspected :)
I didn't say anything about actual rioters- they should certainly be punished.
Agitators should be punished for two offences in my opinion, firstly they should be punished as if they had committed the crime themselves plus they should be punished for corrupting the person or people who actually committed the offence.
People are influenced by other people and it's a nonsense to pretend they aren't and there are some little turds who take great delight in trolling other people and getting them to respond.
Words have power and free speech is no defence against mis-using that power.
Second, thanks to the miracle of PowerCLI/etc changing local passwords across all hosts (VMware in this case since it is the focus of the story) is dead simple, free, and fast.
Why exactly are your vmware servers using local accounts? LDAP exists for a reason and VMware is happy to authenticate off it. No one should have local accounts.
Third, if you are going to term someone with admin access you cut off their access BEFORE you tell them.
No, you don't. This creates massive potential problems and can become a HR nightmare and potentially dangerous to the guys turning their accounts off if the former employee finds out and then takes it out on IT rather than the HR people who are supposed to deliver the news.
Have you ever had the misfortune of turning someone's account off before they were notified ... only to have them call you or show up at your desk asking why their account isn't working? That's not a position you want to be in.
The solution is that IT and HR work together to handle those situations or that HR has the ability to terminate employee access themselves, and they do it as part of the termination process with the employee physically in front of them.
Yes changing service account passwords is difficult
Then you're doing it wrong and you should be fired. You seriously need to learn how account management should be done and the tools available to help you do so. You should be using a password management system that tracks all passwords and requires all password changes go through it, then you make it policy for two factor verification of any new IT related software to verify the new software is properly linked up to the password management system, meaning not only the guy who installs it, but someone else verifies the pw management system is linked and working properly.
These problems have been solved for 30 years, you just don't know about them due to inexperience, which is why you shouldn't be doing anything like this sort of work.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Actually it sounds more like a stage magician asking an audience member to confirm, in fact, that there's nothing up his or her sleeves. With that much unprompted "satisfy yourself that there's nothing wrong!" going on, it sounds like he at least knows something.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
Honestly a highly skilled IT guy that understands virus writing can infect all the machines with a timebomb and you would never know it
This guy would not have had a squeaky clean past if he did stupid crap like this.
These two quotes are pretty much contradictory, if an IT guy is good enough to pull a stunt without you finding out who did it, how would any past employers? At a company with any sort of normal turnover rate, setting your timebomb within a two year timeframe will mean there are dozens of suspects.
People, what a bunch of bastards
The first thing to do is not pull bullshit like this, if you really have to get revenge make an obscene photoshop of your boss and put it on 4chan, otherwise grow the hell up.
Snowden and Manning are heroes.
The problem for small to medium sized businesses is that the IT guy(s) are key players. You have maybe one or two persons that do know the system thoroughly and without their knowledge you won't even be able to read back any backup of your documents, which means that your off site tape archive may be completely useless.
And hiring more - that's a cost that can go up without creating any special benefit except for the day someone gets upset.
From your opinion it does look like you never have been working at an IT department at all - and don't have a clue about it. It also seems to me that they do have a reason to act like spoiled brats considering your attitude towards them. Maybe they have deleted your stash of porn?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
What you really should care about when it comes to IT department is to keep them happy. The cost compared to what can happen when an employee is disgruntled is minor.
Sooo, you mean, bribe them to not misbehave, essentially. How about what I should really care about is to raise standards so I don't have some childish megalomaniacal sysadmin who has far more power than is good for him.
I am really fed up with this entitlement mentality on Slashdot. Forget the whole "but the company was evil/incompetent" nonsense and self-justification. Whatever happened to personal responsibility, ethics, and the knowledge that two wrongs don't make a right? If you want to know why techies are not treated with more respect, it's because of idiotic behavior like this.
Reality is that there are always local accounts for the operating system services etc. on any computer (virtual or not) and disabling the local accounts is effectively the same thing as cutting off the branch you are sitting on the day something goes wrong.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Time for a check into what the reality is among almost every company.
I'm sure that you are about as popular as cholera at your workplace - even though people around you won't admit it in public.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Especially when it comes from someone who probably wasn't even born when it was actually an issue.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
It actually has nothing at all to do with vi and everything to do with terminal emulation and dumb terminals in general.
Learn what ASCII is and you'll get closer to the root, though not all the way to the beginning.
Anyone who thinks it's got any relation to vi is rather clueless and probably just a Linux baby. Not as a dig on Linux, but generally the only people who think silly things like this are people who haven't used anything other than Linux and Windows and think they have a clue about where all these strange little quirks come from.
Control codes existed well before vi or emacs or any other app you know that you think makes you old school.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
You attack modern nerds and you use notepad inside a virtual machine? Get the fuck out of here.
-- Linux user #369862
I would just like to stress that I in no way claimed to be "old school". In fact, I'm quite young, can't grasp Linuz for the life of me and feel much more comfortable in a GUI than the command line.
I'll go get my coat, now. My Geek pass is on your desk.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Most competent IT individuals have the skills already to do severe damage to companies.
Most disgruntled employees don't have an AK-47 waiting on their desk.
Sorry, the accounting guy doesn't have access to the backups, the security system, the phone system, can't grant/revoke remote access permissions, can't control the email server, can't corrupt the database server, and can't set an SMS or Altiris job to format the hard drive of every workstation on every desk in the company. The IT guy **DOES** have access to the accounting system and its database.
So tell me again which is more dangerous?
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Jason and I worked at Shionogi together for 3 years. I was laid off at the same time.
Shionogi did a piss-poor job of that round of lay-offs. I completely understand his attitude.
Apparently the only reason he was caught is because he used a debit card at the McDonald's where he logged in...
Smart guy that did a couple of very stupid things...
Modded down 2 points already.
I guess some cowardly little turds who spend their time trolling and winding other people have mod points today.
I think this post pretty much sums up your level of clarity of thought here. Anyone up-modding your early post should see this one before nodding along in agreement.
When information is power, privacy is freedom.
No, don't bribe them, that only works with administrative people and salescritters. Treat them with respect and manage them decently. I realize that this whole concept is abhorrent to the modern MBA, but respect goes a really long way toward preventing problems and improving productivity, and a decent manager can get twice the amount of work out of half the number of employees as the standard PHB.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Neither. The executive with the stock options and the direct number to his peer with the competition is the most dangerous, and always will be.
Here's to hot beer, cold women, and Glaswegian kisses for all.
For all my complaints about goings-on at former jobs, the most I can recall doing is grousing about it with colleagues etc.
Why burn bridges? Even in jobs where I've left because of frustration with the business, I'd not publicly badmouth the company or sabotage their infrastructure.
In some cases I've had to re-contact those old employers (as a job reference, or to get some information I needed but no longer had regarding my position). They've always been polite to me, and I've been polite to them.
Being a jackass doesn't help anyone. If you really hate the job, move on, but don't leave a trail of destruction behind.
If you get canned unfairly, talk to a lawyer and build a case for wrongful dismissal or whatever. Vigilante b.s. only proves that you're a cowboy jackass, and that they were fairly justified in firing you.
I like the idea behind that, but realistically is it feasible to have a peer review for every rollout? Are IT departments really under-funded more often than other departments?
I doubt it.
I find it far more likely that the IT crowd is no different than any other crowd and we just like to whine when given the soapbox to do it from. That's just my two cents though.
Frankly, I'd love the capital to hire more hands - oh well. I'm sure everyone else would, too.
Nope. Been in IT 35+ years. He's right. IT is just another job and being 'key players' doesn't make the employee any more deserving of coddling than someone else. Especially as this observation is rather self-motivated.
A clue to all IT personnel: You are an employee hired to do a job. Act like a friggin' professional instead of trying to be the gate keeper from Tron.
"You have maybe one or two persons that do know the system thoroughly and without their knowledge you won't even be able to read back any backup of your documents, which means that your off site tape archive may be completely useless."
First, this situation means they didn't do their job correctly. Second, that sounds very much like you approve of extortion. Your statement would be true if IT guys weren't simply strewn all about the landscape. Hire another.
No, don't bribe them, that only works with administrative people and salescritters. Treat them with respect
Mindblowing, just how oblivious you have to be to type those 1.5 sentences in succession.
I realize that this whole concept is abhorrent to the modern MBA
Sigh. Yet again the MBA thing. You know, if this guy had taken the sort of ethics class that is often a core requirement in MBA classes he might have thought twice about the consequences of his actions.
Try hiring a good one. Been trying here for 4 weeks.
Most are the typical MSCE morons. Could not do anything that their is not a check box or radio button for.
So who types in the local password the day something breaks?
What happens if he remembers it?
There are always local accounts in case of oh shit situations.
... for having to use vsphere for this.
A true hacker would have used the VMWare sdk and command line tools and had a VM that later deleted itself perform this act.
Amateur.
"No good deed goes unpunished"
Maybe they don't want to work for someone who can't even spell "MCSE" or use the correct "there".
I've worked in places where local accounts were not allowed. This was enforced through an automated daily check of every workstation and server. The systems engineers didn't have the root passwords. Nobody knew what they were as they were randomly generated and NOT recorded. Everything was sudo as it was auditable in the logfiles, and we couldn't sudo su - or sudo /bin/bash, etc.. as a workaround. There were procedures if we had to actually BE root, usually involving booting into single user mode.
It's not as dire as you say it is, but sometimes it was terribly inconvenient.
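An added example, not part of the comment above or of any poster's tooling: a sketch of the kind of daily check that comment describes, flagging unapproved local accounts and sudo rules that hand out a root shell. The allowlist, the sample passwd and sudoers text, and the function names are all assumptions constructed for illustration.

```python
import re

# Constructed sample data for illustration (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
svc_backup:x:998:998::/var/lib/backup:/bin/sh
jdoe:x:1001:1001:J Doe:/home/jdoe:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults logfile=/var/log/sudo.log
%sysening ALL=(root) /usr/bin/systemctl restart httpd
%sysening ALL=(root) NOPASSWD: /bin/bash
jdoe ALL=(ALL) ALL
%dba ALL=(root) /usr/bin/su -
"""
APPROVED_LOCAL = {"root", "daemon", "sshd"}  # assumed site allowlist
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
ROOT_SHELL = re.compile(r"(^|/)(su|bash|sh|zsh|ksh|csh|dash)$")

def audit_passwd(text, approved=APPROVED_LOCAL):
    """Flag extra UID 0 accounts and unapproved accounts with a login shell."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line; a real check would report it
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and name != "root":
            findings.append(("extra-uid0", name))
        if name not in approved and shell not in NOLOGIN_SHELLS:
            findings.append(("unapproved-login", name))
    return findings

def audit_sudoers(text):
    """Flag rules that grant ALL or run a shell/su directly as another user.
    Simplified: ignores aliases, line continuations and #include files."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "Defaults")):
            continue
        who, spec = parts
        cmds = spec.split(")", 1)[-1] if ")" in spec else spec.split("=", 1)[-1]
        cmds = re.sub(r"\b[A-Z_]+:", "", cmds)  # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd and (cmd.split()[0] == "ALL" or ROOT_SHELL.search(cmd.split()[0])):
                findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run daily against each host's real files, any non-empty result is the signal to investigate; an account that shares UID 0 with root is the one to look at first.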
Only the ones who got caught were busted for it. What? You thought all crime gets reported?
You mean to say he was also the Collar-Bomber?
I8-D
I've seen plenty of examples of MBAs who have behaved far beyond the pale, ethically. Just because it's a core requirement for a degree doesn't mean a person may actually learn anything from it. It's been my experience that MBAs behave the least ethically of all the people I've worked with.
IT people are the most self absorbed, arrogant spoiled brats I've ever seen, and there isn't a single reason for it. Just a bunch of people who think they're smarter than everyone around them because their lack of a social life let them learn a little more about Windows than others.
Righhhhhht. And that's why Apple is currently worth more than Exxon.
IT people aren't absorbed. They're just tired of being taken advantage of. IT drives most of the world now, and most in IT realize this (hence, they understand their value).
Everyone knows you're supposed to replace data with porn, not flat out delete everything.
What do I know, I'm just an idiot, right?
No, IT guys aren't special, you just think you are and you're too ignorant to realize you really can't do anything more than be fucking obnoxious.
It's pretty obvious that only someone with full administrative access to every computer on your network can do the type of damage that keeps on giving, even years after they have left.
I can think of about 10 different ways to have a task run at a given time, and I'm sure there are a lot more. I can also think of about 10 different ways to make sure that the task starting code gets put where it needs to be so it can eventually be executed, some of which would be restored from backup.
If the task wasn't "erase everything" but rather "cause subtle but painful error", it could go months before people even think it's something other than "cosmic rays". Even a re-image of the machine that seemed to be the problem wouldn't help, as multiple machines would have the problem, and spread it like any other trojan. With a really determined disgruntled admin, even a simultaneous re-image of all machines wouldn't do the job, as you'd have some data somewhere, so anything that could run a script and was backed up could reinfect the network.
By your logic Adolf Hitler was as innocent as a new born, after all he didn't personally invade France or Russia and he didn't personally kill a single Jew, Gypsy or Homosexual.
Bad analogies are like waxing a monkey with a rainbow.
You seriously need to learn how account management should be done and the tools available to help you do so. You should be using a password management system that tracks all passwords and requires all password changes go through it, then you make it policy for two factor verification of any new IT related software to verify the new software is properly linked up to the password management system, meaning not only the guy who installs it, but someone else verifies the pw management system is linked and working properly.
None of this matters if the disgruntled IT guy was able to make sure that every time any admin user logged in, a trojan ran with no effect until after his access was terminated. Then, it started doing evil things.
Also, as far as password management goes, one of the big problems with VMware vSphere is that the management server has root access to every hypervisor. So, if the disgruntled IT guy can make sure they get access to the vSphere server (again, using the trojan that runs long after they have been de-authorized), then it's pretty easy to do exactly what TFA talks about, even if you have a "password management system". But, a truly evil person would have known the backup schedule and merely added errors to the data until it was on every backup, then wiped the sources.
They fired an employee after getting into an argument with management, didn't take away or change passwords, and also didn't backup their systems.
Sounds to me like the company should be taken to court not just the employee.
Seriously, we treat our employees poorly, we don't take security seriously, and don't believe in backup.
What could possibly go wrong?
And admins in your org don't have access to AD to create themselves a secondary account? I've accidentally dragged a user account into the wrong OU and didn't notice it for weeks, it would not be difficult at all for him to have created a valid-looking account and left it hidden for months.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
I think random, sparse, relatively infrequent data corruption (eg bit flips here and there) would be far less obvious and be quite annoying...
"WTF! This memory tests fine!"
Especially if the logic bomb is buried so deep that it rotates through the backups as far back as would be reasonable to restore from...
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I cause virtual chaos in the GTA and Just Cause games all the time.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Not every convicted criminal will go through probation.
Bad analogies are like waxing a monkey with a rainbow.
Next time they experience any computer problems they will blame you for setting up a time bomb before you were terminated. Either way, they'll point the finger at you.